EventTranscript DB
Overview
| Property | Value |
|---|---|
| Evidence | EventTranscript DB |
| Description | Collect EventTranscript DB |
| Category | System |
| Platform | windows |
| Short Name | evnttrscdb |
| Is Parsed | Yes |
| Sent to Investigation Hub | Yes |
| Collect File(s) | Yes |
Background
EventTranscript.db is a SQLite database maintained by Windows for diagnostic data and telemetry. It contains detailed information about application inventory, browser history, WiFi connections, device installations, and other system events.
This database provides unique forensic artifacts not available in other Windows logs, including granular application usage data, WiFi access point history, and detailed system inventory information.
Data Collected
This collector gathers the following structured data from EventTranscript.db.
EventTranscript DB Data
Browser history

| Field | Description | Example |
|---|---|---|
| SID | User security identifier | S-1-5-21-... |
| Username | Username | DOMAIN\user |
| AccessTime | URL access timestamp | 2023-10-15T14:30:00 |
| URL | Visited URL | https://www.example.com |

Application inventory

| Field | Description | Example |
|---|---|---|
| SID | User security identifier | S-1-5-21-... |
| Username | Username | DOMAIN\user |
| ProgramName | Application name | Google Chrome |
| InstallPath | Installation path | C:\Program Files\Google\Chrome |
| OSVersion | OS version at install time | 10.0.19041 |
| InstallDate | Installation timestamp | 2023-10-01T10:00:00 |
| Version | Application version | 118.0.5993.89 |

WiFi scan history

| Field | Description | Example |
|---|---|---|
| SID | User security identifier | S-1-5-21-... |
| Username | Username | DOMAIN\user |
| AccessTime | Scan timestamp | 2023-10-15T14:30:00 |
| SSID | WiFi network name | Corporate-WiFi |
| MACAddress | Access point MAC address | 00:11:22:33:44:55 |

System configuration

| Field | Description | Example |
|---|---|---|
| SID | User security identifier | S-1-5-21-... |
| Username | Username | DOMAIN\user |
| DeviceMake | Device manufacturer | Dell Inc. |
| DeviceModel | Device model | Latitude 7490 |
| TimeZone | User time zone | America/New_York |
| DefaultBrowser | Default browser ProgID | ChromeHTML |
| DefaultApp | Default app for file types | |

Physical disks

| Field | Description | Example |
|---|---|---|
| DeviceId | Device identifier | \\.\PHYSICALDRIVE0 |
| SerialNumber | Disk serial number | S4BXNX0N123456 |
| Size | Disk size in bytes | 512110190592 |
| NumPartitions | Number of partitions | 4 |
| BytesPerSector | Bytes per sector | 512 |
| MediaType | Media type | SSD |

WiFi connections

| Field | Description | Example |
|---|---|---|
| SID | User security identifier | S-1-5-21-... |
| Username | Username | DOMAIN\user |
| InterfaceGuid | Network interface GUID | {12345678-1234-1234-1234-123456789ABC} |
| InterfaceType | Interface type | 71 |
| InterfaceDescription | Interface description | Intel(R) Wireless-AC 9560 |
| SSID | Connected WiFi network | Corporate-WiFi |
| AuthAlg | Authentication algorithm | WPA2PSK |
| BSSID | Access point MAC address | 00:11:22:33:44:55 |
| Manufacturer | AP manufacturer | Cisco |
| ModelName | AP model name | AIR-AP2802I |
| ModelNumber | AP model number | AP2802I |

Device installations

| Field | Description | Example |
|---|---|---|
| SID | User security identifier | S-1-5-21-... |
| Username | Username | DOMAIN\user |
| ObjectID | Device object identifier | PCI\VEN_8086&DEV_9D60 |
| Service | Associated service | nvme |
| FirstInstallDate | First installation | 2023-01-15T10:00:00 |
| InstallDate | Last installation | 2023-10-01T14:00:00 |
| Model | Device model | Samsung SSD 970 EVO |
| Manufacturer | Device manufacturer | Samsung |

Raw events

| Field | Description | Example |
|---|---|---|
| SID | User security identifier | S-1-5-21-... |
| UserName | Username | DOMAIN\user |
| TimeStamp | Event timestamp | 2023-10-15T14:30:00.123Z |
| ProducerId | Producer ID | 123 |
| Producer | Producer name | Microsoft-Windows-Kernel-General |
| ProviderGroupId | Provider group ID | 45 |
| ProviderGroupGUID | Provider group GUID | {A68CA8B7-004F-D7B6...} |
| LocaleName | Locale name | en-US |
| TagName | Event tag name | BrowserHistory |
| TagId | Event tag ID | 1 |
| FullEventName | Complete event name | Microsoft.Windows.Shell.SystemSettings.AppDefaultsUpdated |
| LoggingBinaryName | Logging binary | SystemSettings.exe |
| FriendlyLoggingBinaryName | Friendly binary name | System Settings |
| FullEventNameHash | Event name hash | 12345678901234567890 |
| Keywords | Event keywords | 0x8000000000000000 |
| IsCore | Is core event | true |
| CompressedSize | Compressed payload size | 1024 |
| Payload | JSON payload data | {"AppId":"MSEdge","Url":"https://..."} |
Collection Method
This collector:
- Collects the EventTranscript database from ProgramData\Microsoft\Diagnosis\EventTranscript
- Opens the SQLite database
- Queries specific event types using SQL
- Parses JSON payloads from event records
- Extracts and structures data into separate tables
- Also exports raw event data organized by tags to CSV files
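The query-then-parse step above, shown as an added example that is not the collector's own code: it builds a constructed in-memory SQLite database whose table and column names (events_persisted, tag_descriptions) and event names are assumptions modelled on the fields listed on this page, not the real EventTranscript.db schema, then selects events by tag, parses each JSON payload, and flattens BrowserHistory events into SID/AccessTime/URL records. A payload that fails to parse is kept with Payload set to None rather than dropped.

```python
import json
import sqlite3

# Constructed sample data. Table/column names and event names are assumptions
# for illustration, not the real EventTranscript.db schema.
SAMPLE_TAGS = [(1, "BrowserHistory"), (2, "SoftwareSetupAndInventory")]
SAMPLE_EVENTS = [
    ("S-1-5-21-1000", "2023-10-15T14:30:00.123Z", 1, "Sample.Browser.Navigation",
     '{"AppId":"MSEdge","Url":"https://www.example.com"}'),
    ("S-1-5-21-1000", "2023-10-15T14:31:05.000Z", 1, "Sample.Browser.Navigation",
     '{"AppId":"MSEdge","Url":"https://intranet.example.local/login"}'),
    ("S-1-5-21-1000", "2023-10-01T10:00:00.000Z", 2, "Sample.Inventory.ApplicationAdd",
     '{"Name":"Google Chrome","Version":"118.0.5993.89"}'),
    # Truncated payload: simulates a record whose JSON was cut off on disk.
    ("S-1-5-21-1000", "2023-10-15T14:32:00.000Z", 1, "Sample.Browser.Navigation",
     '{"AppId":"MSEdge","Url":'),
]


def load_sample_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tag_descriptions (tag_id INTEGER, tag_name TEXT)")
    conn.execute("CREATE TABLE events_persisted (sid TEXT, timestamp TEXT, "
                 "tag_id INTEGER, full_event_name TEXT, payload TEXT)")
    conn.executemany("INSERT INTO tag_descriptions VALUES (?, ?)", SAMPLE_TAGS)
    conn.executemany("INSERT INTO events_persisted VALUES (?, ?, ?, ?, ?)", SAMPLE_EVENTS)
    return conn


def events_by_tag(conn, tag_name):
    """Select all events carrying one tag and parse their JSON payloads.
    Unparseable payloads are kept (Payload=None) so the row is not lost silently."""
    rows = conn.execute(
        "SELECT e.sid, e.timestamp, e.full_event_name, e.payload "
        "FROM events_persisted e JOIN tag_descriptions t ON e.tag_id = t.tag_id "
        "WHERE t.tag_name = ? ORDER BY e.timestamp", (tag_name,))
    out = []
    for sid, ts, name, raw in rows:
        try:
            payload = json.loads(raw)
        except json.JSONDecodeError:
            payload = None
        out.append({"SID": sid, "TimeStamp": ts, "FullEventName": name,
                    "Payload": payload, "RawPayload": raw})
    return out


def browser_history(conn):
    """Flatten BrowserHistory events into the SID/AccessTime/URL records described above."""
    return [{"SID": e["SID"], "AccessTime": e["TimeStamp"], "URL": e["Payload"]["Url"]}
            for e in events_by_tag(conn, "BrowserHistory")
            if e["Payload"] and "Url" in e["Payload"]]
```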
Forensic Value
EventTranscript provides unique telemetry data not available in traditional Windows logs. Investigators use this for historical browser activity tracking, application installation timelines, WiFi network history and geolocation, device installation tracking, user behavior patterns, and system configuration analysis.