├── .github └── ISSUE_TEMPLATE │ ├── bug_report.md │ └── feature_request.md ├── COMResearch ├── diagtrack.dll │ └── 1803 │ │ └── a8ac16b3039d1eeb58651979ea9f8c98 │ │ └── notes.txt ├── flightsettings.dll │ └── d479b75bbd70e7004e7fc13d497bca18 │ │ └── notes.txt └── telllib.dll │ └── c83da515d2082a22483d1f9bff022aa1 │ └── notes.txt ├── FileRepository └── DirectoryMonitorProOutput ├── FullEventNames ├── Browsing History │ └── BrowsingHistory_FullEventNames.txt ├── Device Connectivity and Configuration │ ├── Census JSON Examples.txt │ └── DeviceConnectivityandConfiguration_FullEventNames.txt ├── Inking Typing and Speech Utterance │ ├── InkingTypingandSpeechUtterance_FullEventNames.txt │ └── Microsoft.Windows.TextInput.LinguisticData JSON Examples.txt ├── Office Diagnostics │ ├── OfficeDiagnostics_FullEventNames.txt │ └── OfficeDiagnostics_SortedByApp.xlsx ├── Product and Service Performance │ ├── Microsoft.Windows.Kernel.Power.OSStateChange JSON Example.txt │ └── ProductandServicePerformance_FullEventNames.txt ├── Product and Service Usage │ ├── LSM Reconnect and Disconnect JSON Example.txt │ ├── ProductandServiceUsage_FullEventNames.txt │ ├── Size.exe Artifact Timestamp Comparison.xlsx │ └── Win32kTraceLogging.AppInteractivitySummary JSON Example.txt ├── RequiredOnly.txt ├── RequiredandOptional.txt └── Software Setup and Inventory │ └── SoftwareandSetupInventory_FullEventNames.txt ├── LICENSE ├── Pictures ├── DiagnosticDataOverviewFilteringandNewEventsOverview.gif ├── DiagnosticDataSettings.gif ├── DiagnosticDataViewer.jpg ├── DiagnosticDataViewerAboutYourData.jpg ├── DiagnosticDataViewerProblemReports.jpg ├── DiagnosticsandFeedbackSettings.jpg ├── DiagnosticsandFeedbackSettingsMarkedUp.jpg ├── JSONExtractExamples.jpg ├── OfficeDiagnosticData.jpg ├── Pasted image 20210518161731.png ├── Pasted image 20210518162055.png ├── Pasted image 20210518164349.png └── Pasted image 20210518165200.png └── README.md /.github/ISSUE_TEMPLATE/bug_report.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Bug report 3 | about: Create a report to help us improve 4 | title: '' 5 | labels: bug 6 | assignees: rathbuna 7 | 8 | --- 9 | 10 | **Describe the bug** 11 | A clear and concise description of what the bug is. 12 | 13 | **To Reproduce** 14 | Steps to reproduce the behavior: 15 | 1. Go to '...' 16 | 2. Click on '....' 17 | 3. Scroll down to '....' 18 | 4. See error 19 | 20 | **Expected behavior** 21 | A clear and concise description of what you expected to happen. 22 | 23 | **Screenshots** 24 | If applicable, add screenshots to help explain your problem. 25 | 26 | **Additional context** 27 | Add any other context about the problem here. 28 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/feature_request.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Feature request 3 | about: Suggest an idea for this project 4 | title: '' 5 | labels: enhancement 6 | assignees: rathbuna 7 | 8 | --- 9 | 10 | **Is your feature request related to a problem? Please describe.** 11 | A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] 12 | 13 | **Describe the solution you'd like** 14 | A clear and concise description of what you want to happen. 15 | 16 | **Describe alternatives you've considered** 17 | A clear and concise description of any alternative solutions or features you've considered. 18 | 19 | **Additional context** 20 | Add any other context or screenshots about the feature request here. 21 | -------------------------------------------------------------------------------- /COMResearch/diagtrack.dll/1803/a8ac16b3039d1eeb58651979ea9f8c98/notes.txt: -------------------------------------------------------------------------------- 1 | 2 | ------------------------------------------------------------------------------------------------------- 3 | 4 | COM object creation at 1801c2b94 5 | uuid: 3185a766-b338-11e4-a71e-12e3f512a338 - CLSID_FlightSettingsAPIBroker 6 | iid: e833feb2-c58a-45e4-8d93-08874744febb 7 | Name: Flight Settings API Broker 8 | Key: Computer\HKEY_CLASSES_ROOT\CLSID\{3185a766-b338-11e4-a71e-12e3f512a338} 9 | Path: %SystemRoot%\System32\FlightSettings.dll 10 | AppID: {7006698d-2974-4091-a424-85dd0b909e23} 11 | 12 | Instantiation failed 13 | 14 | ------------------------------------------------------------------------------------------------------- 15 | 16 | COM object creation at 180072064 17 | uuid: 0000034b-0000-0000-c000-000000000046 - CLSID_GlobalOptions 18 | iid: 0000015b-0000-0000-c000-000000000046 - IID_IGlobalOptions 19 | Name: GlobalOptions 20 | 21 | TypeName: System.__ComObject 22 | 23 | Name MemberType Definition 24 | ---- ---------- ---------- 25 | CreateObjRef Method System.Runtime.Remoting.ObjRef CreateObjRef(type requestedType) 26 | Equals Method bool Equals(System.Object obj) 27 | GetHashCode Method int GetHashCode() 28 | GetLifetimeService Method System.Object GetLifetimeService() 29 | GetType Method type GetType() 30 | InitializeLifetimeService Method System.Object InitializeLifetimeService() 31 | ToString Method string ToString() 32 | 33 | ------------------------------------------------------------------------------------------------------- 34 | 35 | COM object creation at 1801b0b07 36 | uuid: 0f87369f-a4e5-4cfc-bd3e-73e6154572dd - TaskScheduler 37 | iid: 2faba4c7-4da9-4013-9697-20cc3fd40f85 - IID_ITaskService 38 | 39 | TypeName: System.__ComObject#{2faba4c7-4da9-4013-9697-20cc3fd40f85} 40 | 41 | Name MemberType Definition 42 | ---- ---------- ---------- 43 | Connect Method void Connect (Variant, Variant, Variant, Variant) 44 | GetFolder Method ITaskFolder GetFolder (string) 45 | GetRunningTasks Method IRunningTaskCollection GetRunningTasks (int) 46 | NewTask Method ITaskDefinition NewTask (uint) 47 | Connected Property bool Connected () {get} 48 | ConnectedDomain Property string ConnectedDomain () {get} 49 | ConnectedUser Property string ConnectedUser () {get} 50 | HighestVersion Property uint HighestVersion () {get} 51 | TargetServer Property string TargetServer () {get} 52 | 53 | ------------------------------------------------------------------------------------------------------- 54 | 55 | COM object creation at 1800c8223 56 | uuid: b31c57ac-4a31-470f-bbee-dba1e5b246be - Flight Ids Client API 57 | iid: 79588f37-5be1-4a35-b23d-29832257cada 58 | Name: Flight Ids Client API 59 | Key: Computer\HKEY_CLASSES_ROOT\CLSID\{b31c57ac-4a31-470f-bbee-dba1e5b246be} 60 | Path: %SystemRoot%\System32\FlightSettings.dll 61 | 62 | 63 | TypeName: System.__ComObject 64 | 65 | Name MemberType Definition 66 | ---- ---------- ---------- 67 | CreateObjRef Method System.Runtime.Remoting.ObjRef CreateObjRef(type requestedType) 68 | Equals Method bool Equals(System.Object obj) 69 | GetHashCode Method int GetHashCode() 70 | GetLifetimeService Method System.Object GetLifetimeService() 71 | GetType Method type GetType() 72 | InitializeLifetimeService Method System.Object InitializeLifetimeService() 73 | ToString Method string ToString() 74 | 75 | 76 | ------------------------------------------------------------------------------------------------------- 77 | 78 | COM object creation at 1800dfdba 79 | uuid: b31c57ac-4a31-470f-bbee-dba1e5b246be - Flight Ids Client API 80 | iid: 79588f37-5be1-4a35-b23d-29832257cada 81 | Name: Flight Ids Client API 82 | Key: Computer\HKEY_CLASSES_ROOT\CLSID\{b31c57ac-4a31-470f-bbee-dba1e5b246be} 83 | Path: %SystemRoot%\System32\FlightSettings.dll 84 | 85 | 86 | TypeName: System.__ComObject 87 | 88 | Name MemberType Definition 89 | ---- ---------- ---------- 90 | CreateObjRef Method System.Runtime.Remoting.ObjRef CreateObjRef(type requestedType) 91 | Equals Method bool Equals(System.Object obj) 92 | GetHashCode Method int GetHashCode() 93 | GetLifetimeService Method System.Object GetLifetimeService() 94 | GetType Method type GetType() 95 | InitializeLifetimeService Method System.Object InitializeLifetimeService() 96 | ToString Method string ToString() 97 | 98 | ------------------------------------------------------------------------------------------------------- 99 | 100 | COM object creation at 1800f6ef0 101 | uuid: b31c57ac-4a31-470f-bbee-dba1e5b246be - Flight Ids Client API 102 | iid: 79588f37-5be1-4a35-b23d-29832257cada 103 | Name: Flight Ids Client API 104 | Key: Computer\HKEY_CLASSES_ROOT\CLSID\{b31c57ac-4a31-470f-bbee-dba1e5b246be} 105 | Path: %SystemRoot%\System32\FlightSettings.dll 106 | 107 | 108 | TypeName: System.__ComObject 109 | 110 | Name MemberType Definition 111 | ---- ---------- ---------- 112 | CreateObjRef Method System.Runtime.Remoting.ObjRef CreateObjRef(type requestedType) 113 | Equals Method bool Equals(System.Object obj) 114 | GetHashCode Method int GetHashCode() 115 | GetLifetimeService Method System.Object GetLifetimeService() 116 | GetType Method type GetType() 117 | InitializeLifetimeService Method System.Object InitializeLifetimeService() 118 | ToString Method string ToString() 119 | 120 | ------------------------------------------------------------------------------------------------------- 121 | 122 | COM object creation at 18003f2bf 123 | uuid: b31c57ac-4a31-470f-bbee-dba1e5b246be - Flight Ids Client API 124 | iid: 79588f37-5be1-4a35-b23d-29832257cada 125 | Name: Flight Ids Client API 126 | Key: Computer\HKEY_CLASSES_ROOT\CLSID\{b31c57ac-4a31-470f-bbee-dba1e5b246be} 127 | Path: %SystemRoot%\System32\FlightSettings.dll 128 | 129 | 130 | TypeName: System.__ComObject 131 | 132 | Name MemberType Definition 133 | ---- ---------- ---------- 134 | CreateObjRef Method System.Runtime.Remoting.ObjRef CreateObjRef(type requestedType) 135 | Equals Method bool Equals(System.Object obj) 136 | GetHashCode Method int GetHashCode() 137 | GetLifetimeService Method System.Object GetLifetimeService() 138 | GetType Method type GetType() 139 | InitializeLifetimeService Method System.Object InitializeLifetimeService() 140 | ToString Method string ToString() 141 | 142 | ------------------------------------------------------------------------------------------------------- 143 | 144 | COM object creation at 1800958ba 145 | uuid: 3185a766-b338-11e4-a71e-12e3f512a338 - CLSID_FlightSettingsAPIBroker 146 | iid: e833feb2-c58a-45e4-8d93-08874744febb 147 | Name: Flight Settings API Broker 148 | Key: Computer\HKEY_CLASSES_ROOT\CLSID\{3185a766-b338-11e4-a71e-12e3f512a338} 149 | Path: %SystemRoot%\System32\FlightSettings.dll 150 | AppID: {7006698d-2974-4091-a424-85dd0b909e23} 151 | 152 | Instantiation failed 153 | 154 | ------------------------------------------------------------------------------------------------------- 155 | 156 | COM object creation at 180095a8b 157 | uuid: 3185a766-b338-11e4-a71e-12e3f512a338 - CLSID_FlightSettingsAPIBroker 158 | iid: e833feb2-c58a-45e4-8d93-08874744febb 159 | Name: Flight Settings API Broker 160 | Key: Computer\HKEY_CLASSES_ROOT\CLSID\{3185a766-b338-11e4-a71e-12e3f512a338} 161 | Path: %SystemRoot%\System32\FlightSettings.dll 162 | AppID: {7006698d-2974-4091-a424-85dd0b909e23} 163 | 164 | Instantiation failed 165 | 166 | ------------------------------------------------------------------------------------------------------- 167 | 168 | COM object creation at 1800a5598 169 | uuid: 0134a8b2-3407-4b45-ad25-e9f7c92a80bc - XblAuthManager 170 | iid: 097ad6b8-203b-4506-a509-02e4b11b6bb5 171 | LocalService: XblAuthManager 172 | 173 | TypeName: System.__ComObject 174 | 175 | Name MemberType Definition 176 | ---- ---------- ---------- 177 | CreateObjRef Method System.Runtime.Remoting.ObjRef CreateObjRef(type requestedType) 178 | Equals Method bool Equals(System.Object obj) 179 | GetHashCode Method int GetHashCode() 180 | GetLifetimeService Method System.Object GetLifetimeService() 181 | GetType Method type GetType() 182 | InitializeLifetimeService Method System.Object InitializeLifetimeService() 183 | ToString Method string ToString() 184 | 185 | ------------------------------------------------------------------------------------------------------- 186 | 187 | COM object creation at 1801ec174 188 | uuid: 17e24fbc-4d64-459e-8595-fd7154c6d113 - CLSID_HVSIContainerManager 189 | iid: 2524d4e0-180b-40f1-99b3-73b65847d0df 190 | Key: Computer\HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{17e24fbc-4d64-459e-8595-fd7154c6d113} 191 | AppID: {24c7514d-82c5-4522-9030-c915a4291a6e} 192 | 193 | Instantiation failed 194 | 195 | ------------------------------------------------------------------------------------------------------- 196 | 197 | COM object creation at 1800ba1a7 198 | uuid: 3185a766-b338-11e4-a71e-12e3f512a338 - CLSID_FlightSettingsAPIBroker 199 | iid: e833feb2-c58a-45e4-8d93-08874744febb 200 | Name: Flight Settings API Broker 201 | Key: Computer\HKEY_CLASSES_ROOT\CLSID\{3185a766-b338-11e4-a71e-12e3f512a338} 202 | Path: %SystemRoot%\System32\FlightSettings.dll 203 | AppID: {7006698d-2974-4091-a424-85dd0b909e23} 204 | 205 | Instantiation failed 206 | 207 | ------------------------------------------------------------------------------------------------------- 208 | 209 | COM object creation at 1800ba35b 210 | uuid: 3185a766-b338-11e4-a71e-12e3f512a338 - CLSID_FlightSettingsAPIBroker 211 | iid: e833feb2-c58a-45e4-8d93-08874744febb 212 | Name: Flight Settings API Broker 213 | Key: Computer\HKEY_CLASSES_ROOT\CLSID\{3185a766-b338-11e4-a71e-12e3f512a338} 214 | Path: %SystemRoot%\System32\FlightSettings.dll 215 | AppID: {7006698d-2974-4091-a424-85dd0b909e23} 216 | 217 | Instantiation failed 218 | 219 | ------------------------------------------------------------------------------------------------------- 220 | 221 | COM object creation at 1800ba1a7 222 | uuid: 3185a766-b338-11e4-a71e-12e3f512a338 - CLSID_FlightSettingsAPIBroker 223 | iid: e833feb2-c58a-45e4-8d93-08874744febb 224 | Name: Flight Settings API Broker 225 | Key: Computer\HKEY_CLASSES_ROOT\CLSID\{3185a766-b338-11e4-a71e-12e3f512a338} 226 | Path: %SystemRoot%\System32\FlightSettings.dll 227 | AppID: {7006698d-2974-4091-a424-85dd0b909e23} 228 | 229 | Instantiation failed 230 | 231 | ------------------------------------------------------------------------------------------------------- 232 | 233 | COM object creation at 1800ba35b 234 | uuid: 3185a766-b338-11e4-a71e-12e3f512a338 - CLSID_FlightSettingsAPIBroker 235 | iid: e833feb2-c58a-45e4-8d93-08874744febb 236 | Name: Flight Settings API Broker 237 | Key: Computer\HKEY_CLASSES_ROOT\CLSID\{3185a766-b338-11e4-a71e-12e3f512a338} 238 | Path: %SystemRoot%\System32\FlightSettings.dll 239 | AppID: {7006698d-2974-4091-a424-85dd0b909e23} 240 | 241 | Instantiation failed 242 | 243 | ------------------------------------------------------------------------------------------------------- 244 | 245 | COM object creation at 18017bd11 246 | uuid: 3185a766-b338-11e4-a71e-12e3f512a338 - CLSID_FlightSettingsAPIBroker 247 | iid: e833feb2-c58a-45e4-8d93-08874744febb 248 | Name: Flight Settings API Broker 249 | Key: Computer\HKEY_CLASSES_ROOT\CLSID\{3185a766-b338-11e4-a71e-12e3f512a338} 250 | Path: %SystemRoot%\System32\FlightSettings.dll 251 | AppID: {7006698d-2974-4091-a424-85dd0b909e23} 252 | 253 | Instantiation failed 254 | 255 | ------------------------------------------------------------------------------------------------------- 256 | 257 | COM object creation at 18017b75c 258 | uuid: b31c57ac-4a31-470f-bbee-dba1e5b246be - Flight Ids Client API 259 | iid: 79588f37-5be1-4a35-b23d-29832257cada 260 | Name: Flight Ids Client API 261 | Key: Computer\HKEY_CLASSES_ROOT\CLSID\{b31c57ac-4a31-470f-bbee-dba1e5b246be} 262 | Path: %SystemRoot%\System32\FlightSettings.dll 263 | 264 | 265 | TypeName: System.__ComObject 266 | 267 | Name MemberType Definition 268 | ---- ---------- ---------- 269 | CreateObjRef Method System.Runtime.Remoting.ObjRef CreateObjRef(type requestedType) 270 | Equals Method bool Equals(System.Object obj) 271 | GetHashCode Method int GetHashCode() 272 | GetLifetimeService Method System.Object GetLifetimeService() 273 | GetType Method type GetType() 274 | InitializeLifetimeService Method System.Object InitializeLifetimeService() 275 | ToString Method string ToString() 276 | 277 | 278 | ------------------------------------------------------------------------------------------------------- 279 | 280 | COM object creation at 1800b7900 281 | uuid: 0c9281f9-6da1-4006-8729-de6e6b61581c - CLSID_CWindowsPushNotificationPlatform 282 | iid: df8e9480-ca73-448e-b8f0-da000f581428 - IID_IWpnPlatform 283 | 284 | Instantiation: 285 | TypeName: System.__ComObject 286 | 287 | Name MemberType Definition 288 | ---- ---------- ---------- 289 | CreateObjRef Method System.Runtime.Remoting.ObjRef CreateObjRef(type requestedType) 290 | Equals Method bool Equals(System.Object obj) 291 | GetHashCode Method int GetHashCode() 292 | GetLifetimeService Method System.Object GetLifetimeService() 293 | GetType Method type GetType() 294 | InitializeLifetimeService Method System.Object InitializeLifetimeService() 295 | ToString Method string ToString() 296 | 297 | ------------------------------------------------------------------------------------------------------- -------------------------------------------------------------------------------- /COMResearch/flightsettings.dll/d479b75bbd70e7004e7fc13d497bca18/notes.txt: -------------------------------------------------------------------------------- 1 | 2 | ------------------------------------------------------------------------------------------------------- 3 | 4 | COM object creation at 18005abbf 5 | uuid: b31c57ac-4a31-470f-bbee-dba1e5b246be - Flight Ids Client API 6 | iid: 79588f37-5be1-4a35-b23d-29832257cada 7 | Name: Flight Ids Client API 8 | Key: Computer\HKEY_CLASSES_ROOT\CLSID\{b31c57ac-4a31-470f-bbee-dba1e5b246be} 9 | Path: %SystemRoot%\System32\FlightSettings.dll 10 | 11 | 12 | TypeName: System.__ComObject 13 | 14 | Name MemberType Definition 15 | ---- ---------- ---------- 16 | CreateObjRef Method System.Runtime.Remoting.ObjRef CreateObjRef(type requestedType) 17 | Equals Method bool Equals(System.Object obj) 18 | GetHashCode Method int GetHashCode() 19 | GetLifetimeService Method System.Object GetLifetimeService() 20 | GetType Method type GetType() 21 | InitializeLifetimeService Method System.Object InitializeLifetimeService() 22 | ToString Method string ToString() 23 | 24 | ------------------------------------------------------------------------------------------------------- 25 | 26 | COM object creation at 18005498e 27 | uuid: 3185a766-b338-11e4-a71e-12e3f512a338 - CLSID_FlightSettingsAPIBroker 28 | iid: e833feb2-c58a-45e4-8d93-08874744febb 29 | Name: Flight Settings API Broker 30 | Key: Computer\HKEY_CLASSES_ROOT\CLSID\{3185a766-b338-11e4-a71e-12e3f512a338} 31 | Path: %SystemRoot%\System32\FlightSettings.dll 32 | AppID: {7006698d-2974-4091-a424-85dd0b909e23} 33 | 34 | Instantiation failed 35 | 36 | ------------------------------------------------------------------------------------------------------- 37 | 38 | COM object creation at 1800879eb 39 | uuid: 0c9281f9-6da1-4006-8729-de6e6b61581c - CLSID_CWindowsPushNotificationPlatform 40 | iid: df8e9480-ca73-448e-b8f0-da000f581428 - IID_IWpnPlatform 41 | 42 | Instantiation: 43 | TypeName: System.__ComObject 44 | 45 | Name MemberType Definition 46 | ---- ---------- ---------- 47 | CreateObjRef Method System.Runtime.Remoting.ObjRef CreateObjRef(type requestedType) 48 | Equals Method bool Equals(System.Object obj) 49 | GetHashCode Method int GetHashCode() 50 | GetLifetimeService Method System.Object GetLifetimeService() 51 | GetType Method type GetType() 52 | InitializeLifetimeService Method System.Object InitializeLifetimeService() 53 | ToString Method string ToString() 54 | 55 | ------------------------------------------------------------------------------------------------------- 56 | 57 | COM object creation at 180061aad 58 | uuid: 0000034b-0000-0000-c000-000000000046 - CLSID_GlobalOptions 59 | iid: 0000015b-0000-0000-c000-000000000046 - IID_IGlobalOptions 60 | Name: GlobalOptions 61 | 62 | TypeName: System.__ComObject 63 | 64 | Name MemberType Definition 65 | ---- ---------- ---------- 66 | CreateObjRef Method System.Runtime.Remoting.ObjRef CreateObjRef(type requestedType) 67 | Equals Method bool Equals(System.Object obj) 68 | GetHashCode Method int GetHashCode() 69 | GetLifetimeService Method System.Object GetLifetimeService() 70 | GetType Method type GetType() 71 | InitializeLifetimeService Method System.Object InitializeLifetimeService() 72 | ToString Method string ToString() 73 | 74 | ------------------------------------------------------------------------------------------------------- 75 | 76 | COM object creation at 180079b39 77 | uuid: b31c57ac-4a31-470f-bbee-dba1e5b246be - Flight Ids Client API 78 | iid: 79588f37-5be1-4a35-b23d-29832257cada 79 | Name: Flight Ids Client API 80 | Key: Computer\HKEY_CLASSES_ROOT\CLSID\{b31c57ac-4a31-470f-bbee-dba1e5b246be} 81 | Path: %SystemRoot%\System32\FlightSettings.dll 82 | 83 | 84 | TypeName: System.__ComObject 85 | 86 | Name MemberType Definition 87 | ---- ---------- ---------- 88 | CreateObjRef Method System.Runtime.Remoting.ObjRef CreateObjRef(type requestedType) 89 | Equals Method bool Equals(System.Object obj) 90 | GetHashCode Method int GetHashCode() 91 | GetLifetimeService Method System.Object GetLifetimeService() 92 | GetType Method type GetType() 93 | InitializeLifetimeService Method System.Object InitializeLifetimeService() 94 | ToString Method string ToString() 95 | 96 | ------------------------------------------------------------------------------------------------------- 97 | 98 | COM object creation at 18007ab50 99 | uuid: b91d5831-b1bd-4608-8198-d72e155020f7 - UpdateSessionOrchestrator 100 | iid: 07f3afac-7c8a-4ce7-a5e0-3d24ee8a77e0 101 | Name: UpdateSessionOrchestrator 102 | Key: Computer\HKEY_CLASSES_ROOT\CLSID\{B91D5831-B1BD-4608-8198-D72E155020F7} 103 | AppID: {E7299E79-75E5-47BB-A03D-6D319FB7F886} 104 | Path: %SystemRoot%\System32\usosvc.dll 105 | 106 | Instantiation failed 107 | 108 | ------------------------------------------------------------------------------------------------------- 109 | 110 | COM object creation at 18002fc0a 111 | uuid: 4590f811-1d3a-11d0-891f-00aa004b2e24 - CLSID_WbemLocator 112 | iid: dc12a687-737f-11cf-884d-00aa004b2e24 - IID_IWbemLocator 113 | Name: WEBM Locator 114 | Key: Computer\HKEY_CLASSES_ROOT\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24} 115 | Path: %systemroot%\system32\wbem\wbemprox.dll 116 | 117 | TypeName: System.__ComObject 118 | 119 | Name MemberType Definition 120 | ---- ---------- ---------- 121 | CreateObjRef Method System.Runtime.Remoting.ObjRef CreateObjRef(type requestedType) 122 | Equals Method bool Equals(System.Object obj) 123 | GetHashCode Method int GetHashCode() 124 | GetLifetimeService Method System.Object GetLifetimeService() 125 | GetType Method type GetType() 126 | InitializeLifetimeService Method System.Object InitializeLifetimeService() 127 | ToString Method string ToString() 128 | 129 | ------------------------------------------------------------------------------------------------------- 130 | 131 | COM object creation at 180071cae 132 | uuid: 00000323-0000-0000-c000-000000000046 - CLSID_StdGlobalInterfaceTable 133 | iid: 00000146-0000-0000-c000-000000000046 - IID_IGlobalInterfaceTable 134 | 135 | TypeName: System.__ComObject 136 | 137 | Name MemberType Definition 138 | ---- ---------- ---------- 139 | CreateObjRef Method System.Runtime.Remoting.ObjRef CreateObjRef(type requestedType) 140 | Equals Method bool Equals(System.Object obj) 141 | GetHashCode Method int GetHashCode() 142 | GetLifetimeService Method System.Object GetLifetimeService() 143 | GetType Method type GetType() 144 | InitializeLifetimeService Method System.Object InitializeLifetimeService() 145 | ToString Method string ToString() 146 | 147 | ------------------------------------------------------------------------------------------------------- 148 | 149 | COM object creation at 18004ae06 150 | uuid: b31c57ac-4a31-470f-bbee-dba1e5b246be - Flight Ids Client API 151 | iid: 79588f37-5be1-4a35-b23d-29832257cada 152 | Name: Flight Ids Client API 153 | Key: Computer\HKEY_CLASSES_ROOT\CLSID\{b31c57ac-4a31-470f-bbee-dba1e5b246be} 154 | Path: %SystemRoot%\System32\FlightSettings.dll 155 | 156 | 157 | TypeName: System.__ComObject 158 | 159 | Name MemberType Definition 160 | ---- ---------- ---------- 161 | CreateObjRef Method System.Runtime.Remoting.ObjRef CreateObjRef(type requestedType) 162 | Equals Method bool Equals(System.Object obj) 163 | GetHashCode Method int GetHashCode() 164 | GetLifetimeService Method System.Object GetLifetimeService() 165 | GetType Method type GetType() 166 | InitializeLifetimeService Method System.Object InitializeLifetimeService() 167 | ToString Method string ToString() 168 | 169 | ------------------------------------------------------------------------------------------------------- 170 | 171 | COM object creation at 180049eef 172 | uuid: 0000034b-0000-0000-c000-000000000046 - CLSID_GlobalOptions 173 | iid: 0000015b-0000-0000-c000-000000000046 - IID_IGlobalOptions 174 | Name: GlobalOptions 175 | 176 | TypeName: System.__ComObject 177 | 178 | Name MemberType Definition 179 | ---- ---------- ---------- 180 | CreateObjRef Method System.Runtime.Remoting.ObjRef CreateObjRef(type requestedType) 181 | Equals Method bool Equals(System.Object obj) 182 | GetHashCode Method int GetHashCode() 183 | GetLifetimeService Method System.Object GetLifetimeService() 184 | GetType Method type GetType() 185 | InitializeLifetimeService Method System.Object InitializeLifetimeService() 186 | ToString Method string ToString() 187 | 188 | ------------------------------------------------------------------------------------------------------- 189 | 190 | COM object creation at 18004af26 191 | uuid: b31c57ac-4a31-470f-bbee-dba1e5b246be - Flight Ids Client API 192 | iid: 79588f37-5be1-4a35-b23d-29832257cada 193 | Name: Flight Ids Client API 194 | Key: Computer\HKEY_CLASSES_ROOT\CLSID\{b31c57ac-4a31-470f-bbee-dba1e5b246be} 195 | Path: %SystemRoot%\System32\FlightSettings.dll 196 | 197 | TypeName: System.__ComObject 198 | 199 | Name MemberType Definition 200 | ---- ---------- ---------- 201 | CreateObjRef Method System.Runtime.Remoting.ObjRef CreateObjRef(type requestedType) 202 | Equals Method bool Equals(System.Object obj) 203 | GetHashCode Method int GetHashCode() 204 | GetLifetimeService Method System.Object GetLifetimeService() 205 | GetType Method type GetType() 206 | InitializeLifetimeService Method System.Object InitializeLifetimeService() 207 | ToString Method string ToString() 208 | 209 | ------------------------------------------------------------------------------------------------------- 210 | 211 | COM object creation at 180079fc6 212 | uuid: b31c57ac-4a31-470f-bbee-dba1e5b246be - Flight Ids Client API 213 | iid: 79588f37-5be1-4a35-b23d-29832257cada 214 | Name: Flight Ids Client API 215 | Key: Computer\HKEY_CLASSES_ROOT\CLSID\{b31c57ac-4a31-470f-bbee-dba1e5b246be} 216 | Path: %SystemRoot%\System32\FlightSettings.dll 217 | 218 | TypeName: System.__ComObject 219 | 220 | Name MemberType Definition 221 | ---- ---------- ---------- 222 | CreateObjRef Method System.Runtime.Remoting.ObjRef CreateObjRef(type requestedType) 223 | Equals Method bool Equals(System.Object obj) 224 | GetHashCode Method int GetHashCode() 225 | GetLifetimeService Method System.Object GetLifetimeService() 226 | GetType Method type GetType() 227 | InitializeLifetimeService Method System.Object InitializeLifetimeService() 228 | ToString Method string ToString() 229 | 230 | ------------------------------------------------------------------------------------------------------- 231 | 232 | COM object creation at 18001c3b8 233 | uuid: b31c57ac-4a31-470f-bbee-dba1e5b246be - Flight Ids Client API 234 | iid: 79588f37-5be1-4a35-b23d-29832257cada 235 | Name: Flight Ids Client API 236 | Key: Computer\HKEY_CLASSES_ROOT\CLSID\{b31c57ac-4a31-470f-bbee-dba1e5b246be} 237 | Path: %SystemRoot%\System32\FlightSettings.dll 238 | 239 | TypeName: System.__ComObject 240 | 241 | Name MemberType Definition 242 | ---- ---------- ---------- 243 | CreateObjRef Method System.Runtime.Remoting.ObjRef CreateObjRef(type requestedType) 244 | Equals Method bool Equals(System.Object obj) 245 | GetHashCode Method int GetHashCode() 246 | GetLifetimeService Method System.Object GetLifetimeService() 247 | GetType Method type GetType() 248 | InitializeLifetimeService Method System.Object InitializeLifetimeService() 249 | ToString Method string ToString() 250 | 251 | ------------------------------------------------------------------------------------------------------- 252 | 253 | COM object creation at 18005f4c1 254 | uuid: 0000034b-0000-0000-c000-000000000046 - CLSID_GlobalOptions 255 | iid: 0000015b-0000-0000-c000-000000000046 - IID_IGlobalOptions 256 | Name: GlobalOptions 257 | 258 | TypeName: System.__ComObject 259 | 260 | Name MemberType Definition 261 | ---- ---------- ---------- 262 | CreateObjRef Method System.Runtime.Remoting.ObjRef CreateObjRef(type requestedType) 263 | Equals Method bool Equals(System.Object obj) 264 | GetHashCode Method int GetHashCode() 265 | GetLifetimeService Method System.Object GetLifetimeService() 266 | GetType Method type GetType() 267 | InitializeLifetimeService Method System.Object InitializeLifetimeService() 268 | ToString Method string ToString() 269 | 270 | ------------------------------------------------------------------------------------------------------- 271 | 272 | COM object creation at 18008062d 273 | uuid: b91d5831-b1bd-4608-8198-d72e155020f7 - UpdateSessionOrchestrator 274 | iid: 07f3afac-7c8a-4ce7-a5e0-3d24ee8a77e0 275 | Name: UpdateSessionOrchestrator 276 | AppID: {E7299E79-75E5-47BB-A03D-6D319FB7F886} 277 | Path: %SystemRoot%\System32\usosvc.dll 278 | 279 | Instantiation failed 280 | 281 | ------------------------------------------------------------------------------------------------------- 282 | 283 | COM object creation at 18000565a 284 | uuid: 1fd1b5a7-5c96-4711-a7c3-fff6d21f93d9 - Windows Push Notification System Platform 285 | iid: df8e9480-ca73-448e-b8f0-da000f581428 - IID_IWpnPlatform 286 | Name: Windows Push Notification System Platform 287 | Key: Computer\HKEY_CLASSES_ROOT\CLSID\{1FD1B5A7-5C96-4711-A7C3-FFF6D21F93D9} 288 | AppID: {34E76A18-223B-4E23-BEAD-F59358CC0A90} 289 | 290 | TypeName: System.__ComObject 291 | 292 | Name MemberType Definition 293 | ---- ---------- ---------- 294 | CreateObjRef Method System.Runtime.Remoting.ObjRef CreateObjRef(type requestedType) 295 | Equals Method bool Equals(System.Object obj) 296 | GetHashCode Method int GetHashCode() 297 | GetLifetimeService Method System.Object GetLifetimeService() 298 | GetType Method type GetType() 299 | InitializeLifetimeService Method System.Object InitializeLifetimeService() 300 | ToString Method string ToString() 301 | 302 | ------------------------------------------------------------------------------------------------------- 303 | 304 | COM object creation at 1800046cd 305 | uuid: 0000034e-0000-0000-c000-000000000046 - CLSID_ContextSwitcher 306 | iid: 000001da-0000-0000-c000-000000000046 - IID_IContextCallback 307 | 308 | TypeName: System.__ComObject 309 | 310 | Name MemberType Definition 311 | ---- ---------- ---------- 312 | CreateObjRef Method System.Runtime.Remoting.ObjRef CreateObjRef(type requestedType) 313 | Equals Method bool Equals(System.Object obj) 314 | GetHashCode Method int GetHashCode() 315 | GetLifetimeService Method System.Object GetLifetimeService() 316 | GetType Method type GetType() 317 | InitializeLifetimeService Method System.Object InitializeLifetimeService() 318 | ToString Method string ToString() 319 | 320 | ------------------------------------------------------------------------------------------------------- 321 | 322 | COM object creation at 180030741 323 | uuid: 66d0db14-5638-475f-a386-629522d8c461 - ConfigManager2 324 | iid: 56a4bdd5-835a-4dd5-95b5-44805ca37db0 325 | Name: ConfigManager2 326 | Path: %systemroot%\system32\configmanager2.dll 327 | Key: Computer\HKEY_CLASSES_ROOT\CLSID\{66D0DB14-5638-475f-A386-629522D8C461} 328 | 329 | TypeName: System.__ComObject 330 | 331 | Name MemberType Definition 332 | ---- ---------- ---------- 333 | CreateObjRef Method System.Runtime.Remoting.ObjRef CreateObjRef(type requestedType) 334 | Equals Method bool Equals(System.Object obj) 335 | GetHashCode Method int GetHashCode() 336 | GetLifetimeService Method System.Object GetLifetimeService() 337 | GetType Method type GetType() 338 | InitializeLifetimeService Method System.Object InitializeLifetimeService() 339 | ToString Method string ToString() 340 | 341 | ------------------------------------------------------------------------------------------------------- 342 | 343 | COM object creation at 18002f816 344 | uuid: 3185a766-b338-11e4-a71e-12e3f512a338 - CLSID_FlightSettingsAPIBroker 345 | iid: e833feb2-c58a-45e4-8d93-08874744febb 346 | Name: Flight Settings API Broker 347 | Key: Computer\HKEY_CLASSES_ROOT\CLSID\{3185a766-b338-11e4-a71e-12e3f512a338} 348 | Path: %SystemRoot%\System32\FlightSettings.dll 349 | AppID: {7006698d-2974-4091-a424-85dd0b909e23} 350 | 351 | Instantiation failed 352 | 353 | ------------------------------------------------------------------------------------------------------- 354 | 355 | COM object creation at 18007a7d5 356 | uuid: b91d5831-b1bd-4608-8198-d72e155020f7 - UpdateSessionOrchestrator 357 | iid: 07f3afac-7c8a-4ce7-a5e0-3d24ee8a77e0 358 | Name: UpdateSessionOrchestrator 359 | AppID: {E7299E79-75E5-47BB-A03D-6D319FB7F886} 360 | Path: %SystemRoot%\System32\usosvc.dll 361 | 362 | Instantiation failed 363 | 364 | ------------------------------------------------------------------------------------------------------- 365 | -------------------------------------------------------------------------------- /COMResearch/telllib.dll/c83da515d2082a22483d1f9bff022aa1/notes.txt: -------------------------------------------------------------------------------- 1 | 2 | ------------------------------------------------------------------------------------------------------- 3 | 4 | COM object creation at 18008fa3e 5 | uuid: 3185a766-b338-11e4-a71e-12e3f512a338 - CLSID_FlightSettingsAPIBroker 6 | iid: e833feb2-c58a-45e4-8d93-08874744febb 7 | Name: Flight Settings API Broker 8 | Key: Computer\HKEY_CLASSES_ROOT\CLSID\{3185a766-b338-11e4-a71e-12e3f512a338} 9 | Path: %SystemRoot%\System32\FlightSettings.dll 10 | AppID: {7006698d-2974-4091-a424-85dd0b909e23} 11 | 12 | Instantiation failed 13 | 14 | ------------------------------------------------------------------------------------------------------- 15 | 16 | COM object creation at 1801eb625 17 | uuid: 3185a766-b338-11e4-a71e-12e3f512a338 - CLSID_FlightSettingsAPIBroker 18 | iid: e833feb2-c58a-45e4-8d93-08874744febb 19 | Name: Flight Settings API Broker 20 | Key: Computer\HKEY_CLASSES_ROOT\CLSID\{3185a766-b338-11e4-a71e-12e3f512a338} 21 | Path: %SystemRoot%\System32\FlightSettings.dll 22 | AppID: {7006698d-2974-4091-a424-85dd0b909e23} 23 | 24 | Instantiation failed 25 | 26 | ------------------------------------------------------------------------------------------------------- 27 | 28 | COM object creation at 1801eb82e 29 | uuid: b31c57ac-4a31-470f-bbee-dba1e5b246be - Flight Ids Client API 30 | iid: 79588f37-5be1-4a35-b23d-29832257cada 31 | Name: Flight Ids Client API 32 | Key: Computer\HKEY_CLASSES_ROOT\CLSID\{b31c57ac-4a31-470f-bbee-dba1e5b246be} 33 | Path: %SystemRoot%\System32\FlightSettings.dll 34 | 35 | 36 | TypeName: System.__ComObject 37 | 38 | Name MemberType Definition 39 | ---- ---------- ---------- 40 | CreateObjRef Method System.Runtime.Remoting.ObjRef CreateObjRef(type requestedType) 41 | Equals Method bool Equals(System.Object obj) 42 | GetHashCode Method int GetHashCode() 43 | GetLifetimeService Method System.Object GetLifetimeService() 44 | GetType Method type GetType() 45 | InitializeLifetimeService Method System.Object InitializeLifetimeService() 46 | ToString Method string ToString() 47 | 48 | ------------------------------------------------------------------------------------------------------- 49 | 50 | COM object creation at 18008f81b 51 | uuid: 3185a766-b338-11e4-a71e-12e3f512a338 - CLSID_FlightSettingsAPIBroker 52 | iid: e833feb2-c58a-45e4-8d93-08874744febb 53 | Name: Flight Settings API Broker 54 | Key: Computer\HKEY_CLASSES_ROOT\CLSID\{3185a766-b338-11e4-a71e-12e3f512a338} 55 | Path: %SystemRoot%\System32\FlightSettings.dll 56 | AppID: {7006698d-2974-4091-a424-85dd0b909e23} 57 | 58 | Instantiation failed 59 | 60 | ------------------------------------------------------------------------------------------------------- 61 | 62 | COM object creation at 18010eb23 63 | uuid: b31c57ac-4a31-470f-bbee-dba1e5b246be - Flight Ids Client API 64 | iid: 79588f37-5be1-4a35-b23d-29832257cada 65 | Name: Flight Ids Client API 66 | Key: Computer\HKEY_CLASSES_ROOT\CLSID\{b31c57ac-4a31-470f-bbee-dba1e5b246be} 67 | Path: %SystemRoot%\System32\FlightSettings.dll 68 | 69 | TypeName: System.__ComObject 70 | 71 | Name MemberType Definition 72 | ---- ---------- ---------- 73 | CreateObjRef Method System.Runtime.Remoting.ObjRef CreateObjRef(type requestedType) 74 | Equals Method bool Equals(System.Object obj) 75 | GetHashCode Method int GetHashCode() 76 | GetLifetimeService Method System.Object GetLifetimeService() 77 | GetType Method type GetType() 78 | InitializeLifetimeService Method System.Object InitializeLifetimeService() 79 | ToString Method string ToString() 80 | 81 | ------------------------------------------------------------------------------------------------------- 82 | 83 | COM object creation at 1800eaeff 84 | uuid: b31c57ac-4a31-470f-bbee-dba1e5b246be - Flight Ids Client API 85 | iid: 79588f37-5be1-4a35-b23d-29832257cada 86 | Name: Flight Ids Client API 87 | Key: Computer\HKEY_CLASSES_ROOT\CLSID\{b31c57ac-4a31-470f-bbee-dba1e5b246be} 88 | Path: %SystemRoot%\System32\FlightSettings.dll 89 | 90 | TypeName: System.__ComObject 91 | 92 | Name MemberType Definition 93 | ---- ---------- ---------- 94 | CreateObjRef Method System.Runtime.Remoting.ObjRef CreateObjRef(type requestedType) 95 | Equals Method bool Equals(System.Object obj) 96 | GetHashCode Method int GetHashCode() 97 | GetLifetimeService Method System.Object GetLifetimeService() 98 | GetType Method type GetType() 99 | InitializeLifetimeService Method System.Object InitializeLifetimeService() 100 | ToString Method string ToString() 101 | 102 | ------------------------------------------------------------------------------------------------------- 103 | 104 | COM object creation at 18024e566 105 | uuid: 3185a766-b338-11e4-a71e-12e3f512a338 - CLSID_FlightSettingsAPIBroker 106 | iid: e833feb2-c58a-45e4-8d93-08874744febb 107 | Name: Flight Settings API Broker 108 | Key: Computer\HKEY_CLASSES_ROOT\CLSID\{3185a766-b338-11e4-a71e-12e3f512a338} 109 | Path: %SystemRoot%\System32\FlightSettings.dll 110 | AppID: {7006698d-2974-4091-a424-85dd0b909e23} 111 | 112 | Instantiation failed 113 | 114 | ------------------------------------------------------------------------------------------------------- 115 | 116 | COM object creation at 18003aa4e 117 | uuid: b31c57ac-4a31-470f-bbee-dba1e5b246be - Flight Ids Client API 118 | iid: 79588f37-5be1-4a35-b23d-29832257cada 119 | Name: Flight Ids Client API 120 | Key: Computer\HKEY_CLASSES_ROOT\CLSID\{b31c57ac-4a31-470f-bbee-dba1e5b246be} 121 | Path: %SystemRoot%\System32\FlightSettings.dll 122 | 123 | TypeName: System.__ComObject 124 | 125 | Name MemberType Definition 126 | ---- ---------- ---------- 127 | CreateObjRef Method System.Runtime.Remoting.ObjRef CreateObjRef(type requestedType) 128 | Equals Method bool Equals(System.Object obj) 129 | GetHashCode Method int GetHashCode() 130 | GetLifetimeService Method System.Object GetLifetimeService() 131 | GetType Method type GetType() 132 | InitializeLifetimeService Method System.Object InitializeLifetimeService() 133 | ToString Method string ToString() 134 | 135 | ------------------------------------------------------------------------------------------------------- 136 | 137 | COM object creation at 180232017 138 | uuid: 0f87369f-a4e5-4cfc-bd3e-73e6154572dd - TaskScheduler 139 | iid: 2faba4c7-4da9-4013-9697-20cc3fd40f85 - IID_ITaskService 140 | 141 | TypeName: System.__ComObject#{2faba4c7-4da9-4013-9697-20cc3fd40f85} 142 | 143 | Name MemberType Definition 144 | ---- ---------- ---------- 145 | Connect Method void Connect (Variant, Variant, Variant, Variant) 146 | GetFolder Method ITaskFolder GetFolder (string) 147 | GetRunningTasks Method IRunningTaskCollection GetRunningTasks (int) 148 | NewTask Method ITaskDefinition NewTask (uint) 149 | Connected Property bool Connected () {get} 150 | ConnectedDomain Property string ConnectedDomain () {get} 151 | ConnectedUser Property string ConnectedUser () {get} 152 | HighestVersion Property uint HighestVersion () {get} 153 | TargetServer Property string TargetServer () {get} 154 | 155 | ------------------------------------------------------------------------------------------------------- 156 | 157 | COM object creation at 1800b1769 158 | uuid: 17e24fbc-4d64-459e-8595-fd7154c6d113 - CLSID_HVSIContainerManager 159 | iid: 2524d4e0-180b-40f1-99b3-73b65847d0df 160 | Key: Computer\HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{17e24fbc-4d64-459e-8595-fd7154c6d113} 161 | AppID: {24c7514d-82c5-4522-9030-c915a4291a6e} 162 | 163 | Instantiation failed 164 | 165 | ------------------------------------------------------------------------------------------------------- 166 | 167 | COM object creation at 1800a4904 168 | uuid: 0134a8b2-3407-4b45-ad25-e9f7c92a80bc - XblAuthManager 169 | iid: 097ad6b8-203b-4506-a509-02e4b11b6bb5 170 | LocalService: XblAuthManager 171 | 172 | TypeName: System.__ComObject 173 | 174 | Name MemberType Definition 175 | ---- ---------- ---------- 176 | CreateObjRef Method System.Runtime.Remoting.ObjRef CreateObjRef(type requestedType) 177 | Equals Method bool Equals(System.Object obj) 178 | GetHashCode Method int GetHashCode() 179 | GetLifetimeService Method System.Object GetLifetimeService() 180 | GetType Method type GetType() 181 | InitializeLifetimeService Method System.Object InitializeLifetimeService() 182 | ToString Method string ToString() 183 | 184 | ------------------------------------------------------------------------------------------------------- 185 | 186 | COM object creation at 18012427b 187 | uuid: b31c57ac-4a31-470f-bbee-dba1e5b246be - Flight Ids Client API 188 | iid: 79588f37-5be1-4a35-b23d-29832257cada 189 | Name: Flight Ids Client API 190 | Key: Computer\HKEY_CLASSES_ROOT\CLSID\{b31c57ac-4a31-470f-bbee-dba1e5b246be} 191 | Path: %SystemRoot%\System32\FlightSettings.dll 192 | 193 | TypeName: System.__ComObject 194 | 195 | Name MemberType Definition 196 | ---- ---------- ---------- 197 | CreateObjRef Method System.Runtime.Remoting.ObjRef CreateObjRef(type requestedType) 198 | Equals Method bool Equals(System.Object obj) 199 | GetHashCode Method int GetHashCode() 200 | GetLifetimeService Method System.Object GetLifetimeService() 201 | GetType Method type GetType() 202 | InitializeLifetimeService Method System.Object InitializeLifetimeService() 203 | ToString Method string ToString() 204 | 205 | ------------------------------------------------------------------------------------------------------- 206 | 207 | COM object creation at 1800cdd28 208 | uuid: 3185a766-b338-11e4-a71e-12e3f512a338 - CLSID_FlightSettingsAPIBroker 209 | iid: e833feb2-c58a-45e4-8d93-08874744febb 210 | Name: Flight Settings API Broker 211 | Key: Computer\HKEY_CLASSES_ROOT\CLSID\{3185a766-b338-11e4-a71e-12e3f512a338} 212 | Path: %SystemRoot%\System32\FlightSettings.dll 213 | AppID: {7006698d-2974-4091-a424-85dd0b909e23} 214 | 215 | Instantiation failed 216 | 217 | ------------------------------------------------------------------------------------------------------- 218 | 219 | COM object creation at 1800cdf7f 220 | uuid: 3185a766-b338-11e4-a71e-12e3f512a338 - CLSID_FlightSettingsAPIBroker 221 | iid: e833feb2-c58a-45e4-8d93-08874744febb 222 | Name: Flight Settings API Broker 223 | Key: Computer\HKEY_CLASSES_ROOT\CLSID\{3185a766-b338-11e4-a71e-12e3f512a338} 224 | Path: %SystemRoot%\System32\FlightSettings.dll 225 | AppID: {7006698d-2974-4091-a424-85dd0b909e23} 226 | 227 | Instantiation failed 228 | 229 | ------------------------------------------------------------------------------------------------------- 230 | 231 | COM object creation at 1800cdd28 232 | uuid: 3185a766-b338-11e4-a71e-12e3f512a338 - CLSID_FlightSettingsAPIBroker 233 | iid: e833feb2-c58a-45e4-8d93-08874744febb 234 | Name: Flight Settings API Broker 235 | Key: Computer\HKEY_CLASSES_ROOT\CLSID\{3185a766-b338-11e4-a71e-12e3f512a338} 236 | Path: %SystemRoot%\System32\FlightSettings.dll 237 | AppID: {7006698d-2974-4091-a424-85dd0b909e23} 238 | 239 | Instantiation failed 240 | 241 | ------------------------------------------------------------------------------------------------------- 242 | 243 | COM object creation at 1800cdf7f 244 | uuid: 3185a766-b338-11e4-a71e-12e3f512a338 - CLSID_FlightSettingsAPIBroker 245 | iid: e833feb2-c58a-45e4-8d93-08874744febb 246 | Name: Flight Settings API Broker 247 | Key: Computer\HKEY_CLASSES_ROOT\CLSID\{3185a766-b338-11e4-a71e-12e3f512a338} 248 | Path: %SystemRoot%\System32\FlightSettings.dll 249 | AppID: {7006698d-2974-4091-a424-85dd0b909e23} 250 | 251 | Instantiation failed 252 | 253 | ------------------------------------------------------------------------------------------------------- 254 | -------------------------------------------------------------------------------- /FileRepository/DirectoryMonitorProOutput: -------------------------------------------------------------------------------- 1 | The following shows the cadence of how often Windows interacted with EventTranscript.db during the course of an afternoon while actively using a computer. 2 | 3 | Accessed (5/9/2021 12:01:59): C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db-wal 4 | Modified (5/9/2021 12:01:59): C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db-wal 5 | Accessed (5/9/2021 12:02:01): C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db-wal 6 | Modified (5/9/2021 12:02:01): C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db-wal 7 | Modified (5/9/2021 12:02:03): C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db-wal 8 | Accessed (5/9/2021 12:02:03): C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db-wal 9 | Accessed (5/9/2021 12:02:03): C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db 10 | Modified (5/9/2021 12:02:03): C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db 11 | Modified (5/9/2021 12:14:08): C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db-wal 12 | Accessed (5/9/2021 12:14:08): C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db-wal 13 | Modified (5/9/2021 12:28:39): C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db-wal 14 | Accessed (5/9/2021 12:28:39): C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db-wal 15 | Modified (5/9/2021 12:37:52): C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db-wal 16 | Accessed (5/9/2021 12:37:52): C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db-wal 17 | Modified (5/9/2021 12:46:58): C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db-wal 18 | Accessed (5/9/2021 12:46:58): C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db-wal 19 | Modified (5/9/2021 13:00:30): C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db-wal 20 | Accessed (5/9/2021 13:00:30): C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db-wal 21 | Modified (5/9/2021 13:06:20): C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db-wal 22 | Accessed (5/9/2021 13:06:20): C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db-wal 23 | Modified (5/9/2021 13:11:56): C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db-wal 24 | Accessed (5/9/2021 13:11:56): C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db-wal 25 | Modified (5/9/2021 13:26:35): C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db-wal 26 | Accessed (5/9/2021 13:26:35): C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db-wal 27 | Modified (5/9/2021 13:31:59): C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db-wal 28 | Accessed (5/9/2021 13:31:59): C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db-wal 29 | Modified (5/9/2021 13:46:57): C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db-wal 30 | Accessed (5/9/2021 13:46:57): C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db-wal 31 | Modified (5/9/2021 13:52:38): C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db-wal 32 | Accessed (5/9/2021 13:52:38): C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db-wal 33 | Accessed (5/9/2021 13:54:07): C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db 34 | Modified (5/9/2021 13:55:32): C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db-wal 35 | Accessed (5/9/2021 13:55:32): C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db-wal 36 | Modified (5/9/2021 14:01:59): C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db-wal 37 | Accessed (5/9/2021 14:01:59): C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db-wal 38 | Modified (5/9/2021 14:07:04): C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db-wal 39 | Accessed (5/9/2021 14:07:04): C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db-wal 40 | Modified (5/9/2021 14:26:39): C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db-wal 41 | Accessed (5/9/2021 14:26:39): C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db-wal 42 | Modified (5/9/2021 14:31:59): C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db-wal 43 | Accessed (5/9/2021 14:31:59): C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db-wal 44 | Modified (5/9/2021 14:43:41): C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db-wal 45 | Accessed (5/9/2021 14:43:41): C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db-wal 46 | Modified (5/9/2021 14:51:39): C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db-wal 47 | Accessed (5/9/2021 14:51:39): C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db-wal 48 | Modified (5/9/2021 14:57:37): C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db-wal 49 | Accessed (5/9/2021 14:57:37): C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db-wal 50 | Modified (5/9/2021 15:13:02): C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db-wal 51 | Accessed (5/9/2021 15:13:02): C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db-wal 52 | Modified (5/9/2021 15:21:15): C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db-wal 53 | Accessed (5/9/2021 15:21:15): C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db-wal 54 | Modified (5/9/2021 15:21:56): C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db-wal 55 | Accessed (5/9/2021 15:21:56): C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db-wal 56 | Accessed (5/9/2021 15:22:06): C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db-wal 57 | Modified (5/9/2021 15:22:06): C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db-wal 58 | Accessed (5/9/2021 15:23:29): C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db 59 | Modified (5/9/2021 15:31:59): C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db-wal 60 | Accessed (5/9/2021 15:31:59): C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db-wal 61 | Modified (5/9/2021 15:44:11): C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db-wal 62 | Accessed (5/9/2021 15:44:11): C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db-wal 63 | -------------------------------------------------------------------------------- /FullEventNames/Browsing History/BrowsingHistory_FullEventNames.txt: -------------------------------------------------------------------------------- 1 | Aria.218d658af29e41b6bc37144bd03f018d.Microsoft.WebBrowser.HistoryJournal.HJ_BeforeNavigateExtended 2 | Aria.218d658af29e41b6bc37144bd03f018d.Microsoft.WebBrowser.HistoryJournal.HJ_HistoryAddUrl 3 | Aria.218d658af29e41b6bc37144bd03f018d.Microsoft.WebBrowser.HistoryJournal.HJ_NavigateCompleteExtended 4 | Aria.218d658af29e41b6bc37144bd03f018d.Microsoft.WebBrowser.HistoryJournal.HJ_NavigateElementClicked 5 | Aria.218d658af29e41b6bc37144bd03f018d.Microsoft.WebBrowser.HistoryJournal.HJ_PageContentInfo 6 | Aria.218d658af29e41b6bc37144bd03f018d.Microsoft.WebBrowser.HistoryJournal.HJ_W3cNavTiming 7 | Aria.4bb4d6f7cafc4e9292f972dca2dcde42.evt_stats 8 | Microsoft.OSG.Web.WinInet.Http2RstStreamReceived 9 | Microsoft.OSG.Web.WinInet.SameSiteSetCookie 10 | Microsoft.OSG.Web.WinInet.TLSHandshakeSucceeded 11 | Microsoft.Web.Platform.AppCacheManifestResourceQuotaCheck 12 | Microsoft.Web.Platform.BeforeNavigate 13 | Microsoft.Web.Platform.Chakra.ScriptContextTelemetry 14 | Microsoft.Web.Platform.NavigateComplete 15 | Microsoft.Web.Platform.NavigationStopped 16 | Microsoft.Web.Platform.ResProtocolUsageInstance 17 | Microsoft.Web.Platform.SetUri 18 | Microsoft.Web.Platform.UpdateTravelLog 19 | Microsoft.Windows.AppModel.AppUriHandlerRegistrationVerifier.VerifyFromWeb 20 | -------------------------------------------------------------------------------- /FullEventNames/Device Connectivity and Configuration/Census JSON Examples.txt: -------------------------------------------------------------------------------- 1 | { 2 | "ver": "4.0", 3 | "name": "Census.Battery", 4 | "time": "2021-05-21T15:20:23.0437036Z", 5 | "iKey": "o:0a89d516ae714e01ae89c96d185e9ae3", 6 | "ext": { 7 | "utc": { 8 | "eventFlags": 514, 9 | "pgName": "WINCORE", 10 | "flags": 503317040, 11 | "epoch": "600830", 12 | "seq": 546 13 | }, 14 | "metadata": { 15 | "privTags": 16779264 16 | }, 17 | "mscv": { 18 | "cV": "R3+hicuwW0iwwxxP.0", 19 | "cV": "t/q4SyOHC0S915Bo.0" 20 | }, 21 | "os": { 22 | "bootId": 6, 23 | "name": "Windows", 24 | "ver": "10.0.19043.985.amd64fre.vb_release.191206-1406" 25 | }, 26 | "app": { 27 | "id": "W:0000f519feec486de87ed73cb92d3cac802400000000!00009914f5914c02add1d3590844a628b3c5a5fa2c48!devicecensus.exe", 28 | "ver": "2039/05/19:12:13:02!18342!devicecensus.exe", 29 | "asId": 483 30 | }, 31 | "device": { 32 | "localId": "s:6765A30B-E04D-4B4A-9954-55AA49BA79EF", 33 | "deviceClass": "Windows.Desktop" 34 | }, 35 | "protocol": { 36 | "devMake": "VMware, Inc.", 37 | "devModel": "VMware7,1" 38 | }, 39 | "user": { 40 | "localId": "w:76EFB15A-BF32-7E7D-871F-8EF13C84CA70" 41 | }, 42 | "loc": { 43 | "tz": "-07:00" 44 | } 45 | }, 46 | "data": { 47 | "InternalBatteryCapablities": 4294967295, 48 | "InternalBatteryCapacityCurrent": 4294967295, 49 | "InternalBatteryCapacityDesign": 4294967295, 50 | "InternalBatteryNumberOfCharges": 4294967295, 51 | "IsAlwaysOnAlwaysConnectedCapable": "0" 52 | } 53 | }, 54 | { 55 | "ver": "4.0", 56 | "name": "Census.Enterprise", 57 | "time": "2021-05-21T15:20:23.7522238Z", 58 | "iKey": "o:0a89d516ae714e01ae89c96d185e9ae3", 59 | "ext": { 60 | "utc": { 61 | "eventFlags": 514, 62 | "pgName": "WINCORE", 63 | "flags": 503317040, 64 | "epoch": "600830", 65 | "seq": 547 66 | }, 67 | "metadata": { 68 | "privTags": 2048 69 | }, 70 | "mscv": { 71 | "cV": "R3+hicuwW0iwwxxP.0", 72 | "cV": "t/q4SyOHC0S915Bo.0" 73 | }, 74 | "os": { 75 | "bootId": 6, 76 | "name": "Windows", 77 | "ver": "10.0.19043.985.amd64fre.vb_release.191206-1406" 78 | }, 79 | "app": { 80 | "id": "W:0000f519feec486de87ed73cb92d3cac802400000000!00009914f5914c02add1d3590844a628b3c5a5fa2c48!devicecensus.exe", 81 | "ver": "2039/05/19:12:13:02!18342!devicecensus.exe", 82 | "asId": 483 83 | }, 84 | "device": { 85 | "localId": "s:6765A30B-E04D-4B4A-9954-55AA49BA79EF", 86 | "deviceClass": "Windows.Desktop" 87 | }, 88 | "protocol": { 89 | "devMake": "VMware, Inc.", 90 | "devModel": "VMware7,1" 91 | }, 92 | "user": { 93 | "localId": "w:76EFB15A-BF32-7E7D-871F-8EF13C84CA70" 94 | }, 95 | "loc": { 96 | "tz": "-07:00" 97 | } 98 | }, 99 | "data": { 100 | "IsCloudDomainJoined": "0", 101 | "IsMDMEnrolled": "0", 102 | "CDJType": 4294967295, 103 | "ServerFeatures": "#", 104 | "CommercialId": "#", 105 | "AzureVMType": "#", 106 | "AzureOSIDPresent": false, 107 | "HashedDomain": "#", 108 | "SystemCenterID": "#", 109 | "MPNId": "#", 110 | "SCCMClientId": "#", 111 | "IsDeviceProtected": "DEVICE_NOT_PROTECTED|NO_FDV_EXISTS", 112 | "IsDERequirementMet": "DEVICE_SOFTWARE_REQ_MET|HW_TPM_NOT_CONFIGRUED", 113 | "IsEDPEnabled": "EDP_NOT_ENABLED|DPL_NONE", 114 | "AADDeviceId": "#", 115 | "ContainerType": 4294967295, 116 | "EnrollmentType": 4294967295, 117 | "MDMServiceProvider": "#" 118 | } 119 | }, 120 | { 121 | "ver": "4.0", 122 | "name": "Census.Firmware", 123 | "time": "2021-05-21T15:20:23.7679581Z", 124 | "iKey": "o:0a89d516ae714e01ae89c96d185e9ae3", 125 | "ext": { 126 | "utc": { 127 | "eventFlags": 514, 128 | "pgName": "WINCORE", 129 | "flags": 503317040, 130 | "epoch": "600830", 131 | "seq": 548 132 | }, 133 | "metadata": { 134 | "f": { 135 | "FirmwareType": 2 136 | }, 137 | "privTags": 2048 138 | }, 139 | "mscv": { 140 | "cV": "R3+hicuwW0iwwxxP.0", 141 | "cV": "t/q4SyOHC0S915Bo.0" 142 | }, 143 | "os": { 144 | "bootId": 6, 145 | "name": "Windows", 146 | "ver": "10.0.19043.985.amd64fre.vb_release.191206-1406" 147 | }, 148 | "app": { 149 | "id": "W:0000f519feec486de87ed73cb92d3cac802400000000!00009914f5914c02add1d3590844a628b3c5a5fa2c48!devicecensus.exe", 150 | "ver": "2039/05/19:12:13:02!18342!devicecensus.exe", 151 | "asId": 483 152 | }, 153 | "device": { 154 | "localId": "s:6765A30B-E04D-4B4A-9954-55AA49BA79EF", 155 | "deviceClass": "Windows.Desktop" 156 | }, 157 | "protocol": { 158 | "devMake": "VMware, Inc.", 159 | "devModel": "VMware7,1" 160 | }, 161 | "user": { 162 | "localId": "w:76EFB15A-BF32-7E7D-871F-8EF13C84CA70" 163 | }, 164 | "loc": { 165 | "tz": "-07:00" 166 | } 167 | }, 168 | "data": { 169 | "FirmwareManufacturer": "VMware, Inc.", 170 | "FirmwareReleaseDate": "08/10/2020", 171 | "FirmwareType": 2, 172 | "FirmwareVersion": "VMW71.00V.16722896.B64.2008100651" 173 | } 174 | }, 175 | { 176 | "ver": "4.0", 177 | "name": "Census.Flighting", 178 | "time": "2021-05-21T15:20:24.3230813Z", 179 | "iKey": "o:0a89d516ae714e01ae89c96d185e9ae3", 180 | "ext": { 181 | "utc": { 182 | "eventFlags": 514, 183 | "pgName": "WINCORE", 184 | "flags": 503317040, 185 | "epoch": "600830", 186 | "seq": 549 187 | }, 188 | "metadata": { 189 | "f": { 190 | "DeviceSampleRate": 6 191 | }, 192 | "privTags": 2048 193 | }, 194 | "mscv": { 195 | "cV": "R3+hicuwW0iwwxxP.0", 196 | "cV": "t/q4SyOHC0S915Bo.0" 197 | }, 198 | "os": { 199 | "bootId": 6, 200 | "name": "Windows", 201 | "ver": "10.0.19043.985.amd64fre.vb_release.191206-1406" 202 | }, 203 | "app": { 204 | "id": "W:0000f519feec486de87ed73cb92d3cac802400000000!00009914f5914c02add1d3590844a628b3c5a5fa2c48!devicecensus.exe", 205 | "ver": "2039/05/19:12:13:02!18342!devicecensus.exe", 206 | "asId": 483 207 | }, 208 | "device": { 209 | "localId": "s:6765A30B-E04D-4B4A-9954-55AA49BA79EF", 210 | "deviceClass": "Windows.Desktop" 211 | }, 212 | "protocol": { 213 | "devMake": "VMware, Inc.", 214 | "devModel": "VMware7,1" 215 | }, 216 | "user": { 217 | "localId": "w:76EFB15A-BF32-7E7D-871F-8EF13C84CA70" 218 | }, 219 | "loc": { 220 | "tz": "-07:00" 221 | } 222 | }, 223 | "data": { 224 | "FlightIds": "FX:117B97D4,FX:117B9872,FX:1183210E,FX:119E26AD,FX:11C0E96C,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11C96C7A,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75", 225 | "MSA_Accounts": "", 226 | "IsFlightsDisabled": 0, 227 | "FlightingBranchName": "#", 228 | "DeviceSampleRate": 45.105174000000005, 229 | "SSRK": "#", 230 | "DriverTargetRing": "#", 231 | "EnablePreviewBuilds": 4294967295 232 | } 233 | }, 234 | { 235 | "ver": "4.0", 236 | "name": "Census.VM", 237 | "time": "2021-05-21T15:20:24.3281390Z", 238 | "iKey": "o:0a89d516ae714e01ae89c96d185e9ae3", 239 | "ext": { 240 | "utc": { 241 | "eventFlags": 514, 242 | "pgName": "WINCORE", 243 | "flags": 503317040, 244 | "epoch": "600830", 245 | "seq": 550 246 | }, 247 | "metadata": { 248 | "privTags": 2048 249 | }, 250 | "mscv": { 251 | "cV": "R3+hicuwW0iwwxxP.0", 252 | "cV": "t/q4SyOHC0S915Bo.0" 253 | }, 254 | "os": { 255 | "bootId": 6, 256 | "name": "Windows", 257 | "ver": "10.0.19043.985.amd64fre.vb_release.191206-1406" 258 | }, 259 | "app": { 260 | "id": "W:0000f519feec486de87ed73cb92d3cac802400000000!00009914f5914c02add1d3590844a628b3c5a5fa2c48!devicecensus.exe", 261 | "ver": "2039/05/19:12:13:02!18342!devicecensus.exe", 262 | "asId": 483 263 | }, 264 | "device": { 265 | "localId": "s:6765A30B-E04D-4B4A-9954-55AA49BA79EF", 266 | "deviceClass": "Windows.Desktop" 267 | }, 268 | "protocol": { 269 | "devMake": "VMware, Inc.", 270 | "devModel": "VMware7,1" 271 | }, 272 | "user": { 273 | "localId": "w:76EFB15A-BF32-7E7D-871F-8EF13C84CA70" 274 | }, 275 | "loc": { 276 | "tz": "-07:00" 277 | } 278 | }, 279 | "data": { 280 | "VirtualizationFirmwareEnabled": "0", 281 | "SLATSupported": "0", 282 | "IOMMUPresent": 0, 283 | "IsVirtualDevice": "1", 284 | "HyperVisor": 1, 285 | "IsVDI": false, 286 | "CloudService": "#", 287 | "VMId": "AF904D56-3130-CCC7-CA60-1F0E66F71B81" 288 | } 289 | }, 290 | { 291 | "ver": "4.0", 292 | "name": "Census.Hardware", 293 | "time": "2021-05-21T15:20:24.5615465Z", 294 | "iKey": "o:0a89d516ae714e01ae89c96d185e9ae3", 295 | "ext": { 296 | "utc": { 297 | "eventFlags": 514, 298 | "pgName": "WINCORE", 299 | "flags": 503317040, 300 | "epoch": "600830", 301 | "seq": 551 302 | }, 303 | "metadata": { 304 | "f": { 305 | "ChassisType": 2, 306 | "EnclosureKind": 2, 307 | "TPMVersion": 2, 308 | "DigitizerSupport": 2, 309 | "ActiveMicCount": 2 310 | }, 311 | "privTags": 2048 312 | }, 313 | "mscv": { 314 | "cV": "R3+hicuwW0iwwxxP.0", 315 | "cV": "t/q4SyOHC0S915Bo.0" 316 | }, 317 | "os": { 318 | "bootId": 6, 319 | "name": "Windows", 320 | "ver": "10.0.19043.985.amd64fre.vb_release.191206-1406" 321 | }, 322 | "app": { 323 | "id": "W:0000f519feec486de87ed73cb92d3cac802400000000!00009914f5914c02add1d3590844a628b3c5a5fa2c48!devicecensus.exe", 324 | "ver": "2039/05/19:12:13:02!18342!devicecensus.exe", 325 | "asId": 483 326 | }, 327 | "device": { 328 | "localId": "s:6765A30B-E04D-4B4A-9954-55AA49BA79EF", 329 | "deviceClass": "Windows.Desktop" 330 | }, 331 | "protocol": { 332 | "devMake": "VMware, Inc.", 333 | "devModel": "VMware7,1" 334 | }, 335 | "user": { 336 | "localId": "w:76EFB15A-BF32-7E7D-871F-8EF13C84CA70" 337 | }, 338 | "loc": { 339 | "tz": "-07:00" 340 | } 341 | }, 342 | "data": { 343 | "ChassisType": 1, 344 | "DeviceName": "#", 345 | "EnclosureKind": -1, 346 | "OEMDigitalMarkerFileName": "#", 347 | "OEMManufacturerName": "VMware, Inc.", 348 | "OEMModelNumber": "VMware7,1", 349 | "OEMModelName": "#", 350 | "OEMModelSKU": "", 351 | "OEMModelBaseBoard": "440BX Desktop Reference Platform", 352 | "OEMModelBaseBoardVersion": "None", 353 | "OEMModelSystemFamily": "", 354 | "OEMModelSystemVersion": "None", 355 | "OEMOptionalIdentifier": "#", 356 | "OEMSerialNumber": "VMware-56 4d 90 af 30 31 c7 cc-ca 60 1f 0e 66 f7 1b 81", 357 | "PhoneManufacturer": "#", 358 | "SoCName": "#", 359 | "InventoryId": "{EF03816C-D381-BAA8-7904-7272C69C962F}", 360 | "VoiceSupported": "PowerOff", 361 | "D3DMaxFeatureLevel": "D3D_FEATURE_LEVEL_11_0", 362 | "TPMManufacturerVersion": "#", 363 | "TPMManufacturerId": "#", 364 | "PowerPlatformRole": 1, 365 | "TPMVersion": 0, 366 | "StudyID": 0, 367 | "TelemetryLevel": 3, 368 | "TelemetrySettingAuthority": 2, 369 | "DeviceForm": 0, 370 | "DigitizerSupport": 0, 371 | "ActiveMicCount": 1, 372 | "Gyroscope": false, 373 | "Magnetometer": false, 374 | "NFCProximity": false, 375 | "TelemetryLevelLimitEnhanced": 0 376 | } 377 | }, 378 | { 379 | "ver": "4.0", 380 | "name": "Census.Memory", 381 | "time": "2021-05-21T15:20:24.5620681Z", 382 | "iKey": "o:0a89d516ae714e01ae89c96d185e9ae3", 383 | "ext": { 384 | "utc": { 385 | "eventFlags": 514, 386 | "pgName": "WINCORE", 387 | "flags": 503317040, 388 | "epoch": "600830", 389 | "seq": 552 390 | }, 391 | "metadata": { 392 | "f": { 393 | "TotalPhysicalRAM": 2 394 | }, 395 | "privTags": 2048 396 | }, 397 | "mscv": { 398 | "cV": "R3+hicuwW0iwwxxP.0", 399 | "cV": "t/q4SyOHC0S915Bo.0" 400 | }, 401 | "os": { 402 | "bootId": 6, 403 | "name": "Windows", 404 | "ver": "10.0.19043.985.amd64fre.vb_release.191206-1406" 405 | }, 406 | "app": { 407 | "id": "W:0000f519feec486de87ed73cb92d3cac802400000000!00009914f5914c02add1d3590844a628b3c5a5fa2c48!devicecensus.exe", 408 | "ver": "2039/05/19:12:13:02!18342!devicecensus.exe", 409 | "asId": 483 410 | }, 411 | "device": { 412 | "localId": "s:6765A30B-E04D-4B4A-9954-55AA49BA79EF", 413 | "deviceClass": "Windows.Desktop" 414 | }, 415 | "protocol": { 416 | "devMake": "VMware, Inc.", 417 | "devModel": "VMware7,1" 418 | }, 419 | "user": { 420 | "localId": "w:76EFB15A-BF32-7E7D-871F-8EF13C84CA70" 421 | }, 422 | "loc": { 423 | "tz": "-07:00" 424 | } 425 | }, 426 | "data": { 427 | "TotalPhysicalRAM": 2048, 428 | "TotalVisibleMemory": 2046 429 | } 430 | }, 431 | { 432 | "ver": "4.0", 433 | "name": "Census.Network", 434 | "time": "2021-05-21T15:20:24.5670110Z", 435 | "iKey": "o:0a89d516ae714e01ae89c96d185e9ae3", 436 | "ext": { 437 | "utc": { 438 | "eventFlags": 514, 439 | "pgName": "WINCORE", 440 | "flags": 503317040, 441 | "epoch": "600830", 442 | "seq": 553 443 | }, 444 | "metadata": { 445 | "privTags": 2048 446 | }, 447 | "mscv": { 448 | "cV": "R3+hicuwW0iwwxxP.0", 449 | "cV": "t/q4SyOHC0S915Bo.0" 450 | }, 451 | "os": { 452 | "bootId": 6, 453 | "name": "Windows", 454 | "ver": "10.0.19043.985.amd64fre.vb_release.191206-1406" 455 | }, 456 | "app": { 457 | "id": "W:0000f519feec486de87ed73cb92d3cac802400000000!00009914f5914c02add1d3590844a628b3c5a5fa2c48!devicecensus.exe", 458 | "ver": "2039/05/19:12:13:02!18342!devicecensus.exe", 459 | "asId": 483 460 | }, 461 | "device": { 462 | "localId": "s:6765A30B-E04D-4B4A-9954-55AA49BA79EF", 463 | "deviceClass": "Windows.Desktop" 464 | }, 465 | "protocol": { 466 | "devMake": "VMware, Inc.", 467 | "devModel": "VMware7,1" 468 | }, 469 | "user": { 470 | "localId": "w:76EFB15A-BF32-7E7D-871F-8EF13C84CA70" 471 | }, 472 | "loc": { 473 | "tz": "-07:00" 474 | } 475 | }, 476 | "data": { 477 | "MobileOperatorBilling": "#", 478 | "MobileOperatorCommercialized": "#", 479 | "NetworkAdapterGUID": "{DAB58C59-7489-47B2-A299-B4432683CDB2}", 480 | "IMEI0": "#", 481 | "SPN0": "#", 482 | "MobileOperatorNetwork0": "#", 483 | "MCC0": "#", 484 | "MNC0": "#", 485 | "IMEI1": "#", 486 | "SPN1": "#", 487 | "MobileOperatorNetwork1": "#", 488 | "MCC1": "#", 489 | "MNC1": "#", 490 | "MEID": "#" 491 | } 492 | }, 493 | { 494 | "ver": "4.0", 495 | "name": "Census.OS", 496 | "time": "2021-05-21T15:20:24.8056425Z", 497 | "iKey": "o:0a89d516ae714e01ae89c96d185e9ae3", 498 | "ext": { 499 | "utc": { 500 | "eventFlags": 514, 501 | "pgName": "WINCORE", 502 | "flags": 503317040, 503 | "epoch": "600830", 504 | "seq": 554 505 | }, 506 | "metadata": { 507 | "f": { 508 | "LicenseStateReason": 2, 509 | "ProductActivationTime": 5 510 | }, 511 | "privTags": 2048 512 | }, 513 | "mscv": { 514 | "cV": "R3+hicuwW0iwwxxP.0", 515 | "cV": "t/q4SyOHC0S915Bo.0" 516 | }, 517 | "os": { 518 | "bootId": 6, 519 | "name": "Windows", 520 | "ver": "10.0.19043.985.amd64fre.vb_release.191206-1406" 521 | }, 522 | "app": { 523 | "id": "W:0000f519feec486de87ed73cb92d3cac802400000000!00009914f5914c02add1d3590844a628b3c5a5fa2c48!devicecensus.exe", 524 | "ver": "2039/05/19:12:13:02!18342!devicecensus.exe", 525 | "asId": 483 526 | }, 527 | "device": { 528 | "localId": "s:6765A30B-E04D-4B4A-9954-55AA49BA79EF", 529 | "deviceClass": "Windows.Desktop" 530 | }, 531 | "protocol": { 532 | "devMake": "VMware, Inc.", 533 | "devModel": "VMware7,1" 534 | }, 535 | "user": { 536 | "localId": "w:76EFB15A-BF32-7E7D-871F-8EF13C84CA70" 537 | }, 538 | "loc": { 539 | "tz": "-07:00" 540 | } 541 | }, 542 | "data": { 543 | "GenuineState": 0, 544 | "IsPortableOperatingSystem": "0", 545 | "IsSecureBootEnabled": "0", 546 | "OSEdition": "Professional", 547 | "InstallationType": "Client", 548 | "OSInstallType": 1, 549 | "OSOOBEDateTime": "2021-05-20T13:49:22.552", 550 | "OSSKU": 48, 551 | "DeviceTimeZone": "Pacific Standard Time", 552 | "OSUILocale": "en-US", 553 | "RACw7Id": "#", 554 | "CompactOS": "1", 555 | "Signature": 4294967295, 556 | "IsDeviceRetailDemo": 0, 557 | "ActivationChannel": "Retail", 558 | "LicenseStateReason": 1074066433, 559 | "OA3xOriginalProductKey": "#", 560 | "ProductKeyID2": "00330-81495-05788-AA244", 561 | "ServiceMachineIP": "", 562 | "ServiceProductKeyID": "", 563 | "ServiceMachinePort": 0, 564 | "OSSubscriptionTypeId": 4294967295, 565 | "OSSubscriptionStatus": 4294967295, 566 | "SLICVersion": 4294967295, 567 | "SLICStatus": 0, 568 | "LanguagePacks": "en-US;", 569 | "InstallLanguage": "en-US", 570 | "IsEduData": 0, 571 | "SharedPCMode": 4294967295, 572 | "ProductActivationTime": 0, 573 | "ProductActivationResult": 4294967295, 574 | "AssignedAccessStatus": "None", 575 | "DeveloperUnlockStatus": 0 576 | } 577 | }, 578 | { 579 | "ver": "4.0", 580 | "name": "Census.PrivacySettings", 581 | "time": "2021-05-21T15:20:25.0327115Z", 582 | "iKey": "o:0a89d516ae714e01ae89c96d185e9ae3", 583 | "ext": { 584 | "utc": { 585 | "eventFlags": 258, 586 | "pgName": "WINCORE", 587 | "flags": 503317040, 588 | "epoch": "600830", 589 | "seq": 555 590 | }, 591 | "metadata": { 592 | "f": { 593 | "Activity": 2, 594 | "AppDiagnostics": 2, 595 | "Appointments": 2, 596 | "Bluetooth": 2, 597 | "BluetoothSync": 2, 598 | "BroadFileSystemAccess": 2, 599 | "CellularData": 2, 600 | "Chat": 2, 601 | "Contacts": 2, 602 | "DocumentsLibrary": 2, 603 | "Email": 2, 604 | "GazeInput": 2, 605 | "HumanInterfaceDevice": 2, 606 | "Location": 2, 607 | "LocationHistory": 2, 608 | "Microphone": 2, 609 | "PhoneCall": 2, 610 | "PhoneCallHistory": 2, 611 | "PicturesLibrary": 2, 612 | "Radios": 2, 613 | "SensorsCustom": 2, 614 | "SerialCommunication": 2, 615 | "Sms": 2, 616 | "USB": 2, 617 | "UserAccountInformation": 2, 618 | "UserDataTasks": 2, 619 | "UserNotificationListener": 2, 620 | "VideosLibrary": 2, 621 | "Webcam": 2, 622 | "WifiData": 2, 623 | "WiFiDirect": 2, 624 | "ActivityHistoryCollection": 2, 625 | "ActivityHistoryCloudSync": 2, 626 | "AdvertisingId": 2, 627 | "SpeechPersonalization": 2, 628 | "InkTypeImprovement": 2, 629 | "FindMyDevice": 2 630 | }, 631 | "privTags": 2048 632 | }, 633 | "mscv": { 634 | "cV": "R3+hicuwW0iwwxxP.0", 635 | "cV": "t/q4SyOHC0S915Bo.0" 636 | }, 637 | "os": { 638 | "bootId": 6, 639 | "name": "Windows", 640 | "ver": "10.0.19043.985.amd64fre.vb_release.191206-1406" 641 | }, 642 | "app": { 643 | "id": "W:0000f519feec486de87ed73cb92d3cac802400000000!00009914f5914c02add1d3590844a628b3c5a5fa2c48!devicecensus.exe", 644 | "ver": "2039/05/19:12:13:02!18342!devicecensus.exe", 645 | "asId": 483 646 | }, 647 | "device": { 648 | "localId": "s:6765A30B-E04D-4B4A-9954-55AA49BA79EF", 649 | "deviceClass": "Windows.Desktop" 650 | }, 651 | "protocol": { 652 | "devMake": "VMware, Inc.", 653 | "devModel": "VMware7,1" 654 | }, 655 | "user": { 656 | "localId": "w:76EFB15A-BF32-7E7D-871F-8EF13C84CA70" 657 | }, 658 | "loc": { 659 | "tz": "-07:00" 660 | } 661 | }, 662 | "data": { 663 | "Activity": 256, 664 | "AppDiagnostics": 256, 665 | "Appointments": 256, 666 | "Bluetooth": 256, 667 | "BluetoothSync": 256, 668 | "BroadFileSystemAccess": 256, 669 | "CellularData": 256, 670 | "Chat": 256, 671 | "Contacts": 256, 672 | "DocumentsLibrary": 256, 673 | "Email": 256, 674 | "GazeInput": 256, 675 | "HumanInterfaceDevice": 256, 676 | "Location": 256, 677 | "LocationHistory": 256, 678 | "Microphone": 256, 679 | "PhoneCall": 256, 680 | "PhoneCallHistory": 256, 681 | "PicturesLibrary": 256, 682 | "Radios": 256, 683 | "SensorsCustom": 256, 684 | "SerialCommunication": 256, 685 | "Sms": 256, 686 | "USB": 256, 687 | "UserAccountInformation": 256, 688 | "UserDataTasks": 256, 689 | "UserNotificationListener": 256, 690 | "VideosLibrary": 256, 691 | "Webcam": 256, 692 | "WifiData": 256, 693 | "WiFiDirect": 256, 694 | "ActivityHistoryCollection": -258, 695 | "ActivityHistoryCloudSync": -258, 696 | "AdvertisingId": 256, 697 | "SpeechPersonalization": 517, 698 | "InkTypeImprovement": 262, 699 | "FindMyDevice": 512 700 | } 701 | }, 702 | { 703 | "ver": "4.0", 704 | "name": "Census.Processor", 705 | "time": "2021-05-21T15:20:25.0330523Z", 706 | "iKey": "o:0a89d516ae714e01ae89c96d185e9ae3", 707 | "ext": { 708 | "utc": { 709 | "eventFlags": 514, 710 | "pgName": "WINCORE", 711 | "flags": 503317040, 712 | "epoch": "600830", 713 | "seq": 556 714 | }, 715 | "metadata": { 716 | "f": { 717 | "ProcessorCores": 2, 718 | "ProcessorPhysicalCores": 2, 719 | "ProcessorUpdateRevision": 5, 720 | "PreviousUpdateRevision": 5, 721 | "SocketCount": 2 722 | }, 723 | "privTags": 2048 724 | }, 725 | "mscv": { 726 | "cV": "R3+hicuwW0iwwxxP.0", 727 | "cV": "t/q4SyOHC0S915Bo.0" 728 | }, 729 | "os": { 730 | "bootId": 6, 731 | "name": "Windows", 732 | "ver": "10.0.19043.985.amd64fre.vb_release.191206-1406" 733 | }, 734 | "app": { 735 | "id": "W:0000f519feec486de87ed73cb92d3cac802400000000!00009914f5914c02add1d3590844a628b3c5a5fa2c48!devicecensus.exe", 736 | "ver": "2039/05/19:12:13:02!18342!devicecensus.exe", 737 | "asId": 483 738 | }, 739 | "device": { 740 | "localId": "s:6765A30B-E04D-4B4A-9954-55AA49BA79EF", 741 | "deviceClass": "Windows.Desktop" 742 | }, 743 | "protocol": { 744 | "devMake": "VMware, Inc.", 745 | "devModel": "VMware7,1" 746 | }, 747 | "user": { 748 | "localId": "w:76EFB15A-BF32-7E7D-871F-8EF13C84CA70" 749 | }, 750 | "loc": { 751 | "tz": "-07:00" 752 | } 753 | }, 754 | "data": { 755 | "ProcessorCores": 2, 756 | "ProcessorPhysicalCores": 2, 757 | "ProcessorArchitecture": 9, 758 | "ProcessorClockSpeed": 2400, 759 | "ProcessorManufacturer": "GenuineIntel", 760 | "ProcessorModel": "Intel(R) Core(TM) i9-9980HK CPU @ 2.40GHz", 761 | "ProcessorIdentifier": "Intel64 Family 6 Model 158 Stepping 13", 762 | "ProcessorUpdateRevision": 816043786240, 763 | "PreviousUpdateRevision": 816043786240, 764 | "SocketCount": 1, 765 | "KvaShadow": 416, 766 | "SpeculationControl": 92378105, 767 | "MMSettingOverride": 4294967295, 768 | "MMSettingOverrideMask": 4294967295, 769 | "ProcessorUpdateStatus": 2 770 | } 771 | }, 772 | { 773 | "ver": "4.0", 774 | "name": "Census.Security", 775 | "time": "2021-05-21T15:20:25.1678469Z", 776 | "iKey": "o:0a89d516ae714e01ae89c96d185e9ae3", 777 | "ext": { 778 | "utc": { 779 | "eventFlags": 514, 780 | "pgName": "WINCORE", 781 | "flags": 503317040, 782 | "epoch": "600830", 783 | "seq": 557 784 | }, 785 | "metadata": { 786 | "f": { 787 | "DGState": 5, 788 | "WdagPolicyValue": 2 789 | }, 790 | "privTags": 2048 791 | }, 792 | "mscv": { 793 | "cV": "R3+hicuwW0iwwxxP.0", 794 | "cV": "t/q4SyOHC0S915Bo.0" 795 | }, 796 | "os": { 797 | "bootId": 6, 798 | "name": "Windows", 799 | "ver": "10.0.19043.985.amd64fre.vb_release.191206-1406" 800 | }, 801 | "app": { 802 | "id": "W:0000f519feec486de87ed73cb92d3cac802400000000!00009914f5914c02add1d3590844a628b3c5a5fa2c48!devicecensus.exe", 803 | "ver": "2039/05/19:12:13:02!18342!devicecensus.exe", 804 | "asId": 483 805 | }, 806 | "device": { 807 | "localId": "s:6765A30B-E04D-4B4A-9954-55AA49BA79EF", 808 | "deviceClass": "Windows.Desktop" 809 | }, 810 | "protocol": { 811 | "devMake": "VMware, Inc.", 812 | "devModel": "VMware7,1" 813 | }, 814 | "user": { 815 | "localId": "w:76EFB15A-BF32-7E7D-871F-8EF13C84CA70" 816 | }, 817 | "loc": { 818 | "tz": "-07:00" 819 | } 820 | }, 821 | "data": { 822 | "HVCIRunning": false, 823 | "CGRunning": false, 824 | "VBSState": 0, 825 | "SecureBootCapable": 1, 826 | "RequiredSecurityProperties": 0, 827 | "AvailableSecurityProperties": 56, 828 | "SModeState": 0, 829 | "IsSawHost": false, 830 | "IsSawGuest": false, 831 | "DGState": 469762561, 832 | "IsWdagFeatureEnabled": 4294967295, 833 | "WdagPolicyValue": 0, 834 | "TpmReadyState": 255, 835 | "SystemGuardState": 0, 836 | "ShadowStack": 0 837 | } 838 | }, 839 | { 840 | "ver": "4.0", 841 | "name": "Census.Speech", 842 | "time": "2021-05-21T15:20:25.1683531Z", 843 | "iKey": "o:0a89d516ae714e01ae89c96d185e9ae3", 844 | "ext": { 845 | "utc": { 846 | "eventFlags": 258, 847 | "pgName": "WINCORE", 848 | "flags": 503317040, 849 | "epoch": "600830", 850 | "seq": 558 851 | }, 852 | "metadata": { 853 | "f": { 854 | "RemotelyManaged": 2, 855 | "GPAllowInputPersonalization": 2, 856 | "MDMAllowInputPersonalization": 2, 857 | "KeyVer": 2, 858 | "SpeechServicesValueSource": 2 859 | }, 860 | "privTags": 2048 861 | }, 862 | "mscv": { 863 | "cV": "R3+hicuwW0iwwxxP.0", 864 | "cV": "t/q4SyOHC0S915Bo.0" 865 | }, 866 | "os": { 867 | "bootId": 6, 868 | "name": "Windows", 869 | "ver": "10.0.19043.985.amd64fre.vb_release.191206-1406" 870 | }, 871 | "app": { 872 | "id": "W:0000f519feec486de87ed73cb92d3cac802400000000!00009914f5914c02add1d3590844a628b3c5a5fa2c48!devicecensus.exe", 873 | "ver": "2039/05/19:12:13:02!18342!devicecensus.exe", 874 | "asId": 483 875 | }, 876 | "device": { 877 | "localId": "s:6765A30B-E04D-4B4A-9954-55AA49BA79EF", 878 | "deviceClass": "Windows.Desktop" 879 | }, 880 | "protocol": { 881 | "devMake": "VMware, Inc.", 882 | "devModel": "VMware7,1" 883 | }, 884 | "user": { 885 | "localId": "w:76EFB15A-BF32-7E7D-871F-8EF13C84CA70" 886 | }, 887 | "loc": { 888 | "tz": "-07:00" 889 | } 890 | }, 891 | "data": { 892 | "KWSEnabled": "DSMAUser:[]LastLoggedOnUser:[(0,1)]DeviceUsers:[(0,1)]", 893 | "SpeakerIdEnabled": "DSMAUser:[]LastLoggedOnUser:[(2,1)]DeviceUsers:[(2,1)]", 894 | "AboveLockEnabled": "DSMAUser:[]LastLoggedOnUser:[(0,1)]DeviceUsers:[(0,1)]", 895 | "HolographicSpeechInputDisabled": "DSMAUser:[]LastLoggedOnUser:[(1,1)]DeviceUsers:[(1,1)]", 896 | "HolographicSpeechInputDisabledRemote": "DSMAUser:[]LastLoggedOnUser:[(2,1)]DeviceUsers:[(2,1)]", 897 | "SpeechServicesEnabled": "DSMAUser:[]LastLoggedOnUser:[(0,1)]DeviceUsers:[(0,1)]", 898 | "RemotelyManaged": 100, 899 | "GPAllowInputPersonalization": 1, 900 | "MDMAllowInputPersonalization": 100, 901 | "KeyVer": 2, 902 | "SpeechServicesValueSource": 1 903 | } 904 | }, 905 | { 906 | "ver": "4.0", 907 | "name": "Census.Storage", 908 | "time": "2021-05-21T15:20:25.1685580Z", 909 | "iKey": "o:0a89d516ae714e01ae89c96d185e9ae3", 910 | "ext": { 911 | "utc": { 912 | "eventFlags": 514, 913 | "pgName": "WINCORE", 914 | "flags": 503317040, 915 | "epoch": "600830", 916 | "seq": 559 917 | }, 918 | "metadata": { 919 | "f": { 920 | "PrimaryDiskTotalCapacity": 4, 921 | "SystemVolumeTotalCapacity": 4 922 | }, 923 | "privTags": 2048 924 | }, 925 | "mscv": { 926 | "cV": "R3+hicuwW0iwwxxP.0", 927 | "cV": "t/q4SyOHC0S915Bo.0" 928 | }, 929 | "os": { 930 | "bootId": 6, 931 | "name": "Windows", 932 | "ver": "10.0.19043.985.amd64fre.vb_release.191206-1406" 933 | }, 934 | "app": { 935 | "id": "W:0000f519feec486de87ed73cb92d3cac802400000000!00009914f5914c02add1d3590844a628b3c5a5fa2c48!devicecensus.exe", 936 | "ver": "2039/05/19:12:13:02!18342!devicecensus.exe", 937 | "asId": 483 938 | }, 939 | "device": { 940 | "localId": "s:6765A30B-E04D-4B4A-9954-55AA49BA79EF", 941 | "deviceClass": "Windows.Desktop" 942 | }, 943 | "protocol": { 944 | "devMake": "VMware, Inc.", 945 | "devModel": "VMware7,1" 946 | }, 947 | "user": { 948 | "localId": "w:76EFB15A-BF32-7E7D-871F-8EF13C84CA70" 949 | }, 950 | "loc": { 951 | "tz": "-07:00" 952 | } 953 | }, 954 | "data": { 955 | "PrimaryDiskTotalCapacity": 61440, 956 | "SystemVolumeTotalCapacity": 60821, 957 | "PrimaryDiskType": 4, 958 | "StorageReservePassedPolicy": 1 959 | } 960 | }, 961 | { 962 | "ver": "4.0", 963 | "name": "Census.WU", 964 | "time": "2021-05-21T15:20:26.3703825Z", 965 | "iKey": "o:0a89d516ae714e01ae89c96d185e9ae3", 966 | "ext": { 967 | "utc": { 968 | "eventFlags": 514, 969 | "pgName": "WINCORE", 970 | "flags": 503317040, 971 | "epoch": "600830", 972 | "seq": 561 973 | }, 974 | "metadata": { 975 | "f": { 976 | "WUDeferUpgradePeriod": 2, 977 | "WUDeferUpdatePeriod": 2 978 | }, 979 | "privTags": 2147485696 980 | }, 981 | "mscv": { 982 | "cV": "R3+hicuwW0iwwxxP.0", 983 | "cV": "t/q4SyOHC0S915Bo.0" 984 | }, 985 | "os": { 986 | "bootId": 6, 987 | "name": "Windows", 988 | "ver": "10.0.19043.985.amd64fre.vb_release.191206-1406" 989 | }, 990 | "app": { 991 | "id": "W:0000f519feec486de87ed73cb92d3cac802400000000!00009914f5914c02add1d3590844a628b3c5a5fa2c48!devicecensus.exe", 992 | "ver": "2039/05/19:12:13:02!18342!devicecensus.exe", 993 | "asId": 483 994 | }, 995 | "device": { 996 | "localId": "s:6765A30B-E04D-4B4A-9954-55AA49BA79EF", 997 | "deviceClass": "Windows.Desktop" 998 | }, 999 | "protocol": { 1000 | "devMake": "VMware, Inc.", 1001 | "devModel": "VMware7,1" 1002 | }, 1003 | "user": { 1004 | "localId": "w:76EFB15A-BF32-7E7D-871F-8EF13C84CA70" 1005 | }, 1006 | "loc": { 1007 | "tz": "-07:00" 1008 | } 1009 | }, 1010 | "data": { 1011 | "WUMachineId": "90d11724-7e1d-4720-8024-a053531cb000", 1012 | "WUServer": "#", 1013 | "WUDODownloadMode": 1, 1014 | "OSWUAutoUpdateOptions": 4, 1015 | "OSWUAutoUpdateOptionsSource": "Default", 1016 | "AppStoreAutoUpdate": 4294967295, 1017 | "AppStoreAutoUpdatePolicy": 4294967295, 1018 | "AppStoreAutoUpdateMDM": 2, 1019 | "DelayUpgrade": "False", 1020 | "UpdateServiceURLConfigured": "0", 1021 | "WUDeferUpgradePeriod": -1, 1022 | "WUDeferUpdatePeriod": -1, 1023 | "WUPauseState": "#", 1024 | "OSUninstalled": false, 1025 | "OSRolledBack": false, 1026 | "OSRollbackCount": 4294967295, 1027 | "UninstallActive": 4294967295, 1028 | "AppraiserGatedStatus": "#", 1029 | "OSAssessmentForFeatureUpdate": 0, 1030 | "OSAssessmentForQualityUpdate": 0, 1031 | "OSAssessmentForSecurityUpdate": 0, 1032 | "OSAssessmentFeatureOutOfDate": 0, 1033 | "OSAssessmentQualityOutOfDate": 0, 1034 | "OSAssessmentReleaseInfoTime": "2021-05-18T22:54:57.039" 1035 | } 1036 | }, 1037 | { 1038 | "ver": "4.0", 1039 | "name": "Census.UserDisplay", 1040 | "time": "2021-05-21T19:48:44.9992182Z", 1041 | "iKey": "o:0a89d516ae714e01ae89c96d185e9ae3", 1042 | "ext": { 1043 | "utc": { 1044 | "shellId": 33786497805320195, 1045 | "eventFlags": 514, 1046 | "pgName": "WINCORE", 1047 | "flags": 506462768, 1048 | "epoch": "900325", 1049 | "seq": 1745 1050 | }, 1051 | "metadata": { 1052 | "f": { 1053 | "InternalPrimaryDisplayResolutionHorizontal": 2, 1054 | "InternalPrimaryDisplayResolutionVertical": 2, 1055 | "InternalPrimaryDisplaySizePhysicalH": 2, 1056 | "InternalPrimaryDisplaySizePhysicalY": 2, 1057 | "NumberofInternalDisplays": 2, 1058 | "NumberofExternalDisplays": 2 1059 | }, 1060 | "privTags": 2048 1061 | }, 1062 | "mscv": { 1063 | "cV": "7g3Zq7GhHky8hrJR.0", 1064 | "cV": "7+xGrpmFek2DSzyo.0" 1065 | }, 1066 | "os": { 1067 | "bootId": 9, 1068 | "name": "Windows", 1069 | "ver": "10.0.19043.985.amd64fre.vb_release.191206-1406" 1070 | }, 1071 | "app": { 1072 | "id": "W:0000f519feec486de87ed73cb92d3cac802400000000!00009914f5914c02add1d3590844a628b3c5a5fa2c48!devicecensus.exe", 1073 | "ver": "2039/05/19:12:13:02!18342!devicecensus.exe", 1074 | "asId": 1087 1075 | }, 1076 | "device": { 1077 | "localId": "s:6765A30B-E04D-4B4A-9954-55AA49BA79EF", 1078 | "deviceClass": "Windows.Desktop" 1079 | }, 1080 | "protocol": { 1081 | "devMake": "VMware, Inc.", 1082 | "devModel": "VMware7,1", 1083 | "ticketKeys": [ 1084 | "23810040" 1085 | ] 1086 | }, 1087 | "user": { 1088 | "localId": "m:a5f16b5cd9dd213c" 1089 | }, 1090 | "loc": { 1091 | "tz": "-07:00" 1092 | } 1093 | }, 1094 | "data": { 1095 | "InternalPrimaryDisplayLogicalDPIX": 96, 1096 | "InternalPrimaryDisplayLogicalDPIY": 96, 1097 | "InternalPrimaryDisplayPhysicalDPIX": 4294967295, 1098 | "InternalPrimaryDisplayPhysicalDPIY": 4294967295, 1099 | "InternalPrimaryDisplayResolutionHorizontal": 3326, 1100 | "InternalPrimaryDisplayResolutionVertical": 1964, 1101 | "InternalPrimaryDisplaySizePhysicalH": 880, 1102 | "InternalPrimaryDisplaySizePhysicalY": 520, 1103 | "NumberofInternalDisplays": 0, 1104 | "NumberofExternalDisplays": 1, 1105 | "VRAMDedicated": 4, 1106 | "VRAMDedicatedSystem": 0, 1107 | "VRAMSharedSystem": 1023 1108 | } 1109 | }, 1110 | { 1111 | "ver": "4.0", 1112 | "name": "Census.UserNLS", 1113 | "time": "2021-05-21T19:48:45.3172670Z", 1114 | "iKey": "o:0a89d516ae714e01ae89c96d185e9ae3", 1115 | "ext": { 1116 | "utc": { 1117 | "shellId": 33786497805320195, 1118 | "eventFlags": 514, 1119 | "pgName": "WINCORE", 1120 | "flags": 506462768, 1121 | "epoch": "900325", 1122 | "seq": 1746 1123 | }, 1124 | "metadata": { 1125 | "privTags": 2048 1126 | }, 1127 | "mscv": { 1128 | "cV": "7g3Zq7GhHky8hrJR.0", 1129 | "cV": "7+xGrpmFek2DSzyo.0" 1130 | }, 1131 | "os": { 1132 | "bootId": 9, 1133 | "name": "Windows", 1134 | "ver": "10.0.19043.985.amd64fre.vb_release.191206-1406" 1135 | }, 1136 | "app": { 1137 | "id": "W:0000f519feec486de87ed73cb92d3cac802400000000!00009914f5914c02add1d3590844a628b3c5a5fa2c48!devicecensus.exe", 1138 | "ver": "2039/05/19:12:13:02!18342!devicecensus.exe", 1139 | "asId": 1087 1140 | }, 1141 | "device": { 1142 | "localId": "s:6765A30B-E04D-4B4A-9954-55AA49BA79EF", 1143 | "deviceClass": "Windows.Desktop" 1144 | }, 1145 | "protocol": { 1146 | "devMake": "VMware, Inc.", 1147 | "devModel": "VMware7,1", 1148 | "ticketKeys": [ 1149 | "23810040" 1150 | ] 1151 | }, 1152 | "user": { 1153 | "localId": "m:a5f16b5cd9dd213c" 1154 | }, 1155 | "loc": { 1156 | "tz": "-07:00" 1157 | } 1158 | }, 1159 | "data": { 1160 | "DefaultAppLanguage": "en-US", 1161 | "HomeLocation": 244, 1162 | "DisplayLanguage": "en-US", 1163 | "SpeechInputLanguages": "en-US", 1164 | "KeyboardInputLanguages": "0409:00000409;" 1165 | } 1166 | }, 1167 | { 1168 | "ver": "4.0", 1169 | "name": "Census.Userdefault", 1170 | "time": "2021-05-21T19:48:45.3180543Z", 1171 | "iKey": "o:0a89d516ae714e01ae89c96d185e9ae3", 1172 | "ext": { 1173 | "utc": { 1174 | "shellId": 33786497805320195, 1175 | "eventFlags": 514, 1176 | "pgName": "WINCORE", 1177 | "flags": 506462768, 1178 | "epoch": "900325", 1179 | "seq": 1747 1180 | }, 1181 | "metadata": { 1182 | "privTags": 2147485696 1183 | }, 1184 | "mscv": { 1185 | "cV": "7g3Zq7GhHky8hrJR.0", 1186 | "cV": "7+xGrpmFek2DSzyo.0" 1187 | }, 1188 | "os": { 1189 | "bootId": 9, 1190 | "name": "Windows", 1191 | "ver": "10.0.19043.985.amd64fre.vb_release.191206-1406" 1192 | }, 1193 | "app": { 1194 | "id": "W:0000f519feec486de87ed73cb92d3cac802400000000!00009914f5914c02add1d3590844a628b3c5a5fa2c48!devicecensus.exe", 1195 | "ver": "2039/05/19:12:13:02!18342!devicecensus.exe", 1196 | "asId": 1087 1197 | }, 1198 | "device": { 1199 | "localId": "s:6765A30B-E04D-4B4A-9954-55AA49BA79EF", 1200 | "deviceClass": "Windows.Desktop" 1201 | }, 1202 | "protocol": { 1203 | "devMake": "VMware, Inc.", 1204 | "devModel": "VMware7,1", 1205 | "ticketKeys": [ 1206 | "23810040" 1207 | ] 1208 | }, 1209 | "user": { 1210 | "localId": "m:a5f16b5cd9dd213c" 1211 | }, 1212 | "loc": { 1213 | "tz": "-07:00" 1214 | } 1215 | }, 1216 | "data": { 1217 | "DefaultBrowserProgId": "MSEdgeHTM", 1218 | "DefaultApp": ".html:MSEdgeHTM|.htm:MSEdgeHTM|.jpg:AppX43hnxtbyyps62jhe9sqpdzxn1790zetc|.jpeg:AppX43hnxtbyyps62jhe9sqpdzxn1790zetc|.png:AppX43hnxtbyyps62jhe9sqpdzxn1790zetc|.mp3:AppXqj98qxeaynz6dv4459ayz6bnqxbyaqcs|.mp4:AppX6eg8h5sxqq90pv53845wmnbewywdqq5h|.mov:AppX6eg8h5sxqq90pv53845wmnbewywdqq5h|.pdf:MSEdgePDF|http:MSEdgeHTM|https:MSEdgeHTM|mailto:AppXydk58wgm44se4b399557yyyj1w7mbmvd", 1219 | "CalendarType": "1", 1220 | "ShortDateFormat": "M/d/yyyy", 1221 | "LongDateFormat": "dddd, MMMM d, yyyy", 1222 | "LocaleName": "en-US" 1223 | } 1224 | }, 1225 | { 1226 | "ver": "4.0", 1227 | "name": "Census.UserPrivacySettings", 1228 | "time": "2021-05-21T19:48:45.5857362Z", 1229 | "iKey": "o:0a89d516ae714e01ae89c96d185e9ae3", 1230 | "ext": { 1231 | "utc": { 1232 | "shellId": 33786497805320195, 1233 | "eventFlags": 258, 1234 | "pgName": "WINCORE", 1235 | "flags": 506462768, 1236 | "epoch": "900325", 1237 | "seq": 1748 1238 | }, 1239 | "metadata": { 1240 | "f": { 1241 | "Activity": 2, 1242 | "AppDiagnostics": 2, 1243 | "Appointments": 2, 1244 | "Bluetooth": 2, 1245 | "BluetoothSync": 2, 1246 | "BroadFileSystemAccess": 2, 1247 | "CellularData": 2, 1248 | "Chat": 2, 1249 | "Contacts": 2, 1250 | "DocumentsLibrary": 2, 1251 | "Email": 2, 1252 | "GazeInput": 2, 1253 | "HumanInterfaceDevice": 2, 1254 | "Location": 2, 1255 | "LocationHistory": 2, 1256 | "Microphone": 2, 1257 | "PhoneCall": 2, 1258 | "PhoneCallHistory": 2, 1259 | "PicturesLibrary": 2, 1260 | "Radios": 2, 1261 | "SensorsCustom": 2, 1262 | "SerialCommunication": 2, 1263 | "Sms": 2, 1264 | "USB": 2, 1265 | "UserAccountInformation": 2, 1266 | "UserDataTasks": 2, 1267 | "UserNotificationListener": 2, 1268 | "VideosLibrary": 2, 1269 | "Webcam": 2, 1270 | "WifiData": 2, 1271 | "WiFiDirect": 2, 1272 | "ActivityHistoryCollection": 2, 1273 | "ActivityHistoryCloudSync": 2, 1274 | "AdvertisingId": 2, 1275 | "SpeechPersonalization": 2, 1276 | "InkTypePersonalization": 2, 1277 | "InkTypeImprovement": 2 1278 | }, 1279 | "privTags": 2048 1280 | }, 1281 | "mscv": { 1282 | "cV": "7g3Zq7GhHky8hrJR.0", 1283 | "cV": "7+xGrpmFek2DSzyo.0" 1284 | }, 1285 | "os": { 1286 | "bootId": 9, 1287 | "name": "Windows", 1288 | "ver": "10.0.19043.985.amd64fre.vb_release.191206-1406" 1289 | }, 1290 | "app": { 1291 | "id": "W:0000f519feec486de87ed73cb92d3cac802400000000!00009914f5914c02add1d3590844a628b3c5a5fa2c48!devicecensus.exe", 1292 | "ver": "2039/05/19:12:13:02!18342!devicecensus.exe", 1293 | "asId": 1087 1294 | }, 1295 | "device": { 1296 | "localId": "s:6765A30B-E04D-4B4A-9954-55AA49BA79EF", 1297 | "deviceClass": "Windows.Desktop" 1298 | }, 1299 | "protocol": { 1300 | "devMake": "VMware, Inc.", 1301 | "devModel": "VMware7,1", 1302 | "ticketKeys": [ 1303 | "23813156" 1304 | ] 1305 | }, 1306 | "user": { 1307 | "localId": "m:a5f16b5cd9dd213c" 1308 | }, 1309 | "loc": { 1310 | "tz": "-07:00" 1311 | } 1312 | }, 1313 | "data": { 1314 | "Activity": 256, 1315 | "AppDiagnostics": 256, 1316 | "Appointments": 256, 1317 | "Bluetooth": 256, 1318 | "BluetoothSync": 256, 1319 | "BroadFileSystemAccess": 256, 1320 | "CellularData": 256, 1321 | "Chat": 256, 1322 | "Contacts": 256, 1323 | "DocumentsLibrary": 256, 1324 | "Email": 256, 1325 | "GazeInput": 256, 1326 | "HumanInterfaceDevice": 256, 1327 | "Location": 256, 1328 | "LocationHistory": 256, 1329 | "Microphone": 256, 1330 | "PhoneCall": 256, 1331 | "PhoneCallHistory": 256, 1332 | "PicturesLibrary": 256, 1333 | "Radios": 256, 1334 | "SensorsCustom": 256, 1335 | "SerialCommunication": 256, 1336 | "Sms": 256, 1337 | "USB": 256, 1338 | "UserAccountInformation": 256, 1339 | "UserDataTasks": 256, 1340 | "UserNotificationListener": 256, 1341 | "VideosLibrary": 256, 1342 | "Webcam": 256, 1343 | "WifiData": 256, 1344 | "WiFiDirect": 256, 1345 | "ActivityHistoryCollection": 256, 1346 | "ActivityHistoryCloudSync": 512, 1347 | "AdvertisingId": 256, 1348 | "SpeechPersonalization": 517, 1349 | "InkTypePersonalization": 256, 1350 | "InkTypeImprovement": 256 1351 | } 1352 | } 1353 | -------------------------------------------------------------------------------- /FullEventNames/Device Connectivity and Configuration/DeviceConnectivityandConfiguration_FullEventNames.txt: -------------------------------------------------------------------------------- 1 | 52FC89F8-995E-434C-A91E-199986449890.129_0 2 | AC52AD17-CC01-4F85-8DF5-4DCE4333C99B.43_2 3 | Aria.218d658af29e41b6bc37144bd03f018d.Microsoft.WebBrowser.HistoryJournal.HJ_BrowserInfo 4 | Aria.7005b72804a64fa4b2138faab88f877b.Microsoft.WebBrowser.Protobuf.UMA.Histograms.Group1 5 | Aria.7005b72804a64fa4b2138faab88f877b.Microsoft.WebBrowser.Protobuf.UMA.Histograms.Group3 6 | Aria.7005b72804a64fa4b2138faab88f877b.Microsoft.WebBrowser.Protobuf.UMA.SystemProfile 7 | Aria.7005b72804a64fa4b2138faab88f877b.Microsoft.WebBrowser.SystemInfo.Config 8 | Aria.ac279d3495274f1681e7e87dd94f8e71.Microsoft.WebBrowser.Protobuf.UKM.Aggregates 9 | Aria.ac279d3495274f1681e7e87dd94f8e71.Microsoft.WebBrowser.Protobuf.UKM.SystemProfile 10 | Aria.af397ef28e484961ba48646a5d38cf54.Microsoft.WebBrowser.Installer.EdgeUpdate.Ping 11 | Aria.af397ef28e484961ba48646a5d38cf54.Microsoft.WebBrowser.Installer.EdgeUpdate.UsageStats 12 | Aria.d5a8f02229be41efb047bd8f883ba799.Assert 13 | Aria.d5a8f02229be41efb047bd8f883ba799.BootSafeModeState 14 | Aria.d5a8f02229be41efb047bd8f883ba799.FlightingChanged 15 | Aria.d5a8f02229be41efb047bd8f883ba799.KeyIndexStats 16 | Aria.d5a8f02229be41efb047bd8f883ba799.StorageMaintenanceStatus 17 | Aria.d5a8f02229be41efb047bd8f883ba799.SuccessfulBoot 18 | Aria.d5a8f02229be41efb047bd8f883ba799.TaskbarPinInfo 19 | Aria.d5a8f02229be41efb047bd8f883ba799.Trace 20 | CbsServicingProvider.CbsPackageChangeBeginV3 21 | CbsServicingProvider.CbsPackageChangeEndV2 22 | CbsServicingProvider.CbsSelectableUpdateChangeV2 23 | Census.Battery 24 | Census.Enterprise 25 | Census.Firmware 26 | Census.Flighting 27 | Census.Hardware 28 | Census.Memory 29 | Census.Network 30 | Census.OS 31 | Census.PrivacySettings 32 | Census.Processor 33 | Census.Security 34 | Census.Speech 35 | Census.Storage 36 | Census.Userdefault 37 | Census.UserDisplay 38 | Census.UserNLS 39 | Census.UserPrivacySettings 40 | Census.VM 41 | Census.WU 42 | DxgKrnlTelemetry.BddDiag 43 | DxgKrnlTelemetry.DisplayConnectivityNotification 44 | DxgKrnlTelemetry.DisplayInventoryV2 45 | DxgKrnlTelemetry.GPUAdapterInventoryV2 46 | DxgKrnlTelemetry.GPUAdapterStop 47 | IumTelemetryProvider.EfiRuntimeServices 48 | Microsoft.CAndE.ADFabric.CDJ.NgcPolicyCheck 49 | Microsoft.OneCore.NetworkingTriage.GetConnected.FirewallGlobalConfigurationChangedEvent 50 | Microsoft.OneCore.NetworkingTriage.GetConnected.FirewallReadyEvent 51 | Microsoft.OneCore.NetworkingTriage.GetConnected.InterfaceCapabilityChangedEvent 52 | Microsoft.OneCore.NetworkingTriage.GetConnected.InterfaceConnectedStateChangedEvent 53 | Microsoft.OneCore.NetworkingTriage.GetConnected.InterfaceDisconnectedStateChangedEvent 54 | Microsoft.OneCore.NetworkingTriage.GetConnected.InterfaceStateUnhiddenAction 55 | Microsoft.OneCore.NetworkingTriage.GetConnected.MachineConnectivityChangedEvent 56 | Microsoft.OneCore.NetworkingTriage.GetConnected.ProfilePushedToFirewallEvent 57 | Microsoft.OneCore.NetworkingTriage.GetConnected.RouteAddedEvent 58 | Microsoft.OneCore.NetworkingTriage.GetConnected.RouteRefreshedEvent 59 | Microsoft.OneCore.NetworkingTriage.GetConnected.UXViewDesktopIconUpdateAction 60 | Microsoft.OneCore.NetworkingTriage.GetConnected.UXViewIconChangedEvent 61 | Microsoft.OSG.Web.WinInet.CacheAccessStatsAggregate 62 | Microsoft.OSG.Web.WinInet.CacheFileIO 63 | Microsoft.OSG.Web.WinInet.Http2ConnectionSharingResend 64 | Microsoft.OSG.Web.WinInet.Http2RstStreamReceived 65 | Microsoft.OSG.Web.WinInet.HttpPreConnect unnecessary 66 | Microsoft.OSG.Web.WinInet.PLTandLinkedWininetTelemetry 67 | Microsoft.OSG.Web.WinInet.SameSiteSetCookie 68 | Microsoft.OSG.Web.WinInet.TLSHandshakeSucceeded 69 | Microsoft.Web.Platform.DXAdapterDesc 70 | Microsoft.Windows.Appraiser.General.DatasourceApplicationFileAdd 71 | Microsoft.Windows.Appraiser.General.DatasourceDevicePnpAdd 72 | Microsoft.Windows.Appraiser.General.DatasourceDevicePnpRemove 73 | Microsoft.Windows.Appraiser.General.DatasourceDriverPackageAdd 74 | Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveAdd 75 | Microsoft.Windows.Appraiser.General.DatasourceSystemBiosAdd 76 | Microsoft.Windows.Appraiser.General.DecisionApplicationFileAdd 77 | Microsoft.Windows.Appraiser.General.DecisionDevicePnpAdd 78 | Microsoft.Windows.Appraiser.General.DecisionDevicePnpRemove 79 | Microsoft.Windows.Appraiser.General.DecisionDriverPackageAdd 80 | Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveAdd 81 | Microsoft.Windows.Appraiser.General.DecisionMediaCenterAdd 82 | Microsoft.Windows.Appraiser.General.DecisionSModeStateAdd 83 | Microsoft.Windows.Appraiser.General.DecisionSystemBiosAdd 84 | Microsoft.Windows.Appraiser.General.DecisionSystemDiskSizeAdd 85 | Microsoft.Windows.Appraiser.General.DecisionSystemProcessorCpuCoresAdd 86 | Microsoft.Windows.Appraiser.General.DecisionSystemProcessorCpuModelAdd 87 | Microsoft.Windows.Appraiser.General.DecisionSystemProcessorCpuSpeedAdd 88 | Microsoft.Windows.Appraiser.General.DecisionTpmVersionAdd 89 | Microsoft.Windows.Appraiser.General.DecisionUefiSecureBootAdd 90 | Microsoft.Windows.Appraiser.General.InventoryApplicationFileAdd 91 | Microsoft.Windows.Appraiser.General.InventoryLanguagePackAdd 92 | Microsoft.Windows.Appraiser.General.InventoryMediaCenterAdd 93 | Microsoft.Windows.Appraiser.General.InventorySystemBiosAdd 94 | Microsoft.Windows.Appraiser.General.SystemMemoryAdd 95 | Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeAdd 96 | Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfAdd 97 | Microsoft.Windows.Appraiser.General.SystemProcessorNxAdd 98 | Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWAdd 99 | Microsoft.Windows.Appraiser.General.SystemProcessorSse2Add 100 | Microsoft.Windows.Appraiser.General.SystemTouchAdd 101 | Microsoft.Windows.Appraiser.General.SystemWimAdd 102 | Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusAdd 103 | Microsoft.Windows.Appraiser.General.SystemWlanAdd 104 | Microsoft.Windows.Appraiser.General.WmdrmAdd 105 | Microsoft.Windows.Audio.AcousticEchoCancellation.Initialize 106 | Microsoft.Windows.Audio.Client.AudioClientInitialize 107 | Microsoft.Windows.Audio.DeviceGraph.AudioProcessingObjectInfo 108 | Microsoft.Windows.Audio.EndpointBuilder.AudioMigrationDefaultData 109 | Microsoft.Windows.Audio.EndpointBuilder.AudioMigrationDeviceInformation 110 | Microsoft.Windows.Audio.EndpointBuilder.AudioMigrationProblem 111 | Microsoft.Windows.Audio.EndpointBuilder.DefaultEndpointChange 112 | Microsoft.Windows.Audio.EndpointBuilder.DeviceCreationFailure 113 | Microsoft.Windows.Audio.EndpointBuilder.DeviceInfo 114 | Microsoft.Windows.Audio.EndpointBuilder.DeviceRemoved 115 | Microsoft.Windows.Audio.EndpointBuilder.DeviceStateChange 116 | Microsoft.Windows.Audio.PolicyConfig.SetDefaultEndpoint 117 | Microsoft.Windows.Audio.Service.AudioJournal 118 | Microsoft.Windows.Audio.Spatial.Renderer.LockForProcess 119 | Microsoft.Windows.Audio.Spatial.Renderer.UnlockForProcess 120 | Microsoft.Windows.BcastDVR.Error 121 | Microsoft.Windows.Bluetooth.Avctp.ComponentLoad 122 | Microsoft.Windows.Bluetooth.BthPort.LocalDriverInfo 123 | Microsoft.Windows.Capture.USBVideo.PinInfo 124 | Microsoft.Windows.Capture.USBVideo.UVC-Categories 125 | Microsoft.Windows.Capture.USBVideo.UVC-ConfigurationDescriptor 126 | Microsoft.Windows.Capture.USBVideo.UVC-ExtensionUnitGUID 127 | Microsoft.Windows.Capture.USBVideo.UVC-FaultyInterruptEndpoint 128 | Microsoft.Windows.CDP.AFS.ActivityStoreEvent 129 | Microsoft.Windows.CDP.MetricsManagerEvent 130 | Microsoft.Windows.ConnectionManager.AvoidedBadConnectivityState 131 | Microsoft.Windows.ConnectionManager.GetCdePolicies(Aggregate) 132 | Microsoft.Windows.ConnectionManager.GetCellularFailoverPolicy(Aggregate) 133 | Microsoft.Windows.ConnectionManager.GetDisableIPv6BadStateTrackingPolicy(Aggregate) 134 | Microsoft.Windows.ConnectionManager.GetEnableBadStateTrackingPolicy(Aggregate) 135 | Microsoft.Windows.ConnectionManager.GetIgnoreNonRoutableEthernetPolicy(Aggregate) 136 | Microsoft.Windows.ConnectionManager.GetSoftDisconnectPolicy(Aggregate) 137 | Microsoft.Windows.ConnectionManager.GetWcmGroupOrLocalPolicy(Aggregate) 138 | Microsoft.Windows.ConnectionManager.RouteManagerTriggerEvaluationCompleted 139 | Microsoft.Windows.ConnectionManager.StartBadConnectivityState 140 | Microsoft.Windows.ConnectionManager.StopBadConnectivityState 141 | Microsoft.Windows.ConnectionManager.WcmPdcInterfaceAdded 142 | Microsoft.Windows.ConnectionManager.WcmPdcInterfaceRemoved 143 | Microsoft.Windows.ContentDeliveryManager.IsContentDeliveryAllowed 144 | Microsoft.Windows.ContentDeliveryManager.RegisterTaskInFuture 145 | Microsoft.Windows.ContentDeliveryManager.RegisterTaskInFutureByDueDateTime 146 | Microsoft.Windows.Defender.App.DatamodelInitialization 147 | Microsoft.Windows.Defender.App.DefenderAppStartup 148 | Microsoft.Windows.Defender.App.Error 149 | Microsoft.Windows.Defender.App.NavigatedToDefenderPage 150 | Microsoft.Windows.Defender.App.OnLaunch 151 | Microsoft.Windows.Defender.App.ShieldProviderInterfaceCreateEvent 152 | Microsoft.Windows.Defender.App.ShieldStatePillarStatus 153 | Microsoft.Windows.Defender.App.Suspending 154 | Microsoft.Windows.Defender.Shield.ShieldHeartbeat 155 | Microsoft.Windows.DriverInstall.DeviceInstall 156 | Microsoft.Windows.DriverInstall.NewDevInstallDeviceEnd 157 | Microsoft.Windows.DriverInstall.NewDevInstallDeviceStart 158 | Microsoft.Windows.DriverInstall.UserModePnpDeviceInstall 159 | Microsoft.Windows.DShow.MFproxy.DShowKsProxyEvents 160 | Microsoft.Windows.DusmSvc.BackgroundRestriction 161 | Microsoft.Windows.Firewall.API.FwManualStart 162 | Microsoft.Windows.Firewall.FwConnectionSecurityRulesPresent 163 | Microsoft.Windows.Firewall.FwEnabledORDisabled 164 | Microsoft.Windows.Firewall.FwPerProfileConfiguration 165 | Microsoft.Windows.Firewall.FwPerProfileFirewallEnabledORDisabled 166 | Microsoft.Windows.Firewall.FwRuleMergeEnabled 167 | Microsoft.Windows.Firewall.NetworkIsolationCapabilityViolations 168 | Microsoft.Windows.Firewall.QueryUser 169 | Microsoft.Windows.Graphics.D3D12.CreateDevice 170 | Microsoft.Windows.Graphics.Display.AggIoDeviceControl 171 | Microsoft.Windows.Graphics.Display.AggSetMonitorsDimState 172 | Microsoft.Windows.Graphics.Display.DisplayEnhancementService.OEMSettingsEvent 173 | Microsoft.Windows.Graphics.Display.DisplayScenarioRestoreV3 174 | Microsoft.Windows.Graphics.Display.DisplayScenarioV3 175 | Microsoft.Windows.Graphics.Display.MonitorCapabilities 176 | Microsoft.Windows.Graphics.Display.MonitorOnOff 177 | Microsoft.Windows.Graphics.Display.OPMContextCreate 178 | Microsoft.Windows.Graphics.Display.SetMonitorsDimState 179 | Microsoft.Windows.Graphics.DisplayBroker.Aggregate.DisplayManagerAcquireTarget 180 | Microsoft.Windows.Graphics.DxgDiagnostics.RapidHpdTrigger 181 | Microsoft.Windows.Graphics.DxgDiagnostics.SET_VIDPN_SOURCE_VISIBILITY 182 | Microsoft.Windows.Graphics.DXGI.GpuPreferenceInfo 183 | Microsoft.Windows.Graphics.IddCx.AdapterStart 184 | Microsoft.Windows.Graphics.IddCx.DisplayConfigUpdateAg 185 | Microsoft.Windows.Graphics.IddCx.MonitorActivityAg 186 | Microsoft.Windows.Graphics.IddCx.MonitorFirstFrameTransmitted 187 | Microsoft.Windows.Graphics.IddCx.MonitorFirstPathActive 188 | Microsoft.Windows.HidTelephony.GetDeviceInfo 189 | Microsoft.Windows.HidTelephony.OnFileClose 190 | Microsoft.Windows.HidTelephony.OnFileOpen 191 | Microsoft.Windows.HidTelephony.UnSupportedInputButton 192 | Microsoft.Windows.HidTelephony.UnSupportedOutputButton 193 | Microsoft.Windows.Hyper.V.NetMgmt.NetMgmt::CreateInternalEthernetAdapter 194 | Microsoft.Windows.Hyper.V.NetMgmt.NetMgmt::CreateInternalEthernetAdapterLW 195 | Microsoft.Windows.Hyper.V.NetMgmt.NetMgmt::CreateVirtualSwitch 196 | Microsoft.Windows.Hyper.V.VmsIf.VmsIfNicInitializeMiniport 197 | Microsoft.Windows.Hyper.V.VmsIf.VmsIfNicInitializeMiniportLW 198 | Microsoft.Windows.Hyper.V.VmsIf.VmsIfSwitchCreate 199 | Microsoft.Windows.HyperV.Compute.GlobalMemoryBalancerReserves 200 | Microsoft.Windows.Hyper-V.VmSwitch.ExtDefaultNicConnect 201 | Microsoft.Windows.Hyper-V.VmSwitch.IoctlOperation 202 | Microsoft.Windows.Hyper-V.VmSwitch.MiniportNicConnect 203 | Microsoft.Windows.Hyper-V.VmSwitch.NicDisconnect 204 | Microsoft.Windows.Hyper-V.VmSwitch.SwitchCreate 205 | Microsoft.Windows.Hyper-V.VmSwitch.SwitchDelete 206 | Microsoft.Windows.Input.MouClass.PrivilegeNotFoundForCreate 207 | Microsoft.Windows.Inventory.Core.InventoryApplicationAdd 208 | Microsoft.Windows.Inventory.Core.InventoryApplicationRemove 209 | Microsoft.Windows.Inventory.Core.InventoryApplicationStartSync 210 | Microsoft.Windows.Inventory.Core.InventoryDeviceContainerAdd 211 | Microsoft.Windows.Inventory.Core.InventoryDeviceContainerRemove 212 | Microsoft.Windows.Inventory.Core.InventoryDeviceContainerStartSync 213 | Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceAdd 214 | Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceStartSync 215 | Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassAdd 216 | Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassStartSync 217 | Microsoft.Windows.Inventory.Core.InventoryDevicePnpAdd 218 | Microsoft.Windows.Inventory.Core.InventoryDevicePnpRemove 219 | Microsoft.Windows.Inventory.Core.InventoryDevicePnpStartSync 220 | Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassAdd 221 | Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassStartSync 222 | Microsoft.Windows.Inventory.Core.InventoryDriverBinaryAdd 223 | Microsoft.Windows.Inventory.Core.InventoryDriverBinaryStartSync 224 | Microsoft.Windows.Inventory.Core.InventoryDriverPackageAdd 225 | Microsoft.Windows.Inventory.Core.InventoryDriverPackageStartSync 226 | Microsoft.Windows.Inventory.General.InventoryMiscellaneousAdd 227 | Microsoft.Windows.Inventory.General.InventoryMiscellaneousAntivirusInformationAdd 228 | Microsoft.Windows.Inventory.General.InventoryMiscellaneousCpuidAdd 229 | Microsoft.Windows.Inventory.General.InventoryMiscellaneousCpuidStartSync 230 | Microsoft.Windows.Inventory.General.InventoryMiscellaneousDiskInfoAdd 231 | Microsoft.Windows.Inventory.General.InventoryMiscellaneousDiskPartitionInfoAdd 232 | Microsoft.Windows.Inventory.General.InventoryMiscellaneousGptDiskAdd 233 | Microsoft.Windows.Inventory.General.InventoryMiscellaneousInstalledDotNetFrameworkAdd 234 | Microsoft.Windows.Inventory.General.InventoryMiscellaneousMbrDiskAdd 235 | Microsoft.Windows.Inventory.General.InventoryMiscellaneousMicrocodeInformationAdd 236 | Microsoft.Windows.Inventory.General.InventoryMiscellaneousMonitorDataAdd 237 | Microsoft.Windows.Inventory.General.InventoryMiscellaneousPhysicalDiskInfoAdd 238 | Microsoft.Windows.Inventory.General.InventoryMiscellaneousPhysicalDiskInfoStartSync 239 | Microsoft.Windows.Inventory.General.InventoryMiscellaneousSetupBootedFromAuditModeAdd 240 | Microsoft.Windows.Inventory.General.InventoryMiscellaneousSetupBootedFromVHDAdd 241 | Microsoft.Windows.Inventory.General.InventoryMiscellaneousSetupPendingFirmwareUpdateWithPowerAdd 242 | Microsoft.Windows.Inventory.General.InventoryMiscellaneousSystemMemoryInfoAdd 243 | Microsoft.Windows.Inventory.General.InventoryMiscellaneousSystemMemoryInfoStartSync 244 | Microsoft.Windows.Inventory.General.InventoryMiscellaneousUserAccountTypeEnumerationAdd 245 | Microsoft.Windows.Inventory.General.InventoryMiscellaneousUserAdd 246 | Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd 247 | Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoRemove 248 | Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoStartSync 249 | Microsoft.Windows.Inventory.General.InventoryMiscellaneousVolumeInfoAdd 250 | Microsoft.Windows.Inventory.General.InventoryMiscellaneousWAMAccountsAdd 251 | Microsoft.Windows.Inventory.Indicators.Checksum 252 | Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorAdd 253 | Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorStartSync 254 | Microsoft.Windows.IUIRadioManager.UIToggleDisabled 255 | Microsoft.Windows.IUIRadioManager.UIToggleDisabledTimerExpired 256 | Microsoft.Windows.Kernel.BootEnvironment.TxtInfo 257 | Microsoft.Windows.Kernel.DeviceConfig.DeviceConfig 258 | Microsoft.Windows.Kernel.PnP.AggregateClearDevNodeProblem 259 | Microsoft.Windows.Kernel.PnP.AggregateDmaGuardDevicePolicy 260 | Microsoft.Windows.Kernel.PnP.AggregateSetDevNodeProblem 261 | Microsoft.Windows.Kernel.PnP.DmaGuardSystemPolicy 262 | Microsoft.Windows.MediaFoundation.FrameServer.FrameServerClientClose 263 | Microsoft.Windows.MediaFoundation.FrameServer.FrameServerClientCreate 264 | Microsoft.Windows.MediaFoundation.FrameServer.FrameServerSourceCreate 265 | Microsoft.Windows.MediaFoundation.FrameServer.FSStreamStart 266 | Microsoft.Windows.MediaFoundation.FrameServer.FSStreamStop 267 | Microsoft.Windows.MediaFoundation.SensorGroup.MFCaptureDevicePnpStats 268 | Microsoft.Windows.MediaFoundation.SensorGroup.MFSensorGroupPublish 269 | Microsoft.Windows.MediaFoundation.SensorGroup.MFSensorGroupRevoke 270 | Microsoft.Windows.MediaFoundation.UVC.InfCustomization 271 | Microsoft.Windows.MediaFoundation.UVC.MetadataConfiguration 272 | Microsoft.Windows.MediaFoundation.UVC.MetadataObserved 273 | Microsoft.Windows.MobilityExperience.YourPhone.Inventory.InventorySummaryCensus 274 | Microsoft.Windows.MobilityExperience.YourPhone.MismatchedContractVersions 275 | Microsoft.Windows.NDIS.AddDeviceSuccessful 276 | Microsoft.Windows.NDIS.InitializeDeviceFailed 277 | Microsoft.Windows.NDIS.InitializeDeviceSuccessful 278 | Microsoft.Windows.NDIS.RemoveDevice 279 | Microsoft.Windows.NetworkInformation.MethodDurationByResult(Aggregate) 280 | Microsoft.Windows.NetworkInformation.NlmCoCreateDuringSetup 281 | Microsoft.Windows.Networking.BFE.Filter.FilterAdd 282 | Microsoft.Windows.Networking.BFE.Filter.FilterDelete 283 | Microsoft.Windows.Networking.BFE.Provider.ProviderAdd 284 | Microsoft.Windows.Networking.BFE.Provider.ProviderDelete 285 | Microsoft.Windows.Networking.BFE.SubLayer.SubLayerAdd 286 | Microsoft.Windows.Networking.BFE.SubLayer.SubLayerDelete 287 | Microsoft.Windows.Networking.DHCP.AddressPlumbed 288 | Microsoft.Windows.Networking.DHCP.Dhcpv4Options 289 | Microsoft.Windows.Networking.DHCP.DiscoveryAttempt 290 | Microsoft.Windows.Networking.DHCP.RenewalAttempt 291 | Microsoft.Windows.Networking.DHCP.RequestAttempt 292 | Microsoft.Windows.Networking.DHCP.TimeToPlumbAddress 293 | Microsoft.Windows.Networking.DHCPv6.SolicitAttempt 294 | Microsoft.Windows.Networking.DNS.DnsQueryStats 295 | Microsoft.Windows.Networking.DNS.DnsServerConfig 296 | Microsoft.Windows.Networking.DNS.DnsServerFailureStats 297 | Microsoft.Windows.Networking.DNS.DnsServerStatistics 298 | Microsoft.Windows.Networking.EDP.Census 299 | Microsoft.Windows.Networking.NetworkSetupShim.InstallNonPnPDriver 300 | Microsoft.Windows.Networking.NetworkSetupSvc.InstallPnPDevice 301 | Microsoft.Windows.Networking.WFP.Ale.AleAuthConnectionTimes 302 | Microsoft.Windows.Networking.WFP.FilterEngineTelemetry.AleAuthLayerMemUsage 303 | Microsoft.Windows.Networking.WFP.FilterEngineTelemetry.WfpCalloutInfo 304 | Microsoft.Windows.Networking.WFP.Kernel.CalloutRegister 305 | Microsoft.Windows.NetworkListManager.ClientProcessDestructionTelemetry 306 | Microsoft.Windows.NetworkListManager.DeviceConnectivityChanged 307 | Microsoft.Windows.NetworkListManager.GlobalConnectivityStateChange 308 | Microsoft.Windows.NetworkListManager.InterfaceCapabilityChanged 309 | Microsoft.Windows.NetworkListManager.InterfaceHidden 310 | Microsoft.Windows.NetworkListManager.NlmCoCreateDuringSetup 311 | Microsoft.Windows.NetworkListManager.NlmSignatures-LogSignatureChanges-InterfaceIsIdentifying 312 | Microsoft.Windows.NetworkListManager.NlmSignatures-LogSignatureChanges-InterfaceIsUnidentified 313 | Microsoft.Windows.NetworkListManager.NsiNetworkCategory 314 | Microsoft.Windows.PlatformExtensions.IsExtensionAvailable 315 | Microsoft.Windows.PlatformExtensions.TryActivateContractExtension 316 | Microsoft.Windows.Power.PlatformCapabilities.Flags 317 | Microsoft.Windows.Power.PlatformCapabilities.PlatformRole 318 | Microsoft.Windows.Power.PlatformCapabilities.Ppm 319 | Microsoft.Windows.Power.PlatformCapabilities.ProcessorStates 320 | Microsoft.Windows.Power.PlatformCapabilities.Sleep 321 | Microsoft.Windows.Power.PowerPolicy.ConsolidatedPowerPolicy 322 | Microsoft.Windows.Power.PowerPolicy.EffectiveProcessorPolicy 323 | Microsoft.Windows.Security.Biometrics.Service.PipelineLoadPlugIns 324 | Microsoft.Windows.Security.BitLocker.EncryptionDelay.BitLocker.OOBE.Complete 325 | Microsoft.Windows.Security.CodeIntegrity.State.Current 326 | Microsoft.Windows.Security.CredHelper.FilterUserArray 327 | Microsoft.Windows.Security.CredHelper.ShouldRemovePasswordUser 328 | Microsoft.Windows.Security.Kerberos.GetTgtStop_Aggregate 329 | Microsoft.Windows.Security.Kerberos.NtlmFallback_Aggregate 330 | Microsoft.Windows.Security.Kerberos.ReadRegistryValue_Aggregate 331 | Microsoft.Windows.Security.LsaSrv.ArsoNotifyUserLogon 332 | Microsoft.Windows.Security.LUA.LUASettings 333 | Microsoft.Windows.Security.NGC.CredProv.InitializationContext 334 | Microsoft.Windows.Security.NGC.CredProv.PaintedPinTiles 335 | Microsoft.Windows.Security.NGC.CredProv.SerializeResponseInternal 336 | Microsoft.Windows.Security.NGC.CryptNgc.NgcPackAuthBuffer 337 | Microsoft.Windows.Security.NGC.CryptNgc.NgcQueryEnabled 338 | Microsoft.Windows.Security.NGC.CryptNgc.PolicyManager.GetManagedPolicy 339 | Microsoft.Windows.Security.NGC.CryptNgc.PolicyManager.QueryIsNgcEnabled 340 | Microsoft.Windows.Security.NGC.CryptNgc.QueryWindowHelloStates 341 | Microsoft.Windows.Security.NGC.KeyStaging.NgcPregenKey 342 | Microsoft.Windows.Security.NGC.KspSvc.NgcContainerCacheEntryState 343 | Microsoft.Windows.Security.NGC.KspSvc.PerformLocalOperationWithGesture 344 | Microsoft.Windows.Security.NGC.KspSvc.UserCacheEntryState 345 | Microsoft.Windows.Security.NGC.KspSvc.VerifyAndFixCtnrSvcAppDirectoryAcl 346 | Microsoft.Windows.Security.NGC.NgcCtnr.ContainerLoad 347 | Microsoft.Windows.Security.NGC.NgcCtnr.GetSoftLockoutInfo 348 | Microsoft.Windows.Security.NGC.NgcCtnr.SoftLockoutCounterUpdated 349 | Microsoft.Windows.Security.NGC.NgcCtnrSvc.AuthenticateGesture 350 | Microsoft.Windows.Security.NGC.NgcCtnrSvc.PolicyManager.GetManagedPolicy 351 | Microsoft.Windows.Security.NGC.NgcCtnrSvc.ResetContainerLockout 352 | Microsoft.Windows.Security.NGC.NgcCtnrSvc.RsaDecryptWithPkcs1 353 | Microsoft.Windows.Security.Ntlm.HardcodedNtlmCall_Aggregate 354 | Microsoft.Windows.Security.Ntlm.LocalSAMLogon_Aggregate 355 | Microsoft.Windows.Security.Ntlm.LogonUserStop_Aggregate 356 | Microsoft.Windows.Security.Ntlm.ReadRegistryValue_Aggregate 357 | Microsoft.Windows.Security.PasswordlessPolicy.IsAccountPasswordless 358 | Microsoft.Windows.Security.Schannel.TlsHandshakeInfoClientAggregated 359 | Microsoft.Windows.Security.Schannel.TlsHandshakeInfoServerCipherSuiteAggregated 360 | Microsoft.Windows.Security.WSC.RegisterAntiVirus 361 | Microsoft.Windows.SetupApi.SetupInstallFilesFromInfSection 362 | Microsoft.Windows.SetupApi.SetupInstallFromInfSection 363 | Microsoft.Windows.SetupApi.SetupInstallServicesFromInfSectionEx 364 | Microsoft.Windows.Shell.OpenWith.SetDefaultProgramLogOn 365 | Microsoft.Windows.Shell.RunOnce.RunOnceCommandLength 366 | Microsoft.Windows.ShellPlacements.SpotlightMode 367 | Microsoft.Windows.SrumSvc.DataUsageAggregateTimer 368 | Microsoft.Windows.Storage.Crashdmp.CrashdumpDumpDriverLoaded 369 | Microsoft.Windows.Storage.Crashdmp.CrashdumpRegistrySettings 370 | Microsoft.Windows.Sysprep.PnP.PnpSpecialize 371 | Microsoft.Windows.System.RemoteSystem.HandleOnDevice 372 | Microsoft.Windows.TextInput.SpellCheckerEngine.SpellerSettings 373 | Microsoft.Windows.UEFI.ESRT 374 | Microsoft.Windows.WiFiCloudStore.CdsTriggeredWlanSync 375 | Microsoft.Windows.WiFiCloudStore.WlanTriggeredSync 376 | Microsoft.Windows.Win32kBase.Input.RimDeviceCreated 377 | Microsoft.Windows.Win32kBase.Input.RimDeviceDestroyed 378 | Microsoft.Windows.Win32kBase.Input.RIMOpenDev 379 | Microsoft.Windows.Win32kBase.Input.RIMStartDeviceSpecificRead 380 | Microsoft.Xbox.WinHttp.OutgoingServiceRequestSummary 381 | MicrosoftWindowsCodeIntegrityTraceLoggingProvider.CiCatalogReloadAudit 382 | MicrosoftWindowsCodeIntegrityTraceLoggingProvider.CiTraceImageVerificationFailureGenericInfo 383 | MicrosoftWindowsCodeIntegrityTraceLoggingProvider.CiTraceInitialization 384 | MicrosoftWindowsCodeIntegrityTraceLoggingProvider.CiTraceSignatureVerificationFailure 385 | MicrosoftWindowsCodeIntegrityTraceLoggingProvider.VSMKeyReport 386 | Microsoft-Windows-Desktop-Shell-Windowing.TabletModeSettings 387 | Microsoft-Windows-Host-Network-Service.HNSLayerCreated 388 | Microsoft-Windows-Host-Network-Service.HNSLayerRemoved 389 | Microsoft-Windows-Host-Network-Service.HNSNamespaceCreated 390 | Microsoft-Windows-Host-Network-Service.HNSNetworkCreated 391 | Microsoft-Windows-Host-Network-Service.HNSResourceCreate 392 | Microsoft-Windows-Host-Network-Service.LayeredResourceTimeCreate 393 | Microsoft-Windows-Host-Network-Service.LayeredResourceTimeTearDown 394 | Microsoft-Windows-Host-Network-Service.MirroredNetworkingRequested 395 | Microsoft-Windows-Host-Network-Service.NetworkOperationTimeCreate 396 | Microsoft-Windows-Host-Network-Service.NetworkOperationTimeTearDown 397 | Microsoft-Windows-Host-Network-Service.NotifyAddressChange 398 | MicrosoftWindowsShellNetworkUX.EthernetConnectionStatus 399 | MicrosoftWindowsShellNetworkUX.UXMgrMediaManagerCount 400 | Microsoft-Windows-TCPIP.Histogram 401 | Microsoft-Windows-TCPIP.OidFailed 402 | Microsoft-Windows-TCPIP.TcpThrottleInitialCwnd 403 | Microsoft-Windows-TCPIP.TfoHistogram 404 | MSAClientTraceLoggingProvider.InternetPresenceAtLogon 405 | MSAClientTraceLoggingProvider.NetworkCallDetails 406 | NCSI.ActiveProbe 407 | NCSI.CapabilityChange 408 | NCSI.NcsiClassifyPacket_Aggregate 409 | NCSI.NoneCheckResult 410 | NCSI.PerformNoneCheck 411 | NCSI.ResetFirewallHotspotHostAddresses 412 | NCSI.RetryDNSTcpWhenHTTPRequestFails 413 | NCSI.RetryDNSUdpWhenHTTPRequestFails 414 | NCSI.RetryTcpWhenDNSUdpFails 415 | NLA.IdentifyingInterface 416 | NLA.InterfaceAdded 417 | NLA.InterfaceAuthenticationChange 418 | NLA.InterfaceIdentified 419 | NLA.InterfaceRemoved 420 | NLA.InterfaceUnidentified 421 | NLA.NSP: WSM_NSPLookupServiceBegin_v2 422 | NLA.NSP: WSM_NSPLookupServiceNext_v2 423 | PciTraceLoggingProvider.PciHPXSupported 424 | PciTraceLoggingProvider.PciIgnoreBootConfigInformation 425 | PciTraceLoggingProvider.PciNativeExpressMode 426 | PciTraceLoggingProvider.PciTraceLogInitialized 427 | RDP.Graphics.RDPClientOSType 428 | RDP.Graphics.RDPGraphicsAdapterDeviceName 429 | RDP.Graphics.RDPGraphicsMonitorInfo 430 | RDP.Graphics.RDPGraphicsProfile 431 | RDP.Graphics.RDPGraphicsSystemSettings 432 | RDP.ServerStack.RDPDisconnectReason 433 | RDP.Transport.RDPTransportUDPProfile 434 | TelClientSynthetic.AuthorizationInfo_RuntimeTransition 435 | TelClientSynthetic.ConnectivityHeartBeat_0 436 | TelClientSynthetic.HeartBeat_5 437 | TelClientSynthetic.HeartBeat_Aria_5 438 | -------------------------------------------------------------------------------- /FullEventNames/Inking Typing and Speech Utterance/InkingTypingandSpeechUtterance_FullEventNames.txt: -------------------------------------------------------------------------------- 1 | Microsoft.Windows.Narrator.Asimov.NarratorKeyLog -------------------------------------------------------------------------------- /FullEventNames/Inking Typing and Speech Utterance/Microsoft.Windows.TextInput.LinguisticData JSON Examples.txt: -------------------------------------------------------------------------------- 1 | { 2 | ver: 4.0, 3 | name: Microsoft.Windows.TextInput.LinguisticData.ShapeWrittenText, 4 | time: "2021-05-22T20:30:45.9808878Z", 5 | iKey: "o:0a89d516ae714e01ae89c96d185e9ae3", 6 | ext: 7 | { 8 | utc: 9 | { 10 | shellId: 33786497918042115, 11 | eventFlags: 2621697, 12 | pgName: WIN, 13 | flags: 742394672, 14 | providerGuid: 864C5689-9310-594C-5CEF-000695F5ACE8, 15 | loggingBinary: InputService.dll 16 | }, 17 | metadata: 18 | { 19 | f: 20 | { 21 | editId: 8 22 | }, 23 | privTags: 131072 24 | }, 25 | os: 26 | { 27 | bootId: 86, 28 | name: Windows, 29 | ver: 10.0.19043.985.amd64fre.vb_release.191206-1406, 30 | expId: "FX:114145DF,FX:1152FE25,FX:1152FF13,FX:118C9A83,FX:118FEB19,FX:11BAF854,FX:11CC1118,FX:11D5BFCD,FX:11DF5B46,FX:11DF5B86" 31 | }, 32 | app: 33 | { 34 | id: "W:0000f519feec486de87ed73cb92d3cac802400000000!0000abb864e1911c59f785b0e1822701b9a5ab31ba1e!ctfmon.exe", 35 | ver: "2021/06/12:00:23:36!118E7!ctfmon.exe", 36 | asId: 31926 37 | }, 38 | device: 39 | { 40 | localId: "r:10777549386564349867", 41 | deviceClass: Windows.Desktop 42 | }, 43 | protocol: 44 | { 45 | devMake: System manufacturer, 46 | devModel: System Product Name 47 | }, 48 | xbl: 49 | { 50 | sbx: RETAIL, 51 | xid: "x:" 52 | }, 53 | loc: 54 | { 55 | tz: "-04:00" 56 | } 57 | }, 58 | data: 59 | { 60 | editId: 00000000-0000-0000-0000-000000000000, 61 | applicationName: SearchApp.exe, 62 | inputScope: 52, 63 | userText: "{ 64 | ""runs"": 65 | [ 66 | { 67 | ""locale"": ""en-US"", ""words"": 68 | [ 69 | { 70 | ""word"": ""calc"" 71 | } 72 | ] 73 | } 74 | ] 75 | } 76 | 77 | { 78 | ver: 4.0, 79 | name: Microsoft.Windows.TextInput.LinguisticData.DPTipcSample, 80 | time: "2021-05-21T02:50:35.7911634Z", 81 | iKey: "o:0a89d516ae714e01ae89c96d185e9ae3", 82 | ext: 83 | { 84 | utc: 85 | { 86 | shellId: 33786497918042115, 87 | eventFlags: 2621697, 88 | pgName: WIN, 89 | flags: 742394672, 90 | providerGuid: 864C5689-9310-594C-5CEF-000695F5ACE8, 91 | loggingBinary: InputService.dll 92 | }, 93 | metadata: 94 | { 95 | f: 96 | { 97 | editId: 8 98 | }, 99 | privTags: 131072 100 | }, 101 | os: 102 | { 103 | bootId: 86, 104 | name: Windows, 105 | ver: 10.0.19043.985.amd64fre.vb_release.191206-1406, 106 | expId: "FX:114145DF,FX:1152FE25,FX:1152FF13,FX:118C9A83,FX:118FEB19,FX:11BAF854,FX:11CC1118,FX:11D5BFCD,FX:11DF5B46,FX:11DF5B86" 107 | }, 108 | app: 109 | { 110 | id: "W:0000f519feec486de87ed73cb92d3cac802400000000!0000abb864e1911c59f785b0e1822701b9a5ab31ba1e!ctfmon.exe", 111 | ver: "2021/06/12:00:23:36!118E7!ctfmon.exe", 112 | asId: 18742 113 | }, 114 | device: 115 | { 116 | localId: "r:14305086207568640939", 117 | deviceClass: Windows.Desktop 118 | }, 119 | protocol: 120 | { 121 | devMake: System manufacturer, 122 | devModel: System Product Name 123 | }, 124 | xbl: 125 | { 126 | sbx: RETAIL, 127 | xid: "x:" 128 | }, 129 | loc: 130 | { 131 | tz: "-04:00" 132 | } 133 | }, 134 | data: 135 | { 136 | editId: 00000000-0000-0000-0000-000000000000, 137 | applicationName: Todo.exe, 138 | inputScope: 57, 139 | userText: "{ 140 | ""runs"": 141 | [ 142 | { 143 | ""locale"": ""en-US"", ""words"": 144 | [ 145 | { 146 | ""word"": ""https:\/\/labs.sentinelone.com\/building-a-custom-malware-analysis-lab-environment\/"" 147 | } 148 | ] 149 | } 150 | ] 151 | } 152 | 153 | { 154 | ver: 4.0, 155 | name: Microsoft.Windows.TextInput.LinguisticData.DPTipcSample, 156 | time: "2021-05-20T19:45:33.6301409Z", 157 | iKey: "o:0a89d516ae714e01ae89c96d185e9ae3", 158 | ext: 159 | { 160 | utc: 161 | { 162 | shellId: 33786497918042115, 163 | eventFlags: 2621697, 164 | pgName: WIN, 165 | flags: 742394672, 166 | providerGuid: 864C5689-9310-594C-5CEF-000695F5ACE8, 167 | loggingBinary: InputService.dll 168 | }, 169 | metadata: 170 | { 171 | f: 172 | { 173 | editId: 8 174 | }, 175 | privTags: 131072 176 | }, 177 | os: 178 | { 179 | bootId: 86, 180 | name: Windows, 181 | ver: 10.0.19043.985.amd64fre.vb_release.191206-1406, 182 | expId: "FX:114145DF,FX:1152FE25,FX:1152FF13,FX:118C9A83,FX:118FEB19,FX:11BAF854,FX:11CC1118,FX:11D5BFCD,FX:11DF5B46,FX:11DF5B86" 183 | }, 184 | app: 185 | { 186 | id: "W:0000f519feec486de87ed73cb92d3cac802400000000!0000abb864e1911c59f785b0e1822701b9a5ab31ba1e!ctfmon.exe", 187 | ver: "2021/06/12:00:23:36!118E7!ctfmon.exe", 188 | asId: 18742 189 | }, 190 | device: 191 | { 192 | localId: "r:13653532424194119499", 193 | deviceClass: Windows.Desktop 194 | }, 195 | protocol: 196 | { 197 | devMake: System manufacturer, 198 | devModel: System Product Name 199 | }, 200 | xbl: 201 | { 202 | sbx: RETAIL, 203 | xid: "x:" 204 | }, 205 | loc: 206 | { 207 | tz: "-04:00" 208 | } 209 | }, 210 | data: 211 | { 212 | editId: 00000000-0000-0000-0000-000000000000, 213 | applicationName: YourPhone.exe, 214 | inputScope: 57, 215 | userText: "{ 216 | ""runs"": 217 | [ 218 | { 219 | ""locale"": ""en-US"", ""words"": 220 | [ 221 | { 222 | ""word"": ""recently?"" 223 | } 224 | ] 225 | } 226 | ] 227 | } -------------------------------------------------------------------------------- /FullEventNames/Office Diagnostics/OfficeDiagnostics_FullEventNames.txt: -------------------------------------------------------------------------------- 1 | Office.AirSpace.AirSpaceWinCompIsEnabled 2 | Office.AirSpace.Backend.Graphics.AirSpaceWin32RawGraphicsDeviceCreated 3 | Office.AirTrafficControl.GovernanceAssetsProvider.InitializeGovernanceAssets 4 | Office.AirTrafficControl.GovernanceAssetsProvider.InitializeProvider 5 | Office.AirTrafficControl.GovernanceAssetsProvider.LoadMessageStore 6 | Office.AirTrafficControl.GovernanceAssetsProvider.LoadMetadata 7 | Office.AirTrafficControl.Liblet.SetupAirTrafficControlEngine 8 | Office.AirTrafficControl.RoamingMessageInteractionStore.BuildCacheFromRoamingList 9 | Office.AirTrafficControl.RoamingMessageInteractionStore.PurgeRoamingList 10 | Office.AirTrafficControl.RoamingMessageInteractionStore.UpdateRoamingService 11 | Office.AppDocs.AppDocs.Init 12 | Office.AppDocs.DocumentTemplateService.CDocumentTemplatesCallback 13 | Office.AppDocs.DocumentTemplateService.DocumentTemplate.RequestImageCallback 14 | Office.AppDocs.DocumentTemplateService.DocumentTemplates.RequestDocumentTemplates 15 | Office.Charting.ChartDllLoaded 16 | Office.Compliance.LinkedIn.Settings.LinkedInComplianceCheck 17 | Office.Diagnostics.TraceThrottled 18 | Office.Docs.CollabCorner.EditorsSnapshotUpdateDocumentTelemetry 19 | Office.Docs.DesktopBackstage.GettingStartedMRUSlabIsLocationAllowed 20 | Office.Docs.DesktopBackstage.NavigationInAppNavServiceClicked 21 | Office.Docs.DesktopBackstage.OpenRecentLocationsViewClicked 22 | Office.Docs.DesktopBackstage.PlacesGrouperAccountInfo 23 | Office.Docs.DesktopBackstage.SaveAsDefaultServiceSelection 24 | Office.Docs.DesktopBackstage.SaveAsSaveButtonClicked 25 | Office.Docs.DesktopSharing.ExperienceManagerDisplayShareUIFromRibbon 26 | Office.Docs.DesktopSharing.SharingExperienceManagerIsCurrentDocEnterpriseProtected 27 | Office.Docs.DocumentActivities.ActivityLogAsyncTask 28 | Office.Docs.DocumentActivities.ActivityLogCacheCapability 29 | Office.Docs.DocumentActivities.ActivityLogCacheDocumentInfo 30 | Office.Docs.DocumentActivities.ActivityLogSaveNewFile 31 | Office.Docs.DocumentActivities.TransmitQueueCreateInsance 32 | Office.Docs.DocumentActivities.TransmitQueueInitFilePath 33 | Office.Docs.DocumentActivities.TransmitQueueLoadAsync 34 | Office.Docs.DocumentActivityIntegration.SetIsMentionActivityCaptureEnabledForServerLocationType 35 | Office.Docs.DocumentActivityIntegration.SetIsUrlInUserHomeTenant 36 | Office.Docs.EDP.PolicyMetadata 37 | Office.Docs.HistoryUX.OfficeActivityCommandIsAvailable 38 | Office.Docs.MruServiceApi.Documents.SendPendingWriteRequests 39 | Office.Docs.MruServiceApi.Places.SendPendingWriteRequests 40 | Office.Docs.MsoSharing.CMsoSharingServiceHelperCreateMsoSharingServiceHelper 41 | Office.Docs.MsoSharing.SharingProxyFactoryCreateProxy 42 | Office.Docs.MsoShellIntegration.UpdateCustomJumpListCommitList 43 | Office.Docs.OfficeSpace.DesktopBackstageNavigation.LoadFromFileCache 44 | Office.Docs.OfficeSpace.DesktopBackstageNavigation.ReadLocalFolder 45 | Office.Docs.OfficeSpace.DesktopBackstageNavigation.ReadThisPCRoot 46 | Office.Docs.OfficeSpace.DesktopBackstageNavigation.SaveIntoFileCache 47 | Office.Docs.OutSpace.DesktopBackstage.ActivePlaceChange 48 | Office.Docs.OutSpace.DesktopBackstage.LargeMRUFileTypeFrequency 49 | Office.Docs.OutSpace.DesktopBackstage.SaveAsLaunchCFDViaBrowseButton 50 | Office.Docs.OutSpace.GetSaveAsFileTypeList 51 | Office.Docs.OutSpace.GroupsSitesIsFeatureBackendEnabledHelper 52 | Office.Docs.OutSpace.GroupsSitesIsFeatureEnabledHelper 53 | Office.Docs.OutSpace.ShowBackstage 54 | Office.Docs.SharedComments.CommentsContextCreated 55 | Office.Docs.SharingClientAPI.ClearPermissionsAndLinksCache 56 | Office.Docs.SharingClientAPI.GetHostCapabilitiesAsync 57 | Office.Docs.SharingLegacyClient.TryGetCachedWebUrl 58 | Office.Docs.SharingUI.CollabCoordinator.GetCollaborationData 59 | Office.Docs.SharingUI.ExperienceManager.CanDisplayWebExperience 60 | Office.Docs.SharingUI.ExperienceManager.LaunchWebDialogIfAvailable 61 | Office.Docs.SharingUI.ShareDialog.CreateWebDialog 62 | Office.Excel.AddinDefinedFunction.InstallFunctionsFromCache 63 | Office.Excel.Coauth.ClearOcsDisableReason 64 | Office.Excel.Coauth.CloseSyncedBackFile 65 | Office.Excel.Coauth.CloseWorkbook 66 | Office.Excel.Coauth.FEndpointCoherencyFailure 67 | Office.Excel.Coauth.FSaveChangesEx 68 | Office.Excel.Coauth.HrUpdateRtcConnection 69 | Office.Excel.Coauth.NsvDuplicateOnDuplicateSheet 70 | Office.Excel.Coauth.OcsCleanOnCloseCall 71 | Office.Excel.Coauth.OcsNotifyWorkbookInClose 72 | Office.Excel.Coauth.OcsOpNotAllowed 73 | Office.Excel.Coauth.OcsSyncMergeOnCloseCall 74 | Office.Excel.Coauth.OpenFile 75 | Office.Excel.Coauth.PrecenseSuspendResume 76 | Office.Excel.Coauth.ResetCoauth 77 | Office.Excel.Coauth.SessionFeatureSupport 78 | Office.Excel.Coauth.XlSyncStateChangeListenerUnregister 79 | Office.Excel.Command.CloseAllWorkbooks 80 | Office.Excel.Command.DoClose 81 | Office.Excel.Command.ExcelUserInputDelay 82 | Office.Excel.Command.FnSaveAs 83 | Office.Excel.Command.PivotFilterOnPropertyChanged 84 | Office.Excel.Command.ShowAlert 85 | Office.Excel.Command.Sx12NewPivot 86 | Office.Excel.Extensibility.DllPrevention 87 | Office.Excel.Extensibility.ForeignTextFileProtectedViewSettingInit 88 | Office.Excel.FileContent.WorkbookContentSummary 89 | Office.Excel.FileOps.AutoRecoverySetting 90 | Office.Excel.FileOps.AutoSaveUnblocked 91 | Office.Excel.FileOps.Boot 92 | Office.Excel.FileOps.DoSafeSave 93 | Office.Excel.FileOps.EnableAutoSave 94 | Office.Excel.FileOps.MergeInstances 95 | Office.Excel.FileOps.MergeInstancesRejection 96 | Office.Excel.FileOps.SaveAsInternal 97 | Office.Excel.FileSave.SaveAsSaveFile 98 | Office.Excel.Infra.DataLossWorkbookCount 99 | Office.Excel.Infra.SilentAppExit 100 | Office.Excel.LinkedEntities.HandshakeInitialized 101 | Office.Excel.LinkedEntities.HrGetConfigDetailsFromSkydance 102 | Office.Excel.LinkedEntities.HrLoadBloomFilter 103 | Office.Excel.LinkedEntities.UserFunnelStart 104 | Office.Excel.LinkedEntities.WolframLicensingCheck 105 | Office.Excel.LinkedEntitiesDiagnostic 106 | Office.Excel.PerfData.ApplicationBoot 107 | Office.Excel.PerfData.IdleLoop 108 | Office.Excel.PerfData.MainLoop 109 | Office.Excel.PerfData.SlowPrinter 110 | Office.Excel.PerfData.ValidateBaselines 111 | Office.Excel.Performance.ModalDialogDuration 112 | Office.Excel.Performance.WorkbookNormalizedGridLayerRenderTime 113 | Office.Excel.PivotTable.CreateWizard 114 | Office.Excel.PivotTable.ExpandCollapse 115 | Office.Excel.PivotTable.New 116 | Office.Excel.PivotTable.OpenWorkbook 117 | Office.Excel.PivotTable.Sort 118 | Office.Excel.RichData.AdvancedAnalyticsLicenseDownload 119 | Office.Excel.XlEditSession 120 | Office.Experimentation.ABConfigTreatmentTypeUnexpected 121 | Office.Experimentation.ConfigLoadComplete 122 | Office.Experimentation.DeserializeEcsConfig 123 | Office.Experimentation.EarlyLoadEcsConfig 124 | Office.Experimentation.EcsFetch 125 | Office.Experimentation.EndPoint 126 | Office.Experimentation.GetFeaturesForSDXUnexpected 127 | Office.Experimentation.LoadEcsConfig 128 | Office.Experimentation.LoadOverridesFromFile 129 | Office.Experimentation.LoadPersistentSettingsFile 130 | Office.Experimentation.ParseEcsConfig 131 | Office.Experimentation.ReadEcsConfig 132 | Office.Experimentation.UpdateConfigCache 133 | Office.Experimentation.WriteEcsConfig 134 | Office.Extensibility.Activation.CreateSolutionRefInternal 135 | Office.Extensibility.Activation.CRemoterProxy 136 | Office.Extensibility.AuthenticationRichApi.GetAccessToken 137 | Office.Extensibility.AuthenticationRichApi.GetAccessTokenV2Background 138 | Office.Extensibility.AuthenticationRichApi.GetAccessTokenV2Main 139 | Office.Extensibility.AuthenticationRichApi.GetAuthToken 140 | Office.Extensibility.AuthenticationRichApi.GetAuthTokenTicket 141 | Office.Extensibility.AuthenticationRichApi.GetPrimaryIdentityInfo 142 | Office.Extensibility.AuthenticationRichApi.GetUserIdentity 143 | Office.Extensibility.AuthenticationRichApi.MakeServiceParams 144 | Office.Extensibility.CheckTagDiagnostics 145 | Office.Extensibility.Diagnostics 146 | Office.Extensibility.ManifestParser.ParseManifest 147 | Office.Extensibility.PackageCache.BuildPackageSolution 148 | Office.Extensibility.RichApiBatch 149 | Office.Extensibility.Sandbox.Activation 150 | Office.Extensibility.Sandbox.CheckAnaheimBrowser 151 | Office.Extensibility.Sandbox.CreateOsfControlV2 152 | Office.Extensibility.Sandbox.CreateRemoter 153 | Office.Extensibility.Sandbox.DeleteOsfControl 154 | Office.Extensibility.Sandbox.ODPActivationHeartbeat 155 | Office.Extensibility.Sandbox.ODPTaskpaneActivation 156 | Office.Extensibility.Sandbox.ODPTaskpaneControlCreation 157 | Office.Extensibility.Sandbox.ODPTaskpaneControlCreationWithPrivacyCheck 158 | Office.Extensibility.Sandbox.PageLoad 159 | Office.Extensibility.Sandbox.PostOsfControlMessage 160 | Office.Extensibility.Sandbox.SandboxCreation 161 | Office.Extensibility.Sandbox.SetOMTokenOnTridentHost 162 | Office.Extensibility.Sandbox.SetTridentHost 163 | Office.Extensibility.UX.AgaveUxMinorBlocked 164 | Office.Extensibility.UX.ShowLoadingState 165 | Office.Feedback.Survey.FloodgateClient.SurveyTracked 166 | Office.Feedback.Survey.FloodgateClient.TriggerMet 167 | Office.FileIO.CSI.AccessModeManagerCamOnSave 168 | Office.FileIO.CSI.AccessModeManagerCamOnUpdateAccessMode 169 | Office.FileIO.CSI.AccessModeManagerUpdateAccessMode 170 | Office.FileIO.CSI.CancelAsyncRequest 171 | Office.FileIO.CSI.CCachedFileRequestReleaseServerFileLock 172 | Office.FileIO.CSI.CCsiDavClientExecuteOPTIONSRequest 173 | Office.FileIO.CSI.CloseSyncBackedFile 174 | Office.FileIO.CSI.CoAuthCacheProviderWaitForOpenAsync 175 | Office.FileIO.CSI.MakeIrmCrypto 176 | Office.FileIO.CSI.MitigationLevelChanged 177 | Office.FileIO.CSI.OpenRequestManagerCamFactoryMakeCam 178 | Office.FileIO.CSI.ReconcilerCamFactoryMakeCam 179 | Office.FileIO.CSI.SaveModeLockTimeout 180 | Office.FileIO.CSI.SyncBackedReconcilerRebuildBaseWithOnlineModel 181 | Office.FileIO.CSI.SyncBackedReconcilerTriggerSyncAfterOnlineTransition 182 | Office.FileIO.CSI.WaitForRequestResult 183 | Office.FileIO.MSO.AutoSaveStatus 184 | Office.FileIO.MSO.CloseCsiDocumentModal 185 | Office.FileIO.MSO.CMsoOLDocBaseDestructor 186 | Office.FileIO.MSO.ShouldOpenServerOnlyAsync 187 | Office.FileIO.ResourceInfoSendOptionsRequest 188 | Office.FileIO.WebServices.CreateXmlSoapResponseFailure 189 | Office.Floodgate.Client.CampaignDefinitionHelper.IsCampaignValid 190 | Office.Floodgate.Client.FileBasedCampaignDefinitionProvider.LoadDefinitions 191 | Office.Floodgate.Client.PersonalizationBasedCampaignDefinitionProvider.LoadDefinitions 192 | Office.Floodgate.Client.UserFactsProvider.LoadUserFacts 193 | Office.Floodgate.Client.UserFactsProvider.WaitForOptionalSharedFuture 194 | Office.Floodgate.Launcher.Conversion.TrackTcidActivateConversionForSurvey 195 | Office.Floodgate.Launcher.TeachingCallout.ShowTeachingCallout 196 | Office.Floodgate.Launcher.TeachingCallout.TeachingCalloutClosed 197 | Office.Globalization.PluggableUI.Liblet.MatchWindowsDisplayLanguage 198 | Office.Globalization.PluggableUI.PlugUIAsyncReport 199 | Office.Graphics.AdapterVersionSupported 200 | Office.Graphics.AirSpaceShutdown 201 | Office.Graphics.ARCAirSpaceDeviceCheck 202 | Office.Graphics.CreateDevice 203 | Office.Graphics.CreateDeviceD3D10 204 | Office.Graphics.CreateDeviceD3D11 205 | Office.Graphics.DefBlobManagerUserOnLoadBinaryData 206 | Office.Graphics.KeyboardDetachEvent 207 | Office.Identity.DoBackgroundTasks 208 | Office.Identity.EnumerateWamIdentitiesAad 209 | Office.Identity.EnumerateWamIdentitiesMsa 210 | Office.Identity.FindAllWebAccountsAsync 211 | Office.Identity.GetAuthenticatedServiceTicketResultsCount 212 | Office.Identity.GetBlockingService 213 | Office.Identity.GetServiceUrlForFederationProviderAnalysis 214 | Office.Identity.IdentityCountOnShutdown 215 | Office.Identity.IdentityWarningsAggregation 216 | Office.Identity.ODCUserConnectedServices 217 | Office.Identity.OSMHandleServicesCatalog 218 | Office.Identity.OSMUpdateFederatedUserServices 219 | Office.Identity.ServiceUrlStatus 220 | Office.Identity.SharedCredDataLoadAllCreds 221 | Office.Identity.SilentWamTokenRequestMsa 222 | Office.IntelligentServices.PrivacyConsent.FirstRunStarted 223 | Office.IntelligentServices.PrivacyConsent.PrivacyEvent 224 | Office.Licensing.AttemptSilentSkuConversion 225 | Office.Licensing.Branding.ShouldUseMicrosoft365Branding 226 | Office.Licensing.CanRunFeatureCache 227 | Office.Licensing.IsNulSkuToSkuNeeded 228 | Office.Licensing.Licensed 229 | Office.Licensing.LicenseService.RestHeaderEmptyFieldLogger 230 | Office.Licensing.NextUserLicensingMode 231 | Office.Licensing.Nul.Api.CreateRequest 232 | Office.Licensing.Nul.Api.GetUrlForIdentity 233 | Office.Licensing.Nul.Api.ReceiveResponse 234 | Office.Licensing.Nul.Api.SendRequest 235 | Office.Licensing.Nul.Errors.CheckModelForErrors 236 | Office.Licensing.Nul.Errors.GetRegistryErrorCode 237 | Office.Licensing.Nul.Errors.HandleErrors 238 | Office.Licensing.Nul.Errors.InitHandler 239 | Office.Licensing.Nul.Errors.RemovingNotificationDelayRegkey 240 | Office.Licensing.Nul.Fetcher.MakeRequest 241 | Office.Licensing.Nul.Fetcher.RenewAllLicenses 242 | Office.Licensing.Nul.Fetcher.RenewLicense 243 | Office.Licensing.Nul.Fetcher.RenewTimerTriggered 244 | Office.Licensing.Nul.Fetcher.ShouldRenewLicense 245 | Office.Licensing.Nul.Mode.GetMode 246 | Office.Licensing.Nul.Mode.SetMode 247 | Office.Licensing.Nul.Model.Deserialize 248 | Office.Licensing.Nul.Model.GetAllLicenseCategories 249 | Office.Licensing.Nul.Model.GetLicenseCategory 250 | Office.Licensing.Nul.Model.ParseRawResponse 251 | Office.Licensing.Nul.Storage.AddUserIdToLicenseIdsMapping 252 | Office.Licensing.Nul.Storage.GetPerpetualLicenseStoragePath 253 | Office.Licensing.Nul.Storage.GetUnverifiedFilePathFromMetadataIdAndPrid 254 | Office.Licensing.Nul.Storage.GetUnverifiedFilePathFromModel 255 | Office.Licensing.Nul.Storage.GetUnverifiedStoragePath 256 | Office.Licensing.Nul.Storage.LoadModel 257 | Office.Licensing.Nul.Storage.LoadModels 258 | Office.Licensing.Nul.Storage.ReadFromFileHandle 259 | Office.Licensing.Nul.Storage.ReadFromFileName 260 | Office.Licensing.Nul.Storage.RenameFileToUseUpdatedHash 261 | Office.Licensing.Nul.Storage.StoreModel 262 | Office.Licensing.Nul.Storage.WriteToFile 263 | Office.Licensing.Nul.Validation.QuickValidation 264 | Office.Licensing.Nul.Validation.ValidateModelSignature 265 | Office.Licensing.Nul.Validator.MatchingHarwaredId 266 | Office.Licensing.Nul.Validator.VerifyCertificates 267 | Office.Licensing.Nul.Validator.VerifySignature 268 | Office.Licensing.NULValidation 269 | Office.Licensing.PerformLicensingNotifications 270 | Office.Licensing.Properties.UpdateLicenseCategories 271 | Office.Licensing.Tenant.SetTenantId 272 | Office.NaturalLanguage.Critiques.LocalGrammarAnalysisStats 273 | Office.NaturalLanguage.Critiques.Views.ContextMenu.SetCritique 274 | Office.NaturalLanguage.Proofing.Behaviors.Speller.Change 275 | Office.NaturalLanguage.Proofing.Behaviors.Speller.EditFlagToNoError 276 | Office.OneNote.Canvas.CopyPaste.PasteFromClipboard 277 | Office.OneNote.Canvas.Text.Typing 278 | Office.OneNote.Navigation.ClickNavigation 279 | Office.OneNote.Navigation.Navigate 280 | Office.OneNote.NotebookManagement.Metrics 281 | Office.OneNote.ON16NotebookSync.TypeAndLocaleDetails 282 | Office.OneNote.SIGS.SIGSSignalStatus 283 | Office.OneNote.SIGS.SIGSSignalStatusMetadata 284 | Office.OneNote.Storage.Backup.MaxBackupFolderSize 285 | Office.OneNote.Storage.RealTime.TryCreateInstanceUnknownJcid 286 | Office.OneNote.Storage.Replication.LegacySyncAverageInboundTimes 287 | Office.OneNote.Storage.Replication.LegacySyncAverageOutboundTimes 288 | Office.OneNote.Storage.WaitLocalCacheSave 289 | Office.Outlook.Desktop.AddIns.AddInLoaded 290 | Office.Outlook.Desktop.CloudSettings.HrReadSettings 291 | Office.Outlook.Desktop.CloudSettings.HrWriteSettings 292 | Office.Outlook.Desktop.CloudSettings.SyncScope 293 | Office.Outlook.Desktop.CloudSettings.WritePendingSettings 294 | Office.Outlook.Desktop.CloudSettings.WriteSetting 295 | Office.Outlook.Desktop.DiagnosticsV2.GetDiagnosticsOnAcceptPrivacyAgreement 296 | Office.Outlook.Desktop.DiagnosticsV2.GetWAMLogs 297 | Office.Outlook.Desktop.DiagnosticsV2.InAppContactSupportPane.ContactSupportButtonVisibility 298 | Office.Outlook.Desktop.DiagnosticsV2.REConAvailabilityLog 299 | Office.Outlook.Desktop.FIsSovereignCloud 300 | Office.Outlook.Desktop.Mail.AtMentionsOption 301 | Office.Outlook.Desktop.PCXDataMode 302 | Office.Outlook.Desktop.UI.HandleDpiChanged 303 | Office.People.CloseCard 304 | Office.People.ClosePeopleCard 305 | Office.People.ContactLinkingEnabled 306 | Office.People.CreateCard 307 | Office.Performance.Boot 308 | Office.Performance.InputDelayMonitor.ResponsivenessHealth 309 | Office.Performance.InputDelayMonitor.SessionDetails 310 | Office.Performance.InputDelayMonitor.TopScopesAttributionShip 311 | Office.Performance.PerfScenario.Scope 312 | Office.Personalization.CampaignAction.SendCampaignAction 313 | Office.Personalization.ClientMetadata.GetExperimentFlights 314 | Office.Personalization.ContentApi.GetContent 315 | Office.Personalization.FileInsightCacheManager.ReadInsights 316 | Office.Personalization.FileInsightCacheManager.ReadInsightsFromSingleFile 317 | Office.Personalization.FileInsightCacheManager.WriteInsights 318 | Office.Personalization.FileInsightCacheManager.WriteInsightsToSingleFile 319 | Office.Personalization.Governance.GetCampaigns 320 | Office.Personalization.Governance.GetUserGovernanceData 321 | Office.Personalization.Governance.RefreshGovernanceDataInCache 322 | Office.Personalization.Governance.UpdateCampaignRefreshConfig 323 | Office.Personalization.Governance.UpdateUserGovernanceDataRefreshConfig 324 | Office.Personalization.InsightsController.GetInsights 325 | Office.Personalization.InsightsController.GetInsightsSync 326 | Office.Personalization.ProgramOptIn.IsOptedInToProgram 327 | Office.Personalization.Providers.TMSInsightsProvider.GetInsights 328 | Office.Personalization.Providers.UserFactsInsightsProvider.GetInsights 329 | Office.Personalization.Providers.UserFactsInsightsProvider.GetUserFactsInsightResultCombined 330 | Office.Personalization.Senders.TMSCampaignActionSender.Send 331 | Office.Personalization.UserActionProcessor.SendUserAction 332 | Office.Personalization.UserFacts.ConvertInsightResultToUserFactsResult 333 | Office.Personalization.UserFacts.GetUserFactsFromService 334 | Office.Personalization.UserFacts.GetUserFactsInternal 335 | Office.Personalization.UserFacts.GetUserFactsResultFromCombinedInsight 336 | Office.Personalization.UserFacts.ParseUserFactsFromServiceResponse 337 | Office.PowerPoint.Actions.ActionId43 338 | Office.PowerPoint.Actions.Tcid14484 339 | Office.PowerPoint.Actions.Tcid20577 340 | Office.PowerPoint.Actions.Tcid22 341 | Office.PowerPoint.Actions.Tcid27636 342 | Office.PowerPoint.Actions.Tcid3 343 | Office.PowerPoint.Actions.Tcid33524 344 | Office.PowerPoint.Actions.Tcid5793 345 | Office.PowerPoint.Actions.Tcid5864 346 | Office.PowerPoint.Actions.Tcid6549 347 | Office.PowerPoint.CLP.LoadAndUpconvertLabelData 348 | Office.PowerPoint.ConnectedGalleries.ApplyTheme 349 | Office.PowerPoint.Designer.SelectionChange 350 | Office.PowerPoint.DocOperation.Open 351 | Office.PowerPoint.DocOperation.Save 352 | Office.PowerPoint.OCS.PersistStackTracker 353 | Office.PowerPoint.PPT.Desktop.DesignerDisplaySuggestionStats 354 | Office.PowerPoint.PPT.Desktop.DesignerSuggestSlidePerf 355 | Office.PowerPoint.PPT.Desktop.FileSave 356 | Office.PowerPoint.PPT.Desktop.PPTActionsMainRule 357 | Office.PowerPoint.PPT.Desktop.ZoomCountOnCloseRule 358 | Office.PowerPoint.PPT.Immersive.OARTActionsAggregate 359 | Office.PowerPoint.PPT.Shared.PackageTracking.SaveCompleted 360 | Office.PowerPoint.PPT.Shared.PackageTracking.UploadCompleted 361 | Office.PowerPoint.RevTrack.DeserializeChangesInfo 362 | Office.PowerPoint.RevTrack.PurgeChangesInfo 363 | Office.PowerPoint.RevTrack.SerializeChangesInfo 364 | Office.PowerPoint.RevTrack.TryEnableRevisionTracking 365 | Office.Programmability.Addins.CreateAddInsList 366 | Office.Programmability.Addins.InternalSetConnect 367 | Office.ProgrammableSurfaces.Banner.HideBanner 368 | Office.ProgrammableSurfaces.Banner.StartBannerLoadTimer 369 | Office.ProgrammableSurfaces.Banner.TryFulfillContentPromise 370 | Office.ProgrammableSurfaces.Banner.TryParseContentResult 371 | Office.ProgrammableSurfaces.BusinessBar.TrySendCampaignFeedback 372 | Office.ProgrammableSurfaces.ReactNativeDialogHost.MakeReactNativeDialogHost 373 | Office.ProgrammableSurfaces.SubscriptionCenter.CaptionControlReady 374 | Office.Release.AudienceApi.GetCurrentInsiderLevel 375 | Office.Release.AudienceApi.InitAudienceData 376 | Office.SDX.Runtime.ReactNativeHost.Initialize 377 | Office.SDX.Runtime.ReactNativeHost.InstanceInitialize 378 | Office.SDX.Runtime.ReactNativeHost.MakeViewHost 379 | Office.SDX.Runtime.ReactNativeHost.RegisterCxxModuleProvider 380 | Office.SDX.Runtime.ReactNativeHost.UnregisterCxxModuleProvider 381 | Office.Security.ActivationFilter.GUIDsToScanFromService 382 | Office.Security.ActivationFilter.ParseAndGetGUIDs 383 | Office.Security.AntiVirusLiblet.IsScanNeeded 384 | Office.Security.Clp.ProcessAuditOnSave 385 | Office.Security.Clp.UseNativeLabelingRegKey 386 | Office.Security.Crypto.AlgorithmInformation 387 | Office.Security.Crypto.ComputeEncryptionKey 388 | Office.Security.CryptoCore.ComputePasswordHashWindows 389 | Office.Security.SecureReaderHost.ProtectedViewValidation 390 | Office.System.SystemHealthErrorsWithTag 391 | Office.System.SystemHealthUsage.ClickStream 392 | Office.System.SystemHealthUsage.NonTCIDClickStream 393 | Office.TargetedMessaging.EnsureCached 394 | Office.Telemetry.InitUngracefulReliabilityMetadata 395 | Office.Text.DWriteAssistant.CreateFontCollection 396 | Office.Text.DWriteAssistant.FontCollectionInit 397 | Office.Text.DWriteAssistant.LoadSystemFonts 398 | Office.Text.FontSubstitution.CreateFontSubstitutionManager 399 | Office.Text.FontSubstitution.GetSubstitutionFromNameMappingTable 400 | Office.Text.ResourceClient.ReadFontElements 401 | Office.UX.AccChecker.BackgroundAccCheckerEnabledState 402 | Office.UX.AccChecker.DisabledResults 403 | Office.UX.AccChecker.ShowTaskpane 404 | Office.UX.BusBar.AddBusBarPart 405 | Office.UX.BusBar.BusBarClick 406 | Office.UX.BusBar.BusBarLifetimeTracking 407 | Office.UX.DynamicDpi.DisplayAssistantPerMonitorMode 408 | Office.UX.DynamicDpi.DisplayTopologyChanged 409 | Office.UX.DynamicDpi.DisplayTopologyEnumeration 410 | Office.UX.OfficeInsider.RegisterByActionInsiderEmail 411 | Office.UX.ShowContextualUI 412 | Office.UX.TabbedPaneOpenCloseEvent 413 | Office.UX.TeachingCallout.ShowCalloutWin32 414 | Office.UX.TeachingCalloutTimeOnScreen 415 | Office.UX.Theming.ReadRoamedTheme 416 | Office.UX.Theming.SetRoamedTheme 417 | Office.UX.Theming.SetTheme 418 | Office.UX.WhatsNewCantOpen 419 | Office.Word.AddinDisabler.LicenseCheckResult 420 | Office.Word.AddinDisabler.OAEInvokeDelays 421 | Office.Word.AutoSave.DocUpdateEnablerStatus 422 | Office.Word.Boot.BootSummarySTE 423 | Office.Word.Boot.InitializeSCIFonts 424 | Office.Word.Boot.TimingData 425 | Office.Word.CoAuthoring.DynamicSaveTimeToAlwaysSave 426 | Office.Word.CoAuthoring.FileUploadStatusUpdated 427 | Office.Word.CoAuthoring.IsSubscribedForAutoSave 428 | Office.Word.Commanding.AccessibilityChecker 429 | Office.Word.Commanding.DigitalPrint 430 | Office.Word.Commanding.DocumentActionsPane 431 | Office.Word.Commanding.FileInLocationSaveAsNoCFD 432 | Office.Word.Commanding.FileSaveWithLocationPicker 433 | Office.Word.Commanding.StartOfLineExtend 434 | Office.Word.Commanding.UpgradeDocument 435 | Office.Word.DesktopWwdViewTypeChangeApplied 436 | Office.Word.Display.ParelsTriggerSignal 437 | Office.Word.Display.StartWithDarkMode 438 | Office.Word.DocRecovery.ActivationWithDataLoss 439 | Office.Word.DocRecovery.ActivationWithNoDataLoss 440 | Office.Word.DocRecovery.PrepareDrp 441 | Office.Word.DocumentInformationPanel.OpenByDefault 442 | Office.Word.Experimentation.DocumentStatsOnCloseAndSuspend 443 | Office.Word.FileNew.CreateNewFile 444 | Office.Word.FileOpen.FirstMergeContent 445 | Office.Word.FileOpen.Supplemental 446 | Office.Word.FileOpen.UpconvertClpLabelData 447 | Office.Word.FileOpen.UserInitiatedOpen 448 | Office.Word.FileSave.ActCmdGosubSaveAs 449 | Office.Word.FileSave.ActFConfirmSaveDocCoreQuerySave 450 | Office.Word.FileSave.ActSaveCoroutine 451 | Office.Word.FileSave.ActStartBackSave 452 | Office.Word.FileSave.ClpDocOnSaveComplete 453 | Office.Word.FileSave.EidSaveFile 454 | Office.Word.FileSave.SaveAsSaveFile 455 | Office.Word.FileSave.Supplemental 456 | Office.Word.Links.CreateHyperLink 457 | Office.Word.ObjectModel.OMPerformance 458 | Office.Word.Proofing.CanvasContextualBoot 459 | Office.Word.Proofing.CanvasContextualDrawSquiggle 460 | Office.Word.Proofing.CanvasContextualLeftClick 461 | Office.Word.Proofing.CanvasContextualPerf 462 | Office.Word.Proofing.CanvasContextualProofState 463 | Office.Word.Proofing.CanvasContextualReactHostInitializedWin32 464 | Office.Word.Proofing.CanvasContextualSTK 465 | Office.Word.Proofing.CanvasContextualTrigger 466 | Office.Word.Proofing.GrammarCheckTextCall 467 | Office.Word.Proofing.SuggestionAction 468 | Office.Word.ResumeReading.Show 469 | Office.Word.Save.AutorecoverySaveOptions 470 | Office.Word.Save.CloseApp 471 | Office.Word.Save.CmdDoSaveAsDlgWin 472 | Office.Word.Save.CmdDoSaveAsDlgWithActivityLogging 473 | Office.Word.Save.CmdSaveFileCore 474 | Office.Word.Save.CmdSaveFileEdpi 475 | Office.Word.Save.COAIolDocCmdSave 476 | Office.Word.Save.EidLaunchBkgndSaveStatic 477 | Office.Word.Save.FWriteFnDsrs 478 | Office.Word.Save.FWriteMetro 479 | Office.Word.Save.HrAllocPersisterFromIOLDocOrCaso 480 | Office.Word.Save.HrCommitCStreamSaveTransaction 481 | Office.Word.Save.HrCommitCStreamSaveTransactionFuture 482 | Office.Word.Save.HrCommitIOLDocLocalSaveTransaction 483 | Office.Word.Save.HrCommitIOTransactionPersister 484 | Office.Word.Save.HrInterruptSaveUntilFutureIsDone 485 | Office.Word.Save.HrReplaceSavedFile 486 | Office.Word.Save.HrSetClpLabelForCloudSaveAsIfNeeded 487 | Office.Word.Save.HrStartTransactionSpiotPersister 488 | Office.Word.Save.IOTransactionPersisterHrInitiate 489 | Office.Word.Save.LoadClpLabelData 490 | Office.Word.Save.PrsistrMsoCommitTransaction 491 | Office.Word.Save.ReportAutosaveUserSetting 492 | Office.Word.Save.ReportSaveUnresponsivenessBucketedData 493 | Office.Word.Save.RtcEditorsCount 494 | Office.Word.Save.SaveClpLabelData 495 | Office.Word.Word.CoAuthCsiUploadResult 496 | Office.Word.Word.DocumentDirtyFlagChanged 497 | Office.Word.Word.OpenTime100nsTruncatedExtensions 498 | -------------------------------------------------------------------------------- /FullEventNames/Office Diagnostics/OfficeDiagnostics_SortedByApp.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AndrewRathbun/EventTranscript.db-Research/a07e42a8a4fc9bfbe1fbf1c500fa79d0d4de92ed/FullEventNames/Office Diagnostics/OfficeDiagnostics_SortedByApp.xlsx -------------------------------------------------------------------------------- /FullEventNames/Product and Service Performance/Microsoft.Windows.Kernel.Power.OSStateChange JSON Example.txt: -------------------------------------------------------------------------------- 1 | { 2 | "ver": "4.0", 3 | "name": "Microsoft.Windows.Kernel.Power.OSStateChange", 4 | "time": "2021-05-23T16:00:55.1289680Z", 5 | "iKey": "o:0a89d516ae714e01ae89c96d185e9ae3", 6 | "ext": { 7 | "utc": { 8 | "eventFlags": 258, 9 | "pgName": "WIN", 10 | "flags": 1008730628, 11 | "epoch": "1303624", 12 | "seq": 1866 13 | }, 14 | "metadata": { 15 | "f": { 16 | "StateDurationMS": 5, 17 | "BootTimeUTC": 9, 18 | "UptimeDeltaMS": 5, 19 | "TotalDurationMS": 5, 20 | "TotalUptimeMS": 5, 21 | "EnergyChangeV2": 4 22 | }, 23 | "privTags": 16777216 24 | }, 25 | "os": { 26 | "bootId": 14, 27 | "name": "Windows", 28 | "ver": "10.0.19042.985.amd64fre.vb_release.191206-1406" 29 | }, 30 | "app": { 31 | "id": "W:0000da39a3ee5e6b4b0d3255bfef95601890afd80709!00001100000000000000000000000000000000000000!", 32 | "ver": "1970/01/01:00:00:00!0!", 33 | "asId": 1 34 | }, 35 | "device": { 36 | "localId": "s:19F5F5BF-4BF4-4E3C-998D-3DBD62F9F507", 37 | "deviceClass": "Windows.Desktop" 38 | }, 39 | "protocol": { 40 | "devMake": "Notebook", 41 | "devModel": "PB50_70RF,RD,RC" 42 | }, 43 | "user": { 44 | "localId": "w:B04E2543-63EB-D3C6-4722-FBFE64FA31C0" 45 | }, 46 | "loc": { 47 | "tz": "-04:00" 48 | } 49 | }, 50 | "data": { 51 | "StateTransition": 4, 52 | "StateTransitionSub": 6, 53 | "StateDurationMS": 586, 54 | "BootId": 14, 55 | "BootTimeUTC": "2021-05-21T19:37:06.5796717Z", 56 | "UptimeDeltaMS": 585, 57 | "TotalDurationMS": 159826281, 58 | "TotalUptimeMS": 44149801, 59 | "LastStateTransition": 4, 60 | "LastStateTransitionSub": 4, 61 | "EventSequence": 17, 62 | "ActualTransitions": 16, 63 | "TransitionsToOn": 11, 64 | "BatteryCapacity": 61550, 65 | "BatteryCharge": 77, 66 | "EnergyChangeV2": 0, 67 | "EnergyChangeV2Flags": 0, 68 | "AcPowerOnline": true, 69 | "BatteryDischarging": false 70 | } 71 | } 72 | -------------------------------------------------------------------------------- /FullEventNames/Product and Service Usage/LSM Reconnect and Disconnect JSON Example.txt: -------------------------------------------------------------------------------- 1 | { 2 | "ver": "4.0", 3 | "name": "LSM.ReconnectTime", 4 | "time": "2021-04-24T16:46:28.8756290Z", 5 | "iKey": "o:0a89d516ae714e01ae89c96d185e9ae3", 6 | "ext": { 7 | "utc": { 8 | "aId": "F420C668-995E-4D66-BAC8-7FAD4A7C0000", 9 | "eventFlags": 257, 10 | "pgName": "WIN", 11 | "flags": 744491824, 12 | "providerGuid": "557D257B-180E-4AAE-8F06-86C4E46E9D00", 13 | "loggingBinary": "lsm.dll", 14 | "epoch": "6606117", 15 | "seq": 158398 16 | }, 17 | "metadata": { 18 | "f": { 19 | "ConnectTime": 5, 20 | "TimeToConnect": 5, 21 | "stConnectTime": 9, 22 | "stReconnectTime": 9, 23 | "TimeToConnectSeconds": 5, 24 | "ActivityID": 8 25 | }, 26 | "privTags": 33554432 27 | }, 28 | "os": { 29 | "bootId": 79, 30 | "name": "Windows", 31 | "ver": "10.0.19043.962.amd64fre.vb_release.191206-1406", 32 | "expId": "FX:114145DF,FX:1152FE25,FX:1152FF13,FX:118C9A83,FX:118FEB19,FX:11BAF854,FX:11CC1118,FX:11D5BFCD,FX:11DF5B46,FX:11DF5B86" 33 | }, 34 | "app": { 35 | "id": "W:0000f519feec486de87ed73cb92d3cac802400000000!0000010db07461e45b41c886192df6fd425ba8d42d82!svchost.exe", 36 | "ver": "1972/12/14:16:22:50!1C364!svchost.exe", 37 | "asId": 18 38 | }, 39 | "device": { 40 | "localId": "s:D2738014-A1C9-4A0A-8E55-7B6184029538", 41 | "deviceClass": "Windows.Desktop" 42 | }, 43 | "protocol": { 44 | "devMake": "System manufacturer", 45 | "devModel": "System Product Name", 46 | "ticketKeys": [ 47 | "2076477998" 48 | ] 49 | }, 50 | "user": { 51 | "localId": "m:4b30d36f9be11107" 52 | }, 53 | "xbl": { 54 | "sbx": "RETAIL", 55 | "did": "F900E802E00B88C5", 56 | "xid": "x:2533274804582403" 57 | }, 58 | "loc": { 59 | "tz": "-04:00" 60 | } 61 | }, 62 | "data": { 63 | "ConnectTime": 132637563888480428, 64 | "TimeToConnect": 1879889, 65 | "stConnectTime": "2021-04-24T16:46:28.8480000Z", 66 | "stReconnectTime": "2021-04-24T16:46:28.6600000Z", 67 | "TimeToConnectSeconds": 0, 68 | "ActivityID": "F420C668-995E-4D66-BAC8-7FAD4A7C0000" 69 | } 70 | }, 71 | { 72 | "ver": "4.0", 73 | "name": "LSM.DisconnectTime", 74 | "time": "2021-04-24T16:47:30.7124741Z", 75 | "iKey": "o:0a89d516ae714e01ae89c96d185e9ae3", 76 | "ext": { 77 | "utc": { 78 | "aId": "F420C668-995E-4D66-BAC8-7FAD4A7C0000", 79 | "eventFlags": 257, 80 | "pgName": "WIN", 81 | "flags": 743443248, 82 | "providerGuid": "557D257B-180E-4AAE-8F06-86C4E46E9D00", 83 | "loggingBinary": "lsm.dll", 84 | "epoch": "6606117", 85 | "seq": 158873 86 | }, 87 | "metadata": { 88 | "f": { 89 | "DisconnectTime": 5, 90 | "LogonTime": 5, 91 | "ActivityID": 8, 92 | "ConnectTime": 5, 93 | "ConnectionDuration": 5, 94 | "ConnectionDurationSeconds": 5, 95 | "this->stConnectTime": 9, 96 | "this->stDisconnectTime": 9, 97 | "this->stLogonTime": 9 98 | }, 99 | "privTags": 33554432 100 | }, 101 | "os": { 102 | "bootId": 79, 103 | "name": "Windows", 104 | "ver": "10.0.19043.962.amd64fre.vb_release.191206-1406", 105 | "expId": "FX:114145DF,FX:1152FE25,FX:1152FF13,FX:118C9A83,FX:118FEB19,FX:11BAF854,FX:11CC1118,FX:11D5BFCD,FX:11DF5B46,FX:11DF5B86" 106 | }, 107 | "app": { 108 | "id": "W:0000f519feec486de87ed73cb92d3cac802400000000!0000010db07461e45b41c886192df6fd425ba8d42d82!svchost.exe", 109 | "ver": "1972/12/14:16:22:50!1C364!svchost.exe", 110 | "asId": 18 111 | }, 112 | "device": { 113 | "localId": "s:D2738014-A1C9-4A0A-8E55-7B6184029538", 114 | "deviceClass": "Windows.Desktop" 115 | }, 116 | "protocol": { 117 | "devMake": "System manufacturer", 118 | "devModel": "System Product Name" 119 | }, 120 | "user": { 121 | "localId": "w:B04E2543-63EB-D3C6-4722-FBFE64FA31C0" 122 | }, 123 | "xbl": { 124 | "sbx": "RETAIL", 125 | "did": "F900E802E00B88C5" 126 | }, 127 | "loc": { 128 | "tz": "-04:00" 129 | } 130 | }, 131 | "data": { 132 | "DisconnectTime": 132637564443895608, 133 | "LogonTime": 132635984783438014, 134 | "ActivityID": "F420C668-995E-4D66-BAC8-7FAD4A7C0000", 135 | "ConnectTime": 132637563888480428, 136 | "ConnectionDuration": 555415180, 137 | "ConnectionDurationSeconds": 55, 138 | "this->stConnectTime": "2021-04-24T16:46:28.8480000Z", 139 | "this->stDisconnectTime": "2021-04-24T16:47:30.6840000Z", 140 | "this->stLogonTime": "2021-04-24T15:17:44.6690000Z" 141 | } 142 | } 143 | -------------------------------------------------------------------------------- /FullEventNames/Product and Service Usage/Size.exe Artifact Timestamp Comparison.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AndrewRathbun/EventTranscript.db-Research/a07e42a8a4fc9bfbe1fbf1c500fa79d0d4de92ed/FullEventNames/Product and Service Usage/Size.exe Artifact Timestamp Comparison.xlsx -------------------------------------------------------------------------------- /FullEventNames/Product and Service Usage/Win32kTraceLogging.AppInteractivitySummary JSON Example.txt: -------------------------------------------------------------------------------- 1 | Size.exe 2 | https://www.virustotal.com/gui/file/6beb4a5bcbdaf33f697eea6a4f7f2e9704cc88c20c265d0ce42287d930d06345/community 3 | https://www.joesandbox.com/analysis/377823/0/html 4 | 5 | { 6 | "ver": "4.0", 7 | "name": "Win32kTraceLogging.AppInteractivitySummary", 8 | "time": "2021-05-21T21:07:09.7696180Z", 9 | "iKey": "o:0a89d516ae714e01ae89c96d185e9ae3", 10 | "ext": { 11 | "utc": { 12 | "shellId": 33786497805320195, 13 | "eventFlags": 258, 14 | "pgName": "WIN", 15 | "stId": "288E44E9-4E6F-4DED-B74F-4CB31F5E1638", 16 | "flags": 469762608, 17 | "epoch": "1105750", 18 | "seq": 601 19 | }, 20 | "metadata": { 21 | "f": { 22 | "PartATransform_AppSessionGuidToUserSid": 8, 23 | "AppSessionId": 8, 24 | "AggregationStartTime": 9, 25 | "ViewFlags": 5, 26 | "EventSequence": 5 27 | }, 28 | "privTags": 33554432 29 | }, 30 | "os": { 31 | "bootId": 11, 32 | "name": "Windows", 33 | "ver": "10.0.19043.985.amd64fre.vb_release.191206-1406" 34 | }, 35 | "app": { 36 | "id": "W:0006200ed41a5508b16dcd14fbbc2bbae8f00000ffff!0000a93ebdd16c5862b178d6e5c58d3e074df772a021!size.exe", 37 | "ver": "2019/12/05:07:37:23!0!size.exe", 38 | "asId": 318 39 | }, 40 | "device": { 41 | "localId": "s:6765A30B-E04D-4B4A-9954-55AA49BA79EF", 42 | "deviceClass": "Windows.Desktop" 43 | }, 44 | "protocol": { 45 | "devMake": "VMware, Inc.", 46 | "devModel": "VMware7,1", 47 | "ticketKeys": [ 48 | "2648478" 49 | ] 50 | }, 51 | "user": { 52 | "localId": "m:a5f16b5cd9dd213c" 53 | }, 54 | "loc": { 55 | "tz": "-07:00" 56 | } 57 | }, 58 | "data": { 59 | "AppId": "W:0006200ed41a5508b16dcd14fbbc2bbae8f00000ffff!0000a93ebdd16c5862b178d6e5c58d3e074df772a021!size.exe", 60 | "AppVersion": "2019/12/05:07:37:23!0!size.exe", 61 | "CommandLineHash": 2437988017, 62 | "AppSessionId": "000014D8-0001-000B-FCCF-6341854ED701", 63 | "AggregationStartTime": "2021-05-21T20:57:26.2298826Z", 64 | "AggregationDurationMS": 583531, 65 | "InFocusDurationMS": 797, 66 | "FocusLostCount": 2, 67 | "NewProcessCount": 1, 68 | "UserActiveDurationMS": 797, 69 | "UserOrDisplayActiveDurationMS": 797, 70 | "UserActiveTransitionCount": 0, 71 | "InFocusBitmap": "0x0000002000000000", 72 | "InputSec": 2, 73 | "KeyboardInputSec": 0, 74 | "SipKeyboardInputSec": 0, 75 | "InjectedKeyboardInputSec": 0, 76 | "MouseInputSec": 2, 77 | "InjectedMouseInputSec": 0, 78 | "TouchInputSec": 0, 79 | "InjectedTouchInputSec": 0, 80 | "PenInputSec": 0, 81 | "InjectedPenInputSec": 0, 82 | "PrecisionTouchpadInputSec": 0, 83 | "InjectedPrecisionTouchpadInputSec": 0, 84 | "HidInputSec": 0, 85 | "WindowWidth": 527, 86 | "WindowHeight": 393, 87 | "MonitorWidth": 3326, 88 | "MonitorHeight": 1964, 89 | "MonitorFlags": 0, 90 | "WindowFlags": 8, 91 | "InteractiveTimeoutPeriodMS": 60000, 92 | "AggregationPeriodMS": 1200000, 93 | "BitPeriodMS": 20000, 94 | "AggregationFlags": 49, 95 | "SummaryRound": 1, 96 | "SpeechRecognitionSec": 0, 97 | "GameInputSec": 0, 98 | "TargetAsId": 318, 99 | "CompositionRenderedSec": 0, 100 | "CompositionDirtyGeneratedSec": 1, 101 | "CompositionDirtyPropagatedSec": 0, 102 | "BackgroundMouseSec": 0, 103 | "AudioInMS": 0, 104 | "AudioOutMS": 0, 105 | "ViewFlags": 0, 106 | "SinceFirstInteractivityMS": 2531, 107 | "EventSequence": 29 108 | } 109 | } 110 | -------------------------------------------------------------------------------- /FullEventNames/RequiredOnly.txt: -------------------------------------------------------------------------------- 1 | A list of events observed within my instance of Diagnostic Data Viewer (front end for EventTranscript.db) with the Required Only switch on. So this ONLY the Required Full Event Names observed on my personal system as of 9/10/2021. 2 | 3 | Aria.6660cc65b74b4291b30536aea7ed6ead.Microsoft.WebBrowser.SystemInfo.Config 4 | Aria.7005b72804a64fa4b2138faab88f877b.Microsoft.WebBrowser.SystemInfo.Config 5 | CbsServicingProvider.CbsPackageRemoval 6 | Census.App 7 | Census.Battery 8 | Census.Enterprise 9 | Census.Firmware 10 | Census.Flighting 11 | Census.Hardware 12 | Census.Memory 13 | Census.Network 14 | Census.OS 15 | Census.PrivacySettings 16 | Census.Processor 17 | Census.Security 18 | Census.Speech 19 | Census.Storage 20 | Census.Userdefault 21 | Census.UserDisplay 22 | Census.UserNLS 23 | Census.UserPrivacySettings 24 | Census.VM 25 | Census.WU 26 | DxgKrnlTelemetry.GPUAdapterInventoryV2 27 | Microsoft.Gaming.Critical.ProviderRegistered 28 | Microsoft.OneDrive.Sync.Client.OneDriveIDsV2 29 | Microsoft.OneDrive.Sync.Updater.OverlayIconStatus 30 | Microsoft.OneDrive.Sync.Updater.UpdateOverallResult 31 | Microsoft.OneDrive.Sync.Updater.UpdateXmlDownloadHResultV2 32 | Microsoft.OSG.DU.DeliveryOptClient.DownloadCompleted 33 | Microsoft.OSG.DU.DeliveryOptClient.DownloadPaused 34 | Microsoft.OSG.DU.DeliveryOptClient.DownloadStarted 35 | Microsoft.OSG.DU.DeliveryOptClient.FailureCdnCommunication 36 | Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount 37 | Microsoft.Windows.Appraiser.General.DatasourceDevicePnpAdd 38 | Microsoft.Windows.Appraiser.General.DatasourceDevicePnpRemove 39 | Microsoft.Windows.Appraiser.General.DatasourceDriverPackageAdd 40 | Microsoft.Windows.Appraiser.General.DecisionDevicePnpAdd 41 | Microsoft.Windows.Appraiser.General.DecisionDevicePnpRemove 42 | Microsoft.Windows.Appraiser.General.DecisionDriverPackageAdd 43 | Microsoft.Windows.Appraiser.General.InventoryApplicationFileAdd 44 | Microsoft.Windows.Appraiser.General.RunContext 45 | Microsoft.Windows.Appraiser.General.SystemMemoryAdd 46 | Microsoft.Windows.Appraiser.General.TelemetryRunHealth 47 | Microsoft.Windows.DriverInstall.DeviceInstall 48 | Microsoft.Windows.DriverInstall.NewDevInstallDeviceEnd 49 | Microsoft.Windows.DriverInstall.NewDevInstallDeviceStart 50 | Microsoft.Windows.FaultReporting.AppCrashEvent 51 | Microsoft.Windows.FeatureQuality.Heartbeat 52 | Microsoft.Windows.FeatureQuality.StateChange 53 | Microsoft.Windows.HangReporting.AppHangEvent 54 | Microsoft.Windows.Inventory.Core.AmiTelCacheChecksum 55 | Microsoft.Windows.Inventory.Core.InventoryApplicationAdd 56 | Microsoft.Windows.Inventory.Core.InventoryDeviceContainerAdd 57 | Microsoft.Windows.Inventory.Core.InventoryDeviceContainerRemove 58 | Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassAdd 59 | Microsoft.Windows.Inventory.Core.InventoryDevicePnpAdd 60 | Microsoft.Windows.Inventory.Core.InventoryDevicePnpRemove 61 | Microsoft.Windows.Inventory.Core.InventoryDriverBinaryAdd 62 | Microsoft.Windows.Inventory.Core.InventoryDriverPackageAdd 63 | Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd 64 | Microsoft.Windows.Inventory.Indicators.Checksum 65 | Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorAdd 66 | Microsoft.Windows.Kernel.DeviceConfig.DeviceConfig 67 | Microsoft.Windows.Kernel.PnP.AggregateClearDevNodeProblem 68 | Microsoft.Windows.Kernel.PnP.AggregateSetDevNodeProblem 69 | Microsoft.Windows.OneSettingsClient.Heartbeat 70 | Microsoft.Windows.Security.CodeIntegrity.State.IsProductionConfiguration 71 | Microsoft.Windows.StoreAgent.Telemetry.EndAcquireLicense 72 | Microsoft.Windows.StoreAgent.Telemetry.EndDownload 73 | Microsoft.Windows.StoreAgent.Telemetry.EndFrameworkUpdate 74 | Microsoft.Windows.StoreAgent.Telemetry.EndInstall 75 | Microsoft.Windows.StoreAgent.Telemetry.EndScanForUpdates 76 | Microsoft.Windows.StoreAgent.Telemetry.FulfillmentComplete 77 | Microsoft.Windows.StoreAgent.Telemetry.FulfillmentInitiate 78 | Microsoft.Windows.StoreAgent.Telemetry.ResumeInstallation 79 | Microsoft.Windows.StoreAgent.Telemetry.StateTransition 80 | Microsoft.Windows.Update.Orchestrator.Worker.OobeUpdateApproved 81 | Microsoft.Windows.Update.Orchestrator.Worker.UpdateActionCritical 82 | Microsoft.Windows.UpdateReserveManager.InitializeReserves 83 | Microsoft.Windows.UpdateReserveManager.InitializeUpdateReserveManager 84 | Microsoft.Windows.UpdateReserveManager.PrepareTIForReserveInitialization 85 | Microsoft.Windows.UpdateReserveManager.UpdatePendingHardReserveAdjustment 86 | Microsoft.Windows.WaaSMedic.SummaryEvent 87 | SoftwareUpdateClientTelemetry.CheckForUpdates 88 | SoftwareUpdateClientTelemetry.Download 89 | SoftwareUpdateClientTelemetry.DownloadCheckpoint 90 | SoftwareUpdateClientTelemetry.Install 91 | SoftwareUpdateClientTelemetry.TaskRun 92 | SoftwareUpdateClientTelemetry.UpdateDetected 93 | TelClientSynthetic.ConnectivityHeartBeat_0 94 | TelClientSynthetic.HeartBeat_5 95 | Update360Telemetry.UpdateAgentDownloadRequest 96 | Update360Telemetry.UpdateAgentExpand 97 | Update360Telemetry.UpdateAgentInitialize 98 | Update360Telemetry.UpdateAgentInstall 99 | Update360Telemetry.UpdateAgentMitigationResult 100 | Update360Telemetry.UpdateAgentMitigationSummary 101 | Update360Telemetry.UpdateAgentModeStart 102 | Update360Telemetry.UpdateAgentOneSettings 103 | Update360Telemetry.UpdateAgentPostRebootResult 104 | -------------------------------------------------------------------------------- /FullEventNames/Software Setup and Inventory/SoftwareandSetupInventory_FullEventNames.txt: -------------------------------------------------------------------------------- 1 | 75EBC33E-997F-49CF-B49F-ECC50184B75D.1002_0 2 | Aria.7005b72804a64fa4b2138faab88f877b.Microsoft.WebBrowser.Protobuf.UMA.Histograms.Group1 3 | Aria.7005b72804a64fa4b2138faab88f877b.Microsoft.WebBrowser.Protobuf.UMA.Histograms.Group3 4 | Aria.af397ef28e484961ba48646a5d38cf54.Microsoft.WebBrowser.Installer.EdgeUpdate.Ping 5 | Aria.af397ef28e484961ba48646a5d38cf54.Microsoft.WebBrowser.Installer.EdgeUpdate.UsageStats 6 | Aria.d5a8f02229be41efb047bd8f883ba799.Assert 7 | Aria.d5a8f02229be41efb047bd8f883ba799.BootSafeModeState 8 | Aria.d5a8f02229be41efb047bd8f883ba799.FlightingChanged 9 | Aria.d5a8f02229be41efb047bd8f883ba799.KeyIndexStats 10 | Aria.d5a8f02229be41efb047bd8f883ba799.StorageMaintenanceStatus 11 | Aria.d5a8f02229be41efb047bd8f883ba799.SuccessfulBoot 12 | Aria.d5a8f02229be41efb047bd8f883ba799.TaskbarPinInfo 13 | Aria.d5a8f02229be41efb047bd8f883ba799.Trace 14 | CbsServicingProvider.CapabilityChange 15 | CbsServicingProvider.CbsCapabilityEnumeration 16 | CbsServicingProvider.CbsCapabilitySessionFinalize 17 | CbsServicingProvider.CbsCapabilitySessionPended 18 | CbsServicingProvider.CbsExecutionInitialized 19 | CbsServicingProvider.CbsPackageChangeBeginV3 20 | CbsServicingProvider.CbsPackageChangeEndV2 21 | CbsServicingProvider.CbsQualityUpdateInstall 22 | CbsServicingProvider.CBSReadCustomInformation 23 | CbsServicingProvider.CbsSelectableUpdateChangeV2 24 | Census.App 25 | Census.Userdefault 26 | Census.WU 27 | Microsoft.Office.TelemetryEngine.ShutdownComplete 28 | Microsoft.Office.TelemetryEngine.SuspendComplete 29 | Microsoft.OneDrive.Sync.Client.OneDriveIDsV2 30 | Microsoft.OneDrive.Sync.Setup.SetupCommonDataV2 31 | Microsoft.OneDrive.Sync.Updater.OverlayIconStatus 32 | Microsoft.OneDrive.Sync.Updater.UpdateOverallResult 33 | Microsoft.OneDrive.Sync.Updater.UpdateXmlDownloadHResultV2 34 | Microsoft.OSG.DU.DeliveryOptClient.DownloadCompleted 35 | Microsoft.OSG.DU.DeliveryOptClient.DownloadPaused 36 | Microsoft.OSG.DU.DeliveryOptClient.DownloadProgress 37 | Microsoft.OSG.DU.DeliveryOptClient.DownloadResumed 38 | Microsoft.OSG.DU.DeliveryOptClient.DownloadStarted 39 | Microsoft.OSG.DU.DeliveryOptClient.FailureCdnCommunication 40 | Microsoft.OSG.DU.DeliveryOptClient.Upload 41 | Microsoft.Web.Platform.Chakra.GCTelemetry_0 42 | Microsoft.Windows.Apps.StoreRatingPromotion.SetupComplete 43 | Microsoft.Windows.Apps.StoreRatingPromotion.SetupStart 44 | Microsoft.Windows.AppXDeploymentServer.InPlaceUpdate 45 | Microsoft.Windows.AppXDeploymentServer.PackageManagerMainPackageSuccess 46 | Microsoft.Windows.AppXDeploymentServer.PackageManagerStartDeployment 47 | Microsoft.Windows.AppXDeploymentServer.PackageManagerSummaryError 48 | Microsoft.Windows.AppXDeploymentServer.PackageManagerUninstall 49 | Microsoft.Windows.AppXDeploymentServer.ProcessDeferredRequestStatesEnd 50 | Microsoft.Windows.Compatibility.Encapsulation.Api 51 | Microsoft.Windows.Compatibility.Encapsulation.ProcessLoggingFile 52 | Microsoft.Windows.Compatibility.Encapsulation.ProcessLoggingRegistry 53 | Microsoft.Windows.Darwin.MsiInstallProduct 54 | Microsoft.Windows.Desktop.Shell.TwinUI.BroadcastDVR.KGLLoaded 55 | Microsoft.Windows.DynamicApi.Data.Coverage 56 | Microsoft.Windows.FeatureExperiment.AggregatedStagingState 57 | Microsoft.Windows.FeatureQuality.FlightIdRegistered 58 | Microsoft.Windows.FeatureQuality.FlightIdUnregistered 59 | Microsoft.Windows.FeatureQuality.Heartbeat 60 | Microsoft.Windows.FeatureQuality.StateChange 61 | Microsoft.Windows.Graphics.DXCore.CreateAdapterList 62 | Microsoft.Windows.Graphics.DXCore.DXCoreCreateAdapterFactory 63 | Microsoft.Windows.Graphics.DXCore.GetAdapter 64 | Microsoft.Windows.Graphics.DXCore.GetAdapterByLuid 65 | Microsoft.Windows.Graphics.DXCore.GetProperty 66 | Microsoft.Windows.Graphics.DXCore.IsAttributeSupported 67 | Microsoft.Windows.Inventory.Core.InventoryApplicationAdd 68 | Microsoft.Windows.Inventory.Core.InventoryApplicationRemove 69 | Microsoft.Windows.Inventory.General.InventoryMiscellaneousAdd 70 | Microsoft.Windows.Inventory.General.InventoryMiscellaneousAntivirusInformationAdd 71 | Microsoft.Windows.Inventory.General.InventoryMiscellaneousChromeAppAdd 72 | Microsoft.Windows.Inventory.General.InventoryMiscellaneousChromeRlzAdd 73 | Microsoft.Windows.Inventory.General.InventoryMiscellaneousCITModuleLoadedAdd 74 | Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInAdd 75 | Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInUsageAdd 76 | Microsoft.Windows.Inventory.General.InventoryMiscellaneousServicesAdd 77 | Microsoft.Windows.Inventory.General.InventoryMiscellaneousUserAdd 78 | Microsoft.Windows.MigrationCore.MigObjectCountDLUsr 79 | Microsoft.Windows.MigrationCore.MigObjectCountKFSys 80 | Microsoft.Windows.MigrationCore.MigObjectCountKFUsr 81 | Microsoft.Windows.OneSettingsClient.Heartbeat 82 | Microsoft.Windows.OneSettingsClient.OneSettingsPayloadDownload 83 | Microsoft.Windows.OneSettingsClient.UnusedRegistrySetting 84 | Microsoft.Windows.PushToInstall.OutgoingServiceRequest 85 | Microsoft.Windows.Setup.SetupClnPlugin.SetupClnPluginSpaceUsed 86 | Microsoft.Windows.Shell.Taskbar.ClipboardHistoryHotkeyRegistration 87 | Microsoft.Windows.Shell.Userenv.WINAPICreateProfile 88 | Microsoft.Windows.Shell.Userenv.WINAPILoadUserProfile 89 | Microsoft.Windows.Shell.Userenv.WINAPIUnloadUserProfile 90 | Microsoft.Windows.Shell.UserProfiles.RecordInterferingProcessViaRegistry 91 | Microsoft.Windows.StoreAgent.Telemetry.AbortedInstallation 92 | Microsoft.Windows.StoreAgent.Telemetry.BeginAcquireLicense 93 | Microsoft.Windows.StoreAgent.Telemetry.BeginDownload 94 | Microsoft.Windows.StoreAgent.Telemetry.BeginInstall 95 | Microsoft.Windows.StoreAgent.Telemetry.BeginScanForUpdates 96 | Microsoft.Windows.StoreAgent.Telemetry.DownloadUrl 97 | Microsoft.Windows.StoreAgent.Telemetry.EndAcquireLicense 98 | Microsoft.Windows.StoreAgent.Telemetry.EndDownload 99 | Microsoft.Windows.StoreAgent.Telemetry.EndInstall 100 | Microsoft.Windows.StoreAgent.Telemetry.EndScanForUpdates 101 | Microsoft.Windows.StoreAgent.Telemetry.EndSearchUpdatePackages 102 | Microsoft.Windows.StoreAgent.Telemetry.EndStageUserData 103 | Microsoft.Windows.StoreAgent.Telemetry.FulfillmentComplete 104 | Microsoft.Windows.StoreAgent.Telemetry.FulfillmentInitiate 105 | Microsoft.Windows.StoreAgent.Telemetry.InstallOperationRequest 106 | Microsoft.Windows.StoreAgent.Telemetry.ResumeInstallation 107 | Microsoft.Windows.StoreAgent.Telemetry.SearchForUpdateOperationRequest 108 | Microsoft.Windows.StoreAgent.Telemetry.StateTransition 109 | Microsoft.Windows.StoreAgent.Telemetry.UpdateAppOperationRequest 110 | Microsoft.Windows.Sysprep.SysprepFunctionStart 111 | Microsoft.Windows.Sysprep.SysprepFunctionStop 112 | Microsoft.Windows.Sysprep.SysprepRebootPendingPlugins 113 | Microsoft.Windows.TaskScheduler.Migration.TopLevelCopy 114 | Microsoft.Windows.TaskScheduler.Migration.TopLevelCopyFailed 115 | Microsoft.Windows.Update.WUClientExt.UUSLoadModuleSucceeded 116 | Microsoft.Windows.UpdateReserveManager.ClearReserve 117 | Microsoft.Windows.UpdateReserveManager.CommitPendingHardReserveAdjustment 118 | Microsoft.Windows.UpdateReserveManager.EndScenario 119 | Microsoft.Windows.UpdateReserveManager.InitializeReserves 120 | Microsoft.Windows.UpdateReserveManager.InitializeUpdateReserveManager 121 | Microsoft.Windows.UpdateReserveManager.PrepareTIForReserveInitialization 122 | Microsoft.Windows.UpdateReserveManager.ReevaluatePolicy 123 | Microsoft.Windows.UpdateReserveManager.UpdatePendingHardReserveAdjustment 124 | Microsoft.Windows.WinRE.Agent.CreatePartition 125 | Microsoft.Windows.WinRE.Agent.CreatePartitionSucceed 126 | Microsoft.Windows.WinRE.Agent.CreateWinRePartition 127 | Microsoft.Windows.WinRE.Agent.CreateWinRePartitionSucceed 128 | Microsoft.Windows.WinRE.Agent.FindTargetPartitionSucceed 129 | Microsoft.Windows.WinRE.Agent.InstallType 130 | Microsoft.Windows.WinRE.Agent.InstallWinRE 131 | Microsoft.Windows.WinRE.Agent.InstallWinRESucceed 132 | Microsoft.Windows.WinRE.Agent.MigrateDriversToWinRe 133 | Microsoft.Windows.WinRE.Agent.MigrateDriversToWinReSucceed 134 | Microsoft.Windows.WinRE.Agent.MigrateOemToolsToWinRE 135 | Microsoft.Windows.WinRE.Agent.MigrateOemToolsToWinREFailed 136 | Microsoft.Windows.WinRE.Agent.ShrinkOsPartition 137 | Microsoft.Windows.WinRE.Agent.ShrinkOsPartitionSucceed 138 | MicrosoftWindowsCodeIntegrityTraceLoggingProvider.CiTraceImageVerificationFailureGenericInfo 139 | MicrosoftWindowsCodeIntegrityTraceLoggingProvider.CiTraceInitialization 140 | MicrosoftWindowsCodeIntegrityTraceLoggingProvider.CiTraceSignatureVerificationFailure 141 | MicrosoftWindowsCodeIntegrityTraceLoggingProvider.HstiInformationV2 142 | Microsoft-Windows-Kernel-Mm.NonRetpolineSystemImageLoadedAggregate 143 | Microsoft-Windows-Kernel-Mm.SystemImagePinAddressAggregate 144 | RDP.Graphics.RDPClientOSType 145 | Setup360Telemetry.PostRebootInstall 146 | Setup360Telemetry.Setup360 147 | SetupPlatformTel.SetupPlatformTelEvent 148 | SoftwareUpdateClientTelemetry.CheckForUpdates 149 | SoftwareUpdateClientTelemetry.Download 150 | SoftwareUpdateClientTelemetry.DownloadCheckpoint 151 | SoftwareUpdateClientTelemetry.Install 152 | SoftwareUpdateClientTelemetry.SLSDiscovery 153 | SoftwareUpdateClientTelemetry.TaskRun 154 | SoftwareUpdateClientTelemetry.UpdateDetected 155 | SoftwareUpdateClientTelemetry.UpdateMetadataIntegrity 156 | Update360Telemetry.UpdateAgentDownloadRequest 157 | Update360Telemetry.UpdateAgentInitialize 158 | Update360Telemetry.UpdateAgentMitigationResult 159 | Update360Telemetry.UpdateAgentMitigationSummary 160 | Update360Telemetry.UpdateAgentModeStart 161 | Update360Telemetry.UpdateAgentOneSettings 162 | Update360Telemetry.UpdateAgentPostRebootResult 163 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2021 Andrew Rathbun 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /Pictures/DiagnosticDataOverviewFilteringandNewEventsOverview.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AndrewRathbun/EventTranscript.db-Research/a07e42a8a4fc9bfbe1fbf1c500fa79d0d4de92ed/Pictures/DiagnosticDataOverviewFilteringandNewEventsOverview.gif -------------------------------------------------------------------------------- /Pictures/DiagnosticDataSettings.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AndrewRathbun/EventTranscript.db-Research/a07e42a8a4fc9bfbe1fbf1c500fa79d0d4de92ed/Pictures/DiagnosticDataSettings.gif -------------------------------------------------------------------------------- /Pictures/DiagnosticDataViewer.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AndrewRathbun/EventTranscript.db-Research/a07e42a8a4fc9bfbe1fbf1c500fa79d0d4de92ed/Pictures/DiagnosticDataViewer.jpg -------------------------------------------------------------------------------- /Pictures/DiagnosticDataViewerAboutYourData.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AndrewRathbun/EventTranscript.db-Research/a07e42a8a4fc9bfbe1fbf1c500fa79d0d4de92ed/Pictures/DiagnosticDataViewerAboutYourData.jpg -------------------------------------------------------------------------------- /Pictures/DiagnosticDataViewerProblemReports.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AndrewRathbun/EventTranscript.db-Research/a07e42a8a4fc9bfbe1fbf1c500fa79d0d4de92ed/Pictures/DiagnosticDataViewerProblemReports.jpg -------------------------------------------------------------------------------- /Pictures/DiagnosticsandFeedbackSettings.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AndrewRathbun/EventTranscript.db-Research/a07e42a8a4fc9bfbe1fbf1c500fa79d0d4de92ed/Pictures/DiagnosticsandFeedbackSettings.jpg -------------------------------------------------------------------------------- /Pictures/DiagnosticsandFeedbackSettingsMarkedUp.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AndrewRathbun/EventTranscript.db-Research/a07e42a8a4fc9bfbe1fbf1c500fa79d0d4de92ed/Pictures/DiagnosticsandFeedbackSettingsMarkedUp.jpg -------------------------------------------------------------------------------- /Pictures/JSONExtractExamples.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AndrewRathbun/EventTranscript.db-Research/a07e42a8a4fc9bfbe1fbf1c500fa79d0d4de92ed/Pictures/JSONExtractExamples.jpg -------------------------------------------------------------------------------- /Pictures/OfficeDiagnosticData.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AndrewRathbun/EventTranscript.db-Research/a07e42a8a4fc9bfbe1fbf1c500fa79d0d4de92ed/Pictures/OfficeDiagnosticData.jpg -------------------------------------------------------------------------------- /Pictures/Pasted image 20210518161731.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AndrewRathbun/EventTranscript.db-Research/a07e42a8a4fc9bfbe1fbf1c500fa79d0d4de92ed/Pictures/Pasted image 20210518161731.png -------------------------------------------------------------------------------- /Pictures/Pasted image 20210518162055.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AndrewRathbun/EventTranscript.db-Research/a07e42a8a4fc9bfbe1fbf1c500fa79d0d4de92ed/Pictures/Pasted image 20210518162055.png -------------------------------------------------------------------------------- /Pictures/Pasted image 20210518164349.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AndrewRathbun/EventTranscript.db-Research/a07e42a8a4fc9bfbe1fbf1c500fa79d0d4de92ed/Pictures/Pasted image 20210518164349.png -------------------------------------------------------------------------------- /Pictures/Pasted image 20210518165200.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AndrewRathbun/EventTranscript.db-Research/a07e42a8a4fc9bfbe1fbf1c500fa79d0d4de92ed/Pictures/Pasted image 20210518165200.png -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # EventTranscript.db Research 2 | 3 | This repository serves to provide all currently known information about EventTranscript.db. 4 | 5 | [Forensically Unpacking EventTranscript.db: An Investigative Series](https://www.kroll.com/en/insights/publications/cyber/forensically-unpacking-eventtranscript) - articles at the bottom of this landing page 6 | 7 | # DFIR Community-created Parsers 8 | 9 | - [EventTranscriptParser](https://github.com/stuxnet999/EventTranscriptParser) by [Abhiram Kumar](https://github.com/stuxnet999) 10 | 11 | ## What is EventTranscript.db? 12 | 13 | EventTranscript.db is a SQLite database that appears to record lots of diagnostic-related information about events that occur on the Windows operating system in real-time. This database is not enabled by default and, if enabled, can be enormous in size and potentially serve as a treasure trove of data. 14 | 15 | ## Where is EventTranscript.db located? 16 | 17 | `C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db` 18 | 19 | ## What does EventTranscript.db record? 20 | 21 | There is a table within EventTranscript.db that provides the following information within the Tag Descriptions table. 22 | 23 | ### Tag Descriptions 24 | 25 | | Tag ID | Locale Name | Tag Name | Description | 26 | |-|-|-|-| 27 | | 1 | en-US | Browsing History | Records of the web browsing history when using the capabilities of the application or cloud service, stored in either the service or the application. | 28 | | 11 | en-US |Device Connectivity and Configuration | Data that describes the connections and configuration of the devices connected to the service and the network, including device identifiers (e.g. IP addresses) configuration, setting and performance. | 29 | | 17 | en-US | Inking Typing and Speech Utterance | Record of the input data provided by the end user through an interaction method or action such as inking, typing, speech utterance or gesture. | 30 | | 24 | en-US | Product and Service Performance | Data collected about the measurement, performance and operation of the capabilities of the product or service. This data represents information about the capability and its use, with a focus on providing the capabilities of the product or service. | 31 | | 25 | en-US | Product and Service Usage | Data provided or captured about the end user’s interaction with the service or products by the cloud service provider. Captured data includes the records of the end user’s preferences and settings for capabilities, the capabilities used and commands provided to the capabilities. | 32 | | 31 | en-US | Software Setup and Inventory | Data that describes the installation, setup and update of software. | 33 | 34 | ## How much data does EventTranscript.db record? 35 | 36 | The answer to everything in DFIR: "It depends". The user can specify the size and scope of the database, as seen below: 37 | 38 | ![DiagnosticDataSettings](https://github.com/rathbuna/EventTranscript.db-Research/blob/main/Pictures/DiagnosticDataSettings.gif) 39 | 40 | ## How can I parse EventTranscript.db? 41 | 42 | SQLECmd has a Map that'll parse EventTranscript.db into 6 separate CSVs, one for each Tag Description. From there, it's strongly suggested to filter on Full Event Name column for potentially relevant findings. 43 | 44 | ### Parsing Considerations 45 | 46 | Full Event Name is a column within the EventTranscript.db database which appears to give a high level summary of the event, similar to the description of an event provided in Windows Event Logs. For each event entry in this database, there is a JSON Payload that appears to differ between each Full Event Name. What that means is likely no "one size fits all" SQLite query will work for ALL events that exist within this database. 47 | 48 | I've compiled a deduplicated list of Full Event Names I observed on my own system [here](https://github.com/rathbuna/EventTranscript.db-Research/tree/main/FullEventNames). Please feel free to add ones that my system didn't happen to record so a more complete list can be maintained for the benefit of the community. 49 | 50 | ### Writing Your Own SQLite Queries to Parse EventTranscript.db 51 | 52 | Since the JSON Payload appears to be different for each Full Event Name, you'll want to leverage `json_extract` for parsing out data from the JSON Payload column. 53 | 54 | It appears every event has the following names and corresponding values 55 | * `ver` 56 | * `name` 57 | * `time` 58 | * `iKey` 59 | * `ext` 60 | * `data` 61 | 62 | The `data` name is where data differentiates between each Full Event Name. If you want to parse the SessionID value from the `data` node, it would look something like this: 63 | 64 | `json_extract ( payload, '$.data.sessionID' ) AS SessionID,` 65 | 66 | To illustrate there, here are some more examples of what the SQLite query would look like for parsing a particular value that's nested within the JSON Payload column: 67 | 68 | ![JSONExtractExamples](https://github.com/rathbuna/EventTranscript.db-Research/blob/main/Pictures/JSONExtractExamples.jpg) 69 | 70 | More documentation can be found [here](https://www.sqlite.org/json1.html) on extracting JSON using SQLite queries. 71 | 72 | ## I don't see EventTranscript.db on my own system/a client's system, what's the deal? 73 | 74 | Open the Windows start menu and start typing 'Diagnostics and Feedback Settings'. Within that menu, enable these options. 75 | 76 | ![DiagnosticFeedbackandSettings](https://github.com/rathbuna/EventTranscript.db-Research/blob/main/Pictures/DiagnosticsandFeedbackSettingsMarkedUp.jpg) 77 | 78 | ## What is the data stored within EventTranscript.db used for? 79 | 80 | This database appears to serve as a backend for the Diagnostic Data Viewer application within Windows. 81 | 82 | ![DiagnosticDataViewer](https://github.com/rathbuna/EventTranscript.db-Research/blob/main/Pictures/DiagnosticDataViewer.jpg) 83 | 84 | ## How long has EventTranscript.db existed within Windows? 85 | 86 | Preliminary research shows that EventTranscript.db was being recorded to by Windows [using DiagTrack.dll](https://docs.microsoft.com/en-us/windows/privacy/diagnostic-data-viewer-overview#microsoft-edge-diagnostic-data-appearing-as-a-blob-of-text) starting with [Windows 1709](https://docs.microsoft.com/en-us/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields). Prior to that, Windows recorded to .rbs files that were hardcoded in filename as events00.rbs, events01.rbs, events10.rbs, and events11.rbs. These files were effectively compressed JSON through 1703 until 1709 changed to EventTranscript.db, which is a SQLite database. I personally compare this to the .evt to .evtx transition Microsoft made with Windows Vista, i.e. .rbs = .evt, EventTranscript.db = .evtx. 87 | 88 | For more info on the aforementioned .rbs files, check out this research paper: [Forensic analysis of the Windows telemetry for diagnostics](https://arxiv.org/ftp/arxiv/papers/2002/2002.12506.pdf). 89 | 90 | ## What does Diagnostic Data Viewer allow the end user to do? 91 | 92 | You can do filtering on events stored within this database in real-time using Diagnostic Data Viewer. Also, notice at the end of this GIF that the number of new events automatically updates. 93 | 94 | ![DiagnosticDataOverviewFilteringandNewEventsOverview](https://github.com/rathbuna/EventTranscript.db-Research/blob/main/Pictures/DiagnosticDataOverviewFilteringandNewEventsOverview.gif) 95 | 96 | You can also view Problem Reports within Diagnostic Data Viewer relating to applications suddenly not working as expected. Please note that this reports are the same found in `C:\ProgramData\Microsoft\Windows\WER`. 97 | 98 | ![DiagnosticDataViewerProblemReports](https://github.com/rathbuna/EventTranscript.db-Research/blob/main/Pictures/DiagnosticDataViewerProblemReports.jpg) 99 | 100 | In the About Your Data section, you can view a graphical overview of the data that's being stored in the EventTranscript.db database on your system. 101 | 102 | ![DiagnosticDataViewerAboutYourData](https://github.com/rathbuna/EventTranscript.db-Research/blob/main/Pictures/DiagnosticDataViewerAboutYourData.jpg) 103 | 104 | ## Is there any other data that Diagnostic Data Viewer stores? 105 | 106 | Yes, Office Diagnostic Data is optional and can be turned on in the below settings: 107 | 108 | ![OfficeDiagnosticData](https://github.com/rathbuna/EventTranscript.db-Research/blob/main/Pictures/OfficeDiagnosticData.jpg) 109 | 110 | ## What are the next steps in regards to researching EventTranscript.db? 111 | 112 | There's a lot of opportunity to exploit this database for potentially useful forensic artifacts. Given the sheer volume of events this database records, it may be like finding a needle in a haystack at times. I personally think it will come down to finding out which Full Event Names provide quick wins within the JSON Payload data. 113 | 114 | For instance, minimal research has been done on the following, but there appears to be potential in the following Full Event Names: 115 | 116 | * [Microsoft.Windows.ClipboardHistory.Service.AddItemActivity](https://github.com/rathbuna/EventTranscript.db-Research/blob/f1f648fb8ae4f46bc4719395b9063704ebec238c/FullEventNames/Product%20and%20Service%20Performance/ProductandServicePerformanceFullEventNames.txt#L237) 117 | * [Microsoft.Windows.FileSystem*](https://github.com/rathbuna/EventTranscript.db-Research/blob/f1f648fb8ae4f46bc4719395b9063704ebec238c/FullEventNames/Product%20and%20Service%20Performance/ProductandServicePerformanceFullEventNames.txt#L375) 118 | * [Local Session Manager Events](https://github.com/rathbuna/EventTranscript.db-Research/blob/f1f648fb8ae4f46bc4719395b9063704ebec238c/FullEventNames/Product%20and%20Service%20Usage/ProductandServiceUsageFullEventNames.txt#L8) 119 | * [Microsoft.Windows.Apps.Photos.Analysis.OneDriveStorageStatistics](https://github.com/rathbuna/EventTranscript.db-Research/blob/f1f648fb8ae4f46bc4719395b9063704ebec238c/FullEventNames/Product%20and%20Service%20Usage/ProductandServiceUsageFullEventNames.txt#L71) 120 | 121 | These are just a few that jumped out to me as potentially having forensic value. For each Full Event Name, the JSON Payload will have to be examined for forensic value, documented, and shared with the community. 122 | 123 | ## Supplemental Documention 124 | 125 | EventTranscript.db isn't named by name in any of the below documentation, but all the below links provide invaluable insight into how Windows utilizes and records diagnostic data that resides in this database. 126 | 127 | [Diagnostics, feedback, and privacy in Windows 10](https://support.microsoft.com/en-us/windows/diagnostics-feedback-and-privacy-in-windows-10-28808a2b-a31b-dd73-dcd3-4559a5199319) 128 | 129 | [Diagnostic Data Viewer Overview](https://docs.microsoft.com/en-us/windows/privacy/diagnostic-data-viewer-overview) 130 | 131 | [Feedback & Diagnostics Settings](https://answers.microsoft.com/en-us/windows/forum/windows_10-other_settings-winpc/feedback-diagnostics-settings/c300bfe3-8562-45f6-9341-d7373cc85d9c) 132 | 133 | [Forensic analysis of the Windows telemetry for diagnostics](https://arxiv.org/ftp/arxiv/papers/2002/2002.12506.pdf) 134 | 135 | [Windows 10, version 1709 and newer optional diagnostic data](https://docs.microsoft.com/en-us/windows/privacy/windows-diagnostic-data) 136 | 137 | [Windows 10 diagnostic data events and fields collected through the limit enhanced diagnostic data policy](https://docs.microsoft.com/en-us/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields) 138 | 139 | ## Parsing EventTranscript.db with PowerShell 140 | 141 | ### Installation 142 | EventTranscript.db can be parsed with PowerShell. To interact with the service and retrieve the database contents you to install the Microsoft.DiagnosticsDataViewer PowerShell module as outlined at (https://docs.microsoft.com/en-us/windows/privacy/microsoft-diagnosticdataviewer). 143 | 144 | ```PowerShell 145 | Install-Module -Name Microsoft.DiagnosticDataViewer 146 | ``` 147 | 148 | The module is also available at PSGallery (https://www.powershellgallery.com/packages/Microsoft.DiagnosticDataViewer/2.0.0.1). 149 | 150 | ### Usage 151 | Usage of the PowerShell module is farily straight-forward but has a few issues. It allows for control of the logging capabilities the provided by the DiagTrack service. However, it requires installation of the Diagnostic Data Viewer application from the Microsoft Store. Once that is installed, you need to enable diagnostic data viewing via the Enable-DiagnosticDataViewing cmdlet. 152 | 153 | ```PowerShell 154 | PS C:\WINDOWS\system32> Enable-DiagnosticDataViewing 155 | Diagnostic Data Viewing is enabled now 156 | ``` 157 | 158 | Next, You can view the various categories of diagnostic data by using the Get-DiagnosticDataCategories. The documentation at (https://docs.microsoft.com/en-us/powershell/module/microsoft.diagnosticdataviewer/?view=windowsserver2019-ps) list the cmdlet as Get-DiagnosticDataTypes. As shown below, this is incorrect. 159 | 160 | ```PowerShell 161 | PS C:\WINDOWS\system32> Get-DiagnosticDataCategories 162 | 163 | Id Name Description 164 | -- ---- ----------- 165 | -1 Incorrect Data Category Event is incorrectly categorized. Microsoft is working on fixing such events 166 | 1 Browsing History Records of the web browsing history when using the capabilities of the appl... 167 | 11 Device Connectivity and Configuration Data that describes the connections and configuration of the devices connec... 168 | 17 Inking Typing and Speech Utterance Record of the input data provided by the end user through an interaction me... 169 | 24 Product and Service Performance Data collected about the measurement, performance and operation of the capa... 170 | 25 Product and Service Usage Data provided or captured about the end user’s interaction with the service... 171 | 31 Software Setup and Inventory Data that describes the installation, setup and update of software. 172 | 173 | 174 | PS C:\WINDOWS\system32> Get-DiagnosticDataTypes 175 | Get-DiagnosticDataTypes : The term 'Get-DiagnosticDataTypes' is not recognized as the name of a cmdlet, function, 176 | script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is 177 | correct and try again. 178 | At line:1 char:1 179 | + Get-DiagnosticDataTypes 180 | + ~~~~~~~~~~~~~~~~~~~~~~~ 181 | + CategoryInfo : ObjectNotFound: (Get-DiagnosticDataTypes:String) [], CommandNotFoundException 182 | + FullyQualifiedErrorId : CommandNotFoundException 183 | ``` 184 | 185 | From this point we are able to extract various diagnostic data and apply filters. The output is typically provided as JSON, but we can also export the data as a CSV. 186 | 187 | ```PowerShell 188 | PS C:\WINDOWS\temp> Get-DiagnosticData -DiagnosticDataCategory 31 -StartTime (Get-Date).AddHours(-12) -EndTime (Get-Date).AddHours(0) | Export-Csv 'tmp.csv' 189 | PS C:\WINDOWS\temp> head -n 3 .\tmp.csv 190 | #TYPE DDVCmdlets.Containers.EventRecord 191 | "Name","Timestamp","Payload","IsRequired","DiagnosticDataCategories" 192 | "Microsoft.Windows.StoreAgent.Telemetry.InstallOperationRequest","5/18/2021 3:31:42 PM","{""ver"":""4.0"",""name"":""Microsoft.Windows.StoreAgent.Telemetry.InstallOperationRequest"",""time"":""2021-05-18T15:31:42.5337494Z"",""iKey"":""o:0a89d516ae714e01ae89c96d185e9ae3"",""ext"":{""utc"":{""eventFlags"":514,""pgName"":""WINCORE"",""flags"":905970180,""epoch"":""5901065"",""seq"":6310},""mscv"":{""cV"":""F9pa8KoqmUOiQBHY.10.2""},""os"":{""bootId"":58,""name"":""Windows"",""ver"":""10.0.18363.1440.amd64fre.19h1_release.190318-1202""},""app"":{""id"":""U:Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe!App"",""ver"":""12104.1001.1.0_x64_!2021/04/13:01:49:52!0!winstore.app.exe"",""asId"":25724},""device"":{""localId"":""s:8FA50876-DF77-42F6-B2A1-CA2D1D6229F7"",""deviceClass"":""Windows.Desktop""},""protocol"":{""devMake"":""VMware, Inc."",""devModel"":""VMware Virtual Platform""},""user"":{""localId"":""j:00847540-42CD-5ED8-2C47-0F1896FC2BAF""},""loc"":{""tz"":""-00:00""}},""data"":{""ProductId"":""9N8WTRRSQ8F7"",""SkuId"":""0010"",""CatalogId"":"""",""BundleId"":"""",""VolumePath"":""""}}","True","System.Collections.Generic.List`1[System.Int32]" 193 | ``` 194 | 195 | ### Moar Logs!! 196 | On several systems where we tested the logging functionality of EventTranscript.db and the DiagTrack service the Optional diagnostic data option was greyed out in the GUI. 197 | 198 | ![Diagnostic and Feedback - Optional](https://github.com/rathbuna/EventTranscript.db-Research/blob/main/Pictures/Pasted%20image%2020210518161731.png) 199 | 200 | To manually enable the service we can modify the following registry keys: 201 | 202 | ```PowerShell 203 | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\AllowTelemetry REG_DWORD 0x00000003 204 | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\MaxTelemetryAllowed REG_DWORD 0x00000003 205 | #and 206 | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Policies\DataCollection\AllowTelemetry REG_DWORD 0x00000003 207 | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Policies\DataCollection\MaxTelemetryAllowed REG_DWORD 0x00000003 208 | ``` 209 | 210 | 211 | ![Windows Registry DataCollection](https://github.com/rathbuna/EventTranscript.db-Research/blob/main/Pictures/Pasted%20image%2020210518165200.png) 212 | 213 | Once it is enabled, we can toggle the optional data collection categories. 214 | 215 | ![Improving Inking and Typing and Tailored Experiences](https://github.com/rathbuna/EventTranscript.db-Research/blob/main/Pictures/Pasted%20image%2020210518162055.png) 216 | 217 | Optional data collection enables us to record web traffic visited by Internet Explorer and Edge. Unfortunately, collection of web traffic from Firefox and Google Chrome does not appear to be collected. 218 | 219 | ```PowerShell 220 | PS C:\WINDOWS\temp> Get-DiagnosticData -DiagnosticDataCategory 1 221 | ... 222 | Name : Microsoft.Windows.App.Browser.HJ_BeforeNavigateExtended 223 | Timestamp : 5/18/2021 5:08:46 PM 224 | Payload : {"ver":"4.0","name":"Microsoft.Windows.App.Browser.HJ_BeforeNavigateExtended","time":"2021-0 225 | 5-18T17:08:46.6756009Z","iKey":"o:0a89d516ae714e01ae89c96d185e9ae3","ext":{"utc":{"popSample 226 | ":50,"eventFlags":524546,"pgName":"WIN","flags":469762564,"epoch":"5901065","seq":6563},"met 227 | adata":{"f":{"sessionID":8,"userInputID":8,"AppSessionGuid":8}},"os":{"bootId":58,"name":"Wi 228 | ndows","ver":"10.0.18363.1440.amd64fre.19h1_release.190318-1202"},"app":{"id":"U:Microsoft.M 229 | icrosoftEdge_44.18362.449.0_neutral__8wekyb3d8bbwe!MicrosoftEdge","ver":"44.18362.449.0_neut 230 | ral_!2079/11/26:09:41:53!1E050!microsoftedgecp.exe","asId":26237},"device":{"localId":"s:8FA 231 | 50876-DF77-42F6-B2A1-CA2D1D6229F7","deviceClass":"Windows.Desktop"},"protocol":{"devMake":"V 232 | Mware, Inc.","devModel":"VMware Virtual Platform"},"user":{"localId":"j:00847540-42CD-5ED8-2 233 | C47-0F1896FC2BAF"},"loc":{"tz":"-00:00"}},"data":{"sessionID":"DFCAC27D-B7F9-11EB-B1D4-00505 234 | 6ABB8A0","userInputID":"2BE4207C-34CF-4A55-BAB6-F3A2836DE786","AppSessionGuid":"00001A70-000 235 | 2-003A-CF87-6B6C084CD701","tabId":402,"frameId":1348598048,"managerProcessId":1026,"navigati 236 | onUrlBytes":"0x647777772E6D736E2E636F6D","navigationUrlRejectCode":0,"navigationLocationUrlB 237 | ytes":"0x","navigationLocationUrlRejectCode":30,"isNavLocUrlEqualToUrl":0,"isNavUrlTopLevelU 238 | rl":1,"deviceFeatureStatus":136,"isCortanaEnabled":0,"browserId":"{032D297E-FF55-488E-9307-C 239 | 53C43DC560B}"}} 240 | IsRequired : False 241 | DiagnosticDataCategories : {1, 24} 242 | ... 243 | ``` 244 | 245 | As shown above, the navigationUrlBytes field contains the value 0x647777772E6D736E2E636F6D. Decoded to ASCII this value is dwww.msn.com. 246 | 247 | {032D297E-FF55-488E-9307-C53C43DC560B} 248 | 249 | # TODO 250 | 251 | Add spreadsheet of 2,500+ Full Event Names with Counts. 252 | --------------------------------------------------------------------------------