Fri, Jul 9, 2021

Parsing Diagnostic Data With Powershell and Enhanced Logging

EventTranscript.db can be parsed with PowerShell. To interact with the service and retrieve the database contents, you need to install the Microsoft.DiagnosticsDataViewer PowerShell module as outlined by Microsoft here. Additionally, the module is also available at PSGallery here.

Usage of the PowerShell module is straightforward but suffers from minor issues. The module allows for control of the logging capabilities provided by the DiagTrack service. However, it requires installation of the Diagnostic Data Viewer application from the Microsoft Store. Once that is installed, diagnostic data viewing can be enabled via the Enable-DiagnosticDataViewing cmdlet (Figure 1).

Parsing Diagnostic Data With Powershell and Enhanced Logging

Figure 1: “Enable-DiagnosticDataViewing” Cmdlet

Viewing the various categories of diagnostic data is accomplished by using the Get-DiagnosticDataCategories cmdlet. The documentation at (https://docs.microsoft.com/en-us/powershell/module/microsoft.diagnosticdataviewer/?view=windowsserver2019-ps) lists the cmdlet as Get-DiagnosticDataTypes. As shown in Figure 2, this is incorrect.

Parsing Diagnostic Data With Powershell and Enhanced Logging

Figure 2: Enumeration of Data Collection Types 

Next, we can extract various diagnostic data and apply filters. The output is typically provided as JSON (Figure 3), but we can also export the data as a CSV.

Parsing Diagnostic Data With Powershell and Enhanced Logging

Figure 3: JSON Output

Enhanced Logging

Enhanced logging of telemetry data provided by the DiagTrack service is enabled by selecting the Optional diagnostic data option from the Diagnostics and feedback section in Windows Settings (Figure 4). However, on several systems where we tested the logging functionality of the DiagTrack service, the Optional diagnostic data option was greyed out in the GUI.

Parsing Diagnostic Data With Powershell and Enhanced Logging

Figure 4:“Optional diagnostic data” Option

To manually enable the additional logging capabilities of the service, we can modify the following registry keys to contain a DWORD value of 0x00000003. This value correlates to the Optional diagnostic data setting as shown above.

Parsing Diagnostic Data With Powershell and Enhanced Logging

Figure 5: Registry Settings 

Parsing Diagnostic Data With Powershell and Enhanced Logging

Figure 6: Registry Location 

Once it is enabled, we can toggle the optional data collection categories.

Parsing Diagnostic Data With Powershell and Enhanced Logging

Figure 7: Optional Data Collection Selection

Optional data collection enables us to record web traffic visited by Internet Explorer and Microsoft Edge. The telemetry collection appears to be enabled via the Aria telemetry collection packages. Settings for these packages can be found under the registry keys (Figure 8).

Parsing Diagnostic Data With Powershell and Enhanced Logging

Figure 8: Settings for Aria Telemetry Collection Packages

Unfortunately, web traffic from Firefox and Google Chrome does not appear to be collected. However, we can determine partial URL and navigation time from the navigationUrlBytes and time fields of the Browser History diagnostic data category. As shown in Figure 9, the navigationUrlBytes field contains the value 0x646F67732E676F6F676C652E636F6D. Decoded to text, this field contains the domain name and top-level domain (TLD) values google.com.

Parsing Diagnostic Data With Powershell and Enhanced Logging

Figure 9: “navigationUrlBytes” Field



Cyber and Data Resilience

Incident response, digital forensics, breach notification, security strategy, managed security services, discovery solutions, security transformation.

24x7 Incident Response

Kroll is the largest global IR provider with experienced responders who can handle the entire security incident lifecycle.

Data Recovery and Forensic Analysis

Kroll's expertise establishes whether data was compromised and to what extent. We uncover actionable information, leaving you better prepared to manage a future incident.


Cyber Risk Retainer

Kroll delivers more than a typical incident response retainer—secure a true cyber risk retainer with elite digital forensics and incident response capabilities and maximum flexibility for proactive and notification services.

Computer Forensics

Kroll's computer forensics experts ensure that no digital evidence is overlooked and assist at any stage of an investigation or litigation, regardless of the number or location of data sources.

Kroll Artifact Parser And Extractor (KAPE)

Find, collect and process forensically useful artifacts in minutes.


Data Collection and Preservation

Improve investigations and reduce your potential for litigation and fines with the strict chain-of-custody protocol our experts follow at every stage of the data collection process.