From 43a8aa8aefa863e762afc3980a99c5a4b603d4af Mon Sep 17 00:00:00 2001 From: Costas K <11378310+kacos2000@users.noreply.github.com> Date: Fri, 16 Jul 2021 07:13:52 +0300 Subject: [PATCH] Add files via upload --- Text-InputSession.sql | 95 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 95 insertions(+) create mode 100644 Text-InputSession.sql diff --git a/Text-InputSession.sql b/Text-InputSession.sql new file mode 100644 index 0000000..044fdb6 --- /dev/null +++ b/Text-InputSession.sql @@ -0,0 +1,95 @@ +-- Diagnostic +-- Microsoft.Windows.Desktop.TextInput.TextServiceFramework +-- from C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db + +SELECT + +--Timestamp from db field +json_extract(events_persisted.payload,'$.time') as 'UTC TimeStamp', + +-- Timestamp from json payload +datetime((timestamp - 116444736000000000)/10000000, 'unixepoch','localtime') as 'Local TimeStamp', +json_extract(events_persisted.payload,'$.ext.loc.tz') as 'TimeZome', +json_extract(events_persisted.payload,'$.ext.utc.seq') as 'seq', + +-- Event +replace(events_persisted.full_event_name,'Microsoft.Windows.Desktop.TextInput.TextServiceFramework.InputSession','') as 'InputSession', +json_extract(events_persisted.payload,'$.data.applicationName') as 'applicationName', +json_extract(events_persisted.payload,'$.data.processId') as 'processId', +json_extract(events_persisted.payload,'$.data.staticFlags') as 'staticFlags', + +-- InputScopeNameValue: Specifies a particular named input mode +-- Values list: +-- https://docs.microsoft.com/en-us/uwp/api/windows.ui.xaml.input.inputscopenamevalue?view=winrt-20348 +case json_extract(events_persisted.payload,'$.data.inputScope') + when 0 then 'Default' -- No input scope is applied + when 1 then 'Url' + when 31 then 'Password' + when 50 then 'Search' + when 32 then 'TelephoneNumber' + when 57 then 'Text' + when 5 then 'EmailSmtpAddress' -- (?) Input scope is intended for working with a (SMTP) form e-mail address (accountname@host) + else json_extract(events_persisted.payload,'$.data.inputScope') +end as 'inputScope', +-- https://docs.microsoft.com/en-us/windows/win32/intl/language-identifiers +-- https://docs.microsoft.com/en-us/windows/win32/msi/localizing-the-error-and-actiontext-tables +json_extract(events_persisted.payload,'$.data.langId') as 'langId', +json_extract(events_persisted.payload,'$.data.insertedCharacterCount') as 'InsCharCount', -- nr of inserted characters +json_extract(events_persisted.payload,'$.data.keyCount') as 'keyCount', -- Pressed key count +json_extract(events_persisted.payload,'$.data.imeBackspaceCount') as 'BackspaceCount', -- backspace key press count +strftime('%H:%M:%f',json_extract(events_persisted.payload,'$.data.totalTimeMilliseconds')/1000.0, 'unixepoch') as 'totalTime', + +-- Possible Conversion Mode Values +-- https://docs.microsoft.com/en-us/windows/win32/intl/ime-conversion-mode-values +json_extract(events_persisted.payload,'$.data.conversionMode') as 'conversionMode', + +-- App Info +case substr(json_extract(events_persisted.payload,'$.ext.app.id'),1,1) + when 'U' then "UWP" + when 'W' then "Win" + else substr(json_extract(events_persisted.payload,'$.ext.app.id'),1,1) + end as 'App Type', + +-- Application Name +case when substr(json_extract(events_persisted.payload,'$.ext.app.id'),1,1) is 'W' -- Windows Application x32/x64 + then substr(json_extract(events_persisted.payload,'$.ext.app.id'),93) + else substr(json_extract(events_persisted.payload,'$.ext.app.id'),3) + end as 'App Name', + +-- SHA1 Hash of the application that produced this event +case when substr(json_extract(events_persisted.payload,'$.ext.app.id'),1,1) is 'W' -- Windows Application x32/x64 + then upper(substr(json_extract(events_persisted.payload,'$.ext.app.id'),52,40 )) + -- Same as the 'FileId' in Amcache.hve (Root\InventoryApplicationFile\) + end as 'AppId SHA1', -- (SHA1 Base16) checked & verified + +-- ProgramId of the application that produced this event +case when substr(json_extract(events_persisted.payload,'$.ext.app.id'),1,1) is 'W' -- Windows Application x32/x64 + then upper(substr(json_extract(events_persisted.payload,'$.ext.app.id'),3,44 )) + end as 'ProgramId', -- Same as the 'ProgramId' in Amcache.hve (Root\InventoryApplicationFile\) + +-- Version of the application that produced this event +case when substr(json_extract(events_persisted.payload,'$.ext.app.id'),1,1) is 'W' -- Windows Application x32/x64 + then substr(json_extract(events_persisted.payload,'$.ext.app.ver'),1,19 ) + end as 'AppVersion Date', -- Same as the 'LinkDate' in Amcache.hve (Root\InventoryApplicationFile\) + +case when substr(json_extract(events_persisted.payload,'$.ext.app.id'),1,1) is 'W' -- Windows Application x32/x64 + then substr(json_extract(events_persisted.payload,'$.ext.app.ver'),21,(instr(substr(json_extract(events_persisted.payload,'$.ext.app.ver'),21),'!')-1) ) + end as 'PE Header CheckSum', -- PE Header CheckSum variable size (4-6) + +case when substr(json_extract(events_persisted.payload,'$.ext.app.id'),1,1) is 'W' -- Windows Application x32/x64 + then substr(json_extract(events_persisted.payload,'$.ext.app.ver'),(instr(substr(json_extract(events_persisted.payload,'$.ext.app.ver'),22),'!')+22)) + else json_extract(events_persisted.payload,'$.ext.app.ver') + end as 'Executable', + + +-- Local, MS or AAD account +trim(json_extract(events_persisted.payload,'$.ext.user.localId'),'m:') as 'UserId', +sid as 'User SID', + +logging_binary_name + +from events_persisted +where events_persisted.full_event_name like 'Microsoft.Windows.Desktop.TextInput.TextServiceFramework.%' + + -- Sort by event date dscending (newest first) +order by cast(events_persisted.timestamp as integer) desc \ No newline at end of file