WindowsTimeline
Windows 10 (v1803+) ActivitiesCache.db parsers (SQLite, PowerShell, .EXE)
MPL-2.0 License
Stars
176
Committers
1
Ecosystems:
Windows,
PowerShell
Bot releases are hidden (Show)
WindowsTimeline
- WindowsTimeline parser (x64)
Published by kacos2000 over 4 years ago
Changed base query to 'SmartlookupView'
Added support for ActivityType 3
Added cell tooltips/popups
Other minor updates/fixes
Signed
WindowsTimeline
- WindowsTimeline parser (x64)
Published by kacos2000 almost 5 years ago
Works with any ActivitiesCache.db (Windows 1803/1809/1903/1909 ..)
- Decodes Clipboard Text
- Matches ActivitiesCache.db PlatformDeviceId's with device information (DeviceType, Name,Make,Model) from the registry (HKCU or NTuser.dat) at "\Software\Microsoft\Windows\CurrentVersion\TaskFlow\DeviceCache"
- Shows all the important information from JSON blobs ..
- Optionally exports output to "|" delimited .csv in a timestamped folder in the form of "WindowsTimeline_dd-MMM-yyyyTHH-mm-ss".
- Added '.CDP' file viewer.
Parses:
- Standalone ActivitiesCache.db
- CurrentUser's selected ActivitiesCache.db with matching registry (HKCU) device entries
- Standalone ActivitiesCache.db with offline NTUser.dat device entries
- Reads CDP files from the Parent 'ConnectedDevicesPlatform' folder
Note1: Requires "System.Data.SQLite". If not available, it will download and install automatically.
Note2: Runs on Windows 10 x64
Package Rankings
Top 6.61% on Proxy.golang.org
Badges
Extracted from project README
