Releases: kacos2000/WindowsTimeline

WindowsTimeline parser (x64)

11 Apr 12:01
52afaf1

Changed base query to 'SmartlookupView'
Added support for ActivityType 3
Added cell tooltips/popups
Other minor updates/fixes
Signed

WindowsTimeline parser (x64)

04 Dec 17:06
13b1eb9

Works with any ActivitiesCache.db (Windows 1803/1809/1903/1909 ..)

  • Decodes Clipboard Text
  • Matches ActivitiesCache.db PlatformDeviceIds with device information (DeviceType, Name, Make, Model) from the registry (HKCU or NTUser.dat) at "\Software\Microsoft\Windows\CurrentVersion\TaskFlow\DeviceCache"
  • Shows all the important information from JSON blobs ..
  • Optionally exports output to "|" delimited .csv in a timestamped folder in the form of "WindowsTimeline_dd-MMM-yyyyTHH-mm-ss".
  • Added '.CDP' file viewer.

Parses:

  • Standalone ActivitiesCache.db
  • CurrentUser's selected ActivitiesCache.db with matching registry (HKCU) device entries
  • Standalone ActivitiesCache.db with offline NTUser.dat device entries
  • Reads CDP files from the Parent 'ConnectedDevicesPlatform' folder

Note 1: Requires "System.Data.SQLite". If it is not available, it is downloaded and installed automatically.
Note 2: Runs on Windows 10 x64.