Services and Applications

Extracts rows from the Activity SQLite table that records Windows 10 Timeline events

Extracts driver metadata stored in the AmCache hive

List drivers from various xml report files

Retrieves cached executable file metadata from the Windows AmCache hive

List internet explorer addons from different xml report files

List installed software from various Xml files

Extracts metadata about installed programs from the Windows AmCache hive

Parse installed programs from AEINV WER xml reports

Parse installed programs from FullCompatReport reports

Parse installed programs from AEINV_PREVIOUS reports

Extracts entries from the AppCompatCache value stored in the Windows System hive

Extracts Activity Moderator (BAM/DAM) records from the Windows System hive

Parse output from Sysinternals ListDLL tool that lists loaded DLLs for running processes on Windows

Extracts entries from the per‑user MUI cache stored in the Registry hive

Parses Windows Prefetch files to extract execution metadata

Extracts Windows processes data from an ORC‑generated CSV file

Parses CSV files produced by ORC that enumerate running processes

Extracts information about applications and files recently accessed by a user from the NtUser hive

Extracts entries from the RunMRU in the NTUser hive, which stores commands typed in the Windows + R dialog

Extracts information about the Windows Application Compatibility Shim database stored in the Software hive

Srum table that tracks statistics about inputs (focus, keyboard, mouse, etc

Srum table that tracks ressource usage for every exe that’s executed on the system whether it still exists on disk or not

Parse data from srum

Srum table for windows server 2022 that tracks cpu time

Extracts Subject Interface Package (SIP) records from the Windows Software hive

Extracts execution data stored in the NTUser hive