Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/andrewrathbun/pcaparser
A PowerShell script that can be used to parse and convert to CSV the new Windows 11 artifacts found in C:\Windows\appcompat\pca
appcompat dfir powershell windows
Last synced: 27 days ago
- Host: GitHub
- URL: https://github.com/andrewrathbun/pcaparser
- Owner: AndrewRathbun
- License: mit
- Created: 2023-06-18T03:53:50.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2023-07-03T04:13:39.000Z (over 1 year ago)
- Last Synced: 2024-05-01T18:45:52.387Z (6 months ago)
- Topics: appcompat, dfir, powershell, windows
- Language: PowerShell
- Homepage: https://aboutdfir.com/new-windows-11-pro-22h2-evidence-of-execution-artifact/
- Size: 18.6 KB
- Stars: 8
- Watchers: 2
- Forks: 1
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# PCAParser
A PowerShell 5 script that can be used to parse and convert to CSV the new Windows 11 artifacts found in `C:\Windows\appcompat\pca`
## Documentation
Check out the blog post on AboutDFIR highlighting this new artifact [here](https://aboutdfir.com/new-windows-11-pro-22h2-evidence-of-execution-artifact/).
## Sample Data
Sample artifacts to test this script on can be found in the DFIRArtifactMuseum, specifically [here](https://github.com/AndrewRathbun/DFIRArtifactMuseum/tree/main/Windows%2FAmcache%2FWin11%2FRathbunVM).