https://github.com/andrewrathbun/pcaparser

A PowerShell script that can be used to parse and convert to CSV the new Windows 11 artifacts found in C:\Windows\appcompat\pca
https://github.com/andrewrathbun/pcaparser

appcompat dfir powershell windows

Last synced: 3 months ago
JSON representation

A PowerShell script that can be used to parse and convert to CSV the new Windows 11 artifacts found in C:\Windows\appcompat\pca

• Host: GitHub
• URL: https://github.com/andrewrathbun/pcaparser
• Owner: AndrewRathbun
• License: mit
• Created: 2023-06-18T03:53:50.000Z (almost 2 years ago)
• Default Branch: main
• Last Pushed: 2023-07-03T04:13:39.000Z (almost 2 years ago)
• Last Synced: 2025-02-01T08:25:06.947Z (4 months ago)
• Topics: appcompat, dfir, powershell, windows
• Language: PowerShell
• Homepage: https://aboutdfir.com/new-windows-11-pro-22h2-evidence-of-execution-artifact/
• Size: 18.6 KB
• Stars: 10
• Watchers: 2
• Forks: 1
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

        
# PCAParser

 A PowerShell 5 script that can be used to parse and convert to CSV the new Windows 11 artifacts found in `C:\Windows\appcompat\pca`

 

 ## Documentation

 

Check out the blog post on AboutDFIR highlighting this new artifact [here](https://aboutdfir.com/new-windows-11-pro-22h2-evidence-of-execution-artifact/).

## Sample Data

Sample artifacts to test this script on can be found in the DFIRArtifactMuseum, specifically [here](https://github.com/AndrewRathbun/DFIRArtifactMuseum/tree/main/Windows%2FAmcache%2FWin11%2FRathbunVM).