{"id":7780,"date":"2021-05-03T11:09:25","date_gmt":"2021-05-03T11:09:25","guid":{"rendered":"https:\/\/www.hexacorn.com\/blog\/?p=7780"},"modified":"2021-05-03T12:28:09","modified_gmt":"2021-05-03T12:28:09","slug":"sleepstudy-logs","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2021\/05\/03\/sleepstudy-logs\/","title":{"rendered":"SleepStudy logs"},"content":{"rendered":"\n<p><strong>Update<\/strong><\/p>\n\n\n\n<p>After I posted it, <a href=\"http:\/\/twitter.com\/@bmmaloney97\">Bryan<\/a> linked to this <a href=\"https:\/\/www.tenforums.com\/tutorials\/64555-generate-sleep-study-report-windows-10-a.html\">article<\/a> which explains how to generate SleepStudy report. Thx!<\/p>\n\n\n\n<p><strong>Old Post<\/strong><\/p>\n\n\n\n<p>A few days ago I came across ETL logs I have not seen before. They are residing inside c:\\WINDOWS\\System32\\SleepStudy and I <a href=\"https:\/\/twitter.com\/Hexacorn\/status\/1387161657529585667?s=20\">posted<\/a> about them on Twitter. Not sure if anyone looked at them from a forensic perspective in the past &#8211; quick Twitter and Google search returned nothing of interest, hence decided to quickly describe it here.<\/p>\n\n\n\n<p>The logs originate from &#8220;Microsoft-Windows-Kernel-Power&#8221; and &#8220;Microsoft-Windows-UserModePowerService&#8221; ETW providers. 
Files that can be found inside the directory are as follows:<\/p>\n\n\n\n<ul><li>c:\\WINDOWS\\System32\\SleepStudy\\<ul><li>ScreenOn\\ScreenOnPowerStudyTraceSession-YYYY-MM-DD-HH-MM-SS.etl<\/li><li>UserNotPresentSession.etl<\/li><li>user-not-present-trace-YYYY-MM-DD-HH-MM-SS.etl<\/li><\/ul><\/li><\/ul>\n\n\n\n<p>Those marked with the YYYY-MM-DD-HH-MM-SS pattern carry a timestamp in their name, so multiple files following the same naming pattern can exist in the folder.<\/p>\n\n\n\n<p>The user* files can be quickly converted from ETL to XML format by using the following commands:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">tracerpt.exe &lt;etlfile&gt;<\/pre>\n\n\n\n<p>or<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">tracerpt.exe &lt;etlfile&gt; -of csv<\/pre>\n\n\n\n<p>if you prefer CSV output. The resulting files are dumpfile.xml or dumpfile.csv.<\/p>\n\n\n\n<p>What triggered my interest was the fact we can see both paths and timestamps inside the output user* files:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large is-resized\"><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2021\/05\/SleepStudy.png\"><img decoding=\"async\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2021\/05\/SleepStudy.png\" alt=\"\" class=\"wp-image-7781\" width=\"500\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2021\/05\/SleepStudy.png 680w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2021\/05\/SleepStudy-300x229.png 300w\" sizes=\"(max-width: 680px) 100vw, 680px\" \/><\/a><\/figure><\/div>\n\n\n\n<p>I don&#8217;t know exactly what these logs mean, but they can be yet another source of process execution telemetry.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Update After I posted it, Bryan linked to this article which explains how to generate SleepStudy report. Thx! Old Post A few days ago I came across ETL logs I have not seen before. 
They are residing inside c:\\WINDOWS\\System32\\SleepStudy and &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2021\/05\/03\/sleepstudy-logs\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[19],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7780"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=7780"}],"version-history":[{"count":3,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7780\/revisions"}],"predecessor-version":[{"id":7790,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7780\/revisions\/7790"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=7780"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=7780"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=7780"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}