cam.history
$ target-query <path/to/target> -f cam.history
Module documentation
Plugin that iterates various Capability Access Manager registry key locations.
Function documentation
Iterate Capability Access Manager history entries. The Capability Access Manager keeps track of processes that access I/O devices such as the webcam or microphone. Applications are divided into packaged applications (AppX/MSIX packages, identified by their package family name) and non-packaged applications (classic Win32 executables, identified by their path). Since Windows 11, additional historical entries are kept in a SQLite database in addition to the registry keys.
Records are created from the following tables:
- NonPackagedUsageHistory
- PackagedUsageHistory
- NonPackagedIdentityRelationship
- NonPackagedGlobalPromptHistory
Yields CamUsageHistoryRecord, CamIdentityRelationshipHistoryRecord or CamGlobalPromptHistoryRecord:
Record CamUsageHistoryRecord:
last_used_time_stop (datetime): When the application last stopped using the capability.
last_used_time_start (datetime): When the application last started using the capability.
duration (varint): How long the application used the capability.
package_type (string): The application type of the record, originates from the table name.
capability (string): The capability being used; microphone, camera, location etc.
file_id (string): The sha1 hash of the application making use of the capability.
file_id_hash (digest): Digest version of the file_id field.
access_blocked (string): Whether capability usage was blocked: 0 = not blocked, 1 = blocked.
program_id (string): Program ID of the application; the meaning of this value is unclear.
package_family_name (string): Package family name of the application using the capability.
access_guid (string): Meaning of this value is unclear.
label (string): Meaning of this value is unclear; there is no joinable table with this ID.
app_name (string): Name of the application using capability.
binary_full_path (path): Path of the application using capability.
service_name (string): Name of the service using capability.
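The registry side of this artifact stores LastUsedTimeStart and LastUsedTimeStop as FILETIME QWORDs under ConsentStore\<capability>, with non-packaged (Win32) entries under a NonPackaged subkey whose name is the executable path with `#` in place of `\`. The following is an added example, not code from the dissect project, that parses constructed entries of that shape into records mirroring the fields above (package_type, app_name, binary_full_path, start/stop, duration) and handles the one caveat a practitioner needs: a stop time of 0 means the capability was still in use when the key was read, so the usage window is open-ended rather than zero-length. The key layout, value names and sample data are assumptions constructed for this example.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Windows FILETIME: 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """Convert a FILETIME QWORD to an aware UTC datetime. 0 means 'not set'."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here only to build sample data."""
    delta = dt - FILETIME_EPOCH
    micros = delta.days * 86_400_000_000 + delta.seconds * 1_000_000 + delta.microseconds
    return micros * 10


@dataclass
class CamUsage:
    capability: str
    package_type: str                 # "Packaged" or "NonPackaged", from the key layout
    app_name: str
    binary_full_path: Optional[str]   # only known for non-packaged (Win32) entries
    last_used_time_start: Optional[datetime]
    last_used_time_stop: Optional[datetime]
    duration: Optional[int]           # seconds; None when no stop time is recorded
    in_use: bool                      # start set but stop == 0: still in use when read


def parse_consent_store_entry(capability: str, key_path: str, values: dict) -> CamUsage:
    """Interpret one key below ConsentStore\\<capability> (key_path relative to it).

    Assumed layout: packaged apps are keyed by package family name directly under
    the capability key; Win32 apps sit under NonPackaged\\<path with '#' for '\\'>.
    """
    parts = key_path.split("\\")
    if parts[0] == "NonPackaged" and len(parts) == 2:
        package_type = "NonPackaged"
        binary_full_path = parts[1].replace("#", "\\")
        app_name = binary_full_path.rsplit("\\", 1)[-1]
    else:
        package_type = "Packaged"
        binary_full_path = None
        app_name = key_path
    start = filetime_to_datetime(int(values.get("LastUsedTimeStart", 0)))
    stop = filetime_to_datetime(int(values.get("LastUsedTimeStop", 0)))
    in_use = start is not None and stop is None
    duration = None
    if start is not None and stop is not None and stop >= start:
        duration = int((stop - start).total_seconds())
    return CamUsage(capability, package_type, app_name, binary_full_path,
                    start, stop, duration, in_use)


def using_capability_at(records: list[CamUsage], capability: str, when: datetime) -> list[CamUsage]:
    """Records whose usage window covers `when`; open-ended windows count as still running."""
    hits = []
    for r in records:
        if r.capability != capability or r.last_used_time_start is None:
            continue
        if r.last_used_time_start <= when and (r.last_used_time_stop is None or when <= r.last_used_time_stop):
            hits.append(r)
    return hits


# Constructed sample entries (capability, key path relative to it, registry values).
T0 = datetime(2024, 3, 5, 9, 30, 0, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [
    ("microphone", "Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe",
     {"LastUsedTimeStart": datetime_to_filetime(T0),
      "LastUsedTimeStop": datetime_to_filetime(T0 + timedelta(seconds=90))}),
    ("webcam", "NonPackaged\\C:#Tools#rec.exe",
     {"LastUsedTimeStart": datetime_to_filetime(T0 + timedelta(minutes=5)),
      "LastUsedTimeStop": 0}),                       # still in use when read
    ("webcam", "NonPackaged\\C:#Tools#meet.exe",
     {"LastUsedTimeStart": 0, "LastUsedTimeStop": 0}),  # consent entry, never used
]


def sample_time(offset_seconds: int) -> datetime:
    """T0 plus an offset; lets callers pick query times without datetime arithmetic."""
    return T0 + timedelta(seconds=offset_seconds)


def parse_samples() -> list[CamUsage]:
    return [parse_consent_store_entry(cap, key, vals) for cap, key, vals in SAMPLE_ENTRIES]


if __name__ == "__main__":
    for rec in parse_samples():
        print(rec)
    print("webcam users at T0+10m:", [r.app_name for r in using_capability_at(parse_samples(), "webcam", sample_time(600))])
```

When triaging a host, treat `in_use` records as live at collection time rather than as instantaneous events, and do not trust `duration` on its own: stop times are written when the capability is released, so an application killed mid-use may leave a stale open window.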
Record CamIdentityRelationshipHistoryRecord:
last_observed_time (datetime): Last time capability was observed.
package_type (string): The application type of the record, originates from the table name.
file_id (string): The sha1 hash of the application making use of the capability.
file_id_hash (digest): Digest version of the file_id field.
program_id (string): Program ID of the application; the meaning of this value is unclear.
binary_full_path (path): Path of the application using capability.
Record CamGlobalPromptHistoryRecord:
shown_time (datetime): When the access prompt for the capability was last shown.
package_type (string): The application type of the record, originates from the table name.
capability (string): The capability being used; microphone, camera, location etc.
file_id (string): The sha1 hash of the application making use of the capability.
file_id_hash (digest): Digest version of the file_id field.
program_id (string): Program ID of the application; the meaning of this value is unclear.