etl.boot

$ target-query <path/to/target> -f etl.boot
Details

Module

os.windows.log.etl.EtlPlugin

Output

records

Module documentation

Plugin for fetching and parsing Windows ETL Files (*.etl)

Function documentation

Return the contents of the ETL files created during the last boot.

The plugin reads the boot trace from either BootCKCL.etl (the Circular Kernel Context Logger trace) or BootPerfDiagLogger.etl, depending on the Windows version; both live under the WDI\LogFiles directory of the Windows system directory. Only the trace of the most recent boot is present, since the file is rewritten on every boot.

Yields dynamically created records whose fields are derived from the fields of each ETL event, so the exact set of fields varies per provider and event. Every record contains at least the following fields:

hostname (string): The target hostname.
domain (string): The target domain.
ts (datetime): The TimeCreated_SystemTime field of the event.
Provider_Name (string): The Provider_Name field of the event.
EventType (string): The type of the event as defined by the provider's manifest.
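As an added example (not part of the dissect project or this page), the following script shows how to triage the records this function yields: it computes the boot time span, counts events per provider and event type, and lists events from providers outside a baseline. The records, the provider and event names, the ImageName field and the baseline set are all constructed for illustration; with dissect installed you would feed `Target.open(path).etl.boot()` in place of the sample list.

```python
from collections import Counter
from datetime import datetime, timezone
from types import SimpleNamespace


# Constructed sample records (not real trace data). Real records come from
# target.etl.boot() and are dissect records read with attribute access; the
# five fields set in _rec() are the ones the plugin guarantees, any other
# field (such as the hypothetical ImageName used here) depends on the event.
def _rec(ts, provider, event_type, **extra):
    return SimpleNamespace(
        hostname="WS01",
        domain="CORP",
        ts=ts,
        Provider_Name=provider,
        EventType=event_type,
        **extra,
    )


T0 = datetime(2024, 3, 1, 8, 0, 0, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    _rec(T0, "Microsoft-Windows-Kernel-General", "BootStart"),
    _rec(T0.replace(second=5), "Microsoft-Windows-Kernel-Process", "ProcessStart", ImageName="smss.exe"),
    _rec(T0.replace(second=9), "Microsoft-Windows-Kernel-Process", "ProcessStart", ImageName="winlogon.exe"),
    _rec(T0.replace(second=20), "Contoso-Example-Provider", "Custom", ImageName="updater.exe"),
    _rec(T0.replace(second=42), "Microsoft-Windows-Kernel-General", "BootEnd"),
]

# Hypothetical baseline of providers expected in a boot trace; derive a real
# one from known-good hosts of the same Windows version.
BASELINE_PROVIDERS = frozenset({
    "Microsoft-Windows-Kernel-General",
    "Microsoft-Windows-Kernel-Process",
})


def boot_summary(records, baseline=BASELINE_PROVIDERS):
    """Summarise an etl.boot record stream.

    Returns None for an empty stream, otherwise a dict with the hosts seen,
    the first/last timestamp and span in seconds, per-provider and
    per-(provider, event type) counts, and the events whose provider is not
    in the baseline (the ones worth a closer look).
    """
    records = list(records)
    if not records:
        return None

    timestamps = [r.ts for r in records]
    first, last = min(timestamps), max(timestamps)

    # getattr() with a default keeps this working for events that lack the
    # optional field, since record layouts differ per provider.
    unexpected = [
        (r.ts, r.Provider_Name, r.EventType, getattr(r, "ImageName", None))
        for r in sorted(records, key=lambda r: r.ts)
        if r.Provider_Name not in baseline
    ]

    return {
        "hosts": sorted({f"{r.hostname}.{r.domain}" for r in records}),
        "first_ts": first,
        "last_ts": last,
        "duration_seconds": (last - first).total_seconds(),
        "providers": Counter(r.Provider_Name for r in records),
        "event_types": Counter((r.Provider_Name, r.EventType) for r in records),
        "unexpected": unexpected,
    }


if __name__ == "__main__":
    # With dissect installed, swap SAMPLE_RECORDS for the live stream:
    #   from dissect.target import Target
    #   records = Target.open("path/to/target").etl.boot()
    summary = boot_summary(SAMPLE_RECORDS)
    print(f"hosts: {', '.join(summary['hosts'])}")
    print(f"boot window: {summary['first_ts']} .. {summary['last_ts']} "
          f"({summary['duration_seconds']:.0f}s)")
    for provider, count in summary["providers"].most_common():
        print(f"  {count:5d}  {provider}")
    for ts, provider, event_type, image in summary["unexpected"]:
        print(f"UNEXPECTED {ts} {provider} {event_type} {image}")
```

The per-provider counts give a quick sense of what a trace contains, and comparing them between boots (or between hosts) is usually more informative than reading individual events; the baseline check is the cheap first filter for providers that should not be writing to the boot trace at all.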