
ETL File Analysis

There are events that carry information about shell items, network shares, apps that require privileges, RunKey information, etc.


This file appears to be created when the system boots up. Its location is:

C:\Users\<UserName>\AppData\Local\Microsoft\Windows\Explorer\ExplorerStartupLog.etl


You can use the Tracerpt command-line utility, which parses an ETL file's contents and saves them as a CSV or XML file that can be opened in Excel or any text editor.

Open CMD in the folder where ExplorerStartupLog.etl was copied and run this command from there:

tracerpt ExplorerStartupLog.etl -of CSV
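Once the CSV exists, it can be triaged with a script instead of by eye in Excel. The following is an added example, not part of the original post: it converts each event's Clock-Time to UTC and flags rows whose user data contains a network share path or a Run key. The header layout is assumed to match tracerpt's CSV output and Clock-Time is assumed to be a Windows FILETIME value; the sample rows, provider names and paths are constructed.

```python
import csv
import io
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the header layout is assumed to match tracerpt's CSV
# output; provider names, PIDs, timestamps and paths are made up.
SAMPLE = r'''Event Name, Type, Event ID, Version, Channel, Level, Opcode, Task, Keyword, PID, TID, Processor Number, Instance ID, Parent Instance ID, Activity ID, Related Activity ID, Clock-Time, Kernel(ms), User(ms), User Data
ExampleShellProvider, Info, 1, 0, 0, 4, 0, 0, 0x0, 4321, 100, 0, , , {0}, , 132223104000000000, 0, 0, "\\fileserver01\share\report.docx"
ExampleRunProvider, Info, 2, 0, 0, 4, 0, 0, 0x0, 4321, 104, 0, , , {0}, , 132223104600000000, 0, 0, "HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "ExampleUpdater"
ExampleShellProvider, Info, 1, 0, 0, 4, 0, 0, 0x0, 4321, 100, 0, , , {0}, , 132223104700000000, 0, 0, "C:\Windows\explorer.exe"
'''

# Artifacts the post says these events can carry.
PATTERNS = {
    "network_share": re.compile(r"\\\\[\w.$-]+\\[\w.$-]+"),
    "run_key": re.compile(r"\\CurrentVersion\\Run(Once)?\b", re.I),
}

def filetime_to_utc(ft):
    """Convert 100 ns ticks since 1601-01-01 to an aware UTC datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def triage(csv_text):
    """Return (utc_time, event_name, label, user_data) for each matching row."""
    rows = csv.reader(io.StringIO(csv_text), skipinitialspace=True)
    header = [h.strip() for h in next(rows)]
    t_col, d_col = header.index("Clock-Time"), header.index("User Data")
    hits = []
    for row in rows:
        if len(row) <= d_col:
            continue  # summary or truncated line without user data
        # User data can spill over several trailing columns; join them.
        data = " | ".join(f.strip() for f in row[d_col:])
        when = filetime_to_utc(int(row[t_col])).isoformat()
        for label, rx in PATTERNS.items():
            if rx.search(data):
                hits.append((when, row[0].strip(), label, data))
    return hits

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(*hit, sep="  ")
```

To run it against a real trace, read the CSV that tracerpt wrote and pass its text to triage() in place of SAMPLE.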
