ActivitiesCache Script

Description: A PowerShell script that automates the parsing of the Windows Activities Cache database. It downloads a dedicated parser executable (ActivitiesCacheParser.exe from Spokwn's GitHub) to perform the analysis.

Requirements: Must be run with Administrator privileges.

Features:

  • Downloads the necessary ActivitiesCacheParser.exe to the temporary directory.

  • Invokes the parser to extract data into a temporary activities.txt file.

  • Retrieves the oldest interactive user logon time (logon type 2, console, or 10, RemoteInteractive) to use as a filter.

  • Parses the output file, filtering for activities that occurred after the oldest retrieved logon time.

  • For each relevant activity, it extracts and formats:

    • Application Path/Name.

    • Digital Signature status.

    • Generics detected by the parser (formatted with flags like [GenericName]).

    • StartTime and EndTime of the activity.

  • Displays the formatted results directly in the PowerShell console.

  • Cleans up by removing the downloaded parser and the temporary output file upon completion.
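The logon-time filter described above, as an added PowerShell example that is not the script's own code: it reads the oldest type 2/10 logon from the Security log (requires Administrator) and keeps only activity records that start after it. The layout of the parser's activities.txt is not documented here, so the records below are constructed objects, and the property names are assumptions.

```powershell
# Added example (not part of the original script).
# Assumes successful-logon events (ID 4624) are present in the Security log.

function Get-OldestInteractiveLogon {
    # LogonType 2 = interactive console logon, 10 = RemoteInteractive (RDP).
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -ErrorAction Stop
    $times = foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $type = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'LogonType' }).'#text'
        if ($type -in @('2', '10')) { $e.TimeCreated }
    }
    if (-not $times) { throw 'No interactive logon (type 2/10) found in the Security log.' }
    ($times | Sort-Object)[0]   # oldest interactive logon
}

function Select-ActivitiesSince {
    param(
        [Parameter(Mandatory)] [datetime] $Since,
        [Parameter(Mandatory)] [object[]] $Activities
    )
    foreach ($a in $Activities) {
        # Keep only activities that started after the cutoff.
        if ($a.StartTime -gt $Since) {
            # Render detected generics as [GenericName] flags, as the script's output does.
            $flags = if ($a.Generics) { ($a.Generics | ForEach-Object { "[$_]" }) -join ' ' } else { '' }
            [pscustomobject]@{
                Application = $a.Application
                Signed      = $a.Signed
                Generics    = $flags
                StartTime   = $a.StartTime
                EndTime     = $a.EndTime
            }
        }
    }
}

# Constructed sample records standing in for parsed activities.txt entries (property names assumed).
$sample = @(
    [pscustomobject]@{ Application = 'C:\Windows\explorer.exe'; Signed = 'Valid'; Generics = @()
                       StartTime = [datetime]'2024-01-01 08:00'; EndTime = [datetime]'2024-01-01 08:05' }
    [pscustomobject]@{ Application = 'C:\Users\Public\tool.exe'; Signed = 'Unsigned'; Generics = @('GenericA')
                       StartTime = [datetime]'2024-01-01 10:30'; EndTime = [datetime]'2024-01-01 10:31' }
)

# On a live system replace the fixed cutoff with (Get-OldestInteractiveLogon); the fixed value keeps this runnable offline.
$cutoff = [datetime]'2024-01-01 09:00'
Select-ActivitiesSince -Since $cutoff -Activities $sample | Format-Table -AutoSize
```

With the constructed input only the second record (started 10:30, after the 09:00 cutoff) is listed, with its generic shown as [GenericA].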

Usage Hint: Useful for quickly reviewing recent user application activity logged in the Activities Cache, filtered to the current user session.
