pcasvc executed

Description: A tool designed to parse execution data related to the Program Compatibility Assistant Service (PcaSvc) and potentially PcaClient artifacts. It performs signature checks and generic detections similar to the BAM Parser.

Features:

  • Parses last execution information from PcaSvc service and PcaClient artifacts.

  • Performs digital signature checks on identified executables.

  • Applies a suite of generic heuristic checks to flag suspicious files.

  • Checks for file replacements using USN Journal data.

  • Offers options to view file information, strings, imports, and run YARA rules.

Usage: Useful for investigating program execution traces logged by the PCA service and related artifacts, complementing Prefetch and BAM analysis, especially on systems where PCA logging is active.

Link: https://github.com/spokwn/pcasvc-executed
