# WxTcmd

WxTcmd is an Eric Zimmerman tool that parses the Windows Timeline database, `ActivitiesCache.db` (an SQLite file), and writes its contents to CSV, providing forensic evidence of program execution and file interaction (which executables ran, which files were opened, and when).

| Tool Name                                            | Version  | MITRE ATT\&CK Tactic                                  | MITRE ATT\&CK Technique |
| ---------------------------------------------------- | -------- | ----------------------------------------------------- | ----------------------- |
| [WxTCmd](https://ericzimmerman.github.io/#!index.md) | V0.6.0.0 | [Execution](https://attack.mitre.org/tactics/TA0002/) |                         |

## Instructions

### Extracting the ActivitiesCache.db file to a CSV

The ActivitiesCache database is stored inside each user profile and can be copied from `%USERPROFILE%\AppData\Local\ConnectedDevicesPlatform\<id>\ActivitiesCache.db`, where `<id>` is `L.<username>` for a local account and a different account identifier for a Microsoft account. Copy the accompanying `ActivitiesCache.db-wal` (and `-shm`) files as well, since recent activity may only exist in the SQLite write-ahead log. On a live system the file is held open by the Connected Devices Platform service, so a plain copy may fail with a sharing violation; in that case work from a disk image or use a raw-copy tool.

```powershell
WxTcmd.exe -f 'C:\Path\To\ActivitiesCache.db' --csv 'C:\Path\To\Output'
```

### Output

Two .csv files are written to the directory given after the `--csv` parameter:

* Activity.csv
  * Contains verbose details for accessed files and program execution such as executable name, filepath, Explorer search terms, and timestamps including a duration count.
* Activity\_PackageIDs.csv
  * Contains a smaller subset of data and can provide the full file path for recently executed applications.

  <figure><img src="/files/UAwElkM0ZZiPbMZ82027" alt="WxTcmd Output"><figcaption></figcaption></figure>
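The collection and parsing steps above, as a single PowerShell script. This is an added example, not code from the page or from the WxTcmd project. It assumes `WxTcmd.exe` is at the path in `$WxTcmd`, that the run is performed on a live host (or a mounted image with the same `C:\Users` layout), that the output CSV file name ends in `Activity.csv`, and that the CSV contains the columns `Executable`, `DisplayText`, `StartTime`, `EndTime` and `Duration`; check the header of your own output and adjust the `Select-Object` list if it differs.

```powershell
# Added example (not part of WxTcmd or this page's original content).
# Assumptions: WxTcmd.exe lives at $WxTcmd; the Activity CSV has the columns
# Executable, DisplayText, StartTime, EndTime, Duration (check your header).
param(
    [string]$WxTcmd   = 'C:\Tools\WxTcmd.exe',
    [string]$Evidence = 'C:\Cases\Case001\Timeline',
    [string]$Filter   = '*'          # e.g. '*powershell*' to hunt one executable
)

# Every profile, both local (L.<user>) and Microsoft-account subfolders.
$dbs = Get-ChildItem -Path 'C:\Users\*\AppData\Local\ConnectedDevicesPlatform\*\ActivitiesCache.db' `
                     -ErrorAction SilentlyContinue

foreach ($db in $dbs) {
    # Profile name is the third path element: C:\Users\<user>\...
    $user = $db.FullName.Split('\')[2]
    $src  = Join-Path $Evidence "$user\source"
    $out  = Join-Path $Evidence "$user\csv"
    New-Item -ItemType Directory -Path $src, $out -Force | Out-Null

    # Copy the db AND its -wal/-shm sidecars: uncheckpointed rows live in the WAL.
    # Copy-Item fails with a sharing violation if the CDP service holds the file
    # open; in that case image the drive or use a raw-copy tool instead.
    foreach ($f in Get-ChildItem -Path $db.DirectoryName -Filter 'ActivitiesCache.db*') {
        try   { Copy-Item -LiteralPath $f.FullName -Destination $src -ErrorAction Stop }
        catch { Write-Warning "Could not copy $($f.FullName): $($_.Exception.Message)" }
    }

    # Record SHA256 of what was collected before any tool touches it.
    Get-ChildItem -Path $src -File | Get-FileHash -Algorithm SHA256 |
        Export-Csv -Path (Join-Path $Evidence "$user\hashes.csv") -NoTypeInformation

    # Parse the copied database, never the live one.
    & $WxTcmd -f (Join-Path $src 'ActivitiesCache.db') --csv $out | Out-Null

    $activity = Get-ChildItem -Path $out -Filter '*Activity.csv' | Select-Object -First 1
    if (-not $activity) { Write-Warning "No Activity CSV produced for $user"; continue }

    # Emit a per-user execution timeline, optionally narrowed to one executable.
    Import-Csv -LiteralPath $activity.FullName |
        Where-Object { $_.Executable -like $Filter } |
        Select-Object @{n = 'User'; e = { $user }}, Executable, DisplayText, StartTime, EndTime, Duration |
        Sort-Object StartTime
}
```

Run it as `.\Collect-Timeline.ps1 -Filter '*cmd.exe*' | Format-Table -AutoSize` to pull only command-prompt activity across all profiles, or pipe the output to `Export-Csv` to merge every user's timeline into one file for review.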


