PCA
Windows Program Compatibility Assistant (PCA) tracks recently executed applications.
Collection
You have to use the artemis API to collect PCA entries.
Sample API Script
import { parsePca } from "./artemis-api/mod";

function main() {
  const results = parsePca();
  console.log(JSON.stringify(results));
}

main();
Output Structure
An array of ProgramCompatibilityAssist objects.

export interface ProgramCompatibilityAssist {
  last_run: string;
  path: string;
  run_status: number;
  file_description: string;
  vendor: string;
  version: string;
  program_id: string;
  exit_message: string;
  pca_type: PcaType;
  message: string;
  datetime: string;
  source: string;
  timestamp_desc: "Last Run";
  artifact: "Windows Program Compatibility Assist";
  data_type: "windows:pca:entry";
}

export enum PcaType {
  AppLaunch = "AppLaunch",
  General = "General",
}
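One way to triage the array returned by parsePca(), as an added example that is not part of the artemis project: it keeps entries run from user-writable directories inside a time window, newest first. The triagePca function, the WATCHED_DIRS list, the ISO 8601 format of last_run and the sample entries are assumptions made for illustration.

```typescript
// Added example: triage over parsePca() output. Field names come from the
// ProgramCompatibilityAssist interface; everything else is an assumption.
type PcaRecord = { last_run: string; path: string };
type Finding = { last_run: string; path: string; matched: string; epoch: number };

// Hypothetical watch list of user-writable directories (lower-case).
const WATCHED_DIRS = [
  "\\appdata\\local\\temp\\",
  "\\downloads\\",
  "\\users\\public\\",
];

// Return entries run from a watched directory at or after `since`, newest first.
// Assumes last_run is an ISO 8601 string. Entries whose timestamp cannot be
// parsed are kept (epoch 0, sorted last) so they are not silently dropped.
function triagePca(entries: PcaRecord[], since: string): Finding[] {
  const cutoff = Date.parse(since);
  const findings: Finding[] = [];
  for (const entry of entries) {
    const parsed = Date.parse(entry.last_run);
    const epoch = isNaN(parsed) ? 0 : parsed;
    if (epoch !== 0 && epoch < cutoff) continue; // older than the window
    const lowered = entry.path.toLowerCase(); // Windows paths are case-insensitive
    let matched = "";
    for (const dir of WATCHED_DIRS) {
      if (matched === "" && lowered.indexOf(dir) !== -1) matched = dir;
    }
    if (matched !== "") {
      findings.push({ last_run: entry.last_run, path: entry.path, matched, epoch });
    }
  }
  return findings.sort((a, b) => b.epoch - a.epoch);
}

// Constructed sample entries, not real collection output.
const SAMPLE: PcaRecord[] = [
  { last_run: "2024-05-02T10:00:00.000Z", path: "C:\\Program Files\\Vendor\\app.exe" },
  { last_run: "2024-05-03T08:15:00.000Z", path: "C:\\Users\\alice\\AppData\\Local\\Temp\\setup_tmp.exe" },
  { last_run: "2024-05-04T12:30:00.000Z", path: "C:\\Users\\alice\\Downloads\\tool.exe" },
  { last_run: "2024-01-01T09:00:00.000Z", path: "C:\\Users\\Public\\old.exe" },
];

console.log(JSON.stringify(triagePca(SAMPLE, "2024-05-01T00:00:00.000Z"), null, 2));
```

A ProgramCompatibilityAssist array can be passed to triagePca directly, since the helper only reads last_run and path.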