drop a System EVTX CSV export and a SYSTEM hive export · detect evidence that the SYSTEM hive was restored to a previous state · identify service and driver configurations inconsistent with event log history · surface rollback attacks that hide configuration changes · runs locally
System EVTX + SYSTEM hive
drop System EVTX CSV and SYSTEM hive control-set exports (.reg or CSV; multiple files accepted)
inputs examined: System log event IDs 7045 / 7040 / 11 · ControlSet001 · ControlSet002 · CurrentControlSet · LastKnownGood · LastWriteTime column when the hive export carries one
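The core check the page describes, as an added worked example in Python (this is not the tool's own code): parse a System log CSV export and a SYSTEM hive export that carries a LastWriteTime column, then flag every 7045 (service installed) or 7040 (start type changed) event that the hive cannot account for. If a logged install has no key, or a key's LastWriteTime is older than the event that should have written it, the hive on disk is not the hive the log describes, which is what a restore from an earlier snapshot looks like. The column names, the flattened message layout and every sample row are constructed assumptions; real exports differ by tool.

```python
import csv
import io
import re
from datetime import datetime

# Constructed System log CSV export (column names assumed), not real data:
# a 7045 service install, a 7040 start-type change, then a second 7045 install.
SYSTEM_LOG_CSV = r"""TimeCreated,EventID,Message
2024-03-01 09:00:00,7045,A service was installed in the system. Service Name: WinDefSvc Service File Name: C:\Windows\Temp\svc.exe Service Type: user mode service Service Start Type: auto start Service Account: LocalSystem
2024-03-01 09:05:00,7040,The start type of the Background Intelligent Transfer Service service was changed from auto start to disabled.
2024-03-01 09:10:00,7045,A service was installed in the system. Service Name: GoodSvc Service File Name: C:\Program Files\Good\good.exe Service Type: user mode service Service Start Type: auto start Service Account: LocalSystem
"""

# Constructed SYSTEM hive export with a LastWriteTime column (column names assumed).
# WinDefSvc is absent and BITS still has Start=2 with a February write time: the
# state a hive restored from a pre-intrusion snapshot would be in.
HIVE_CSV = r"""KeyPath,ValueName,ValueType,ValueData,LastWriteTime
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BITS,DisplayName,REG_SZ,Background Intelligent Transfer Service,2024-02-20 12:00:00
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BITS,Start,REG_DWORD,0x00000002,2024-02-20 12:00:00
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Spooler,DisplayName,REG_SZ,Print Spooler,2024-02-20 12:00:00
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Spooler,Start,REG_DWORD,0x00000002,2024-02-20 12:00:00
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\GoodSvc,Start,REG_DWORD,0x00000002,2024-03-01 09:10:05
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\GoodSvc,ImagePath,REG_EXPAND_SZ,C:\Program Files\Good\good.exe,2024-03-01 09:10:05
"""

# Start values as Windows stores them, keyed by the wording 7040/7045 messages use.
START_TYPES = {"boot start": 0, "system start": 1, "auto start": 2,
               "demand start": 3, "disabled": 4}
SERVICE_KEY = re.compile(r"\\ControlSet\d+\\Services\\([^\\]+)$", re.IGNORECASE)
INSTALL_RE = re.compile(r"Service Name:\s*(.+?)\s+Service File Name:")
CHANGE_RE = re.compile(r"start type of the (.+?) service was changed from (.+?) to (.+?)\.")


def parse_ts(text):
    """Accept 'YYYY-MM-DD HH:MM:SS' or ISO-8601 with a 'T' and fractional seconds."""
    return datetime.strptime(text.strip()[:19].replace("T", " "), "%Y-%m-%d %H:%M:%S")


def dword(text):
    """REG_DWORD data appears as '0x00000002' or '2' depending on the export tool."""
    text = (text or "").strip()
    if not text:
        return None
    return int(text, 16) if text.lower().startswith("0x") else int(text)


def parse_hive(csv_text):
    """Map service key name -> {value name: data, 'last_write': datetime}; subkeys are ignored."""
    services = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        m = SERVICE_KEY.search(row["KeyPath"])
        if not m:
            continue
        svc = services.setdefault(m.group(1), {"last_write": parse_ts(row["LastWriteTime"])})
        svc[row["ValueName"]] = row["ValueData"]
    return services


def parse_events(csv_text):
    return [{"time": parse_ts(r["TimeCreated"]), "id": int(r["EventID"]), "msg": r["Message"]}
            for r in csv.DictReader(io.StringIO(csv_text))]


def find_inconsistencies(events, services):
    """Return one finding per way the hive fails to account for a logged change."""
    findings = []
    # 7040 names the service by DisplayName, so build a reverse map to key names.
    by_display = {v["DisplayName"]: k for k, v in services.items() if "DisplayName" in v}

    def flag(ev, key, reason):
        findings.append({"time": ev["time"].isoformat(sep=" "), "service": key, "reason": reason})

    for ev in events:
        if ev["id"] == 7045:
            m = INSTALL_RE.search(ev["msg"])
            if not m:
                continue
            key = m.group(1)
            svc = services.get(key)
            if svc is None:
                flag(ev, key, "7045 recorded an install but the key is absent from the hive")
            elif svc["last_write"] < ev["time"]:
                flag(ev, key, "key LastWriteTime predates its own 7045 install event")
        elif ev["id"] == 7040:
            m = CHANGE_RE.search(ev["msg"])
            if not m:
                continue
            display, _old, new = m.groups()
            key = by_display.get(display, display)  # fall back to treating it as a key name
            svc = services.get(key)
            if svc is None:
                flag(ev, key, "7040 recorded a start-type change but the key is absent from the hive")
                continue
            if new in START_TYPES and dword(svc.get("Start")) != START_TYPES[new]:
                flag(ev, key, f"hive Start={svc.get('Start')} but 7040 recorded a change to '{new}'")
            if svc["last_write"] < ev["time"]:
                flag(ev, key, "key LastWriteTime predates the 7040 change event")
    return findings


if __name__ == "__main__":
    for f in find_inconsistencies(parse_events(SYSTEM_LOG_CSV), parse_hive(HIVE_CSV)):
        print(f"{f['time']}  {f['service']}: {f['reason']}")
```

Two caveats when running this against real exports: a plain .reg file carries no LastWriteTime, so only the key-present/absent and Start-value checks apply to it, and both inputs must use the same time zone (export both as UTC) or the LastWriteTime comparisons are meaningless. A rollback that also clears the System log defeats the comparison on both sides, so a log-cleared event (ID 104 in the System log) near the suspected restore time is worth surfacing alongside these findings.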