DeepDig
User Guide
DeepDig reads the Windows event logs your PC already records and turns them into plain-English incidents, trends, and a registry security audit. Everything runs 100% locally — no cloud, no third-party telemetry, Windows built-in logs only.
1. Getting started
- Launch DeepDig. It starts as a normal app (no prompt). If it isn’t running as administrator, a hint appears with a Restart as administrator button — admin rights unlock the live Security log and a few machine-wide registry checks. (You can also just open an exported .evtx file, which needs no admin.)
- Click Scan This PC to analyze this machine, or Open .evtx to analyze an exported log from another machine. You can also drag-and-drop a .evtx file onto the window.
- Results appear in seconds. For a local scan, a registry audit then runs automatically.
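If you want to analyze another machine, you first need an exported .evtx from it. The following is an added example, not DeepDig's own code: it exports one channel with the built-in wevtutil tool and then opens the file with Get-WinEvent to confirm it is readable before you copy it over (the destination folder and channel name are assumptions you can change). Exporting the Security channel needs an elevated prompt; System and Application do not.

```powershell
# Added example (not part of DeepDig): export a Windows event log channel to .evtx
# and sanity-check the file before moving it to the machine running DeepDig.
param(
    [string]$LogName = 'System',                    # assumed channel; 'Security' needs admin
    [string]$OutDir  = "$env:USERPROFILE\Desktop"   # assumed destination folder
)

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$path  = Join-Path $OutDir "$env:COMPUTERNAME-$LogName-$stamp.evtx"

# 'epl' = export log. It copies the channel to a file and changes nothing on the PC.
wevtutil epl $LogName $path
if ($LASTEXITCODE -ne 0) { throw "wevtutil failed with exit code $LASTEXITCODE" }

# Read the export back: event count, time span and the most common event IDs
# (roughly what DeepDig's 'Top event types' chart shows for the same file).
$events = Get-WinEvent -Path $path -ErrorAction Stop
$sorted = $events | Sort-Object TimeCreated
"{0}: {1} events from {2} to {3}" -f $path, $events.Count,
    $sorted[0].TimeCreated, $sorted[-1].TimeCreated

$events | Group-Object Id | Sort-Object Count -Descending | Select-Object -First 10 |
    ForEach-Object { "{0,6}  Event ID {1}" -f $_.Count, $_.Name }
```

The resulting file is what you drag onto the DeepDig window or pick with Open .evtx. Because the export is a verbatim copy of the channel, anything an attacker cleared from the log before the export is also absent from the file, so export as soon as you suspect a problem.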
The top cards summarize Critical / High / Medium / Low detections and the number of events scanned.
2. Incidents
The default view. The left list shows correlated incidents (related alerts grouped together); select one to read its detail on the right:
- What happened — a plain-English narrative.
- Per-alert detail — explanation, recommended actions, and MITRE ATT&CK mapping.
- Triggering events — the raw Windows events behind the incident.
3. Trends & last reboot
Click Trends to see charts built from your results:
- Over time — a histogram of when things occurred.
- Top event types — the most frequent events (click any bar to see those events, newest first).
- By category / Top channels — a breakdown by attack category or log channel.
- Category detail — pick a category or channel from the dropdown to see its top event types (also clickable).
Use the Detections | All events toggle to switch every chart between active detections only and the entire scanned log.
Last reboot card
Above the tabs, a full-width card shows your last reboot (time, reason, and whether it was planned or unexpected). Click it for the full startup & shutdown history.
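The planned / unexpected distinction comes from standard Windows event IDs in the System log. As an added example (not DeepDig's code, and not necessarily the exact rule set it uses), the script below rebuilds the same startup & shutdown history from either the live System log or an exported .evtx, so you can cross-check what the card shows.

```powershell
# Added example (not part of DeepDig): startup/shutdown history from the System log.
# Pass -Path <file.evtx> to read an export instead of the live log. No admin needed.
param([string]$Path)

# Built-in Windows event IDs used here:
#   1074  User32                         - planned shutdown/restart (who, which process, reason)
#   6005  EventLog                       - startup (event log service started)
#   6006  EventLog                       - clean shutdown (event log service stopped)
#   6008  EventLog                       - the previous shutdown was unexpected
#   41    Microsoft-Windows-Kernel-Power - rebooted without a clean shutdown (crash / power loss)
$filter = @{ LogName = 'System'; Id = 1074, 6005, 6006, 6008, 41 }
if ($Path) { $filter.Remove('LogName'); $filter.Path = $Path }

$history = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $kind = switch ($_.Id) {
            1074 { 'Planned shutdown/restart' }
            6005 { 'Startup' }
            6006 { 'Clean shutdown' }
            6008 { 'UNEXPECTED shutdown' }
            41   { 'UNEXPECTED reboot (Kernel-Power)' }
        }
        # For 1074 the first message line names the requesting process and user.
        $detail = if ($_.Id -eq 1074) { (([string]$_.Message) -split "`r?`n")[0] } else { '' }
        [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; Kind = $kind; Detail = $detail }
    } | Sort-Object Time -Descending

$history | Select-Object -First 20 | Format-Table -AutoSize -Wrap

# Most recent reboot, summarised the way the Last reboot card does it.
$lastReboot = $history | Where-Object { $_.Id -in 1074, 6008, 41 } | Select-Object -First 1
if ($lastReboot) { "Last reboot: {0} ({1}) {2}" -f $lastReboot.Time, $lastReboot.Kind, $lastReboot.Detail }
```

A run of 6008 or 41 events with no matching 1074 is worth a closer look: it is what a power cut or a crash looks like, but it is also what you see when a machine is hard-reset to interrupt a running backup, scan or logging agent.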
4. Registry findings (Security Audit)
After a Scan This PC, DeepDig runs a read-only registry security audit and adds a Registry findings tab. (This is local-only — it does not run for imported .evtx files.) It checks for:
- Startup persistence (Run keys), Winlogon tampering, IFEO debugger hijacks
- UAC-bypass artifacts, Windows Defender disable / exclusions
- PowerShell execution-policy / logging weakening
- Services running from suspicious locations
- Installed remote-access tools (AnyDesk, TeamViewer, etc.)
- USB device history and outbound RDP history (forensic / informational)
Each finding shows the registry path, the evidence found, an explanation, a recommended action, and its MITRE ATT&CK ID. Use Mark as expected to silence authorised findings on future scans.
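For readers who want to see what such an audit looks like under the hood, here is an added example (not DeepDig's code) of a read-only check over the same kinds of registry locations: Run keys, Winlogon Shell/Userinit, IFEO Debugger values, Defender policy and exclusions, PowerShell policy and logging, and service binary paths. The "suspicious location" pattern for services and the MITRE ATT&CK IDs attached to each check are this example's own choices. Like DeepDig, it only reads; nothing is changed.

```powershell
# Added example (not part of DeepDig): read-only registry security audit.
# Run as administrator for full coverage of HKLM\SYSTEM and the Defender keys.
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Check, [string]$Path, [string]$Evidence, [string]$AttackId) {
    $findings.Add([pscustomobject]@{ Check = $Check; Path = $Path; Evidence = $Evidence; 'ATT&CK' = $AttackId })
}
function Get-RegValues([string]$Path) {
    # Name/value pairs of a key, without the PS* metadata properties PowerShell adds.
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if (-not $item) { return }
    $item.PSObject.Properties | Where-Object { $_.Name -notin 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider' }
}

# 1. Startup persistence: every Run/RunOnce entry is reported; you decide which are expected.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($k in $runKeys) {
    Get-RegValues $k | ForEach-Object { Add-Finding 'Startup persistence' $k "$($_.Name) = $($_.Value)" 'T1547.001' }
}

# 2. Winlogon: Shell and Userinit should be exactly the Windows defaults.
$wl  = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$wlv = Get-ItemProperty -Path $wl -ErrorAction SilentlyContinue
if ($wlv.Shell -and $wlv.Shell -ne 'explorer.exe') { Add-Finding 'Winlogon tampering' $wl "Shell = $($wlv.Shell)" 'T1547.004' }
if ($wlv.Userinit -and $wlv.Userinit.TrimEnd(',') -notmatch '^C:\\Windows\\system32\\userinit\.exe$') {
    Add-Finding 'Winlogon tampering' $wl "Userinit = $($wlv.Userinit)" 'T1547.004'
}

# 3. IFEO: a Debugger value makes Windows start that program whenever the named exe is launched.
$ifeo = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { Add-Finding 'IFEO debugger hijack' $_.PSPath "Debugger = $dbg" 'T1546.012' }
}

# 4. Windows Defender switched off by policy, or exclusions that hide paths/extensions/processes.
$defPol = 'HKLM:\Software\Policies\Microsoft\Windows Defender'
if ((Get-ItemProperty -Path $defPol -ErrorAction SilentlyContinue).DisableAntiSpyware -eq 1) {
    Add-Finding 'Defender disabled' $defPol 'DisableAntiSpyware = 1' 'T1562.001'
}
foreach ($sub in 'Paths', 'Extensions', 'Processes') {
    $exKey = "HKLM:\Software\Microsoft\Windows Defender\Exclusions\$sub"
    Get-RegValues $exKey | ForEach-Object { Add-Finding "Defender exclusion ($sub)" $exKey $_.Name 'T1562.001' }
}

# 5. PowerShell: script block logging turned off, or execution policy loosened by policy.
$psPol = 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell'
$sbl   = Get-ItemProperty -Path "$psPol\ScriptBlockLogging" -ErrorAction SilentlyContinue
if ($sbl -and $sbl.EnableScriptBlockLogging -eq 0) {
    Add-Finding 'PowerShell logging weakened' "$psPol\ScriptBlockLogging" 'EnableScriptBlockLogging = 0' 'T1562.002'
}
$ep = (Get-ItemProperty -Path $psPol -ErrorAction SilentlyContinue).ExecutionPolicy
if ($ep -in 'Unrestricted', 'Bypass') { Add-Finding 'PowerShell execution policy' $psPol "ExecutionPolicy = $ep" 'T1059.001' }

# 6. Services whose binary lives in a user-writable folder (pattern is this example's assumption).
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
    $img = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).ImagePath
    if ($img -and $img -match '(?i)\\(Users|Temp|ProgramData|AppData)\\') {
        Add-Finding 'Service from suspicious location' $_.PSPath "ImagePath = $img" 'T1543.003'
    }
}

$findings | Sort-Object Check | Format-Table -AutoSize -Wrap
```

Expect a handful of Run-key and service hits on any normal PC (OneDrive, updaters, vendor agents); those are the entries you would Mark as expected in DeepDig. A Winlogon, IFEO or Defender finding, on the other hand, almost never has a benign explanation on a home machine and should be investigated rather than silenced.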
5. Live monitoring
Flip the Live toggle to stream new alerts in real time. DeepDig seeds a baseline scan, then updates the incidents as new events arrive. Turn it off (or close the app) to stop watching.
6. Export
Click Export to save the current incidents as CSV (spreadsheet) or JSON.
7. Tips & FAQ
Why restart as administrator?
The live Security event log and a few machine-wide registry checks require admin rights. Everything else — .evtx import, Application/System logs, most registry checks, USB history — works without admin. (The Microsoft Store build can’t elevate, so use the .evtx path there for full coverage.)
Nothing notable was found
That’s good news — it means no rules matched your logs.
A finding looks legitimate (e.g. a remote-access tool you installed)
Use Mark as expected to hide it on future scans.
The Registry tab is missing
It only appears after a local Scan This PC, not for imported .evtx files.
Where are the logs?
DeepDig keeps a local log on your PC (last few days only) — handy if you ever need to report an issue. Nothing is sent anywhere.