January 2019


Hello Reader,
        Tonight we continued testing Deep Freeze on Windows 10 to find out what data was recoverable and how or if the data had been changed. Here is what we learned:

  • The deleted data appears not just to be partially overwritten but moved physically on the disk
  • When new data is written the older data from a prior reboot may be overwritten if the new data is larger
  • If the subsequent reboots contain smaller amounts of new data, then older data from past reboots will survive

You can watch the video here:

Hello Reader,
         I've been asked quite a lot about recovering data from Windows 10 if Deep Freeze was installed. I've had theories and hypotheses regarding how Deep Freeze works and what should be possible, but tonight I got an evaluation version of Deep Freeze and a new Windows 10 VM to find out for sure.

Here is what we learned:

  • Deep Freeze reverts the system to its prior state on reboot, as advertised
  • When a resident file is created in a reused MFT entry, it will be overwritten by the prior entry
  • When a non-resident file is created, any cluster that was previously in use will be overwritten
  • Any part of the disk that was unallocated before freezing will still contain deleted data after reboot, because Deep Freeze has no prior data to overwrite it with
So yes, you can recover data even after rebooting with Deep Freeze, just not everything.

More testing to understand more about what is happening with deep freeze to come! 
You can watch the video here:

Hello Reader,
            Yogesh Khatri continues to push out new OSX forensic tools; if you haven't used mac_apt you really should: https://github.com/ydkhatri/mac_apt. Now Yogesh has given us a Unified Log Parser which will allow you to parse unified logs on any platform, and since it's Python it should be easy to extend or reuse his code, which is generously MIT licensed.

Go here and check it out:
https://github.com/ydkhatri/UnifiedLogReader

Hello Reader,
           So I've been pretty bad at pre-scheduling forensic lunches lately so I decided to look at my calendar and commit to a schedule for the first quarter of 2019. So what follows are the scheduled dates for the first quarter of 2019. I already have guests lined up for 2/1/19 and I'll be looking to firm up more for the rest of the quarter.


  • 2/1/19  - Blanche Lagny and the DFIR Review Team
  • 2/15/19
  • 3/1/19
  • 3/15/19
  • 4/2-4/3/19 MUS
  • 4/26/19 

Hello Reader,
            Last week I may have asked a bit much, so I'm reeling myself back in. This week I've posted a lot of links to other people's work as I've been teaching SANS FOR500 during the day at the CTI Summit and doing my case work at night. However, thanks to great students sharing stories and asking great questions, I'm walking away with even more insights and questions to answer. This week let's push our knowledge of shellbags forward.

The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 2/1/19 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post


The Challenge:
Within a single shellbags entry, answer the following:
1. What within the shellbags entry would tell you how the user had set their directory viewing preferences (sort order, thumbnail view, standard view)?
2. What is the default view if they don't change anything?
3. If a user attempts to access the System Volume Information directory and a shellbag entry gets created (it should deny them access), what directory viewing settings are left behind?

Hello Reader,
              Looks like my 2019 streak is now broken: this week we have no qualifying answers. When this happens I take it as a sign that the question was harder than I expected, which means I really need to focus on finding a real answer myself. I'll be working on that and the other unanswered challenges in the year to come. Come back tomorrow for another challenge and I'll adjust my questions accordingly.

The winning answer: None this week

The Challenge:
On a Server 2008 R2 system make 4 copies of mimikatz (your choice of versions), 64-bit and 32-bit versions. Run them from 4 locations (of your choice) and determine what criteria determine when and if the executable gets logged in the Syscache hive and what dates are associated with the registry keys.

Hello Reader,
          A new organization within an organization has formed! The DFIR Review group within DFRWS has officially emerged from 'stealth mode' and is ready to give your DFIR research peer review and fast feedback. With a combination of academics and practitioners volunteering their time they are pledging to help you validate your work and look for what you can do next. 

If this excites you, then go directly to:
http://dfrws.org/dfir-review

And get your work in!

Hello Reader,
             SANS is announcing a new DFIR course written by Kevin Ripa and Eric Zimmerman called FOR498: Battlefield Forensics & Data Acquisition. It's a course that focuses on dealing with all the onsite triage you will encounter when gathering evidence in a variety of environments with a big focus on preserving data from a very wide variety of sources.

From RAIDs, RAM, cloud and cell phones, this course will run you through the gauntlet of data sources that the modern examiner will encounter in the field.

If you are interested go here: https://www.sans.org/course/battlefield-forensics-and-data-acquisition

I'm looking forward to seeing the final material and labs!

Hello Reader,
           I know this came out a week ago but I don't think I wrote about it. I found this article written by Elcomsoft employee Oleg Afonin to be fascinating! Oleg is writing all about how to get an SSD drive into factory access mode, allowing an examiner to get access to all the data on an SSD without a chip-off. This whole article was a fascinating read; if any of you out there has a PC3000 SSD let me know, as I'd love to do some testing to find out what is actually recoverable with this method.

Read the article here: https://blog.elcomsoft.com/2019/01/life-after-trim-using-factory-access-mode-for-imaging-ssd-drives/

Hello Reader,
             Between calls and work I got to watch some of the CTI Summit this week in DC prior to my class that starts tomorrow. I will admit that I look at CTI mainly from the outside, trying to understand how it really works and what is real vs. marketing. Prior to the CTI Summit I had read Scott Roberts and Rebekah Brown's book Intelligence Driven Incident Response:
https://www.amazon.com/Intelligence-Driven-Incident-Response-Outwitting-Adversary/dp/1491934948 and I've talked to the CTI instructors about what they do in FOR578.

All of that though was just a foundation to understand the edges of the world of threat intelligence. Here are the words I heard repeated today:

  • Bias 
  • Cognitive Bias
  • ATT&CK
  • Pyramid of Pain
  • Peer Review
  • Threat actor
Each time I heard one of these major terms it came with a different perspective, one that changed how the 'product' delivered to the 'consumer' was to be judged.

As someone who focuses on the solid remnants of an incident the idea of this large grey area was outside of my comfort zone. I'm very comfortable when I can test and recreate an action to determine a prior action, but the idea of assembling possibilities and 'dossiers' based on events, actors and threats makes me very glad that there are other people who have found their passion in this.

So I salute you CTI professionals, I think we are both glad to be looking at each other over the fence between us in the widening world that is DFIR. 

Hello Reader,
      If you've been following the blog and the test kitchens you would have seen that both myself and Maxim Suhanov have been testing and talking a lot about the Amcache, which led to our findings about the Syscache hive. Well, it looks like we are not alone in our quest to truly understand this artifact, since Blanche Lagny of the Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI), aka the French National Cybersecurity Agency, has today released at least a year's worth of research into not only the Amcache structure but also:

  • What processes populate the Amcache
  • What determines the format of the Amcache data (dll versions not windows versions)
  • What determines the behavior of the Amcache storage (again its dll versions)
  • and much more

If you are at all interested in the Amcache and want to understand it at a deeper level I would highly recommend you read this:
http://www.ssi.gouv.fr/uploads/2019/01/anssi-coriin_2019-analysis_amcache.pdf

Please note that, as with any other paper, Lagny's has both timing and scope limitations, so this paper doesn't include every possible facet of the Amcache, such as what it does not log or how the latest version of Windows 10 populates it. It's not that she is not aware of the other data points; it's that they are hopefully going to be covered by future papers.

Hello Reader,
            Last week's challenge brought out some great research and new tools. I hope that this streak of great responses continues through 2019! Let's switch focus back to the Syscache hive for this week's challenge.


The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 1/25/19 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post


The Challenge:
On a Server 2008 R2 system make 4 copies of mimikatz (your choice of versions), 64-bit and 32-bit versions. Run them from 4 locations (of your choice) and determine what criteria determine when and if the executable gets logged in the Syscache hive and what dates are associated with the registry keys.

Hello Reader,
        This week's challenge has an interesting twist: I have two answers, but neither was submitted before the deadline. So I thought I would post the two answers for everyone's benefit so they are not lost to the Twitter timeline.

The Challenge:
In Windows 10, what behavior appears to determine if a program will show up in the UserAssist entries with a 0 run count versus actually tracking a run count and last execution date?

The Answers:
Matt Seyer: 

Matt worked up and tested three hypotheses for conditions where the UserAssist value did not get set or updated. Matt also released a really neat tool that will allow you to monitor UserAssist values in real time which will make testing much easier.

Maxim Suhanov:

Maxim tested a different method: he noticed that if GUI apps were executed from the command line (which should include exec scenarios within other programs), the same behavior occurs.

The common thread that I can find between all of these tests is that UserAssist is tracking executions outside of the direct user context now. This means ... you guessed it ... more testing! I think this helped leap forward quite a bit but I look forward to really pushing this out over the next week. 
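To make the "0 run count versus tracked execution" distinction concrete, here is a small UserAssist value parser. This is an added example, not Matt's monitoring tool or anything from this blog, and it assumes the documented Windows 7+ value layout (ROT13-encoded value names; a 72-byte record with the run count at offset 4, focus count at offset 8, focus time at offset 12 and the last-execution FILETIME at offset 60). The sample values at the bottom are constructed, with hypothetical program paths.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Assumed value layout (not described on the page): on Windows 7 and later a
# UserAssist value is 72 bytes, with the run count as a little-endian DWORD
# at offset 4, the focus count at offset 8, the focus time (ms) at offset 12
# and the last-execution time as a FILETIME at offset 60. Value names under
# the {GUID}\Count keys are ROT13-encoded.
RECORD_SIZE = 72
RUN_COUNT_OFFSET = 4
LAST_RUN_OFFSET = 60

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a FILETIME (100 ns ticks since 1601) to an aware datetime; 0 means 'never set'."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, used only to build constructed test records."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def decode_name(rot13_name):
    """ROT13 is its own inverse, so the same call encodes and decodes a value name."""
    return codecs.decode(rot13_name, "rot_13")


def parse_userassist_value(rot13_name, data):
    """Parse one (value name, value data) pair into a dict of the fields an examiner reports."""
    if len(data) < RECORD_SIZE:
        raise ValueError(f"unexpected UserAssist record size {len(data)}, want {RECORD_SIZE}")
    run_count, focus_count, focus_time_ms = struct.unpack_from("<III", data, RUN_COUNT_OFFSET)
    last_run = filetime_to_datetime(struct.unpack_from("<Q", data, LAST_RUN_OFFSET)[0])
    return {
        "program": decode_name(rot13_name),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_ms": focus_time_ms,
        "last_run": last_run,
        # The distinction the challenge asks about: a value can exist with a zero
        # run count and a zero FILETIME, which records the program's presence
        # without any tracked execution.
        "tracked": run_count > 0 or last_run is not None,
    }


def build_record(run_count, focus_count, focus_time_ms, last_run):
    """Constructed test data: assemble a 72-byte record in the layout above."""
    buf = bytearray(RECORD_SIZE)
    struct.pack_into("<III", buf, RUN_COUNT_OFFSET, run_count, focus_count, focus_time_ms)
    ft = 0 if last_run is None else datetime_to_filetime(last_run)
    struct.pack_into("<Q", buf, LAST_RUN_OFFSET, ft)
    return bytes(buf)


# Constructed sample values; the program paths are hypothetical, not from a real system.
# decode_name() is used here to ROT13-encode the plaintext names, as the registry stores them.
SAMPLE_VALUES = [
    (decode_name("C:\\Tools\\example.exe"),
     build_record(3, 2, 45_000, datetime(2019, 1, 15, 12, 0, tzinfo=timezone.utc))),
    (decode_name("C:\\Tools\\quiet.exe"),
     build_record(0, 0, 0, None)),
]


def summarize(values):
    """Parse a list of (value name, value data) pairs into a dict keyed by decoded program path."""
    out = {}
    for name, data in values:
        rec = parse_userassist_value(name, data)
        out[rec["program"]] = rec
    return out


if __name__ == "__main__":
    for program, rec in summarize(SAMPLE_VALUES).items():
        state = "tracked execution" if rec["tracked"] else "present, run count 0, no timestamp"
        print(f"{program}: runs={rec['run_count']} last_run={rec['last_run']} ({state})")
```

When testing hypotheses like Matt's and Maxim's, feed the parser the raw value data from the Count subkeys before and after each launch scenario and compare the `tracked` flag and `last_run` field; a value that appears with both a zero run count and a None timestamp is the "0 run count" case the challenge describes.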

Hello Reader,
          Well, I attempted to do a test kitchen tonight but VMware Workstation didn't want to cooperate. What I wanted to show is summarized in the blog post below from Eric Zimmerman:

https://binaryforay.blogspot.com/2019/01/locked-file-support-added-to.html

Eric has added the ability for his registry tools and the MFT explorer to be able to access the locked live files running on the live system. This means you can now access shellbag data with dates, view and search registries, parse amcache hives, run registry plugins and parse MFTs all without imaging or extracting files from the live system.

This is a pretty big step and it will require running the programs as the administrator in order to access the raw disk. I hope you take a moment to give them a spin as I will when I get a VM to boot!

Hello Reader,
            I saw this article over on the verge:
https://www.theverge.com/2019/1/16/18185490/microsoft-cortana-windows-10-search-changes

In this article they describe how Cortana is going to be separated from the search function. Currently we find the Windows 10 search artifacts in the NTUSER registry under \Software\Microsoft\Windows\CurrentVersion\Search. So keep an eye out for this change, as we expect changes in how this data is stored and possibly new entries for Cortana.

This is interesting since Cortana has been rapidly changing artifact wise and a return to more locally stored Cortana artifacts would be welcome. 

Hello Reader,
   Tonight we just had a short testing session (8 minutes of actual testing) where we checked in on last night's test. Here is what we learned:

  • The time delay did not affect our results
  • A shutdown/power on did not add new entries
  • The registry explorer and hasher entries still had no hash
  • We still saw no entries for the other mimikatz executables
On the next broadcast we will be testing the same behavior in Windows 7 and parsing the whole MFT and Syscache rather than individual records to make sure we aren't missing anything.

You can watch the video here:

Hello Reader,
       Tonight we returned to the test kitchen to try to solve the mystery of the multiple mimikatz executables not showing up in the Syscache.

Tonight we learned:

  • Syscache does not appear to duplicate entries by hash
  • We got some entries to appear without a hash
  • We are giving the VM enough time to run its background processes to get the Syscache fully written to, with a new test tomorrow night
  • The last write time does not appear to be updated when the program is executed again
  • 64bit and 32bit executables are being recorded
You can watch the video here:

Hello Reader,
          I was out late helping a friend so rather than a test kitchen tonight I'm going to do a tool highlight. David Dym our colleague at G-C Partners, LLC has written a number of tools we use like:

  • ShadowKit
  • MetaDiver
  • SqliteDiver
and now he's come out with a new tool MDViewer or Meta Diver Viewer. 

MDViewer lets you quickly view all of the metadata of a file and is built on top of Apache Tika, with the ability to drag and drop files onto it to view not only metadata but also hex/strings and more.

You can grab a copy here:

https://www.easymetadata.com/2019/01/mdviewer-1-0-initial-release/

Hello Reader,
          We've had back-to-back great answers in this new year, which I hope is just setting the trend for the rest of 2019. We've bounced around a couple of topics, but let's see if you can finish one out for all of us.

The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 1/18/19 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post


The Challenge:
In Windows 10, what behavior appears to determine if a program will show up in the UserAssist entries with a 0 run count versus actually tracking a run count and last execution date?

Hello Reader,
        I had two great submissions this week and one of them surprised me because it was from my own fellow g-c'er Matt Seyer. Matt won this week's competition because he went one step further in his testing, showing not only what the new tables in the Server 2019 SRUM database meant but also where to go in the registry to get the answer.
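Matt's write-up below compares the ESE table schemas directly (with pyesedb) rather than through a converted SQLite copy, and cross-references the Extensions recorded in the SOFTWARE hive to name each {GUID} table. As an added illustration of that method, not Matt's srum_schema.py and not code from this blog, here is a Python schema diff run over sample schemas constructed from the tables his submission lists (abbreviated to a few columns each). The pyesedb loader at the bottom assumes that library's attribute names and is not exercised by the constructed sample.

```python
# Added example: diff two SRUM ESE schemas and label extension tables with the
# provider registered for them. Not Matt Seyer's srum_schema.py; the sample
# schemas are constructed from the tables listed in his submission.


def diff_schemas(left, right):
    """Compare two schemas shaped {table: {column: type}}.

    Returns the tables unique to each side, per-table column differences as
    (column, left_type, right_type) tuples, and the tables whose schemas match.
    """
    result = {
        "only_in_left": sorted(set(left) - set(right)),
        "only_in_right": sorted(set(right) - set(left)),
        "column_diffs": {},
        "matching": [],
    }
    for table in sorted(set(left) & set(right)):
        lcols, rcols = left[table], right[table]
        diffs = []
        for col in sorted(set(lcols) | set(rcols)):
            ltype, rtype = lcols.get(col), rcols.get(col)
            if ltype != rtype:  # missing on one side, or type changed
                diffs.append((col, ltype, rtype))
        if diffs:
            result["column_diffs"][table] = diffs
        else:
            result["matching"].append(table)
    return result


def describe_table(table, extensions):
    """Attach the provider name and DLL registered for a {GUID} table, if known."""
    name, dll = extensions.get(table, ("<no registered extension>", None))
    return f"{table} [{name}]" + (f" via {dll}" if dll else "")


def report(left, right, extensions):
    """Render the diff as lines an examiner can paste into notes."""
    d = diff_schemas(left, right)
    lines = [f"only on left:  {describe_table(t, extensions)}" for t in d["only_in_left"]]
    lines += [f"only on right: {describe_table(t, extensions)}" for t in d["only_in_right"]]
    for table, diffs in d["column_diffs"].items():
        lines.append(f"changed:       {describe_table(table, extensions)}")
        lines += [f"    {col}: {lt} -> {rt}" for col, lt, rt in diffs]
    lines += [f"match:         {describe_table(t, extensions)}" for t in d["matching"]]
    return lines


def schema_from_pyesedb(path):
    """Read {table: {column: type}} from a live SRUDB.dat copy with pyesedb.

    Assumption: pyesedb exposes open(), file.tables, table.name, table.columns,
    column.name and column.type (an integer type code). Not run by the sample.
    """
    import pyesedb  # optional dependency
    esedb = pyesedb.open(path)
    return {t.name: {c.name: str(c.type) for c in t.columns} for t in esedb.tables}


# Constructed from the submission's listing, abbreviated: only the NDU table keeps all columns.
NDU = "{973F5D5C-1D90-4944-BE8E-24B94231A174}"
NCU = "{DD6636C4-8929-4683-974E-22C046A43763}"
APPRES = "{D10CA2FE-6FCF-4F6D-848E-B2E99266FA89}"
ENERGY = "{DA73FB89-2BEA-4DDC-86B8-6E048C6DA477}"
COMMON = {"AutoIncId": "INTEGER_32BIT_SIGNED", "TimeStamp": "DATE_TIME",
          "AppId": "INTEGER_32BIT_SIGNED", "UserId": "INTEGER_32BIT_SIGNED"}

WIN10 = {
    "SruDbIdMapTable": {"IdType": "INTEGER_8BIT_UNSIGNED", "IdIndex": "INTEGER_32BIT_SIGNED",
                        "IdBlob": "LARGE_BINARY_DATA"},
    NDU: {**COMMON, "InterfaceLuid": "INTEGER_64BIT_SIGNED", "L2ProfileId": "INTEGER_32BIT_SIGNED",
          "L2ProfileFlags": "INTEGER_32BIT_SIGNED", "BytesSent": "INTEGER_64BIT_SIGNED",
          "BytesRecvd": "INTEGER_64BIT_SIGNED"},
    NCU: {**COMMON, "ConnectedTime": "INTEGER_32BIT_SIGNED"},
    APPRES: {**COMMON, "FaceTime": "INTEGER_64BIT_SIGNED"},
    ENERGY: {**COMMON, "BinaryData": "BINARY_DATA"},
}
# Server 2019 in the submission lacks the NDU and Energy Estimation tables.
SERVER2019 = {k: v for k, v in WIN10.items() if k not in (NDU, ENERGY)}

# Provider name and DLL as recorded under the SRUM Extensions key in the SOFTWARE hive.
EXTENSIONS = {
    NDU: ("Windows Network Data Usage Monitor", "%SystemRoot%\\System32\\nduprov.dll"),
    NCU: ("Windows Network Connectivity Usage Monitor", "%SystemRoot%\\System32\\ncuprov.dll"),
    APPRES: ("Application Resource Usage Provider", "%SystemRoot%\\System32\\appsruprov.dll"),
    ENERGY: ("Energy Estimation Provider", "%SystemRoot%\\System32\\eeprov.dll"),
}

if __name__ == "__main__":
    print("\n".join(report(WIN10, SERVER2019, EXTENSIONS)))
```

On real evidence, replace the constructed dicts with `schema_from_pyesedb()` output from each system's SRUDB.dat and build the extensions map from the SOFTWARE hive, so a table that exists on one build but not the other is reported together with the DLL that should have registered it.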

The Winning Answer:
Matt Seyer (@forensic_matt)

Sunday Funday Submission

The Challenge

Server 2019 got SRUM, what if any differences are there between SRUM on Windows 10 and SRUM on Server 2019?

Methodology

Compare the SRUM database schemas of a Windows 10 system and Server 2019. The most obvious differences should appear in the database schemas. Because the SRUM database uses the Extensible Storage Engine (ESE) format, we should work directly with the ESE database itself and not use tools that interpret its data into a different format (many tools will convert the ESE to SQLite). Because SRUM uses Extensions that are recorded in the SOFTWARE hive, the SOFTWARE hive should also be checked for differences.

Windows Versions Used

The following versions were used for generating the data in this research.
Server 2019 Version: Windows Server 2019 Standard (Desktop Experience)
Windows 10 Version: Windows 10 Enterprise

Table Differences

The following table schemas are resolved with a script (srum_schema.py) that uses pyesedb and yarp to resolve SRUM data. pyesedb allows us to work with the ESE format and yarp allows us to work with Registry and take transaction logs into account.

Base Tables

After reviewing SRUM’s base set of tables (tables not in the extensions), they appear to remain the same across Windows 10 and Server 2019.
Columns (flattened in this extraction): Windows 10 | Server 2019 Desktop Experience | Status. Below, each table's Windows 10 schema is listed first, then its Server 2019 schema, then the status line.
---------------------------------------
Table: MSysObjects
---------------------------------------
ObjidTable -> INTEGER_32BIT_SIGNED
Type -> INTEGER_16BIT_SIGNED
Id -> INTEGER_32BIT_SIGNED
ColtypOrPgnoFDP -> INTEGER_32BIT_SIGNED
SpaceUsage -> INTEGER_32BIT_SIGNED
Flags -> INTEGER_32BIT_SIGNED
PagesOrLocale -> INTEGER_32BIT_SIGNED
RootFlag -> BOOLEAN
RecordOffset -> INTEGER_16BIT_SIGNED
LCMapFlags -> INTEGER_32BIT_SIGNED
KeyMost -> INTEGER_16BIT_UNSIGNED
LVChunkMax -> INTEGER_32BIT_SIGNED
Name -> TEXT
Stats -> BINARY_DATA
TemplateTable -> TEXT
DefaultValue -> BINARY_DATA
KeyFldIDs -> BINARY_DATA
VarSegMac -> BINARY_DATA
ConditionalColumns -> BINARY_DATA
TupleLimits -> BINARY_DATA
Version -> BINARY_DATA
SortID -> BINARY_DATA
CallbackData -> LARGE_BINARY_DATA
CallbackDependencies -> LARGE_BINARY_DATA
SeparateLV -> LARGE_BINARY_DATA
SpaceHints -> LARGE_BINARY_DATA
SpaceDeferredLVHints -> LARGE_BINARY_DATA
LocaleName -> LARGE_BINARY_DATA
---------------------------------------
Table: MSysObjects
---------------------------------------
ObjidTable -> INTEGER_32BIT_SIGNED
Type -> INTEGER_16BIT_SIGNED
Id -> INTEGER_32BIT_SIGNED
ColtypOrPgnoFDP -> INTEGER_32BIT_SIGNED
SpaceUsage -> INTEGER_32BIT_SIGNED
Flags -> INTEGER_32BIT_SIGNED
PagesOrLocale -> INTEGER_32BIT_SIGNED
RootFlag -> BOOLEAN
RecordOffset -> INTEGER_16BIT_SIGNED
LCMapFlags -> INTEGER_32BIT_SIGNED
KeyMost -> INTEGER_16BIT_UNSIGNED
LVChunkMax -> INTEGER_32BIT_SIGNED
Name -> TEXT
Stats -> BINARY_DATA
TemplateTable -> TEXT
DefaultValue -> BINARY_DATA
KeyFldIDs -> BINARY_DATA
VarSegMac -> BINARY_DATA
ConditionalColumns -> BINARY_DATA
TupleLimits -> BINARY_DATA
Version -> BINARY_DATA
SortID -> BINARY_DATA
CallbackData -> LARGE_BINARY_DATA
CallbackDependencies -> LARGE_BINARY_DATA
SeparateLV -> LARGE_BINARY_DATA
SpaceHints -> LARGE_BINARY_DATA
SpaceDeferredLVHints -> LARGE_BINARY_DATA
LocaleName -> LARGE_BINARY_DATA
Both table schemas match.
---------------------------------------
Table: MSysObjectsShadow
---------------------------------------
ObjidTable -> INTEGER_32BIT_SIGNED
Type -> INTEGER_16BIT_SIGNED
Id -> INTEGER_32BIT_SIGNED
ColtypOrPgnoFDP -> INTEGER_32BIT_SIGNED
SpaceUsage -> INTEGER_32BIT_SIGNED
Flags -> INTEGER_32BIT_SIGNED
PagesOrLocale -> INTEGER_32BIT_SIGNED
RootFlag -> BOOLEAN
RecordOffset -> INTEGER_16BIT_SIGNED
LCMapFlags -> INTEGER_32BIT_SIGNED
KeyMost -> INTEGER_16BIT_UNSIGNED
LVChunkMax -> INTEGER_32BIT_SIGNED
Name -> TEXT
Stats -> BINARY_DATA
TemplateTable -> TEXT
DefaultValue -> BINARY_DATA
KeyFldIDs -> BINARY_DATA
VarSegMac -> BINARY_DATA
ConditionalColumns -> BINARY_DATA
TupleLimits -> BINARY_DATA
Version -> BINARY_DATA
SortID -> BINARY_DATA
CallbackData -> LARGE_BINARY_DATA
CallbackDependencies -> LARGE_BINARY_DATA
SeparateLV -> LARGE_BINARY_DATA
SpaceHints -> LARGE_BINARY_DATA
SpaceDeferredLVHints -> LARGE_BINARY_DATA
LocaleName -> LARGE_BINARY_DATA
---------------------------------------
Table: MSysObjectsShadow
---------------------------------------
ObjidTable -> INTEGER_32BIT_SIGNED
Type -> INTEGER_16BIT_SIGNED
Id -> INTEGER_32BIT_SIGNED
ColtypOrPgnoFDP -> INTEGER_32BIT_SIGNED
SpaceUsage -> INTEGER_32BIT_SIGNED
Flags -> INTEGER_32BIT_SIGNED
PagesOrLocale -> INTEGER_32BIT_SIGNED
RootFlag -> BOOLEAN
RecordOffset -> INTEGER_16BIT_SIGNED
LCMapFlags -> INTEGER_32BIT_SIGNED
KeyMost -> INTEGER_16BIT_UNSIGNED
LVChunkMax -> INTEGER_32BIT_SIGNED
Name -> TEXT
Stats -> BINARY_DATA
TemplateTable -> TEXT
DefaultValue -> BINARY_DATA
KeyFldIDs -> BINARY_DATA
VarSegMac -> BINARY_DATA
ConditionalColumns -> BINARY_DATA
TupleLimits -> BINARY_DATA
Version -> BINARY_DATA
SortID -> BINARY_DATA
CallbackData -> LARGE_BINARY_DATA
CallbackDependencies -> LARGE_BINARY_DATA
SeparateLV -> LARGE_BINARY_DATA
SpaceHints -> LARGE_BINARY_DATA
SpaceDeferredLVHints -> LARGE_BINARY_DATA
LocaleName -> LARGE_BINARY_DATA
Both table schemas match.
---------------------------------------
Table: MSysObjids
---------------------------------------
objid -> INTEGER_32BIT_SIGNED
objidTable -> INTEGER_32BIT_SIGNED
type -> INTEGER_16BIT_SIGNED
---------------------------------------
Table: MSysObjids
---------------------------------------
objid -> INTEGER_32BIT_SIGNED
objidTable -> INTEGER_32BIT_SIGNED
type -> INTEGER_16BIT_SIGNED
Both table schemas match.
---------------------------------------
Table: MSysLocales
---------------------------------------
Type -> INTEGER_8BIT_UNSIGNED
iValue -> INTEGER_32BIT_SIGNED
Key -> BINARY_DATA
---------------------------------------
Table: MSysLocales
---------------------------------------
Type -> INTEGER_8BIT_UNSIGNED
iValue -> INTEGER_32BIT_SIGNED
Key -> BINARY_DATA
Both table schemas match.
---------------------------------------
Table: SruDbIdMapTable
---------------------------------------
IdType -> INTEGER_8BIT_UNSIGNED
IdIndex -> INTEGER_32BIT_SIGNED
IdBlob -> LARGE_BINARY_DATA
---------------------------------------
Table: SruDbIdMapTable
---------------------------------------
IdType -> INTEGER_8BIT_UNSIGNED
IdIndex -> INTEGER_32BIT_SIGNED
IdBlob -> LARGE_BINARY_DATA
Both table schemas match.
---------------------------------------
Table: SruDbCheckpointTable
---------------------------------------
ProviderId -> GUID
CheckpointId -> INTEGER_32BIT_SIGNED
NextIncId -> INTEGER_32BIT_SIGNED
SeqNumber -> BINARY_DATA
RecordSet -> LARGE_BINARY_DATA
---------------------------------------
Table: SruDbCheckpointTable
---------------------------------------
ProviderId -> GUID
CheckpointId -> INTEGER_32BIT_SIGNED
NextIncId -> INTEGER_32BIT_SIGNED
SeqNumber -> BINARY_DATA
RecordSet -> LARGE_BINARY_DATA
Both table schemas match.

Extended Tables

The differences between Windows 10 and Server 2019 start appearing when looking at the “Extension” tables. See the section Resolving Extended GUIDs for more information on registered Extensions and their enumeration. It would appear that DLLs register the Extension, and thus it is expected to see differences in these tables between systems depending on the services or applications that exist. That being said, let’s look at some common tables.
Columns (flattened in this extraction): Windows 10 | Server 2019 Desktop Experience | Notes. Below, each table's Windows 10 schema is listed first, then its Server 2019 schema (where the table exists there), then the notes.
---------------------------------------
Table: {973F5D5C-1D90-4944-BE8E-24B94231A174}
[Windows Network Data Usage Monitor]
-- Extension Key Values from SOFTWARE hive --
: Windows Network Data Usage Monitor
DllName: %SystemRoot%\System32\nduprov.dll
---------------------------------------
AutoIncId -> INTEGER_32BIT_SIGNED
TimeStamp -> DATE_TIME
AppId -> INTEGER_32BIT_SIGNED
UserId -> INTEGER_32BIT_SIGNED
InterfaceLuid -> INTEGER_64BIT_SIGNED
L2ProfileId -> INTEGER_32BIT_SIGNED
L2ProfileFlags -> INTEGER_32BIT_SIGNED
BytesSent -> INTEGER_64BIT_SIGNED
BytesRecvd -> INTEGER_64BIT_SIGNED

This is where things get interesting. The “Windows Network Data Usage Monitor” table does not seem to exist on my Server 2019 Standard fresh install. This has been a very useful table and is used by SrumMonkey to generate meaningful network data reports.

Upon examining the Server 2019’s Windows\System32 folder, no ‘nduprov.dll’ exists.

Though Server 2019’s table “{EEE2F477-0659-5C47-EF03-6D6BEFD441B3}” (SDP Network Provider) appears to be somewhat of a replacement for network byte usage. [Further down in table]
---------------------------------------
Table: {D10CA2FE-6FCF-4F6D-848E-B2E99266FA89} [Application Resource Usage Provider]
-- Extension Key Values from SOFTWARE hive --
: Application Resource Usage Provider
DllName: %SystemRoot%\System32\appsruprov.dll
---------------------------------------
AutoIncId -> INTEGER_32BIT_SIGNED
TimeStamp -> DATE_TIME
AppId -> INTEGER_32BIT_SIGNED
UserId -> INTEGER_32BIT_SIGNED
ForegroundCycleTime -> INTEGER_64BIT_SIGNED
BackgroundCycleTime -> INTEGER_64BIT_SIGNED
FaceTime -> INTEGER_64BIT_SIGNED
ForegroundContextSwitches -> INTEGER_32BIT_SIGNED
BackgroundContextSwitches -> INTEGER_32BIT_SIGNED
ForegroundBytesRead -> INTEGER_64BIT_SIGNED
ForegroundBytesWritten -> INTEGER_64BIT_SIGNED
ForegroundNumReadOperations -> INTEGER_32BIT_SIGNED
ForegroundNumWriteOperations -> INTEGER_32BIT_SIGNED
ForegroundNumberOfFlushes -> INTEGER_32BIT_SIGNED
BackgroundBytesRead -> INTEGER_64BIT_SIGNED
BackgroundBytesWritten -> INTEGER_64BIT_SIGNED
BackgroundNumReadOperations -> INTEGER_32BIT_SIGNED
BackgroundNumWriteOperations -> INTEGER_32BIT_SIGNED
BackgroundNumberOfFlushes -> INTEGER_32BIT_SIGNED
---------------------------------------
Table: {D10CA2FE-6FCF-4F6D-848E-B2E99266FA89} [Application Resource Usage Provider]
-- Extension Key Values from SOFTWARE hive --
: Application Resource Usage Provider
DllName: %SystemRoot%\System32\appsruprov.dll
---------------------------------------
AutoIncId -> INTEGER_32BIT_SIGNED
TimeStamp -> DATE_TIME
AppId -> INTEGER_32BIT_SIGNED
UserId -> INTEGER_32BIT_SIGNED
ForegroundCycleTime -> INTEGER_64BIT_SIGNED
BackgroundCycleTime -> INTEGER_64BIT_SIGNED
FaceTime -> INTEGER_64BIT_SIGNED
ForegroundContextSwitches -> INTEGER_32BIT_SIGNED
BackgroundContextSwitches -> INTEGER_32BIT_SIGNED
ForegroundBytesRead -> INTEGER_64BIT_SIGNED
ForegroundBytesWritten -> INTEGER_64BIT_SIGNED
ForegroundNumReadOperations -> INTEGER_32BIT_SIGNED
ForegroundNumWriteOperations -> INTEGER_32BIT_SIGNED
ForegroundNumberOfFlushes -> INTEGER_32BIT_SIGNED
BackgroundBytesRead -> INTEGER_64BIT_SIGNED
BackgroundBytesWritten -> INTEGER_64BIT_SIGNED
BackgroundNumReadOperations -> INTEGER_32BIT_SIGNED
BackgroundNumWriteOperations -> INTEGER_32BIT_SIGNED
BackgroundNumberOfFlushes -> INTEGER_32BIT_SIGNED
This table is utilized by appsruprov.dll (Application Resource Usage Provider) and its schema remains unchanged on Server 2019 Standard. This is a common table to utilize for most tools including SrumMonkey.
---------------------------------------
Table: {DA73FB89-2BEA-4DDC-86B8-6E048C6DA477}
[Energy Estimation Provider]
-- Extension Key Values from SOFTWARE hive --
: Energy Estimation Provider
CapabilityFlags: 506
DllName: %SystemRoot%\System32\eeprov.dll
Tier2MaxEntries: 168
---------------------------------------
AutoIncId -> INTEGER_32BIT_SIGNED
TimeStamp -> DATE_TIME
AppId -> INTEGER_32BIT_SIGNED
UserId -> INTEGER_32BIT_SIGNED
BinaryData -> BINARY_DATA

Does not exist on Server 2019
---------------------------------------
Table: {DD6636C4-8929-4683-974E-22C046A43763}
[Windows Network Connectivity Usage Monitor]
-- Extension Key Values from SOFTWARE hive --
: Windows Network Connectivity Usage Monitor
DllName: %SystemRoot%\System32\ncuprov.dll
---------------------------------------
AutoIncId -> INTEGER_32BIT_SIGNED
TimeStamp -> DATE_TIME
AppId -> INTEGER_32BIT_SIGNED
UserId -> INTEGER_32BIT_SIGNED
InterfaceLuid -> INTEGER_64BIT_SIGNED
L2ProfileId -> INTEGER_32BIT_SIGNED
ConnectedTime -> INTEGER_32BIT_SIGNED
ConnectStartTime -> INTEGER_64BIT_SIGNED
L2ProfileFlags -> INTEGER_32BIT_SIGNED
---------------------------------------
Table: {DD6636C4-8929-4683-974E-22C046A43763}
[Windows Network Connectivity Usage Monitor]
-- Extension Key Values from SOFTWARE hive --
: Windows Network Connectivity Usage Monitor
DllName: %SystemRoot%\System32\ncuprov.dll
---------------------------------------
AutoIncId -> INTEGER_32BIT_SIGNED
TimeStamp -> DATE_TIME
AppId -> INTEGER_32BIT_SIGNED
UserId -> INTEGER_32BIT_SIGNED
InterfaceLuid -> INTEGER_64BIT_SIGNED
L2ProfileId -> INTEGER_32BIT_SIGNED
ConnectedTime -> INTEGER_32BIT_SIGNED
ConnectStartTime -> INTEGER_64BIT_SIGNED
L2ProfileFlags -> INTEGER_32BIT_SIGNED
Both table schemas match.
---------------------------------------
Table: {D10CA2FE-6FCF-4F6D-848E-B2E99266FA86}
[WPN SRUM Provider]
-- Extension Key Values from SOFTWARE hive --
: WPN SRUM Provider
DllName: %SystemRoot%\System32\wpnsruprov.dll
---------------------------------------
AutoIncId -> INTEGER_32BIT_SIGNED
TimeStamp -> DATE_TIME
AppId -> INTEGER_32BIT_SIGNED
UserId -> INTEGER_32BIT_SIGNED
NotificationType -> INTEGER_32BIT_SIGNED
PayloadSize -> INTEGER_32BIT_SIGNED
NetworkType -> INTEGER_32BIT_SIGNED

Does not exist on Server 2019
---------------------------------------
Table: {FEE4E14F-02A9-4550-B5CE-5FA2DA202E37}
[Energy Usage Provider]
-- Extension Key Values from SOFTWARE hive --
: Energy Usage Provider
CapabilityFlags: 25
DllName: %SystemRoot%\System32\energyprov.dll
LastLongTermUpdate: 131898800885695180
---------------------------------------
AutoIncId -> INTEGER_32BIT_SIGNED
TimeStamp -> DATE_TIME
AppId -> INTEGER_32BIT_SIGNED
UserId -> INTEGER_32BIT_SIGNED
EventTimestamp -> INTEGER_64BIT_SIGNED
StateTransition -> INTEGER_32BIT_SIGNED
DesignedCapacity -> INTEGER_32BIT_SIGNED
FullChargedCapacity -> INTEGER_32BIT_SIGNED
ChargeLevel -> INTEGER_32BIT_SIGNED
CycleCount -> INTEGER_32BIT_SIGNED
ConfigurationHash -> INTEGER_64BIT_SIGNED

Does not exist on Server 2019
---------------------------------------
Table: {FEE4E14F-02A9-4550-B5CE-5FA2DA202E37}LT
[Energy Usage Provider]
-- Extension Key Values from SOFTWARE hive --
: Energy Usage Provider
CapabilityFlags: 25
DllName: %SystemRoot%\System32\energyprov.dll
LastLongTermUpdate: 131898800885695180
---------------------------------------
AutoIncId -> INTEGER_32BIT_SIGNED
TimeStamp -> DATE_TIME
AppId -> INTEGER_32BIT_SIGNED
UserId -> INTEGER_32BIT_SIGNED
ActiveAcTime -> INTEGER_32BIT_SIGNED
CsAcTime -> INTEGER_32BIT_SIGNED
ActiveDcTime -> INTEGER_32BIT_SIGNED
CsDcTime -> INTEGER_32BIT_SIGNED
ActiveDischargeTime -> INTEGER_32BIT_SIGNED
CsDischargeTime -> INTEGER_32BIT_SIGNED
ActiveEnergy -> INTEGER_32BIT_SIGNED
CsEnergy -> INTEGER_32BIT_SIGNED
DesignedCapacity -> INTEGER_32BIT_SIGNED
FullChargedCapacity -> INTEGER_32BIT_SIGNED
CycleCount -> INTEGER_32BIT_SIGNED
ConfigurationHash -> INTEGER_64BIT_SIGNED

Does not exist on Server 2019
---------------------------------------
Table: {5C8CF1C7-7257-4F13-B223-970EF5939312}
[App Timeline Provider]
-- Extension Key Values from SOFTWARE hive --
: App Timeline Provider
CapabilityFlags: 250
DllName: %SystemRoot%\System32\eeprov.dll
Tier2MaxEntries: 168
---------------------------------------
AutoIncId -> INTEGER_32BIT_SIGNED
TimeStamp -> DATE_TIME
AppId -> INTEGER_32BIT_SIGNED
UserId -> INTEGER_32BIT_SIGNED
Flags -> INTEGER_32BIT_SIGNED
EndTime -> INTEGER_64BIT_SIGNED
DurationMS -> INTEGER_32BIT_SIGNED
SpanMS -> INTEGER_32BIT_SIGNED
TimelineEnd -> INTEGER_32BIT_SIGNED
InFocusTimeline -> INTEGER_64BIT_SIGNED
UserInputTimeline -> INTEGER_64BIT_SIGNED
CompRenderedTimeline -> INTEGER_64BIT_SIGNED
CompDirtiedTimeline -> INTEGER_64BIT_SIGNED
CompPropagatedTimeline -> INTEGER_64BIT_SIGNED
AudioInTimeline -> INTEGER_64BIT_SIGNED
AudioOutTimeline -> INTEGER_64BIT_SIGNED
CpuTimeline -> INTEGER_64BIT_SIGNED
DiskTimeline -> INTEGER_64BIT_SIGNED
NetworkTimeline -> INTEGER_64BIT_SIGNED
MBBTimeline -> INTEGER_64BIT_SIGNED
InFocusS -> INTEGER_32BIT_SIGNED
PSMForegroundS -> INTEGER_32BIT_SIGNED
UserInputS -> INTEGER_32BIT_SIGNED
CompRenderedS -> INTEGER_32BIT_SIGNED
CompDirtiedS -> INTEGER_32BIT_SIGNED
CompPropagatedS -> INTEGER_32BIT_SIGNED
AudioInS -> INTEGER_32BIT_SIGNED
AudioOutS -> INTEGER_32BIT_SIGNED
Cycles -> INTEGER_64BIT_SIGNED
CyclesBreakdown -> INTEGER_64BIT_SIGNED
CyclesAttr -> INTEGER_64BIT_SIGNED
CyclesAttrBreakdown -> INTEGER_64BIT_SIGNED
CyclesWOB -> INTEGER_64BIT_SIGNED
CyclesWOBBreakdown -> INTEGER_64BIT_SIGNED
DiskRaw -> INTEGER_64BIT_SIGNED
NetworkTailRaw -> INTEGER_64BIT_SIGNED
NetworkBytesRaw -> INTEGER_64BIT_SIGNED
MBBTailRaw -> INTEGER_64BIT_SIGNED
MBBBytesRaw -> INTEGER_64BIT_SIGNED
DisplayRequiredS -> INTEGER_32BIT_SIGNED
DisplayRequiredTimeline -> INTEGER_64BIT_SIGNED
KeyboardInputTimeline -> INTEGER_64BIT_SIGNED
KeyboardInputS -> INTEGER_32BIT_SIGNED
MouseInputS -> INTEGER_32BIT_SIGNED

Does not exist on Server 2019
---------------------------------------
Table: {7ACBBAA3-D029-4BE4-9A7A-0885927F1D8F}
[vfuprov]
-- Extension Key Values from SOFTWARE hive --
: vfuprov
DllName: %SystemRoot%\System32\vfuprov.dll
---------------------------------------
AutoIncId -> INTEGER_32BIT_SIGNED
TimeStamp -> DATE_TIME
AppId -> INTEGER_32BIT_SIGNED
UserId -> INTEGER_32BIT_SIGNED
Flags -> INTEGER_32BIT_SIGNED
StartTime -> INTEGER_64BIT_SIGNED
EndTime -> INTEGER_64BIT_SIGNED
Usage -> BINARY_DATA

Does not exist on Server 2019

---------------------------------------
Table: {17F4D97B-F26A-5E79-3A82-90040A47D13D}
[SDP Volume Provider]
-- Extension Key Values from SOFTWARE hive --
: SDP Volume Provider
CapabilityFlags: 0
DllName: %SystemRoot%\System32\sdprov.dll
Tier2MaxEntries: 9000
---------------------------------------
AutoIncId -> INTEGER_32BIT_SIGNED
TimeStamp -> DATE_TIME
AppId -> INTEGER_32BIT_SIGNED
UserId -> INTEGER_32BIT_SIGNED
Total -> INTEGER_64BIT_SIGNED
Used -> INTEGER_64BIT_SIGNED
Does not exist on Windows 10

---------------------------------------
Table: {841A7317-3805-518B-C2EA-AD224CB4AF84}
[SDP Physical Disk Provider]
-- Extension Key Values from SOFTWARE hive --
: SDP Physical Disk Provider
CapabilityFlags: 0
DllName: %SystemRoot%\System32\sdprov.dll
Tier2MaxEntries: 9000
---------------------------------------
AutoIncId -> INTEGER_32BIT_SIGNED
TimeStamp -> DATE_TIME
AppId -> INTEGER_32BIT_SIGNED
UserId -> INTEGER_32BIT_SIGNED
SizeInBytes -> INTEGER_64BIT_SIGNED
Does not exist on Windows 10

---------------------------------------
Table: {DC3D3B50-BB90-5066-FA4E-A5F90DD8B677}
[SDP Cpu Provider]
-- Extension Key Values from SOFTWARE hive --
: SDP Cpu Provider
CapabilityFlags: 0
DllName: %SystemRoot%\System32\sdprov.dll
Tier2MaxEntries: 9000
---------------------------------------
AutoIncId -> INTEGER_32BIT_SIGNED
TimeStamp -> DATE_TIME
AppId -> INTEGER_32BIT_SIGNED
UserId -> INTEGER_32BIT_SIGNED
ProcessorTime -> INTEGER_64BIT_SIGNED
Does not exist on Windows 10

---------------------------------------
Table: {EEE2F477-0659-5C47-EF03-6D6BEFD441B3}
[SDP Network Provider]
-- Extension Key Values from SOFTWARE hive --
: SDP Network Provider
CapabilityFlags: 0
DllName: %SystemRoot%\System32\sdprov.dll
Tier2MaxEntries: 9000
---------------------------------------
AutoIncId -> INTEGER_32BIT_SIGNED
TimeStamp -> DATE_TIME
AppId -> INTEGER_32BIT_SIGNED
UserId -> INTEGER_32BIT_SIGNED
BytesInBound -> INTEGER_64BIT_SIGNED
BytesOutBound -> INTEGER_64BIT_SIGNED
BytesTotal -> INTEGER_64BIT_SIGNED
Does not exist on Windows 10

Seems like a replacement for the Windows 10 “Windows Network Data Usage Monitor” table. That being said, it lacks interface IDs.
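Each table dump above carries the provider's Extensions subkey values (the default value and DllName) next to its column list, and the Windows 10 versus Server 2019 comparison in the notes was done by eye. The Python below is an added example, not the blog's own tooling or any project's code: it parses that dump format, resolves a table name to its provider (assuming, as the LastLongTermUpdate value in the key suggests, that the "LT" suffix marks a long-term table registered under the same bare GUID), and diffs the column sets of two captures the way the notes above do. The sample dumps are constructed excerpts built from tables on this page with shortened column lists.

```python
"""Parse the SRUM extension dump format shown above and diff two captures.

Added example, not the blog's tooling.  Assumes the layout in the post: a dashed
separator, "Table: {GUID}" (suffixed "LT" for a long-term table), "[Descriptor]",
"Name: value" lines from the Extensions subkey (its default value prints as
": Descriptor"), a separator, then "Column -> TYPE" lines.  Notes are ignored.
"""
import re

TABLE_RE = re.compile(r"^Table:\s*(\{[0-9A-Fa-f-]{36}\}(?:LT)?)\s*(?:\[(.*)\])?$")
COLUMN_RE = re.compile(r"^(\w+)\s*->\s*(\w+)$")
GUID_RE = re.compile(r"^(\{[0-9A-Fa-f-]{36}\})(LT)?$")

def parse_dump(text: str) -> dict:
    """Return {table_name: {"descriptor", "values", "columns"}} for one dump."""
    tables, current, in_values = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("---"):
            in_values = False                      # separator ends the values block
        elif (m := TABLE_RE.match(line)):
            current = {"descriptor": m.group(2), "values": {}, "columns": {}}
            tables[m.group(1)] = current
        elif current is None:
            continue
        elif line.startswith("[") and line.endswith("]"):
            current["descriptor"] = line[1:-1]
        elif line.startswith("-- Extension Key Values"):
            in_values = True
        elif in_values and ":" in line:
            name, _, value = line.partition(":")
            current["values"][name.strip() or "(Default)"] = value.strip()
        elif (cm := COLUMN_RE.match(line)):
            current["columns"][cm.group(1)] = cm.group(2)
    return tables

def resolve_table(table_name: str, tables: dict) -> dict:
    """Map an ESE table name to its provider.  An "LT" table is assumed to be
    registered under the bare GUID, so the suffix is stripped before lookup."""
    m = GUID_RE.match(table_name)
    if not m:
        raise ValueError(f"not an extension table name: {table_name!r}")
    guid, long_term = m.group(1), m.group(2) == "LT"
    values = next((t["values"] for n, t in tables.items() if n.startswith(guid)), {})
    return {"guid": guid, "long_term": long_term,
            "descriptor": values.get("(Default)"), "dll": values.get("DllName")}

def diff_schemas(win10: dict, srv2019: dict) -> dict:
    """Per-table column comparison: the check the post performs by hand."""
    report = {}
    for name in sorted(set(win10) | set(srv2019)):
        a, b = win10.get(name), srv2019.get(name)
        if a is None or b is None:
            report[name] = {"status": "does not exist on " + ("Windows 10" if a is None else "Server 2019")}
            continue
        ca, cb = a["columns"], b["columns"]
        added, removed = sorted(set(cb) - set(ca)), sorted(set(ca) - set(cb))
        retyped = sorted(c for c in ca.keys() & cb.keys() if ca[c] != cb[c])
        status = "differs" if (added or removed or retyped) else "match"
        report[name] = {"status": status, "added": added, "removed": removed, "retyped": retyped}
    return report

# Constructed excerpts in the dump format above (column lists shortened).
NCU_BLOCK = r"""
---------------------------------------
Table: {DD6636C4-8929-4683-974E-22C046A43763}
[Windows Network Connectivity Usage Monitor]
-- Extension Key Values from SOFTWARE hive --
: Windows Network Connectivity Usage Monitor
DllName: %SystemRoot%\System32\ncuprov.dll
---------------------------------------
AutoIncId -> INTEGER_32BIT_SIGNED
InterfaceLuid -> INTEGER_64BIT_SIGNED
"""
WIN10_DUMP = NCU_BLOCK + r"""
---------------------------------------
Table: {FEE4E14F-02A9-4550-B5CE-5FA2DA202E37}LT
[Energy Usage Provider]
-- Extension Key Values from SOFTWARE hive --
: Energy Usage Provider
DllName: %SystemRoot%\System32\energyprov.dll
---------------------------------------
ActiveEnergy -> INTEGER_32BIT_SIGNED
Does not exist on Server 2019
"""
SRV2019_DUMP = NCU_BLOCK + r"""
---------------------------------------
Table: {EEE2F477-0659-5C47-EF03-6D6BEFD441B3}
[SDP Network Provider]
-- Extension Key Values from SOFTWARE hive --
: SDP Network Provider
DllName: %SystemRoot%\System32\sdprov.dll
---------------------------------------
BytesInBound -> INTEGER_64BIT_SIGNED
Does not exist on Windows 10
"""
if __name__ == "__main__":
    w10, s19 = parse_dump(WIN10_DUMP), parse_dump(SRV2019_DUMP)
    for name, result in diff_schemas(w10, s19).items():
        print(name, result["status"])
    print(resolve_table("{FEE4E14F-02A9-4550-B5CE-5FA2DA202E37}LT", w10))
```

Run it over full dumps from both systems to get the per-table status automatically; a status of "differs" lists the columns added, removed, or retyped, which is the detail a SRUM parser's column mapping depends on.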


Resolving Extended GUIDs

As with Windows 10, Server 2019 keeps the SRUM extended GUIDs, in the same format, under the SOFTWARE registry key `Microsoft\Windows NT\CurrentVersion\SRUM\Extensions`. Each sub-key of that key is named for one GUID, and the sub-key's default value is the descriptor for that GUID. See below for an example: