Saturday, January 12, 2019

Daily Blog #595: Solution Saturday 1/12/19

Hello Reader,
        I had two great submissions this week, and one of them surprised me because it was from my fellow G-C'er Matt Seyer. Matt won this week's competition because he took one step further in his testing: he showed not only what the new tables in the Server 2019 SRUM database mean, but also where to go in the registry to get the answer.

The Winning Answer:
Matt Seyer (@forensic_matt)

Sunday Funday Submission

The Challenge

Server 2019 got SRUM, what if any differences are there between SRUM on Windows 10 and SRUM on Server 2019?

Methodology

Compare the SRUM database schemas of a Windows 10 system and a Server 2019 system. The most obvious differences should appear in the database schemas. Because the SRUM database uses the Extensible Storage Engine (ESE) format, we should work directly with the ESE database itself and not use tools that interpret its data into a different format (many tools will convert the ESE to SQLite). Because SRUM uses Extensions that are recorded in the SOFTWARE hive, the SOFTWARE hive should also be checked for differences.

Windows Versions Used

The following versions were used for generating the data in this research.
Server 2019 Version: Windows Server 2019 Standard (Desktop Experience)
Windows 10 Version: Windows 10 Enterprise

Table Differences

The following table schemas are resolved with a script (srum_schema.py) that uses pyesedb and yarp to resolve SRUM data. pyesedb allows us to work with the ESE format, and yarp allows us to work with the Registry and take transaction logs into account.

Base Tables

After reviewing SRUM’s base set of tables (tables not in the extensions), they appear to remain the same across Windows 10 and Server 2019.
Columns (flattened here): Windows 10 | Server 2019 Desktop Experience | Status
---------------------------------------
Table: MSysObjects
---------------------------------------
ObjidTable -> INTEGER_32BIT_SIGNED
Type -> INTEGER_16BIT_SIGNED
Id -> INTEGER_32BIT_SIGNED
ColtypOrPgnoFDP -> INTEGER_32BIT_SIGNED
SpaceUsage -> INTEGER_32BIT_SIGNED
Flags -> INTEGER_32BIT_SIGNED
PagesOrLocale -> INTEGER_32BIT_SIGNED
RootFlag -> BOOLEAN
RecordOffset -> INTEGER_16BIT_SIGNED
LCMapFlags -> INTEGER_32BIT_SIGNED
KeyMost -> INTEGER_16BIT_UNSIGNED
LVChunkMax -> INTEGER_32BIT_SIGNED
Name -> TEXT
Stats -> BINARY_DATA
TemplateTable -> TEXT
DefaultValue -> BINARY_DATA
KeyFldIDs -> BINARY_DATA
VarSegMac -> BINARY_DATA
ConditionalColumns -> BINARY_DATA
TupleLimits -> BINARY_DATA
Version -> BINARY_DATA
SortID -> BINARY_DATA
CallbackData -> LARGE_BINARY_DATA
CallbackDependencies -> LARGE_BINARY_DATA
SeparateLV -> LARGE_BINARY_DATA
SpaceHints -> LARGE_BINARY_DATA
SpaceDeferredLVHints -> LARGE_BINARY_DATA
LocaleName -> LARGE_BINARY_DATA
---------------------------------------
Table: MSysObjects
---------------------------------------
ObjidTable -> INTEGER_32BIT_SIGNED
Type -> INTEGER_16BIT_SIGNED
Id -> INTEGER_32BIT_SIGNED
ColtypOrPgnoFDP -> INTEGER_32BIT_SIGNED
SpaceUsage -> INTEGER_32BIT_SIGNED
Flags -> INTEGER_32BIT_SIGNED
PagesOrLocale -> INTEGER_32BIT_SIGNED
RootFlag -> BOOLEAN
RecordOffset -> INTEGER_16BIT_SIGNED
LCMapFlags -> INTEGER_32BIT_SIGNED
KeyMost -> INTEGER_16BIT_UNSIGNED
LVChunkMax -> INTEGER_32BIT_SIGNED
Name -> TEXT
Stats -> BINARY_DATA
TemplateTable -> TEXT
DefaultValue -> BINARY_DATA
KeyFldIDs -> BINARY_DATA
VarSegMac -> BINARY_DATA
ConditionalColumns -> BINARY_DATA
TupleLimits -> BINARY_DATA
Version -> BINARY_DATA
SortID -> BINARY_DATA
CallbackData -> LARGE_BINARY_DATA
CallbackDependencies -> LARGE_BINARY_DATA
SeparateLV -> LARGE_BINARY_DATA
SpaceHints -> LARGE_BINARY_DATA
SpaceDeferredLVHints -> LARGE_BINARY_DATA
LocaleName -> LARGE_BINARY_DATA
Both table schemas match.
---------------------------------------
Table: MSysObjectsShadow
---------------------------------------
ObjidTable -> INTEGER_32BIT_SIGNED
Type -> INTEGER_16BIT_SIGNED
Id -> INTEGER_32BIT_SIGNED
ColtypOrPgnoFDP -> INTEGER_32BIT_SIGNED
SpaceUsage -> INTEGER_32BIT_SIGNED
Flags -> INTEGER_32BIT_SIGNED
PagesOrLocale -> INTEGER_32BIT_SIGNED
RootFlag -> BOOLEAN
RecordOffset -> INTEGER_16BIT_SIGNED
LCMapFlags -> INTEGER_32BIT_SIGNED
KeyMost -> INTEGER_16BIT_UNSIGNED
LVChunkMax -> INTEGER_32BIT_SIGNED
Name -> TEXT
Stats -> BINARY_DATA
TemplateTable -> TEXT
DefaultValue -> BINARY_DATA
KeyFldIDs -> BINARY_DATA
VarSegMac -> BINARY_DATA
ConditionalColumns -> BINARY_DATA
TupleLimits -> BINARY_DATA
Version -> BINARY_DATA
SortID -> BINARY_DATA
CallbackData -> LARGE_BINARY_DATA
CallbackDependencies -> LARGE_BINARY_DATA
SeparateLV -> LARGE_BINARY_DATA
SpaceHints -> LARGE_BINARY_DATA
SpaceDeferredLVHints -> LARGE_BINARY_DATA
LocaleName -> LARGE_BINARY_DATA
---------------------------------------
Table: MSysObjectsShadow
---------------------------------------
ObjidTable -> INTEGER_32BIT_SIGNED
Type -> INTEGER_16BIT_SIGNED
Id -> INTEGER_32BIT_SIGNED
ColtypOrPgnoFDP -> INTEGER_32BIT_SIGNED
SpaceUsage -> INTEGER_32BIT_SIGNED
Flags -> INTEGER_32BIT_SIGNED
PagesOrLocale -> INTEGER_32BIT_SIGNED
RootFlag -> BOOLEAN
RecordOffset -> INTEGER_16BIT_SIGNED
LCMapFlags -> INTEGER_32BIT_SIGNED
KeyMost -> INTEGER_16BIT_UNSIGNED
LVChunkMax -> INTEGER_32BIT_SIGNED
Name -> TEXT
Stats -> BINARY_DATA
TemplateTable -> TEXT
DefaultValue -> BINARY_DATA
KeyFldIDs -> BINARY_DATA
VarSegMac -> BINARY_DATA
ConditionalColumns -> BINARY_DATA
TupleLimits -> BINARY_DATA
Version -> BINARY_DATA
SortID -> BINARY_DATA
CallbackData -> LARGE_BINARY_DATA
CallbackDependencies -> LARGE_BINARY_DATA
SeparateLV -> LARGE_BINARY_DATA
SpaceHints -> LARGE_BINARY_DATA
SpaceDeferredLVHints -> LARGE_BINARY_DATA
LocaleName -> LARGE_BINARY_DATA
Both table schemas match.
---------------------------------------
Table: MSysObjids
---------------------------------------
objid -> INTEGER_32BIT_SIGNED
objidTable -> INTEGER_32BIT_SIGNED
type -> INTEGER_16BIT_SIGNED
---------------------------------------
Table: MSysObjids
---------------------------------------
objid -> INTEGER_32BIT_SIGNED
objidTable -> INTEGER_32BIT_SIGNED
type -> INTEGER_16BIT_SIGNED
Both table schemas match.
---------------------------------------
Table: MSysLocales
---------------------------------------
Type -> INTEGER_8BIT_UNSIGNED
iValue -> INTEGER_32BIT_SIGNED
Key -> BINARY_DATA
---------------------------------------
Table: MSysLocales
---------------------------------------
Type -> INTEGER_8BIT_UNSIGNED
iValue -> INTEGER_32BIT_SIGNED
Key -> BINARY_DATA
Both table schemas match.
---------------------------------------
Table: SruDbIdMapTable
---------------------------------------
IdType -> INTEGER_8BIT_UNSIGNED
IdIndex -> INTEGER_32BIT_SIGNED
IdBlob -> LARGE_BINARY_DATA
---------------------------------------
Table: SruDbIdMapTable
---------------------------------------
IdType -> INTEGER_8BIT_UNSIGNED
IdIndex -> INTEGER_32BIT_SIGNED
IdBlob -> LARGE_BINARY_DATA
Both table schemas match.
---------------------------------------
Table: SruDbCheckpointTable
---------------------------------------
ProviderId -> GUID
CheckpointId -> INTEGER_32BIT_SIGNED
NextIncId -> INTEGER_32BIT_SIGNED
SeqNumber -> BINARY_DATA
RecordSet -> LARGE_BINARY_DATA
---------------------------------------
Table: SruDbCheckpointTable
---------------------------------------
ProviderId -> GUID
CheckpointId -> INTEGER_32BIT_SIGNED
NextIncId -> INTEGER_32BIT_SIGNED
SeqNumber -> BINARY_DATA
RecordSet -> LARGE_BINARY_DATA
Both table schemas match.

Extended Tables

The differences between Windows 10 and Server 2019 start appearing when looking at the “Extension” tables. See the section Resolving Extended GUIDs for more information on registered Extensions and their enumeration. It would appear that DLLs register the Extension, and thus it is expected to see differences in these tables between systems depending on the services or applications that exist. That being said, let’s look at some common tables.
Columns (flattened here): Windows 10 | Server 2019 Desktop Experience | Notes
---------------------------------------
Table: {973F5D5C-1D90-4944-BE8E-24B94231A174}
[Windows Network Data Usage Monitor]
-- Extension Key Values from SOFTWARE hive --
: Windows Network Data Usage Monitor
DllName: %SystemRoot%\System32\nduprov.dll
---------------------------------------
AutoIncId -> INTEGER_32BIT_SIGNED
TimeStamp -> DATE_TIME
AppId -> INTEGER_32BIT_SIGNED
UserId -> INTEGER_32BIT_SIGNED
InterfaceLuid -> INTEGER_64BIT_SIGNED
L2ProfileId -> INTEGER_32BIT_SIGNED
L2ProfileFlags -> INTEGER_32BIT_SIGNED
BytesSent -> INTEGER_64BIT_SIGNED
BytesRecvd -> INTEGER_64BIT_SIGNED

This is where things get interesting. The “Windows Network Data Usage Monitor” table does not seem to exist on my fresh install of Server 2019 Standard. This has been a very useful table and is used by SrumMonkey to generate meaningful network data reports.

Upon examining Server 2019’s Windows\System32 folder, no ‘nduprov.dll’ exists.

Though Server 2019’s table “{EEE2F477-0659-5C47-EF03-6D6BEFD441B3}” (SDP Network Provider) appears to be somewhat of a replacement for network byte usage. [Further down in table]
---------------------------------------
Table: {D10CA2FE-6FCF-4F6D-848E-B2E99266FA89} [Application Resource Usage Provider]
-- Extension Key Values from SOFTWARE hive --
: Application Resource Usage Provider
DllName: %SystemRoot%\System32\appsruprov.dll
---------------------------------------
AutoIncId -> INTEGER_32BIT_SIGNED
TimeStamp -> DATE_TIME
AppId -> INTEGER_32BIT_SIGNED
UserId -> INTEGER_32BIT_SIGNED
ForegroundCycleTime -> INTEGER_64BIT_SIGNED
BackgroundCycleTime -> INTEGER_64BIT_SIGNED
FaceTime -> INTEGER_64BIT_SIGNED
ForegroundContextSwitches -> INTEGER_32BIT_SIGNED
BackgroundContextSwitches -> INTEGER_32BIT_SIGNED
ForegroundBytesRead -> INTEGER_64BIT_SIGNED
ForegroundBytesWritten -> INTEGER_64BIT_SIGNED
ForegroundNumReadOperations -> INTEGER_32BIT_SIGNED
ForegroundNumWriteOperations -> INTEGER_32BIT_SIGNED
ForegroundNumberOfFlushes -> INTEGER_32BIT_SIGNED
BackgroundBytesRead -> INTEGER_64BIT_SIGNED
BackgroundBytesWritten -> INTEGER_64BIT_SIGNED
BackgroundNumReadOperations -> INTEGER_32BIT_SIGNED
BackgroundNumWriteOperations -> INTEGER_32BIT_SIGNED
BackgroundNumberOfFlushes -> INTEGER_32BIT_SIGNED
---------------------------------------
Table: {D10CA2FE-6FCF-4F6D-848E-B2E99266FA89} [Application Resource Usage Provider]
-- Extension Key Values from SOFTWARE hive --
: Application Resource Usage Provider
DllName: %SystemRoot%\System32\appsruprov.dll
---------------------------------------
AutoIncId -> INTEGER_32BIT_SIGNED
TimeStamp -> DATE_TIME
AppId -> INTEGER_32BIT_SIGNED
UserId -> INTEGER_32BIT_SIGNED
ForegroundCycleTime -> INTEGER_64BIT_SIGNED
BackgroundCycleTime -> INTEGER_64BIT_SIGNED
FaceTime -> INTEGER_64BIT_SIGNED
ForegroundContextSwitches -> INTEGER_32BIT_SIGNED
BackgroundContextSwitches -> INTEGER_32BIT_SIGNED
ForegroundBytesRead -> INTEGER_64BIT_SIGNED
ForegroundBytesWritten -> INTEGER_64BIT_SIGNED
ForegroundNumReadOperations -> INTEGER_32BIT_SIGNED
ForegroundNumWriteOperations -> INTEGER_32BIT_SIGNED
ForegroundNumberOfFlushes -> INTEGER_32BIT_SIGNED
BackgroundBytesRead -> INTEGER_64BIT_SIGNED
BackgroundBytesWritten -> INTEGER_64BIT_SIGNED
BackgroundNumReadOperations -> INTEGER_32BIT_SIGNED
BackgroundNumWriteOperations -> INTEGER_32BIT_SIGNED
BackgroundNumberOfFlushes -> INTEGER_32BIT_SIGNED
This table is utilized by appsruprov.dll (Application Resource Usage Provider), and its schema remains unchanged on Server 2019 Standard. This is a common table for most tools, including SrumMonkey, to utilize.
---------------------------------------
Table: {DA73FB89-2BEA-4DDC-86B8-6E048C6DA477}
[Energy Estimation Provider]
-- Extension Key Values from SOFTWARE hive --
: Energy Estimation Provider
CapabilityFlags: 506
DllName: %SystemRoot%\System32\eeprov.dll
Tier2MaxEntries: 168
---------------------------------------
AutoIncId -> INTEGER_32BIT_SIGNED
TimeStamp -> DATE_TIME
AppId -> INTEGER_32BIT_SIGNED
UserId -> INTEGER_32BIT_SIGNED
BinaryData -> BINARY_DATA

Does not exist on Server 2019
---------------------------------------
Table: {DD6636C4-8929-4683-974E-22C046A43763}
[Windows Network Connectivity Usage Monitor]
-- Extension Key Values from SOFTWARE hive --
: Windows Network Connectivity Usage Monitor
DllName: %SystemRoot%\System32\ncuprov.dll
---------------------------------------
AutoIncId -> INTEGER_32BIT_SIGNED
TimeStamp -> DATE_TIME
AppId -> INTEGER_32BIT_SIGNED
UserId -> INTEGER_32BIT_SIGNED
InterfaceLuid -> INTEGER_64BIT_SIGNED
L2ProfileId -> INTEGER_32BIT_SIGNED
ConnectedTime -> INTEGER_32BIT_SIGNED
ConnectStartTime -> INTEGER_64BIT_SIGNED
L2ProfileFlags -> INTEGER_32BIT_SIGNED
---------------------------------------
Table: {DD6636C4-8929-4683-974E-22C046A43763}
[Windows Network Connectivity Usage Monitor]
-- Extension Key Values from SOFTWARE hive --
: Windows Network Connectivity Usage Monitor
DllName: %SystemRoot%\System32\ncuprov.dll
---------------------------------------
AutoIncId -> INTEGER_32BIT_SIGNED
TimeStamp -> DATE_TIME
AppId -> INTEGER_32BIT_SIGNED
UserId -> INTEGER_32BIT_SIGNED
InterfaceLuid -> INTEGER_64BIT_SIGNED
L2ProfileId -> INTEGER_32BIT_SIGNED
ConnectedTime -> INTEGER_32BIT_SIGNED
ConnectStartTime -> INTEGER_64BIT_SIGNED
L2ProfileFlags -> INTEGER_32BIT_SIGNED
Both table schemas match.
---------------------------------------
Table: {D10CA2FE-6FCF-4F6D-848E-B2E99266FA86}
[WPN SRUM Provider]
-- Extension Key Values from SOFTWARE hive --
: WPN SRUM Provider
DllName: %SystemRoot%\System32\wpnsruprov.dll
---------------------------------------
AutoIncId -> INTEGER_32BIT_SIGNED
TimeStamp -> DATE_TIME
AppId -> INTEGER_32BIT_SIGNED
UserId -> INTEGER_32BIT_SIGNED
NotificationType -> INTEGER_32BIT_SIGNED
PayloadSize -> INTEGER_32BIT_SIGNED
NetworkType -> INTEGER_32BIT_SIGNED

Does not exist on Server 2019
---------------------------------------
Table: {FEE4E14F-02A9-4550-B5CE-5FA2DA202E37}
[Energy Usage Provider]
-- Extension Key Values from SOFTWARE hive --
: Energy Usage Provider
CapabilityFlags: 25
DllName: %SystemRoot%\System32\energyprov.dll
LastLongTermUpdate: 131898800885695180
---------------------------------------
AutoIncId -> INTEGER_32BIT_SIGNED
TimeStamp -> DATE_TIME
AppId -> INTEGER_32BIT_SIGNED
UserId -> INTEGER_32BIT_SIGNED
EventTimestamp -> INTEGER_64BIT_SIGNED
StateTransition -> INTEGER_32BIT_SIGNED
DesignedCapacity -> INTEGER_32BIT_SIGNED
FullChargedCapacity -> INTEGER_32BIT_SIGNED
ChargeLevel -> INTEGER_32BIT_SIGNED
CycleCount -> INTEGER_32BIT_SIGNED
ConfigurationHash -> INTEGER_64BIT_SIGNED

Does not exist on Server 2019
---------------------------------------
Table: {FEE4E14F-02A9-4550-B5CE-5FA2DA202E37}LT
[Energy Usage Provider]
-- Extension Key Values from SOFTWARE hive --
: Energy Usage Provider
CapabilityFlags: 25
DllName: %SystemRoot%\System32\energyprov.dll
LastLongTermUpdate: 131898800885695180
---------------------------------------
AutoIncId -> INTEGER_32BIT_SIGNED
TimeStamp -> DATE_TIME
AppId -> INTEGER_32BIT_SIGNED
UserId -> INTEGER_32BIT_SIGNED
ActiveAcTime -> INTEGER_32BIT_SIGNED
CsAcTime -> INTEGER_32BIT_SIGNED
ActiveDcTime -> INTEGER_32BIT_SIGNED
CsDcTime -> INTEGER_32BIT_SIGNED
ActiveDischargeTime -> INTEGER_32BIT_SIGNED
CsDischargeTime -> INTEGER_32BIT_SIGNED
ActiveEnergy -> INTEGER_32BIT_SIGNED
CsEnergy -> INTEGER_32BIT_SIGNED
DesignedCapacity -> INTEGER_32BIT_SIGNED
FullChargedCapacity -> INTEGER_32BIT_SIGNED
CycleCount -> INTEGER_32BIT_SIGNED
ConfigurationHash -> INTEGER_64BIT_SIGNED

Does not exist on Server 2019
---------------------------------------
Table: {5C8CF1C7-7257-4F13-B223-970EF5939312}
[App Timeline Provider]
-- Extension Key Values from SOFTWARE hive --
: App Timeline Provider
CapabilityFlags: 250
DllName: %SystemRoot%\System32\eeprov.dll
Tier2MaxEntries: 168
---------------------------------------
AutoIncId -> INTEGER_32BIT_SIGNED
TimeStamp -> DATE_TIME
AppId -> INTEGER_32BIT_SIGNED
UserId -> INTEGER_32BIT_SIGNED
Flags -> INTEGER_32BIT_SIGNED
EndTime -> INTEGER_64BIT_SIGNED
DurationMS -> INTEGER_32BIT_SIGNED
SpanMS -> INTEGER_32BIT_SIGNED
TimelineEnd -> INTEGER_32BIT_SIGNED
InFocusTimeline -> INTEGER_64BIT_SIGNED
UserInputTimeline -> INTEGER_64BIT_SIGNED
CompRenderedTimeline -> INTEGER_64BIT_SIGNED
CompDirtiedTimeline -> INTEGER_64BIT_SIGNED
CompPropagatedTimeline -> INTEGER_64BIT_SIGNED
AudioInTimeline -> INTEGER_64BIT_SIGNED
AudioOutTimeline -> INTEGER_64BIT_SIGNED
CpuTimeline -> INTEGER_64BIT_SIGNED
DiskTimeline -> INTEGER_64BIT_SIGNED
NetworkTimeline -> INTEGER_64BIT_SIGNED
MBBTimeline -> INTEGER_64BIT_SIGNED
InFocusS -> INTEGER_32BIT_SIGNED
PSMForegroundS -> INTEGER_32BIT_SIGNED
UserInputS -> INTEGER_32BIT_SIGNED
CompRenderedS -> INTEGER_32BIT_SIGNED
CompDirtiedS -> INTEGER_32BIT_SIGNED
CompPropagatedS -> INTEGER_32BIT_SIGNED
AudioInS -> INTEGER_32BIT_SIGNED
AudioOutS -> INTEGER_32BIT_SIGNED
Cycles -> INTEGER_64BIT_SIGNED
CyclesBreakdown -> INTEGER_64BIT_SIGNED
CyclesAttr -> INTEGER_64BIT_SIGNED
CyclesAttrBreakdown -> INTEGER_64BIT_SIGNED
CyclesWOB -> INTEGER_64BIT_SIGNED
CyclesWOBBreakdown -> INTEGER_64BIT_SIGNED
DiskRaw -> INTEGER_64BIT_SIGNED
NetworkTailRaw -> INTEGER_64BIT_SIGNED
NetworkBytesRaw -> INTEGER_64BIT_SIGNED
MBBTailRaw -> INTEGER_64BIT_SIGNED
MBBBytesRaw -> INTEGER_64BIT_SIGNED
DisplayRequiredS -> INTEGER_32BIT_SIGNED
DisplayRequiredTimeline -> INTEGER_64BIT_SIGNED
KeyboardInputTimeline -> INTEGER_64BIT_SIGNED
KeyboardInputS -> INTEGER_32BIT_SIGNED
MouseInputS -> INTEGER_32BIT_SIGNED

Does not exist on Server 2019
---------------------------------------
Table: {7ACBBAA3-D029-4BE4-9A7A-0885927F1D8F}
[vfuprov]
-- Extension Key Values from SOFTWARE hive --
: vfuprov
DllName: %SystemRoot%\System32\vfuprov.dll
---------------------------------------
AutoIncId -> INTEGER_32BIT_SIGNED
TimeStamp -> DATE_TIME
AppId -> INTEGER_32BIT_SIGNED
UserId -> INTEGER_32BIT_SIGNED
Flags -> INTEGER_32BIT_SIGNED
StartTime -> INTEGER_64BIT_SIGNED
EndTime -> INTEGER_64BIT_SIGNED
Usage -> BINARY_DATA

Does not exist on Server 2019

---------------------------------------
Table: {17F4D97B-F26A-5E79-3A82-90040A47D13D}
[SDP Volume Provider]
-- Extension Key Values from SOFTWARE hive --
: SDP Volume Provider
CapabilityFlags: 0
DllName: %SystemRoot%\System32\sdprov.dll
Tier2MaxEntries: 9000
---------------------------------------
AutoIncId -> INTEGER_32BIT_SIGNED
TimeStamp -> DATE_TIME
AppId -> INTEGER_32BIT_SIGNED
UserId -> INTEGER_32BIT_SIGNED
Total -> INTEGER_64BIT_SIGNED
Used -> INTEGER_64BIT_SIGNED
Does not exist on Windows 10

---------------------------------------
Table: {841A7317-3805-518B-C2EA-AD224CB4AF84}
[SDP Physical Disk Provider]
-- Extension Key Values from SOFTWARE hive --
: SDP Physical Disk Provider
CapabilityFlags: 0
DllName: %SystemRoot%\System32\sdprov.dll
Tier2MaxEntries: 9000
---------------------------------------
AutoIncId -> INTEGER_32BIT_SIGNED
TimeStamp -> DATE_TIME
AppId -> INTEGER_32BIT_SIGNED
UserId -> INTEGER_32BIT_SIGNED
SizeInBytes -> INTEGER_64BIT_SIGNED
Does not exist on Windows 10

---------------------------------------
Table: {DC3D3B50-BB90-5066-FA4E-A5F90DD8B677}
[SDP Cpu Provider]
-- Extension Key Values from SOFTWARE hive --
: SDP Cpu Provider
CapabilityFlags: 0
DllName: %SystemRoot%\System32\sdprov.dll
Tier2MaxEntries: 9000
---------------------------------------
AutoIncId -> INTEGER_32BIT_SIGNED
TimeStamp -> DATE_TIME
AppId -> INTEGER_32BIT_SIGNED
UserId -> INTEGER_32BIT_SIGNED
ProcessorTime -> INTEGER_64BIT_SIGNED
Does not exist on Windows 10

---------------------------------------
Table: {EEE2F477-0659-5C47-EF03-6D6BEFD441B3}
[SDP Network Provider]
-- Extension Key Values from SOFTWARE hive --
: SDP Network Provider
CapabilityFlags: 0
DllName: %SystemRoot%\System32\sdprov.dll
Tier2MaxEntries: 9000
---------------------------------------
AutoIncId -> INTEGER_32BIT_SIGNED
TimeStamp -> DATE_TIME
AppId -> INTEGER_32BIT_SIGNED
UserId -> INTEGER_32BIT_SIGNED
BytesInBound -> INTEGER_64BIT_SIGNED
BytesOutBound -> INTEGER_64BIT_SIGNED
BytesTotal -> INTEGER_64BIT_SIGNED
Does not exist on Windows 10

This seems like a replacement for the Windows 10 “Windows Network Data Usage Monitor” table. That being said, it lacks interface IDs.


Resolving Extended GUIDs

As with Windows 10, Server 2019 maintains the SRUM extended GUIDs and format under the SOFTWARE registry key `Microsoft\Windows NT\CurrentVersion\SRUM\Extensions`. This key has multiple sub-keys, which are the GUIDs. For each GUID key, the default value is the descriptor of the GUID. See below for example:
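The script below is an added example, not part of Matt's submission and not his srum_schema.py. It covers the two mechanical steps of his methodology: comparing the table schemas of two SRUM databases (reporting tables present on one side only, and columns added, dropped or retyped, the same findings the tables above record by hand) and labelling each extension table with the default value and DllName registered under the Extensions key, including the `{GUID}LT` long-term table, which shares its parent GUID's key. `parse_schema_dump` reads the plain-text dump format used above, so the embedded sample input (constructed and abridged from the dumps above) runs offline; `dump_schema_live` and `resolve_extensions_live` read a real SRUDB.dat and SOFTWARE hive and assume pyesedb and yarp are installed, and are not exercised by the sample.

```python
import re
from typing import Dict, List, Tuple

# SRUM extensions are registered under this key, relative to the SOFTWARE hive root.
EXTENSIONS_KEY = r"Microsoft\Windows NT\CurrentVersion\SRUM\Extensions"
TABLE_RE = re.compile(r"^Table:\s*(\S+)")
COLUMN_RE = re.compile(r"^(\w+)\s*->\s*([A-Z0-9_]+)$")
Schema = Dict[str, Dict[str, str]]  # {table: {column: type name}}

def parse_schema_dump(text: str) -> Schema:
    """Parse 'Table: X' and 'Column -> TYPE' lines; every other line is ignored."""
    tables: Schema = {}
    current = None
    for line in map(str.strip, text.splitlines()):
        m = TABLE_RE.match(line)
        if m:
            current = m.group(1)
            tables.setdefault(current, {})
            continue
        m = COLUMN_RE.match(line)
        if m and current is not None:
            tables[current][m.group(1)] = m.group(2)
    return tables

def diff_schemas(left: Schema, right: Schema) -> List[Tuple[str, str]]:
    """(table, finding) pairs: tables on one side only; columns added, dropped or retyped."""
    findings: List[Tuple[str, str]] = []
    for table in sorted(set(left) | set(right)):
        if table not in right:
            findings.append((table, "missing on right"))
        elif table not in left:
            findings.append((table, "missing on left"))
        else:
            lcols, rcols, before = left[table], right[table], len(findings)
            for col in sorted(set(lcols) | set(rcols)):
                if col not in rcols:
                    findings.append((table, f"column {col} dropped on right"))
                elif col not in lcols:
                    findings.append((table, f"column {col} added on right"))
                elif lcols[col] != rcols[col]:
                    findings.append((table, f"column {col} type {lcols[col]} -> {rcols[col]}"))
            if len(findings) == before:
                findings.append((table, "schemas match"))
    return findings

def describe_table(table: str, extensions: Dict[str, dict]) -> str:
    """Label a table with its extension's default value (name '') and DllName.
    '{GUID}LT' is the long-term companion table and shares the '{GUID}' key."""
    guid = table[:-2] if table.endswith("}LT") else table
    ext = {k.upper(): v for k, v in extensions.items()}.get(guid.upper())  # key names are case-insensitive
    if ext is None:
        return f"{table} [no extension registered]"
    return f"{table} [{ext.get('', '?')}] via {ext.get('DllName', '?')}"

def dump_schema_live(srudb_path: str) -> Schema:
    """Same shape as parse_schema_dump(), read straight from SRUDB.dat. Assumes pyesedb
    is installed; column types are pyesedb's integer codes. Not run in this example."""
    import pyesedb  # assumption: libesedb Python bindings available
    db = pyesedb.file()
    db.open(srudb_path)
    try:
        schema: Schema = {}
        for i in range(db.get_number_of_tables()):
            table = db.get_table(i)
            schema[table.name] = {table.get_column(j).name: str(table.get_column(j).type)
                                  for j in range(table.get_number_of_columns())}
        return schema
    finally:
        db.close()

def resolve_extensions_live(software_hive_path: str) -> Dict[str, dict]:
    """GUID -> {value name: data} from an offline SOFTWARE hive. Assumes yarp. Not run here."""
    from yarp import Registry  # assumption: yarp available
    key = Registry.RegistryHive(open(software_hive_path, "rb")).find_key(EXTENSIONS_KEY)
    return {} if key is None else {s.name(): {v.name(): v.data() for v in s.values()} for s in key.subkeys()}

# Constructed sample input, abridged from the dumps above (not live tool output).
WIN10_DUMP = r"""
Table: {973F5D5C-1D90-4944-BE8E-24B94231A174}
DllName: %SystemRoot%\System32\nduprov.dll
AutoIncId -> INTEGER_32BIT_SIGNED
InterfaceLuid -> INTEGER_64BIT_SIGNED
BytesSent -> INTEGER_64BIT_SIGNED
Table: {DD6636C4-8929-4683-974E-22C046A43763}
AutoIncId -> INTEGER_32BIT_SIGNED
ConnectedTime -> INTEGER_32BIT_SIGNED
"""
SERVER2019_DUMP = r"""
Table: {DD6636C4-8929-4683-974E-22C046A43763}
AutoIncId -> INTEGER_32BIT_SIGNED
ConnectedTime -> INTEGER_32BIT_SIGNED
Table: {EEE2F477-0659-5C47-EF03-6D6BEFD441B3}
AutoIncId -> INTEGER_32BIT_SIGNED
BytesInBound -> INTEGER_64BIT_SIGNED
"""
EXTENSIONS = {  # shape returned by resolve_extensions_live(); values copied from the keys shown above
    "{973F5D5C-1D90-4944-BE8E-24B94231A174}": {"": "Windows Network Data Usage Monitor", "DllName": r"%SystemRoot%\System32\nduprov.dll"},
    "{FEE4E14F-02A9-4550-B5CE-5FA2DA202E37}": {"": "Energy Usage Provider", "DllName": r"%SystemRoot%\System32\energyprov.dll"},
}
```

Running `diff_schemas(parse_schema_dump(WIN10_DUMP), parse_schema_dump(SERVER2019_DUMP))` on the sample yields the three findings the tables above report for those GUIDs: the nduprov table missing on the right, the ncuprov table matching, and the SDP Network Provider table missing on the left; feeding each table name through `describe_table(name, EXTENSIONS)` turns the GUIDs into the provider names. When comparing two live databases, pass both sides through `dump_schema_live` so the column types are in the same (numeric) form, and resolve the extensions from the SOFTWARE hive of the same image rather than a live machine.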
