Windows 7 Reliability Monitor Forensic Artifacts

The ParseRacWmi tool mentioned here has been updated! See this post for more information.

————————————-

The Windows Reliability Monitor is a tool that runs by default on all editions of Windows 7 and 8, as well as Vista and Server 2008. This diagnostic tool records changes to a computer that could possibly affect its stability, and its data can be viewed on a live system by digging deep into the Control Panel. This information can prove useful in developing a timeline of events for a forensic or incident response examination.

Some of the information logged by the Reliability Monitor includes:

  • Software installs, updates, modifications, and uninstalls
  • Driver installation
  • Windows Update installs (and failed installs)
  • Application Faults
  • Unexpected Shutdowns
  • OS information changes (computer name change, etc.)

As you can see, there are cases where having this information could be extremely useful. This information is not easily removed from the system, so even after someone clears the event logs, it would still be available. In all editions of Windows before 8.1 (more on that later), the data is stored in a SQL CE database called

C:\ProgramData\Microsoft\RAC\PublishedData\RacWmiDatabase.sdf

The data we are looking for is stored in a series of tables. There are other tables related to the Reliability Index, but the tables we are most interested in are:

  • RacWmiEventData
  • RacWmiEventStringHash
  • RacWmiEventDetailStringHash
  • RacWmiEventDataDetail
  • RacWmiMessageStringHash
  • RacWmiEventProductNameStringHash

With the exception of RacWmiEventData and RacWmiEventDataDetail, each table has the same columns:

  • Idx (INT)
  • HashValue (Long INT)
  • StringData (Text)

RacWmiEventDataDetail has the following columns:

  • Idx (INT)
  • Fk_Idx (INT) – Foreign key that points to the Idx value in RacWmiEventData
  • PositionID (INT)
  • StringID (Long INT)

RacWmiEventData is the main table, with pointers to the HashValues stored in the sub tables:

  • Idx
  • DataSetID
  • ChannelID
  • ProviderID
  • EventID
  • ComputerNameID
  • ProductNameID
  • UserNameID
  • MessageID
  • EventTime
  • RecordNumber
  • RelmonID

We can bring all of this information together by using a monster SQL JOIN:

SELECT distinct  RacWmiEventData.Idx, RacWmiEventData.EventID, RacWmiEventData.EventTime, RacWmiEventData.RecordNumber,
RacWmiEventProductNameStringHash.StringData, RacWmiMessageStringHash.StringData AS Expr1, RacWmiEventStringHash.StringData AS UserName,
RacWmiEventStringHash_1.StringData AS ProviderName, RacWmiEventStringHash_2.StringData AS Channel,
RacWmiEventStringHash_3.StringData AS ComputerName
FROM RacWmiEventStringHash AS RacWmiEventStringHash_1 INNER JOIN
RacWmiEventData INNER JOIN
RacWmiEventStringHash ON RacWmiEventData.UserNameID = RacWmiEventStringHash.HashValue ON
RacWmiEventStringHash_1.HashValue = RacWmiEventData.ProviderID INNER JOIN
RacWmiEventStringHash AS RacWmiEventStringHash_2 ON RacWmiEventData.ChannelID = RacWmiEventStringHash_2.HashValue INNER JOIN
RacWmiEventStringHash AS RacWmiEventStringHash_3 ON RacWmiEventData.ComputerNameID = RacWmiEventStringHash_3.HashValue LEFT OUTER JOIN
RacWmiEventDataDetail ON RacWmiEventData.Idx = RacWmiEventDataDetail.Fk_Idx LEFT OUTER JOIN
RacWmiMessageStringHash ON RacWmiEventData.MessageID = RacWmiMessageStringHash.HashValue LEFT OUTER JOIN
RacWmiEventProductNameStringHash ON RacWmiEventData.ProductNameID = RacWmiEventProductNameStringHash.HashValue

Getting the multiline string values for the detail requires an additional query:

SELECT RacWmiEventData.Idx, RacWmiEventDetailStringHash.StringData AS Expr2
FROM RacWmiEventDetailStringHash INNER JOIN
RacWmiEventDataDetail ON RacWmiEventDetailStringHash.HashValue = RacWmiEventDataDetail.StringID RIGHT OUTER JOIN
RacWmiEventData ON RacWmiEventDataDetail.Fk_Idx = RacWmiEventData.Idx
ORDER BY RacWmiEventData.Idx, RacWmiEventDataDetail.PositionID
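To show how the tables above fit together, here is an added example (not code from this post or from ParseRacWmi) that recreates the schema in sqlite3 with a few constructed rows, runs the equivalent of both queries, and reassembles the multi-line detail for each event. Using sqlite3 in place of SQL CE is an assumption made so it runs offline; the real .sdf file still needs SQL Server Compact to open.

```python
import sqlite3
# Added example, not ParseRacWmi's code: sqlite3 stands in for the SQL CE file so the
# joins can be run offline. Names follow the schema above; all rows are constructed.
HASH_TABLES = ("RacWmiEventStringHash", "RacWmiMessageStringHash",
               "RacWmiEventProductNameStringHash", "RacWmiEventDetailStringHash")
SAMPLE = {  # table -> constructed rows (Idx, HashValue, StringData for the hash tables)
    "RacWmiEventStringHash": [(1, 11, "SYSTEM"), (2, 12, "MsiInstaller"), (3, 13, "Application"),
                              (4, 14, "WS01"), (5, 15, "Kernel-Power"), (6, 16, "System")],
    "RacWmiMessageStringHash": [(1, 21, "Installation success or error status: 0."),
                                (2, 22, "The system has rebooted without cleanly shutting down.")],
    "RacWmiEventProductNameStringHash": [(1, 31, "ExampleApp 1.0")],
    "RacWmiEventDetailStringHash": [(1, 41, "Product: ExampleApp 1.0"), (2, 42, "Status: 0")],
    "RacWmiEventDataDetail": [(1, 1, 1, 41), (2, 1, 2, 42)],  # Idx, Fk_Idx, PositionID, StringID
    # Idx, ChannelID, ProviderID, EventID, ComputerNameID, ProductNameID, UserNameID, MessageID, EventTime
    "RacWmiEventData": [(1, 13, 12, 11707, 14, 31, 11, 21, "2013-05-01 10:15:00"),
                        (2, 16, 15, 41, 14, None, 11, 22, "2013-05-02 08:00:00")],
}
# Same shape as the JOIN above: inner joins on the string-hash lookups, LEFT joins on message/product.
EVENT_SQL = """SELECT e.Idx, e.EventID, e.EventTime, p.StringData, m.StringData,
    u.StringData, pr.StringData, ch.StringData, cn.StringData FROM RacWmiEventData e
JOIN RacWmiEventStringHash u ON e.UserNameID = u.HashValue
JOIN RacWmiEventStringHash pr ON e.ProviderID = pr.HashValue
JOIN RacWmiEventStringHash ch ON e.ChannelID = ch.HashValue
JOIN RacWmiEventStringHash cn ON e.ComputerNameID = cn.HashValue
LEFT JOIN RacWmiMessageStringHash m ON e.MessageID = m.HashValue
LEFT JOIN RacWmiEventProductNameStringHash p ON e.ProductNameID = p.HashValue
ORDER BY e.Idx"""
# Detail text is stored one line per row; PositionID restores the line order.
DETAIL_SQL = """SELECT d.Fk_Idx, s.StringData FROM RacWmiEventDataDetail d
JOIN RacWmiEventDetailStringHash s ON d.StringID = s.HashValue ORDER BY d.Fk_Idx, d.PositionID"""
COLS = ("Idx", "EventID", "EventTime", "ProductName", "Message", "UserName", "ProviderName", "Channel", "ComputerName")

def load_sample():
    conn = sqlite3.connect(":memory:")
    for t in HASH_TABLES:
        conn.execute(f"CREATE TABLE {t} (Idx INT, HashValue INT, StringData TEXT)")
    conn.execute("CREATE TABLE RacWmiEventDataDetail (Idx INT, Fk_Idx INT, PositionID INT, StringID INT)")
    conn.execute("CREATE TABLE RacWmiEventData (Idx INT, ChannelID INT, ProviderID INT, EventID INT, ComputerNameID INT, ProductNameID INT, UserNameID INT, MessageID INT, EventTime TEXT)")
    for t, rows in SAMPLE.items():
        conn.executemany(f"INSERT INTO {t} VALUES ({','.join('?' * len(rows[0]))})", rows)
    return conn

def timeline(conn):
    """One dict per event, with the multi-line detail reassembled (what -detail adds)."""
    details = {}
    for fk, line in conn.execute(DETAIL_SQL):
        details.setdefault(fk, []).append(line)
    return [dict(zip(COLS, row), Detail="\n".join(details.get(row[0], [])))
            for row in conn.execute(EVENT_SQL)]
```

Note that the unexpected-shutdown row (Idx 2) has no product name and no detail rows; the LEFT joins keep it in the output, which is why the main query cannot use inner joins for those two lookups.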

ParseRacWMI

I have written a utility that can parse this information for you, called (oddly enough) ParseRacWmi. This is a command line utility that has the following usage:

ParseRacWMI -csv|-l2t [-detail] path\to\RacWmiDatabase.sdf

The CSV option kicks out a comma delimited file with all of the data from the query above. The L2T option outputs the data in a format suitable to include in a timeline. The -detail option is used if you want to include the multiline details for each row.

Windows 8.1

I first developed this tool for Windows 7 and was thrilled when Windows 8 kept the same format. Unfortunately, Microsoft decided to change the format in Windows 8.1. The file has been renamed to wmi.db and is now an ESE database file. The tables within the database do not appear to have changed, which is good news!

I am working on an updated version of the tool, and will post it here as soon as it is ready. Stay tuned!


3 Responses to Windows 7 Reliability Monitor Forensic Artifacts

  1. Pingback: Windows Reliability Monitor Forensic Artifacts [Updated!] | phx4n6

  2. Brian says:

    Good day- this will be a time saver however- I continue to receive the following when attempting to run on database. Any thoughts? “Unhandled Exception: System.IO.FileNotFoundException: Could not load file or assembly ‘System.Data.SqlServerCe, Version=3.5.1.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91′ or one of its dependencies. The system cannot find the file specified.
    at ParseRacWMI.Module1.ConnectSQLCEdb()
    at ParseRacWMI.Module1.Main()”

    I’ve attempted on multiple machines with multiple databases.

  3. phx4n6 says:

    Sorry for the confusion on that. I definitely should have mentioned that you will need to install SQL Server Compact 3.5 (found here: http://www.microsoft.com/en-us/download/details.aspx?id=5783) on your analysis machine to open Win7 or Win8.0 databases.

    Please let me know if you have any more trouble!
