The ParseRacWmi tool mentioned here has been updated! See this post for more information.
————————————-
The Windows Reliability Monitor is a tool that runs by default on all editions of Windows 7 and 8, as well as Vista and Server 2008. This diagnostic tool records changes to a computer that could possibly affect its stability, and the results can be viewed on a live system by digging deep into the Control Panel. This information can prove useful in developing a timeline of events for a forensic or incident response examination.
Some of the information logged by the Reliability Monitor includes:
- Software installs, updates, modifications, and uninstalls
- Driver installation
- Windows Update installs (and failed installs)
- Application Faults
- Unexpected Shutdowns
- OS Information changes (Computer name change, etc)
As you can see, there are cases where having this information could be extremely useful. It is not easily removed from the system, so even after someone clears the event logs, this information would still be available. In all editions of Windows before 8.1 (more on that later), the data is stored in a SQL CE database called
C:\ProgramData\Microsoft\RAC\PublishedData\RacWmiDatabase.sdf
The data we are looking for is stored in a series of tables. There are other tables related to the Reliability Index, but the tables we are most interested in are:
- RacWmiEventData
- RacWmiEventStringHash
- RacWmiEventDetailStringHash
- RacWmiEventDataDetail
- RacWmiMessageStringHash
- RacWmiEventProductNameStringHash
With the exception of RacWmiEventData and RacWmiEventDataDetail, each table has the same columns:
- Idx (INT)
- HashValue (Long INT)
- StringData (Text)
RacWmiEventDataDetail has the following columns:
- Idx (INT)
- Fk_Idx (INT) – Foreign key that points to the Idx value in RacWmiEventData
- PositionID (INT)
- StringID (Long INT)
RacWmiEventData is the main table, with pointers to the HashValues stored in the sub tables:
- Idx
- DataSetID
- ChannelID
- ProviderID
- EventID
- ComputerNameID
- ProductNameID
- UserNameID
- MessageID
- EventTime
- RecordNumber
- RelmonID
We can bring all of this information together by using a monster SQL JOIN:
SELECT DISTINCT RacWmiEventData.Idx, RacWmiEventData.EventID, RacWmiEventData.EventTime, RacWmiEventData.RecordNumber,
    RacWmiEventProductNameStringHash.StringData AS ProductName,
    RacWmiMessageStringHash.StringData AS Message,
    RacWmiEventStringHash.StringData AS UserName,
    RacWmiEventStringHash_1.StringData AS ProviderName,
    RacWmiEventStringHash_2.StringData AS Channel,
    RacWmiEventStringHash_3.StringData AS ComputerName
FROM RacWmiEventData
    INNER JOIN RacWmiEventStringHash ON RacWmiEventData.UserNameID = RacWmiEventStringHash.HashValue
    INNER JOIN RacWmiEventStringHash AS RacWmiEventStringHash_1 ON RacWmiEventData.ProviderID = RacWmiEventStringHash_1.HashValue
    INNER JOIN RacWmiEventStringHash AS RacWmiEventStringHash_2 ON RacWmiEventData.ChannelID = RacWmiEventStringHash_2.HashValue
    INNER JOIN RacWmiEventStringHash AS RacWmiEventStringHash_3 ON RacWmiEventData.ComputerNameID = RacWmiEventStringHash_3.HashValue
    LEFT OUTER JOIN RacWmiEventDataDetail ON RacWmiEventData.Idx = RacWmiEventDataDetail.Fk_Idx
    LEFT OUTER JOIN RacWmiMessageStringHash ON RacWmiEventData.MessageID = RacWmiMessageStringHash.HashValue
    LEFT OUTER JOIN RacWmiEventProductNameStringHash ON RacWmiEventData.ProductNameID = RacWmiEventProductNameStringHash.HashValue
Getting the multiline string values for the detail requires an additional query:
SELECT RacWmiEventData.Idx, RacWmiEventDetailStringHash.StringData AS Detail
FROM RacWmiEventDetailStringHash
    INNER JOIN RacWmiEventDataDetail ON RacWmiEventDetailStringHash.HashValue = RacWmiEventDataDetail.StringID
    RIGHT OUTER JOIN RacWmiEventData ON RacWmiEventDataDetail.Fk_Idx = RacWmiEventData.Idx
ORDER BY RacWmiEventData.Idx, RacWmiEventDataDetail.PositionID
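To make the table relationships above concrete, here is an added example (not code from the post and not part of ParseRacWmi) that recreates the described table layout in SQLite, loads a few constructed rows, runs the event join and the detail query in linear form, and renders the result in the classic log2timeline CSV layout. Everything about the data is an assumption: the hash values, strings, event IDs and timestamps are made up, EventTime is stored as text, and the l2t column mapping and timezone are this example's choices, not the tool's.

```python
"""SQLite stand-in for the RacWmi tables (constructed example).

The real artifact is the SQL CE RacWmiDatabase.sdf (ESE wmi.db on 8.1); this
recreates the same layout in SQLite so the joins can be exercised offline.
"""
import csv
import io
import sqlite3

SCHEMA = """
CREATE TABLE RacWmiEventStringHash            (Idx INTEGER PRIMARY KEY, HashValue INTEGER, StringData TEXT);
CREATE TABLE RacWmiEventDetailStringHash      (Idx INTEGER PRIMARY KEY, HashValue INTEGER, StringData TEXT);
CREATE TABLE RacWmiMessageStringHash          (Idx INTEGER PRIMARY KEY, HashValue INTEGER, StringData TEXT);
CREATE TABLE RacWmiEventProductNameStringHash (Idx INTEGER PRIMARY KEY, HashValue INTEGER, StringData TEXT);
CREATE TABLE RacWmiEventDataDetail (Idx INTEGER PRIMARY KEY, Fk_Idx INTEGER, PositionID INTEGER, StringID INTEGER);
CREATE TABLE RacWmiEventData (
    Idx INTEGER PRIMARY KEY, DataSetID INTEGER, ChannelID INTEGER, ProviderID INTEGER,
    EventID INTEGER, ComputerNameID INTEGER, ProductNameID INTEGER, UserNameID INTEGER,
    MessageID INTEGER, EventTime TEXT, RecordNumber INTEGER, RelmonID INTEGER);
"""

# Constructed rows. In the real database HashValue is a hash of StringData;
# any unique integer is enough to demonstrate the join.
STRINGS = {
    "RacWmiEventStringHash": [  # channel, provider, computer and user names all live here
        (1, 101, "Application"), (2, 102, "System"),
        (3, 201, "MsiInstaller"), (4, 202, "EventLog"),
        (5, 301, "WS-LAB01"), (6, 401, "LAB\\analyst"), (7, 402, "N/A"),
    ],
    "RacWmiMessageStringHash": [
        (1, 501, "Windows Installer installed the product."),
        (2, 502, "The previous system shutdown was unexpected."),
    ],
    "RacWmiEventProductNameStringHash": [(1, 601, "Example Agent 1.0")],
    "RacWmiEventDetailStringHash": [
        (1, 701, "Product Name: Example Agent 1.0"),
        (2, 702, "Product Version: 1.0.0"),
        (3, 703, "Installation success or error status: 0."),
    ],
}
# Idx, DataSetID, ChannelID, ProviderID, EventID, ComputerNameID, ProductNameID,
# UserNameID, MessageID, EventTime, RecordNumber, RelmonID
EVENTS = [
    (1, 1, 101, 201, 1033, 301, 601, 401, 501, "2014-03-02 14:05:11", 5120, 1),
    (2, 1, 102, 202, 6008, 301, None, 402, 502, "2014-03-03 08:12:40", 9931, 2),  # no product name
]
# Idx, Fk_Idx, PositionID, StringID: three detail lines for event 1, none for event 2
DETAILS = [(1, 1, 0, 701), (2, 1, 1, 702), (3, 1, 2, 703)]

# The post's first query written linearly. Message and product name may be absent,
# so those two lookups are outer joins; an event is never dropped for lacking them.
EVENT_QUERY = """
SELECT e.Idx AS Idx, e.EventID AS EventID, e.EventTime AS EventTime, e.RecordNumber AS RecordNumber,
       p.StringData AS ProductName, m.StringData AS Message, u.StringData AS UserName,
       pr.StringData AS ProviderName, ch.StringData AS Channel, c.StringData AS ComputerName
FROM RacWmiEventData AS e
    INNER JOIN RacWmiEventStringHash AS u  ON e.UserNameID     = u.HashValue
    INNER JOIN RacWmiEventStringHash AS pr ON e.ProviderID     = pr.HashValue
    INNER JOIN RacWmiEventStringHash AS ch ON e.ChannelID      = ch.HashValue
    INNER JOIN RacWmiEventStringHash AS c  ON e.ComputerNameID = c.HashValue
    LEFT OUTER JOIN RacWmiMessageStringHash          AS m ON e.MessageID     = m.HashValue
    LEFT OUTER JOIN RacWmiEventProductNameStringHash AS p ON e.ProductNameID = p.HashValue
ORDER BY e.EventTime, e.Idx
"""
# Detail lines in PositionID order, so they can be re-joined into one multiline string.
DETAIL_QUERY = """
SELECT d.Fk_Idx, s.StringData
FROM RacWmiEventDataDetail AS d
    INNER JOIN RacWmiEventDetailStringHash AS s ON d.StringID = s.HashValue
ORDER BY d.Fk_Idx, d.PositionID
"""

def build_sample_db():
    """Create the in-memory stand-in and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in STRINGS.items():
        conn.executemany(f"INSERT INTO {table} VALUES (?, ?, ?)", rows)
    conn.executemany("INSERT INTO RacWmiEventData VALUES (?,?,?,?,?,?,?,?,?,?,?,?)", EVENTS)
    conn.executemany("INSERT INTO RacWmiEventDataDetail VALUES (?, ?, ?, ?)", DETAILS)
    return conn

def load_events(conn, detail=False):
    """One dict per RacWmiEventData row with names resolved; 'Detail' added when detail=True."""
    conn.row_factory = sqlite3.Row
    events = [dict(r) for r in conn.execute(EVENT_QUERY)]
    if detail:
        lines = {}
        for fk_idx, text in conn.execute(DETAIL_QUERY):
            lines.setdefault(fk_idx, []).append(text)
        for ev in events:
            ev["Detail"] = "\n".join(lines.get(ev["Idx"], []))
    return events

L2T_HEADER = ["date", "time", "timezone", "MACB", "source", "sourcetype", "type", "user", "host",
              "short", "desc", "version", "filename", "inode", "notes", "format", "extra"]

def to_l2t(events, source_file="RacWmiDatabase.sdf", timezone="UTC"):
    """Classic log2timeline CSV. Column mapping is this example's choice; the zone of
    EventTime is assumed and must be confirmed against the source system."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(L2T_HEADER)
    for ev in events:
        date, time = ev["EventTime"].split(" ")
        desc = f"{ev['Channel']}/{ev['ProviderName']} EventID {ev['EventID']}: {ev['Message'] or ''}"
        if ev.get("Detail"):
            desc += " | " + ev["Detail"].replace("\n", "; ")
        w.writerow([date, time, timezone, "MACB", "RELMON", "Reliability Monitor", "Event Logged",
                    ev["UserName"], ev["ComputerName"], desc[:80], desc, "2", source_file,
                    ev["RecordNumber"], "", "RacWmiEventData", f"product: {ev['ProductName'] or '-'}"])
    return buf.getvalue()

if __name__ == "__main__":
    print(to_l2t(load_events(build_sample_db(), detail=True)))
```

The second constructed event has no product name, which is why ProductName and Message are outer joins while channel, provider, computer and user are inner joins; if the real database ever carried an event whose user or channel hash had no string row, the inner joins would silently drop it, so a quick row count of RacWmiEventData against the joined output is a worthwhile sanity check before trusting a timeline.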
ParseRacWMI
I have written a utility that can parse this information for you, called (oddly enough) ParseRacWmi. This is a command line utility that has the following usage:
ParseRacWMI -csv|-l2t [-detail] path\to\RacWmiDatabase.sdf
The CSV option kicks out a comma delimited file with all of the data from the query above. The L2T option outputs the data in a format suitable to include in a timeline. The -detail option is used if you want to include the multiline details for each row.
Windows 8.1
I first developed this tool for Windows 7 and was thrilled when Windows 8 kept the same format. Unfortunately, Microsoft decided to change the format in Windows 8.1. The file has been renamed to wmi.db and is now an ESE database file. The tables within the database do not appear to have changed, which is good news!
I am working on an updated version of the tool, and will post it here as soon as it is ready. Stay tuned!
Good day - this will be a time saver; however, I continue to receive the following when attempting to run on a database. Any thoughts?
“Unhandled Exception: System.IO.FileNotFoundException: Could not load file or assembly ‘System.Data.SqlServerCe, Version=3.5.1.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91’ or one of its dependencies. The system cannot find the file specified.
at ParseRacWMI.Module1.ConnectSQLCEdb()
at ParseRacWMI.Module1.Main()”
I’ve attempted on multiple machines with multiple databases.
Sorry for the confusion on that. I definitely should have mentioned that you will need to install SQL Server Compact 3.5 (found here: http://www.microsoft.com/en-us/download/details.aspx?id=5783) on your analysis machine to open Win7 or Win8.0 databases.
Please let me know if you have any more trouble!