Windows Reliability Monitor Forensic Artifacts [Updated!]

As a follow-up to my earlier post on Reliability Monitor analysis, I have finished updating the ParseRacWmi tool to parse the new Wmi.db format used by Windows 8.1. You can download the tool here (SQL Server Compact 3.5 is required to parse the Windows 7 and 8 .sdf files; get it here: http://www.microsoft.com/en-us/download/details.aspx?id=5783), or read on for more information about what has changed. The updated tool also has a few changes under the hood for processing the old SDF files, which speed that up significantly. The proper usage from the command line is:

ParseRacWMI.exe [-win81] [-csv|-l2t] [-detail] path\to\[RacWmiDatabase.sdf|Wmi.db]

Note: Make a copy of the database file in another location and point the tool at the copy if you are running against a live machine.

There is now a DLL included with the executable, as I needed to tap into the excellent ManagedEsent API to read the new ESE format. The DLL needs to reside in the same directory as the executable. Note also that an ESE database copied from a running system may be in a dirty-shutdown state and may need to be recovered before an ESE reader will open it.

The tool writes to the console, so you will need to redirect the output to a file. CSV is a straight dump of all available fields, while L2T (log2timeline) output is suitable for inclusion in a timeline.

Windows 8.1 and ESE databases

With the release of Windows 8.1, Microsoft changed the format of the Reliability Monitor database. Instead of a simple SQL CE database, it is now an Extensible Storage Engine (ESE) database file. This database is in the same location as the old SQL CE file (C:\ProgramData\Microsoft\RAC\PublishedData) but is now called "Wmi.db" instead of "RacWmiDatabase.sdf".

Thankfully, the table layouts are the same in the new version, but there have been some changes to the data stored in each field. For example, HashValue columns that used to be Int32 are now Int64.

Another field that changed from Int32 to Int64 is EventTime, and along with this change the time is stored in a different format. The old SQL CE database stored EventTime as the number of seconds elapsed since the Unix epoch (1/1/1970). The new format stores the number of "ticks" (100-nanosecond intervals) since 1/1/1601, which is the standard Windows FILETIME representation (1601 is the start of the 400-year Gregorian cycle that Windows' date arithmetic is based on). Any tooling that compares records across the two formats, or feeds them into a timeline, has to normalize both to a common clock.
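To make the two EventTime encodings concrete, here is an added example (my own code, not part of ParseRacWmi or the original post) that decodes an EventTime value from either database into a UTC datetime, converts FILETIME ticks to Unix seconds for timeline tools, and sanity-checks that the value actually fits the format the caller claimed (the equivalent of passing, or forgetting, the -win81 switch). The sample values are constructed, not taken from a real database; the function names are my own.

```python
from datetime import datetime, timedelta, timezone

# Epochs used by the two Reliability Monitor database formats, as UTC.
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)      # RacWmiDatabase.sdf: Int32 seconds
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # Wmi.db: Int64 100ns ticks
TICKS_PER_SECOND = 10_000_000
# 100ns ticks between 1601-01-01 and 1970-01-01 (the standard FILETIME/Unix offset).
EPOCH_DELTA_TICKS = 116_444_736_000_000_000


def sdf_event_time(seconds: int) -> datetime:
    """EventTime from the SQL CE database: Int32 seconds since the Unix epoch."""
    return UNIX_EPOCH + timedelta(seconds=seconds)


def wmidb_event_time(ticks: int) -> datetime:
    """EventTime from the ESE database: Int64 100ns ticks since 1601-01-01 (FILETIME).

    datetime only resolves to microseconds, so the last decimal digit of the
    tick count (sub-microsecond) is dropped here.
    """
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def wmidb_ticks_to_unix(ticks: int) -> float:
    """FILETIME ticks -> Unix epoch seconds (fractional), for timeline tools."""
    return (ticks - EPOCH_DELTA_TICKS) / TICKS_PER_SECOND


def event_time_to_utc(value: int, win81: bool) -> datetime:
    """Decode EventTime for the format the caller selected (mirrors -win81).

    Raises ValueError when the magnitude of the value contradicts the chosen
    format, which is the usual symptom of parsing a Wmi.db without -win81
    or an .sdf with it.
    """
    if win81:
        if value < EPOCH_DELTA_TICKS:
            raise ValueError(
                f"{value} is before 1970 as a FILETIME; is this really a Wmi.db value?")
        return wmidb_event_time(value)
    if value >= 2**31:
        raise ValueError(
            f"{value} does not fit an Int32 Unix timestamp; looks like Wmi.db ticks (use win81=True)")
    if value < 0:
        raise ValueError(f"{value} is not a valid Unix timestamp")
    return sdf_event_time(value)


# Constructed sample values (hypothetical, not from a real database):
SAMPLE_SDF_EVENT_TIME = 1388534400             # 2014-01-01 00:00:00 UTC as Unix seconds
SAMPLE_WMIDB_EVENT_TIME = 130330080000000000   # the same instant as FILETIME ticks


if __name__ == "__main__":
    old = event_time_to_utc(SAMPLE_SDF_EVENT_TIME, win81=False)
    new = event_time_to_utc(SAMPLE_WMIDB_EVENT_TIME, win81=True)
    print("sdf  :", old.isoformat())
    print("wmidb:", new.isoformat(), "->", wmidb_ticks_to_unix(SAMPLE_WMIDB_EVENT_TIME))
    try:
        event_time_to_utc(SAMPLE_WMIDB_EVENT_TIME, win81=False)
    except ValueError as err:
        print("format mismatch caught:", err)
```

The magnitude check is cheap insurance: a tick count misread as seconds lands billions of years in the future, and a seconds value misread as ticks lands in 1601, so either mistake is obvious if you look but easy to miss in a large CSV.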

Speaking of start dates: when a machine is upgraded from Windows 7 or Windows 8 to 8.1, there are virtually no events in the new database from before the upgrade date. I did find a couple of driver installs dated prior to the upgrade, but nothing else.

There is a great deal of information in this file about the history of the computer. Application install records can tell you what programs used to be installed and when; application hang records can point you to misbehaving software (which could include poorly written malware).
