Windows User Access Logs (UAL)

Windows Server Artefact

Overview

Artefact Features

  • C:\Windows\System32\LogFiles\SUM\Current.mdb
  • C:\Windows\System32\LogFiles\SUM\SystemIdentity.mdb
  • C:\Windows\System32\LogFiles\SUM\<GUID>.mdb

Format: ESE Databases
Current Parsing Tools:

Retention: 2–3 years. Current.mdb holds the most recent 24 hours (by default); entries are then moved into the database for the current year, which is named with a unique GUID. The previous 2 years are retained in separate databases as well:

If an attacker has cleared all logs from the environment and there is no centralised logging, UAL could be a valuable resource used in investigations.

Acquisition

RawCopy.exe /FileNamePath:c:\Windows\System32\LogFiles\Sum\Current.mdb /Outpath:c:\Dev\Sum\

A tool like Velociraptor will also allow you to copy the files from a live system.

Repairing the Databases

If you attempt to run SumECmd.exe, depending on how you acquire the files, you will get an error stating the databases need to be repaired. Using esentutl.exe, you can repair the *.mdb files:

esentutl.exe /p Current.mdb
esentutl.exe /p SystemIdentity.mdb
esentutl.exe /p "{<GUID>}.mdb"

Here is an example of the repair command on SystemIdentity.mdb:

Parsing and Analysis

SumECmd.exe -d C:\Location\of\Sumfiles\ --csv C:\Output\Directory

The output should provide a number of csv exports for review.
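The repair and parse steps above can be combined so that esentutl is only run against databases whose ESE header actually reports a dirty shutdown, and so that the repair step itself is recorded. This is an added example, not a script from the original post; it assumes esentutl.exe is on the PATH, that SumECmd.exe sits at the path given in $SumECmd, and that the *.mdb files in $SumDir are acquired copies rather than the live files under System32.

```powershell
# Added example (not from the original post): repair acquired UAL databases
# only when their header reports a dirty shutdown, then hand them to SumECmd.
# Assumptions: esentutl.exe is on PATH, SumECmd.exe lives at $SumECmd, and the
# *.mdb files in $SumDir are copies (e.g. C:\Dev\Sum), never the live files.
param(
    [Parameter(Mandatory)] [string] $SumDir,     # folder holding acquired *.mdb copies
    [Parameter(Mandatory)] [string] $OutDir,     # CSV output directory for SumECmd
    [string] $SumECmd = 'C:\Tools\SumECmd.exe'   # assumed location of SumECmd.exe
)

function Get-EseState {
    param([string] $Path)
    # esentutl /mh dumps the ESE file header; its "State:" line reads
    # "Clean Shutdown" or "Dirty Shutdown".
    $header = & esentutl.exe /mh $Path 2>&1 | Out-String
    if ($header -match 'State:\s*(\w+ Shutdown)') { return $Matches[1] }
    return 'Unknown'
}

function Repair-UalDatabases {
    param([string] $Dir)
    $results = @()
    foreach ($db in Get-ChildItem -Path $Dir -Filter '*.mdb' -File) {
        $state  = Get-EseState -Path $db.FullName
        $action = 'none'
        if ($state -ne 'Clean Shutdown') {
            # /p is a hard (lossy) repair: run it on the copy only. Work from
            # the database's own folder so any log/checkpoint files next to
            # it are found. esentutl may ask for confirmation interactively.
            Push-Location $db.DirectoryName
            & esentutl.exe /p $db.Name | Out-Null
            Pop-Location
            $action = "repaired (was $state, esentutl exit code $LASTEXITCODE)"
        }
        $results += [pscustomobject]@{ Database = $db.Name; State = $state; Action = $action }
    }
    return $results
}

# Log what was done to each database before parsing, so the repair is documented.
Repair-UalDatabases -Dir $SumDir | Tee-Object -FilePath (Join-Path $OutDir 'repair_log.txt')

# Parse every database in one pass (same invocation the post shows).
& $SumECmd -d $SumDir --csv $OutDir
```

The repair_log.txt written alongside the CSV exports records which databases were touched and their original header state, which matters because /p can discard pages and the original acquisition should remain untouched.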

The <date>_SumECmd_DETAIL_ClientDetailed_Output.csv contains entries like the following, which map user activity to first and last access times and a role description.

NOTE: It is not documented, and has not been tested here, which specific activities cause an entry to be recorded for each Microsoft role.

Querying on Live Machines

WMI Example
Gwmi -Namespace "root\AccessLogging" -Query "SELECT * FROM MsftUal_DeviceAccess WHERE LastSeen >= '1/01/2013' and LastSeen <= '3/31/2013'"
PowerShell Cmdlets
Get-UalUserAccess
Get-UalDailyUserAccess

Example of Get-UalDailyUserAccess:

If you are testing, you can decrease the polling interval from the default 24 hours (for example, to two minutes):

reg.exe ADD HKLM\System\CurrentControlSet\Control\WMI\AutoLogger\Sum /v PollingInterval /t REG_DWORD /d 120000 /F

I’m looking forward to seeing how the DFIR community uses this artefact, as it appears to have a wealth of historical knowledge.

Thanks,
Zach