Windows User Access Logs (UAL)

Windows Server Artefact


Artefact Features

  • C:\Windows\System32\LogFiles\SUM\Current.mdb
  • C:\Windows\System32\LogFiles\SUM\SystemIdentity.mdb
  • C:\Windows\System32\LogFiles\SUM\<GUID>.mdb


RawCopy.exe /FileNamePath:c:\Windows\System32\LogFiles\Sum\Current.mdb /Outpath:c:\Dev\Sum\

Repairing the Databases

esentutl.exe /p Current.mdbesentutl.exe /p SystemIdentity.mdbesentutl.exe /p "{<GUID>}.mdb"

Parsing and Analysis

SumECmd.exe -d C:\Location\of\Sumfiles\ --csv C:\Output\Directory

Querying on Live Machines

WMI Example
Gwmi -Namespace “root\AccessLogging” -query “SELECT * FROM MsftUal_DeviceAccess WHERE LastSeen >=’1/01/2013' and LastSeen <=’3/31/2013
PowerShell Commandlets (more here)
reg.exe ADD HKLM\System\CurrentControlSet\Control\WMI\AutoLogger\Sum /v PollingInterval /t REG_DWORD /d 120000 /F



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store