New tables to parse

Open AndrewRathbun opened this issue 1 year ago • 2 comments

Observed on Server 2022 SRUM earlier today:

  • [ ] DC3D3B50-BB90-5066-FA4E-A5F90DD8B677
  • [ ] 841A7317-3805-518B-C2EA-AD224CB4AF84
  • [ ] 17F4D97B-F26A-5E79-3A82-90040A47D13D
  • [ ] EEE2F477-0659-5C47-EF03-6D6BEFD441B3 - appears to have BytesInbound/BytesOutbound/BytesTotal, could be NetworkUsages equivalent on Server 2022

AndrewRathbun, Jul 15 '24 19:07

@EricZimmerman I'll do more of a workup on this, but I'm just putting this down here for tracking purposes

AndrewRathbun, Jul 15 '24 19:07

From a Server 2022 SRUDB.dat:

Table: {17F4D97B-F26A-5E79-3A82-90040A47D13D}
  Column: AppId
  Column: AutoIncId
  Column: TimeStamp
  Column: Total
  Column: Used
  Column: UserId

Table: {841A7317-3805-518B-C2EA-AD224CB4AF84}
  Column: AppId
  Column: AutoIncId
  Column: SizeInBytes
  Column: TimeStamp
  Column: UserId

Table: {D10CA2FE-6FCF-4F6D-848E-B2E99266FA89}
  Column: AppId
  Column: AutoIncId
  Column: BackgroundBytesRead
  Column: BackgroundBytesWritten
  Column: BackgroundContextSwitches
  Column: BackgroundCycleTime
  Column: BackgroundNumberOfFlushes
  Column: BackgroundNumReadOperations
  Column: BackgroundNumWriteOperations
  Column: FaceTime
  Column: ForegroundBytesRead
  Column: ForegroundBytesWritten
  Column: ForegroundContextSwitches
  Column: ForegroundCycleTime
  Column: ForegroundNumberOfFlushes
  Column: ForegroundNumReadOperations
  Column: ForegroundNumWriteOperations
  Column: TimeStamp
  Column: UserId

Table: {DC3D3B50-BB90-5066-FA4E-A5F90DD8B677}
  Column: AppId
  Column: AutoIncId
  Column: ProcessorTime
  Column: TimeStamp
  Column: UserId

Table: {DD6636C4-8929-4683-974E-22C046A43763}
  Column: AppId
  Column: AutoIncId
  Column: ConnectedTime
  Column: ConnectStartTime
  Column: InterfaceLuid
  Column: L2ProfileFlags
  Column: L2ProfileId
  Column: TimeStamp
  Column: UserId

Table: {EEE2F477-0659-5C47-EF03-6D6BEFD441B3}
  Column: AppId
  Column: AutoIncId
  Column: BytesInBound
  Column: BytesOutBound
  Column: BytesTotal
  Column: TimeStamp
  Column: UserId

Table: SruDbCheckpointTable
  Column: CheckpointId
  Column: NextIncId
  Column: ProviderId
  Column: RecordSet
  Column: SeqNumber

Table: SruDbIdMapTable
  Column: IdBlob
  Column: IdIndex
  Column: IdType

Per the SOFTWARE hive on the Server 2022 host:

Registry file: K:\temp\SOFTWARE
Key: Microsoft\Windows NT\CurrentVersion\SRUM\Extensions\{17f4d97b-f26a-5e79-3a82-90040a47d13d}
Last write: 2021-05-08 09:38:46
Value: (default) (RegSz)
Data: SDP Volume Provider
Slack: 00-00-00-00

Registry file: K:\temp\SOFTWARE
Key: Microsoft\Windows NT\CurrentVersion\SRUM\Extensions\{38ad6548-9313-58f8-45c7-d293bafdc879}
Last write: 2021-05-08 09:38:46
Value: (default) (RegSz)
Data: SDP Perf Counter Provider

Registry file: K:\temp\SOFTWARE
Key: Microsoft\Windows NT\CurrentVersion\SRUM\Extensions\{841a7317-3805-518b-c2ea-ad224cb4af84}
Last write: 2021-05-08 09:38:46
Value: (default) (RegSz)
Data: SDP Physical Disk Provider
Slack: 00-00-00-00-00-00

Registry file: K:\temp\SOFTWARE
Key: Microsoft\Windows NT\CurrentVersion\SRUM\Extensions\{cdf8ebf6-7c0f-5ac2-158f-dbfbee981152}
Last write: 2021-05-08 09:38:46
Value: (default) (RegSz)
Data: SDP Event Log Provider
Slack: 00-00-00-00-00-00

Registry file: K:\temp\SOFTWARE
Key: Microsoft\Windows NT\CurrentVersion\SRUM\Extensions\{d10ca2fe-6fcf-4f6d-848e-b2e99266fa86}
Last write: 2021-05-08 08:24:19
Value: (default) (RegSz)
Data: WPN SRUM Provider

Registry file: K:\temp\SOFTWARE
Key: Microsoft\Windows NT\CurrentVersion\SRUM\Extensions\{d10ca2fe-6fcf-4f6d-848e-b2e99266fa89}
Last write: 2021-05-08 08:24:19
Value: (default) (RegSz)
Data: Application Resource Usage Provider
Slack: 00-00-00-00

Registry file: K:\temp\SOFTWARE
Key: Microsoft\Windows NT\CurrentVersion\SRUM\Extensions\{dc3d3b50-bb90-5066-fa4e-a5f90dd8b677}
Last write: 2021-05-08 09:38:46
Value: (default) (RegSz)
Data: SDP Cpu Provider
Slack: 00-10

Registry file: K:\temp\SOFTWARE
Key: Microsoft\Windows NT\CurrentVersion\SRUM\Extensions\{DD6636C4-8929-4683-974E-22C046A43763}
Last write: 2021-05-08 08:24:19
Value: (default) (RegSz)
Data: Windows Network Connectivity Usage Monitor
Slack: 00-00-00-00-00-00

Registry file: K:\temp\SOFTWARE
Key: Microsoft\Windows NT\CurrentVersion\SRUM\Extensions\{eee2f477-0659-5c47-ef03-6d6befd441b3}
Last write: 2021-05-08 09:38:46
Value: (default) (RegSz)
Data: SDP Network Provider
Slack: DD-AA

AndrewRathbun, Jul 28 '24 04:07
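The two listings above (the SRUDB.dat table dump and the SOFTWARE hive `SRUM\Extensions` entries) only become useful together once the GUID-named tables are joined to the provider names the registry records for them. The script below is an added example, not code from the Srum project; it parses both dump formats as they appear in this thread and reports which tables have a registered provider, which GUID tables have none, and which registered providers have no table in the database. The sample text is a constructed subset of the listings above (the `841A7317` registry entry is left out on purpose to exercise the "no provider" path); it normalizes GUID case, since the registry subkeys are mostly lower case while the table names are upper case, and it matches GUIDs exactly, because near-identical GUIDs such as `...FA86` (WPN SRUM Provider) and `...FA89` (Application Resource Usage Provider) are distinct providers.

```python
# Added example (not part of the Srum project): join the GUID-named tables of a
# SRUDB.dat table dump to the provider names registered under
# SOFTWARE\Microsoft\Windows NT\CurrentVersion\SRUM\Extensions.
import re

# Accepts a GUID with or without braces, in either case.
GUID_RE = re.compile(r"\{?([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}?")

# Constructed sample: a subset of the Server 2022 table dump from this thread.
TABLE_DUMP = r"""
Table: {17F4D97B-F26A-5E79-3A82-90040A47D13D}
  Column: AppId
  Column: AutoIncId
  Column: TimeStamp
  Column: Total
  Column: Used
  Column: UserId

Table: {841A7317-3805-518B-C2EA-AD224CB4AF84}
  Column: AppId
  Column: AutoIncId
  Column: SizeInBytes
  Column: TimeStamp
  Column: UserId

Table: SruDbIdMapTable
  Column: IdBlob
  Column: IdIndex
  Column: IdType
"""

# Constructed sample: a subset of the SOFTWARE hive entries from this thread.
# The 841A7317 entry is deliberately omitted to exercise the "no provider" path.
REGISTRY_DUMP = r"""
Key: Microsoft\Windows NT\CurrentVersion\SRUM\Extensions\{17f4d97b-f26a-5e79-3a82-90040a47d13d}
Value: (default) (RegSz)
Data: SDP Volume Provider

Key: Microsoft\Windows NT\CurrentVersion\SRUM\Extensions\{d10ca2fe-6fcf-4f6d-848e-b2e99266fa86}
Value: (default) (RegSz)
Data: WPN SRUM Provider
"""


def normalize_guid(text):
    """Return the GUID in upper case without braces, or None if not a GUID."""
    m = GUID_RE.fullmatch(text.strip())
    return m.group(1).upper() if m else None


def parse_tables(dump):
    """Map each table name (GUIDs normalized) to its ordered column names."""
    tables, current = {}, None
    for line in dump.splitlines():
        if line.startswith("Table:"):
            name = line.split(":", 1)[1].strip()
            current = normalize_guid(name) or name
            tables[current] = []
        elif line.strip().startswith("Column:") and current is not None:
            tables[current].append(line.split(":", 1)[1].strip())
    return tables


def parse_extensions(dump):
    """Map each Extensions subkey GUID to the data of its (default) value."""
    providers = {}
    for block in re.split(r"\n\s*\n", dump.strip()):
        key = data = None
        is_default = False
        for line in block.splitlines():
            label, _, value = line.partition(":")
            label, value = label.strip(), value.strip()
            if label == "Key":
                key = value
            elif label == "Value":
                is_default = value.startswith("(default)")
            elif label == "Data":
                data = value
        if key and data is not None and is_default:
            guid = normalize_guid(key.rsplit("\\", 1)[-1])  # last path component
            if guid:
                providers[guid] = data
    return providers


def correlate(tables, providers):
    """Exact-match tables to providers; GUIDs differing in one hex digit
    (e.g. ...FA86 vs ...FA89) are different providers and are never conflated."""
    report = {"matched": {}, "tables_without_provider": [],
              "providers_without_table": {}, "system_tables": []}
    for name in tables:
        if normalize_guid(name) is None:      # SruDb* tables carry no provider GUID
            report["system_tables"].append(name)
        elif name in providers:
            report["matched"][name] = providers[name]
        else:
            report["tables_without_provider"].append(name)
    for guid, provider in providers.items():
        if guid not in tables:
            report["providers_without_table"][guid] = provider
    return report


if __name__ == "__main__":
    for section, entries in correlate(parse_tables(TABLE_DUMP),
                                      parse_extensions(REGISTRY_DUMP)).items():
        print(f"{section}: {entries}")
```

A provider with no table is expected on a system where that provider has never written a record, so that bucket is informational; a GUID table with no provider entry is the case worth a second look, since it means the hive and the database came from different builds or the table was added by a component that does not register under `Extensions`.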