2019-01-11

Testing of SRUM on Windows Server 2019 (continued)

After my unsuccessful attempts to test SRUM in Windows Server 2019 earlier in the week, I followed up with Dave Cowen, who confirmed the name of the install media he had used, and went about installing Server 2019 from the same media. Specifically, this was:

en_windows_server_2019_x64_dvd_4cb967d8.iso - A876D230944ABE3BF2B5C2B40DA6C4A3

Lo and behold, when I checked for the presence of a SRUM directory...


The Windows version information associated with this install is as follows:


Putting aside the strangeness that SRUM doesn't appear to be enabled by default in certain circumstances, let's look at how it compares to SRUM within Windows 10.

Noted differences between Windows 10 SRUM and Server 2019 SRUM

As per the methodology outlined in my previous post, I extracted the SRUDB.dat from the following systems:
  • Fresh install of Server 2019
  • Fresh install of Windows 10
  • Used install of Windows 10
  • Used install of Windows 8
I parsed out a list of tables and their associated fields for each of the SRUDB.dat files I had and compared the tables and their content. A table outlining what tables were present within the SRUDB associated with each of the examined OS samples is provided below:


Notable observations were as follows:

  • The Server 2019 install had four new tables which had not been seen in previous iterations of the OS (or not in my testing):
    • {17F4D97B-F26A-5E79-3A82-90040A47D13D}
    • {841A7317-3805-518B-C2EA-AD224CB4AF84}
    • {DC3D3B50-BB90-5066-FA4E-A5F90DD8B677}
    • {EEE2F477-0659-5C47-EF03-6D6BEFD441B3}
  • The Application Resource usage data table {D10CA2FE-6FCF-4F6D-848E-B2E99266FA89} and the Network Connectivity data table {DD6636C4-8929-4683-974E-22C046A43763} remain.
  • The fields present in these tables have not changed.
  • In my testing the Network Usage {973F5D5C-1D90-4944-BE8E-24B94231A174}, Energy Usage {FEE4E14F-02A9-4550-B5CE-5FA2DA202E37} and Energy Usage Long Term {FEE4E14F-02A9-4550-B5CE-5FA2DA202E37}LT tables were absent.
  • In my test the Push Notification Data {D10CA2FE-6FCF-4F6D-848E-B2E99266FA86} table was also absent; however, I note that it was absent from a fresh install of Windows 10 as well, and may need push notifications to be enabled, or to have occurred, before the table is created and populated.
I have had limited time to perform testing of the new tables, so I include their field headings for reference, as this may shed some light on the function of the tables:

{17F4D97B-F26A-5E79-3A82-90040A47D13D}
AutoIncId
TimeStamp
AppId
UserId
Total
Used

{841A7317-3805-518B-C2EA-AD224CB4AF84}
AutoIncId
TimeStamp
AppId
UserId
SizeInBytes

{DC3D3B50-BB90-5066-FA4E-A5F90DD8B677}
AutoIncId
TimeStamp
AppId
UserId
ProcessorTime

{EEE2F477-0659-5C47-EF03-6D6BEFD441B3}
AutoIncId
TimeStamp
AppId
UserId
BytesInBound
BytesOutBound
BytesTotal

Parsing SRUM

I performed some limited testing to see about parsing useful data from SRUM on Server 2019, and I am pleased to report that where tables have remained consistent my previous go-to tool, Mark Baggett's srum-dump, still parses this data successfully.

While it does display errors, per the below, it will proceed and extract what it can from the common tables:


Unfortunately, the only two tables which fall into this category are the Application Resource usage data table {D10CA2FE-6FCF-4F6D-848E-B2E99266FA89} and the Network Connectivity data table {DD6636C4-8929-4683-974E-22C046A43763}.
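The two steps above, enumerating the tables and fields of each SRUDB.dat and comparing them across OS samples (as described under "Noted differences"), and spotting which provider tables a srum-dump style parser will not understand (the errors noted under "Parsing SRUM"), can be done with a short script. The following is an added example written for this page; it is not code from the original post nor from srum-dump. The loader assumes pyesedb (libesedb's Python binding) is installed, and the sample schemas are constructed: the four Server 2019 tables use the field headings listed above, while the common-table field lists are truncated to a few names and the "synthetic_drift" sample exists only to exercise the field-level diff.

```python
import re
from typing import Dict, List, Set

SchemaMap = Dict[str, List[str]]  # table name -> ordered list of field names

# Provider tables named in the post; srum-dump style parsers understand these.
KNOWN_TABLES = {
    "{D10CA2FE-6FCF-4F6D-848E-B2E99266FA89}": "Application Resource Usage",
    "{DD6636C4-8929-4683-974E-22C046A43763}": "Network Connectivity",
    "{973F5D5C-1D90-4944-BE8E-24B94231A174}": "Network Usage",
    "{FEE4E14F-02A9-4550-B5CE-5FA2DA202E37}": "Energy Usage",
    "{FEE4E14F-02A9-4550-B5CE-5FA2DA202E37}LT": "Energy Usage Long Term",
    "{D10CA2FE-6FCF-4F6D-848E-B2E99266FA86}": "Push Notification Data",
}

# Field headings of the four new Server 2019 tables, as listed in the post.
SERVER_2019_NEW_TABLES: SchemaMap = {
    "{17F4D97B-F26A-5E79-3A82-90040A47D13D}": ["AutoIncId", "TimeStamp", "AppId", "UserId", "Total", "Used"],
    "{841A7317-3805-518B-C2EA-AD224CB4AF84}": ["AutoIncId", "TimeStamp", "AppId", "UserId", "SizeInBytes"],
    "{DC3D3B50-BB90-5066-FA4E-A5F90DD8B677}": ["AutoIncId", "TimeStamp", "AppId", "UserId", "ProcessorTime"],
    "{EEE2F477-0659-5C47-EF03-6D6BEFD441B3}": ["AutoIncId", "TimeStamp", "AppId", "UserId",
                                              "BytesInBound", "BytesOutBound", "BytesTotal"],
}

# Provider tables are named by a GUID, optionally suffixed "LT" (long term).
GUID_TABLE = re.compile(r"^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}(LT)?$", re.I)

# Constructed samples (not real extractions). Common-table fields are truncated.
COMMON: SchemaMap = {
    "{D10CA2FE-6FCF-4F6D-848E-B2E99266FA89}": ["AutoIncId", "TimeStamp", "AppId", "UserId",
                                              "ForegroundCycleTime", "BackgroundCycleTime"],
    "{DD6636C4-8929-4683-974E-22C046A43763}": ["AutoIncId", "TimeStamp", "AppId", "UserId",
                                              "InterfaceType", "ConnectedTime"],
}
BOOKKEEPING: SchemaMap = {"SruDbIdMapTable": ["IdType", "IdIndex", "IdBlob"],
                          "SruDbCheckpointTable": ["Id", "Lookup"]}
SAMPLES: Dict[str, SchemaMap] = {
    "server2019": {**BOOKKEEPING, **COMMON, **SERVER_2019_NEW_TABLES},
    "win10_used": {**BOOKKEEPING, **COMMON,
                   "{973F5D5C-1D90-4944-BE8E-24B94231A174}": ["AutoIncId", "TimeStamp", "AppId", "UserId"],
                   "{FEE4E14F-02A9-4550-B5CE-5FA2DA202E37}": ["AutoIncId", "TimeStamp", "AppId", "UserId"],
                   "{FEE4E14F-02A9-4550-B5CE-5FA2DA202E37}LT": ["AutoIncId", "TimeStamp", "AppId", "UserId"]},
    # Synthetic: same as COMMON but one field dropped, to exercise field_differences().
    "synthetic_drift": {**BOOKKEEPING, **COMMON,
                        "{D10CA2FE-6FCF-4F6D-848E-B2E99266FA89}": ["AutoIncId", "TimeStamp", "AppId", "UserId",
                                                                   "ForegroundCycleTime"]},
}


def load_schema(path: str) -> SchemaMap:
    """Read table and column names from an SRUDB.dat using pyesedb (assumed installed).
    The file must be in a clean state; repair a live copy with `esentutl /r sru /i` first."""
    import pyesedb  # assumption: libesedb's Python binding
    db = pyesedb.file()
    db.open(path)
    try:
        schema: SchemaMap = {}
        for i in range(db.get_number_of_tables()):
            table = db.get_table(i)
            schema[table.name] = [table.get_column(j).name for j in range(table.get_number_of_columns())]
        return schema
    finally:
        db.close()


def provider_tables(schema: SchemaMap) -> Set[str]:
    """GUID-named tables only; SruDbIdMapTable and SruDbCheckpointTable are bookkeeping."""
    return {name for name in schema if GUID_TABLE.match(name)}


def unknown_tables(schema: SchemaMap) -> Set[str]:
    """Provider tables a parser keyed on KNOWN_TABLES would skip or error on."""
    return provider_tables(schema) - set(KNOWN_TABLES)


def presence_matrix(samples: Dict[str, SchemaMap]) -> Dict[str, Dict[str, bool]]:
    """table -> {sample name -> present?} across every provider table seen in any sample."""
    all_tables = set().union(*(provider_tables(s) for s in samples.values()))
    return {t: {name: t in schema for name, schema in samples.items()} for t in sorted(all_tables)}


def field_differences(samples: Dict[str, SchemaMap]) -> Dict[str, Dict[str, List[str]]]:
    """For each provider table held by two or more samples, list per sample the fields
    that other holders have but this one lacks. Empty result means field sets agree."""
    diffs: Dict[str, Dict[str, List[str]]] = {}
    for table, present in presence_matrix(samples).items():
        holders = [name for name, yes in present.items() if yes]
        if len(holders) < 2:
            continue
        union = set().union(*(samples[name][table] for name in holders))
        missing = {name: sorted(union - set(samples[name][table])) for name in holders}
        missing = {name: m for name, m in missing.items() if m}
        if missing:
            diffs[table] = missing
    return diffs


def format_matrix(samples: Dict[str, SchemaMap]) -> str:
    """Plain-text presence table, one row per provider table, one column per sample."""
    names = list(samples)
    rows = ["table".ljust(44) + "".join(n.rjust(16) for n in names) + "  description"]
    for table, present in presence_matrix(samples).items():
        cells = "".join(("X" if present[n] else "-").rjust(16) for n in names)
        rows.append(table.ljust(44) + cells + "  " + KNOWN_TABLES.get(table, "(unknown)"))
    return "\n".join(rows)


if __name__ == "__main__":
    print(format_matrix(SAMPLES))
    print("unknown in server2019:", sorted(unknown_tables(SAMPLES["server2019"])))
    print("field differences:", field_differences(SAMPLES))
```

To run it against real extractions, replace the entries of `SAMPLES` with `load_schema("path/to/SRUDB.dat")` for each image; the unknown-table check is what tells you in advance which tables srum-dump will complain about, and the field diff is the check behind the "fields have not changed" observation.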

If I have time in the next couple of weeks I will look into these new tables in an effort to derive how they are populated. I'm also keen to try and establish what caused SRUM to be disabled on some of the installs I used for testing but not others.
