Closed 0xAtn-a closed 5 years ago
If the user ID recorded in the SRUM database is blank, then it says the SID is None.
What circumstances cause Windows to record a blank user SID is not known, but it happens.
Mark
On Jan 29, 2019, at 9:03 AM, antunDuranec notifications@github.com wrote:
Hi Mark,
I'm using srum-dump to analyze SRUDB.dat on Windows 10 (1809)...
So far, all results for User's SID in Application Resource Usage were "None". I tried it on multiple SRUDB.dat files (exported with FTK Imager), with or without a template and SOFTWARE hive. There is no error message in cmd...
Any idea why I can't get the user's SIDs?
Best regards
I was finally able to check if SID records are blank...
I exported the SRUDB.dat file again and ran it through srum-dump.exe. The output file again contains only "None" values in the user SID column of the Application Resource Usage sheet.
To make sure that the SIDs are not blank, I opened the same SRUDB.dat file in the ESEDatabaseView tool. I was able to find the correct user's SID in SruDbIdMapTable, so I can confirm that the database is not blank.
Not sure how to proceed...
Best regards, Antun
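Mark's note that a blank recorded user ID produces a "None" SID, and Antun's check of SruDbIdMapTable, both come down to how the user ID of an Application Resource Usage row is mapped to a binary SID. The following is an added illustration, not srum-dump's own code; it assumes that SruDbIdMapTable rows with IdType 3 hold a binary SID in IdBlob (other IdTypes holding UTF-16LE strings), and the id map and SID values are constructed samples.

```python
import struct
from typing import Optional

# Added illustration, not srum-dump's own code. Assumption: SruDbIdMapTable rows
# with IdType 3 carry a binary SID in IdBlob; other IdTypes carry UTF-16LE strings.
SID_ID_TYPE = 3

def binary_sid_to_string(blob: Optional[bytes]) -> Optional[str]:
    """Decode a binary Windows SID to S-R-A-S1-... text; empty/missing -> None.

    The None result is the blank-user-ID case described in the thread.
    """
    if not blob:
        return None
    if len(blob) < 8:
        raise ValueError("SID blob too short: %d bytes" % len(blob))
    revision, sub_count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")  # 48-bit identifier authority
    if len(blob) < 8 + 4 * sub_count:
        raise ValueError("SID blob truncated: %d sub-authorities declared" % sub_count)
    subs = struct.unpack_from("<%dI" % sub_count, blob, 8)  # 32-bit little-endian
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def string_sid_to_binary(sid: str) -> bytes:
    """Inverse of binary_sid_to_string; used only to build the constructed sample."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def resolve_user_sid(id_map: dict, user_id: Optional[int]) -> Optional[str]:
    """Map a row's UserId to a SID; None if no user ID, unmapped, or not a SID entry."""
    if user_id is None:
        return None
    row = id_map.get(user_id)
    if row is None or row["IdType"] != SID_ID_TYPE:
        return None
    return binary_sid_to_string(row["IdBlob"])

# Constructed sample id map keyed by IdIndex: a user SID, an app-name string,
# and a blank SID entry (the "None" case from the thread).
SAMPLE_ID_MAP = {
    5: {"IdType": 3, "IdBlob": string_sid_to_binary("S-1-5-21-1004336348-1177238915-682003330-1001")},
    6: {"IdType": 0, "IdBlob": "notepad.exe".encode("utf-16-le")},
    7: {"IdType": 3, "IdBlob": b""},
}
```

When every row resolves to None, as in the report above, the first thing to check is whether the id map entries being looked up are blank or are simply not being read, which is what the ESEDatabaseView comparison established.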
I was able to reproduce this issue. The problem is an error in the EXE version of the tool, but it does not occur in the .PY Python version.
Please give this Python 3 version a try and let me know if you have any trouble.
Installation and use instructions are on the README.
Mark
Hi Mark,
Just want to let you know that srum-dump.PY indeed pulled the SIDs.
Thank you, Antun
Thanks for the feedback. I’ll update the EXE soon.
Mark
Mark,
Looks like this is still an issue with the EXE. I'll attach a sample SRUDB file for your testing. SRUDB.zip
Hi @TroySchnack, sorry for the late reply. I didn't see this note since the issue was closed. The SRUDB.zip file you sent is empty. The file is locked by the OS; even though a simple copy may appear to work, it will not. You must use a tool to extract a copy from the OS to analyze it. If you run srum-dump as an administrator, it will extract a copy and analyze it for you.