MarkBaggett / srum-dump

A forensics tool to convert the data in the Windows srum (System Resource Usage Monitor) database to an xlsx spreadsheet.
GNU General Public License v3.0
595 stars, 96 forks

Not Working On Windows 10 #3

Closed jstore closed 7 years ago

jstore commented 7 years ago

Hmmm... I get the following when I use the default template:

Unable to find table Undocumented Windows 10 Table {97C2CE28-A37B-4920-B1E9-8B76CD341EC5} I was unable to write the output file. Do you have an old version open? If not this is probably a path or permissions issue. Error : Finished!

And I get this when I use the small template:

Traceback (most recent call last): File "", line 347, in AttributeError: 'NoneType' object has no attribute 'replace'

This is running on a Windows 10 Enterprise v1607 with a copy of the SRUDB.dat file from the same machine.

MarkBaggett commented 7 years ago

The message "Unable to find table Undocumented Windows 10 Table {97C2CE28-A37B-4920-B1E9-8B76CD341EC5}" is just a Warning and can be ignored. It means that table doesn't exist in the SRUM file you are analyzing. If you would like you can just delete the Undocumented Windows 10 tab from the template file and it won't try to analyze that any more.

The message "I was unable to write the output file. Do you have an old version open? If not this is probably a path or permissions issue" occurs when the program is unable to write the output file you specified on the command line to disk. Make sure you have permissions to create the xlsx file that you specified with the output argument.

The small template isn't intended for production. It is just an example of how you can set other attributes up in the template file and change fonts.

Thanks, Mark Baggett


jstore commented 7 years ago

Hi Mark,

I'm running the exe as a local admin and an ouput.xlsx file is created (almost 2 MB), but when I go to open it in Excel 2016 it says, "The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt".

This happens using either template so I thought it was related to the error messages I was seeing.

-Justin

Justin Store, Security Architect, Michigan Tech University (http://www.mtu.edu/), Information Technology (http://www.it.mtu.edu/), 906.487.1477


jstore commented 7 years ago

Hi Mark,

I've done some more testing with a different SRUDB.dat file and the tool works as expected.

The original SRUDB.dat file I was using was taken from my Windows 10 machine while using the system. I didn't get any errors about the file being locked or open so I figured it would work.

The second SRUDB.dat file was taken from a Windows 8.1 machine while using the system. I had to disable a couple of services to release the hold on the file.

Assuming you've tested this on Windows 10 SRUDB.dat files, I believe the issue may be related to copying it while in use. Oddly, Windows didn't have any issue with me copying it as long as I was a local admin. I've re-copied the file from my live system and get the same result (corrupt output file).

-Justin


MarkBaggett commented 7 years ago

Justin, Thanks for taking my call yesterday and thanks for the feedback. It has been tested extensively on Windows 10.

There is some discussion in the comments on this post about how to grab the file on a system where it is locked. I use Volume Shadow copies, but the Invoke-NinjaCopy utility is a good option also.

Mark


jstore commented 7 years ago

Thanks Mark,

I saw that, but didn't think it would be required if the OS didn't complain.

Thanks for following up,

-Justin


MarkBaggett commented 7 years ago

This and similar issues all appear to be related to corrupt srudb.dat files as a result of file system locks. I am closing the ticket. Please let me know if any further attention is required.
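The root cause the thread settles on is a SRUDB.dat that was copied while the SRUM service still had it open, so the copy is an inconsistent ESE (Extensible Storage Engine) database even though the file-copy itself succeeded. The snippet below is an added triage check written for this page; it is not part of srum-dump and not code from the thread. It reads the ESE file header and refuses a copy whose database state is anything other than "clean shutdown", which is the cheapest way to catch the problem before spending time on a corrupt spreadsheet. The header offsets (signature at 4, file type at 12, state at 52, page size at 236) and the state codes follow libesedb's published ESE format documentation; the helper `build_sample_header`, the sample bytes it produces, and the function names are constructed for this example.

```python
import struct
import sys

ESE_SIGNATURE = 0x89ABCDEF  # magic value at offset 4 of every ESE database header
DB_STATES = {
    1: "just created",
    2: "dirty shutdown",
    3: "clean shutdown",
    4: "being converted",
    5: "force detach",
}
HEADER_MIN_LEN = 240  # bytes needed to reach the page-size field at offset 236


def parse_ese_header(data):
    """Decode the ESE header fields that matter for triaging a copied SRUDB.dat."""
    if len(data) < HEADER_MIN_LEN:
        raise ValueError("file too short to hold an ESE header (%d bytes)" % len(data))
    _checksum, signature, fmt_version, file_type = struct.unpack_from("<IIII", data, 0)
    if signature != ESE_SIGNATURE:
        raise ValueError("not an ESE database: signature 0x%08x" % signature)
    (state,) = struct.unpack_from("<I", data, 52)      # JET database state
    (page_size,) = struct.unpack_from("<I", data, 236)  # database page size in bytes
    return {
        "format_version": fmt_version,
        "file_type": file_type,  # 0 = database, 1 = streaming file
        "state": state,
        "state_name": DB_STATES.get(state, "unknown (%d)" % state),
        "page_size": page_size,
    }


def srum_copy_problems(data):
    """Return the reasons this SRUDB.dat copy should not be trusted; an empty list means it passed."""
    try:
        hdr = parse_ese_header(data)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if hdr["file_type"] != 0:
        problems.append("file type %d is not a database" % hdr["file_type"])
    if hdr["state"] != 3:
        # A live-system copy typically shows 'dirty shutdown': the engine never flushed it.
        problems.append("database state is '%s', not 'clean shutdown'" % hdr["state_name"])
    if hdr["page_size"] == 0 or hdr["page_size"] % 512:
        problems.append("implausible page size %d" % hdr["page_size"])
    elif len(data) < hdr["page_size"]:
        problems.append("file is shorter than one database page (%d bytes)" % len(data))
    return problems


def build_sample_header(state, page_size=8192, length=None):
    """Constructed sample header (not a real SRUDB.dat) used to exercise the checks offline."""
    buf = bytearray(length or page_size)
    struct.pack_into("<IIII", buf, 0, 0, ESE_SIGNATURE, 0x620, 0)  # checksum, magic, version, type
    struct.pack_into("<I", buf, 52, state)
    struct.pack_into("<I", buf, 236, page_size)
    return bytes(buf)


if __name__ == "__main__":
    # Usage: python ese_check.py <path-to-SRUDB.dat>; with no argument a constructed dirty sample is checked.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = build_sample_header(2)
    issues = srum_copy_problems(blob)
    print("OK: header reports clean shutdown" if not issues else "REJECT: " + "; ".join(issues))
```

A clean-shutdown header is necessary but not sufficient: a snapshot taken mid-write can still contain torn pages that only a full page walk would reveal, so treat this as the fast first gate and use Microsoft's `esentutl /mh` on the copy when the header alone does not settle it. Either way the remedy is the one Mark gives above: take the file from a Volume Shadow Copy (or another raw-read method) rather than from the live path while the SRUM service holds it.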