A consolidation of information and links about what you’re seeing in Windows Task Manager and its Application History tab. The information below is not my discovery; the links to credits are at the beginning of this journal entry for an immediate TL;DR.
These are just details I’ve found worth journaling in my investigation of “WTF is Windows Task Manager doing?”
Credits:
- Paul’s Security Weekly – Episode 580 – https://wiki.securityweekly.com/Episode580 – https://www.youtube.com/watch?v=XKPruFqeKhM
- https://twitter.com/MarkBaggett
- https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492184583.pdf
- https://isc.sans.edu/forums/diary/System+Resource+Utilization+Monitor/21927/
I’ve gathered the above information because I wanted to create and journal my findings as a “Cheat Sheet” summary of what’s happening, and I encourage you to look at the above links first.
Starting with Windows 8, Microsoft introduced the collection of data about application processes, network usage and CPU utilization statistics per user account. These Windows system resource logs exist to feed Customer Experience reporting, so that errors and issues (BSODs, etc.) carry enough detail that, if you share them with Microsoft, they have a better view into the system and its processes for their investigation. This same information is what the Application History tab in Task Manager is built and sorted from.
It saves this information as a database in a system-locked file under the System32 folder. The file you’re going to want to check is `C:\Windows\System32\sru\SRUDB.dat`, and if you want to get this file you need to use a file tool that can copy locked files – I used Robocopy with `/B` (backup mode) to pull this file to another location.
Robocopy pulls the file without problem; an elevated command prompt appears to be needed so that `/B` can actually run:
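As an added example (not from the original post or Mark’s tools), here is that pull scripted in PowerShell: it checks that the prompt is elevated, copies the sru folder with robocopy `/B`, checks the robocopy exit code, and records a SHA-256 of the copied SRUDB.dat. The destination path is an assumption; change it to suit.

```powershell
# Added example: pull the locked SRUM database with robocopy /B and hash the copy.
# $Source is the path named in the post; $Destination is a constructed example path.
param(
    [string]$Source      = 'C:\Windows\System32\sru',
    [string]$Destination = 'C:\Evidence\sru'
)

# /B (backup mode) relies on the backup privilege, which only an elevated session has.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Run as administrator) PowerShell prompt.'
}

New-Item -ItemType Directory -Path $Destination -Force | Out-Null

# Copy every file in the sru folder (no subfolders), so SRUDB.dat comes with the
# ESE transaction logs beside it; a live database is usually in a dirty-shutdown
# state and those logs are what an ESE tool needs to bring it consistent offline.
# /R:0 /W:0 = no retries on a locked file, /NP = no progress spam, /LOG = keep a record.
$log = Join-Path $Destination 'robocopy.log'
robocopy $Source $Destination /B /R:0 /W:0 /NP /LOG:$log | Out-Null

# robocopy exit codes below 8 are informational; 8 and above mean something failed.
if ($LASTEXITCODE -ge 8) {
    throw "robocopy reported failures (exit code $LASTEXITCODE); see $log"
}

$copy = Join-Path $Destination 'SRUDB.dat'
if (-not (Test-Path $copy)) {
    throw "SRUDB.dat did not land in $Destination; check $log"
}

# Hash the copy so whatever you later turn into a spreadsheet can be tied back
# to exactly this artefact.
$hash = Get-FileHash -Path $copy -Algorithm SHA256
[pscustomobject]@{
    File   = $copy
    Bytes  = (Get-Item $copy).Length
    SHA256 = $hash.Hash
    Copied = (Get-Date).ToString('o')
} | Format-List
```

Keep the robocopy.log and the hash with the copy; they are the record of when and how the database was pulled.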
If you do decide to grab this file and review it, I recommend the links above by http://www.markbaggett.com, because he has created all the tools you need to grab this file, convert it to an Excel document, and then sort and review all the items available.
Once the Excel document is created with Mark’s templates and tools, you can audit a significant amount of detail from the CPU, process and network traffic captured.
The articles cited above really dig into the amount of detail available and what you can do with the information Microsoft is collecting about your Windows 8 or 10 computer.
I will be using the articles and videos at the beginning of this post to continue my own investigation of this database, and will also be looking for scripting techniques to possibly remove it regularly.