UAL Thank Us Later: Leveraging User Access Logging for Forensic Investigations

June 08, 2021

| Patrick Bennett | Endpoint Security & XDR

CrowdStrike analysts recently began researching and leveraging User Access Logging (UAL), a newer forensic artifact on Windows Server operating system that offers a wealth of data to support forensic investigations. UAL has proven beneficial to help correlate an account and the source IP address with actions performed remotely on systems.

To help your investigations, this blog post provides an overview of UAL databases and offers examples of interpreting the treasure trove of data that they contain.

What Is User Access Logging?

UAL is a feature included by default in Server editions of Microsoft Windows, starting with Server 2012. As defined by Microsoft, UAL is a feature that “logs unique client access requests, in the form of IP addresses and user names, of installed products and roles on the local server.” This means that UAL records user access to various services running on a Windows Server. The access is logged to databases on disk that contain information on the type of service accessed, the user account that performed the access and the source IP address from which the access occurred. One key element of UAL is that each record is based on the combination of username, source IP and service accessed — so it’s naturally suited for identifying anomalous or rare access to a system. With default settings, this information is retained for up to three years. Naturally, this data can be extremely valuable in forensic investigations. Unfortunately, there’s a marked lack of awareness of this type of artifact in the digital forensic community. Many forensic solutions do not parse these databases, and therefore threat analysts could potentially miss data relevant to an investigation.

Where to Find UAL Data

UAL database files are stored under the directory C:\Windows\System32\LogFiles\Sum. Inside this directory, you’ll find up to five Extensible Storage Engine (ESE) database files with .mdb extensions. The screenshot in Figure 1 provides an example of what the contents might look like.

Figure 1. C:\Windows\System32\LogFiles\Sum sample contents

The files shown above include:

Current.mdb (UAL database — current year; active copy)
<GUID>.mdb (UAL database — current year)
<GUID>.mdb (UAL database — previous year)
<GUID>.mdb (UAL database — two years prior)
Systemidentity.mdb (database containing information about the server, including a map of RoleGuid values to Role names – more on this below)

The Current.mdb file contains UAL data for the current year, while the two previous years are stored in .mdb files with GUID-style filenames. Per Microsoft:

“UAL makes a copy of the active database file, current.mdb, to a file named GUID.mdb every 24 hours. On the first day of the year, UAL will create a new GUID.mdb. The old GUID.mdb is retained as an archive. After two years, the original GUID.mdb will be overwritten.” This means there can be up to three years of historical data stored on the UAL (i.e., data from the previous year, two years prior and the current year up to the present).

Following the above, Current.mdb and the GUID-style files contain the same set of tables. These files will include the CLIENTS table, where some of the juiciest forensic data is stored — this is where you’ll find the historical records of users accessing various services. Table 1 shows a sample record from the CLIENTS table. Please note that some of the fields are omitted for visibility (see Appendix for a full listing of all tables and fields in the UAL databases).

RoleGuid	TotalAccesses	InsertDate	LastAccess	Address	AuthenticatedUserName
10a9226f-50ee-49d8-a393-9a501d47ce04	1	2019-03-12T18:06:56Z	2019-03-12T18:06:56Z	0a0a0cc8	DOMAIN\User1

Table 1. Sample UAL CLIENTS table record In the above example, the UAL record indicates that the user DOMAIN\User1 accessed the system via SMB on 2019-03-12 at 18:06:56 UTC, coming from the source IP address 10.10.12.200.

The source IP address is stored in the Address field in hexadecimal (0a 0a 0c c8 = 10 10 12 200). The InsertDate field contains the UTC timestamp of the first access for the year for the combination of user, RoleGuid and source IP. LastAccess is similar but represents the most recent access for the year. The TotalAccesses value of 1 indicates that this was the only access for the year (again, based on the combination of user, source IP and RoleGuid). If access occurred on additional days between the InsertDate and LastAccess, the total count would be included in this field. In addition, a daily count of the number of accesses per day would be included in additional fields named Day1 up to Day366, which represent the day of the year the access occurred (see Appendix for more details). Unfortunately, a full timestamp is only included for InsertDate and LastAccess — nothing in between. But as will be shown, this is plenty.

The RoleGuid field represents the type of service that was accessed. In this case, it was 10a9226f-50ee-49d8-a393-9a501d47ce04, which corresponds with what is known as the File Server Role. This typically represents SMB access, though it’s possible other protocols may be logged here as well. RoleGuid values are mapped to human-readable Role Names in the SystemIdentity.mdb database, under the ROLE_IDS table. Table 2 shows a sample ROLE_IDS table.

RoleGuid	ProductName	RoleName
c50fcc83-bc8d-4df5-8a3d-89d7f80f074b	0997dbd9-4db4-49aa-8ec5-8f5c6ae1c870	Active Directory Certificate Services
b4cdd739-089c-417e-878d-855f90081be7	0997dbd9-4db4-49aa-8ec5-8f5c6ae1c870	Active Directory Rights Management Service
48eed6b2-9cdc-4358-b5a5-8dea3b2f3f6a	0997dbd9-4db4-49aa-8ec5-8f5c6ae1c870	DHCP Server
7cc4b071-292c-4732-97a1-cf9a7301195d	0997dbd9-4db4-49aa-8ec5-8f5c6ae1c870	FAX Server
10a9226f-50ee-49d8-a393-9a501d47ce04	0997dbd9-4db4-49aa-8ec5-8f5c6ae1c870	File Server
bbd85b29-9dcc-4fd9-865d-3846dcba75c7	0997dbd9-4db4-49aa-8ec5-8f5c6ae1c870	Network Policy and Access Services
7fb09bd3-7fe6-435e-8348-7d8aefb6cea3	0997dbd9-4db4-49aa-8ec5-8f5c6ae1c870	Print and Document Services
d6256cf7-98fb-4eb4-aa18-303f1da1f770	0997dbd9-4db4-49aa-8ec5-8f5c6ae1c870	Web Server
4116a14d-3840-4f42-a67f-f2f9ff46eb4c	0997dbd9-4db4-49aa-8ec5-8f5c6ae1c870	Windows Deployment Services
d8dc1c8e-ea13-49ce-9a68-c9dca8db8b33	0997dbd9-4db4-49aa-8ec5-8f5c6ae1c870	Windows Server Update Services
c23f1c6a-30a8-41b6-bbf7-f266563dfcd6	0997dbd9-4db4-49aa-8ec5-8f5c6ae1c870	FTP Server
910cbaf9-b612-4782-a21f-f7c75105434a	0997dbd9-4db4-49aa-8ec5-8f5c6ae1c870	BranchCache
952285d9-edb7-4b6b-9d85-0c09e3da0bbd	0997dbd9-4db4-49aa-8ec5-8f5c6ae1c870	Remote Access

Table 2. Sample ROLE_IDS table

A Note on Roles

The Roles referenced by UAL data are tied directly to Server Roles installed on Windows Server systems. This is done via the Server Manager application, by clicking on Manage → Add Roles and Features.

Figure 2. Server Manager Roles and Features menu

This will bring up a menu that lists available Roles that can be installed, which will look similar to what’s shown in Figure 3.

Figure 3. Server Manager Server Roles menu

Certain Roles are included in the ROLE_IDS table by default, regardless of whether or not they are enabled. Other Roles may get added to the bottom of the ROLE_IDS table when they are installed via the Server Manager. For example, when making a server into a Domain Controller, one would install the Active Directory Domain Services Role, at which point this server would be added to the bottom of the ROLE_IDS table, and access under this Role would start being logged in the CLIENTS table. However, not every installed Role will necessarily end up being tracked by UAL.

File Server Role

From a forensic perspective, one of the most fruitful Roles in UAL analysis is the File Server Role. It can be found as a subitem under File and Storage Services in the Server Manager menu.

Figure 4. File and Storage Services

As shown in Figure 4, Microsoft notes that the File Server Role “manages shared folders and enables users to access files on computer from the network.” The consequence is that SMB access is logged in UAL databases under the File Server RoleGuid. This means UAL databases potentially contain up to three years of historical SMB access. This data can be extremely valuable during investigations, as we’ll demonstrate in the next section.

It’s important to note that this SMB logging includes when, for example, a user maps a file share and performs actions that use SMB under the hood, including SMB named pipes. For example, remotely interacting with a service using sc.exe will result in File Server UAL entries on the target system, because an SMB named pipe (\\.\PIPE\svcctl) is used. Similarly, a UAL File Server entry for a user doesn’t necessarily mean that the user purposefully used SMB. As a side note, even if the File Server Role is not explicitly enabled, SMB access will still be logged by UAL (as long as the firewall rules to allow SMB access are enabled). When the File Server Role is installed, these firewall rules are automatically enabled.

Interpreting UAL Data

Let’s step through some quick examples to demonstrate just how powerful UAL analysis can be. Please note that the following data is simulated, but this information is very similar to what you’d see in real-world scenarios when analyzing UAL data. In this first example, we’re analyzing a system called WEBSRV01. We already know that PsExec was used to execute the malicious file C:\Windows\malware.exe on 2020-11-04 at 19:53:08 UTC through analysis of host artifacts. However, all event logs have rolled and were not forwarded elsewhere. We’re trying to understand which user account executed PsExec targeting WEBSRV01 and from which system the activity originated. After parsing the UAL CLIENTS table (from the 2020 database file), the following results are returned.

RoleGuid	TotalAccesses	InsertDate	LastAccess	Address	AuthenticatedUserName
10a9226f-50ee-49d8-a393-9a501d47ce04	686	2020-01-01T05:16:43Z	2020-12-31T23:30:33Z	::1	WEBSRV01\Administrator
10a9226f-50ee-49d8-a393-9a501d47ce04	942	2020-01-12T13:11:46Z	2020-12-31T23:41:31Z	10.20.49.101	CORP\WEBSVC
10a9226f-50ee-49d8-a393-9a501d47ce04	14	2020-03-23T07:50:48Z	2020-12-08T12:22:43Z	10.15.100.249	CORP\lstevens
10a9226f-50ee-49d8-a393-9a501d47ce04	35	2020-03-23T08:30:01Z	2020-12-12T03:48:12Z	10.20.100.100	CORP\lstevens-adm
10a9226f-50ee-49d8-a393-9a501d47ce04	1	2020-08-12T23:42:08Z	2020-08-12T23:42:08Z	10.15.100.103	CORP\rsmith
10a9226f-50ee-49d8-a393-9a501d47ce04	3	2020-11-04T19:53:07Z	2020-11-04T19:53:08Z	10.20.49.201	CORP\banderson
10a9226f-50ee-49d8-a393-9a501d47ce04	33	2020-11-12T02:01:42Z	2020-12-30T15:28:07Z	10.20.115.32	CORP\CORPSVC
10a9226f-50ee-49d8-a393-9a501d47ce04	1	2020-11-13T13:03:13Z	2020-11-13T13:03:13Z	10.20.100.142	WERSRV01\Administrator
10a9226f-50ee-49d8-a393-9a501d47ce04	273	2020-12-01T18:46:12Z	2020-12-25T04:00:00Z	10.1.73.48	CORP\hconway

Table 3. Sample CLIENTS table The first thing that immediately jumps out is the row related to the account CORP\banderson that has a LastAccess value matching precisely the time of PsExec usage identified via other artifacts. This record’s address value is 10.20.49.201, meaning the activity originated from a device with this IP. We also note that the TotalAccesses value is 3. This means that for all of 2020, the CORP\banderson account only accessed WEBSRV01 via SMB from this IP address three times — and what’s more, all three occurred around the time of the PsExec activity (because all of the accesses would have occured between the InsertDate and LastAccess times). Another anomaly in the above is we have the local Administrator account for WEBSRV01 accessing it from the IP address of another system. Based on the TotalAccesses value, this is a rare activity, having only occurred once in 2020, with all of the other local Administrator access coming from localhost.

Simplify forensic data collection and analysis with the CrowdStrike Falcon® Forensics™ solution. Incident responders can respond faster to investigations and conduct compromise assessments, threat hunting and monitoring all in one location with Falcon Forensics. Responders can gather comprehensive data and analyze it quickly via pre-built dashboards and easy search capabilities for both live and historical artifacts.

Learn more about how Falcon Forensics works.

UAL at Scale

Things get even more exciting when you start pulling UAL at scale from many systems at once. Even simply sorting the output by InsertDate can quickly identify suspicious activity. When aggregating CLIENTS table data from multiple systems, it’s not uncommon to observe scenarios similar to the example in Table 4.

System Name	RoleGuid	TotalAccesses	InsertDate	LastAccess	Address	AuthenticatedUserName
APPSRV01	10a9226f-50ee-49d8-a393-9a501d47ce04	1	2020-11-30T14:26:17Z	2020-11-30T14:26:17Z	10.20.52.40	CORP\abcsvc
APPSRV02	10a9226f-50ee-49d8-a393-9a501d47ce04	1	2020-11-30T14:26:17Z	2020-11-30T14:26:17Z	10.20.52.40	CORP\abcsvc
DC01	10a9226f-50ee-49d8-a393-9a501d47ce04	1	2020-11-30T14:26:17Z	2020-11-30T14:26:17Z	10.20.52.40	CORP\abcsvc
FILESRV01	10a9226f-50ee-49d8-a393-9a501d47ce04	1	2020-11-30T14:26:18Z	2020-11-30T14:26:18Z	10.20.52.40	CORP\abcsvc
FILESRV02	10a9226f-50ee-49d8-a393-9a501d47ce04	1	2020-11-30T14:26:18Z	2020-11-30T14:26:18Z	10.20.52.40	CORP\abcsvc
WEBSRV01	10a9226f-50ee-49d8-a393-9a501d47ce04	1	2020-11-30T14:26:19Z	2020-11-30T14:26:19Z	10.20.52.40	CORP\abcsvc
WEBSRV02	10a9226f-50ee-49d8-a393-9a501d47ce04	1	2020-11-30T14:26:19Z	2020-11-30T14:26:19Z	10.20.52.40	CORP\abcsvc

Table 4. Sample UAL data from multiple systems In this example, the account CORP\abcsvc accessed eight systems in rapid succession via SMB, coming from the IP address 10.20.52.40. Further, in each case the TotalAccesses value is 1, meaning this was the only time for the year that this account accessed each system via SMB from the source IP address. When combined with other indicators to pivot from, UAL analysis at scale can help drive the direction of the investigation. For example, if there is a known compromised user account, UAL analysis can quickly identify other (Server 2012+) systems that the account accessed, by searching for records where the AuthenticatedUserName value matches the compromised user name. Similarly, if there is a system that’s known to be compromised, analyzing UAL at scale can provide rapid insights into threat actor lateral movement activities. This can be accomplished by finding UAL entries where the Address field matches the IP address of the compromised system. This can quickly provide an overview of which accounts a threat actor was using from the compromised server, as well as systems targeted for lateral movement. (Did we mention this data is retained for up to 3 years by default?) Armed with pivot points like these as a starting point, one can quickly glean critical insights from UAL data. Even without any other indicators to go on, it’s possible to spot anomalous activity by looking out for rare combinations of user, source IP address and RoleGuid via the TotalAccesses field.

Correlating UAL Data

Correlating UAL data with other artifacts can also help fill in the blanks when event log data is unavailable. An investigation timeline populated via host artifact analysis may yield something like that shown in Table 5.

System Name	Timestamp	Event	Details
APPSRV01	2020-12-01T04:10:50Z	File created	C:\Windows\malware.exe
APPSRV02	2020-12-01T04:10:50Z	File created	C:\Windows\malware.exe
DC01	2020-12-01T04:10:50Z	File created	C:\Windows\malware.exe
FILESRV01	2020-12-01T04:10:51Z	File created	C:\Windows\malware.exe
FILESRV02	2020-12-01T04:10:51Z	File created	C:\Windows\malware.exe
WEBSRV01	2020-12-01T04:10:52Z	File created	C:\Windows\malware.exe
WEBSRV02	2020-12-01T04:10:52Z	File created	C:\Windows\malware.exe

Table 5. Sample timeline before UAL enrichment By adding UAL data to the timeline and sorting by timestamp, everything falls into place, as shown in Table 6.

System Name	Timestamp	Event	Details
APPSRV01	2020-12-01T04:10:50Z	UAL entry	RoleGuid: File Server \| AuthenticatedUserName: CORP\rsmith-adm \| Address: 10.100.2.201 \| TotalAccesses: 1
APPSRV01	2020-12-01T04:10:50Z	File created	C:\Windows\malware.exe
APPSRV02	2020-12-01T04:10:50Z	UAL entry	RoleGuid: File Server \| AuthenticatedUserName: CORP\rsmith-adm \| Address: 10.100.2.201 \| TotalAccesses: 1
APPSRV02	2020-12-01T04:10:50Z	File created	C:\Windows\malware.exe
DC01	2020-12-01T04:10:50Z	UAL entry	RoleGuid: File Server \| AuthenticatedUserName: CORP\rsmith-adm \| Address: 10.100.2.201 \| TotalAccesses: 1
DC01	2020-12-01T04:10:50Z	File created	C:\Windows\malware.exe
FILESRV01	2020-12-01T04:10:51Z	UAL entry	RoleGuid: File Server \| AuthenticatedUserName: CORP\rsmith-adm \| Address: 10.100.2.201 \| TotalAccesses: 1
FILESRV01	2020-12-01T04:10:51Z	File created	C:\Windows\malware.exe
FILESRV02	2020-12-01T04:10:51Z	UAL entry	RoleGuid: File Server \| AuthenticatedUserName: CORP\rsmith-adm \| Address: 10.100.2.201 \| TotalAccesses: 1
FILESRV02	2020-12-01T04:10:51Z	File created	C:\Windows\malware.exe
WEBSRV01	2020-12-01T04:10:52Z	UAL entry	RoleGuid: File Server \| AuthenticatedUserName: CORP\rsmith-adm \| Address: 10.100.2.201 \| TotalAccesses: 1
WEBSRV01	2020-12-01T04:10:52Z	File created	C:\Windows\malware.exe
WEBSRV02	2020-12-01T04:10:52Z	UAL entry	RoleGuid: File Server \| AuthenticatedUserName: CORP\rsmith-adm \| Address: 10.100.2.201 \| TotalAccesses: 1
WEBSRV02	2020-12-01T04:10:52Z	File created	C:\Windows\malware.exe

Table 6. Sample timeline after UAL enrichment After adding UAL data, we can now clearly see that malware.exe was copied to all of these systems by CORP\rsmith-adm; and that this activity originated from the IP address 10.100.2.201. Aside from subsequently focusing analysis efforts on that system, you can also identify additional systems of interest by searching the aggregated UAL data for entries with matching Address or AuthenticatedUserName values from around the same timeframe.

UAL Analysis Tools

On live systems, analysts can access UAL data via PowerShell cmdlets or WMI. In image analysis, UAL databases can be parsed with any tool that supports parsing ESE databases, such as esedbexport, which is part of Joachim Metz’s libesedb project.

At least two recently developed solutions are used for parsing UAL data from a forensic perspective: Eric Zimmerman’s SumECmd and Brian Moran’s KStrike. These tools add value by automatically converting RoleGuids to Role Names and automatically parsing the Address field to a human-readable IP address.

More to Come

These examples are only a tiny glimpse into the many powerful applications of UAL data in forensic investigations. The forensic analysis of UAL databases can provide exceptional insights to the forensic analyst. Currently, it’s an understudied artifact that’s also under-represented by forensic tools. We hope that this information is helpful for your analyses; additional research and testing are needed to learn more about this artifact and the valuable insights it can provide.

Appendix: UAL Databases and Tables

Here is a description of all tables included with the UAL database files. Current.mdb (and <GUID>.mdb files) CLIENTS As mentioned, this table stores the heart of the UAL data. It includes the information on user accounts accessing services on the server. Each row is based on the combination of user + source IP + RoleGuid. (In other words, if a user accesses a system via SMB from two different source IP addresses, each will get their own row). The CLIENTS table includes nine fields.

Field Name	Description
AuthenticatedUserName	Domain\User account performing the access. Can include local accounts and domain accounts, including computer accounts.
Address	Source IP address from which access occurred. Can include IPv4 or IPv6, as well as localhost values.
RoleGuid	The type of service accessed. RoleGuids are mapped to Role names in SystemIdentity.mdb.
InsertDate	UTC timestamp of the first access for the year
LastAccess	UTC timestamp of the most recent access for the year
TotalAccesses	Count of accesses for the year (based on RoleGuid + AuthenticatedUserName + Address)
Day1 … Day366	Count of accesses per day for each day of the year
TenantId	Have seen this populated in relation to the Active Directory Domain Services RoleGuid, but interpretation is unclear. Microsoft defines it as “a unique GUID for a tenant client of an installed role or product that accompanies the UAL data, if applicable.”
ClientName	Unknown, have not seen it populated in the wild

Table 7. CLIENTS table fields DNS The DNS table contains historical IP to hostname mappings. It appears this table is only populated if the server being analyzed has the DNS Server Role installed. The hostnames and IPs are likely related to clients of the DNS server, but more research is needed to determine what specifically causes this table to be populated. This table can aid in determining previous IP addresses associated with systems in instances where DHCP logs are not available. The DNS table includes three fields.

Field Name	Description
LastSeen	UTC timestamp
Address	IP address
HostName	Hostname associated with the IP address

Table 8. DNS table fields ROLE_ACCESS The ROLE_ACCESS table contains a high-level view of the types of Roles that have been accessed on the system, and when the first and last accesses occurred. It contains three fields.

Field Name	Description
RoleGuid	RoleGuid value (associated with human-readable Role Name in SystemIdentity.mdb)
FirstSeen	UTC timestamp of the earliest access to the Role type for the year
LastSeen	UTC timestamp of the most recent access to the Role type for the year

Table 9. ROLE_ACCESS table fields VIRTUALMACHINES The VIRTUALMACHINES table contains information on HyperV virtual machines running on the system. As of this writing, we have not come across it populated in the wild. It contains the following fields:

Field Name

VmGuid

BIOSGuid

CreationTime

LastSeenActive

SerialNumber

Table 10. VIRTUALMACHINES table fields SystemIdentity.mdb ROLE_IDS As mentioned, the ROLE_IDS table contains a mapping of RoleGuid values to human-readable Role Names. It includes three fields.

Field Name	Description
RoleGuid	RoleGuid (GUID value)
ProductName	Typically related to the OS edition, it can be GUID value or human-readable. Microsoft defines as “The name of the software parent product, such as Windows, that is providing UAL data.”
RoleName	Human-readable Role Name for the RoleGuid

Table 11. ROLE_IDS table fields CHAINED_DATABASES This table provides a mapping associated with the year for storing the <GUID>.mdb files. Each row contains two fields.

Field Name	Description
Year	Year associated with database filename (e.g., 2021)
Filename	Database filename associated with the year

Table 12. CHAINED_DATABASES table fields SYSTEM_IDENTITY This table contains information related to the operating system and hardware of the system. It contains the following fields, most of which are self-explanatory.

Field Name	Field Name
CreationTime	OSSuiteMask
PhysicalProcessorCount	OSProductType
CoresPerPhysicalProcessor	SystemManufacturer
LogicalProcessorsPerPhysicalProcessor	SystemProductName
MaximumMemory	SystemSerialNumber
OSMajor	SystemDNSHostName
OSMinor	SystemDomainName
OSBuildNumber	OSSerialNumber
OSPlatformId	OSCountryCode
ServicePackMajor	OSLastBootUpTime

Table 13. SYSTEM_IDENTITY table fields One interesting aspect of the SYSTEM_IDENTITY table is that it appears to have a new entry created each time one of the fields changes. For example, when changing a system’s hostname or domain, a new row will be created showing the new SystemDNSHostName and SystemDomainName, while the old data will still be available in previous rows. The LastBootUpTime field will then only continue to be updated for the latest row. Table 14 provides an example of this.

CreationTime	SystemDNSHostName	SystemDomainName	LastBootUpTime
2020-02-12T15:06:23.632Z	DESKTOP-A3F2BCF9	WORKGROUP	20210315092316.243752+000
2020-03-15T10:06:12.742Z	WEBSRV01	CORP	20211207021136.195304+000

Table 14. Sample SYSTEM_IDENTITY table data

UAL Thank Us Later: Leveraging User Access Logging for Forensic Investigations

What Is User Access Logging?