# User Access Logging (UAL)

**Windows DFIR notes are no longer maintained on InfoSec-Notes. Updated versions can be found on:** [**artefacts.help**](https://artefacts.help/)**.**

### Overview

Location: `%SystemRoot%\System32\Logfiles\SUM\` folder.

Yield Information related to **user access and activity**.\
On Domain Controllers, yield information on **sessions opening on domain-joined computers** (if the given DC was reached for authentication / `Group Policy` retrieval).

`User Access Logging (UAL)` is a feature introduced, and enabled by default, in `Windows Server 2012` that consolidates data on client activity. Among other information, user access on specific Windows Server roles (such as `Active Directory Domain Services` on Domain Controller) are logged by the `UAL`. The specific activity triggering an entry to be logged for a given role is not documented.

The information is stored locally in up to five `Extensible Storage Engine (ESE)` database files (`.mdb`):

* `Current.mdb` which contains data for the last 24-hour.
* Up to three `<GUID>.mdb` files, which contain data for an entire year (first to last day), going back to 2 years. The data in the `Current.mdb` database is copied each day to the corresponding (`<GUID>.mdb`) database for the current year.
* `Systemidentity.mdb` which contains metadata on the local server, including a mapping on roles' GUIDs and names.

Historical data going back to 2 years (2020 as of 2022) may thus be retrieved in the `UAL` database files.

### Information of interest

The `CLIENTS` table of the aforementioned database files contain multiple information of interest:

* Accessed Windows Server role `GUID` and description. Among others, the following roles can be encountered:
  * `Active Directory Domain Services` (GUID: `ad495fc3-0eaa-413d-ba7d-8b13fa7ec598`).
  * `File Server` (GUID: `10a9226f-50ee-49d8-a393-9a501d47ce04`).
  * `Active Directory Certificate Services` (GUID: `c50fcc83-bc8d-4df5-8a3d-89d7f80f074b`).
* The client domain and username.
* Total number of access.
* First, last, and daily access timestamps.
* Client `IPv4` or `IPv6` address. On Domain Controllers, the hostname associated the `IP` address at that time may be retrievable as machine accounts of domain-joined computers also authenticate on `AD DS`.

Each entry in the `CLIENTS` table is composed of a unique set of a Windows Server role, a client's domain / username, and a source `IP` address.

The `DNS` table of the aforementioned database files contain information about `DNS` resolutions: hostname, associated `IP` address, and timestamp of last resolution.

### Parsing

**Live forensics**

The PowerShell cmdlets of the `UserAccessLogging` module can be used to retrieve `UAL` data on a live system:

```bash
# Enumerates the roles installed on the system.
Get-UalOverview

# Retrieves UAL data for user access (data stored in the CLIENTS table).
Get-UalUserAccess

# Retrieves UAL data for client access by device for a given service, ordered by date (data stored in the CLIENTS table).
# The cmdlets returns the date that the client accessed the service and how many times the client accessed the service during that day.
Get-UalDailyAccess

# Retrieves information on DNS resolutions (data stored in the DNS table).
Get-UalDns
```

**Triaged UAL database files**

A direct copy of the `UAL` database files is not possible as the files are being locked due to continued access. The files should be copied through a `shadow copy` volume or using utilities implementing raw disk reads (such as [`Velociraptor`](https://github.com/Velocidex/velociraptor) or [`RawCopy`](https://github.com/jschicht/RawCopy)).

```bash
# Example of low level file copy bypassing file locking using RawCopy.
RawCopy64.exe /FileNamePath:"<C:\Windows\System32\LogFiles\Sum\Current.mdb | UAL_DB_FILE>" /OutputPath:"<OUTPUT_DIRECTORY>"
```

As the databases copied will not be in a "clean state", the database files will have to be repaired. This can be accomplished using the `esentutl` utility:

```
# The following commands should be executed in the directory containing the UAL database files.

esentutl.exe /r sru /i

esentutl.exe /p <Current.mdb | UAL_DB_FILE>
```

The Eric Zimmerman's `SumECmd.exe` tool or the [`KStrike`](https://github.com/brimorlabs/KStrike) Python script can be used to parse `UAL` database files:

```bash
# Parses the specified individual UAL database file.
KStrike.py <Current.mdb | UAL_DB_FILE>

# Parses the UAL database files (Current.mdb, SystemIdentity.mdb, etc.) in the specified directory.
# The results will be aggregated in single CSV files per category (client access, DNS requests, etc.).
SumECmd.exe --csv <CSV_DIRECTORY_OUTPUT> -d <DIRECTORY_WITH_UAL_DB_FILES>
```

***

### References

<https://advisory.kpmg.us/blog/2021/digital-forensics-incident-response.html>

<https://www.youtube.com/watch?v=rVHKXUXhhWA>

<https://docs.microsoft.com/en-us/windows-server/administration/user-access-logging/get-started-with-user-access-logging>

<https://www.crowdstrike.com/blog/user-access-logging-ual-overview/>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://notes.qazeer.io/dfir/windows/_artefacts_overview/user_access_logging.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.