* [Qemu-devel] Win2k-SP3
From: Brad Campbell @ 2004-06-21 8:46 UTC (permalink / raw)
To: qemu-devel
G'day all,
The latest changes to QEMU-CVS have made the installation phase much quicker.
The hardware detection seems more reliable and moves through faster, but there is still the issue of
the disk full messages.
Now I loopback mounted the entire NTFS filesystem and copied all 2.9GB of log files from the
WINNT\security directory onto another drive for examination.
I now have 2751 log files to examine. edb.log -> edb00A05.log.
I tried copying some of them to a win2k box and loading them with event viewer to no avail.
Using "less" I can see that the files contain some information but I can't seem to make any sense
from it. I can see some form of filenames and paths, but nothing I can make sense of.
Strings is apparently not helpful here, as the strings output on any of the files is below:
srv:/raid0/tmp/security# strings edb00A05.log
C:\WINNT\Security\
C:\WINNT\Security\
C:\WINNT\Security\Database\secedit.sdb
srv:/raid0/tmp/security#
Does anyone know what I can use to extract some information from these files?
Incidentally, the entire 2.9GB of log files compressed with gzip comes to 3.3MB.
I have put the whole shebang at http://www.wasp.net.au/~brad/win2k-logs.tgz if anyone is interested
in having a look.
I assume it simply stops writing to the logs when the disk reaches a certain state of fill, as it
appears to happen in a similar fashion no matter what the drive size.
Regards,
Brad
* Re: [Qemu-devel] Win2k-SP3
From: Piotr Krysik @ 2004-06-21 13:05 UTC (permalink / raw)
To: qemu-devel
Hi,
You can use
# od -t x1z edbXXXXX.log | less
It seems to be a transaction log of a Jet database [1]. The log, I guess, is related to the database C:\WINNT\Security\Database\secedit.sdb. The database stores the Local Security Policy [2].
I noticed that the contents of all the files (except edb.log, edb00001.log and res1.log) are identical if the first 32 bytes (header?) are ignored.
[1] http://groups.google.pl/groups?q=edb00001.log+jet&hl=pl&lr=&ie=UTF-8&inlang=pl&selm=uMKQ7RSGEHA.3456%40tk2msftngp13.phx.gbl&rnum=2
[2] http://groups.google.pl/groups?hl=pl&lr=&ie=UTF-8&inlang=pl&selm=036001c30ea8%245794ccd0%24a401280a%40phx.gbl&rnum=6
Brad Campbell <brad@wasp.net.au> wrote:
> Does anyone know what I can use to extract some information from these files?
> Incidentally, the entire 2.9GB of log files compressed with gzip comes to 3.3MB.
> I have put the whole shebang at http://www.wasp.net.au/~brad/win2k-logs.tgz if anyone is interested
> in having a look.
* Re: [Qemu-devel] Win2k-SP3
From: Brad Campbell @ 2004-06-21 13:57 UTC (permalink / raw)
To: qemu-devel
Piotr Krysik wrote:
> Hi,
>
> You can use
> # od -t x1z edbXXXXX.log | less
> It seems to be a transaction log of a Jet database [1]. The log, I guess,
> is related to the database C:\WINNT\Security\Database\secedit.sdb. The
> database stores the Local Security Policy [2].
>
> I noticed that the contents of all the files (except edb.log, edb00001.log
> and res1.log) are identical if the first 32 bytes (header?) are ignored.
>
Hey, thanks for that. I'll get into the other files and then I can make wild speculative guesses
about what could possibly be causing the problem. I have not "done windows" since 1996 so I'm a bit
behind what it does and does not do, besides knowing that it does cause havoc and mayhem when
infected with blaster or its kin.
Regards,
Brad
* Re: [Qemu-devel] Win2k-SP3
From: Bartosz Fabianowski @ 2004-06-21 17:51 UTC (permalink / raw)
To: qemu-devel
I currently don't have Windows installed so I can't try this myself. But
a little bit of googling suggests that the log files you are seeing are
database checkpoint files. It seems that Exchange uses this database
format and comes with some utilities that allow you to peek into the
files. However, Windows 2000 also uses them for Active Directory and
seems to have some limited tools on board as well. The following article
gives a few details:
http://searchnetworking.techtarget.com/originalContent/0,289142,sid7_gci803195,00.html
According to the article, you might want to try the NTDSUTIL utility and
see what you can get. Microsoft also gives some information on how to
use it:
http://www.microsoft.com/resources/documentation/windows/2000/server/reskit/en-us/distsys/part5/dsgappc.mspx
Either way, the hundreds of checkpoints indicate that something is going
wrong with some database during installation.
By the way, is it just me or are the files actually empty (besides the
header of course)? They compress so well because they are just full of
zero bytes.
- Bartosz
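The two observations made in this thread (Piotr's: the files are identical once the first 32 bytes are skipped; Bartosz's: the bodies are almost entirely zero bytes) can be checked mechanically rather than by paging through `od` output by hand. The script below is an added example written for this page; it is not code posted by anyone in the thread. It hex-dumps a header in the style of `od -t x1z`, measures the zero-byte fraction of each file, compares bodies after the header, and extracts both ASCII and UTF-16LE strings. The last point is the practical caveat: GNU `strings` only reports single-byte runs by default, and `strings -e l` is needed to see 16-bit little-endian text, which is the encoding Windows components commonly write, so a near-empty `strings` result does not mean the file carries no readable text. The sample files are constructed in memory: the 32-byte header length is taken from the thread, but the header layout and file contents are stand-ins and are not the real ESE/Jet log format.

```python
"""Triage a set of edb*.log files: hex-dump the header, measure how empty
each file is, pull out ASCII and UTF-16LE strings, and check whether the
files are byte-identical once the header is skipped.

All input here is constructed in memory; nothing is read from the archive
posted in the thread, and the header layout is NOT the real ESE format.
"""
import re

HEADER_LEN = 32  # assumption: header size taken from the observation in the thread

# Runs of 4+ printable bytes, either single-byte or UTF-16LE (char, 0x00 pairs).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
UTF16LE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def hexdump(data: bytes, width: int = 16) -> str:
    """Render bytes like `od -t x1z`: offset, hex bytes, printable column."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3}} >{asc}<")
    return "\n".join(lines)


def zero_fraction(data: bytes) -> float:
    """Share of 0x00 bytes; a value near 1.0 means the file is effectively empty."""
    return data.count(0) / len(data) if data else 0.0


def extract_strings(data: bytes) -> dict:
    """Both kinds of string `strings` can find (default and `-e l`)."""
    return {
        "ascii": [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)],
        "utf16le": [m.group().decode("utf-16-le") for m in UTF16LE_RUN.finditer(data)],
    }


def identical_after_header(files: dict, header_len: int = HEADER_LEN) -> bool:
    """True when every file has the same bytes once the header is dropped."""
    bodies = {data[header_len:] for data in files.values()}
    return len(bodies) == 1


def triage(files: dict) -> dict:
    """Per-file summary: size, emptiness, and the strings found in it."""
    report = {}
    for name, data in sorted(files.items()):
        found = extract_strings(data)
        report[name] = {
            "size": len(data),
            "zero_fraction": round(zero_fraction(data), 4),
            "ascii_strings": found["ascii"],
            "utf16le_strings": found["utf16le"],
        }
    return report


def make_sample_log(seq: int, size: int = 4096) -> bytes:
    """Constructed stand-in for edb%05X.log: a 32-byte header that differs
    per file (sequence number plus a fake checksum), then one ASCII and one
    UTF-16LE copy of a path, then zero padding. Not the real ESE log layout;
    it only reproduces the two observations made in the thread."""
    header = seq.to_bytes(4, "little")
    header += ((seq * 0x9E3779B1) & 0xFFFFFFFF).to_bytes(4, "little")
    header = header.ljust(HEADER_LEN, b"\x00")
    path = r"C:\WINNT\Security\Database\secedit.sdb"
    body = path.encode("ascii") + b"\x00" * 8 + path.encode("utf-16-le")
    return (header + body).ljust(size, b"\x00")


# Constructed sample set, named like the files in the thread (edb00001.log ...).
SAMPLE_FILES = {f"edb{seq:05X}.log": make_sample_log(seq) for seq in range(1, 6)}


if __name__ == "__main__":
    print(hexdump(SAMPLE_FILES["edb00001.log"][:HEADER_LEN]))
    for name, summary in triage(SAMPLE_FILES).items():
        print(name, summary["size"], summary["zero_fraction"], summary["utf16le_strings"])
    print("identical after header:", identical_after_header(SAMPLE_FILES))
```

Against a real directory, replace `SAMPLE_FILES` with a dict built by reading each `edb*.log` in binary mode; the header length is the one to adjust if `hexdump` shows the per-file differences extending past byte 32.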