Locked File Access Using ESENTUTL.exe

I’m currently working on a solution to collect files off a live system to be used during some IR processes. I won’t go into any great detail, but I’m limited to only using built-in Windows utilities. I need access to browser history data, and while Chrome and Firefox allow copying of their history files, the WebCacheV01.dat file that IE and Edge history are stored in is a locked file and cannot be copied using native copy commands/cmdlets like Xcopy, Copy-Item, RoboCopy, etc.

ESE Database Files and ESENTUTL.EXE

The WebCacheV01.dat file is an ESE (Extensible Storage Engine) database file, and there is a built-in tool for performing maintenance operations on such files: esentutl.exe. I started wondering if I could use this tool to export the database or at least dump the history. Running esentutl.exe from a command prompt, we see two interesting options: /m to dump a file and /y to copy a file.

[Image: esentutl.exe command-line options]

Copying the file sounds great to me. Let’s try:

esentutl.exe /y WebCacheV01.dat /d C:\Path\To\Save\WebCacheV01.dat

[Image: esentutl.exe error, file is locked]

Strike 1. That gives us the same “file is being used” error that I received with the other copy commands. OK, so taking another look at the copy options, I see the /vss and /vssrec options. A couple of important distinctions here:

  • I am running Windows 10, build 1803. The /vss and /vssrec options are only available on Win 10 and Server 2016 or later.
  • The /vss and /vssrec options require you to be running as an admin.

The /vss option “copies a snapshot of the file, does not replay the logs”. We’ll talk a little more about the transaction logs later, but let’s go with the /vss option for now.

[Image: esentutl.exe /y with the /vss option succeeding]

OK, that’s much better. If I open up the WebCacheV01.dat file in ESEDatabaseView or BrowsingHistoryView, I see browsing history leading up to my testing. Initially, I thought it was grabbing a copy of the file from a previous Volume Shadow Copy (VSC), but that isn’t the case. Esentutl.exe is able to use the Volume Shadow Copy service to make a backup of a locked file. This can be done even if VSCs are disabled on the system.

What about the /vssrec option? Data is not written directly to the database file. In simple terms, data is instead written to RAM and then to transaction logs before being flushed into the database file. Microsoft’s documentation says: “The data can be written to the database file later; possibly immediately, potentially much later.”

I did some testing with this and I’m not sure under what scenarios this doesn’t happen right away.  I opened up Edge and navigated to a new page, then immediately copied the WebCacheV01.dat file while Edge was still open and it contained this new entry.

Just keep in mind that when using the /vss option only, we have the potential to miss entries that have not yet been written to the database. Using the /vssrec option will replay these transaction logs. This is the syntax used:

esentutl.exe /y C:\Path\To\WebCacheV01.dat /vssrec V01 . /d c:\exports\webcachev01.dat

This can be a double-edged sword, though, because once the logs are replayed you also have the potential to lose deleted records that have yet to be purged from the database. If this is a concern, you could go with both options and just save two copies of the file. This article from SANS provides more details on the ins and outs of ESE databases and transaction logs:

https://digital-forensics.sans.org/blog/2015/06/03/ese-databases-are-dirty

Additional Uses of Esentutl.exe

So we know we can use esentutl.exe to copy ESE database files, but what about other locked files? Well, it turns out you can copy those too. In this example, I grab a copy of the NTUSER.dat file for the currently logged-in account.

[Image: esentutl.exe /y /vss copying NTUSER.dat]
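To tie the pieces above together, here is a small collection script I have added as an example; it is not code from the original post. It wraps the esentutl.exe /y command shown earlier in a function and takes three copies in one run: a /vss snapshot of WebCacheV01.dat, a /vssrec copy of the same file with the transaction logs replayed, and a /vss copy of the locked NTUSER.dat hive. It assumes Windows 10 1803 or Server 2016 or later, an elevated prompt, the default profile locations of WebCacheV01.dat and NTUSER.dat for the current user, and that the transaction logs live next to the database with the base name V01 (the post used “.” for the log directory; passing the directory explicitly is my assumption). The output directory and hash file names are also my choice.

```powershell
# Added example (not from the original post): collect locked files with the
# built-in esentutl.exe using the /vss and /vssrec switches.
# Assumptions: Windows 10 1803+ / Server 2016+, elevated prompt, default
# profile paths for the current user, V01 log base name in the WebCache folder.
#Requires -RunAsAdministrator
param(
    # hypothetical output location, one folder per host and run
    [string]$OutDir = "C:\exports\$env:COMPUTERNAME-$(Get-Date -Format yyyyMMdd-HHmmss)"
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$hashFile = Join-Path $OutDir 'hashes.csv'

$webCacheDir = Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\WebCache'
$webCache    = Join-Path $webCacheDir 'WebCacheV01.dat'
$ntuser      = Join-Path $env:USERPROFILE 'NTUSER.dat'

function Copy-LockedFile {
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Destination,
        [switch]$ReplayLogs,            # use /vssrec instead of /vss
        [string]$LogBaseName = 'V01',   # ESE log base name (V01 for WebCache)
        [string]$LogDir                 # defaults to the source file's folder
    )
    if (-not $LogDir) { $LogDir = Split-Path -Path $Source -Parent }

    if ($ReplayLogs) {
        # /vssrec <base name> <log dir>: snapshot plus replay of the transaction logs
        $esentArgs = @('/y', $Source, '/vssrec', $LogBaseName, $LogDir, '/d', $Destination)
    } else {
        # /vss: snapshot only, the transaction logs are not replayed
        $esentArgs = @('/y', $Source, '/vss', '/d', $Destination)
    }

    & esentutl.exe @esentArgs | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -Path $Destination)) {
        Write-Warning "esentutl.exe failed (exit $LASTEXITCODE) for $Source"
        return $false
    }

    # record a SHA-256 of each copy so the collection can be verified later
    Get-FileHash -Algorithm SHA256 -Path $Destination |
        Select-Object Path, Hash |
        Export-Csv -Path $hashFile -Append -NoTypeInformation
    return $true
}

# 1. snapshot copy: may miss entries still sitting in the logs, but keeps
#    deleted rows that have not been purged yet
Copy-LockedFile -Source $webCache -Destination (Join-Path $OutDir 'WebCacheV01_vss.dat')

# 2. replayed copy: logs are applied, so entries not yet flushed are present
Copy-LockedFile -Source $webCache -Destination (Join-Path $OutDir 'WebCacheV01_vssrec.dat') -ReplayLogs

# 3. the same trick works for a locked registry hive
Copy-LockedFile -Source $ntuser -Destination (Join-Path $OutDir 'NTUSER.dat')
```

Keeping both WebCache copies follows the advice in the post: the /vss copy preserves deleted-but-unpurged rows, the /vssrec copy contains the most recent entries, and the hash file lets you show later that neither copy changed after collection.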

I really like this as an option for copying system files when doing investigations or even testing. I’m sure it has value to Red Teams as well, as it allows you to grab other hives like the SAM and other ESE databases like NTDS.dit without introducing outside tools or using PowerShell. Blue Teams can detect this type of activity by auditing process creation and looking for activity by esentutl.exe, particularly with the /vss switch.

[Image: process creation evidence showing esentutl.exe with the /vss switch]
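As an added example of the Blue Team detection described above (my code, not the post’s), the following script pulls process creation events (Security event ID 4688) from the last few days and keeps only those where esentutl.exe was launched with /vss or /vssrec. It assumes that “Audit Process Creation” is enabled and that “Include command line in process creation events” is turned on, because otherwise the CommandLine field of 4688 is empty; Sysmon event ID 1 carries the same fields (Image, CommandLine, ParentImage) and can be filtered the same way. The function name and the default lookback window are my choices.

```powershell
# Added example (not from the original post): find esentutl.exe process creation
# events that used the /vss or /vssrec switch.
# Assumptions: Security event ID 4688 is being logged with command-line
# auditing enabled; the local host is queried unless -ComputerName is given.
param(
    [int]$Days = 7,
    [string]$ComputerName = $env:COMPUTERNAME
)

function Get-EsentutlVssEvent {
    param([int]$Days = 7, [string]$ComputerName = $env:COMPUTERNAME)

    $filter = @{
        LogName   = 'Security'
        Id        = 4688
        StartTime = (Get-Date).AddDays(-$Days)
    }

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # read the named EventData fields from the event XML instead of
            # scraping the rendered message text
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            [pscustomobject]@{
                Time        = $_.TimeCreated
                Computer    = $_.MachineName
                User        = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                Process     = $data['NewProcessName']
                Parent      = $data['ParentProcessName']
                CommandLine = $data['CommandLine']
            }
        } |
        Where-Object {
            # esentutl.exe itself, with a VSS-backed copy on the command line
            $_.Process -like '*\esentutl.exe' -and $_.CommandLine -match '(?i)/vss(rec)?\b'
        }
}

Get-EsentutlVssEvent -Days $Days -ComputerName $ComputerName |
    Sort-Object Time |
    Format-Table Time, Computer, User, Parent, CommandLine -AutoSize -Wrap
```

The parent process column is worth keeping in the output: esentutl.exe started from a scheduled backup job looks different from esentutl.exe started from an interactive shell, and the command line tells you which file was copied.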

Final Thoughts

I’m still looking for a good way to get IE/Edge browser history on the versions of Windows that do not have the /vss switch so if you’ve got any ideas there, let me know.


4 thoughts on “Locked File Access Using ESENTUTL.exe”

  1. Mike this is great work!

    I was in your shoes a few months ago and I didn’t come upon this solution till reading your blog.

    The way I got around this case was to use Raw Copy solution from https://github.com/jschicht/RawCopy.

    You need to run it as admin and it shows history till the date when you extracted the file.

    Basically, it does the same thing but with an external tool.

    I executed it like this:
    rawcopy64.exe /FileNamePath:"C:\Users\IEUser\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat" /OutputPath:C:\Windows\

    Cheers!


    1. Hey Aky, thanks for the comment! I’ve used RawCopy on some other projects and it works great. In my case I couldn’t use any third-party tools to extract the file, so I couldn’t use it this time, which is what led me to esentutl.exe. When I was researching things, I came across a post that said you could suspend or kill the taskhost.exe/taskhostw.exe process and it should allow you to copy the WebCacheV01.dat file, but that didn’t work for me.
