Windows 7 SYSTEM reg file examination

Adam10541
(@adam10541)
Posts: 550
Honorable Member
Topic starter
 

I'm looking through a SYSTEM reg file from a Win7 machine, specifically looking for log on, system start up times etc and I'm seeing something that I'm having trouble finding an explanation for.

I'm seeing the below entries in the SYSTEM file
CMFStartTime 02-11-16 154949 +8
SystemLastStartTime 16-06-16 084153 +8

I know from my client that they used the computer on the 2-11-16 so that is consistent with the last time the machine was booted up, however I need to understand the difference between the CMF start time and System last start time, and why they are different.

 
Posted : 05/04/2017 7:26 am
benfindlay
(@benfindlay)
Posts: 142
Estimable Member
 

Morning (at least it is where I am!),

Is it definitely an X-Ways issue? Do other tools parse the same values or different? If other tools produce the same results, then there may be something else going on here.

As a possible avenue of thought, I have seen situations (mostly with laptops) where machines didn't actually shut down, even if the user selected "Shut Down" from the start menu - they went into some sort of weird ultra-low-power standby (the proper name of which escapes me).

I found this by looking at the machine live - when freshly booted up from "off" it would report an "up time" of several hours or days, but when rebooted, the "up time" clock would reset back to zero again.

It turned out that a BIOS setting kept the machine from truly powering off. The idea behind this was to improve start up times.

Just a thought off the top of my head.

Ben

 
Posted : 05/04/2017 1:01 pm
minime2k9
(@minime2k9)
Posts: 481
Honorable Member
 

Have you tried the X-ways forums? Assuming you have an in-date licence.
http://www.x-ways.net/winhex/forum/messages/board-topics.html

Stefan is very good at responding on here with queries like this, though I would check through the manual first to make sure it isn't mentioned in there.

 
Posted : 05/04/2017 1:14 pm
Adam10541
(@adam10541)
Posts: 550
Honorable Member
Topic starter
 

I checked the manual and nothing there to indicate the difference.

I don't think it's so much an 'Xways' issue as much as an interpretation issue.

I'll head over to the Xways forums and see what Stefan can tell me.

*edit apparently not much beyond the fact that I posted in the wrong section oops

 
Posted : 06/04/2017 6:47 am
minime2k9
(@minime2k9)
Posts: 481
Honorable Member
 

Yeah he can be a little blunt

 
Posted : 06/04/2017 12:44 pm
(@athulin)
Posts: 1156
Noble Member
 

> … however I need to understand the difference between the CMF start time and System last start time, and why they are different.
>
> Any Xways gurus have an explanation?

I'm probably just showing off my ignorance but … why is this a Xways question?

If I had to guess, I would guess something related to service quality metrics – the SCMData key they're in seems to point that way.

It is extremely dangerous to read meaning into random registry keys. It's like finding a Citrix installation with a registry entry named 'Password' in a Citrix-related key. If you think it is a password, you're wrong. (Yes, I did that once.)

SystemLastStartTime and SystemStartTime are probably related … but what do they relate to? The start of the computer system? The start of a SQM subsystem within the CMF system in Windows? Or something else?

You should, I think, be asking for research related to these keys. Until you know what it is, you can't discount the possibility that you'll get other people's guesses – just like mine above.

 
Posted : 06/04/2017 8:41 pm
Adam10541
(@adam10541)
Posts: 550
Honorable Member
Topic starter
 

I probably gave the wrong impression as it's clearly not an Xways issue (Original post edited to remove references to Xways), rather I just wanted to be clear that this was the tool I was using as I know from experience different tools represent the same information in different ways sometimes.

I've not noticed the CMF in registry keys before, but admittedly it's been a while since I needed to dig around in the registry files so no doubt I have some brushing up to do on the changes Win7 made to the registry.

> The start of a SQM subsystem within the CMF system

What is the CMF system you are referencing here?

 
Posted : 07/04/2017 6:47 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

> I probably gave the wrong impression as it's clearly not an Xways issue (Original post edited to remove references to Xways), rather I just wanted to be clear that this was the tool I was using as I know from experience different tools represent the same information in different ways sometimes.

Yep, it may be an X-Ways connected issue or it may be not.

I mean, what you posted is the output of X-Ways, i.e. those values are called what X-Ways calls them, right?

Which specific keys (as seen in regedit) are you talking about? (full Registry path, please)

It is entirely possible that X-Ways adopts a "friendly name" and another tool uses another one, or that some relevant article/paper uses yet another "name" for the same object.

jaclaz

 
Posted : 07/04/2017 4:27 pm
(@athulin)
Posts: 1156
Noble Member
 

> > The start of a SQM subsystem within the CMF system
>
> What is the CMF system you are referencing here?

I should have said 'a' CMF system. Because I have not a clue.

The registry values you mention (@Jaclaz: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CMF\SqmData seems a reasonable guess) suggest that Sqm may be a subsystem to CMF or in some way subordinate to something called CMF.

Sqm I've seen in relation to various Internet-based services, so I'm prepared to guess it's related to Service Quality Monitoring, which you can find general info about at the MSDN web site, where a number of relevant documents (API, SDK, etc.) can be found. I spent some time digging around those documents yesterday without finding anything useful.

However, CMF is not even on my map, so … something new, and possibly interesting. At first I thought it might be related to CEIP (Customer Experience something), but so far I have nothing that confirms that.

A number of fairly obvious things to look around for occur to me, but I'm fairly sure someone has already been doing this.

 
Posted : 07/04/2017 7:38 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

> Sqm I've seen in relation to various Internet-based services, so I'm prepared to guess it's related to Service Quality Monitoring, which you can find general info about at the MSDN web site, where a number of relevant documents (API, SDK, etc.) can be found. I spent some time digging around those documents yesterday without finding anything useful.

A loose piece of information is seemingly this one
https://news.microsoft.com/2006/03/09/qa-microsoft-announces-leadership-transition-in-windows-server-division/#X3f2R4FvkcxRRwsk.97

> Some of the other teams that report into me also develop parts of the server and work directly with customers and partners to gather feedback, which shapes the release. For instance, we have a tool called SQM [pronounced “skwim”], or Service Quality Monitor, which enables us to get online customer feedback as part of the release.

Now we know that the good MS guys pronounce SQM as "skwim" 😯 and that is about all the "useful" information they are going to give us.

But maybe, just maybe, SQM actually means Service Quality Metrics
https://msdn.microsoft.com/en-us/library/hh554414.aspx

(which possibly they pronounce "skw-eye-m")
http://www.imdb.com/title/tt0072431/quotes?item=qt0484647

jaclaz

 
Posted : 07/04/2017 8:41 pm