Hello,
So, recently I stumbled across the above tool and though you may not think it's a pure forensic tool by name, I do think that it does come in handy.
I am aware that it may not be such a good tool to run on a live system, but once you run the MPS Reporting tool you will find how much there is you can find out about the system and its settings, of course in combination with other tools out there.
I'm merely writing to gather other comments about the MPS Reporting Tool.
Cheers,
Nick
For those who may be interested in trying the tool(s) mentioned above, it is from MS, and a KB article can be found here
http//
A version for MS SQL can be found here
http//
The "MPS" apparently stands for "Microsoft Product Support Services", as the package is intended to be used to provide information for the PSS folks to help you diagnose reported issues. The package apparently produces a compressed CAB file as its output…wonder if there is a parser or reader available.
Anyway, without more info from the OP, I can only hope that this is the tool they were referring to…
Ok, well, I should have been clearer about the tool.
Now that we are on this subject, here is the MPS Tool if you are running Windows Vista.
Very good one and worth reviewing for anyone interested in seeing what data one can pull out with little effort.
Cheers,
Nick
Nick,
Is there a link missing from your posts?
> Very good one and worth reviewing for anyone interested in seeing what
> data one can pull out with little effort.
You may not be aware, but there are hundreds of tools out there like this already, as batch files and .vbs scripts. The Windows Forensic Toolkit is one, SilentRunner.vbs is but another.
However, the big difference is
"The computer has approximately 100 megabytes (MB) of free hard disk space.
Approximately 5 MB or less of hard disk space is required for the utility and the report tools, and approximately 10 MB or more of hard disk space is required for runtime, depending on the size of the event log files. The larger the event log files, the more free hard disk space is required (up to a maximum of approximately 200 MB of hard disk space)."
15MB of free disk space? I can't run this from a CD or thumb drive? That's a LOT of unallocated space that will be lost, and as the purists like to say, "a lot of evidence that will be overwritten".
There is still the issue of the output, as well…if the finished product is a compressed CAB, is there a viewer available?
> There is still the issue of the output, as well…if the finished product is a compressed CAB, is there a viewer available?
Microsoft have a CabView utility available that allows looking inside the compressed format - however it seems pretty ancient …
http//
CAB "viewing" is built into later versions of Windows as well … (XP and Vista at any rate … )
http//
Obviously, this doesn't actually solve the issue of getting useful data from the contents, parsing or processing in any way shape or form …
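Azrael's distinction between "viewing" a CAB and actually parsing its contents is one an examiner can partly settle offline: the cabinet format is documented, so a short header parser will say whether a given output file is a standard MSCF cabinet, what compression its folders use, and what it claims to contain, without extracting anything. This is an added example, not code from the thread or from Microsoft; `list_cab`, `is_cabinet` and `build_sample_cab` are names chosen here, and the sample cabinet is constructed in memory for the demonstration.

```python
import struct

# CFHEADER flag bits and folder compression types from the MS cabinet format spec
PREV_CABINET, NEXT_CABINET, RESERVE_PRESENT = 0x1, 0x2, 0x4
COMPRESSION = {0: "none", 1: "MSZIP", 2: "Quantum", 3: "LZX"}


def _cstring(buf, off):
    """Read a NUL-terminated string at off; return (text, offset past the NUL)."""
    end = buf.index(b"\x00", off)
    return buf[off:end].decode("latin-1"), end + 1


def list_cab(buf):
    """Parse CFHEADER/CFFOLDER/CFFILE and list entries; raise ValueError if not a cabinet."""
    if buf[:4] != b"MSCF":
        raise ValueError("not a cabinet: missing MSCF signature")
    (cb_cabinet, coff_files, ver_minor, ver_major,
     c_folders, c_files, flags) = struct.unpack_from("<4xI4xI4xBBHHH", buf, 4)
    if (ver_major, ver_minor) != (1, 3):
        raise ValueError(f"unexpected cabinet version {ver_major}.{ver_minor}")
    off, cb_cffolder = 36, 0          # fixed CFHEADER is 36 bytes
    if flags & RESERVE_PRESENT:       # optional per-header/folder/data reserve sizes
        cb_cfheader, cb_cffolder, _ = struct.unpack_from("<HBB", buf, off)
        off += 4 + cb_cfheader
    n_strings = 2 * bool(flags & PREV_CABINET) + 2 * bool(flags & NEXT_CABINET)
    for _ in range(n_strings):        # szCabinetPrev/szDiskPrev, szCabinetNext/szDiskNext
        _, off = _cstring(buf, off)
    folders = []
    for _ in range(c_folders):
        _, _, type_compress = struct.unpack_from("<IHH", buf, off)
        folders.append(COMPRESSION.get(type_compress & 0xF, "unknown"))
        off += 8 + cb_cffolder
    files, off = [], coff_files
    for _ in range(c_files):
        cb_file, _, i_folder = struct.unpack_from("<IIH", buf, off)
        name, off = _cstring(buf, off + 16)   # 16-byte fixed part, then szName
        comp = folders[i_folder] if i_folder < len(folders) else "continued"
        files.append((name, cb_file, comp))
    return {"cabinet_size": cb_cabinet, "folders": folders, "files": files}


def is_cabinet(buf):
    """Quick 'is this a normal CAB?' check: True only if the header parses cleanly."""
    try:
        list_cab(buf)
        return True
    except (ValueError, struct.error, IndexError):
        return False


def build_sample_cab(name=b"report.txt", data=b"hello world"):
    """Constructed test data: a minimal single-file, uncompressed cabinet."""
    cffile = struct.pack("<IIHHHH", len(data), 0, 0, 0, 0, 0x20) + name + b"\x00"
    coff_files = 36 + 8                               # header + one CFFOLDER
    coff_data = coff_files + len(cffile)
    cfdata = struct.pack("<IHH", 0, len(data), len(data)) + data   # csum 0 = unchecked
    total = coff_data + len(cfdata)
    header = b"MSCF" + struct.pack("<IIIIIBBHHHHH", 0, total, 0, coff_files, 0,
                                   3, 1, 1, 1, 0, 0, 0)
    return header + struct.pack("<IHH", coff_data, 1, 0) + cffile + cfdata
```

Run `list_cab(open(path, "rb").read())` on a real MPS report to see its folder compression and file names before deciding which extractor to use.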
Azrael,
So you've run the MPS tool and tested the CAB viewer with the output?
> Azrael,
> So you've run the MPS tool and tested the CAB viewer with the output?
No, I've only got my Mac with me today - so sadly I can't. To be honest, I don't think that it is really a particularly valuable forensic tool given the footprint and that other tools, your scripts included in that, appear to give as much, nay more, information than it does with far less impact on the system.
However, I have, when I was younger ;-), used the CabViewer as part of Visual Studio, and I have, very recently, verified that XP at least will open a CAB file …
It seems to me to be logical that an MS product, using an MS format, will be opened by an MS product using an MS format …
Then again, this is MS we are discussing, so that may be a logical step too far …
Am I to assume from your response that it isn't a "normal" CAB file? And that it isn't openable by standard MS utilities? I ask only as I can't verify this immediately myself …
> Am I to assume from your response that it isn't a "normal" CAB file?
No, I never said that and took efforts to not imply that, either. I was simply asking if you had had an opportunity to try the solution you recommended…were you recommending it based on your own personal experience, or suggesting it without having tried it…that's all.