Ben Heymink

Software Developer - Javascript/Angular/node/C++/C#/MAPI/Outlook

Enterprise Vault – Determine archive range

There was a post the other day on the Symantec Connect forums, here where somebody was wandering if there was a way to get hold of the size of an archive. Whilst Enterprise Vault has a webpage that an administrator can navigate to in order to see this (usage.asp), there is no readily available means for an end-user to access this information. However, by utilizing some of the other web pages used for Vault Cache synchronization, we can obtain this information:

Step one:- Identify the web page we are interested in and what information (if any) the client sends up to the server

Using a freely available tool, Fiddler I performed a reset of a user’s Vault Cache then performed an initial synchronization whilst Fiddler monitored the web traffic. The web page we are after is the call the client makes to ‘GetVaultInformation.aspx’. Examining the request in Fiddler we can see that the client sends up a small amount of data with the request; an ‘action’ code and the users Archive ID:

Step 2:- replay the call using another users information

From here, it’s easy to wrap the same call into a little python script that can exercise that web page and report on the archive information: (Note I’m using Requests to handle the page request)

Running the script and adding the relevent user information, we get back the archive information we were after:

That’s it!

1 Comment

  1. Hello Ben,

    I have been searching the web for hours to see if I could find out what SEV Plug-in client was sending onto the URL.

    I have found your name on a forum and check out your web site, I hope you can help and I am going to make this as short as possible

    I need to catch the SEV call (the URL) then go the Exchange server using the URL arguments, to decrypt – if necessary – the email, then “replay” the URL to the right SEV Server to complete the archiving.

    Below a log from the SEV plug-in :

    What would be the SEARCH I need to do on the Exchange server side to retrieve the Email(s) that are to be archived ?

    I wonder, if the &PDL is used as some kind of “hidden” folder were all the email to be archived are referenced with a DATE=tsp ?

    === Trace ===
    03/12/2014 15:41:36.053[4200][M]: Desktop Setting: MAILBOXDN
    03/12/2014 15:41:36.053[4200][M]: Value: /o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=Mike Smith
    03/12/2014 15:41:36.053[4200][M]: Desktop Setting: SiteEntryId
    03/12/2014 15:41:36.053[4200][M]: Value: 1697AD1227CFE8B4EBF72639CB9A2A5B51d10000ev1
    03/12/2014 15:41:36.054[4200][M]: Sending HTTP request: http://ev1.evexample.local/EnterpriseVault/clientaction.asp?act=0&fdrenc=_&dn=/o%3dFirst%20Organization/ou%3dExchange%20Administrative%20Group%20(FYDIBOHF23SPDLT)/cn%3dRecipients/cn%3dMike%20Smith&svr=4e2a9508-24c2-4251-b5de-405d67448cd1@evexample.local&sid=1697AD1227CFE8B4EBF72639CB9A2A5B51d10000ev1&tsp=2014-12-03T15:41:35&pdl=AAAAAAAAGGBJHLKPKFMFNLEDJKLANLMEOAGPFGMAABAAGOCNBIHIOOBDAGEPLHJNGLBDFGKNGBHKAAAAAAAAAABGAAAA

    Once again Many thanks in advance

    Best regards,
    Laurent.

Leave a Reply

Your email address will not be published.

*

© 2017 Ben Heymink

Theme by Anders NorenUp ↑