With the rapid development of Internet, many personalized services also rise and bring many business opportunities. In addition to leveraging personalized service recommendation in e-commerce, the demand of personalized services also appear in personalized e-learning applications. Though there are many academic literatures and mechanisms about how do we access and identify user's action behaviors, still this information is not enough to give the details of user's operating behavior to be used to provide personalized services. To overcome this shortcoming, in this paper, we present a method to capture the users operating behaviors in Windows environments. We name it the Experimental Status Feedback Mechanism (ESFM). We apply the ECSM in the Cloud Security Experimental Platform (CSEP) which is an e-learning platform for exercising network security attacks and defenses and supports interactive teaching. As ESFM could capture user's action when they do either mouse or keyboard operations on the virtual machine, it will send the captured information to the CSEP server which in turn will presents appropriate steps for users to continue the security exercise. Our experiments showed that the overhead of ESFM is acceptable in the CSEP interactive learning environment and better than the traditional user state capture mechanisms, like Sikuli.