Amcache vs SRUM: presence vs long-window resource usage

SRUM and Amcache are more different than Amcache and Prefetch are, and that is saying something. They overlap only in that both record "binaries that did something on this host". Beyond that they answer very different questions.

The headline:

SRUM records resource usage per application over 30-60 days. Amcache records presence with rich metadata, retained much longer.

What SRUM is#

The database backing the Windows System Resource Usage Monitor. It powers the "Data usage" and "Power usage" panes in Settings and lives at:

C:\Windows\System32\sru\SRUDB.dat

SRUDB.dat is an ESE database (same engine as Active Directory and Exchange) with multiple tables. The useful ones:

Table Contents
Application Resource Usage CPU time, working-set bytes, I/O per app per hour
Network Usage Bytes sent and received per app per hour
Push Notification Toast / push activity per app
Energy Estimation Power consumption estimates per app

Each row is bucketed by hour and per application (executable path or AppID). Continuously updated by the SRUM service and rolled up daily. Retention is build-dependent but usually 30-60 days.

The fundamental difference#

Property SRUM Amcache
Storage SRUDB.dat (ESE) Amcache.hve (registry hive)
Granularity Per-app, per-hour Per-file
Hash No Yes (SHA-1)
Full path Yes Yes
Publisher No Yes
Execution Yes (implicit if usage > 0) No (presence only)
CPU / network / I/O Yes No
When did it run Yes (hour buckets) No (only inventory time)
Retention 30-60 days Months to years
Timestamp granularity Hour Second
Parser SrumECmd AmcacheParser

The two are complementary. SRUM for resource usage. Amcache for presence and metadata.

When SRUM wins#

"How much network did this binary send?"#

Amcache cannot answer. SRUM gives you bytes-sent and bytes-received per application per hour. This is the artefact for data exfiltration investigations. Nothing else on the box answers it cleanly.

"Which applications ran in the last 30 days?"#

Amcache has no execution data. SRUM shows every application with non-zero CPU or I/O in its hour buckets, which means it ran at that hour.

"Did this binary use the network at a suspicious time?"#

SRUM is the only on-box artefact with per-hour per-app network activity. Cross-reference with VPN or firewall logs and you can identify exfiltration windows.

"What was the host's resource profile in the days before the incident?"#

SRUM is the closest thing Windows ships to an always-on performance recorder. CPU, network, or I/O spikes often point straight at attacker activity.

When Amcache wins#

"Was this binary present?"#

SRUM only records binaries that did something. Staged-but-never-run tools don't appear. Amcache catches them.

"What's the SHA-1?"#

SRUM does not hash. Amcache does. You need Amcache for VirusTotal or TI enrichment.

"Beyond the 30-60 day SRUM window"#

SRUM retention is short. Amcache routinely holds entries for months or years. Past ~60 days, Amcache is often the only thing with the data.

"Driver / device evidence"#

SRUM is about applications and resource usage. Amcache has dedicated InventoryDriverBinary and InventoryDeviceContainer schemas.

"Cross-host hunt by hash or ProgramId"#

SRUM has neither. Amcache has both. See Lateral movement and Amcache ProgramId pivoting.

The classic pairing#

Exfiltration investigations. The three-way join that makes the case:

  1. SRUM: find applications with anomalous network usage in the suspected exfil window. Rows showing gigabytes of bytes-sent for a binary that normally sends nothing.
  2. Amcache: take the binary's path or name and look up its Hash, Publisher, LinkDate, KeyLastWriteTimestamp. Now you have a content hash for VT and a first-seen approximation.
  3. Prefetch: confirm execution timestamps that align with the SRUM network spikes.

That join is the canonical Windows execution-evidence workflow for data-exfiltration cases. Each artefact answers one piece. None of them does it alone.

Decision table#

Your question SRUM Amcache
Was binary X on this host? Partial (only if used resources) Yes
What is binary X's SHA-1? No Yes
When did binary X first appear? Only if it used resources Yes
Did binary X use the network? Yes No
How many bytes did binary X send? Yes No
What was the host's CPU profile last week? Yes No
Long-window presence (>60 days)? No Yes
Driver / device evidence? No Yes
Cross-host hunt? No Yes

Further reading#

  • Mark Baggett, srum-dump and his SRUM research.
  • Eric Zimmerman, SrumECmd.
  • Yogesh Khatri's posts on SRUM internals at swiftforensics.com.

Related posts

Back to all posts