Amcache vs SRUM: presence vs long-window resource usage
SRUM and Amcache are more different than Amcache and Prefetch are, and that is saying something. They overlap only in that both record "binaries that did something on this host". Beyond that they answer very different questions.
The headline:
SRUM records resource usage per application over 30-60 days. Amcache records presence with rich metadata, retained much longer.
What SRUM is#
The database backing the Windows System Resource Usage Monitor. It powers the "Data usage" and "Power usage" panes in Settings and lives at:
C:\Windows\System32\sru\SRUDB.dat
SRUDB.dat is an ESE database (same engine as Active Directory and Exchange) with multiple tables. The useful ones:
| Table | Contents |
|---|---|
| Application Resource Usage | CPU time, working-set bytes, I/O per app per hour |
| Network Usage | Bytes sent and received per app per hour |
| Push Notification | Toast / push activity per app |
| Energy Estimation | Power consumption estimates per app |
Each row is bucketed by hour and per application (executable path or AppID). Continuously updated by the SRUM service and rolled up daily. Retention is build-dependent but usually 30-60 days.
The fundamental difference#
| Property | SRUM | Amcache |
|---|---|---|
| Storage | SRUDB.dat (ESE) |
Amcache.hve (registry hive) |
| Granularity | Per-app, per-hour | Per-file |
| Hash | No | Yes (SHA-1) |
| Full path | Yes | Yes |
| Publisher | No | Yes |
| Execution | Yes (implicit if usage > 0) | No (presence only) |
| CPU / network / I/O | Yes | No |
| When did it run | Yes (hour buckets) | No (only inventory time) |
| Retention | 30-60 days | Months to years |
| Timestamp granularity | Hour | Second |
| Parser | SrumECmd | AmcacheParser |
The two are complementary. SRUM for resource usage. Amcache for presence and metadata.
When SRUM wins#
"How much network did this binary send?"#
Amcache cannot answer. SRUM gives you bytes-sent and bytes-received per application per hour. This is the artefact for data exfiltration investigations. Nothing else on the box answers it cleanly.
"Which applications ran in the last 30 days?"#
Amcache has no execution data. SRUM shows every application with non-zero CPU or I/O in its hour buckets, which means it ran at that hour.
"Did this binary use the network at a suspicious time?"#
SRUM is the only on-box artefact with per-hour per-app network activity. Cross-reference with VPN or firewall logs and you can identify exfiltration windows.
"What was the host's resource profile in the days before the incident?"#
SRUM is the closest thing Windows ships to an always-on performance recorder. CPU, network, or I/O spikes often point straight at attacker activity.
When Amcache wins#
"Was this binary present?"#
SRUM only records binaries that did something. Staged-but-never-run tools don't appear. Amcache catches them.
"What's the SHA-1?"#
SRUM does not hash. Amcache does. You need Amcache for VirusTotal or TI enrichment.
"Beyond the 30-60 day SRUM window"#
SRUM retention is short. Amcache routinely holds entries for months or years. Past ~60 days, Amcache is often the only thing with the data.
"Driver / device evidence"#
SRUM is about applications and resource usage. Amcache has dedicated InventoryDriverBinary and InventoryDeviceContainer schemas.
"Cross-host hunt by hash or ProgramId"#
SRUM has neither. Amcache has both. See Lateral movement and Amcache ProgramId pivoting.
The classic pairing#
Exfiltration investigations. The three-way join that makes the case:
- SRUM: find applications with anomalous network usage in the suspected exfil window. Rows showing gigabytes of bytes-sent for a binary that normally sends nothing.
- Amcache: take the binary's path or name and look up its
Hash,Publisher,LinkDate,KeyLastWriteTimestamp. Now you have a content hash for VT and a first-seen approximation. - Prefetch: confirm execution timestamps that align with the SRUM network spikes.
That join is the canonical Windows execution-evidence workflow for data-exfiltration cases. Each artefact answers one piece. None of them does it alone.
Decision table#
| Your question | SRUM | Amcache |
|---|---|---|
| Was binary X on this host? | Partial (only if used resources) | Yes |
| What is binary X's SHA-1? | No | Yes |
| When did binary X first appear? | Only if it used resources | Yes |
| Did binary X use the network? | Yes | No |
| How many bytes did binary X send? | Yes | No |
| What was the host's CPU profile last week? | Yes | No |
| Long-window presence (>60 days)? | No | Yes |
| Driver / device evidence? | No | Yes |
| Cross-host hunt? | No | Yes |
Further reading#
- Mark Baggett, srum-dump and his SRUM research.
- Eric Zimmerman, SrumECmd.
- Yogesh Khatri's posts on SRUM internals at swiftforensics.com.
Related#
Related posts
- Amcache vs Prefetch: what each one really proves
Amcache records presence. Prefetch records execution. Where they overlap, they corroborate. Where they diverge, the divergence is the finding.
- Amcache parsers compared: AmcacheParser CLI, browser tool, Volatility, RegRipper
Four mature parsers for Amcache.hve. Same hive, different workflows. The decision rule comes down to install footprint, batchability, and where each one wins.
- Volatility and Amcache: extracting the hive from memory images
When you only have a RAM dump, Volatility extracts the in-memory copy of Amcache.hve. Hand off to AmcacheParser. The cases where this is the only option.
- RegRipper amcache plugin: what it does and when to use it
RegRipper's amcache plugin produces a plain-text Amcache report. Useful when you're already running RegRipper across other hives or need narrative output. Use AmcacheParser when you need CSV.