What is SRUM (SRUDB.dat)? (glossary)
SRUM is the ESE database that records per-application resource usage on Windows. CPU time, working set, network bytes, push notifications, energy estimates. One row per application per hour. Retention runs about 30-60 days. It powers the "Data usage" and "Power usage" panes that nobody looks at except DFIR.
For incident response, the killer feature is the per-application network byte counters. SRUM is the only on-box artefact that tells you how much an individual binary sent or received. If you are working an exfiltration case and you do not check SRUM, you are leaving evidence on the table.
The tables that matter#
| Table | What it carries |
|---|---|
Application Resource Usage |
CPU time, working-set bytes, foreground time, I/O. |
Network Usage |
Bytes sent and received per app per hour. |
Push Notification |
Toast and push activity. |
Energy Estimation |
Power consumption estimates. |
Each row is keyed by application path (or AppID) and a one-hour bucket.
SRUM vs Amcache#
| SRUM | Amcache | |
|---|---|---|
| Storage | SRUDB.dat (ESE) |
Amcache.hve (registry hive) |
| Granularity | Per-app, per-hour | Per-file |
| Records hash | No | Yes |
| Records execution | Implicitly (non-zero usage means it ran) | No, presence only |
| Records network bytes | Yes | No |
| Retention | 30-60 days | Months to years |
| Time precision | One hour | Seconds (key write times) |
They are complementary, not overlapping. The canonical pairing: SRUM tells you a binary sent gigabytes between 14:00 and 17:00, Amcache tells you what the binary actually is (hash, publisher, link date), Prefetch gives you the exact run times that line up with the SRUM buckets. Three artefacts, full picture.
For the full comparison, see Amcache vs SRUM.
When SRUM is the right artefact#
- "How much network did this binary send?" Nothing else on Windows answers this cleanly.
- "Which apps used the CPU last week, by hour?" SRUM is the closest thing Windows ships to an always-on performance recorder.
- "What does the host's resource profile look like around the incident window?" Spikes in CPU or network usage often point straight at attacker activity.
Parsing#
- SrumECmd (Eric Zimmerman). Structured CSV per table.
- srum-dump (Mark Baggett). Colour-coded Excel.
Related terms#
Related posts
- What is Windows Prefetch? (glossary)
Windows Prefetch is the directory of .pf files that proves execution. Up to 8-10 run times per binary plus the files loaded in the first ten seconds. The strongest Windows execution evidence.
- What is Shimcache (AppCompatCache)? (glossary)
Shimcache is the kernel-maintained loader cache in the SYSTEM hive. 1024 entries, no hash, stale until reboot. Different from Amcache; pair them.
- What is Amcache ProgramId? (glossary)
ProgramId is the 44-character application-identity hash Amcache stores. Stable across hosts for the same install. Catches re-compiles and renames where Hash misses.
- What is LinkDate in Amcache? (glossary)
LinkDate is the PE TimeDateStamp. Attacker-controllable. Use it for build clustering, not for host timelines.