# What is SRUM (SRUDB.dat)? (glossary)
SRUM (System Resource Usage Monitor) is a Windows ESE database that records per-application resource usage — CPU, memory, network, push notifications, and energy — bucketed by hour. It lives at C:\Windows\System32\sru\SRUDB.dat and is maintained by the SRUM service to power the "Data usage" and "Power usage" panes in Windows Settings.
For DFIR, SRUM is the only Windows artefact with per-application network-byte totals, which makes it essential for data-exfiltration investigations.
## Key tables

| Table | Records |
|---|---|
| Application Resource Usage | CPU, working-set bytes, foreground time, I/O. |
| Network Usage | Bytes sent and received per application per hour. |
| Push Notification | Toast / push activity. |
| Energy Estimation | Power consumption estimates. |
Each row is keyed by application (executable path or AppID) and one-hour bucket.
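As an added example (not code from the original page, nor from SrumECmd or srum-dump): totalling the Network Usage table per executable path across its hourly buckets and flagging upload-heavy applications for review. The input is a constructed CSV in the shape of an SrumECmd NetworkUsages export; the column names Timestamp, ExeInfo, BytesSent and BytesReceived are assumed, so adjust them if your export differs.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows in the shape of an SrumECmd NetworkUsages CSV.
# Column names are assumed (Timestamp, ExeInfo, BytesSent, BytesReceived);
# one row per application per one-hour SRUM bucket.
SAMPLE_CSV = r"""Timestamp,ExeInfo,BytesSent,BytesReceived
2024-03-04 09:00:00,\Device\HarddiskVolume3\Program Files\Mozilla Firefox\firefox.exe,1200000,48000000
2024-03-04 10:00:00,\Device\HarddiskVolume3\Program Files\Mozilla Firefox\firefox.exe,900000,35000000
2024-03-04 02:00:00,\Device\HarddiskVolume3\Users\jdoe\AppData\Local\Temp\svchost.exe,750000000,120000
2024-03-04 03:00:00,\Device\HarddiskVolume3\Users\jdoe\AppData\Local\Temp\svchost.exe,680000000,98000
2024-03-04 09:00:00,\Device\HarddiskVolume3\Windows\System32\svchost.exe,3000000,21000000
"""


def summarise_network_usage(csv_text):
    """Total bytes per executable path across all hourly buckets.

    Returns {exe_path: {"sent", "received", "hours", "peak_hour"}}, where
    peak_hour is (bucket timestamp, bytes sent) for the busiest sending hour.
    """
    totals = defaultdict(lambda: {"sent": 0, "received": 0, "hours": 0,
                                  "peak_hour": ("", 0)})
    for row in csv.DictReader(io.StringIO(csv_text)):
        sent, received = int(row["BytesSent"]), int(row["BytesReceived"])
        t = totals[row["ExeInfo"]]          # SRUM keys rows by the full path
        t["sent"] += sent
        t["received"] += received
        t["hours"] += 1
        if sent > t["peak_hour"][1]:
            t["peak_hour"] = (row["Timestamp"], sent)
    return dict(totals)


def flag_exfil_candidates(totals, min_sent=100 * 1024 * 1024, min_ratio=5.0):
    """Executables that sent at least min_sent bytes and sent min_ratio times
    more than they received (upload-heavy, unlike browsing or updates).
    Returns [(exe_path, bytes_sent, sent_to_received_ratio, peak_hour)]."""
    flagged = []
    for exe, t in totals.items():
        ratio = t["sent"] / max(t["received"], 1)
        if t["sent"] >= min_sent and ratio >= min_ratio:
            flagged.append((exe, t["sent"], round(ratio, 1), t["peak_hour"][0]))
    return sorted(flagged, key=lambda f: f[1], reverse=True)


if __name__ == "__main__":
    for exe, sent, ratio, peak in flag_exfil_candidates(
            summarise_network_usage(SAMPLE_CSV)):
        print(f"{exe}\n  sent={sent:,} B  sent/recv={ratio}  peak bucket={peak}")
```

The two svchost.exe rows stay separate because SRUM keys on the full path, so a copy running from a user's Temp directory stands apart from the real one in System32, and its peak bucket points at the hour to line up against Prefetch and Amcache.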
## SRUM vs Amcache

| | SRUM | Amcache |
|---|---|---|
| Storage | SRUDB.dat (ESE) | Amcache.hve (registry hive) |
| Granularity | Per-app, per-hour | Per-file |
| Records hash? | No | Yes (SHA-1) |
| Records execution? | Yes, implicitly | No (presence only) |
| Records network bytes? | Yes | No |
| Retention | 30–60 days | Months to years |
| Bucketing | Hour | Second (key write times) |
They are complementary, not overlapping. The classic pairing: SRUM identifies suspicious network activity per binary; Amcache identifies the binary's hash and metadata; Prefetch confirms exact execution times. All three together give you the full picture of a data-exfiltration intrusion.
For full coverage, see Amcache vs SRUM.
## When SRUM wins
- "How much did this binary send over the network?" — SRUM is the only Windows artefact with this answer.
- "Which apps used the CPU last week?" — SRUM has hourly buckets.
- "What was the host's resource profile around the incident?" — SRUM is the closest Windows ships to an always-on performance recorder.
## Parsing tools
- SrumECmd (Eric Zimmerman) — produces structured CSVs per table.
- srum-dump (Mark Baggett) — produces colour-coded Excel workbooks. Excellent for stakeholder briefings.
## Related terms
- Amcache.hve — the presence-evidence artefact.
- Prefetch — execution-evidence.
- ShimCache — kernel-side loader cache.