What is SRUM (SRUDB.dat)? (glossary)

SRUM is the ESE database that records per-application resource usage on Windows. CPU time, working set, network bytes, push notifications, energy estimates. One row per application per hour. Retention runs about 30-60 days. It powers the "Data usage" and "Power usage" panes that nobody looks at except DFIR.

For incident response, the killer feature is the per-application network byte counters. SRUM is the only on-box artefact that tells you how much an individual binary sent or received. If you are working an exfiltration case and you do not check SRUM, you are leaving evidence on the table.

The tables that matter#

Table What it carries
Application Resource Usage CPU time, working-set bytes, foreground time, I/O.
Network Usage Bytes sent and received per app per hour.
Push Notification Toast and push activity.
Energy Estimation Power consumption estimates.

Each row is keyed by application path (or AppID) and a one-hour bucket.

SRUM vs Amcache#

SRUM Amcache
Storage SRUDB.dat (ESE) Amcache.hve (registry hive)
Granularity Per-app, per-hour Per-file
Records hash No Yes
Records execution Implicitly (non-zero usage means it ran) No, presence only
Records network bytes Yes No
Retention 30-60 days Months to years
Time precision One hour Seconds (key write times)

They are complementary, not overlapping. The canonical pairing: SRUM tells you a binary sent gigabytes between 14:00 and 17:00, Amcache tells you what the binary actually is (hash, publisher, link date), Prefetch gives you the exact run times that line up with the SRUM buckets. Three artefacts, full picture.

For the full comparison, see Amcache vs SRUM.

When SRUM is the right artefact#

  • "How much network did this binary send?" Nothing else on Windows answers this cleanly.
  • "Which apps used the CPU last week, by hour?" SRUM is the closest thing Windows ships to an always-on performance recorder.
  • "What does the host's resource profile look like around the incident window?" Spikes in CPU or network usage often point straight at attacker activity.

Parsing#

  • SrumECmd (Eric Zimmerman). Structured CSV per table.
  • srum-dump (Mark Baggett). Colour-coded Excel.

Related posts

Back to all posts