SRUM

Overview

Evidence: SRUM
Description: Collect SRUM and Parse
Category: Process Execution
Platform: Windows
Short Name: srum
Is Parsed: Yes - ESE database is parsed into structured tables
Sent to Investigation Hub: Yes
Collect File(s): No

Background

The System Resource Usage Monitor (SRUM) is a Windows feature introduced in Windows 8 that tracks application resource usage, network data consumption, and energy usage over time. The data is stored in an ESE database at C:\Windows\System32\SRU\SRUDB.dat.

SRUM provides historical information about application execution, network usage per application, and user activity patterns. This data persists for up to 60 days (configurable) and survives reboots.

Data Collected

Application Resource Usage

Field                         | Description                          | Example
------------------------------|--------------------------------------|-----------------------------------
AutoInc                       | Auto-increment ID                    | 1
Timestamp                     | Time of the resource usage sample    | 2023-10-15T14:30:00
ApplicationName               | Path to application                  | C:\Program Files\Chrome\chrome.exe
UserSID                       | User security identifier             | S-1-5-21-...
Username                      | User name resolved from the SID      | DOMAIN\user
ForegroundCycleTime           | CPU time in foreground               | 12345678
BackgroundCycleTime           | CPU time in background               | 5678901
FaceTime                      | Time application was in focus        | 3600000
ForegroundContextSwitches     | Context switches while foreground    | 1234
BackgroundContextSwitches     | Context switches while background    | 5678
ForegroundBytesRead           | Bytes read in foreground             | 1048576
ForegroundBytesWritten        | Bytes written in foreground          | 524288
ForegroundNumReadOperations   | Read operations in foreground        | 100
ForegroundNumWriteOperations  | Write operations in foreground       | 50
ForegroundNumberOfFlushes     | Flush operations in foreground       | 10
BackgroundBytesRead           | Bytes read in background             | 2097152
BackgroundBytesWritten        | Bytes written in background          | 1048576
BackgroundNumReadOperations   | Read operations in background        | 200
BackgroundNumWriteOperations  | Write operations in background       | 100
BackgroundNumberOfFlushes     | Flush operations in background       | 20

Network Data Usage

Field            | Description                        | Example
-----------------|------------------------------------|-----------------------------------
AutoInc          | Auto-increment ID                  | 1
Timestamp        | Time of the network usage sample   | 2023-10-15T14:30:00
ApplicationName  | Path to application                | C:\Program Files\Chrome\chrome.exe
UserSID          | User security identifier           | S-1-5-21-...
Username         | User name resolved from the SID    | DOMAIN\user
InterfaceLuid    | Network interface LUID             | 123456789
ProfileID        | Network profile identifier         | 1
ProfileFlags     | Profile flags                      | 0
BytesSent        | Bytes sent over network            | 10485760
BytesRecvd       | Bytes received over network        | 52428800

Collection Method

This collector:

  • Collects the SRUM database: Windows\System32\SRU\SRUDB.dat

  • Uses the libesedb library to parse the ESE database format

  • Extracts application resource usage records

  • Extracts network data usage records

  • Resolves SIDs to usernames

Usage

SRUM provides unique historical visibility into application behavior and network usage patterns. Investigators use this data to establish application execution timelines (up to 60 days), identify data exfiltration volumes, track network usage per application, detect unauthorized application usage, correlate user activity with network traffic, identify resource-intensive malware, and establish baseline application behavior.
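The SID resolution from the collection steps and the per-application outbound-volume triage described above, as an added example that is not the collector's own code: it decodes binary SIDs in the standard Windows layout, maps them to names through a constructed lookup, and sums BytesSent/BytesRecvd per user and application over constructed Network Data Usage rows. The SID-to-name map, the sample rows and the thresholds are assumptions chosen for illustration.

```python
import struct
from collections import defaultdict

def sid_bytes_to_string(blob: bytes) -> str:
    """Decode a binary SID: revision (1 byte), sub-authority count (1 byte),
    48-bit big-endian identifier authority, then 32-bit little-endian sub-authorities."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

# Constructed SID-to-name map (hypothetical values standing in for the collector's resolution step)
SID_NAMES = {"S-1-5-21-1000-2000-3000-1001": "CORP\\alice", "S-1-5-18": "NT AUTHORITY\\SYSTEM"}

def _sid(*subs):
    """Build a binary SID under authority 5 (NT) for the constructed sample rows."""
    return bytes([1, len(subs)]) + (5).to_bytes(6, "big") + b"".join(struct.pack("<I", s) for s in subs)

# Constructed Network Data Usage rows in the shape of the parsed table (not real SRUM data)
SAMPLE_ROWS = [
    {"Timestamp": "2023-10-15T14:00:00", "ApplicationName": r"C:\Program Files\Chrome\chrome.exe",
     "UserSID": _sid(21, 1000, 2000, 3000, 1001), "BytesSent": 2_000_000, "BytesRecvd": 50_000_000},
    {"Timestamp": "2023-10-15T15:00:00", "ApplicationName": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "UserSID": _sid(21, 1000, 2000, 3000, 1001), "BytesSent": 900_000_000, "BytesRecvd": 1_500_000},
    {"Timestamp": "2023-10-15T16:00:00", "ApplicationName": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "UserSID": _sid(21, 1000, 2000, 3000, 1001), "BytesSent": 700_000_000, "BytesRecvd": 1_000_000},
    {"Timestamp": "2023-10-15T16:00:00", "ApplicationName": r"C:\Windows\System32\svchost.exe",
     "UserSID": _sid(18), "BytesSent": 3_000_000, "BytesRecvd": 40_000_000},
]

def summarize_outbound(rows, sent_threshold=500 * 1024 * 1024, upload_ratio=5.0):
    """Sum bytes per (user, application) and flag totals that are both large and upload-heavy."""
    totals = defaultdict(lambda: {"sent": 0, "recvd": 0, "samples": 0})
    for r in rows:
        sid = sid_bytes_to_string(r["UserSID"])
        key = (SID_NAMES.get(sid, sid), r["ApplicationName"])  # fall back to the raw SID string
        t = totals[key]
        t["sent"] += r["BytesSent"]; t["recvd"] += r["BytesRecvd"]; t["samples"] += 1
    flagged = []
    for (user, app), t in totals.items():
        ratio = t["sent"] / max(t["recvd"], 1)  # guard against a zero-receive sample
        if t["sent"] >= sent_threshold and ratio >= upload_ratio:
            flagged.append((user, app, t["sent"], round(ratio, 1)))
    return dict(totals), sorted(flagged, key=lambda f: -f[2])

if __name__ == "__main__":
    for user, app, sent, ratio in summarize_outbound(SAMPLE_ROWS)[1]:
        print(f"{user}\t{app}\tsent={sent}\tsent/recvd={ratio}")
```

Because SRUM aggregates network counters per sampling interval, the ratio is computed on totals across the window rather than per row, so a single large upload split over several samples is still visible.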

Known Limitations

  • Only available on Windows 8 and later

  • Data retention typically 30-60 days

  • Database may be locked by SRUM service

  • Some applications may not be tracked accurately

  • Network data aggregated by time intervals

Notes

SRUM is particularly valuable because it provides historical data that other artifacts may not preserve. The network usage data can reveal data exfiltration even if network logs are not available.
