
SRUM


Last updated 1 year ago

Windows DFIR notes are no longer maintained on InfoSec-Notes. Updated versions can be found on artefacts.help.

Overview

Introduced in Windows 8.

Location:

  • SRUM database: %SystemRoot%\System32\SRU\SRUDB.dat.

  • (Optional) SOFTWARE (%SystemRoot%\System32\config\SOFTWARE) registry hive to translate some information in the database (user SID to username and network interfaces information notably).

The SRUM database yields information related to system usage, including program execution and the network usage of executed programs. Only historical data for the last 30 to 60 days is retained in the SRUM database.

Entries are not associated with the timestamp of the activity they describe but with the timestamp of their insertion in the SRUM database. As entries are only written to the SRUM database every hour, timestamps are precise to the hour at best, and multiple entries usually share the same insertion timestamp.

The System Resource Usage Monitor (SRUM) is a feature that records numerous metrics of system activity. Among the various information stored, the following tables hold the data most commonly valuable for forensic investigations:

  • Application Resource Usage table (GUID {D10CA2FE-6FCF-4F6D-848E-B2E99266FA89}), that tracks programs execution. For each entry in the Application Resource Usage table (SrumECmd's AppResourceUseInfo output), the following information may be recorded:

    • Timestamp of the SRUM entry creation.

    • Full path of the executable or application information / description for built-in components.

    • User SID of the user executing the process.

    • Metrics on CPU usage (CPU time in foreground and background).

    • Metrics on I/O operations (foreground / background number of read / write operations and bytes read / written).

  • App Timeline Provider table (GUID {5C8CF1C7-7257-4F13-B223-970EF5939312}), that also tracks programs execution. For each entry in the App Timeline Provider table (SrumECmd's AppTimelineProvider output), the following information may be recorded:

    • Timestamp of the SRUM entry creation.

    • Name of the executable and description for built-in components.

    • Timestamp of compilation of the executable.

    • User SID of the user executing the process.

    • Timestamp of seemingly approximate end of execution.

    • Total duration of execution (in milliseconds).

  • Network Data Usage table (GUID {973F5D5C-1D90-4944-BE8E-24B94231A174}), that tracks programs execution and network usage of the executed programs. For each entry in the Network Data Usage table (SrumECmd's NetworkUsages output), the following information may be recorded:

    • Timestamp of the SRUM entry creation.

    • Full path of the executable or application information / description for built-in components.

    • Metrics on network data usage (bytes sent and received on a given network interface).

Some of the information recorded in the SRUM database can be viewed using the Windows Task Manager ("App history" tab).

Parsing

Repairing the SRUDB.dat database

As the copied SRUM database will likely not be in a "clean state", the database will have to be repaired before parsing. This can be accomplished using the esentutl utility. It is recommended to make a copy of the SRU directory before repairing the database, as the repair modifies the files in place.

# The following commands should be executed in the directory containing the SRUM database files (SRUDB.dat and its transaction logs).

# Recovery: replay the transaction logs (base name "sru") into the database, ignoring missing databases.
esentutl.exe /r sru /i

# Repair: fix the database if the recovery step leaves it in an inconsistent state.
esentutl.exe /p SRUDB.dat

SrumECmd

The SrumECmd utility (KAPE's SrumECmd module) can parse and extract information from the SRUDB.dat database, and correlate it with information from the SOFTWARE registry hive (user SID to username and network interface details).

# Parses the specified SRUM database, using the optionally provided SOFTWARE registry hive.
SrumECmd.exe -f <SRUDB.dat | SRUM_DB_FILE> [-r <SOFTWARE>] --csv <OUTPUT_DIRECTORY>

# Recursively look for SRUDB.dat and SOFTWARE files in the specified directory.
SrumECmd.exe -d <DIRECTORY> --csv <OUTPUT_DIRECTORY>
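Once SrumECmd has produced its CSV exports, the Network Data Usage rows are usually triaged by summing bytes sent per program and user, keeping in mind the hourly-insertion caveat described in the overview. The script below is an added example (not SrumECmd's or the notes' own code); the column names Timestamp, ExeInfo, Sid, BytesSent and BytesReceived are an assumption to be mapped onto the actual headers of the export, and the sample rows are constructed.

```python
"""Triage SRUM Network Data Usage rows exported as CSV (e.g. by SrumECmd).

The column names used here are an assumption for this example; map them
to the actual headers of your export. The sample rows are constructed."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamps are the hourly SRUM insertion times, not
# the moment the traffic actually happened.
SAMPLE_CSV = """Timestamp,ExeInfo,Sid,BytesSent,BytesReceived
2023-05-02 13:00:00,C:\\Windows\\System32\\svchost.exe,S-1-5-18,1200,51000
2023-05-02 13:00:00,C:\\Users\\bob\\AppData\\Local\\Temp\\upd.exe,S-1-5-21-1-2-3-1001,734003200,4096
2023-05-02 14:00:00,C:\\Users\\bob\\AppData\\Local\\Temp\\upd.exe,S-1-5-21-1-2-3-1001,268435456,2048
2023-05-02 14:00:00,C:\\Program Files\\Mozilla Firefox\\firefox.exe,S-1-5-21-1-2-3-1001,90000,4500000
"""

def load_rows(text):
    """Parse the CSV into dicts with a typed timestamp and integer byte counters."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "inserted": datetime.strptime(r["Timestamp"], "%Y-%m-%d %H:%M:%S"),
            "exe": r["ExeInfo"],
            "sid": r["Sid"],
            "sent": int(r["BytesSent"]),
            "received": int(r["BytesReceived"]),
        })
    return rows

def occurrence_window(inserted, period=timedelta(hours=1)):
    """SRUM flushes roughly every hour, so the activity behind an entry took
    place at some point in the period preceding its insertion timestamp."""
    return inserted - period, inserted

def bytes_per_program(rows):
    """Total bytes sent/received per (executable, user SID), largest senders
    first, so unexpected uploaders stand out during triage."""
    totals = defaultdict(lambda: [0, 0])
    for r in rows:
        totals[(r["exe"], r["sid"])][0] += r["sent"]
        totals[(r["exe"], r["sid"])][1] += r["received"]
    return sorted(((k, v[0], v[1]) for k, v in totals.items()),
                  key=lambda t: t[1], reverse=True)

if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    for (exe, sid), sent, recv in bytes_per_program(rows):
        print(f"{sent:>12} sent {recv:>10} recv  {sid}  {exe}")
    start, end = occurrence_window(rows[0]["inserted"])
    print(f"first entry covers activity between {start} and {end}")
```

The user SID can then be resolved with the UserName column SrumECmd adds when the SOFTWARE hive is supplied, or manually from the hive's ProfileList key.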

References

https://isc.sans.edu/forums/diary/System+Resource+Utilization+Monitor/21927/

https://www.youtube.com/watch?v=Uw8n4_o-ETM

More information on the tables in the SRUM database is referenced in the srum-dump project's mapping file.