# SRUM

**Windows DFIR notes are no longer maintained on InfoSec-Notes. Updated versions can be found on:** [**artefacts.help**](https://artefacts.help/)**.**

### Overview

Introduced in Windows 8.

Location:

* `SRUM` database: `%SystemRoot%\System32\SRU\SRUDB.dat`.
* (Optional) `SOFTWARE` (`%SystemRoot%\System32\config\SOFTWARE`) registry hive to translate some information in the database (user `SID` to username and network interfaces information notably).

Yield information related to the system usage, including **programs execution** and **executed programs' network usage**. **Historical data only for the last 30 to 60 days** is stored in the `SRUM` database.

Entries are not associated with their timestamp of occurrence but with the timestamp of insertion in the `SRUM` database. As entries are only written to the `SRUM` database every hour, timestamps are thus precise to the hour (with multiple entries usually sharing the same insertion timestamp).

The `System Resource Usage Monitor (SRUM)` is a feature that records numerous metrics of system activities. Among the various information stored, the following two tables hold the most commonly valuable data for forensics investigations:

* `Application Resource Usage` table (GUID `{D10CA2FE-6FCF-4F6D-848E-B2E99266FA89}`), that tracks programs execution. For each entry in the `Application Resource Usage` table (`SrumECmd`'s `AppResourceUseInfo` output), the following information may be recorded:
  * Timestamp of the `SRUM` entry creation.
  * Full path of the executable or application information / description for built-in components.
  * User `SID` of the user executing the process.
  * Metrics on CPU usage (CPU time in foreground and background).
  * Metrics on I/O operations (foreground / background number of read / write operations and bytes read / written).
* `App Timeline Provider` table (GUID `{5C8CF1C7-7257-4F13-B223-970EF5939312}`), that also tracks programs execution. For each entry in the `Application Resource Usage` table (`SrumECmd`'s `AppTimelineProvider` output), the following information may be recorded:
  * Timestamp of the `SRUM` entry creation.
  * Name of the executable and description for built-in components.
  * Timestamp of compilation of the executable.
  * User `SID` of the user executing the process.
  * Timestamp of seemingly approximate end of execution.
  * Total duration of execution (in milliseconds).
* `Network Data Usage` table (GUID `{973F5D5C-1D90-4944-BE8E-24B94231A174}`), that tracks programs execution and network usage of the executed programs. For each entry in the `Network Data Usage` table (`SrumECmd`'s `NetworkUsages` output), the following information may be recorded:
  * Timestamp of the `SRUM` entry creation.
  * Full path of the executable or application information / description for built-in components.
  * Metrics on network data usage (bytes sent and receive on a given network interface).

Some of the information recorded in the `SRUM` database be viewed using the Windows `Task Manager` ("App history" tab).

More information on the tables in the `SRUM` database is referenced in the [`srum-dump`](https://github.com/MarkBaggett/srum-dump) project's [mapping file](https://github.com/MarkBaggett/srum-dump/blob/master/SRUM_TEMPLATE2.xlsx).

### Parsing

**Repairing the SRUDB.dat database**

As the copied `SRUM` database will likely not be in a "clean state", the database will have to be repaired. This can be accomplished using the `esentutl` utility. It is recommended to make a copy of the `SRU` directory before repairing the database.

```
# The following commands should be executed in the directory containing the UAL database files.

esentutl.exe /r sru /i

esentutl.exe /p SRUDB.dat
```

**SrumECmd**

The `SrumECmd` utility (`KAPE`'s `SrumECmd` module) can parse and extract information from the `SRUDB.dat` database, and correlates information from the `SOFTWARE` registry hive.

```
# Parses the specified SRUM database, using the optionally provided SOFTWARE registry hive.
SrumECmd.exe -f <SRUDB.dat | SRUM_DB_FILE> [-r <SOFTWARE>] --csv <OUTPUT_DIRECTORY>

# Recursively look for SRUDB.dat and SOFTWARE files in the specified directory.
SrumECmd.exe -d <DIRECTORY> --csv <OUTPUT_DIRECTORY>
```

***

### References

<https://isc.sans.edu/forums/diary/System+Resource+Utilization+Monitor/21927/>

<https://www.youtube.com/watch?v=Uw8n4\\_o-ETM>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://notes.qazeer.io/dfir/windows/_artefacts_overview/srum.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.