SRUM

Introduced in Windows 8.

System Usage Resource Manager (SRUM) records numerous metrics of system activity, such as:

  • System usage

  • Program execution

  • Network usage of executed programs

Historical data is retained for roughly 30-60 days.

Entries are written with the timestamp of their insertion into the database, not the timestamp of the activity they describe.

Entries contain:

  • Application resource usage (ARU) table, which tracks program execution. For each ARU entry the following information may be recorded:

    • Timestamp of the SRUM entry

    • Full path of the executable, or application info / description for built-in components

    • Executing user's SID

    • Metrics on CPU usage (time in foreground/background)

    • Metrics on I/O operations

  • App timeline provider, which also tracks program execution. For each entry:

    • Timestamp of the SRUM entry

    • Timestamp of compilation of the executable

    • Timestamp of the approximate end of execution

    • Total duration (in milliseconds)

    • User's SID

    • Name of the executable and built-in description

  • Network usage data, which tracks program execution and the network usage of executed programs. For each entry:

    • Timestamp of the SRUM entry

    • Full path of the executable or app info

    • Metrics on network usage - bytes in / bytes out on a given interface

Location:

# SRUM DB 
%SystemRoot%\System32\SRU\SRUDB.dat

# Registry (used to translate some information in the DB - e.g. User SID to username and network shares) 
%SystemRoot%\System32\config\SOFTWARE

More information on the tables in the SRUM database is referenced in the srum-dump project.

Parsing:

Repairing the SRUDB.dat database

The (copied) SRUM database will have to be repaired, since it is no longer on the host device. The esentutl utility can be used to recover it (it is recommended to make a copy of the SRU directory before repairing the database):

# The following commands should be executed in the directory containing the database files.
esentutl.exe /r sru /i
esentutl.exe /p SRUDB.dat

SrumECmd can then be used to parse and extract information from the SRUDB.dat database, correlating it with information from the SOFTWARE registry hive.

# Parses the specified SRUM database, using the optionally provided SOFTWARE registry hive.
SrumECmd.exe -f <SRUDB.dat | SRUM_DB_FILE> [-r <SOFTWARE>] --csv <OUTPUT_DIRECTORY>

# Recursively look for SRUDB.dat and SOFTWARE files in the specified directory.
SrumECmd.exe -d <DIRECTORY> --csv <OUTPUT_DIRECTORY>
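As an added example (not part of this note or of the SrumECmd project), a short Python script that post-processes rows in the shape of SrumECmd's CSV output: it sums bytes sent per executable and SID across the hourly insertion rows, flags totals above a threshold, and derives an approximate start time from an app timeline row's end time and duration. The sample rows are constructed and the column names are assumptions, not verified against the tool's real headers.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows in the shape of SrumECmd CSV output. The column
# names are assumptions for this example, not the tool's verified headers.
NETWORK_CSV = """Timestamp,ExeInfo,Sid,BytesSent,BytesReceived
2024-05-01 13:00:11,C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe,S-1-5-21-1-2-3-1001,734003200,12288
2024-05-01 13:00:11,C:\\Windows\\System32\\svchost.exe,S-1-5-18,4096,65536
2024-05-01 14:00:09,C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe,S-1-5-21-1-2-3-1001,52428800,8192
"""

TIMELINE_CSV = """Timestamp,ExeInfo,EndTime,DurationMs
2024-05-01 13:00:11,C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe,2024-05-01 12:47:30,1500000
"""

FMT = "%Y-%m-%d %H:%M:%S"


def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def bytes_sent_per_exe(rows):
    """Sum outbound bytes per (executable, SID). SRUM rows are periodic
    insertions, so one program's traffic is spread over several rows."""
    totals = defaultdict(int)
    for r in rows:
        totals[(r["ExeInfo"], r["Sid"])] += int(r["BytesSent"])
    return dict(totals)


def large_uploads(rows, threshold_bytes):
    """Executables whose total bytes sent exceed a threshold, a quick way to
    surface exfiltration-sized transfers from unusual paths."""
    totals = bytes_sent_per_exe(rows)
    return sorted(exe for (exe, _), sent in totals.items() if sent > threshold_bytes)


def approximate_start(row):
    """App timeline rows carry an approximate end time and a duration in
    milliseconds; the start is derived from those. The SRUM Timestamp is
    only the moment the record was flushed to SRUDB.dat, not the activity."""
    end = datetime.strptime(row["EndTime"], FMT)
    return end - timedelta(milliseconds=int(row["DurationMs"]))


if __name__ == "__main__":
    for key, sent in bytes_sent_per_exe(parse_csv(NETWORK_CSV)).items():
        print(key, f"{sent / 2**20:.1f} MiB sent")
    for row in parse_csv(TIMELINE_CSV):
        print(row["ExeInfo"], "started at about", approximate_start(row))
```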
