SRUM

Introduced in Windows 8.

System Usage Resource Manager (SRUM) records numerous metrics of system activity, such as:

  • System usage

  • Program execution

  • Network usage of executed programs

Historical data is retained for roughly 30-60 days.

Entries carry the timestamp of their insertion into the database, not the time at which the recorded activity occurred.

Entries contain:

  • Application resource usage (ARU) table, which tracks program execution. For each ARU entry the following information may be recorded:

    • Timestamp of the SRUM entry

    • Full path of the executable, or application info / description for built-in components

    • SID of the executing user

    • Metrics on CPU usage (time in foreground/background)

    • Metrics on I/O operations

  • App timeline provider table, which also tracks program execution. For each entry:

    • Timestamp of the SRUM entry

    • Compilation timestamp of the executable

    • Timestamp of the approximate end of execution

    • Total duration (in milliseconds)

    • User's SID

    • Name of the executable and built-in description

  • Network usage data, which tracks program execution and the network usage of executed programs. For each entry:

    • Timestamp of the SRUM entry

    • Full path of the executable or app info

    • Metrics on network usage: bytes in / bytes out on a given interface

Location:

The database lives on the host at C:\Windows\System32\sru\SRUDB.dat, alongside its ESE transaction logs in the same sru directory.

More information on the tables in the SRUM database can be found in the srum-dump project.

Parsing:

Repairing the SRUDB.dat database

The (copied) SRUM database will have to be repaired, since a copy taken off the host is not in a cleanly shut-down state. The esentutl utility can be used to recover it (it is recommended to make a copy of the SRU directory before repairing the database).

SrumECmd can then be used to parse and extract information from the repaired SRUDB.dat database, correlating it with information from the SOFTWARE registry hive.
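As an added example, not part of the original page and not the tools' own documentation, the following PowerShell script walks the procedure above end to end: copy the SRU directory and the SOFTWARE hive off mounted evidence, check the database header, repair the copy with esentutl, and parse it with SrumECmd. The evidence drive letter (E:), the working directory (C:\Cases\host01) and the SrumECmd install path (C:\Tools) are assumptions; the SrumECmd options -f, -r and --csv are those of Eric Zimmerman's SrumECmd.

```powershell
# Added example: repair and parse an acquired SRUM database.
# Assumptions (not from the original page): the evidence image is mounted at E:\,
# the working directory is C:\Cases\host01, and SrumECmd.exe lives in C:\Tools.
$Evidence = 'E:\Windows\System32'
$Work     = 'C:\Cases\host01'
$SruDir   = Join-Path $Work 'sru'
$OutDir   = Join-Path $Work 'srum_csv'
$SrumECmd = 'C:\Tools\SrumECmd.exe'

# 1. Copy the whole SRU directory (database plus ESE logs) and the SOFTWARE hive.
#    All later steps modify files in place, so they run on this copy only.
New-Item -ItemType Directory -Force -Path $SruDir, $OutDir | Out-Null
Copy-Item -Path (Join-Path $Evidence 'sru\*') -Destination $SruDir -Recurse -Force
Copy-Item -Path (Join-Path $Evidence 'config\SOFTWARE') -Destination $Work -Force
$Db = Join-Path $SruDir 'SRUDB.dat'

# 2. Inspect the database header. A copy taken from a live host normally
#    reports "State: Dirty Shutdown", which is why the repair is needed.
(& esentutl.exe /mh $Db) | Select-String -Pattern 'State:'

# 3. Replay the transaction logs that were copied with the database ("SRU" is
#    the log base name in that directory; esentutl looks for them in the
#    current directory), then hard-repair the database file itself.
Push-Location $SruDir
try {
    & esentutl.exe /r SRU /i     # soft recovery; /i ignores missing attachments
    & esentutl.exe /p $Db        # repair of the database file
} finally {
    Pop-Location
}

# Refuse to continue if the header still does not report a clean state.
if (-not ((& esentutl.exe /mh $Db) -match 'Clean Shutdown')) {
    throw "SRUDB.dat is still not in a clean state; review the esentutl output."
}

# 4. Parse with SrumECmd, giving it the repaired database and the SOFTWARE hive
#    so it can resolve identifiers stored in the SRUM tables to readable names.
& $SrumECmd -f $Db -r (Join-Path $Work 'SOFTWARE') --csv $OutDir

# One CSV per SRUM table (application resource usage, app timeline, network usage, ...).
Get-ChildItem -Path $OutDir -Filter '*.csv' | Select-Object Name, Length
```

The header check after the repair matters in practice: if esentutl did not bring the copy to a clean shutdown state, SrumECmd may fail to open the database or return incomplete tables, and it is better to notice that before timestamps from a half-parsed file enter a timeline.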
