How to parse SRUDB.dat without installing anything
5/17/2026
Three options, by environment
| Approach | Install required | Best for |
|---|---|---|
| Browser parser | None | One-off analysis, sensitive files (no upload), demos |
| SrumECmd | .NET 6+ runtime | Windows DFIR workstation, batch processing |
| srum-dump | Python 3.9+ | Linux/macOS analysts, custom pipelines |
Option 1: drop it on this page
Open the SRUM parser, drag your SRUDB.dat file onto the drop zone,
and the data appears within ~1 second for a typical 5 MB file. Everything
happens locally via WebAssembly — your file never leaves your browser.
What you get:
- All ESE tables enumerated with column types
- Tabs for the well-known SRUM tables (Application Resource Use, Network Data Usage, Network Connectivity, Energy Usage, Push Notifications)
AppIdandUserIdautomatically resolved againstSruDbIdMapTable- FILETIME columns rendered as ISO-8601 strings
Use this when you want a quick look at a single file without setting up a tool, or when the file is too sensitive to upload anywhere.
Option 2: SrumECmd
Eric Zimmerman's SrumECmd is the de-facto standard for Windows DFIR
workstations. It produces clean CSVs ready for Timeline Explorer or Excel.
SrumECmd.exe -f C:\evidence\SRUDB.dat -r C:\evidence\SOFTWARE --csv C:\output
The -r flag points at the SOFTWARE registry hive so that network profile
GUIDs get resolved to friendly SSIDs.
Output: one CSV per SRUM table — App Resource Use, Network Data Usage, Network Connectivity, Energy Usage, plus the resolved IdMap.
Option 3: srum-dump
Mark Baggett's srum-dump is the Python option. It writes an XLSX
spreadsheet with one sheet per table.
pip install -r requirements.txt
python srum_dump.py --SRUM_INFILE SRUDB.dat --REG_HIVE SOFTWARE --OUT_DIR ./out
A fork by Willi Ballenthin produces JSON instead of XLSX, which integrates better with scripted analytics.
Picking between them
- One file, quick look → browser parser
- Many files, repeatable → SrumECmd in a batch script
- Custom analysis in pandas / jq → srum-dump JSON fork
- Sensitive file you cannot exfiltrate → browser parser (zero upload)
Common pitfalls
- Copying a locked file. SRUDB.dat is locked on a live system. See Where is SRUDB.dat located on Windows? for acquisition options.
- Forgetting the SOFTWARE hive. Without it, network profile names are
raw GUIDs. SrumECmd's
-rflag and srum-dump's--REG_HIVEaccept the hive path. - Reading only the short-term table. Application Resource Use captures
the last ~30 days; the
LTsibling holds aggregated weekly rows for up to a year. Always check both.
Related reading
Frequently asked questions
- Do I need Python to parse SRUDB.dat?
- No. You can use a browser-based parser (no install), a .NET command-line tool (SrumECmd), or Python (srum-dump). Pick whichever fits your environment.
- Is the browser-based parser slower than CLI tools?
- For files under 100 MB the difference is imperceptible — parsing happens in WebAssembly at near-native speed. CLI tools win for batch processing dozens of files.
- Can I export results to CSV?
- SrumECmd and srum-dump both produce CSV/XLSX out of the box. The browser parser currently shows results in an interactive table; CSV export is on the roadmap.
- Will any parser show me data older than 30 days?
- Only if the long-term (LT) tables exist and have rows. Short-term tables are pruned after about 30 days by the SRUM service itself.
- Can I parse just the SRUDB.dat file or do I need the logs?
- SRUDB.dat alone is usually enough. The SRU*.log transaction logs only matter when the database was copied while the service was mid-flush — in that case, replaying the logs gives you the missing recent rows.