How many tables does SRUDB.dat contain?

Typically 11 to 14, including ESE system tables (MSysObjects, MSysObjids, MSysLocales), SRUM control tables (SruDbIdMapTable, SruDbCheckpointTable), and 6–8 data tables named with GUIDs.

What is SruDbIdMapTable?

It resolves the small integer AppId and UserId foreign keys used across every data table back to either an application identifier (full path or AUMID for Modern apps) or a binary SID for Windows user accounts.

Why are the data tables named with GUIDs?

Each SRUM extension registers itself with a GUID. The names are stable across Windows builds, so any tool that knows the GUID can parse the corresponding table regardless of locale or service pack.

How long are rows retained?

Around 30 days for the short-term tables and up to a year for the “LT” long-term variants. The exact retention is governed by registry policy under HKLM\System\CurrentControlSet\Control\WMI\AutoLogger\SRUM.

Are timestamps in FILETIME or OLE format?

The TimeStamp column is an OLE variant date (8-byte float). Energy and Network Connectivity tables use 64-bit FILETIME for their event timestamps.

← Back to parser

SRUM tables explained: AppResource, Network, Energy, Push

5/17/2026

The big picture

SRUDB.dat is an Extensible Storage Engine (ESE) database. Most of its tables are named with curly-brace GUIDs that identify a SRUM extension — a piece of telemetry that the SRUM service collects on a schedule (every 60 minutes by default, every 10 seconds when AC power changes).

GUID	Common name
`{D10CA2FE-6FCF-4F6D-848E-B2E99266FA89}`	Application Resource Use
`{D10CA2FE-6FCF-4F6D-848E-B2E99266FA89}LT`	Application Resource Use (Long Term)
`{973F5D5C-1D90-4944-BE8E-24B94231A174}`	Network Data Usage
`{DD6636C4-8929-4683-974E-22C046A43763}`	Network Connectivity
`{FEE4E14F-02A9-4550-B5CE-5FA2DA202E37}`	Energy Usage
`{FEE4E14F-02A9-4550-B5CE-5FA2DA202E37}LT`	Energy Usage (Long Term)
`{D10CA2FE-6FCF-4F6D-848E-B2E99266FA8F}`	Push Notifications

Plus two control tables:

SruDbIdMapTable — joins integer IDs to application paths or SIDs
SruDbCheckpointTable — internal flush state

Application Resource Use

Per-application activity sampled once per hour. Each row tells you who ran what, when, and at what cost.

Key columns:

TimeStamp — bucket boundary
AppId, UserId — foreign keys into SruDbIdMapTable
ForegroundCycleTime, BackgroundCycleTime — CPU cycles (not seconds)
FaceTime — time the app's UI was visible to the user
ForegroundBytesRead, ForegroundBytesWritten — disk I/O while focused
ForegroundNumReadOperations / NumWriteOperations / NumberOfFlushes
Background variants of all the I/O columns

The "Long Term" sibling ({...}LT) aggregates the same rows weekly and is retained for up to a year.

Network Data Usage

Per-application bytes sent and received over each network profile.

InterfaceLuid — Windows LUID for the network interface
L2ProfileId — opaque ID resolvable against the SOFTWARE\Microsoft\ Windows NT\CurrentVersion\NetworkList\Profiles registry key for the friendly SSID/wired name
L2ProfileFlags — bitmask: 0x100 = wired, 0x200 = wireless, 0x400 = WWAN
BytesSent, BytesRecvd — counters since last sample

Combined with AppId resolution, this answers "how many MB did chrome.exe send over my home Wi-Fi between 14:00 and 15:00?"

Network Connectivity

When the system connected to and disconnected from each network.

ConnectStartTime — FILETIME of association
ConnectedTime — duration in seconds
InterfaceLuid, L2ProfileId, L2ProfileFlags — same as above

Useful for placing a device on a specific network at a specific moment.

Energy Usage

Battery and power-source telemetry. Sampled on every power state transition.

EventTimestamp — FILETIME of the transition
StateTransition — AC plug/unplug, sleep enter/exit, low-battery
ChargeLevel, CycleCount, ConfigurationHash
DesignedCapacity, FullChargedCapacity (mWh)
ActiveAcTime, CsAcTime, ActiveDcTime, CsDcTime — time-on counters per power source

The "LT" variant tracks battery health degradation over months.

Push Notifications

For Modern apps that use the Windows Push Notification Service.

NotificationType — toast, tile, badge, raw
PayloadSize — bytes of the notification body
NetworkType — which interface delivered it

Resolution: SruDbIdMapTable

Every data table holds AppId and UserId as small integers. To make them human-readable you join against SruDbIdMapTable:

Column	Meaning
`IdType`	0 = service, 1 = app, 2 = SID, 3 = user (varies by build)
`IdIndex`	The integer used by the data tables
`IdBlob`	UTF-16 path for apps, binary SID for users

The parser on the home page does this join automatically — open any SRUM table tab and the AppId / UserId columns render the resolved string when available, or #42 when the IdMap is missing an entry.

Frequently asked questions

How many tables does SRUDB.dat contain?: Typically 11 to 14, including ESE system tables (MSysObjects, MSysObjids, MSysLocales), SRUM control tables (SruDbIdMapTable, SruDbCheckpointTable), and 6–8 data tables named with GUIDs.
What is SruDbIdMapTable?: It resolves the small integer AppId and UserId foreign keys used across every data table back to either an application identifier (full path or AUMID for Modern apps) or a binary SID for Windows user accounts.
Why are the data tables named with GUIDs?: Each SRUM extension registers itself with a GUID. The names are stable across Windows builds, so any tool that knows the GUID can parse the corresponding table regardless of locale or service pack.
How long are rows retained?: Around 30 days for the short-term tables and up to a year for the “LT” long-term variants. The exact retention is governed by registry policy under HKLM\System\CurrentControlSet\Control\WMI\AutoLogger\SRUM.
Are timestamps in FILETIME or OLE format?: The TimeStamp column is an OLE variant date (8-byte float). Energy and Network Connectivity tables use 64-bit FILETIME for their event timestamps.