Does SRUM prove a program executed?

Yes. A row in the Application Resource Use table with non-zero CPU cycles means the process ran during that hourly bucket. Unlike Prefetch it also ties the execution to a user SID and resource cost.

Is Prefetch more precise than SRUM for execution time?

Prefetch records the last 8 run timestamps to the second, so for the most recent executions it is more precise. SRUM buckets activity into ~1-hour windows but retains far more history (30–60 days vs Prefetch's ~128 entries).

Can Amcache prove execution?

Amcache proves presence and is strongly associated with execution, but it is primarily a program-inventory artifact. SRUM and Prefetch are stronger direct execution evidence.

Which artifact survives the longest?

Amcache and SRUM both retain weeks to months. Prefetch is capped at 1024 files (and disabled by default on servers/SSDs in some configs), so it rolls over fastest on busy systems.

Should I use only one of them?

No. They corroborate each other. Prefetch gives precise recent timestamps, SRUM gives long-range activity plus user attribution and bytes transferred, Amcache gives the binary's SHA-1 and install metadata. Together they build a defensible timeline.

← Back to parser

SRUM vs Prefetch vs Amcache: which execution artifact to use

5/19/2026

The one-line answer

Use Prefetch for precise recent run times, SRUM for long-range activity with user attribution and resource cost, and Amcache for the binary's hash and presence. They are complementary, not interchangeable.

Side by side

	SRUM	Prefetch	Amcache
Proves execution	Yes (CPU cycles > 0)	Yes	Associated, not definitive
Time resolution	~1 hour bucket	Second (last 8 runs)	Install/first-seen
History depth	30–60 days	~1024 entries, rolls over	Weeks–months
User attribution	Yes (UserId → SID)	No	No
Bytes / network	Yes	No	No
Binary hash	No	No	Yes (SHA-1)
Default availability	On (Win8+)	Often off on SSD/server	On

When SRUM is the right tool

SRUM is uniquely strong when the question involves who or how much:

"Which user account ran this tool?" — Prefetch and Amcache cannot answer this; SRUM's UserId resolves to a SID via SruDbIdMapTable.
"How much data did the process send?" — only SRUM's Network Data Usage table has per-process byte counters.
"Did this run repeatedly over the last month?" — SRUM keeps ~30–60 days; Prefetch likely rolled over.

When SRUM is the wrong tool

You need the exact second of the most recent execution → Prefetch.
You need the binary's hash to match against threat intel → Amcache.
The system is a server with Prefetch disabled and you only need a yes/no on presence → Amcache.

A combined workflow

Amcache — get the binary's SHA-1, first-install time.
Prefetch — precise timestamps of the last few executions.
SRUM — confirm long-range recurrence, the user account, and any network egress. Drop the database into the SRUM parser and pivot on the resolved AppId.

The corroboration across all three is what makes the timeline hold up.

Frequently asked questions

Does SRUM prove a program executed?: Yes. A row in the Application Resource Use table with non-zero CPU cycles means the process ran during that hourly bucket. Unlike Prefetch it also ties the execution to a user SID and resource cost.
Is Prefetch more precise than SRUM for execution time?: Prefetch records the last 8 run timestamps to the second, so for the most recent executions it is more precise. SRUM buckets activity into ~1-hour windows but retains far more history (30–60 days vs Prefetch's ~128 entries).
Can Amcache prove execution?: Amcache proves presence and is strongly associated with execution, but it is primarily a program-inventory artifact. SRUM and Prefetch are stronger direct execution evidence.
Which artifact survives the longest?: Amcache and SRUM both retain weeks to months. Prefetch is capped at 1024 files (and disabled by default on servers/SSDs in some configs), so it rolls over fastest on busy systems.
Should I use only one of them?: No. They corroborate each other. Prefetch gives precise recent timestamps, SRUM gives long-range activity plus user attribution and bytes transferred, Amcache gives the binary's SHA-1 and install metadata. Together they build a defensible timeline.