What is SRUM and why forensic analysts care

Overview

The System Resource Usage Monitor (SRUM) is a Windows subsystem introduced in Windows 8 that records per-application resource activity: CPU cycles, foreground/background time, bytes read and written, network bytes sent and received, and energy use. The data lives in an ESE database at C:\Windows\System32\sru\SRUDB.dat and retains roughly 30 to 60 days of history (longer in the LT siblings).

For a forensic analyst, SRUM answers questions that nothing else on the disk can answer with the same fidelity:

• Which program exfiltrated network data, and how much?
• Was a specific application running on a specific date?
• Which user account was logged in when an application ran?
• Was the device on AC power or battery when the event happened?

The well-known tables

SRUDB.dat is an ordinary ESE (Jet Blue) database. Most tables are named with a GUID; each GUID identifies a SRUM extension registered with the service.

The non-GUID table SruDbIdMapTable resolves the small integer AppId and UserId foreign keys in the data tables back to either an application path or a Windows SID.

A dedicated post breaks down each table's columns.

How to use this site

Drop a SRUDB.dat file on the home page and the parser shows you every table, every column, and resolves application paths and user SIDs on the fly. Nothing is uploaded — everything runs locally in WebAssembly.

For deeper guides:

• Where is SRUDB.dat located on Windows? — acquisition advice
• SRUM tables explained — column reference
• How to parse SRUDB.dat without installing anything — tool comparison
• Using SRUM in a forensic investigation — worked investigative examples
• The ESE database format that powers SRUDB.dat — ESE internals
• SRUM vs Prefetch vs Amcache — which execution artifact to use
• How to fix a dirty SRUDB.dat — ESE recovery troubleshooting
• How long does SRUM keep data? — retention and registry settings
• Detecting data exfiltration with SRUM — focused exfiltration method