Where is SRUDB.dat located on Windows?

TL;DR

SRUDB.dat lives at:

C:\Windows\System32\sru\SRUDB.dat

It cannot be copied while the system is running because the Diagnostic Policy Service (DPS) holds an exclusive handle on it. Use a Volume Shadow Copy or a forensic imager.

Why the path matters

The System Resource Usage Monitor was introduced in Windows 8 and has kept the same location ever since. The whole C:\Windows\System32\sru\ directory holds the artefacts the SRUM service maintains:

  • SRUDB.dat — the main ESE database
  • SRU*.log — ESE write-ahead log files
  • SRU.chk — checkpoint file that lets a parser replay uncommitted transactions

If you copy only SRUDB.dat without the logs, a parser may report fewer rows than expected — recent activity may still be in the logs waiting to flush.

Acquiring the file

On a live system, SRUDB.dat is locked. Approaches that work:

  1. Volume Shadow Copy (VSS). Take a snapshot of the system volume, then read the file from the snapshot. The free tool Arsenal Image Mounter handles this well.
  2. Forensic imager. FTK Imager, X-Ways, or Magnet AXIOM Process all collect locked system files via direct disk access.
  3. Targeted collection tools. KAPE and Velociraptor have built-in SRUM collectors that pull the whole sru\ directory plus the SOFTWARE hive.

After acquisition, drop the file directly into the SRUM parser — no extra extraction step is needed.
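The three approaches above all rely on reading the locked file from a snapshot or from the raw disk. As an added example (not code from this page or from the SRUM parser it belongs to), the script below does the VSS variant with only built-in Windows tooling: it snapshots the system volume through the Win32_ShadowCopy WMI class, exposes the snapshot through a directory symlink, copies the whole sru\ directory plus the SOFTWARE hive, hashes the output, and finally reads the ESE header so you know whether the logs still hold unflushed rows. The output folder in $Destination and the temporary link location are assumptions; run it from an elevated PowerShell prompt.

```powershell
# Added example: acquire SRUM artefacts from a Volume Shadow Copy using built-in tooling.
# Assumptions: elevated prompt, system volume is C:, output folder below is arbitrary.
param([string]$Destination = "C:\Acquisition\SRUM")   # assumed output path

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $Destination -Force | Out-Null

# 1. Snapshot the system volume via WMI. Unlike 'vssadmin create shadow', which is
#    server-only, Win32_ShadowCopy.Create works on client SKUs as well.
$result = Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create `
            -Arguments @{ Volume = 'C:\'; Context = 'ClientAccessible' }
if ($result.ReturnValue -ne 0) {
    throw "Win32_ShadowCopy.Create failed with return code $($result.ReturnValue)"
}
$shadow = Get-CimInstance -ClassName Win32_ShadowCopy |
          Where-Object { $_.ID -eq $result.ShadowID }

# 2. Expose the snapshot as a directory symlink (assumed temp location).
#    The trailing backslash after the device object is required by mklink.
$link = Join-Path $env:TEMP ("sru_vss_" + [guid]::NewGuid().ToString('N'))
cmd.exe /c mklink /d "$link" "$($shadow.DeviceObject)\" | Out-Null

try {
    # 3. Copy the entire sru\ directory (SRUDB.dat, SRU*.log, SRU.chk) and the
    #    SOFTWARE hive needed to resolve network profile GUIDs.
    $sruDir = Join-Path $link 'Windows\System32\sru'
    $hive   = Join-Path $link 'Windows\System32\config\SOFTWARE'
    Copy-Item -Path (Join-Path $sruDir '*') -Destination $Destination -Force
    Copy-Item -Path $hive -Destination (Join-Path $Destination 'SOFTWARE') -Force
}
finally {
    # 4. Remove the link and the snapshot so nothing is left behind on the host.
    cmd.exe /c rmdir "$link" | Out-Null
    $shadow | Remove-CimInstance
}

# 5. Hash everything collected (chain of custody), then inspect the ESE header.
#    'State: Dirty Shutdown' means the logs still hold transactions to replay;
#    'State: Clean Shutdown' means SRUDB.dat alone is already consistent.
$hashes = Get-ChildItem -Path $Destination -File | Get-FileHash -Algorithm SHA256
$hashes | Export-Csv -Path (Join-Path $Destination 'hashes.csv') -NoTypeInformation
& esentutl.exe /mh (Join-Path $Destination 'SRUDB.dat') | Select-String -Pattern 'State:'
```

If the header reports Dirty Shutdown, keep the copied SRU*.log and SRU.chk beside the database; the parser replays them, and the standard ESE recovery command (esentutl /r SRU /d, run from inside the copied directory on a working copy) does the same if you need a clean database for another tool. Hash the files before any such replay, since recovery rewrites SRUDB.dat.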

When the path differs

The path is consistent across consumer and server SKUs, but:

  • Older Windows 7 systems do not have SRUM at all. The service was introduced in Windows 8 / Server 2012.
  • Sandboxed Windows environments (Windows-on-ARM in some kiosk configurations, certain enterprise lockdowns) may have the SRUM service disabled — the directory will exist but the database may be empty.

Frequently asked questions

What is the full path of SRUDB.dat?
C:\Windows\System32\sru\SRUDB.dat on all Windows versions from 8 through 11. It is accompanied by transaction logs (SRU*.log) and a checkpoint file (SRU.chk) in the same directory.
Can I copy SRUDB.dat while Windows is running?
No. The Diagnostic Policy Service (DPS), which runs SRUM, keeps an exclusive handle on the file. Use a Volume Shadow Copy, a forensic imager such as FTK Imager or KAPE, or a kernel-mode acquisition tool like Velociraptor.
Does SRUDB.dat exist on Windows Server?
Yes, on Server 2012 R2 and later when the Diagnostic Policy Service is running. The file may be smaller because consumer workloads (Modern apps, energy tracking) are absent.
Is SRUDB.dat encrypted?
No. SRUDB.dat is a plain Extensible Storage Engine (ESE) database. Rows are sometimes XPRESS-compressed but never encrypted at rest.
What other files do I need to grab with SRUDB.dat?
For a complete acquisition: the entire C:\Windows\System32\sru\ directory (logs and checkpoint replay any uncommitted transactions), plus the SOFTWARE registry hive if you want to resolve network profile GUIDs to friendly names.