System Resource Usage Monitor
The System Resource Usage Monitor (SRUM) is one of the most powerful and often overlooked diagnostic databases in Windows. It continuously tracks application performance metrics, network usage and energy consumption over extended periods ranging from 30 to 60 days. For digital forensics, SRUM acts as a historical black box revealing exactly how much data an application pushed over a network or how long a process stayed active.
Imagine a fitness tracker that logs every single step you take, exactly how many calories you burn and how much water you drink over an entire month. SRUM is that fitness tracker for Windows. Instead of calories, it measures how many megabytes of internet data a program uses and exactly how many seconds it keeps the processor busy. If a program secretly uploads all your files to the internet, SRUM will have a record of the massive data spike.
General
Microsoft introduced SRUM in Windows 8 to provide telemetry for the Task Manager and Battery settings UI. The data is managed by the Diagnostic Policy Service (DPS) and is stored in an Extensible Storage Engine (ESE) database located at C:\Windows\System32\sru\SRUDB.dat. Every hour, Windows flushes its active resource counters into this database, creating long-term historical snapshots of system activity. Because it tracks data down to the specific application and user SID, it provides an unparalleled view of network and execution history that standard event logs completely miss.
Traces
Extracting SRUM data means parsing multiple complex ESE tables, which together form a massive ledger of system states. These are the top data columns we analyze:
- Application Name: The core executable or service mapped to the activity.
- Network Bytes Sent/Received: Precise counts of outgoing and incoming network traffic over wireless or wired connections.
- CPU Usage Duration: The exact amount of background and foreground processing time the application consumed.
- User SID: The specific user account associated with the execution.
- Network Connection ID: Identifies which specific Wi-Fi or LAN interface handled the traffic.
- and more.
Forensic Value
We query the SRUM database to investigate data theft and stealthy persistence mechanisms:
- Data Exfiltration: Proving that a specific process uploaded internal data. Compare these metrics with the live Process List to identify the process responsible for the exfiltration.
- Long-Term Execution: Tracking down malware or coin-miners. Integrate SRUM diagnostics into the Timeline to visualize resource consumption spikes.
- Compromised Accounts: Identifying which specific compromised user account initiated the malicious activity.
- Network Activity Reconstruction: Determining if an application talked to the internet even when PCAP data is not available.
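The data exfiltration check described above, written out as an added example (not code from this page or from any SRUM parsing tool). It assumes the hourly rows of the network data usage table have already been exported with AppId and UserId resolved to an executable path and a SID; the sample rows, the host, the SID and the thresholds are constructed placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class NetUsageRecord:
    """One hourly row from SRUM's network data usage table, with AppId and
    UserId already resolved (assumption) to an executable path and a SID."""
    timestamp: datetime
    app: str
    user_sid: str
    interface_luid: int
    bytes_sent: int
    bytes_recvd: int


MB = 1024 * 1024

# Constructed sample rows for a hypothetical host; paths, SID and LUID are placeholders.
SAMPLE_RECORDS = [
    NetUsageRecord(datetime(2024, 3, 4, 9), r"C:\Program Files\Browser\browser.exe",
                   "S-1-5-21-1111-2222-3333-1001", 1689399632855040, 3 * MB, 120 * MB),
    NetUsageRecord(datetime(2024, 3, 4, 10), r"C:\Program Files\Browser\browser.exe",
                   "S-1-5-21-1111-2222-3333-1001", 1689399632855040, 2 * MB, 95 * MB),
    NetUsageRecord(datetime(2024, 3, 4, 10), r"C:\Windows\System32\svchost.exe",
                   "S-1-5-18", 1689399632855040, 1 * MB, 40 * MB),
    NetUsageRecord(datetime(2024, 3, 4, 23), r"C:\Users\Public\sync_helper.exe",
                   "S-1-5-21-1111-2222-3333-1001", 1689399632855040, 850 * MB, 2 * MB),
    NetUsageRecord(datetime(2024, 3, 5, 0), r"C:\Users\Public\sync_helper.exe",
                   "S-1-5-21-1111-2222-3333-1001", 1689399632855040, 640 * MB, 1 * MB),
]


def totals_per_app_user(records):
    """Sum bytes sent/received per (app, SID), tying the volume to an account."""
    totals = defaultdict(lambda: [0, 0])
    for r in records:
        totals[(r.app, r.user_sid)][0] += r.bytes_sent
        totals[(r.app, r.user_sid)][1] += r.bytes_recvd
    return {key: (sent, recvd) for key, (sent, recvd) in totals.items()}


def flag_upload_spikes(records, min_sent=100 * MB, ratio=10.0):
    """Return hourly rows whose outbound volume exceeds a floor and dwarfs the
    inbound volume: the upload-heavy profile of exfiltration. Thresholds are
    assumptions to tune per environment. Largest spike first."""
    hits = [r for r in records
            if r.bytes_sent >= min_sent and r.bytes_sent >= ratio * max(r.bytes_recvd, 1)]
    return sorted(hits, key=lambda r: r.bytes_sent, reverse=True)


if __name__ == "__main__":
    for r in flag_upload_spikes(SAMPLE_RECORDS):
        print(f"{r.timestamp:%Y-%m-%d %H:00} {r.app} {r.user_sid} "
              f"sent={r.bytes_sent // MB} MB recv={r.bytes_recvd // MB} MB")
```

Each flagged row carries the application, SID and hour, which is what you then correlate with the Process List and the Timeline.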
For more information, see these articles: Process List, Timeline