
Investigating Windows System Resource Usage Monitor (SRUM)

07/05/2021 Friday

The Windows System Resource Usage Monitor (SRUM) was first introduced in Windows 8. SRUM tracks 30 to 60 days of system resource usage, in particular application resource usage, energy usage, Windows push notifications, network connectivity, and network data usage. This feature is enabled by default and configured to start automatically upon system startup. Some of the data collected is available to the user on Windows 8 and later versions through the “App history” tab of the Task Manager; however, the database associated with SRUM contains a wealth of information that is not visible to the end user.


Digital Forensics Value of SRUM Artifacts


SRUM is considered a gold mine of forensic information, as it records a broad range of the activity that occurs on a particular Windows system. SRUM tracks and records program executions, power consumption, network activity, and much more, and this information can be recovered even after the originating program or file has been deleted. This type of information enables the examiner to gain insight into previous activities and events on the system.


Location of SRUM Artifacts


SRUM artifacts are stored in a file named SRUDB.dat at C:\Windows\System32\SRU\SRUDB.dat


Structure of SRUM Artifacts


SRUM artifacts are stored in the Extensible Storage Engine (ESE) database format. This database file contains multiple tables recording the activities that occurred on a particular system.
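The two sections above (the location of SRUDB.dat and its ESE structure) carry a practical caveat: on a live system the file is held open by the SRUM service, and a copy taken from a running machine is usually left in a "dirty shutdown" state that most ESE parsers refuse to open until the SRU*.log transaction logs have been replayed. The following added example (not code from this page or from ArtiFast) reads the ESE file header and reports that state before any table parsing is attempted. It assumes the ESE header layout documented by the libesedb project (signature at offset 4, database state at offset 52, page size at offset 236) and the SRUM table-to-GUID mapping published in public SRUM research (SRUM-dump, SANS); neither is on this page, so verify the GUIDs against HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SRUM\Extensions on the examined system. The sample header bytes are constructed for offline testing and are not from a real SRUDB.dat.

```python
"""Inspect the header of an ESE database such as SRUDB.dat before parsing it."""
import struct
from dataclasses import dataclass

ESE_SIGNATURE = 0x89ABCDEF   # magic value at offset 4 of every ESE file (libesedb docs)
HEADER_SIZE = 256            # only the first 256 bytes of the header are needed here

# Database state stored at header offset 52 (per libesedb documentation).
DB_STATES = {
    1: "just created",
    2: "dirty shutdown",
    3: "clean shutdown",
    4: "being converted",
    5: "force detach",
}

# SRUM provider table names -> the artifact categories this page describes.
# Assumption: GUIDs taken from public SRUM research (SRUM-dump), not from this page;
# confirm them in the SRUM\Extensions registry key of the system under examination.
SRUM_TABLES = {
    "{D10CA2FE-6FCF-4F6D-848E-B2E99266FA89}": "Application Resource Usage",
    "{FEE4E14F-02A9-4550-B5CE-5FA2DA202E37}": "Energy Usage",
    "{FEE4E14F-02A9-4550-B5CE-5FA2DA202E37}LT": "Energy Usage (Long Term)",
    "{DD6636C4-8929-4683-974E-22C046A43763}": "Network Connections",
    "{973F5D5C-1D90-4944-BE8E-24B94231A174}": "Network Usage",
    "{D10CA2FE-6FCF-4F6D-848E-B2E99266FA86}": "Push Notification Data",
}


@dataclass
class EseHeader:
    file_format_version: int
    file_type: int          # 0 = database, 1 = streaming file
    db_state: int
    page_size: int

    @property
    def state_name(self) -> str:
        return DB_STATES.get(self.db_state, f"unknown ({self.db_state})")

    @property
    def needs_recovery(self) -> bool:
        # Anything other than a clean shutdown means the transaction logs must be
        # replayed (esentutl /r SRU, run in the copied SRU folder) before parsing.
        return self.db_state != 3


def is_ese_database(data: bytes) -> bool:
    """True if the buffer starts with an ESE header signature."""
    if len(data) < 8:
        return False
    (signature,) = struct.unpack_from("<I", data, 4)
    return signature == ESE_SIGNATURE


def parse_ese_header(data: bytes) -> EseHeader:
    """Decode the fields of the ESE header that matter for triage."""
    if len(data) < HEADER_SIZE:
        raise ValueError("header too short")
    if not is_ese_database(data):
        raise ValueError("not an ESE database: bad signature at offset 4")
    version, file_type = struct.unpack_from("<II", data, 8)
    (db_state,) = struct.unpack_from("<I", data, 52)
    (page_size,) = struct.unpack_from("<I", data, 236)
    return EseHeader(version, file_type, db_state, page_size)


def inspect_file(path: str) -> EseHeader:
    """Read just the header of a copied SRUDB.dat and decode it."""
    with open(path, "rb") as fh:
        return parse_ese_header(fh.read(HEADER_SIZE))


def describe_table(table_name: str) -> str:
    """Map an ESE table name from SRUDB.dat to the SRUM artifact it holds."""
    return SRUM_TABLES.get(table_name, "unrecognised table")


def build_sample_header(db_state: int, page_size: int = 8192) -> bytes:
    """Constructed header bytes for offline testing; not a real SRUDB.dat."""
    buf = bytearray(HEADER_SIZE)
    struct.pack_into("<III", buf, 4, ESE_SIGNATURE, 0x620, 0)  # signature, version, type
    struct.pack_into("<I", buf, 52, db_state)
    struct.pack_into("<I", buf, 236, page_size)
    return bytes(buf)


if __name__ == "__main__":
    hdr = parse_ese_header(build_sample_header(db_state=2))
    print(f"state={hdr.state_name} page_size={hdr.page_size} recovery={hdr.needs_recovery}")
    print(describe_table("{DD6636C4-8929-4683-974E-22C046A43763}"))
```

To use it on a real case, copy the whole C:\Windows\System32\SRU folder (the database plus its SRU*.log and .chk files) from a disk image or a volume shadow copy, run inspect_file on the copied SRUDB.dat, and only hand the file to a parser once needs_recovery is False. Checking the state first explains the most common "cannot open database" failure an examiner meets with SRUM.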


Analyzing SRUM Artifacts with ArtiFast Windows


This section will discuss how to use ArtiFast Windows to extract SRUM artifacts from Windows machines and what kind of digital forensics insight we can gain from the artifacts.

After you have created your case and added evidence for the investigation, at the Artifact Parser Selection Phase, you can select SRUM artifacts:




ArtiFast can analyze SRUM Application Resource Usage, Energy Usage, Energy Usage (Long Term), Network Connections, Network Usage, and Push Notification Data. For demonstration purposes, all the artifacts have been chosen but you have the option to select only one or more artifacts.



Once the ArtiFast parser plugins have finished processing the artifacts, they can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of the SRUM artifacts in ArtiFast.


SRUM Application Resource Usage Artifact

This artifact contains information related to the application's resource usage. The details you can view include:


SRUM Energy Usage Artifact

This artifact contains information related to power consumption on a Windows device. The details you can view include:


SRUM Energy Usage (Long Term) Artifact

This artifact contains information related to power consumption (long term) on a Windows device. The details you can view include:


SRUM Network Connections Artifact

This artifact contains information related to the networks the device connected to and the duration it stayed connected. The details you can view include:


SRUM Network Usage Artifact

This artifact contains information related to network activity. The details you can view include:


SRUM Push Notification Data Artifact

This artifact contains information related to Windows push notifications. The details you can view include: