SrumECmd

| Step | Action |
|------|--------|
| 1. Obtain the tool | Download the latest release from the official source (Eric Zimmerman's tool page or GitHub repository) and verify the published SHA-256 checksum, and the Authenticode signature where the release is signed, before running it. |
| 2. Copy the database safely | SRUDB.dat is held open exclusively by the SRUM service, so a plain copy fails even in robocopy backup mode (`/b` bypasses ACLs, not share locks). Take a Volume Shadow Copy (or use `esentutl /y <src> /vss /d <dst>`, or a raw-access collector) and copy SRUDB.dat together with its ESE log and checkpoint files (`sru*.log`, `sru.chk`, `sru.jrs`) from `%SystemRoot%\System32\sru`, plus the SOFTWARE hive, which SrumECmd uses with `-r` to resolve network profile names. A snapshot of a live ESE database is often in a dirty-shutdown state; if SrumECmd refuses it, replay the logs on the copy (`esentutl /r sru /i` in the copied directory), never on the original. |
| 3. Run with least privilege | Creating the snapshot needs administrative rights on the live host; parsing does not. Run SrumECmd on the forensic workstation under an ordinary account against the copied files rather than as SYSTEM. |
| 4. Log execution | Record the exact command line, start and end timestamps, and SHA-256 hashes of inputs and outputs (`certutil -hashfile output.csv SHA256` or `Get-FileHash`) for the audit trail. |
| 5. Integrate into SIEM | SrumECmd writes CSV (`--csv <dir>`). Schedule a collection job that drops the CSVs on a network share and configure the SIEM to ingest them with a file-watcher connector. |
| 6. Version control | Record the tool version used in each investigation; SrumECmd prints its version in the console banner, so keep the console output alongside the exports. |
| 7. Update policy | Review releases regularly (quarterly is a reasonable cadence) and apply updates that fix parsing bugs or add support for tables introduced in newer Windows builds; re-parse retained SRUDB.dat copies if an update changes the output. |

| Feature | Description |
|---------|-------------|
| Location | `%SystemRoot%\System32\sru\SRUDB.dat` (protected; held open by the SRUM service while Windows runs, so copying it requires a shadow copy or raw access). |
| Structure | Extensible Storage Engine (ESE, also called JET Blue) database, not SQLite, with GUID-named tables covering network usage, network connectivity, application resource usage, energy usage and others. SrumECmd exports each table as its own CSV (for example NetworkUsages, NetworkConnections, AppResourceUseInfo, EnergyUsage). |
| Data collected | Network: bytes sent and received per application, per user and per interface/profile. CPU and memory: per-process CPU time and working-set figures. Disk I/O: read/write bytes and operation counts. Power: energy consumption estimates and battery-related events. Records are hourly: SRUM accumulates counters in memory and flushes them to the database roughly every 60 minutes, so the most recent hour may not yet be in a copied file. |
| Retention | A rolling window of roughly 30 days; older rows are purged. Treat the window as fixed and preserve the database early rather than counting on extending it. |
| Access | Written only by the SRUM service running as SYSTEM. Administrators can read a copy taken with SeBackupPrivilege from a shadow copy; the live file cannot be opened by ordinary tools because of the exclusive lock. |

The data persists across reboots and user sessions, making it a historical goldmine.

: Provides user IDs, executable paths, and run times.

If a user is suspected of uploading files to cloud storage, analyze the NetworkUsages export (the `*_SrumECmd_NetworkUsages_Output.csv` file): sum BytesSent per executable and user over the period of interest. A high upload volume attributed to chrome.exe or onedrive.exe, particularly with a sent-to-received ratio far above normal browsing, stands out immediately. SRUM attributes traffic to the process and network profile, not to the destination, so pair the finding with proxy or firewall logs to identify the cloud service.

Malware Execution
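The following script is an added example, not code from the page or from the SrumECmd project. It covers both the upload check described above and the execution-evidence angle of this section: it aggregates the NetworkUsages export per executable and user, flags bulk uploads, and flags executables that generated traffic from user-writable paths (Temp, AppData, ProgramData), which is where dropped malware usually lives. The column names used (Timestamp, ExeInfo, UserName, BytesReceived, BytesSent, ProfileName) are what SrumECmd emits at the time of writing and should be confirmed against the header of your own export; the sample rows are constructed, not real SRUM data.

```powershell
# Triage SrumECmd's NetworkUsages export for bulk uploads and executables running from
# user-writable locations. Added example, not part of SrumECmd. Column names are an
# assumption (current SrumECmd output); confirm them against your export's header line.
param(
    [string]$Csv,                                # *_SrumECmd_NetworkUsages_Output.csv; omit to use the sample
    [long]$UploadThresholdBytes = 500MB,         # total bytes sent per exe/user over the window
    [double]$MinSentToReceivedRatio = 5.0        # browsing is download-heavy; bulk uploads invert that
)

# Constructed sample rows (not real SRUM data): one row per executable per hourly flush.
$sample = @'
Timestamp,ExeInfo,UserName,BytesReceived,BytesSent,ProfileName
2024-03-04 09:00:00,\Device\HarddiskVolume3\Program Files\Google\Chrome\Application\chrome.exe,CORP\alice,41234567,2345678,CORP-WIFI
2024-03-04 10:00:00,\Device\HarddiskVolume3\Program Files\Google\Chrome\Application\chrome.exe,CORP\alice,1234567,734003200,CORP-WIFI
2024-03-04 11:00:00,\Device\HarddiskVolume3\Program Files\Google\Chrome\Application\chrome.exe,CORP\alice,1100000,812345678,CORP-WIFI
2024-03-04 11:00:00,\Device\HarddiskVolume3\Users\alice\AppData\Local\Temp\svchost.exe,CORP\alice,20480,15728640,CORP-WIFI
2024-03-04 12:00:00,\Device\HarddiskVolume3\Windows\System32\svchost.exe,SYSTEM,98765432,1234567,CORP-WIFI
'@
$rows = if ($Csv) { Import-Csv -Path $Csv } else { $sample | ConvertFrom-Csv }

# SRUM records NT device paths (\Device\HarddiskVolumeN\...) as well as drive-letter paths;
# match both. Users, ProgramData and Windows\Temp are writable without admin rights.
$userWritable = '^(?:[A-Za-z]:|\\Device\\HarddiskVolume\d+)\\(?:Users|ProgramData|Windows\\Temp)\\'

# Sum traffic per executable and user across all hourly rows.
$summary = $rows | Group-Object -Property ExeInfo, UserName | ForEach-Object {
    $sent = [long]($_.Group | Measure-Object -Property BytesSent -Sum).Sum
    $recv = [long]($_.Group | Measure-Object -Property BytesReceived -Sum).Sum
    $ratio = if ($recv -gt 0) { [math]::Round($sent / $recv, 2) } else { [double]::PositiveInfinity }
    $first = ($_.Group | Sort-Object { [datetime]$_.Timestamp } | Select-Object -First 1).Timestamp
    [pscustomobject]@{
        ExeInfo       = $_.Group[0].ExeInfo
        UserName      = $_.Group[0].UserName
        Hours         = $_.Count          # number of hourly flush records seen
        BytesSent     = $sent
        BytesReceived = $recv
        SentToRecv    = $ratio
        FirstSeen     = $first
    }
}

# Apply both checks and keep the reasons with each hit so the analyst can see why it fired.
$findings = foreach ($s in $summary) {
    $reasons = @()
    if ($s.BytesSent -ge $UploadThresholdBytes -and $s.SentToRecv -ge $MinSentToReceivedRatio) {
        $reasons += 'bulk upload: sent volume and sent/received ratio above thresholds'
    }
    if ($s.ExeInfo -match $userWritable) {
        $reasons += 'network activity from a user-writable path'
    }
    if ($reasons.Count -gt 0) {
        $s | Add-Member -NotePropertyName Reasons -NotePropertyValue ($reasons -join '; ') -PassThru
    }
}

$findings | Sort-Object -Property BytesSent -Descending |
    Format-Table ExeInfo, UserName, Hours, BytesSent, BytesReceived, SentToRecv, FirstSeen, Reasons -AutoSize -Wrap
```

With the sample data, chrome.exe for CORP\alice is reported as a bulk upload (about 1.5 GB sent against 43 MB received) and the svchost.exe copy under AppData\Local\Temp is reported for running from a user-writable path; the genuine `\Windows\System32\svchost.exe` row produces no finding. Tune the two thresholds to the environment: a backup agent or video-conferencing client legitimately sends far more than it receives, so an allow-list of known uploaders is the usual next step.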

Create a batch file collect_srum.bat:
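The batch file itself is not reproduced on this page. What follows is an added example, mine rather than the page's or the SrumECmd project's, written as PowerShell (`collect_srum.ps1`, a name chosen here) instead of batch because taking and releasing a Volume Shadow Copy is awkward in cmd. It implements steps 2 to 6 of the table above in one run: snapshot the volume, copy SRUDB.dat with its ESE log files and the SOFTWARE hive, replay the logs on the copy, parse with SrumECmd, and write a SHA-256 manifest and an execution log. Assumptions: it runs elevated on the live host, Windows lives on `C:`, and `SrumECmd.exe` is at the path given in `$SrumECmd` (adjust it); `robocopy` and `esentutl` are the built-in Windows binaries.

```powershell
# collect_srum.ps1: snapshot the live SRUM database, parse it with SrumECmd, and record
# hashes for chain of custody. Added example, not part of SrumECmd. Assumes an elevated
# session, Windows on C:, and SrumECmd.exe at $SrumECmd (both paths are placeholders).
param(
    [string]$SrumECmd = 'C:\Tools\SrumECmd\SrumECmd.exe',
    [string]$OutRoot  = 'C:\forensic\SRU'
)
$ErrorActionPreference = 'Stop'

# One case directory per host and run; UTC timestamp so runs from several time zones sort correctly.
$stamp = (Get-Date).ToUniversalTime().ToString('yyyyMMdd-HHmmss')
$case  = Join-Path $OutRoot "$env:COMPUTERNAME-$stamp"
$raw   = Join-Path $case 'raw'
$csv   = Join-Path $case 'csv'
New-Item -ItemType Directory -Path $raw, $csv -Force | Out-Null
$log = Join-Path $case 'collect.log'
"$(Get-Date -Format o) host=$env:COMPUTERNAME user=$env:USERNAME cmd=$($MyInvocation.Line)" |
    Tee-Object -FilePath $log -Append

# Step 2: the SRUM service holds SRUDB.dat open exclusively, so a plain copy fails even with
# backup semantics. Take a shadow copy and read the files from the snapshot device instead.
$res = Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create `
        -Arguments @{ Volume = 'C:\'; Context = 'ClientAccessible' }
if ($res.ReturnValue -ne 0) { throw "Win32_ShadowCopy.Create failed with code $($res.ReturnValue)" }
$shadow = Get-CimInstance -ClassName Win32_ShadowCopy -Filter "ID='$($res.ShadowID)'"
$dev = $shadow.DeviceObject   # e.g. \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7
try {
    # Copy SRUDB.dat with its ESE log/checkpoint files (sru*.log, sru.chk, sru.jrs) so the
    # database can be brought to a clean state, plus the SOFTWARE hive SrumECmd uses (-r)
    # to resolve network profile names. /B = backup mode; robocopy exit codes >= 8 mean failure.
    robocopy "$dev\Windows\System32\sru" (Join-Path $raw 'sru') /B /NP /R:1 /W:1 /NJH /NJS | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy of the sru directory failed ($LASTEXITCODE)" }
    robocopy "$dev\Windows\System32\config" (Join-Path $raw 'config') SOFTWARE /B /NP /R:1 /W:1 /NJH /NJS | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy of the SOFTWARE hive failed ($LASTEXITCODE)" }
} finally {
    $shadow | Remove-CimInstance   # never leave the snapshot behind on a suspect host
}

# A snapshot of a live ESE database is usually in a dirty-shutdown state. Replay the logs on
# the COPY only (the original is untouched); /i ignores mismatched or missing attachments.
Push-Location (Join-Path $raw 'sru')
try {
    & esentutl.exe /r sru /i
    if ($LASTEXITCODE -ne 0) { Write-Warning "esentutl /r returned $LASTEXITCODE; SrumECmd may refuse the database" }
} finally { Pop-Location }

# Step 3: parse the copy. No special privilege is needed for this part, so it can equally be
# run later on the forensic workstation against the raw\ directory.
# Step 6: SrumECmd prints its version in the console banner, so keep the console output.
& $SrumECmd -f (Join-Path $raw 'sru\SRUDB.dat') -r (Join-Path $raw 'config\SOFTWARE') --csv $csv |
    Tee-Object -FilePath (Join-Path $case 'srumecmd_console.log')

# Step 4: hash everything collected and produced and store the manifest beside the data.
Get-ChildItem -Path $raw, $csv -Recurse -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv -Path (Join-Path $case 'sha256_manifest.csv') -NoTypeInformation
"$(Get-Date -Format o) done; outputs in $case" | Tee-Object -FilePath $log -Append
```

For step 5, point `$OutRoot` at the network share the SIEM watches and register the script as a scheduled task running as an administrative account; the CSVs under `csv\` are what the file-watcher connector ingests, and `sha256_manifest.csv` plus `collect.log` give the audit trail for each run.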