Have you ever noticed the App history or Details tab in Task Manager? It shows your application history for roughly the last 30 to 60 days. Where is this information stored? In the SRUM (System Resource Usage Monitor) database. This database records which processes have run, including their full path and whether they ran with elevated privileges, their network activity (upload and download amounts stored separately), and their energy usage. Because SRUM is an ESE database, it can be parsed and searched for evidence of data exfiltration, command and control traffic, malware, and poorly behaving applications.
Starting with Windows 8, Microsoft added the System Resource Usage Monitor (SRUM) as part of the Windows Diagnostic Policy. Data about running processes is staged temporarily in the registry, then aggregated every hour and written to the SRUM database. As with other ESE databases, the SRUM database may be “dirty,” with uncommitted transactions still sitting in a log file. See https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/ese-deep-dive-part-1-the-anatomy-of-an-ese-database/ba-p/400496 for more details on ESE databases. The esentutl tool can be used to determine whether the SRUM database is dirty (https://www.sans.org/blog/ese-databases-are-dirty/) and can apply the uncommitted transactions to give you an up-to-date database.
The SRUM database is stored in c:\Windows\System32\SRU\. The following commands can be used to determine if the SRUM database is dirty and to commit transactions to the database:
esentutl /mh SRUDB.dat (look for State: Dirty Shutdown)
esentutl /r sru /i (recovery takes the three-letter log base name of the SRU*.log files, not the database file name; /i ignores missing database attachments)
Since the repair command will update the database file, make a copy of the original database file and repair the copy instead of the original.
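The copy-check-recover procedure above, written out as one PowerShell script. This is an added example, not code from the original post or from Microsoft. It assumes the live SRU directory named above, an evidence staging folder C:\Cases\SRUM (an assumed path), and an elevated prompt; the transaction logs and checkpoint file are copied along with SRUDB.dat because recovery cannot replay uncommitted transactions without them.

```powershell
# Added example (not from the original article): stage a copy of the SRUM database
# plus its logs, check whether the copy is dirty, and recover only the copy.
param(
    [string]$SruDir  = "$env:SystemRoot\System32\SRU",   # live SRUM directory (per the article)
    [string]$WorkDir = 'C:\Cases\SRUM'                    # assumed evidence staging directory
)

function Get-EseShutdownState {
    # Parse the "State:" line out of the esentutl header dump (Clean Shutdown / Dirty Shutdown).
    param([Parameter(Mandatory)][string]$DbPath)
    $line = & esentutl.exe /mh $DbPath |
            Select-String -Pattern '^\s*State:\s*(.+)$' |
            Select-Object -First 1
    if ($null -eq $line) { return 'Unknown' }
    return $line.Matches[0].Groups[1].Value.Trim()
}

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# Copy the database AND its transaction logs / checkpoint. The originals are never touched.
# The live SRUDB.dat is normally locked by the Diagnostic Policy Service; if the copy
# fails, work from a forensic image or a volume shadow copy instead.
try {
    Copy-Item -Path (Join-Path $SruDir 'SRUDB.dat') -Destination $WorkDir -ErrorAction Stop
    Copy-Item -Path (Join-Path $SruDir 'SRU*.log') -Destination $WorkDir -ErrorAction Stop
    Copy-Item -Path (Join-Path $SruDir 'SRU.chk')  -Destination $WorkDir -ErrorAction SilentlyContinue
} catch {
    Write-Error "Could not stage SRUM files: $($_.Exception.Message)"
    return
}

Set-Location $WorkDir

# Hash the staged copies before touching them so the recovered copy can be tied back to
# what was collected.
Get-FileHash -Algorithm SHA256 -Path (Join-Path $WorkDir '*') | Format-Table Hash, Path -AutoSize

$state = Get-EseShutdownState -DbPath 'SRUDB.dat'
Write-Host "Staged SRUDB.dat state: $state"

if ($state -eq 'Dirty Shutdown') {
    # Replay the logs into the copy. /r takes the 3-letter log base name (SRU*.log -> sru);
    # /i ignores missing database attachments. Logs, checkpoint and database are all in
    # the current directory, so no /l /s /d paths are needed.
    & esentutl.exe /r sru /i
    Write-Host "Recovery exit code: $LASTEXITCODE"

    # A successful recovery leaves the copy in Clean Shutdown, ready for a parser.
    $state = Get-EseShutdownState -DbPath 'SRUDB.dat'
    Write-Host "State after recovery: $state"
}
```

Run it from an elevated PowerShell prompt; the hashes printed before recovery and the header state printed afterwards are what you would record in case notes.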
Before the data is aggregated and stored in the SRUM database, it is stored in the registry:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SRUM\Extensions
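A quick way to see which SRUM providers are active on a host is to enumerate the subkeys of that Extensions key. Each subkey name is a provider GUID, and those same GUIDs are the table names you will find inside SRUDB.dat when you open the recovered copy in an ESE viewer. This is an added example, not code from the original post; it reads whatever values are present under each subkey rather than assuming a fixed set of value names, since those vary across Windows builds.

```powershell
# Added example (not from the original article): inventory the SRUM extension
# providers registered on this host. Subkey names are provider GUIDs, which match
# the per-provider table names inside SRUDB.dat.
$extensionsKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SRUM\Extensions'

function Get-SrumExtensions {
    param([string]$Key = $extensionsKey)
    Get-ChildItem -Path $Key | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            ProviderGuid = $_.PSChildName
            # Value names differ by provider and build, so list whatever is present
            # (skipping PowerShell's own PS* metadata properties).
            Values       = ($props.PSObject.Properties |
                            Where-Object { $_.Name -notmatch '^PS' } |
                            ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
        }
    }
}

Get-SrumExtensions | Format-Table -AutoSize -Wrap
```

Comparing this list against the tables present in a recovered SRUDB.dat tells you whether a provider's data is missing from the database or simply was never collected on that host.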
Some of the more interesting details that can be found in the SRUM database include:
- Amount of data downloaded and uploaded
- Networks connected to and bandwidth usage
- Exact command line used to start process and whether the process was run with elevated privileges
- CPU time
- I/O reads and writes
- Power usage
Tools that can read and/or parse the SRUM database include ESE Database View (NirSoft), Srum-dump (Mark Baggett), and SrumMonkey (David Cowen). ESE Database View provides browsing of the raw databases; Srum-dump and SrumMonkey provide export and analysis.