srum-application-resource-usages
Retrieves CPU, disk I/O, and other resource usage history for applications from a Windows SRUM (System Resource Usage Monitor) database file.
Command properties
| Item | Description |
|---|---|
| Command type | Driver query |
| Required permission | Local file read permission |
| License usage | Counted |
| Parallel execution | Not supported |
| Distributed execution | Not supported |
Syntax
```
srum-application-resource-usages [zipcharset=STR] [zippath=STR] FILE_PATH
```
Options
- `zipcharset=STR` - Character encoding for ZIP entry names (default: utf-8)
- `zippath=STR` - ZIP file path. If specified, the SRUDB.dat file inside the ZIP file is queried.
Target
- `FILE_PATH` - Path to the SRUDB.dat file. Wildcards (`*`) can be used to specify multiple files. If `zippath` is specified, enter the path inside the ZIP file. On Windows, this file is located at `C:\Windows\System32\sru\SRUDB.dat`. On a running system the file is held open by the Diagnostic Policy Service, so for forensic work acquire a copy (for example from a volume shadow copy or a disk image) rather than querying the live file.
Output fields
| Field | Type | Description |
|---|---|---|
| _time | timestamp | Record timestamp |
| _file | string | Source file name |
| app_id | integer | App ID (SruDbIdMapTable index) |
| app_name | string | App name. Example: \Device\HarddiskVolume3\Windows\explorer.exe |
| sid | string | SID of the account that ran the program. Example: S-1-5-18 |
| user_id | integer | Account ID (SruDbIdMapTable index) |
| auto_inc_id | integer | Auto-increment ID |
| foreground_cycle_time | long | Foreground CPU cycle time |
| background_cycle_time | long | Background CPU cycle time |
| foreground_context_switches | integer | Foreground context switch count |
| background_context_switches | integer | Background context switch count |
| foreground_bytes_read | long | Bytes read in foreground |
| foreground_bytes_written | long | Bytes written in foreground |
| background_bytes_read | long | Bytes read in background |
| background_bytes_written | long | Bytes written in background |
| foreground_num_read_operations | integer | Foreground read operation count |
| foreground_num_write_operations | integer | Foreground write operation count |
| background_num_read_operations | integer | Background read operation count |
| background_num_write_operations | integer | Background write operation count |
| foreground_number_of_flushes | integer | Foreground flush count |
| background_number_of_flushes | integer | Background flush count |
| face_time | long | Foreground execution time (in 100-nanosecond units) |
Error codes
Parse errors
N/A
Runtime errors
N/A
Description
The srum-application-resource-usages command retrieves per-application resource usage history from the {D10CA2FE-6FCF-4F6D-848E-B2E99266FA89} table of the Windows SRUM database, the table named after the Application Resource Usage provider GUID. SRUM tracks CPU, network, and disk I/O usage by applications on Windows 8 and later. Counters are accumulated in memory and written to SRUDB.dat periodically (roughly once an hour) rather than in real time, so the most recent activity may not yet be present in an acquired copy of the file.
The command first reads the SruDbIdMapTable to map app IDs and user IDs to their actual names and SIDs; records whose ID has no entry in that table have a null app_name or sid. CamelCase column names in the ESE database are automatically converted to snake_case (for example, ForegroundCycleTime becomes foreground_cycle_time).
You can use this command to analyze CPU usage, disk I/O patterns, and foreground/background execution ratios for specific applications.
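The following Python script is an added illustration of the resolution steps described above; it is not the command's implementation and does not read an ESE file. It runs on constructed in-memory rows and assumes the documented SruDbIdMapTable layout (columns IdType, IdIndex, IdBlob, where IdType 3 holds a binary SID and the other IdTypes hold UTF-16LE strings), which this page does not state. It decodes the ID map, renames CamelCase columns to snake_case, joins app and user IDs to app_name and sid, converts face_time from 100-nanosecond units to seconds (an extra field added here for readability), and aggregates foreground/background I/O per application the way the stats/sort pipeline in the examples does.

```python
"""Added example (not the command's own code): how SRUM rows become the fields
this command outputs, on constructed rows.  Assumed SruDbIdMapTable layout:
(IdType, IdIndex, IdBlob); IdType 3 = binary SID, other types = UTF-16LE text."""
import re
import struct
from collections import defaultdict

# Constructed SruDbIdMapTable rows: (IdType, IdIndex, IdBlob).
ID_MAP_ROWS = [
    (0, 7, "\\Device\\HarddiskVolume3\\Windows\\explorer.exe".encode("utf-16-le")),
    (0, 9, "\\Device\\HarddiskVolume3\\Windows\\System32\\svchost.exe".encode("utf-16-le")),
    (3, 12, bytes.fromhex("0101000000000005" "12000000")),  # S-1-5-18 (LocalSystem)
    (3, 13, bytes.fromhex("0105000000000005" "15000000" "0a000000"
                          "14000000" "1e000000" "e9030000")),  # S-1-5-21-10-20-30-1001
]


def sid_to_string(blob: bytes) -> str:
    """Decode a raw SID: revision, sub-authority count, 48-bit big-endian
    identifier authority, then little-endian 32-bit sub-authorities."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if len(blob) < 8 + 4 * count:
        raise ValueError("SID blob truncated: %d sub-authorities declared" % count)
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def camel_to_snake(name: str) -> str:
    """ESE column name -> output field, e.g. ForegroundNumReadOperations ->
    foreground_num_read_operations."""
    name = re.sub(r"([A-Z]+)([A-Z][a-z])", r"\1_\2", name)
    name = re.sub(r"([a-z0-9])([A-Z])", r"\1_\2", name)
    return name.lower()


def build_id_map(rows):
    """IdIndex -> decoded application path or SID string."""
    resolved = {}
    for id_type, id_index, blob in rows:
        if id_type == 3:
            resolved[id_index] = sid_to_string(blob)
        else:
            resolved[id_index] = blob.decode("utf-16-le").rstrip("\x00")
    return resolved


def usage_row(auto_inc, ts, app_id, user_id, fg_r, fg_w, bg_r, bg_w, face_time):
    """Constructed row of the {D10CA2FE-...} table with CamelCase keys as in ESE."""
    return {"AutoIncId": auto_inc, "TimeStamp": ts, "AppId": app_id, "UserId": user_id,
            "ForegroundBytesRead": fg_r, "ForegroundBytesWritten": fg_w,
            "BackgroundBytesRead": bg_r, "BackgroundBytesWritten": bg_w,
            "FaceTime": face_time}


USAGE_ROWS = [
    usage_row(1, "2024-03-01T10:00:00Z", 7, 13, 4096, 1024, 512, 0, 36_000_000_000),
    usage_row(2, "2024-03-01T11:00:00Z", 7, 13, 8192, 0, 0, 256, 6_000_000_000),
    usage_row(3, "2024-03-01T11:00:00Z", 9, 12, 100, 50, 70_000, 3_000, 0),
    usage_row(4, "2024-03-01T11:00:00Z", 99, 12, 999_999, 0, 0, 0, 0),  # AppId 99: no map entry
]


def resolve_rows(usage_rows, id_map):
    """Rename columns to snake_case and join IDs against the ID map.  Unmapped IDs
    give None, which is why the examples filter with isnotnull(app_name)."""
    out = []
    for row in usage_rows:
        rec = {camel_to_snake(k): v for k, v in row.items()}
        rec["_time"] = rec.pop("time_stamp")
        rec["app_name"] = id_map.get(rec["app_id"])
        rec["sid"] = id_map.get(rec["user_id"])
        # face_time is in 100-ns units; the seconds field is an addition for readability
        rec["face_time_seconds"] = rec["face_time"] / 10_000_000
        out.append(rec)
    return out


def io_by_app(records):
    """Per-app foreground/background byte totals, sorted by fg_read descending."""
    totals = defaultdict(lambda: dict(fg_read=0, fg_written=0, bg_read=0, bg_written=0))
    for r in records:
        if r["app_name"] is None:
            continue
        t = totals[r["app_name"]]
        t["fg_read"] += r["foreground_bytes_read"]
        t["fg_written"] += r["foreground_bytes_written"]
        t["bg_read"] += r["background_bytes_read"]
        t["bg_written"] += r["background_bytes_written"]
    return sorted(totals.items(), key=lambda kv: kv[1]["fg_read"], reverse=True)


if __name__ == "__main__":
    recs = resolve_rows(USAGE_ROWS, build_id_map(ID_MAP_ROWS))
    for r in recs:
        print(r["_time"], r["app_name"], r["sid"], "%.0fs foreground" % r["face_time_seconds"])
    for app, t in io_by_app(recs):
        print(app, t)
```

The unmapped AppId 99 row carries the largest foreground read count but drops out of the per-app totals, which is the effect of the `search isnotnull(app_name)` step in the disk I/O example: rows whose SruDbIdMapTable entry is missing would otherwise be grouped under a null key.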
Examples
- Retrieve application resource usage from SRUDB.dat
  ```
  srum-application-resource-usages C:\Windows\System32\sru\SRUDB.dat
  ```
  Retrieves all application resource usage records from the SRUM database.
- Query SRUDB.dat inside a ZIP file
  ```
  srum-application-resource-usages zippath=D:\evidence\sru.zip SRUDB.dat
  ```
  Retrieves application resource usage history from the SRUDB.dat file contained in the ZIP file.
- Analyze disk I/O usage by application
  ```
  srum-application-resource-usages C:\Windows\System32\sru\SRUDB.dat | search isnotnull(app_name) | stats sum(foreground_bytes_read) as fg_read, sum(foreground_bytes_written) as fg_written, sum(background_bytes_read) as bg_read, sum(background_bytes_written) as bg_written by app_name | sort -fg_read
  ```
  Aggregates foreground and background disk I/O usage by application and sorts by foreground bytes read in descending order.