srum-energy-usages
Retrieves energy usage history including battery charge level and cycle count from a Windows SRUM (System Resource Usage Monitor) database file.
Command properties
| Item | Description |
|---|---|
| Command type | Driver query |
| Required permission | Local file read permission |
| License usage | Counted |
| Parallel execution | Not supported |
| Distributed execution | Not supported |
Syntax
Options
- zipcharset=STR: Character encoding for ZIP entry names (Default: utf-8)
- zippath=STR: ZIP file path. If specified, the SRUDB.dat file inside the ZIP file is queried.
Target
- FILE_PATH: Path to the SRUDB.dat file. Wildcards (*) can be used to specify multiple files. If zippath is specified, enter the path inside the ZIP file. On Windows, this file is located at C:\Windows\System32\sru\SRUDB.dat.
Output fields
| Field | Type | Description |
|---|---|---|
| _time | timestamp | Record timestamp |
| _file | string | Source file name |
| app_id | integer | App ID (SruDbIdMapTable index) |
| app_name | string | App name |
| sid | string | SID of the account that ran the program |
| user_id | integer | Account ID (SruDbIdMapTable index) |
| auto_inc_id | integer | Auto-increment ID |
| charge_level | integer | Battery charge level (%) |
| cycle_count | integer | Battery charge cycle count |
| designed_capacity | integer | Battery designed capacity (mWh) |
| full_charged_capacity | integer | Battery full charge capacity (mWh). Less than or equal to the designed capacity. |
| configuration_hash | long | System configuration hash value |
| event_timestamp | long | Event timestamp (Windows FILETIME value) |
| state_transition | integer | Power state transition value |
Error codes
Parse errors
N/A
Runtime errors
N/A
Description
The srum-energy-usages command retrieves energy usage history from the {FEE4E14F-02A9-4550-B5CE-5FA2DA202E37} table of the Windows SRUM database. This table records battery status information including charge level, cycle count, and current full charge capacity compared to the designed capacity.
The command first reads the SruDbIdMapTable to map app IDs and user IDs to their actual names and SIDs. CamelCase column names in the ESE database are automatically converted to snake_case.
The event_timestamp field is a 64-bit integer in Windows FILETIME format. FILETIME represents the number of 100-nanosecond intervals since January 1, 1601.
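The following Python sketch is an added example, not part of the product or its documentation. It post-processes rows exported from this command, converting event_timestamp from FILETIME to UTC and deriving battery health and charge trend for a timeline. The row dictionaries and the helper names filetime_to_utc and battery_timeline are assumptions, and the sample values are constructed.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ft):
    """Convert a FILETIME (100-ns intervals since 1601-01-01) to a UTC datetime.
    Returns None for missing, non-positive, or out-of-range values."""
    if not isinstance(ft, int) or ft <= 0:
        return None
    try:
        return FILETIME_EPOCH + timedelta(microseconds=ft // 10)
    except OverflowError:  # result would fall after year 9999
        return None

def battery_timeline(rows):
    """Order rows by event_timestamp and annotate each with UTC time,
    battery health (full charge vs. designed capacity) and charge trend."""
    usable = [r for r in rows if filetime_to_utc(r.get("event_timestamp"))]
    out, prev = [], None
    for r in sorted(usable, key=lambda r: r["event_timestamp"]):
        designed = r.get("designed_capacity") or 0
        health = round(100 * r["full_charged_capacity"] / designed, 1) if designed else None
        level = r["charge_level"]
        if prev is None:
            trend = None  # first record has nothing to compare against
        elif level > prev:
            trend = "charging"
        elif level < prev:
            trend = "discharging"
        else:
            trend = "steady"
        out.append({"utc": filetime_to_utc(r["event_timestamp"]).isoformat(),
                    "charge_level": level, "health_pct": health, "trend": trend})
        prev = level
    return out

# Constructed sample rows using this command's output field names.
SAMPLE_ROWS = [
    {"event_timestamp": 133485480000000000, "charge_level": 90,
     "designed_capacity": 50000, "full_charged_capacity": 45000},
    {"event_timestamp": 133485408000000000, "charge_level": 80,
     "designed_capacity": 50000, "full_charged_capacity": 45000},
    {"event_timestamp": 0, "charge_level": 10,  # invalid timestamp, skipped
     "designed_capacity": 50000, "full_charged_capacity": 45000},
    {"event_timestamp": 133485444000000000, "charge_level": 65,
     "designed_capacity": 50000, "full_charged_capacity": 45000},
]

if __name__ == "__main__":
    for entry in battery_timeline(SAMPLE_ROWS):
        print(entry)
```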
Examples
- Retrieve energy usage from SRUDB.dat

      srum-energy-usages C:\Windows\System32\sru\SRUDB.dat

  Retrieves all energy usage records from the SRUM database.

- Query SRUDB.dat inside a ZIP file

      srum-energy-usages zippath=D:\evidence\sru.zip SRUDB.dat

  Retrieves energy usage history from the SRUDB.dat file contained in the ZIP file.

- Retrieve battery charge level trends over time

      srum-energy-usages C:\Windows\System32\sru\SRUDB.dat | fields _time, charge_level, full_charged_capacity, designed_capacity | sort _time

  Retrieves battery charge level changes in chronological order.