srum-network-usages
Retrieves per-application network usage including bytes sent and received from a Windows SRUM (System Resource Usage Monitor) database file.
Command properties
| Item | Description |
|---|---|
| Command type | Driver query |
| Required permission | Local file read permission |
| License usage | Counted |
| Parallel execution | Not supported |
| Distributed execution | Not supported |
Syntax
Options
- zipcharset=STR: Character encoding for ZIP entry names (Default: utf-8)
- zippath=STR: ZIP file path. If specified, the SRUDB.dat file inside the ZIP file is queried.
Target
- FILE_PATH: Path to the SRUDB.dat file. Wildcards (*) can be used to specify multiple files. If zippath is specified, enter the path inside the ZIP file. On Windows, this file is located at C:\Windows\System32\sru\SRUDB.dat.
Output fields
| Field | Type | Description |
|---|---|---|
| _time | timestamp | Record timestamp |
| _file | string | Source file name |
| app_id | integer | App ID (SruDbIdMapTable index) |
| app_name | string | App name. Example: \Device\HarddiskVolume3\Windows\System32\taskhostw.exe |
| sid | string | SID of the account that ran the program |
| user_id | integer | Account ID (SruDbIdMapTable index) |
| auto_inc_id | integer | Auto-increment ID |
| bytes_recvd | long | Bytes received |
| bytes_sent | long | Bytes sent |
| interface_luid | long | Network adapter LUID (Locally Unique Identifier) |
| l2_profile_flags | integer | L2 (data link layer) profile flags |
| l2_profile_id | integer | L2 (data link layer) profile ID |
Error codes
Parse errors
N/A
Runtime errors
N/A
Description
The srum-network-usages command retrieves per-application network usage from the {973F5D5C-1D90-4944-BE8E-24B94231A174} table of the Windows SRUM database. This table records bytes sent and received, and the network adapter used for each application.
The command first reads the SruDbIdMapTable to map app IDs and user IDs to their actual names and SIDs. CamelCase column names in the ESE database are automatically converted to snake_case.
You can use this command to analyze network traffic volume for specific applications and network usage patterns over time.
Examples
- Retrieve network usage from SRUDB.dat

  srum-network-usages C:\Windows\System32\sru\SRUDB.dat

  Retrieves all network usage records from the SRUM database.

- Query SRUDB.dat inside a ZIP file

  srum-network-usages zippath=D:\evidence\sru.zip SRUDB.dat

  Retrieves network usage from the SRUDB.dat file contained in the ZIP file.

- Aggregate total bytes sent and received by application

  srum-network-usages C:\Windows\System32\sru\SRUDB.dat | search isnotnull(app_name) | stats sum(bytes_sent) as total_sent, sum(bytes_recvd) as total_recvd by app_name | sort -(total_sent + total_recvd)

  Aggregates total bytes sent and received by application and sorts by total traffic in descending order.
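As an added illustration of what the Description section and the last example describe (the SruDbIdMapTable lookup, the CamelCase to snake_case column renaming, and the per-application traffic totals), the following Python is example code written for this page, not the command's own implementation; the ESE column names, the ID map contents and the sample rows are assumed and constructed, not read from a real SRUDB.dat.

```python
import re
from collections import defaultdict

# Constructed stand-in for SruDbIdMapTable: IdIndex -> decoded IdBlob.
# App IDs resolve to executable paths, user IDs resolve to SIDs (assumed layout).
ID_MAP = {
    1: r"\Device\HarddiskVolume3\Windows\System32\taskhostw.exe",
    2: "S-1-5-21-1111111111-2222222222-3333333333-1001",
    3: r"\Device\HarddiskVolume3\Users\alice\Downloads\updater.exe",
}

# Constructed rows using assumed CamelCase ESE column names of the network usage table.
# The last row references an AppId with no IdMap entry, so app_name stays null.
SAMPLE_ROWS = [
    {"AutoIncId": 1, "TimeStamp": "2024-01-15T08:00:00", "AppId": 1, "UserId": 2,
     "InterfaceLuid": 1689399632855040, "L2ProfileId": 0, "L2ProfileFlags": 0,
     "BytesSent": 1200, "BytesRecvd": 34000},
    {"AutoIncId": 2, "TimeStamp": "2024-01-15T09:00:00", "AppId": 3, "UserId": 2,
     "InterfaceLuid": 1689399632855040, "L2ProfileId": 0, "L2ProfileFlags": 0,
     "BytesSent": 500000, "BytesRecvd": 2500},
    {"AutoIncId": 3, "TimeStamp": "2024-01-15T10:00:00", "AppId": 1, "UserId": 2,
     "InterfaceLuid": 1689399632855040, "L2ProfileId": 0, "L2ProfileFlags": 0,
     "BytesSent": 800, "BytesRecvd": 16000},
    {"AutoIncId": 4, "TimeStamp": "2024-01-15T11:00:00", "AppId": 99, "UserId": 2,
     "InterfaceLuid": 1689399632855040, "L2ProfileId": 0, "L2ProfileFlags": 0,
     "BytesSent": 10, "BytesRecvd": 10},
]

_WORD_BOUNDARY = re.compile(r"(.)([A-Z][a-z]+)")      # "L2Profile" -> "L2_Profile"
_LOWER_UPPER = re.compile(r"([a-z0-9])([A-Z])")       # "ProfileId" -> "Profile_Id"

def to_snake_case(name):
    """Convert an ESE CamelCase column name to snake_case (digit/letter boundaries kept)."""
    return _LOWER_UPPER.sub(r"\1_\2", _WORD_BOUNDARY.sub(r"\1_\2", name)).lower()

def resolve_records(rows, id_map):
    """Rename columns and join app_id / user_id against the ID map, as the command does."""
    records = []
    for row in rows:
        rec = {to_snake_case(k): v for k, v in row.items()}
        rec["_time"] = rec.pop("time_stamp")
        rec["app_name"] = id_map.get(rec["app_id"])   # None when the index is unmapped
        rec["sid"] = id_map.get(rec["user_id"])
        records.append(rec)
    return records

def totals_by_app(records):
    """Mirror of 'search isnotnull(app_name) | stats sum(...) by app_name | sort -total'."""
    totals = defaultdict(lambda: [0, 0])
    for r in records:
        if r["app_name"] is None:
            continue
        totals[r["app_name"]][0] += r["bytes_sent"]
        totals[r["app_name"]][1] += r["bytes_recvd"]
    return sorted(((app, s, v) for app, (s, v) in totals.items()),
                  key=lambda t: -(t[1] + t[2]))
```

In the constructed data the updater binary tops the list because its bytes_sent dwarfs everything else, which is the kind of outbound/inbound asymmetry this aggregation is meant to surface.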