SrumECmd

SRUM is not cleared by typical anti-forensic tools (e.g., CCleaner), nor by clearing event logs or prefetch files. SrumECmd thus provides a cross-check against evidence that has been tampered with.

| Feature | Description |
|---------|-------------|
| Location | `%SystemRoot%\System32\sru\SRUDB.dat` (protected, requires elevated rights) |
| Structure | SQLite-based (v2) with multiple tables: `NetworkUsage`, `AppUsage`, `UserApplication`, `UserProcess`, `UserEnergy`, etc. |
| Data collected | Network: bytes sent/received per app, per interface, per time slot (10 s granularity). CPU & memory: per-process CPU time, private working set. Disk I/O: read/write bytes and I/O counts. Power: energy consumption estimates, battery-related events. |
| Retention | By default, Windows retains up to 30 days of data, with a rolling purge. Administrators can modify the retention policy via Group Policy (Computer Configuration → Administrative Templates → System → Power Management → Energy Estimation). |
| Access | Only the SYSTEM account has write access; Administrators can read with appropriate privileges (`SeBackupPrivilege` or by taking ownership). |

To get the best results, you need two files from the target machine:

- SRUM database: C:\Windows\System32\sru\SRUDB.dat
- SOFTWARE hive: C:\Windows\System32\config\SOFTWARE

2. Basic Command Line Syntax
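The cross-check the introduction describes (SRUM survives a Prefetch wipe, so programs with SRUM network activity but no Prefetch entry stand out) can be scripted over SrumECmd's CSV output once the two files above have been collected and parsed. The following is an added example written for this page; it is not part of SrumECmd or its documentation. It assumes a network-usage CSV export whose columns are `Timestamp`, `ExeInfo`, `BytesSent` and `BytesReceived` (an assumption for this example; check the header of your own export and adjust), and uses a constructed four-row sample plus a constructed Prefetch name list so it runs offline.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample shaped like a SrumECmd network-usage CSV export.
# The column names are an assumption for this example, not taken from the tool.
SAMPLE_NETWORK_CSV = """Timestamp,ExeInfo,BytesSent,BytesReceived
2024-05-01 10:00:00,\\device\\harddiskvolume3\\windows\\system32\\svchost.exe,1200,48000
2024-05-01 10:10:00,\\device\\harddiskvolume3\\users\\alice\\downloads\\tmpclient.exe,900000,12000
2024-05-01 10:20:00,\\device\\harddiskvolume3\\program files\\app\\app.exe,3000,9000
2024-05-02 11:00:00,\\device\\harddiskvolume3\\users\\alice\\downloads\\tmpclient.exe,2500000,7000
"""

# Constructed sample: executable names recovered from the Prefetch folder of the same host.
SAMPLE_PREFETCH_NAMES = {"SVCHOST.EXE", "APP.EXE"}


def exe_basename(device_path: str) -> str:
    """Reduce a \\device\\harddiskvolumeN\\... path to its lower-cased file name."""
    return device_path.rsplit("\\", 1)[-1].lower()


def parse_network_usage(csv_text: str) -> list:
    """Parse the CSV into rows with a typed timestamp, exe name and byte counts."""
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "ts": datetime.strptime(rec["Timestamp"], "%Y-%m-%d %H:%M:%S"),
            "exe": exe_basename(rec["ExeInfo"]),
            "sent": int(rec["BytesSent"]),
            "received": int(rec["BytesReceived"]),
        })
    return rows


def bytes_per_exe(rows) -> dict:
    """Total bytes (sent, received) per executable across all time slots."""
    totals = defaultdict(lambda: [0, 0])
    for r in rows:
        totals[r["exe"]][0] += r["sent"]
        totals[r["exe"]][1] += r["received"]
    return {exe: tuple(v) for exe, v in totals.items()}


def missing_from_prefetch(rows, prefetch_names) -> set:
    """Executables with SRUM network activity but no Prefetch entry.

    Prefetch can be wiped; SRUM is not touched by the usual cleanup tools,
    so a program seen here but absent from Prefetch deserves a closer look.
    """
    known = {n.lower() for n in prefetch_names}
    return {r["exe"] for r in rows if r["exe"] not in known}


def coverage_window(rows) -> tuple:
    """Earliest and latest record, to compare against the expected retention span."""
    stamps = [r["ts"] for r in rows]
    return min(stamps), max(stamps)


if __name__ == "__main__":
    rows = parse_network_usage(SAMPLE_NETWORK_CSV)
    for exe, (sent, received) in sorted(bytes_per_exe(rows).items()):
        print(f"{exe:20} sent={sent:>10} received={received:>10}")
    print("in SRUM but not in Prefetch:",
          sorted(missing_from_prefetch(rows, SAMPLE_PREFETCH_NAMES)))
    first, last = coverage_window(rows)
    print(f"records span {first} .. {last} ({(last - first).days} day(s))")
```

On the sample data, `tmpclient.exe` is the only program with SRUM traffic and no Prefetch entry, and its sent volume dwarfs everything else; `coverage_window` gives the span of surviving records, which you can hold against the 30-day default retention to see whether the database covers the period of interest.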