SRUM Dump: extracts information from the System Resource Utilization Management Database
SRUM Dump extracts information from the System Resource Utilization Management Database and creates an Excel spreadsheet.
The SRUM is one of the best sources of evidence for which applications have run on a system in the last 30 days, under which user account, and how much network and resource usage they generated. It is invaluable to incident investigations.
To use the tool you will need a copy of the SRUM database (located at C:\Windows\System32\sru\SRUDB.dat, but locked by the running OS).
This tool also requires an SRUM template (srum_template2.xlsx) that defines table and field names. You can optionally provide the SOFTWARE registry hive, and the tool will then tell you which wireless networks were in use by applications.
If you are looking for a version of this tool that creates CSV files instead of an Excel spreadsheet, dumps targeted tables, or processes any ESE database, check out ese2csv. ese2csv.exe is designed specifically for CSV output with the CLI user in mind.
You may provide all of the options from the command line. If the name of an SRUM file is not passed, the GUI will launch. Some features, such as live acquisition, are only available in the GUI and only when running as an administrator.
In addition to the GUI, srum-dump2 has the following enhancements over the original version:
- Dumps all tables, including those that are not defined in the template XLSX.
- Live system acquisition when running as an administrator.
- Improved speed.
The live acquisition warning dialog box will appear if you select the file C:\Windows\System32\sru\SRUDB.dat. This file is locked by the OS and cannot be read directly. From this dialog you can easily download a copy of FGET to acquire an unlocked copy of the file. If, and only if, you are running as an administrator, a button labelled “AUTO EXTRACT” will also appear.
If you click this button, the tool downloads FGET from my GitHub and acquires a copy of both SRUDB.dat and the associated SOFTWARE registry hive. It then sets the paths in the GUI so that they point to the acquired copies in a temporary directory.
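If you would rather not download FGET onto the target, the same locked files can be copied out of a Volume Shadow Copy with built-in Windows tooling. The script below is an added example, not part of srum-dump or FGET: it snapshots the system volume, exposes the snapshot through a directory symlink, copies SRUDB.dat and the SOFTWARE hive, records SHA-256 hashes, and then removes the link and the snapshot. The destination folder and link name are assumptions; run it from an elevated PowerShell prompt and point the GUI at the copies it produces.

```powershell
# Added example (not srum-dump's own code): acquire unlocked copies of SRUDB.dat and the
# SOFTWARE hive from a Volume Shadow Copy. Must run elevated.
# $Dest and the link path are assumptions; change them to suit your case folder.
#Requires -RunAsAdministrator
param(
    [string]$Dest = "C:\Cases\SRUM_$(Get-Date -Format yyyyMMdd_HHmmss)"
)

$ErrorActionPreference = 'Stop'
$Sources = @(
    'Windows\System32\sru\SRUDB.dat',      # the SRUM database itself
    'Windows\System32\config\SOFTWARE'     # hive used to resolve SIDs / wireless profiles
)
$Link = Join-Path $env:SystemDrive 'srum_snapshot'
New-Item -ItemType Directory -Path $Dest -Force | Out-Null

# 1. Create a snapshot of the system volume; files locked on the live volume are readable inside it.
$result = Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create `
            -Arguments @{ Volume = "$env:SystemDrive\"; Context = 'ClientAccessible' }
if ($result.ReturnValue -ne 0) {
    throw "Shadow copy creation failed (return code $($result.ReturnValue))"
}
$shadow = Get-CimInstance Win32_ShadowCopy | Where-Object { $_.ID -eq $result.ShadowID }

try {
    # 2. Expose the snapshot device as a directory symlink. The trailing backslash on the
    #    device object is required or mklink will refuse the target.
    cmd /c mklink /d "$Link" "$($shadow.DeviceObject)\" | Out-Null

    # 3. Copy each artifact out of the snapshot and hash the copy for the case notes.
    $hashFile = Join-Path $Dest 'hashes.sha256'
    foreach ($rel in $Sources) {
        $src = Join-Path $Link $rel
        $dst = Join-Path $Dest (Split-Path $rel -Leaf)
        Copy-Item -LiteralPath $src -Destination $dst
        $h = Get-FileHash -LiteralPath $dst -Algorithm SHA256
        "$($h.Hash)  $($h.Path)" | Tee-Object -FilePath $hashFile -Append
    }
}
finally {
    # 4. Always clean up: remove only the link (not its contents) and delete the snapshot.
    if (Test-Path -LiteralPath $Link) { cmd /c rmdir "$Link" | Out-Null }
    vssadmin delete shadows /shadow="$($shadow.ID)" /quiet | Out-Null
}
```

The copy taken this way reflects whatever was flushed to disk at the moment of the snapshot, so the most recent hour of activity may still be in memory or in the SRU transaction logs (SRU*.log and SRU.chk in the same directory); copy those alongside the database if you need the latest records. On Windows 10 and later, `esentutl.exe /y <file> /vss /d <destination>` performs the same snapshot-backed copy of a single file without scripting.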
Removed features: I have removed the capability of defining calculated fields in the template.
The srum_template2.xlsx file is a way of defining friendly names and formats for fields found in ESE databases. To understand its power, dump your SRUM with BLANK_TEMPLATE.XLSX and compare the results. The format row in the template tells srum-dump how to process each field and resolve its values. Some formats, such as “lookup_SID” and “lookup_LUID”, are hardcoded functions in srum-dump. You can supplement the built-in known SIDs with those from your investigation by adding them to the lookup-Known Sids sheet. ESE fields can also be resolved dynamically when the format row contains “lookup-<xls-sheet-name>”: add an XLS tab containing a lookup table, and srum-dump will use it to resolve values in any ESE table whose format row names that sheet (see lookup-ExampleNameNums).
Copyright (C) 2019 Mark Baggett