
srum_core/
app_timeline.rs

1//! Application Timeline record — in-focus duration and user input time per app.
2//!
3//! Source table: `{7ACBBAA3-D029-4BE4-9A7A-0885927F1D8F}` in SRUDB.dat.
4//!
5//! Available since Windows 10 Anniversary Update (1607).
6
7use chrono::{DateTime, Utc};
8use serde::{Deserialize, Serialize};
9
/// A single row of the SRUM Application Timeline table: how long one
/// application was actively engaged with during a roughly one-hour interval.
///
/// # Forensic value
///
/// Separates passive background execution from hands-on use. A process can
/// accumulate CPU in AppUsage while `focus_time_ms` stays at zero here; a
/// shell spawned by malware shows CPU cycles in AppUsage but no focus or
/// input time in this table.
///
/// Zero focus time is an indicator, not a verdict: services, scheduled tasks
/// and other legitimate background work produce the same pattern, so
/// corroborate with other artifacts before attributing activity to a user or
/// to an intruder.
///
/// # Handling
///
/// Every field originates from an evidence file and is only as trustworthy as
/// that file. A duration far above the ~1-hour interval length is better
/// flagged as a parse error or a damaged database than reported as-is.
#[derive(Clone, Debug, Deserialize, Serialize)]
pub struct AppTimelineRecord {
    /// Numeric application identifier; resolve it through
    /// [`crate::IdMapEntry`] to obtain the application it refers to.
    pub app_id: i32,

    /// Numeric user-account identifier; resolve it through
    /// [`crate::IdMapEntry`] as well.
    pub user_id: i32,

    /// Start of the measurement interval, in UTC.
    // NOTE(review): SRUM rows are commonly described as carrying the time the
    // row was written to the database; confirm which value the parser stores
    // here before ordering events on it.
    pub timestamp: DateTime<Utc>,

    /// Time, in milliseconds, that the application's window held foreground
    /// focus during the interval.
    pub focus_time_ms: u64,

    /// Time, in milliseconds, that the user was actively providing input to
    /// the application during the interval.
    pub user_input_time_ms: u64,
}