diff --git a/Win_Search_gatherdB.sql b/Win_Search_gatherdB.sql
index b69b69d..f01c00e 100644
--- a/Win_Search_gatherdB.sql
+++ b/Win_Search_gatherdB.sql
@@ -1,27 +1,23 @@
--- This query is to show the content of the SystemIndex_1_PropertyStore table
+-- This query is to show the content of the Gather tables
 -- of the new Win 11 search databases (Windows-gather.db)
+-- Table SystemIndex_GthrPth holds the main paths & Scope/Parent IDs linked to
+-- the table SystemIndex_Gthr ScopeIDs.
+-- The SystemIndex_Gthr table's DocumentIDs link the entries to the Information on
+-- the entry stored in the 'SystemIndex_1_PropertyStore' table on
+-- the separate SQLite dB 'Windows.db' in the same file location.
 --
 -- Database location:
 -- C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows-gather.db
 Select
-
-SystemIndex_GthrPth.Parent,
+SystemIndex_GthrPth.Scope as 'Scope',
+SystemIndex_GthrPth.Parent as 'Parent',
 SystemIndex_GthrPth.Name as 'Parent Name',
 FileName,
 DocumentID,
 AppOwnerId,
--- Hex String
-hex(LastModified) as 'LastModified',
--- Convert LastModified to Little Endian Hex
-substr(hex(LastModified), -2, 1) || substr(hex(LastModified), -1, 1) ||
-substr(hex(LastModified), -4, 1) || substr(hex(LastModified), -3, 1) ||
-substr(hex(LastModified), -6, 1) || substr(hex(LastModified), -5, 1) ||
-substr(hex(LastModified), -8, 1) || substr(hex(LastModified), -7, 1) ||
-substr(hex(LastModified), -10, 1) || substr(hex(LastModified), -9, 1) ||
-substr(hex(LastModified), -12, 1) || substr(hex(LastModified), -11, 1) ||
-substr(hex(LastModified), -14, 1) || substr(hex(LastModified), -13, 1) ||
-substr(hex(LastModified), -16, 1) || substr(hex(LastModified), -15, 1) as 'LastModifiedHexLE',
+-- Get the LastModified Blob as a Hex String (Filetime LE)
+hex(LastModified) as 'LastModifiedHex',
 DeletedCount,
 TransactionFlags,
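Review bot: The `LastModifiedHex` column now carries only the raw blob hex, and the "(Filetime LE)" in the new comment is the only hint that the bytes must be reversed before the value can be read as a FILETIME; the byte-reversed `LastModifiedHexLE` column that did this is removed. That leaves the conversion to each analyst building a timeline, so the comment should spell it out, for example `-- LastModified is stored as a little-endian FILETIME blob: reverse the byte order of this hex string before converting it to a timestamp`. The rename from `'LastModified'` to `'LastModifiedHex'` also changes the output header, which any script that reads this query's results by column name would need to follow. The Select statement continues past the end of this hunk.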
@@ -32,4 +28,5 @@ LastRequestedRunTime,
 StorageProviderId
 from SystemIndex_Gthr
-join SystemIndex_GthrPth on SystemIndex_Gthr.ScopeID = SystemIndex_GthrPth.Scope
\ No newline at end of file
+left join SystemIndex_GthrPth on SystemIndex_Gthr.ScopeID = SystemIndex_GthrPth.Scope
+order by cast(SystemIndex_GthrPth.Scope as INTEGER) ASC, cast(SystemIndex_GthrPth.Parent as INTEGER) ASC
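Review bot: The new `order by` sorts on `SystemIndex_GthrPth.Scope` and `SystemIndex_GthrPth.Parent`, which are NULL for every `SystemIndex_Gthr` row that the `left join` keeps without a matching path. Those rows sort ahead of the rest (SQLite places NULL first in ASC) in no defined order among themselves, and rows sharing a Scope/Parent pair are likewise unordered. For output that has to be reproducible between runs of an examination, sort on the left-hand key and add a tiebreaker: `order by cast(SystemIndex_Gthr.ScopeID as INTEGER) ASC, cast(SystemIndex_GthrPth.Parent as INTEGER) ASC, DocumentID ASC`. This assumes DocumentID is a SystemIndex_Gthr column, as the header comment suggests. The statement begins outside this hunk.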