Update README.md

README.md

@@ -105,6 +105,7 @@
 
       - **Windows 11 Search data** *(new 22H2+ SQLite3 dBs)*<br>
         *found at 'C:\ProgramData\Microsoft\Search\Data\Applications\Windows'*<br>
+        - [PropertyMap](https://github.com/kacos2000/Queries/blob/master/Win_Search_PropertyMap.sql)
         - [Paths (SystemIndex_1_PropertyStore) query](https://github.com/kacos2000/Queries/blob/master/Win_Search_PropertyStore.sql)
         - [SecurityDescriptor (SecStore.db) query](https://github.com/kacos2000/Queries/blob/master/Win_Search_SecStore.sql)
         - [Paths/Files & Timestamps (Windows-gather.db)](https://github.com/kacos2000/Queries/blob/master/Win_Search_gatherdB.sql)

Win_Search_PropertyMap.sql

@@ -0,0 +1,20 @@
+-- This query is to show the content of the PropertyMap table
+-- of the new Windows.db (Win 11 search database)
+--
+-- Database location:
+-- C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\PropMap.db
+
+SELECT
+Id,
+StandardId,
+FormatIdQualifier,
+Size,
+
+-- Since the field is a BLOB, this will show either text of the hex value:
+case 
+when typeof(FormatId) is 'text' or typeof(FormatId) is 'integer'
+then cast(FormatId as 'text')
+else hex(FormatId)
+end as 'FormatId'
+
+from PropertyMap

Win_Search_gatherdB.sql

@@ -1,27 +1,23 @@
--- This query is to show the content of the SystemIndex_1_PropertyStore table
+-- This query is to show the content of the Gather tables
 -- of the new Win 11 search databases (Windows-gather.db)
+-- Table SystemIndex_GthrPth holds the main paths & Scope/Parent IDs linked to
+-- the table SystemIndex_Gthr ScopeIDs.
+-- The SystemIndex_Gthr table's 'DocumentID's link the entries to the Information on
+-- the entry stored in the 'SystemIndex_1_PropertyStore' table and 'WorkID' field on
+-- the separate SQLite dB 'Windows.db' in the same file location.
 --
 -- Database location:
 -- C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows-gather.db
 
 Select 
-
-SystemIndex_GthrPth.Parent,
+SystemIndex_GthrPth.Scope as 'Scope',
+SystemIndex_GthrPth.Parent as 'Parent',
 SystemIndex_GthrPth.Name as 'Parent Name',
 FileName,
 DocumentID,
 AppOwnerId,
--- Hex String
-hex(LastModified) as 'LastModified',
--- Convert LastModified to Little Endian Hex
-substr(hex(LastModified), -2, 1) || substr(hex(LastModified), -1, 1) ||
-substr(hex(LastModified), -4, 1) || substr(hex(LastModified), -3, 1) ||
-substr(hex(LastModified), -6, 1) || substr(hex(LastModified), -5, 1) ||
-substr(hex(LastModified), -8, 1) || substr(hex(LastModified), -7, 1) ||
-substr(hex(LastModified), -10, 1) || substr(hex(LastModified), -9, 1) ||
-substr(hex(LastModified), -12, 1) || substr(hex(LastModified), -11, 1) ||
-substr(hex(LastModified), -14, 1) || substr(hex(LastModified), -13, 1) ||
-substr(hex(LastModified), -16, 1) || substr(hex(LastModified), -15, 1) as 'LastModifiedHexLE',
+-- Get the LastModified Blob as a Hex String (Filetime LE) 
+hex(LastModified) as 'LastModifiedHex',
 
 DeletedCount,
 TransactionFlags,
@@ -32,4 +28,5 @@ LastRequestedRunTime,
 StorageProviderId
 
 from SystemIndex_Gthr
-join SystemIndex_GthrPth on SystemIndex_Gthr.ScopeID = SystemIndex_GthrPth.Scope
+left join SystemIndex_GthrPth on SystemIndex_Gthr.ScopeID = SystemIndex_GthrPth.Scope
+order by cast(SystemIndex_GthrPth.Scope as INTEGER) ASC, cast(SystemIndex_GthrPth.Parent as INTEGER) ASC