Skip to content

Commit

Permalink
Update Win_Search_gatherdB.sql
Browse files Browse the repository at this point in the history
  • Loading branch information
@kacos2000
kacos2000 authored Dec 25, 2022
1 parent b667b22 commit 0d996e1
Showing 1 changed file with 12 additions and 15 deletions.
27 changes: 12 additions & 15 deletions Win_Search_gatherdB.sql
View file
Original file line number Diff line number Diff line change
@@ -1,27 +1,23 @@
-- This query is to show the content of the SystemIndex_1_PropertyStore table
-- This query is to show the content of the Gather tables
-- of the new Win 11 search databases (Windows-gather.db)
-- Table SystemIndex_GthrPth holds the main paths & Scope/Parent IDs linked to
-- the table SystemIndex_Gthr ScopeIDs.
-- The SystemIndex_Gthr table's DocumentIDs link the entries to the Information on
-- the entry stored in the 'SystemIndex_1_PropertyStore' table on
-- the separate SQLite dB 'Windows.db' in the same file location.
--
-- Database location:
-- C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows-gather.db

Select

SystemIndex_GthrPth.Parent,
SystemIndex_GthrPth.Scope as 'Scope',
SystemIndex_GthrPth.Parent as 'Parent',
SystemIndex_GthrPth.Name as 'Parent Name',
FileName,
DocumentID,
AppOwnerId,
-- Hex String
hex(LastModified) as 'LastModified',
-- Convert LastModified to Little Endian Hex
substr(hex(LastModified), -2, 1) || substr(hex(LastModified), -1, 1) ||
substr(hex(LastModified), -4, 1) || substr(hex(LastModified), -3, 1) ||
substr(hex(LastModified), -6, 1) || substr(hex(LastModified), -5, 1) ||
substr(hex(LastModified), -8, 1) || substr(hex(LastModified), -7, 1) ||
substr(hex(LastModified), -10, 1) || substr(hex(LastModified), -9, 1) ||
substr(hex(LastModified), -12, 1) || substr(hex(LastModified), -11, 1) ||
substr(hex(LastModified), -14, 1) || substr(hex(LastModified), -13, 1) ||
substr(hex(LastModified), -16, 1) || substr(hex(LastModified), -15, 1) as 'LastModifiedHexLE',
-- Get the LastModified Blob as a Hex String (Filetime LE)
hex(LastModified) as 'LastModifiedHex',

DeletedCount,
TransactionFlags,
Expand All @@ -32,4 +28,5 @@ LastRequestedRunTime,
StorageProviderId

from SystemIndex_Gthr
join SystemIndex_GthrPth on SystemIndex_Gthr.ScopeID = SystemIndex_GthrPth.Scope
left join SystemIndex_GthrPth on SystemIndex_Gthr.ScopeID = SystemIndex_GthrPth.Scope
order by cast(SystemIndex_GthrPth.Scope as INTEGER) ASC, cast(SystemIndex_GthrPth.Parent as INTEGER) ASC

0 comments on commit 0d996e1

Please sign in to comment.