From f8f0981fe0aeb7f7da642164b60b9128b602b0e7 Mon Sep 17 00:00:00 2001
From: Costas K <11378310+kacos2000@users.noreply.github.com>
Date: Sat, 29 Oct 2022 15:05:16 +0300
Subject: [PATCH] Win11 Search Windows.db

---
 Win_Search_gatherdB.sql | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 Win_Search_gatherdB.sql

diff --git a/Win_Search_gatherdB.sql b/Win_Search_gatherdB.sql
new file mode 100644
index 0000000..b69b69d
--- /dev/null
+++ b/Win_Search_gatherdB.sql
@@ -0,0 +1,35 @@
+-- This query is to show the content of the SystemIndex_1_PropertyStore table
+-- of the new Win 11 search databases (Windows-gather.db)
+--
+-- Database location:
+-- C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows-gather.db
+
+Select 
+
+SystemIndex_GthrPth.Parent,
+SystemIndex_GthrPth.Name as 'Parent Name',
+FileName,
+DocumentID,
+AppOwnerId,
+-- Hex String
+hex(LastModified) as 'LastModified',
+-- Convert LastModified to Little Endian Hex
+substr(hex(LastModified), -2, 1) || substr(hex(LastModified), -1, 1) ||
+substr(hex(LastModified), -4, 1) || substr(hex(LastModified), -3, 1) ||
+substr(hex(LastModified), -6, 1) || substr(hex(LastModified), -5, 1) ||
+substr(hex(LastModified), -8, 1) || substr(hex(LastModified), -7, 1) ||
+substr(hex(LastModified), -10, 1) || substr(hex(LastModified), -9, 1) ||
+substr(hex(LastModified), -12, 1) || substr(hex(LastModified), -11, 1) ||
+substr(hex(LastModified), -14, 1) || substr(hex(LastModified), -13, 1) ||
+substr(hex(LastModified), -16, 1) || substr(hex(LastModified), -15, 1) as 'LastModifiedHexLE',
+
+DeletedCount,
+TransactionFlags,
+TransactionExtendedFlags,
+RunTime,
+ClientID,
+LastRequestedRunTime,
+StorageProviderId
+
+from SystemIndex_Gthr
+join SystemIndex_GthrPth on SystemIndex_Gthr.ScopeID = SystemIndex_GthrPth.Scope
\ No newline at end of file