sidr icon indicating copy to clipboard operation
sidr copied to clipboard

Published 20 hours ago verified publisher icon strozfriedberg

Unable to parse Windows 11's `Windows.db` - potential edge case (see post)

Open AndrewRathbun opened this issue 2 years ago • 1 comments

I unfortunately don't have a good sample database to provide as I've only experienced this with my personal computer's Windows 11 Windows.db file, but when I run sidr against my personal Windows.db, I get the following error:

PS C:\Users\Andrew\Downloads> .\sidr.exe D:\WindowsIndexSearch\C -f csv
Processing sqlite: D:\WindowsIndexSearch\C\programdata\microsoft\search\data\applications\windows\Windows.db
sqlite_generate_report(D:\WindowsIndexSearch\C\programdata\microsoft\search\data\applications\windows\Windows.db) failed with error: strings passed to WinAPI cannot contain NULs
Found 1 Windows Search database(s)
Processing sqlite: D:\WindowsIndexSearch\C\Windows.db
sqlite_generate_report(D:\WindowsIndexSearch\C\Windows.db) failed with error: strings passed to WinAPI cannot contain NULs
Found 1 Windows Search database(s)

I almost didn't submit this issue because I wasn't going to provide my personal 800+mb Windows.db file, and in my testing, I can't seem to recreate this with a fresh W11 VM. However, I figure I'd provide some context of my testing environment.

  • My personal computer was upgraded from Windows 10 to Windows 11, and not a fresh install. This shouldn't matter since April 2023 is when Windows.edb -> Windows.db but it very well may be relevant down the road.
  • Also, my personal computer has been Windows 11 since the Windows 11 preview (before RTM) so maybe that has something to do with potential odd behavior with this artifact.
  • Additionally, I've established that this install of Windows on my personal computer has been around for a while, and therefore my computer was not a fresh install with an ISO of a post-April 2023 version of Windows. In my testing with a fresh install using the April 2023 version of Windows 11 22H2, I was able to parse Windows.db successfully, but not sure why I can there but not for my personal system. Who knows!

So, all that to say there may be something more going on with my personal system given the above circumstances, so feel free to close if this is too much of an edge case to spend time on (which I totally get), but without documenting this behavior, it'll get forgotten about and very well may be relevant down the road as development continues.

AndrewRathbun avatar Jun 30 '23 19:06 AndrewRathbun

Also, more as an FYI, I added some Windows 11 Windows.db artifacts here for public consumption.

Basically, a snapshot of the artifacts from when I booted Windows, after I did some browsing (browsing artifacts didn't commit to database yet), then again 10 minutes of idle time or so after (browsing artifacts commited to SQLite DB).

https://github.com/AndrewRathbun/DFIRArtifactMuseum/tree/main/Windows/WindowsSearchDB/Win11/RathbunVM2

AndrewRathbun avatar Jun 30 '23 19:06 AndrewRathbun

It looks like this error is originating upstream. Your database may potentially contain some invalid data. Closing this for now but feel free to reopen or file another issue if you run into this again.

juliapaluch avatar Nov 01 '24 18:11 juliapaluch

Fair enough. Clean installs of Windows 10 and Windows 11 appear to provide an artifact that the parser handles without issue. I am guessing it's the Windows 10 -> Windows 11 Preview -> Windows 11 proper workflow that has maybe made my personal system's Windows.db file unorthodox.

AndrewRathbun avatar Nov 01 '24 18:11 AndrewRathbun