<SYSTEMDRIVE>:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.db
<SYSTEMDRIVE>:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows-gather.db
Windows 7 to Windows 10:
<SYSTEMDRIVE>:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb
Windows XP:
<SYSTEMDRIVE>:\Documents and Settings\All user\Application Data\Microsoft\Search\Data\Application\Windows\Windows.edb
Overview
The Windows Search database provides an index to the Windows Search feature to improve search speed by indexing content. The Windows Search index is used for searches made through the Windows taskbar, Windows Explorer, and some Universal Windows Platform (UWP) applications (such as Outlook, OneDrive, etc.).
By default, only a subset of folders and files is indexed (to reduce the Windows Search database size and CPU usage). The folders scanned and the number of items indexed can be consulted in the “Windows search settings” menu.
From Windows Vista / Windows Server 2008 to Windows 10 / Windows Server 2019, the Windows Search used an Extensible Storage Engine (ESE) database (Windows.edb). Starting with Windows 11 / Windows Server 2022, the Windows Search switched to two SQLite databases (Windows.db and Windows-gather.db).
Information of interest
By default, only items from the following sources are scanned and indexed:
- Files and folders from the folders C:\Users\* (excluding AppData directories) and C:\ProgramData\Microsoft\Windows\Start Menu\Programs\* (which include startup LNK files). Data available: file name, path, size, attributes, MAC timestamps. For small files, part of the content of the file may be indexed as well.
- Outlook mail data (with timestamp of reception, possible mail content).
- OneNote notes title.
- Internet Explorer history (URLs, timestamp of last visit).
Tool(s)
The Search Index DB Reporter (SIDR) utility (SIDRWindowsIndexSearchParser KAPE module) can be used to parse the Windows Search database (in both ESE and SQLite formats).
# Recursively scan the <INPUT_DIRECTORY> for Windows.edb and Windows.db files.
sidr.exe -f <json | csv> <INPUT_DIRECTORY> -o <DESTINATION_DIRECTORY>
Alternatively, the WinSearchDBAnalyzer graphical utility can be used to parse and explore the Windows Search database, in ESE format only.
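Since the two tools above do not accept the same formats, it helps to confirm each collected database's format from its header rather than its file name before parsing. The following Python script is an added example, not part of SIDR or WinSearchDBAnalyzer: the function names and the sample evidence tree are constructed for illustration, and it assumes the standard SQLite 3 header string and the ESE signature 0x89ABCDEF at offset 4.

```python
import os
import sqlite3
import tempfile

# File names and tool coverage as listed on this page.
TARGETS = {"windows.edb", "windows.db", "windows-gather.db"}
SQLITE_MAGIC = b"SQLite format 3\x00"   # first 16 bytes of any SQLite 3 file
ESE_MAGIC = b"\xef\xcd\xab\x89"         # ESE signature 0x89ABCDEF, little-endian, at offset 4
TOOLS = {"ESE": ["SIDR", "WinSearchDBAnalyzer"], "SQLite": ["SIDR"], "unknown": []}

def classify(path):
    """Return 'SQLite', 'ESE' or 'unknown' from the file header, not the extension."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    if head == SQLITE_MAGIC:
        return "SQLite"
    if head[4:8] == ESE_MAGIC:
        return "ESE"
    return "unknown"

def find_search_dbs(root):
    """Walk a mounted image or triage folder and report each Windows Search database."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in TARGETS:
                full = os.path.join(dirpath, name)
                fmt = classify(full)
                hits.append({"path": full, "format": fmt, "tools": TOOLS[fmt],
                             "size": os.path.getsize(full)})
    return sorted(hits, key=lambda h: h["path"])

def build_sample(root):
    """Constructed sample evidence tree: one real SQLite file, one stub with an ESE header."""
    base = os.path.join(root, "ProgramData", "Microsoft", "Search", "Data",
                        "Applications", "Windows")
    os.makedirs(base)
    con = sqlite3.connect(os.path.join(base, "Windows.db"))
    con.execute("CREATE TABLE t (x)")
    con.commit()
    con.close()
    with open(os.path.join(base, "Windows.edb"), "wb") as fh:
        fh.write(b"\x00" * 4 + ESE_MAGIC + b"\x00" * 8)   # checksum placeholder + signature
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for hit in find_search_dbs(build_sample(tmp)):
            print(hit["format"], hit["tools"], hit["path"])
```

A file reported as "unknown" under one of the expected names is worth a closer look (truncated copy, failed acquisition, or renamed file) before it is handed to a parser.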