
Windows.edb

Windows 7, Windows Vista and Windows Server 2008 incorporate a built-in Instant Search facility known as Windows Search. At the centre of the search capability is the search index database, the windows.edb file.

Prior to Vista the Windows search functionality was available as a separate installation and was called Windows Desktop Search. This also used the windows.edb file as its core database.

The windows.edb file itself is an Extensible Storage Engine (ESE) database, a format that supports fast retrieval of data through both indexed and sequential access.
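As an added example (not code from the original page or from WSia), the following Python parser reads the fixed ESE file header so that a suspected windows.edb can be confirmed as an ESE database, and its shutdown state and page size checked, before it is loaded into an analysis tool. Field offsets follow the public ESE file format description; the sample header is constructed for offline testing, not captured from a real system.

```python
import struct

ESE_SIGNATURE = 0x89ABCDEF          # stored little-endian (ef cd ab 89) at offset 4
FILE_TYPES = {0: "database", 1: "streaming file"}
DB_STATES = {1: "just created", 2: "dirty shutdown", 3: "clean shutdown",
             4: "being converted", 5: "force detach"}


def parse_ese_header(data: bytes) -> dict:
    """Parse the fixed ESE header: checksum (0), signature (4), format version (8),
    file type (12), database state (52) and page size (236)."""
    if len(data) < 240:
        raise ValueError("header too short: need at least 240 bytes")
    checksum, signature, version, file_type = struct.unpack_from("<IIII", data, 0)
    if signature != ESE_SIGNATURE:
        raise ValueError(f"not an ESE database: signature 0x{signature:08x}")
    (state,) = struct.unpack_from("<I", data, 52)
    (page_size,) = struct.unpack_from("<I", data, 236)
    return {
        "checksum": checksum,
        "format_version": version,
        "file_type": FILE_TYPES.get(file_type, f"unknown ({file_type})"),
        "state": DB_STATES.get(state, f"unknown ({state})"),
        "clean": state == 3,          # only a clean shutdown is safe to open as-is
        "page_size": page_size,
    }


def build_sample_header(state: int, page_size: int = 32768) -> bytes:
    """Construct a minimal header for offline testing (values are illustrative only)."""
    buf = bytearray(256)
    struct.pack_into("<IIII", buf, 0, 0, ESE_SIGNATURE, 0x620, 0)
    struct.pack_into("<I", buf, 52, state)
    struct.pack_into("<I", buf, 236, page_size)
    return bytes(buf)


def triage_edb(path: str) -> dict:
    """Read the header of a copied .edb file (path is supplied by the caller)."""
    with open(path, "rb") as f:
        return parse_ese_header(f.read(256))


if __name__ == "__main__":
    for sample_state in (2, 3):
        print(parse_ese_header(build_sample_header(sample_state)))
```

A dirty-shutdown state means the database still needs its transaction logs replayed (or a repair) before most tools will open it, which is worth checking on an index file copied from a live system.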

Windows.edb Location

The default location of the windows.edb file depends on the Windows version. On Windows Vista and Windows 7 the default location is:

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb

On XP installations the default location is:

C:\Documents and Settings\Application Data\All Users\Microsoft\Search\Data\Applications\Windows\Windows.edb

It is possible to change the location of the windows.edb search index under Indexing Options in the Control Panel. The current location of the index can be obtained from the Windows Registry key detailed below:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Databases\Windows

Windows.edb Content

The windows.edb file consists of several tables which together form the search index. A typical set of tables is shown in the view below, which was taken from WSia with a Windows Search 4 database loaded.

The first of the tables shown, MSysObjects, defines the tables, columns and indexes within the database.

The SystemIndex_0A table is the primary table within the index and it is this table that will be of most interest for forensic investigations.

SystemIndex_0A

The SystemIndex_0A table contains the columns (fields) which constitute the search index metadata values. There are several hundred columns in the database, though most record entries will have values for a handful of these. The unique identifying column (key) is the DocID column which contains a unique numeric identifier for each record.

The columns can be categorized according to the type of data they contain, and WSia uses this grouping to simplify the viewing of data within the index. The typical 360 columns in a Windows Search 4 database from Vista are split into 22 column filters.

A selection of column names is shown below to demonstrate the variety of categories:

  • System_Comment
  • System_Contact_EmailAddress
  • System_ContentType
  • System_DateAccessed
  • System_Document_DateCreated
  • System_FileFRN
  • System_FileOwner
  • System_IsDeleted
  • System_IsEncrypted
  • System_ItemUrl
  • System_Media_Duration
  • System_Message_SenderName
  • System_Photo_DateTaken
  • System_SDID
  • System_Search_HitCount
  • System_ThumbnailCacheId
  • System_Title
  • System_Video_StreamName
Figure: Reports view on Windows Search index analyzer