Windows.Forensics.NotificationsDatabase

Parses the Win10/11 notifications database, which contains events for badges, tiles, and toasts shown to each user.


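name: Windows.Forensics.NotificationsDatabase
author: Zane Gittins
description: |
  Parses the Win10/11 notifications database, which contains events for badges, tiles, and toasts shown to each user.

# Can be CLIENT, CLIENT_EVENT, SERVER, SERVER_EVENT or NOTEBOOK
type: CLIENT

parameters:
  # Regex matched against the full OSPath of each database found by SearchGlob
  # (not only the user-name segment); the default "." keeps every path.
  - name: UserRegex
    default: "."
  # One wpndatabase.db per user profile. The file sits under a user-writable
  # profile directory, so treat its contents as evidence, not as trusted data.
  - name: SearchGlob
    default: "C:/Users/*/AppData/Local/Microsoft/Windows/Notifications/wpndatabase.db"

sources:
  - precondition:
      SELECT OS From info() where OS = 'windows'

    # Files        - databases matching SearchGlob and UserRegex.
    # Notifications/Handlers - every row of the Notification / NotificationHandler
    #                table from every matched database, tagged with the path of
    #                the database it came from (NotificationPath / HandlerPath).
    # Results      - each notification joined to the handler rows whose RecordId
    #                equals its HandlerId. The join is scoped to the same database
    #                because RecordId/HandlerId are per-database row ids and would
    #                otherwise collide across user profiles, attributing one
    #                user's notification to another user's application.
    # NotificationPath is emitted so each row can be attributed to a user.
    # Payload is returned raw (PayloadRaw); it is not decoded here.
    query: |
      LET Files <= SELECT *
        FROM glob(globs=SearchGlob)
        WHERE OSPath =~ UserRegex
      LET Notifications <= SELECT *
        FROM foreach(
          row=Files,
          query={
            SELECT *, OSPath AS NotificationPath
            FROM sqlite(file=OSPath,
                        accessor="auto",
                        query="SELECT * FROM Notification")
          })
      LET Handlers <= SELECT *
        FROM foreach(
          row=Files,
          query={
            SELECT *, OSPath AS HandlerPath
            FROM sqlite(file=OSPath,
                        accessor="auto",
                        query="SELECT * FROM NotificationHandler")
          })
      LET Results = SELECT *, {
                             SELECT *
                             FROM Handlers
                             WHERE RecordId = HandlerId
                               AND HandlerPath = NotificationPath
                           } AS HandlerInfo
        FROM Notifications
      SELECT Id,
             NotificationPath,
             HandlerInfo.PrimaryId AS Application,
             HandlerId,
             Type,
             timestamp(winfiletime=ExpiryTime) AS ExpiryTime,
             timestamp(winfiletime=ArrivalTime) AS ArrivalTime,
             Payload AS PayloadRaw,
             Tag,
             Group,
             DataVersion,
             PayloadType,
             HandlerInfo
      FROM Results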