Wednesday, October 8, 2025

OneDrive Quick Access

What is Quick access?

Quick access makes it simple to find your frequently used storage locations, including recently used shared libraries, channels, and folders.1

With offline mode enabled, it is possible to reconstruct this interface using locally stored data.

Microsoft.FileUsageSync.db

Microsoft.FileUsageSync.db contains the data used to populate the Quick Access interface. This file is located at:
%LOCALAPPDATA%\Microsoft\OneDrive\ListSync\Business<1-9>\settings.

Three tables within this database are of particular interest:

  • quick_access
  • quick_access_formatted
  • quick_access_metadata

Together, these tables store information such as pin states, site acronyms, and associated site icons.

quick_access table

The quick_access table provides foundational metadata for each entry in the Quick Access list. It contains the following fields:

  • ListId
  • WebId
  • SiteId
  • LastAccessDateTime
  • PinnedOrder

The purpose of the PinnedOrder value remains unclear, though it likely determines display order for pinned items.

quick_access_formatted table

The quick_access_formatted table holds the majority of the structured data required to rebuild the Quick Access interface. It includes:

  • ListId
  • WebId
  • SiteId
  • Format
    • QuickAccessRecent
    • PinnedItem
    • QuickAccessPinned
  • FormattedValue

Each Format type corresponds to a specific category of item behavior:

  • QuickAccessRecent - recently accessed items
  • PinnedItem - generated when an item is pinned
  • QuickAccessPinned - created or removed when the Quick Access endpoint is updated

The FormattedValue field contains a JSON structure that varies by format type. This structure includes key attributes such as access URLs, titles, colors, icons, and metadata necessary for UI reconstruction.

FormattedValue Header PinnedItem QuickAccessRecent QuickAccessPinned
accessUrl X X
containerTitle X X
contentClass X X
color X
favoritesOrder X
icon X
isDefaultDocumentLibrary X X
isDocLib X
isTeamsChannelSite X X
isTeamsConnectedSite X X
lastAccessDateTime X X
lastPolled X
listId X X X
listItemId X X
listUrl X
order X
operation X X
pinOrder X
siteAcronym X X
siteColor X X
siteIconUrl X
siteId X X X
siteTitle X
siteUrl X
spoId X X
title X X X
uniqueId X X
webId X X X
webTemplateConfiguration X
webUrl X X

quick_access_metadata table

The quick_access_metadata table tracks synchronization details that define the operational state of Quick Access. Its fields include:

  • SyncEndpoint
    • QuickAccessEndpoint
    • PinnedItemsEndpoint
  • InitialSyncComplete
  • ResyncRequired
  • SyncedVersion
  • LastSyncTime

*Note: If QuickAccessEndpoint is older than PinnedItemsEndpoint, QuickAccessPinned is out of sync. It takes roughly two minutes to sync when a pin state changes

Reconstructing the Quick Access Interface

Below is an example 'FormattedValue' from the quick_access_formatted table:

{
  "title": "IT Security",
  "siteAcronym": "IS",
  "siteColor": "#1C4259",
  "siteIconUrl": "https://contoso.sharepoint.com/sites/IT%20Security/_layouts/15/images/siteicon.png",
  "siteUrl": "https://contoso.sharepoint.com/sites/IT%20Security",
  "accessUrl": "https://contoso.sharepoint.com/sites/IT%20Security/Shared%20Documents",
  "isDefaultDocumentLibrary": 1,
  "isTeamsConnectedSite": 1,
  "listId": "a51d76a5-7b26-4b33-8d55-4cfbc656038a",
  "webId": "c5e85660-c9b0-4268-ad8b-23e1f862dd1c",
  "siteId": "e34301fe-78ae-4a23-9984-bf7edfc744f7",
  "lastAccessDateTime": "2025-09-29T14:38:00Z"
}
JSON Field UI Element or Behavior
title Main display text on the card
siteAcronym Initials displayed inside the colored tile
siteColor Tile background color
siteIconUrl Optional site icon (overrides acronym if present)
siteUrl Base site link (used for hover or metadata)
accessUrl Clickable target for user navigation
Format (table column) Determines grouping (Recent, Pinned, etc.)
PinnedOrder (from quick_access) Determines on-screen position

Visual Breakdown

SQL query to extract data from quick_access and quick_access_formatted

SELECT
    qf.Format,
    qa.PinnedOrder,
    json_extract(qf.FormattedValue, '$.pinOrder') AS pinOrder,
    json_extract(qf.FormattedValue, '$.order') AS "order",
    json_extract(qf.FormattedValue, '$.favoritesOrder') AS favoritesOrder,
    json_extract(qf.FormattedValue, '$.spoId') AS spoId,
    json_extract(qf.FormattedValue, '$.siteId') AS siteId,
    json_extract(qf.FormattedValue, '$.webId') AS webId,
    json_extract(qf.FormattedValue, '$.listId') AS listId,
    json_extract(qf.FormattedValue, '$.uniqueId') AS uniqueId,
    json_extract(qf.FormattedValue, '$.lastPolled') AS lastPolled,
    json_extract(qf.FormattedValue, '$.lastAccessDateTime') AS lastAccessDateTime,
    json_extract(qf.FormattedValue, '$.title') AS title,
    json_extract(qf.FormattedValue, '$.siteTitle') AS siteTitle,
    json_extract(qf.FormattedValue, '$.containerTitle') AS containerTitle,
    json_extract(qf.FormattedValue, '$.accessUrl') AS accessUrl,
    json_extract(qf.FormattedValue, '$.listUrl') AS listUrl,
    json_extract(qf.FormattedValue, '$.webUrl') AS webUrl,
    json_extract(qf.FormattedValue, '$.siteUrl') AS siteUrl,
    json_extract(qf.FormattedValue, '$.operation') AS operation,
    json_extract(qf.FormattedValue, '$.contentClass') AS contentClass,
    json_extract(qf.FormattedValue, '$.listItemId') AS listItemId,
    json_extract(qf.FormattedValue, '$.isDocLib') AS isDocLib,
    json_extract(qf.FormattedValue, '$.isDefaultDocumentLibrary') AS isDefaultDocumentLibrary,
    json_extract(qf.FormattedValue, '$.isTeamsConnectedSite') AS isTeamsConnectedSite,
    json_extract(qf.FormattedValue, '$.isTeamsChannelSite') AS isTeamsChannelSite,
    json_extract(qf.FormattedValue, '$.siteAcronym') AS siteAcronym,
    json_extract(qf.FormattedValue, '$.color') AS color,
    json_extract(qf.FormattedValue, '$.siteColor') AS siteColor,
    json_extract(qf.FormattedValue, '$.icon') AS icon,
    json_extract(qf.FormattedValue, '$.siteIconUrl') AS siteIconUrl,
    json_extract(qf.FormattedValue, '$.siteLogoUrl') AS siteLogoUrl,
    json_extract(qf.FormattedValue, '$.webTemplateConfiguration') AS webTemplateConfiguration
FROM quick_access AS qa
JOIN quick_access_formatted AS qf
    ON qa.ListId = qf.ListId
   AND qa.WebId = qf.WebId
   AND qa.SiteId = qf.SiteId;

Referecnces

  1. https://support.microsoft.com/en-us/office/getting-started-with-quick-access-eb533c0a-7ee9-40d4-8d29-0a88cc9e0231

Posted by at No comments:

Monday, September 29, 2025

OneDrive. Let's take this offline

At the beginning of this year, I started adding data from the offline databases into OneDrive Explorer. This data enhanced other artifacts that were being parsed. One thing that was lacking is a dedicated parser for the offline database (Microsoft.ListSync.db). The latest version of OneDriveExplorer now allows for parsing this data, giving a better representation of OneDrive from an offline perspective.

OneDrive Offline Mode (Project Nucleus)

To get a better understanding of what offline mode is and how it works, lets take a step back to its origins, Project Nucleus.

What is Project Nucleus?

Project Nucleus was announced at Ignite 2020 as part of Microsoft 365 / SharePoint platform enhancements.1 Project Nucleus is aimed at improving performance and usability of Microsoft’s web apps, especially when interacting with large content/data sets and unreliable/slow network connections.

Key features include:

  • A local cache on the client device (using a component described sometimes as “Microsoft.SharePoint.exe”) to store data locally and sync with the cloud.
  • Support for offline work in web apps (e.g. Microsoft Lists) so users can interact with content even without network connectivity.
  • Faster operations like sorting, filtering, grouping in large lists, because many operations can be done against the local cache rather than round-tripping to the server each time.

Nucleus is effectively a foundational engine inside Microsoft 365 web apps, powering offline/resilient experiences like OneDrive Web Offline Mode and faster large-list operations.

OneDrive offline mode

Microsoft announced a new feature coming to OneDrive for Business called Offline Mode in April 2024. The feature allows you to continue to use the web version of OneDrive without an internet connection. It works by downloading your file metadata and running a web server (Microsoft.SharePoint.exe) located in Program Files\Microsoft Onedrive<OneDrive_Version>\.

OneDriveExplorer Microsoft.ListSync.db parsing

By reconstructing the folders in Microsoft.ListSync.db, we can get a better view of what the user has access to when working offline. This data returns slightly different results when compared to what is synced on the endpoint. In this example we can see that SyncEngineDatabase.db (endpoint folders) contains 36458 file(s) - 189 deleted, 1418 folder(s) where as Microsoft.ListSync.db (offline mode) contains 36662 file(s) - 0 deleted, 1452 folder(s). That's an additional 204 files and 34 folders that offline mode gives us.

Another interesting point of data we get with offline mode is that folders contain creation and modify dates. This is not present in the endpoint (SyncEngineDatabase.db) data.

Conclusion

Project Nucleus has come a long way to add offline mode to OneDrive. With the updates to OneDriveExplorer, we now have the ability to parse this artifact on its own instead of just enhancing other artifacts. Try out the new feature and be on the lookout to updates and improvements to offline mode artifacts. The latest version of OneDriveExplorer can be downloaded here.

  1. https://redmondmag.com/articles/2020/09/23/sharepoint-syntex-project-nucleus.aspx?utm_source=chatgpt.com

Posted by at No comments:

Friday, June 6, 2025

Weekly Update 6/6/2025

 OneDrive Evolution

OneDrive Evolution has been updated to OneDrive version 25.106.0602.0001. Starting with version 25.102.0527.0001, there is a new folder under settings named .Dbfs.dbfs_bootstrap. It is not known at this time what the folder pertains to, but it does contain a database (dbfs.db). Below is a screenshot of the contents of the database.


SyncEngineDatabase.db Updates

Starting with version 25.105.0601.0001 of OneDrive, the SyncEngineDatabase.db schema has been updated to v38. A new table has been added to the database (od_ServiceOperationHistory).



 
Posted by at No comments:

Friday, May 23, 2025

OneDrive Evolution and Schema Updates

OneDrive Evolution Updates

OneDrive Evolution has been updated to v25.093.0514.0001

SyncEngine Schema Updates

 Schemas 34 - 37 have been added
  • v34 brings a new table od_ThrottleHistory
  • v35 adds archiveState column to od_ClientFile_Records table
  • v37 adds lastFailedAttempt to od_CreateAddedFolderFailures table
All schemas can be found here.
Posted by at No comments:

Monday, May 12, 2025

OneDriveExplorer now supports Microsoft.FileUsageSync.db

Recently, I have been focused on adding support for Microsoft.FileUsageSync.db. See my previous post on Microsoft.FileUsageSync.db. The recent_files_formatted_spo table was the focus of this work. To my surprise, this table holds a wealth of information. Microsoft.FileUsageSync.db tracks how files are being used including email, meetings, events, Teams chats, notes, and SharePoint. Let's take a peak into the changes to OneDriveExplorer and these new data points.

OneDriveExplorer Interface Changes

Off the bat you will notice a new sidebar containing the data points I mentioned earlier. The data points will be enabled once data has been added that pertains to that particular data point.

The next big change comes to the file menu. OneDrive settings has been changed to OneDrive metadata. This made more sense because the menu contains more options besides the OneDrive settings items. Parsing has been simplified. You can now select the Profile option, point it to a users OneDrive profile, and OneDriveExplorer will take care of the rest. There is an option to load individual files and import saved data from the command line version of OneDriveExplorer.

Loading individual files has become more intuitive with the new menu. It contains options for all supported files by OneDriveExplorer.

Import JSON has stayed the same but there is a slight update to Import CSV. This is because OneDriveExplorer saves the Microsoft.FileUsageSync.db to a separate csv.

Unmanaged Error Handling

OneDriveExplorer now can handle unmanaged exceptions and write to a log.

Microsoft.FileUsageSync.db Data

What kind of data does the Microsoft.FileUsageSync.db hold? Email, meetings, events, Teams chats, notes, and SharePoint data. I'll walk through what this data looks like in OneDriveExplorer.

Email Data

The email section contains data for files that have been shared through email. Please note that this information does not contain the body of the email. On the left will be a list of emails by sender, subject and date. When selected, the data will be presented in a familiar format resembling what you might see in an email client. Below that will contain the information about the file being shared. And there is a lot! Way too much to list here.

Meeting/Events Data

The meeting and events sections are very similar in nature. These sections hold data for files that have been shared via meeting or events. Like the email data, a list of meetings/events will be listed on the left. The middle contains various metadata that pertains to the meeting/event along with the metadata of the file being shared. Meeting/event participants are listed on the right.

Chat/Notes Data

The chat/notes sections contain the same type of data. These are files that are shared through Teams. The only difference is that notes are files shared with oneself. Chat/Note subject is on the left. If there is a subject, the list will be populated with the subject. If there is no subject, the list of participants will be combined like in Teams. The file metadata will be in the middle and participants on the right.

SharePoint Data

The SharePoint section contains data on files that have been shared through SharePoint. On the left will list the SharePoint site. The middle will list the files being shared. When a file is selected, the metadata for that file will be populated.

File Metadata

The file metadata contains too much information to list it all here. There is one thing I would like to show. There is a section in the file metadata call activity. It's not always populated but when it is, it can show various activities such as:

  • You commented on this
  • You edited this
  • You recently opened this
  • You shared this in a Teams chat
  • activity.message_format
  • {0} edited this
  • {0} mentioned {1}
  • {0} replied to a comment
  • {0} sent this
  • {0} shared this in a Teams chat
  • {0} shared this in a meeting invite
  • {0} shared this with you

Conclusion

As you can see, Microsoft.FileUsageSync.db holds a lot of information. And remember, this is only one column from one table in the database. You can find the latest version of OneDriveExplorer on GithHub.

Posted by at 2 comments:

Friday, February 21, 2025

OneDrive Microsoft.FileUsageSync.db

I recently started to look into the Microsoft.FileUsageSync.db. The database can be found in %localappdata%\Microsoft\OneDrive\ListSync\Business<1-9>\settings. It is not documented in OneDrive Evolution because it only appears in OneDrive for Business. OneDrive Evolution's data is collected from personal only. It's not known what version this database first appeared in. Just like Microsoft.ListSync.db, this database is used by Microsoft.SharePoint.exe but is not related to the Offline Mode for web feature that I am aware of. There is some interesting data in the recent_files_formatted_spo table. The FormattedValue column holds JSON data that isn't the prettiest to look at.

To make the data easier to read, I wrote the following script to convert the JSON data into CSV format.

import sqlite3
import pandas as pd
import json

db_path = "Microsoft.FileUsageSync.db"

conn = sqlite3.connect(db_path)

query = "SELECT FormattedValue FROM recent_files_formatted_spo"

df = pd.read_sql_query(query, conn)

conn.close()


def parse_json(value):
    try:
        value = value.encode().decode('unicode_escape')

        return json.loads(value)
    except Exception as e:
        print("JSON Parse Error:", e)
        return None


df_parsed = df["FormattedValue"].apply(parse_json)

df_expanded = pd.json_normalize(df_parsed.dropna())

df_expanded.to_csv('output.csv', index=False, encoding='utf-8')

So what type of data does this table hold? Unfortunately, I cannot show you the data because I don't have a development environment so I'll do my best to explain what I found.

To give you an idea, when the data is parsed out, we have the following headers:
file.Id, file.@odata.id, file.FileModifiedTime, file.LastModifiedDateTime, file.FileCreatedTime, file.FileExtension, file.FileSize, file.StorageProviderContext, file.IsEmptyCopy, file.SharePointItem.SiteId, file.SharePointItem.WebId, file.SharePointItem.ListId, file.SharePointItem.UniqueId, file.ItemProperties.Shared.LastSharedWithMailboxOwnerByDisplayName, file.ItemProperties.Shared.LastSharedWithMailboxOwnerBySmtp, file.ItemProperties.Shared.LastSharedWithMailboxOwnerDateTime, file.ItemProperties.Shared.SubjectProperty, file.ItemProperties.Shared.AttachmentItemReferenceId, file.ItemProperties.Shared.AttachmentReferenceId, file.ItemProperties.Shared.ImmutableFileItemReferenceId, file.ItemProperties.AggregatedActivities.LastUserActivityDateTime, file.ItemProperties.AggregatedActivities.LastModifiedDateTime, file.ItemProperties.AggregatedActivities.MailboxOwnerTopInsights, file.ItemProperties.AggregatedActivities.IsHidden, file.ItemProperties.SemanticProperties.Title, file.UserRelationship.LastSharedDateTime, file.Visualization.Title, file.Visualization.AccessUrl, file.Visualization.Type, file.AllExtensions.SharingHistory.Instances, file.FileName, file.SharePointOnlineFacetStatus, file.Document.Title, file.WorkingSetId, activity.message_format, activity.type, activity.users, activity.timestamp, activity.extended_info.subject, file.UserRelationship.LastSharedById, file.Document.Author, file.SharePointItem.ModifiedBy, file.PrimaryItemLocation, file.SharePointItem.ContentClass, file.SharePointItem.SitePath, file.ItemProperties.Default.SiteTemplateId, activity.extended_info.sharing_medium, file.Visualization.ContainerTitle, file.Visualization.ContainerUrl, file.Visualization.PreviewImageUrl, file.FileOwner, file.SharePointItem.ContentTypeId, file.SharePointItem.ListItemId, file.SharePointItem.DocId, file.SharePointItem.ModifiedByDisplayName, file.SharePointItem.FileUrl, file.SharePointItem.ParentId, file.ItemProperties.Default.AuthorOWSUSER, file.ItemProperties.Default.EditorOWSUSER, file.ItemProperties.Default.DocumentLink, file.ItemProperties.AggregatedActivities.MailboxOwnerHistograms, file.ItemProperties.ClientAccessByMailboxOwner.LastAccessDateTime, file.ItemProperties.SemanticProperties.Url, file.ItemProperties.SemanticProperties.ContainerName, file.ItemProperties.SemanticProperties.ContainerUrl, file.UserRelationship.FrequentlyUsedSiteWeight, file.UserRelationship.LastAccessDateTime, file.ItemProperties.Default.ProgID, file.ItemProperties.Shared.TeamsMessageThreadId, file.ItemProperties.Direct.ColorHex, file.UserRelationship.LastModifiedDateTime, file.ItemProperties.Default.RecordingStartDateTime, file.ItemProperties.Default.RecordingEndDateTime, file.ItemProperties.Default.MeetingOrganizerId, file.ItemProperties.Default.MeetingICalUid, file.ItemProperties.Default.BaseType, file.ItemProperties.Default.ListTemplateTypeId, file.ItemProperties.Default.ListIcon, file.ItemProperties.Default.ListColor, activity.extended_info.navigation_id

It appears to hold information on files that are not necessarily in your OneDrive, but files that are shared from OneDrive. This can include files that were shared to you via email, Teams, and whiteboards to name a few.

Another interesting table is recommended_files. This table appears to hold a max of 20 files. One of the things that stood out to me was a description in the JSON data. The description is the first couple lines of the file so it could give us a good indication of what the file contains.

The last table I want to talk about is top_collaborators. This one holds information on people the user interacts with the most. We could potentially glean work relationships from this data.

The plan is to add this data into OneDriveExplorer once I can get it sorted out. Until then, use the script to explore this sure to be valuable forensic resource.

Posted by at No comments:
Labels: ,

Friday, February 14, 2025

OneDriveExplorer Offline Mode Edition

Changes to OneDriveExplorer (ODE)

With this release, there are a few things to be aware of that have changed with the GUI and command line version.

GUI

The ODE GUI now has a profile selection. This is to make things easier so we don't have to point to certain files/folders for parsing settings data and logs. The options are still there but this is meant more for if you have a loose collection of files.











With the profile option, all we need to do is select the profile folder %LOCALAPPDATA%\Microsoft\OneDrive and ODE will do the rest. Logs will only be parsed if the Enable ODL log parsing option is enabled in the preferences.
The GUI can now indicate if the account is Personal or Business.











Command Line

With the command line, there is a new argument (--output-dir) to designate the save folder location. There is no longer a need to add a directory to --csv, --html, or --json. These arguments are now used to indicate what type of output you want the data stored in. Also, --csvf has been dropped.


























New Additions

OneDrive Offline Mode

OneDrive for Business has a feature called Offline Mode that allows you to continue to use the web version of OneDrive without an internet connection. If you want to learn more, I had written about it in another article. In order for the database (Microsoft.ListSync.db) to populate, Offline Mode needs to be set up. First off, the feature needs to be pushed to your tenant by Microsoft (I believe Microsoft has finished rolling this out). Offline Mode is enabled by default but can be disabled via group policy. When you navigate to OneDrive for web, if you see a computer icon in the upper right of the page, Offline Mode is enabled and ready.

Once this is done, the Offline Mode database will be populated. There are also some limitations that might not allow Offline Mode to be enabled. See the Current limitations of offline mode section for more information.

What does this bring to OneDriveExplorer

With new features bring new data. So what kind of data does OneDriveExplorer get from Offline Mode? In addition to knowing a file/folder is shared, we can now see who it is shared with.

Another interesting artifact of this is seeing what other people have shared and to whom. If we look at a folder that was linked to OneDrive, the shared data is present, even though we did not do the sharing.

Another data point Offline Mode brings to ODE is OCR (Optical Character Recognition). Here is an example of the data in ODE verses the actual image.

More to come

There is still a lot of data to go through with Offline Mode that can be added to ODE. Additional work will be done to have a dedicated parser for Microsoft.ListSync.db for instances where that is the only file you have available. The latest version of OneDriveExplorer can be found here.

Posted by at No comments:
Labels:
Subscribe to: Comments (Atom)