Friday, August 3, 2018

Windows 10 Notification WAL database

David Cowen recently wrote and article about revisiting the Windows 10 Notification database. From my observations, the database is in Write-Ahead Logging mode. The wpndatabase.db-wal file can contain deleted entries. I came up with a way to view the wal file.

I forked a python script (Walitean) because the endianness of the integers was wrong. With my forked version, you can convert the wal file into a sql database to view by doing the following:

Once the wal file is converted, you can run the following sql query to parse the database:

SELECT unknown0 AS Id, unknown1 AS HandlerId, unknown2 AS ActiveId, unknown3 AS Type, unknown4 AS Payload, unknown5 AS Tag, unknown6 AS 'Group',
 datetime((unknown7/10000000)-11644473600, 'unixepoch') AS ExpiryTime, datetime((unknown8/10000000)-11644473600, 'unixepoch') AS ArrivalTime ,
unknown9 AS DataVersion

My forked version of  Walitean can be found here:

1 comment: