Unable to parse Windows 11's `Windows.db` - potential edge case (see post)

[AndrewRathbun]

I unfortunately don't have a good sample database to provide as I've only experienced this with my personal computer's Windows 11 Windows.db file, but when I run sidr against my personal Windows.db, I get the following error:

PS C:\Users\Andrew\Downloads> .\sidr.exe D:\WindowsIndexSearch\C -f csv
Processing sqlite: D:\WindowsIndexSearch\C\programdata\microsoft\search\data\applications\windows\Windows.db
sqlite_generate_report(D:\WindowsIndexSearch\C\programdata\microsoft\search\data\applications\windows\Windows.db) failed with error: strings passed to WinAPI cannot contain NULs
Found 1 Windows Search database(s)
Processing sqlite: D:\WindowsIndexSearch\C\Windows.db
sqlite_generate_report(D:\WindowsIndexSearch\C\Windows.db) failed with error: strings passed to WinAPI cannot contain NULs
Found 1 Windows Search database(s)

I almost didn't submit this issue because I wasn't going to provide my personal 800+mb Windows.db file, and in my testing, I can't seem to recreate this with a fresh W11 VM. However, I figure I'd provide some context of my testing environment.

• My personal computer was upgraded from Windows 10 to Windows 11, and not a fresh install. This shouldn't matter since April 2023 is when Windows.edb -> Windows.db but it very well may be relevant down the road.
• Also, my personal computer has been Windows 11 since the Windows 11 preview (before RTM) so maybe that has something to do with potential odd behavior with this artifact.
• Additionally, I've established that this install of Windows on my personal computer has been around for a while, and therefore my computer was not a fresh install with an ISO of a post-April 2023 version of Windows. In my testing with a fresh install using the April 2023 version of Windows 11 22H2, I was able to parse Windows.db successfully, but not sure why I can there but not for my personal system. Who knows!

So, all that to say there may be something more going on with my personal system given the above circumstances, so feel free to close if this is too much of an edge case to spend time on (which I totally get), but without documenting this behavior, it'll get forgotten about and very well may be relevant down the road as development continues.

[AndrewRathbun]

Also, more as an FYI, I added some Windows 11 Windows.db artifacts here for public consumption.

Basically, a snapshot of the artifacts from when I booted Windows, after I did some browsing (browsing artifacts didn't commit to database yet), then again 10 minutes of idle time or so after (browsing artifacts commited to SQLite DB).

https://github.com/AndrewRathbun/DFIRArtifactMuseum/tree/main/Windows/WindowsSearchDB/Win11/RathbunVM2