Notifications on windows was a new feature added with windows 8 and continues in 10. In this post, I briefly discuss the format and data obtained from these notifications. Notifications can hold useful recent data (and some not so recent data) such as popup messages from applications, email snippets, application specific data like torrent downloaded messages among other information. As of now, not many applications use this feature on windows (when contrasted to apps on mac), but that is changing as more applications begin adding support for sending events to the Notifications Center/Bar.
As pointed out by Brent Muir here, this database is located at:
This Notifications database holds not just the popup notifications which the user sees briefly, but also any updates to Tiles on the new windows start screen/start menu. Under the notifications scheme used by windows, there are 4 types of notifications, Toasts (popups), Tiles (updates on app live tiles like latest news stories, tweets or weather), Badges (small overlay on tile used to show status or count of items) or Raw push notifications (app specific data).
Appdb.db is a binary database having the signature 'DNPW' as the first 4 bytes. The structure of the file is roughly as shown below:
By default, there are 256 chunks in the file. Each chunk has a header element, however, only the first chunk has the header filled in. The chunk header starts with the DNPW signature, followed by what I believe to be the time the last notification was displayed to the user (8 bytes FILETIME) and the next sequential Notification ID to be used, and some unknown data after that (12 bytes).
The header is followed by data that I assume to be flags (8 bytes), followed then by Push URI (URL used by apps to push data and notifications to the client), Badge XML content and Tile Data (5 metadata objects and 5 corresponding XML data strings). Each of these elements in the chunk has its own data structure, which is quite detailed in itself. I am not reproducing all the structures here. To get this information, download the 010 Template (from link below) containing all the definitions for structures (deciphered so far..). There is also a python script available to parse information from this file and write out to a CSV file.
Looks like they changed at lease the name of the database in Windows 10, build 1607: wpndatabase.db.ReplyDelete
That would be the anniversary edition of 10?Delete
Just looked at it today. wpndatabase.db is an sqlite database with an easy to parse table structure. I will modify the script to support this.Delete
Hi have u found solution for Win 10 wpndatabase.db .Delete
I tried parsing but it contain garbage data
This comment has been removed by the author.ReplyDelete
Anyone have AppDB.reg so I can import it and fix my notification problems?ReplyDelete
Database now has a different structure and is called wpndatabase.db. Win 10 build 1607. Your program produces an error. How to be?ReplyDelete
Any update for new format?ReplyDelete
I haven't looked at the creators update, not sure if its changed again. I haven't had time to update the script but a query like this should get you the details:ReplyDelete
SELECT datetime((ArrivalTime/10000000)-11644473600, 'unixepoch') AS ArrivalTime , datetime((ExpiryTime/10000000)-11644473600, 'unixepoch') AS ExpiryTime,
Type , Payload, Tag, 'Group', 'Order', PrimaryId, HandlerType, WNFEventName, CreatedTime as HandlerCreatedTime, ModifiedTime as HandlerModifiedTime
FROM Notification LEFT JOIN NotificationHandler ON Notification.HandlerId = NotificationHandler.RecordId
The payload part will need parsing, as its an XML blob.