WindowsIndexSearch
Windowsv1.2
Author: Mark Hallman, Reece394
description
Windows Index Search
paths
4 paths
FileKnowledgeWindowsIndexSearch
C:\programdata\microsoft\search\data\applications\windows\FileKnowledgeWindowsIndexSearch - User
C:\Users\%user%\AppData\Roaming\Microsoft\Search\Data\Applications\S-1*\FileKnowledgeGatherLogs - User
C:\Users\%user%\AppData\Roaming\Microsoft\Search\Data\Applications\S-1*\GatherLogs\FileKnowledgeGatherLogs
C:\programdata\microsoft\search\data\applications\windows\GatherLogs\› paths use Windows environment syntax
collection commands
# PowerShell Artifact Collection Script
# Target: WindowsIndexSearch
# Run as Administrator
#Requires -RunAsAdministrator
$ErrorActionPreference = "SilentlyContinue"
$DestBase = "D:\Evidence"
# Function to handle directory creation and copying
function Collect-Artifact {
param (
[string]$SourcePath,
[string]$FolderName
)
$FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
if (-not (Test-Path -Path $FullDest)) {
New-Item -ItemType Directory -Path $FullDest -Force | Out-Null
}
Copy-Item -Path $SourcePath -Destination $FullDest -Recurse -Force
}
# 1. WindowsIndexSearch
Collect-Artifact -SourcePath "C:\programdata\microsoft\search\data\applications\windows\\*" -FolderName "WindowsIndexSearch"
# 2. WindowsIndexSearch - User
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\Microsoft\Search\Data\Applications\S-1*\"
Collect-Artifact -SourcePath "$UserPath\*" -FolderName "WindowsIndexSearch___User"
# 3. GatherLogs - User
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\Microsoft\Search\Data\Applications\S-1*\GatherLogs\"
Collect-Artifact -SourcePath "$UserPath\*" -FolderName "GatherLogs___User"
# 4. GatherLogs
Collect-Artifact -SourcePath "C:\programdata\microsoft\search\data\applications\windows\GatherLogs\\*" -FolderName "GatherLogs"
Write-Host "Collection complete!" -ForegroundColor Green› Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1