Gets data from Windows Desktop Search
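<#
.SYNOPSIS
    Gets data from Windows Desktop Search.
.DESCRIPTION
    Uses Windows API (ADO) to get data from Windows Desktop Search JET (ESE) database.
    The script opens the Search.CollatorDSO provider, selects a fixed set of properties
    from SystemIndex and writes one row per indexed item to DSOutput.csv in the current
    directory.
.NOTES
    File Name : Get-DesktopSearchData.ps1
    Author : Dan O'Day - [email protected]
    Currently this must be run live directly on a system.
    See https://msdn.microsoft.com/en-us/library/windows/desktop/ff521715(v=vs.85).aspx
    and https://msdn.microsoft.com/en-us/library/windows/desktop/bb419046(v=vs.85).aspx
    for fields / properties to extract.

    Handling notes for the collected data:
    - DSOutput.csv is written to the current directory. On a live system under
      examination, change to a directory on collection media first so the output does
      not land on the volume being examined.
    - The selected columns include item names, participants, attachment names and
      System.Search.AutoSummary; treat the CSV as sensitive and store it accordingly.
    - Cell values originate from indexed items, so they are not trusted text. A value
      starting with '=', '+', '-' or '@' may be evaluated as a formula by a spreadsheet
      application; review the CSV in a tool that does not evaluate formulas.
    - NOTE(review): results are presumably limited to what the calling account is
      allowed to see in the index - confirm before relying on completeness.
#>

# Properties to extract. Each name is used both in the SELECT list and as the CSV column header.
$properties = @(
    'System.ItemName',
    'System.ItemTypeText',
    'System.Size',
    'System.IsDeleted',
    'System.DateAccessed',
    'System.Kind',
    'System.ItemDate',
    'System.Search.Store',
    'System.ItemParticipants',
    'System.ItemAuthors',
    'System.IsRead',
    'System.Message.AttachmentNames',
    'System.Search.AutoSummary'
)

# connection and record set
$conn = New-Object -ComObject ADODB.Connection
$recordSet = New-Object -ComObject ADODB.Recordset

try {
    # 0 disables the command timeout; a full index query can run for a long time.
    $conn.CommandTimeout = 0
    $conn.Open("Provider=Search.CollatorDSO;Extended Properties='Application=Windows';")

    # query (0 = adOpenForwardOnly, 1 = adLockReadOnly)
    $query = "SELECT $($properties -join ', ') FROM SystemIndex"
    $recordSet.Open($query, $conn, 0, 1)

    # Stream rows straight into Export-Csv instead of growing an array with +=,
    # which copies the whole array on every append and holds every row in memory.
    & {
        # Test EOF before reading so an empty result set does not raise an error.
        while (-not $recordSet.EOF) {
            $row = [ordered]@{}
            foreach ($name in $properties) {
                $value = $recordSet.Fields.Item($name).Value
                # Multi-valued properties (authors, participants, ...) can come back as
                # arrays, which Export-Csv would otherwise write as a type name.
                if ($value -is [array]) {
                    $value = $value -join '; '
                }
                $row[$name] = $value
            }
            [PSCustomObject]$row
            $null = $recordSet.MoveNext()
        }
    } | Export-Csv DSOutput.csv -NoTypeInformation
}
finally {
    # cleanup - runs even when the query fails; State 0 (adStateClosed) means nothing to close.
    if ($recordSet.State -ne 0) { $recordSet.Close() }
    if ($conn.State -ne 0) { $conn.Close() }
}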