Windows Notification Database
Location
C:\Users\<username>\AppData\Local\Microsoft\Windows\Notifications\wpndatabase.db (Windows 10/11) or appdb.dat on older releases
Common Names
Description
Per-user notification store used by Action Center / Notification Center to retain recent toast notifications, app identifiers, payload fragments, timestamps, and notification grouping metadata.
Forensic Value
The notification database can preserve transient user-facing content that never appears in email or messaging stores, such as MFA prompts, messaging previews, download alerts, security-tool detections, and collaboration notifications. It is especially useful for reconstructing what the user was shown on screen around a critical time window and for validating whether a phishing lure, approval request, or malware detection alert was surfaced to the user. This store can also expose app identifiers and timing relationships that corroborate browser, email, and authentication artifacts.
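The time-window reconstruction described above, as an added example that is not part of the original page or of any tool's code. It assumes a wpndatabase.db layout with Notification and NotificationHandler tables, FILETIME values in ArrivalTime and toast XML in Payload; the table and column names, app identifiers and sample rows are constructed assumptions to verify against your own copy.

```python
import sqlite3
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> timezone-aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def utc_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10  # integer maths, no float rounding

def toast_text(payload):
    """Visible <text> strings of a toast XML payload; [] if empty, DTD-bearing or malformed."""
    payload = payload.decode("utf-8", errors="replace") if isinstance(payload, bytes) else payload
    if not payload or "<!DOCTYPE" in payload.upper():  # toasts carry no DTD; refuse entity tricks
        return []
    try:
        root = ET.fromstring(payload)
    except ET.ParseError:
        return []
    return [t.text.strip() for t in root.iter("text") if t.text and t.text.strip()]

def notifications_in_window(conn, start, end):
    """(arrival_utc, app_id, type, texts) for rows whose ArrivalTime falls in [start, end]."""
    rows = conn.execute(
        "SELECT n.ArrivalTime, h.PrimaryId, n.Type, n.Payload FROM Notification n "
        "LEFT JOIN NotificationHandler h ON h.RecordId = n.HandlerId "
        "WHERE n.ArrivalTime BETWEEN ? AND ? ORDER BY n.ArrivalTime",
        (utc_to_filetime(start), utc_to_filetime(end)))
    return [(filetime_to_utc(a), app, typ, toast_text(p)) for a, app, typ, p in rows]

def build_sample_db():
    """Constructed in-memory stand-in for a working copy of wpndatabase.db (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE NotificationHandler (RecordId INTEGER PRIMARY KEY, PrimaryId TEXT);"
        "CREATE TABLE Notification (Id INTEGER PRIMARY KEY, HandlerId INTEGER, Type TEXT, Payload BLOB, ArrivalTime INTEGER);"
        "INSERT INTO NotificationHandler VALUES (1,'Contoso.Authenticator!App'),(2,'Contoso.Mail!App');")
    at = lambda h, m: utc_to_filetime(datetime(2024, 3, 5, h, m, tzinfo=timezone.utc))
    toast = "<toast><visual><binding template='ToastGeneric'><text>%s</text></binding></visual></toast>"
    conn.executemany("INSERT INTO Notification (HandlerId, Type, Payload, ArrivalTime) VALUES (?,?,?,?)", [
        (1, "toast", (toast % "Approve sign-in?").encode(), at(14, 29)),
        (2, "toast", toast % "Invoice overdue", at(14, 31)),
        (2, "toast", b"<toast><visual>", at(14, 33)),   # truncated payload: row kept, no text
        (1, "tile", toast % "Later item", at(16, 0)),   # outside the window under review
    ])
    return conn
```

To run it against evidence, replace build_sample_db() with sqlite3.connect() on a working copy of the collected database and confirm the table and column names first, since they vary by Windows version.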
Tools Required
Collection Commands
PowerShell
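# Copy each profile's store (and any SQLite -wal/-shm files beside wpndatabase.db) into a per-user folder so same-named files do not overwrite each other
Get-ChildItem "C:\Users\*\AppData\Local\Microsoft\Windows\Notifications" -Include wpndatabase.db*,appdb.dat -Recurse -ErrorAction SilentlyContinue | ForEach-Object { $dest = Join-Path "C:\output\Notifications" $_.FullName.Split('\')[2]; New-Item -ItemType Directory -Path $dest -Force | Out-Null; Copy-Item -LiteralPath $_.FullName -Destination $dest }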
KAPE
kape.exe --tsource C: --tdest C:\output --target WindowsNotificationsDB
Velociraptor
velociraptor artifacts collect Windows.Forensics.SQLiteHunter -o C:\output\velociraptor_notifications.zip
Collection Constraints
- Availability, retention, and field coverage depend on the Windows release, SKU, per-host audit policy, and user activity. Treat absence as inconclusive unless you verified the feature was enabled.
- Schema and storage format differ between Windows versions, and retention is limited because notifications are routinely cleared or aged out. Older systems may use appdb.dat instead of wpndatabase.db.