I am trying to create a powershell script to read the IE 10/11 internet history, which is stored in AppData\Local\Microsoft\Windows\WebCache\WebCache.dat.
I am using Managed Esent+- to interface with the Win32 Jet api in .NET.
My issue is that I can never actually open the database, as EsentPageSizeMismatchException is thrown when I call JetAttachDatabase. After doing some research on this error, I found that the IE WebCache has a page size of 32K. When I attempted to correct for this, by setting the DatabasePageSize system parameter to 0x8000, JetInit started to throw the same exception.
Here is the code I have
#stop the things locking the database
stop-process -name taskhost
stop-process -name dllhost
#give powershell access to the interop dlls
add-type -path "$PSScriptRoot\ManagedEsent 1.6\Esent.Interop.dll"
$instance = [Microsoft.Isam.Esent.Interop.JET_INSTANCE]::Nil
#set page size
# init the instance, throws EsentPageSizeMismatchException if the page size is not default
$sesid = [Microsoft.Isam.Esent.Interop.JET_SESID]::Nil
# throws EsentPageSizeMismatchException if page size is default
If you notice, in one case it's
JetAttachDatabase that fails with the exception, and
JetInit in the other.
You are indeed correct that you need to set DatabasePageSize.
JetInit is actually a poor name. It should be called something like
JetInitAndReplayLogFiles. It will look at the transaction log files (default name of edb*.log) in the log directory (default: "."), and replay the operations within the transaction log files.
You are probably now picking up other transaction log files created with a different page size. Theory: you're picking up the
edb*.log files you unintentionally created during your first attempt.
Some potential solutions:
-cd in to the directory that contains the log files first.
-Change the LogFileDirectory (You can either use
JET_param.LogFilePath, or the wrapper class
InstanceParameters.LogFileDirectory). Oh, you'll also need to set
InstanceParameters.BaseName to "v01", since that's what the webcache01.dat file seems to use (Affects the names of "edb.log" versus "v01.log").
esentutl.exe -r v01 to bring the database to a 'clean shutdown' state, and then set
false to avoid creating new transacation log files accidentally. And I see you're already attaching with
Finally, I hope this is just for curiosity. The people who worked on the inetcache can change the implementation details at any time. If it's for forensic purposes, Microsoft does assist forensic efforts by law enforcement agencies.