Windows11 Wordwheelquery Woes

Recently one of my fellow SANS instructors, Mattia Epifani, noted that in Windows 11 23H2 the WordWheelQuery value is no longer populated. Time to do some testing!

Forensafe has a nice article that describes the artefact.

When I do a simple search in Explorer, it should populate a dropdown box in the search box; at least it has on previous versions of Windows. This in turn updates the WordWheelQuery key in the user's NTUSER.DAT hive.

However, in (and possibly from) this version of Windows 11, searches are conducted as you type rather than on pressing Enter. So it seems that instead it's querying a database (likely the Windows search index) so that it can return results immediately. As the dropdown isn't available any more, the WordWheelQuery key no longer needs to be populated.

No wordwheelquery key!

Overall this is a shame because we use this key during investigations all the time. It might still be in Windows Server, but I haven’t downloaded a copy to test it out on.

I did a search for a string as a test and had a look at the Search index folder; nothing in there changed, which is a shame, but the database is likely being queried.

As a side note, I also looked at ProcMon and my string came up in TypedPaths. This is likely because I accessed something from my search window.

As you can see below, the path that you performed the search against and the search term are both recorded; however, this will depend on your interaction with a file inside the search dialog.

search-ms:displayname=Search%20Results%20in%20SystemIndex&crumb=System.Generic.String%3Aabcdefgfedcba&crumb=location:C%3A%5CProgramData%5CMicrosoft%5CSearch%5CData%5CApplications%5CWindows%5CGatherLogs%5CSystemIndex

Unfortunately, as TypedPaths only records one timestamp, we may not be able to determine when this took place. This would potentially be tracked in shell items; however, that's outside the scope of this post!
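Added example (not code from the post): a small parser that pulls the search term and the scoped folder back out of search-ms: URIs like the one above, and filters a TypedPaths export down to just those entries. It assumes TypedPaths has been exported as a name-to-value mapping (url1, url2, ...); the entries other than url1 are constructed.

```python
# Added example (not from the post): decode the search-ms: URIs Explorer writes to TypedPaths
# (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths, values url1, url2, ...).
from __future__ import annotations
from dataclasses import dataclass, field
from urllib.parse import parse_qsl

@dataclass
class SearchMsQuery:
    display_name: str = ""
    terms: list[str] = field(default_factory=list)      # System.Generic.String crumbs: text the user typed
    locations: list[str] = field(default_factory=list)  # location: crumbs: folder the search was scoped to
    other_crumbs: list[str] = field(default_factory=list)

def parse_search_ms(uri: str) -> SearchMsQuery | None:
    """Return the decoded query for a search-ms: URI, or None for any other TypedPaths value."""
    scheme = "search-ms:"
    if not uri.lower().startswith(scheme):
        return None
    query = SearchMsQuery()
    # The body is &-separated, percent-encoded key=value pairs; parse_qsl splits and decodes them.
    for key, value in parse_qsl(uri[len(scheme):], keep_blank_values=True):
        if key == "displayname":
            query.display_name = value
        elif key == "crumb":
            prop, _, val = value.partition(":")  # first colon only, so "C:\..." survives intact
            if prop == "System.Generic.String":
                query.terms.append(val)
            elif prop == "location":
                query.locations.append(val)
            else:
                query.other_crumbs.append(value)
    return query

def triage_typed_paths(typed_paths: dict[str, str]) -> dict[str, SearchMsQuery]:
    """Keep only the TypedPaths entries that are search-ms: URIs, decoded.
    TypedPaths carries a single key LastWrite time, so no per-entry timestamp is available."""
    return {name: q for name, url in typed_paths.items() if (q := parse_search_ms(url)) is not None}

# Constructed TypedPaths export: url1 is the URI from the post, url2 and url3 are made up.
TYPED_PATHS = {
    "url1": "search-ms:displayname=Search%20Results%20in%20SystemIndex&crumb=System.Generic.String%3Aabcdefgfedcba&crumb=location:C%3A%5CProgramData%5CMicrosoft%5CSearch%5CData%5CApplications%5CWindows%5CGatherLogs%5CSystemIndex",
    "url2": r"C:\Users\example\Downloads",
    "url3": "search-ms:displayname=Search%20Results%20in%20Documents&crumb=System.Generic.String%3Aquarterly%20report&crumb=location:C%3A%5CUsers%5Cexample%5CDocuments",
}

if __name__ == "__main__":
    for name, q in triage_typed_paths(TYPED_PATHS).items():
        print(f"{name}: searched for {q.terms} in {q.locations}")
```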

Next to look into is the Start Menu, because that definitely has some search information! A brief check says I need to start looking in the appdata\local\packages folder first. Next time!
