
Windows Notification Analysis MCP Server

Provides automated extraction and analysis of Windows notification data from E01 images, enabling keyword search, app filters, timelines, and sensitive-content detection.

Installation
Add the following to your MCP client configuration file.

Configuration

{
  "mcpServers": {
    "hoihosick-windows-notification-analysis-mcp-server": {
      "command": "C:\\Path\\To\\Your\\notification-mcp-server\\.venv\\Scripts\\python.exe",
      "args": [
        "C:\\Path\\To\\Your\\notification-mcp-server\\server.py"
      ]
    }
  }
}

You can run a Windows-focused MCP server that extracts and analyzes the Windows notification database from E01 forensic images. It automatically finds per-user notification databases, parses notifications, and exposes the data for analysis with MCP-enabled agents.

How to use

You will connect an MCP client to the notification MCP server to perform forensic analysis. Use the provided tools to scan an E01 image, extract per-user notification databases, parse notifications, search by keywords, filter by app, build timelines, and extract sensitive content for reporting. The server is designed to work with agents like Claude Desktop, enabling an integrated workflow for forensic investigations.

How to install

Prerequisites you need before installing the server:

  • Windows host with PowerShell
  • Python 3.12 installed or available via a virtual environment tool
  • Internet access to install dependencies

Step 1. Create a Python 3.12 virtual environment and activate it

uv python install 3.12
uv venv .venv --python 3.12
.venv\Scripts\activate

Step 2. Install dependencies

uv pip install -r requirements.txt

Step 3. Configure the MCP server in the client configuration

{
  "mcpServers": {
    "notification-forensics": {
      "command": "C:\\Path\\To\\Your\\notification-mcp-server\\.venv\\Scripts\\python.exe",
      "args": [
        "C:\\Path\\To\\Your\\notification-mcp-server\\server.py"
      ]
    }
  }
}

Notes for configuration

- The path values in the configuration must reflect your actual installation location.

Additional configuration and notes

Key components you will interact with include modules that handle E01 image processing, notification parsing, XML parsing, and analytics. Typical workflow involves scanning an E01 image for notification databases, extracting per-user databases, parsing notifications, and performing searches, timelines, and statistics.

Important: Ensure the virtual environment path and server script path are correct in your client configuration before starting.

Output data formats and examples

Notifications are represented as structured JSON records with fields such as id, app_id, arrival_time, and payload_data including title, body, and sender. Statistics summarize total notifications, unique apps, time range, and per-app distribution.
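
The following is an added example, not the project's own code, showing how records of the shape described above and the summary statistics can be derived from notification rows. It assumes a reduced Notification/NotificationHandler table layout, FILETIME arrival times and toast XML payloads; the table rows, app IDs and function names are constructed for illustration.

```python
import sqlite3
import xml.etree.ElementTree as ET
from collections import Counter
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_iso(ft):
    # FILETIME counts 100 ns ticks since 1601-01-01 UTC.
    return (FILETIME_EPOCH + timedelta(microseconds=ft // 10)).isoformat()

def parse_toast(xml_bytes):
    # Evidence is untrusted input: refuse DTD/entity declarations before parsing.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        return {"title": None, "body": None, "error": "dtd_rejected"}
    try:
        texts = [t.text or "" for t in ET.fromstring(xml_bytes).iter("text")]
    except ET.ParseError:
        return {"title": None, "body": None, "error": "malformed_xml"}
    return {"title": texts[0] if texts else None, "body": " ".join(texts[1:]) or None}

def load_records(conn):
    rows = conn.execute(
        "SELECT n.Id, h.PrimaryId, n.ArrivalTime, n.Payload FROM Notification n "
        "JOIN NotificationHandler h ON h.RecordId = n.HandlerId ORDER BY n.ArrivalTime")
    return [{"id": i, "app_id": app, "arrival_time": filetime_to_iso(ts),
             "payload_data": parse_toast(xml)} for i, app, ts, xml in rows]

def statistics(records):
    times = [r["arrival_time"] for r in records]
    per_app = Counter(r["app_id"] for r in records)
    return {"total": len(records), "unique_apps": len(per_app),
            "time_range": (min(times), max(times)) if times else None,
            "per_app": dict(per_app)}

def build_sample_db():
    # Constructed rows; the table layout is an assumed, reduced wpndatabase.db schema.
    wrap = lambda a, b: (f'<toast><visual><binding template="ToastGeneric">'
                         f"<text>{a}</text><text>{b}</text></binding></visual></toast>").encode()
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE NotificationHandler (RecordId INTEGER PRIMARY KEY, PrimaryId TEXT)")
    conn.execute("CREATE TABLE Notification "
                 "(Id INTEGER PRIMARY KEY, HandlerId INTEGER, ArrivalTime INTEGER, Payload BLOB)")
    conn.executemany("INSERT INTO NotificationHandler VALUES (?, ?)",
                     [(1, "Example.Bank_0000!App"), (2, "Example.Chat_0000!App")])
    conn.executemany("INSERT INTO Notification VALUES (?, ?, ?, ?)", [
        (10, 1, 133485408000000000, wrap("Example Bank", "Your verification code is 000000")),
        (11, 2, 133485408600000000, wrap("Alice", "Lunch at noon?")),
        (12, 2, 133485444000000000, b'<!DOCTYPE toast [<!ENTITY a "x">]><toast/>')])
    return conn
```

Rejected and malformed payloads stay in the record set with an error marker, so the per-app counts and the time range still account for every row found in the database.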

Available tools

scan_e01_for_notification_dbs

Search an E01 image to locate Windows notification databases for extraction.

extract_notification_db

Extract the per-user notification database from the E01 image.

auto_analyze_e01_notifications

Automatically perform a comprehensive analysis of notifications found in an E01 image.

parse_all_notifications

Parse all notifications from the wpndatabase.db into structured data.

search_notifications

Search notifications by keyword to identify relevant records.

get_notifications_by_app

Retrieve notifications for a specific application.

get_notification_timeline

Generate a time-ordered timeline of notifications.

get_notification_statistics

Create statistics on notification usage and patterns.

list_notification_apps

List apps that sent notifications.

extract_sensitive_content

Extract notifications containing sensitive content based on keywords.
