WindowsMail.MSMessageStore Primer

Windows Mail is client based software for email and newsgroup management and was introduced with Microsoft Windows Vista. It is accessible on a Vista platform from the Start Menu under ‘Programs’.

This short article covers the file WindowsMail.MSMessageStore, part of the Windows Mail repository for email storage and archiving.

When using Windows Mail on a regular basis the user will be prompted to compact the message store upon program closure.

The process takes several minutes depending on the quantity of messages.

The settings relating to the message store can be accessed and viewed from the main menu of Windows Mail under ‘Tools’ > ‘Options’, then click the ‘Advanced’ tab and ‘Maintenance’ button (see picture below).

The maintenance window provides several pieces of information.

The default setting for prompting a user to compress the message store is 100 runs (see picture above). If this setting is changed to 1 for example the user would be prompted to compress the message store each time Windows Mail is closed.

The clean up window shows the current size of the message store and allows a user to perform general cleaning tasks. The picture below shows the message store is 78 megabytes.

The message store folder window displays the current path setting for the message store, the default location is:

<VOLUME>\Users\<PROFILE>\AppData\Local\Microsoft\Windows Mail

Reviewing email and attachments from Windows Mail can be easily achieved by creating a virtual machine of the host system and using the Windows Mail application to view and export information.¹

A utility called Windows Mail Store Extractor, part of Simple Carver Suite, will parse this data and provide a user with a summary of data contained within the WindowsMail.MSMessageStore.

1 Commercial forensic packages Encase, FTK etc support processing of .eml files and associated attachments (not covered in this article).