Lines Matching full:windows
3 # $File: windows,v 1.67 2024/11/09 22:43:01 christos Exp $
4 # windows: file(1) magic for Microsoft Windows
7 # using them are run almost always on MS Windows 3.x or
8 # above, or files only used exclusively in Windows OS,
10 # For example, even though WinZIP almost run on Windows
97 # Summary: Windows crash dump
104 # Note: called "Windows memory dump" by TrID
105 # and verified by like Windows Kit `Dumpchk.exe 043022-18703-01.dmp`
110 >4 string DUMP MS Windows 32bit crash dump
172 # Note: called "Windows 64bit Memory Dump" by TrID
174 >4 string DU64 MS Windows 64bit crash dump
177 # like: c:\Windows\Minidump\020322-18890-01.dmp c:\Windows\MEMORY.DMP
236 # https://learn.microsoft.com/en-us/troubleshoot/windows-server/performance/memory-dump-file-options
252 # URL: https://github.com/libyal/libevtx/blob/main/documentation/Windows%20XML%20Event%20Log%20(EV…
256 # Note: called "Vista Event Log" by TrID and "Event Log" by Windows
258 0 string ElfFile\0 MS Windows
262 # Major+Minor format version: 3.1~Vista and later 3.2~Windows 10 (2004) and later
274 # Summary: Windows Event Trace Log
278 # https://www.geoffchappell.com/studies/windows/km/ntoskrnl/api/etw/tracelog/trace_logfile_header.…
288 # display information of Windows Performance Analyzer Trace File (file name)
290 >0 ubyte x Windows Event Trace Log
297 # like: "c:\Windows\Logs\NetSetup\service.0.etl" "C:\Windows\System32\LogFiles\WMI\Wifi.etl"
300 # Summary: Windows System Deployment Image
363 # Summary: Windows boot status log BOOTSTAT.DAT
365 # Reference: https://www.geoffchappell.com/notes/windows/boot/bsd.htm
366 # Note: mainly refers to older Windows Vista, sometimes
375 >0 ulelong x Windows boot log
380 # apparently a version number: 2 for older like Vista, 3, 4 Windows 10
382 # apparently the size of the header: often 10h in older Windows, 14h, 18h
448 # \Windows\system32\winload.exe \Windows\system32\winload.efi
451 # Summary: Windows Error Report text files
455 # Note: in directories %ProgramData%\Microsoft\Windows\WER\{ReportArchive,ReportQueue}
456 # %LOCALAPPDATA%\Microsoft\Windows\WER\{ReportArchive,ReportQueue}
458 >22 lestring16 EventType Windows Error Report
463 # Summary: Windows 3.1 group files
466 0 string \120\115\103\103 MS Windows 3.1 group files
475 # check and then display version and date inside MS Windows HeLP file fragment
480 >>4 leshort 1 Windows
487 # version Minor of help file format is hint for windows version
488 # HC30 Windows 3.0 help file
490 # HC31 Windows 3.1 help file
494 # MVC or HCW 4.00 Windows 95
499 # to complete message string like "MS Windows 3.x help file"
526 # Note: called "Windows HELP File" by TrID, "Windows Help File" by DROID via PUID fmt/474 and
529 # ./windows (version 5.25) labeled the entry as "MS Windows 3.x help file"
535 >>0xD4 string =\x62\x6D\x66\x01\x00 Windows help annotation
541 >>>(4.l+0x65) search/26 |Pete Windows help Global Index
546 # "Windows HELP File" by TrID by hlp.trid.xml
594 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>8 lelong !0xFFffFFff Windows Multimedia Viewer Book
599 # remaining files should be HeLP Bookmark WinHlp32.BMK (XP 32-bit) or WinHlp32 (Windows 7 8.1 64-bi…
601 >>>>16 default x Windows help Bookmark
641 >(4.l+9) uleshort !0x293B MS Windows Multimedia Viewer Book
661 # display mime type and name of Windows help Content source
666 >>1 regex/c \^([^\xd>]*|.*\\.hlp) MS Windows help file Content, based "%s"
672 # Note: called "Windows Help Full-Text Search index" by TrID
673 # Windows creates a full text search from hlp file, if the user clicks the "Find" tab and enables k…
674 0 string tfMR MS Windows help Full Text Search index
677 # path of corresponding MS Windows help like: "C:\CDCREATR\creatr32.hlp" "C:\PROGRAMME\IPHOTO PLUS …
681 # Note: called "Windows Help Full-Text search Group" by TrID
682 0 string gfMR MS Windows help Full Text search Group
685 # path of corresponding FTS like: "C:\Windows\Help\winhlp32.FTS"
694 # Note: called "HyperTerminal data file" by TrID and "HyperTerminal File" on English Windows
696 >14 string 1.0\ --\ HyperTerminal\ data\ file MS Windows HyperTerminal profile
703 # Summary: Windows shortcut
709 # https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-SHLLINK/%5bMS-SHLLINK%…
710 # Note: called "Windows Shortcut" by TrID, "Microsoft Windows Shortcut" by DROID via PUID x-fmt/42…
714 0 string \114\0\0\0\001\024\002\0\0\0\0\0\300\0\0\0\0\0\0\106 MS Windows shortcut
937 # Reference: https://interoperability.blob.core.windows.net/files/MS-PST/%5bMS-PST%5d.pdf
962 # called "Microsoft Outlook email folder" in ./windows version 1.37 and older
1005 …~encryption with permutation 2~encryption with cyclic 16~encryption with Windows Information Prote…
1025 # Summary: Windows help cache
1027 0 string \164\146\115\122\012\000\000\000\001\000\000\000 MS Windows help cache
1039 0 string regf MS Windows registry file, NT/2000 or above
1040 0 string CREG MS Windows 95/98/ME registry file
1041 0 string SHCC3 MS Windows 3.1 registry file
1044 # Summary: Windows Registry text
1049 # Windows 3-9X variant
1053 >7 search/3 \n Windows Registry text
1056 # Windows 9X variant
1058 # Windows 2K ANSI variant
1059 0 string Windows\ Registry\ Editor\
1060 >&0 string Version\ 5.00\r\n\r\n Windows Registry text (Win2K or above)
1063 # Windows 2K UTF-16 variant
1064 2 lestring16 Windows\ Registry\ Editor\
1065 >0x32 lestring16 Version\ 5.00\r\n\r\n Windows Registry little-endian text (Win2K or above)
1067 #>&0 lestring16 Version\ 5.00\r\n\r\n Windows Registry little-endian text (Win2K or above)
1074 # instead binary hiv structure like Windows
1081 # Windows *.INF *.INI files updated by Joerg Jenderek at Apr 2013, Feb 2018
1090 # look for phrase of Windows policy ADMinistrative template (with starting remark)
1094 # if no Windows policy ADMinistrative template then Windows INItialization
1100 # check and then display Windows INItialization configuration
1105 # https://msdn.microsoft.com/en-us/library/windows/desktop/cc144200.aspx
1118 >>>&0 string !]\r\n[ Microsoft Windows Autorun file
1121 # https://msdn.microsoft.com/en-us/library/windows/hardware/ff549520(v=vs.85).aspx
1122 # version strings ASCII coded case-independent for Windows setup information script file
1123 >>&0 regex/c \^(version|strings)] Windows setup INFormation
1128 >>&0 regex/c \^(WinsockCRCList|OEMCPL)] Windows setup INFormation
1132 # https://msdn.microsoft.com/en-us/library/windows/desktop/cc144102.aspx
1134 >>&0 regex/1024c \^(\\.ShellClassInfo|DeleteOnCopy|LocalizedFileNames)] Windows desktop.ini
1138 >>&0 regex/c \^don't\ load] Windows CONTROL.INI
1141 >>&0 regex/c \^(ndishlp\\$|protman\\$|NETBEUI\\$)] Windows PROTOCOL.INI
1146 >>&0 regex/c \^(windows|Compatibility|embedding)] Windows WIN.INI
1150 >>&0 regex/c \^(boot|386enh|drivers)] Windows SYSTEM.INI
1154 >>&0 regex/c \^SafeList] Windows IOS.INI
1157 # https://en.wikipedia.org/wiki/NTLDR Windows Boot Loader information
1158 >>&0 regex/c \^boot\x20loader] Windows boot.ini
1181 >>&0 regex/c \^Windows\ (Latin|Cyrillic) Windows codepage translator
1189 # Note: called "Windows Explorer Command Shell File" by TrID and "File Explorer Command" by Window…
1190 >>&0 regex/c \^Shell]\r\n Windows Explorer Shell Command File
1249 >>>>&0 string/c version Windows setup INFormation
1258 # https://en.wikipedia.org/wiki/Initialization_file Windows Initialization File or other
1275 # look for phrase of Windows policy ADMinistrative template (UTF-16 by adm-uni.trid.xml)
1278 >>0 use windows-adm
1279 # if no Windows policy ADMinistrative template then Windows INFormation
1286 >>>>&3 lestring16 ersion] Windows setup INFormation
1290 >>>>&3 lestring16 trings] Windows setup INFormation
1294 >>>>&3 lestring16 ourceDisksNames] Windows setup INFormation
1303 >>>>>>&3 lestring16 ersion] Windows setup INFormation
1307 # Summary: Windows Policy ADMinistrative template
1315 >>0 use windows-adm
1317 >>0 use windows-adm
1318 # display information about Windows policy ADMinistrative template
1319 0 name windows-adm Windows Policy Administrative Template
1340 # Windows Precompiled INF files *.PNF added by Joerg Jenderek at Mar 2013 of _PNF_HEADER inf.h
1341 # http://read.pudn.com/downloads3/sourcecode/windows/248345/win2k/private/windows/setup/setupapi/in…
1342 # URL: http://fileformats.archiveteam.org/wiki/INF_(Windows)
1354 # skip few Adobe Photoshop Color swatch ("Mac OS.aco" TRUMATCH-Farben.aco Windows.aco) and some
1359 >0 uleshort x Windows Precompiled iNF
1362 # major version 1 for older Windows like XP and 3 since about Windows Vista
1363 # 101h~95-XP; 301h~Windows Vista-7 ; 302h~Windows 10 14393; 303h~Windows 10 18362-Windows11
1366 >0 uleshort =0x0101 (Windows
1369 >0 uleshort =0x0301 (Windows Vista-8.1)
1370 >0 uleshort =0x0302 (Windows 10 older)
1371 >0 uleshort =0x0303 (Windows 10-11)
1372 # 1 ,2 (windows 98 SE)
1414 # for Windows 98, XP
1433 # normally unicoded C:\Windows
1438 # normally ASCII C:\WINDOWS
1439 #>>>>(68.l) string =C:\\WINDOWS \b, WinDirPath "%s"
1440 >>>>(68.l) string !C:\\WINDOWS
1468 # for newer Windows like Vista, 7 , 8.1 , 10
1472 # normally unicoded C:\Windows
1485 # Summary: backup file created with utility like NTBACKUP.EXE shipped with Windows NT/2K/XP/2003
1499 >>>>4 ulelong&0xFFfcFFe0 0 Windows NTbackup archive
1673 # Windows Imaging (WIM) Image
1678 # fefdc36e-392d-4678-9e4e-771ffa2692ab/Windows%20Imaging%20File%20Format.rtf
1687 >0 string x Windows imaging
1690 # Magdir/windows, 760: Warning: Current entry does not yet have a description
1706 # look for archive member RunTime.xml like in Microsoft.Windows.Cosa.Desktop.Client.ppkg
1709 # if it is not a Windows provisioning package, then it is a WIM
1772 # Note: called "Windows Easy Transfer migration data" by TrID,
1774 0 string 1giM Windows Easy Transfer migration data
1800 # Summary: Windows Performance Monitor Alert
1804 # Note: called "Windows Performance Monitor Alert" by TrID
1806 >4 ubyte =0 Windows Performance Monitor Alert
1860 # URL: https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/rdp…
1895 # URL: https://learn.microsoft.com/en-us/previous-versions/windows/desktop/policy/registry-policy-f…
1907 # The MSFT format is generated by the Windows CreateTypeLib2 API: https://learn.microsoft.com/en-us…
1908 # The SLTG format is generated by the Windows CreateTypeLib API: https://learn.microsoft.com/en-us/…