
#------------------------------------------------------------------------------
# $File: windows,v 1.14 2015/12/15 01:06:17 christos Exp $
# windows: file(1) magic for Microsoft Windows
#
# This file is mainly reserved for files whose programs run
# almost always on MS Windows 3.x or above, or for files used
# exclusively under Windows, where no better category exists.
# For example, even though WinZip runs almost only on Windows,
# its archives are better treated as "archive" instead.
# For formats usable under DOS, such as generic executable
# formats, please add the entry to the "msdos" file.
#


# Summary: Outlook Express DBX file
# Extension: .dbx
# Created by: Christophe Monniez
0	string	\xCF\xAD\x12\xFE	MS Outlook Express DBX file
>4	byte	=0xC5		\b, message database
>4	byte	=0xC6		\b, folder database
>4	byte	=0xC7		\b, account information
>4	byte	=0x30		\b, offline database


# Summary: Windows crash dump
# Extension: .dmp
# Created by: Andreas Schuster (http://computer.forensikblog.de/)
# Reference (1): http://computer.forensikblog.de/en/2008/02/64bit_magic.html
# Modified by (1): Abel Cheung (Avoid match with first 4 bytes only)
0	string	PAGE
# DUMP_HEADER32: PaeEnabled at 0x5c, NumberOfPages at 0x68, DumpType at 0xf88
>4	string	DUMP		MS Windows 32bit crash dump
>>0x05c	byte	0		\b, no PAE
>>0x05c	byte	1		\b, PAE
>>0xf88	lelong	1		\b, full dump
>>0xf88	lelong	2		\b, kernel dump
>>0xf88	lelong	3		\b, small dump
>>0x068	lelong	x		\b, %d pages
# DUMP_HEADER64: NumberOfPages at 0x90, DumpType at 0xf98
>4	string	DU64		MS Windows 64bit crash dump
>>0xf98	lelong	1		\b, full dump
>>0xf98	lelong	2		\b, kernel dump
>>0xf98	lelong	3		\b, small dump
>>0x090	lequad	x		\b, %lld pages


# Summary: Vista Event Log
# Extension: .evtx
# Created by: Andreas Schuster (http://computer.forensikblog.de/)
# Reference (1): http://computer.forensikblog.de/en/2007/05/some_magic.html
# file header: last chunk number at 0x10, next record id at 0x18,
# chunk count at 0x2a, file flags at 0x78 (1 DIRTY, 2 FULL)
0	string	ElfFile\0	MS Windows Vista Event Log
>0x2a	leshort	x		\b, %d chunks
>>0x10	lelong	x		\b (no. %d in use)
>0x18	lelong	>1		\b, next record no. %d
>0x18	lelong	=1		\b, empty
>0x78	lelong	&1		\b, DIRTY
>0x78	lelong	&2		\b, FULL


# Summary: Windows 3.1 group files
# Extension: .grp
# Created by: unknown
0	string	\120\115\103\103	MS Windows 3.1 group files


# Summary: Old format help files
# URL: https://en.wikipedia.org/wiki/WinHelp
# Reference: http://www.oocities.org/mwinterhoff/helpfile.htm
# Update: Joerg Jenderek
# Created by: Dirk Jagdmann <doj@cubic.org>
#
# check and then display version and date inside MS Windows HeLP file fragment
0	name	help-ver-date
# look for Magic of SYSTEMHEADER
>0	leshort	0x036C
# version Major 1 for right file fragment
>>4	leshort	1		Windows
# print non empty string above to avoid error message
# Warning: Current entry does not yet have a description for adding a MIME type
!:mime	application/winhelp
!:ext	hlp
# version Minor of help file format is a hint for the Windows version
>>>2	leshort	0x0F		3.x
>>>2	leshort	0x15		3.0
>>>2	leshort	0x21		3.1
>>>2	leshort	0x27		x.y
>>>2	leshort	0x33		95
>>>2	default	x		y.z
>>>>2	leshort	x		0x%x
# to complete message string like "MS Windows 3.x help file"
>>>2	leshort	x		help
# GenDate is often older than the file creation date
>>>6	ldate	x		\b, %s
#
# Magic for HeLP files
0	lelong	0x00035f3f
# ./windows (version 5.25) labeled the entry as "MS Windows 3.x help file"
# file header magic 0x293B at DirectoryStart+9
>(4.l+9)	uleshort	0x293B	MS
# look for @VERSION bmf.. like IBMAVW.ANN
>>0xD4	string	=\x62\x6D\x66\x01\x00	Windows help annotation
!:mime	application/x-winhelp
!:ext	ann
>>0xD4	string	!\x62\x6D\x66\x01\x00
# "GID Help index" by TrID
>>>(4.l+0x65)	string	=|Pete	Windows help Global Index
!:mime	application/x-winhelp
!:ext	gid
# HeLP Bookmark or
# "Windows HELP File" by TrID
>>>(4.l+0x65)	string	!|Pete
# there may be a cleaner way to detect HeLP fragments:
# brute-force search for magic 0x036C with a matching major version, at most 7 iterations
# discapp.hlp
>>>>16	search/0x49AF/s	\x6c\x03
>>>>>&0	use	help-ver-date
>>>>>&4	leshort	!1
# putty.hlp
>>>>>>&0	search/0x69AF/s	\x6c\x03
>>>>>>>&0	use	help-ver-date
>>>>>>>&4	leshort	!1
>>>>>>>>&0	search/0x49AF/s	\x6c\x03
>>>>>>>>>&0	use	help-ver-date
>>>>>>>>>&4	leshort	!1
>>>>>>>>>>&0	search/0x49AF/s	\x6c\x03
>>>>>>>>>>>&0	use	help-ver-date
>>>>>>>>>>>&4	leshort	!1
>>>>>>>>>>>>&0	search/0x49AF/s	\x6c\x03
>>>>>>>>>>>>>&0	use	help-ver-date
>>>>>>>>>>>>>&4	leshort	!1
>>>>>>>>>>>>>>&0	search/0x49AF/s	\x6c\x03
>>>>>>>>>>>>>>>&0	use	help-ver-date
>>>>>>>>>>>>>>>&4	leshort	!1
>>>>>>>>>>>>>>>>&0	search/0x49AF/s	\x6c\x03
# GCC.HLP is detected after 7 iterations
>>>>>>>>>>>>>>>>>&0	use	help-ver-date
# only reached for bigger hlp files whose SYSTEMHEADER lies beyond the search iterations above
>>>>>>>>>>>>>>>>>&4	leshort	!1	Windows y.z help
!:mime	application/winhelp
!:ext	hlp
# repeat the search, otherwise the following default line does not work
>>>>16	search/0x49AF/s	\x6c\x03
# remaining files should be HeLP Bookmark WinHlp32.BMK (XP 32-bit) or WinHlp32 (Windows 8.1 64-bit)
>>>>16	default	x		Windows help Bookmark
!:mime	application/x-winhelp
!:ext	bmk
## FirstFreeBlock normally FFFFFFFFh 10h for *ANN
##>>8	lelong	x		\b, FirstFreeBlock 0x%8.8x
# EntireFileSize
>>12	lelong	x		\b, %d bytes
## ReservedSpace normally 042Fh AFh for *.ANN
#>>(4.l)	lelong	x		\b, ReservedSpace 0x%8.8x
## UsedSpace normally 0426h A6h for *.ANN
#>>(4.l+4)	lelong	x		\b, UsedSpace 0x%8.8x
## FileFlags normally 04...
#>>(4.l+5)	lelong	x		\b, FileFlags 0x%8.8x
## file header magic 0x293B
#>>(4.l+9)	uleshort	x	\b, file header magic 0x%4.4x
## file header Flags 0x0402
#>>(4.l+11)	uleshort	x	\b, file header Flags 0x%4.4x
## file header PageSize 0400h 80h for *.ANN
#>>(4.l+13)	uleshort	x	\b, PageSize 0x%4.4x
## Structure[16] z4
#>>(4.l+15)	string	>\0	\b, Structure_"%-.16s"
## MustBeZero 0
#>>(4.l+31)	uleshort	x	\b, MustBeZero 0x%4.4x
## PageSplits
#>>(4.l+33)	uleshort	x	\b, PageSplits 0x%4.4x
## RootPage
#>>(4.l+35)	uleshort	x	\b, RootPage 0x%4.4x
## MustBeNegOne 0xffff
#>>(4.l+37)	uleshort	x	\b, MustBeNegOne 0x%4.4x
## TotalPages 1
#>>(4.l+39)	uleshort	x	\b, TotalPages 0x%4.4x
## NLevels 0x0001
#>>(4.l+41)	uleshort	x	\b, NLevels 0x%4.4x
## TotalBtreeEntries
#>>(4.l+43)	ulelong	x	\b, TotalBtreeEntries 0x%8.8x
## pages of the B+ tree
#>>(4.l+47)	ubequad	x	\b, PageStart 0x%16.16llx

# starts with colon or semicolon for a comment line, like Back2Life.cnt
0	regex	\^(:|;)
# look for first keyword Base
>0	search/45	:Base
>>&0	use	cnt-name
# the only solution is to search again from the beginning, because relative offsets change when use is called
>0	search/45	:Base
>0	default	x
# look for other keyword Title like in putty.cnt
>>0	search/45	:Title
>>>&0	use	cnt-name
#
# display mime type and name of Windows help Content source
0	name	cnt-name
# skip space at beginning
>0	string	\ 
# name without extension and greater-than character, or name with hlp extension
>>1	regex/c	\^([^\xd>]*|.*\.hlp)	MS Windows help file Content, based "%s"
!:mime	text/plain
!:apple	????TEXT
!:ext	cnt
#
# Windows creates a full-text search index from a hlp file when the user clicks the "Find" tab and enables keyword indexing
0	string	tfMR		MS Windows help Full Text Search index
!:mime	application/x-winhelp-fts
!:ext	fts
>16	string	>\0		for "%s"

# Summary: HyperTerminal
# Extension: .ht
# Created by: unknown
0	string	HyperTerminal\ 
>15	string	1.0\ --\ HyperTerminal\ data\ file	MS Windows HyperTerminal profile

# http://ithreats.files.wordpress.com/2009/05/\
# lnk_the_windows_shortcut_file_format.pdf
# Summary: Windows shortcut
# Extension: .lnk
# Created by: unknown
# HeaderSize 0x4C ('L') + LinkCLSID {00021401-0000-0000-C000-000000000046}
0	string	\114\0\0\0\001\024\002\0\0\0\0\0\300\0\0\0\0\0\0\106	MS Windows shortcut
# LinkFlags
>20	lelong&1	1		\b, Item id list present
>20	lelong&2	2		\b, Points to a file or directory
>20	lelong&4	4		\b, Has Description string
>20	lelong&8	8		\b, Has Relative path
>20	lelong&16	16		\b, Has Working directory
>20	lelong&32	32		\b, Has command line arguments
>20	lelong&64	64		\b, Icon
>>56	lelong	x		\b number=%d
# FileAttributes: FILE_ATTRIBUTE_* values as in MS-SHLLINK 2.1.2;
# 0x40 (FILE_ATTRIBUTE_DEVICE) is reserved and not reported,
# FILE_ATTRIBUTE_ENCRYPTED is 0x4000
>24	lelong&1	1		\b, Read-Only
>24	lelong&2	2		\b, Hidden
>24	lelong&4	4		\b, System
>24	lelong&8	8		\b, Volume Label
>24	lelong&16	16		\b, Directory
>24	lelong&32	32		\b, Archive
>24	lelong&128	128		\b, Normal
>24	lelong&256	256		\b, Temporary
>24	lelong&512	512		\b, Sparse
>24	lelong&1024	1024		\b, Reparse point
>24	lelong&2048	2048		\b, Compressed
>24	lelong&4096	4096		\b, Offline
>24	lelong&8192	8192		\b, Not content indexed
>24	lelong&16384	16384		\b, Encrypted
# FILETIMEs in MS-SHLLINK order: CreationTime, AccessTime, WriteTime
>28	leqwdate	x		\b, ctime=%s
>36	leqwdate	x		\b, atime=%s
>44	leqwdate	x		\b, mtime=%s
>52	lelong	x		\b, length=%u, window=
# ShowCommand is an SW_* value, not a bit mask; MS-SHLLINK treats
# every value other than 1, 3 and 7 as SW_SHOWNORMAL
>60	lelong	0		\bhide
>60	lelong	1		\bnormal
>60	lelong	2		\bshowminimized
>60	lelong	3		\bshowmaximized
>60	lelong	4		\bshownoactivate
>60	lelong	5		\bshow
>60	lelong	6		\bminimize
>60	lelong	7		\bshowminnoactive
>60	lelong	8		\bshowna
>60	lelong	9		\brestore
>60	lelong	10		\bshowdefault
>60	lelong	>10		\b0x%x
#>20	lelong&1	0
#>>20	lelong&2	2
#>>>(72.l-64)	pstring/h	x	\b [%s]
#>20	lelong&1	1
#>>20	lelong&2	2
#>>>(72.s)	leshort	x
#>>>&75	pstring/h	x		\b [%s]

# Summary: Outlook Personal Folders
# Created by: unknown
0	lelong	0x4E444221	Microsoft Outlook email folder
>10	leshort	0x0e		(<=2002)
>10	leshort	0x17		(>=2003)


# Summary: Windows help cache
# Created by: unknown
0	string	\164\146\115\122\012\000\000\000\001\000\000\000	MS Windows help cache


# Summary: IE cache file
# Created by: Christophe Monniez
0	string	Client\ UrlCache\ MMF	Internet Explorer cache file
>20	string	>\0		version %s


# Summary: Registry files
# Created by: unknown
# Modified by (1): Joerg Jenderek
0	string	regf		MS Windows registry file, NT/2000 or above
0	string	CREG		MS Windows 95/98/ME registry file
0	string	SHCC3		MS Windows 3.1 registry file


# Summary: Windows Registry text
# Extension: .reg
# Submitted by: Abel Cheung <abelcheung@gmail.com>
0	string	REGEDIT4\r\n\r\n	Windows Registry text (Win95 or above)
0	string	Windows\ Registry\ Editor\ 
>&0	string	Version\ 5.00\r\n\r\n	Windows Registry text (Win2K or above)

# Windows *.INF *.INI files updated by Joerg Jenderek at Apr 2013
# empty line, comment, or section
# PR/383: remove unicode BOM because it is not portable across regex impls
0	regex/s	\\`(\\r\\n|;|[[])
# left bracket in section line
>&0	search/8192	[
# http://en.wikipedia.org/wiki/Autorun.inf
# http://msdn.microsoft.com/en-us/library/windows/desktop/cc144200.aspx
>>&0	regex/c	\^(autorun)]\r\n
>>>&0	ubyte	=0x5b		INItialization configuration
!:mime	application/x-wine-extension-ini
# From: Pal Tamas <folti@balabit.hu>
# Autorun File
>>>&0	ubyte	!0x5b		Microsoft Windows Autorun file
!:mime	application/x-setupscript
# http://msdn.microsoft.com/en-us/library/windows/hardware/ff549520(v=vs.85).aspx
# version strings ASCII coded case-independent for Windows setup information script file
>>&0	regex/c	\^(version|strings)]	Windows setup INFormation
!:mime	application/x-setupscript
#!:mime	application/inf
#!:mime	application/x-wine-extension-inf
>>&0	regex/c	\^(WinsockCRCList|OEMCPL)]	Windows setup INFormation
!:mime	text/inf
# http://www.winfaq.de/faq_html/Content/tip2500/onlinefaq.php?h=tip2653.htm
# http://msdn.microsoft.com/en-us/library/windows/desktop/cc144102.aspx
# .ShellClassInfo DeleteOnCopy LocalizedFileNames ASCII coded case-independent
>>&0	regex/c	\^(\.ShellClassInfo|DeleteOnCopy|LocalizedFileNames)]	Windows desktop.ini
!:mime	application/x-wine-extension-ini
#!:mime	text/plain
# http://support.microsoft.com/kb/84709/
>>&0	regex/c	\^(don't\ load)]	Windows CONTROL.INI
!:mime	application/x-wine-extension-ini
>>&0	regex/c	\^(ndishlp\\$|protman\\$|NETBEUI\\$)]	Windows PROTOCOL.INI
!:mime	application/x-wine-extension-ini
# http://technet.microsoft.com/en-us/library/cc722567.aspx
# http://www.winfaq.de/faq_html/Content/tip0000/onlinefaq.php?h=tip0137.htm
>>&0	regex/c	\^(windows|Compatibility|embedding)]	Windows WIN.INI
!:mime	application/x-wine-extension-ini
# http://en.wikipedia.org/wiki/SYSTEM.INI
>>&0	regex/c	\^(boot|386enh|drivers)]	Windows SYSTEM.INI
!:mime	application/x-wine-extension-ini
# http://www.mdgx.com/newtip6.htm
>>&0	regex/c	\^(SafeList)]	Windows IOS.INI
!:mime	application/x-wine-extension-ini
# http://en.wikipedia.org/wiki/NTLDR Windows Boot Loader information
>>&0	regex/c	\^(boot\x20loader)]	Windows boot.ini
!:mime	application/x-wine-extension-ini
>>>&0	ubyte	x
# http://en.wikipedia.org/wiki/CONFIG.SYS
>>&0	regex/c	\^(menu)]\r\n	MS-DOS CONFIG.SYS
# http://support.microsoft.com/kb/118579/
>>&0	regex/c	\^(Paths)]\r\n	MS-DOS MSDOS.SYS
# VERS string unicoded case-independent (the 00 high byte of the "[" comes first)
>>&0	ubequad&0xFFdfFFdfFFdfFFdf	0x0056004500520053
# ION] string unicoded case-independent
>>>&0	ubequad&0xFFdfFFdfFFdfFFff	0x0049004f004e005d	Windows setup INFormation
!:mime	application/x-setupscript
# STRI string unicoded case-independent
>>&0	ubequad&0xFFdfFFdfFFdfFFdf	0x0053005400520049
# NGS] string unicoded case-independent
>>>&0	ubequad&0xFFdfFFdfFFdfFFff	0x004e00470053005D	Windows setup INFormation
!:mime	application/x-setupscript
# unknown keyword after opening bracket
>>&0	default	x
>>>&0	search/8192	[
# version Strings FileIdentification
>>>>&0	string/c	version	Windows setup INFormation
!:mime	application/x-setupscript
# VERS string unicoded case-independent
>>>>&0	ubequad&0xFFdfFFdfFFdfFFdf	0x0056004500520053
# ION] string unicoded case-independent
>>>>>&0	ubequad&0xFFdfFFdfFFdfFFff	0x0049004f004e005d	Windows setup INFormation
!:mime	application/x-setupscript
# http://en.wikipedia.org/wiki/Initialization_file Windows Initialization File or other
#>>>>&0	default	x		Generic INItialization configuration
#!:mime	application/x-wine-extension-ini

# Windows Precompiled INF files *.PNF added by Joerg Jenderek at Mar 2013 from _PNF_HEADER in inf.h
# http://read.pudn.com/downloads3/sourcecode/windows/248345/win2k/private/windows/setup/setupapi/inf.h__.htm
# GRR: the line below is too general, as it also catches PDP-11 UNIX/RT ldp
0	leshort&0xFeFe	0x0000
!:strength	-5
# test for unused null bits in PNF_FLAGs
>4	ulelong&0xFCffFe00	0x00000000
# only found 58h for Offset of WinDirPath immediately after _PNF_HEADER structure
>>68	ulelong	>0x57
# test for zero high byte of InfValueBlockSize, followed by WinDirPath like
# C:\WINDOWS (ASCII 0x433a5c.. , unicode 0x43003a005c..) or X:\MININT
>>>(68.l-1)	ubelong&0xffE0C519	=0x00400018	Windows Precompiled iNF
!:mime	application/x-pnf
# currently only found Major Version=1 and Minor Version=1
#>>>>0	uleshort	=0x0101
#>>>>>1	ubyte	x		\b, version %u
#>>>>>0	ubyte	x		\b.%u
>>>>0	uleshort	!0x0101
>>>>>1	ubyte	x		\b, version %u
>>>>>0	ubyte	x		\b.%u
# 1 ,2 (windows 98 SE)
#>>>>2	uleshort	=2		\b, InfStyle %u
>>>>2	uleshort	!2		\b, InfStyle %u
# PNF_FLAG_IS_UNICODE		0x00000001
# PNF_FLAG_HAS_STRINGS		0x00000002
# PNF_FLAG_SRCPATH_IS_URL	0x00000004
# PNF_FLAG_HAS_VOLATILE_DIRIDS	0x00000008
# PNF_FLAG_INF_VERIFIED		0x00000010
# PNF_FLAG_INF_DIGITALLY_SIGNED	0x00000020
# ??				0x00000100
# ??				0x01000000
# ??				0x02000000
>>>>4	ulelong&0x00000001	0x00000001	\b, unicoded
>>>>4	ulelong&0x00000020	0x00000020	\b, digitally signed
#>>>>8	ulelong	x		\b, InfSubstValueListOffset 0x%x
# many 0, 1 lmouusb.PNF, 2 linkfx10.PNF , f webfdr16.PNF
#>>>>12	uleshort	x		\b, InfSubstValueCount 0x%x
# only < 9 found
#>>>>14	uleshort	x		\b, InfVersionDatumCount 0x%x
# only values lower than 0x0000ffff found
#>>>>16	ulelong	x		\b, InfVersionDataSize 0x%x
# only positive values lower than 0x00ffFFff found for InfVersionDataOffset
>>>>20	ulelong	x		\b, at 0x%x
>>>>4	ulelong&0x00000001	=0x00000001
# case independent: CatalogFile Class DriverVer layoutfile LayoutFile SetupClass signature Signature
>>>>>(20.l)	lestring16	x	"%s"
>>>>4	ulelong&0x00000001	!0x00000001
>>>>>(20.l)	string	x		"%s"
# FILETIME is number of 100-nanosecond intervals since 1 January 1601
#>>>>24	ulequad	x		\b, InfVersionLastWriteTime %16.16llx
# only values lower than 0x00ffFFff found
#>>>>32	ulelong	x		\b, StringTableBlockOffset 0x%x
#>>>>36	ulelong	x		\b, StringTableBlockSize 0x%x
#>>>>40	ulelong	x		\b, InfSectionCount 0x%x
#>>>>44	ulelong	x		\b, InfSectionBlockOffset 0x%x
#>>>>48	ulelong	x		\b, InfSectionBlockSize 0x%x
#>>>>52	ulelong	x		\b, InfLineBlockOffset 0x%x
#>>>>56	ulelong	x		\b, InfLineBlockSize 0x%x
#>>>>60	ulelong	x		\b, InfValueBlockOffset 0x%x
#>>>>64	ulelong	x		\b, InfValueBlockSize 0x%x
# WinDirPathOffset
#>>>>68	ulelong	x		\b, at 0x%x
>>>>68	ulelong	>0x57
>>>>>4	ulelong&0x00000001	=0x00000001
>>>>>>(68.l)	ubequad	=0x43003a005c005700
# normally unicoded C:\Windows
#>>>>>>>(68.l)	lestring16	x	\b, WinDirPath "%s"
>>>>>>(68.l)	ubequad	!0x43003a005c005700
>>>>>>>(68.l)	lestring16	x	\b, WinDirPath "%s"
>>>>>4	ulelong&0x00000001	!0x00000001
# normally ASCII C:\WINDOWS
#>>>>>>(68.l)	string	=C:\\WINDOWS	\b, WinDirPath "%s"
>>>>>>(68.l)	string	!C:\\WINDOWS	\b, WinDirPath "%s"
# found OsLoaderPathOffset values often 0 , once 70h corelist.PNF, once 68h ASCII machine.PNF
#>>>>72	ulelong	>0		\b, at 0x%x
>>>>72	ulelong	>0		\b,
>>>>>4	ulelong&0x00000001	=0x00000001
>>>>>>(72.l)	lestring16	x	OsLoaderPath "%s"
>>>>>4	ulelong&0x00000001	!0x00000001
# seldom "C:\" instead of empty
>>>>>>(72.l)	string	x		OsLoaderPath "%s"
# 1fdh
#>>>>76	uleshort	x		\b, StringTableHashBucketCount 0x%x
>>>>78	uleshort	!0x407		\b, LanguageId %x
# only 407h found
#>>>>78	uleshort	=0x407		\b, LanguageId %x
# InfSourcePathOffset often 0
#>>>>80	ulelong	>0		\b, at 0x%x
>>>>80	ulelong	>0		\b,
>>>>>4	ulelong&0x00000001	=0x00000001
>>>>>>(80.l)	lestring16	x	SourcePath "%s"
>>>>>4	ulelong&0x00000001	!0x00000001
>>>>>>(80.l)	string	>\0		SourcePath "%s"
# OriginalInfNameOffset often 0
#>>>>84	ulelong	>0		\b, at 0x%x
>>>>84	ulelong	>0		\b,
>>>>>4	ulelong&0x00000001	=0x00000001
>>>>>>(84.l)	lestring16	x	InfName "%s"
>>>>>4	ulelong&0x00000001	!0x00000001
>>>>>>(84.l)	string	>\0		InfName "%s"

# Summary: backup file created with a utility like NTBACKUP.EXE shipped with Windows NT/2K/XP/2003
# Extension: .bkf
# Created by: Joerg Jenderek
# URL: http://en.wikipedia.org/wiki/NTBackup
# Reference: http://laytongraphics.com/mtf/MTF_100a.PDF
# Descriptor BloCK name of Microsoft Tape Format
0	string	TAPE
# Format Logical Address is zero
>20	ulequad	0
# Reserved for MBC is zero
>>28	uleshort	0
# Control Block ID is zero
>>>36	ulelong	0
# BIT4-BIT15, BIT18-BIT31 of block attributes are unused
>>>>4	ulelong&0xFFfcFFe0	0	Windows NTbackup archive
#!:mime	application/x-ntbackup
!:ext	bkf
# OS ID
>>>>>10	ubyte	1		\b NetWare
>>>>>10	ubyte	13		\b NetWare SMS
>>>>>10	ubyte	14		\b NT
>>>>>10	ubyte	24		\b 3
>>>>>10	ubyte	25		\b OS/2
>>>>>10	ubyte	26		\b 95
>>>>>10	ubyte	27		\b Macintosh
>>>>>10	ubyte	28		\b UNIX
# OS Version (2)
#>>>>>11	ubyte	x		OS V=%x
# MTF_CONTINUATION Media Sequence Number > 1
#>>>>>4	ulelong&0x00000001	!0	\b, continued
# MTF_COMPRESSION
>>>>>4	ulelong&0x00000004	!0	\b, compressed
# MTF_EOS_AT_EOM End Of Medium was hit during end of set processing
>>>>>4	ulelong&0x00000008	!0	\b, End Of Medium hit
>>>>>4	ulelong&0x00020000	0
# MTF_SET_MAP_EXISTS A Media Based Catalog Set Map may exist on tape
>>>>>>4	ulelong&0x00010000	!0	\b, with catalog
# MTF_FDD_ALLOWED However File/Directory Detail can only exist if a Set Map is also present
>>>>>4	ulelong&0x00020000	!0	\b, with file catalog
# Offset To First Event 238h,240h,28Ch
#>>>>>8	uleshort	x		\b, event offset %4.4x
# Displayable Size (20e0230h 20e024ch 20e0224h)
#>>>>>8	ulequad	x		dis. size %16.16llx
# Media Family ID (455288C4h 4570BD1Ah 45708F2Fh 4570BBF5h)
#>>>>>52	ulelong	x		family ID %8.8x
# TAPE Attributes (3)
#>>>>>56	ulelong	x		TAPE %8.8x
# Media Sequence Number
>>>>>60	uleshort	>1		\b, sequence %u
# Password Encryption Algorithm (3)
>>>>>62	uleshort	>0		\b, 0x%x encrypted
# Soft Filemark Block Size * 512 (2)
#>>>>>64	uleshort	=2		\b, soft size %u*512
>>>>>64	uleshort	!2		\b, soft size %u*512
# Media Based Catalog Type (1,2)
#>>>>>66	uleshort	x		\b, catalog type %4.4x
# size of Media Name (66,68,6Eh)
>>>>>68	uleshort	>0
# offset of Media Name (5Eh)
>>>>>>70	uleshort	>0
# string type: 0~none, 1~ANSI, 2~UNICODE
>>>>>>>48	ubyte	1
# size-terminated ANSI string, normally followed by "MTF Media Label"
>>>>>>>>(70.s)	string	>\0	\b, name: %s
>>>>>>>48	ubyte	2
# not NUL-terminated but size-terminated Unicode string
>>>>>>>>(70.s)	lestring16	x	\b, name: %s
# size of Media Label (104h)
>>>>>72	uleshort	>0
# offset of Media Label (C4h,C6h,CCh)
>>>>>74	uleshort	>0
>>>>>>48	ubyte	1
# Tag|Version|Vendor|Vendor ID|Creation Time Stamp|Cartridge Label|Side|Media ID|Media Domain ID|Vendor Specific fields
>>>>>>>(74.s)	string	>\0	\b, label: %s
>>>>>>48	ubyte	2
>>>>>>>(74.s)	lestring16	x	\b, label: %s
# size of password name (0,1Ch)
#>>>>>76	uleshort	>0		\b, password size %4.4x
# Software Vendor ID (CBEh)
>>>>>86	uleshort	x		\b, software (0x%x)
# size of Software Name (6Eh)
>>>>>80	uleshort	>0
# offset of Software Name (1C8h,1CAh,1D0h)
>>>>>>82	uleshort	>0
# 1~ANSI, 2~UNICODE
>>>>>>>48	ubyte	1
>>>>>>>>(82.s)	string	>\0	\b: %s
>>>>>>>48	ubyte	2
# size-terminated Unicode string, normally followed by "SPAD"
>>>>>>>>(82.s)	lestring16	x	\b: %s
# Format Logical Block Size (512,1024)
#>>>>>84	uleshort	=1024		\b, block size %u
>>>>>84	uleshort	!1024		\b, block size %u
# Media Date of MTF_DATE_TIME type with 5 bytes
#>>>>>>88	ubequad	x		DATE %16.16llx
# MTF Major Version (1)
#>>>>>>93	ubyte	x		\b, MTF version %x
#

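The shortcut, event-log and crash-dump entries above are each a list of fixed-offset field tests. The reader below is an added example written for this page; it is not code from the file(1) sources or from libmagic. It decodes the same header fields with plain struct offsets so the bit masks and time fields can be checked outside of file(1). Field names and order for the ShellLinkHeader are taken from MS-SHLLINK (CreationTime, AccessTime, WriteTime; ShowCommand is an SW_* value rather than a bit mask; FILE_ATTRIBUTE_ENCRYPTED is 0x4000); the EVTX and DUMP_HEADER offsets are the ones the magic entries test. The sample inputs are constructed inline and are not captured files; everything past the EVTX file header (the chunks) is not parsed.

```python
"""Read the fixed-offset headers that the .lnk, .evtx and .dmp magic entries test.
Added example, not part of file(1). Sample inputs are constructed, not captured."""
import struct
from datetime import datetime, timedelta, timezone

# HeaderSize 0x4C ("L") + LinkCLSID {00021401-0000-0000-C000-000000000046}
LNK_MAGIC = b"L\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00F"
EVTX_MAGIC = b"ElfFile\x00"
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

LINK_FLAGS = {0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
              0x08: "HasRelativePath", 0x10: "HasWorkingDir", 0x20: "HasArguments",
              0x40: "HasIconLocation"}
# FILE_ATTRIBUTE_* values (MS-SHLLINK 2.1.2); 0x40 is reserved, Encrypted is 0x4000
FILE_ATTRS = {0x0001: "ReadOnly", 0x0002: "Hidden", 0x0004: "System",
              0x0008: "VolumeLabel", 0x0010: "Directory", 0x0020: "Archive",
              0x0080: "Normal", 0x0100: "Temporary", 0x0200: "Sparse",
              0x0400: "ReparsePoint", 0x0800: "Compressed", 0x1000: "Offline",
              0x2000: "NotContentIndexed", 0x4000: "Encrypted"}
# ShowCommand is a value, not a bit mask; any other value means SW_SHOWNORMAL
SHOW_COMMANDS = {1: "SW_SHOWNORMAL", 3: "SW_SHOWMAXIMIZED", 7: "SW_SHOWMINNOACTIVE"}
DUMP_TYPES = {1: "full", 2: "kernel", 3: "small"}


def filetime_to_iso(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC (what magic's leqwdate prints)."""
    return (EPOCH_1601 + timedelta(microseconds=ft // 10)).isoformat()


def parse_lnk_header(data):
    """Decode the 76-byte ShellLinkHeader (MS-SHLLINK 2.1)."""
    if len(data) < 76 or data[:20] != LNK_MAGIC:
        raise ValueError("not a Windows shortcut (HeaderSize/LinkCLSID mismatch)")
    # LinkFlags, FileAttributes, CreationTime, AccessTime, WriteTime, FileSize,
    # IconIndex (signed), ShowCommand -- offsets 20..63
    flags, attrs, ctime, atime, wtime, size, icon, show = struct.unpack_from(
        "<IIQQQIiI", data, 20)
    return {
        "link_flags": [n for b, n in LINK_FLAGS.items() if flags & b],
        "file_attributes": [n for b, n in FILE_ATTRS.items() if attrs & b],
        "ctime": filetime_to_iso(ctime),
        "atime": filetime_to_iso(atime),
        "mtime": filetime_to_iso(wtime),
        "file_size": size,
        "icon_index": icon if flags & 0x40 else None,   # only meaningful with HasIconLocation
        "show_command": SHOW_COMMANDS.get(show, "SW_SHOWNORMAL"),
    }


def parse_evtx_header(data):
    """Decode the EVTX file header: chunk numbers, next record id and file flags."""
    if len(data) < 0x80 or data[:8] != EVTX_MAGIC:
        raise ValueError("not an EVTX event log")
    first_chunk, last_chunk, next_record = struct.unpack_from("<QQQ", data, 8)
    chunk_count = struct.unpack_from("<H", data, 0x2A)[0]
    file_flags = struct.unpack_from("<I", data, 0x78)[0]
    return {
        "chunks": chunk_count,
        "last_chunk_in_use": last_chunk,   # the value the magic prints as "no. %d in use"
        "next_record": next_record,
        "empty": next_record == 1,
        "dirty": bool(file_flags & 1),     # not cleanly closed: header may lag the chunks
        "full": bool(file_flags & 2),
    }


def parse_crash_dump(data):
    """Decode the DUMP_HEADER fields tested by the PAGEDUMP / PAGEDU64 entries."""
    if data[:8] == b"PAGEDUMP":
        bits, type_off, pages = 32, 0xF88, struct.unpack_from("<I", data, 0x68)[0]
    elif data[:8] == b"PAGEDU64":
        bits, type_off, pages = 64, 0xF98, struct.unpack_from("<Q", data, 0x90)[0]
    else:
        raise ValueError("not a Windows crash dump")
    dump_type = struct.unpack_from("<I", data, type_off)[0]
    return {"bits": bits, "dump_type": DUMP_TYPES.get(dump_type, "unknown"), "pages": pages}


def identify(data):
    """Dispatch on the leading magic, the way the entries above do."""
    if data[:20] == LNK_MAGIC:
        return "MS Windows shortcut", parse_lnk_header(data)
    if data[:8] == EVTX_MAGIC:
        return "MS Windows Vista Event Log", parse_evtx_header(data)
    if data[:8] in (b"PAGEDUMP", b"PAGEDU64"):
        return "MS Windows crash dump", parse_crash_dump(data)
    return None, None


def sample_lnk():
    """Constructed header: IDList+LinkInfo+Name+RelativePath+Arguments, Hidden|Archive,
    1234 bytes, SW_SHOWMINNOACTIVE, all three times 2015-12-15T01:06:17Z."""
    ft = int((datetime(2015, 12, 15, 1, 6, 17, tzinfo=timezone.utc)
              - EPOCH_1601).total_seconds()) * 10_000_000
    return LNK_MAGIC + struct.pack("<IIQQQIiIHHII", 0x2F, 0x22, ft, ft, ft,
                                   1234, 0, 7, 0, 0, 0, 0)


def sample_evtx():
    """Constructed 4 KiB file header: 3 chunks, last chunk 2, next record 1001, DIRTY."""
    hdr = bytearray(0x1000)
    hdr[:8] = EVTX_MAGIC
    struct.pack_into("<QQQIHHHH", hdr, 8, 0, 2, 1001, 0x80, 1, 3, 0x1000, 3)
    struct.pack_into("<I", hdr, 0x78, 1)
    return bytes(hdr)
```

On a real shortcut, `file` and this reader must agree on the flags, attributes and times; a disagreement points at one of the two reading the wrong offset. The DIRTY flag on an EVTX header is worth checking before trusting the header's chunk count, since the chunks may be ahead of the header when the log was not closed cleanly.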
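The NTBackup entry above differs from the fixed-offset entries in that the media name, label and software name are not at known positions: each is an MTF_TAPE_ADDR pair (16-bit size, 16-bit offset) that the magic dereferences with `(70.s)`, `(74.s)` and `(82.s)`, and the string type byte at offset 48 decides whether the bytes are ANSI or UTF-16LE. The reader below is an added example written for this page, not code from file(1); it uses only the offsets and attribute bits listed in the entry (the OS ID labels are the entry's own), and the TAPE block it parses is constructed inline rather than taken from a real backup.

```python
"""Decode the MTF TAPE descriptor block (DBLK) tested by the NTBackup entry.
Added example, not part of file(1). The sample block is constructed, not captured."""
import struct

OS_IDS = {1: "NetWare", 13: "NetWare SMS", 14: "NT", 24: "3", 25: "OS/2",
          26: "95", 27: "Macintosh", 28: "UNIX"}           # labels as in the magic
BLOCK_ATTRS = {0x00000001: "continuation", 0x00000004: "compressed",
               0x00000008: "end of medium hit", 0x00010000: "set map exists",
               0x00020000: "file/directory detail allowed"}
UNUSED_ATTR_BITS = 0xFFFCFFE0          # BIT4-BIT15, BIT18-BIT31 must be zero


def tape_addr_string(block, addr_off, string_type):
    """Resolve an MTF_TAPE_ADDR (uint16 size, uint16 offset) into text.
    Strings are size-terminated, not NUL-terminated; type 1 ANSI, 2 Unicode."""
    size, off = struct.unpack_from("<HH", block, addr_off)
    if size == 0 or off == 0 or off + size > len(block):
        return None                     # absent, or points outside the block
    raw = block[off:off + size]
    if string_type == 2:
        return raw.decode("utf-16-le", "replace")
    return raw.decode("latin-1")


def parse_tape_dblk(block):
    """Return the fields the magic prints, plus whether its preconditions hold."""
    if len(block) < 94 or block[:4] != b"TAPE":
        raise ValueError("not an MTF TAPE descriptor block")
    # common DBLK header: attributes @4, first event @8, OS id/version @10,
    # displayable size @12, format logical address @20, reserved for MBC @28
    attrs, first_event, os_id, os_ver, disp_size, fla, mbc = struct.unpack_from(
        "<IHBBQQH", block, 4)
    control_block_id = struct.unpack_from("<I", block, 36)[0]
    string_type = block[48]
    # TAPE-specific part: family id @52, tape attrs @56, sequence @60,
    # password algorithm @62, soft filemark blocks @64, catalog type @66
    family, tape_attrs, seq, pw_alg, soft_fm, cat_type = struct.unpack_from(
        "<IIHHHH", block, 52)
    fmt_block, vendor = struct.unpack_from("<HH", block, 84)
    return {
        # the four tests the magic requires before printing "Windows NTbackup archive"
        "ntbackup": fla == 0 and mbc == 0 and control_block_id == 0
                    and attrs & UNUSED_ATTR_BITS == 0,
        "os": OS_IDS.get(os_id, "unknown"),
        "attributes": [n for b, n in BLOCK_ATTRS.items() if attrs & b],
        "sequence": seq,
        "encrypted": pw_alg != 0,
        "soft_filemark_size": soft_fm * 512,
        "media_name": tape_addr_string(block, 68, string_type),
        "media_label": tape_addr_string(block, 72, string_type),
        "software": tape_addr_string(block, 80, string_type),
        "block_size": fmt_block,
        "vendor_id": vendor,
        "mtf_version": block[93],
    }


def sample_tape_dblk():
    """Constructed 1 KiB TAPE DBLK: Unicode strings, compressed, set map present,
    OS id NT, vendor 0xCBE, 1024-byte logical blocks. Not a captured backup."""
    blk = bytearray(0x400)
    blk[:4] = b"TAPE"
    struct.pack_into("<IHBBQQH", blk, 4, 0x4 | 0x10000, 0x238, 14, 0, 0x20E0230, 0, 0)
    blk[48] = 2                                             # string type: Unicode
    struct.pack_into("<IIHHHH", blk, 52, 0x455288C4, 3, 1, 0, 2, 1)
    struct.pack_into("<HH", blk, 84, 1024, 0xCBE)
    blk[93] = 1                                             # MTF major version
    cursor = 0x5E                                           # strings follow the header
    for addr_off, text in ((68, "Media created 12/15/2015 01:06 AM"),
                           (72, "MTF Media Label|1.0|Microsoft|0xCBE|2015/12/15.01:06:17|Backup|1||"),
                           (80, "Microsoft Windows NT Backup")):
        raw = text.encode("utf-16-le")
        blk[cursor:cursor + len(raw)] = raw
        struct.pack_into("<HH", blk, addr_off, len(raw), cursor)
        cursor += len(raw)
    return bytes(blk)
```

The `off + size > len(block)` check matters on damaged or truncated .bkf files: a size/offset pair that points past the block is the kind of input that makes a naive reader copy garbage (or crash), whereas file(1) simply prints nothing for the string.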