xref: /freebsd/contrib/file/magic/Magdir/windows (revision f6a3b357e9be4c6423c85eff9a847163a0d307c8)
1
2#------------------------------------------------------------------------------
3# $File: windows,v 1.22 2018/02/16 15:44:00 christos Exp $
4# windows:  file(1) magic for Microsoft Windows
5#
6# This file is mainly reserved for files where programs
7# using them are run almost always on MS Windows 3.x or
8# above, or files only used exclusively in Windows OS,
9# where there is no better category to allocate for.
10# For example, even though WinZIP almost run on Windows
11# only, it is better to treat them as "archive" instead.
12# For format usable in DOS, such as generic executable
13# format, please specify under "msdos" file.
14#
15
16
17# Summary: Outlook Express DBX file
18# Extension: .dbx
19# Created by: Christophe Monniez
200	string	\xCF\xAD\x12\xFE	MS Outlook Express DBX file
21>4	byte	=0xC5			\b, message database
22>4	byte	=0xC6			\b, folder database
23>4	byte	=0xC7			\b, account information
24>4	byte	=0x30			\b, offline database
25
26
27# Summary: Windows crash dump
28# Extension: .dmp
29# Created by: Andreas Schuster (http://computer.forensikblog.de/)
30# Reference (1): http://computer.forensikblog.de/en/2008/02/64bit_magic.html
31# Modified by (1): Abel Cheung (Avoid match with first 4 bytes only)
320	string		PAGE
33>4	string		DUMP		MS Windows 32bit crash dump
34>>0x05c	byte            0		\b, no PAE
35>>0x05c	byte            1		\b, PAE
36>>0xf88	lelong		1		\b, full dump
37>>0xf88	lelong		2		\b, kernel dump
38>>0xf88	lelong		3		\b, small dump
39>>0x068	lelong		x		\b, %d pages
40>4	string		DU64		MS Windows 64bit crash dump
41>>0xf98	lelong		1		\b, full dump
42>>0xf98	lelong		2		\b, kernel dump
43>>0xf98	lelong		3		\b, small dump
44>>0x090	lequad		x		\b, %lld pages
45
46
47# Summary: Vista Event Log
48# Extension: .evtx
49# Created by: Andreas Schuster (http://computer.forensikblog.de/)
50# Reference (1): http://computer.forensikblog.de/en/2007/05/some_magic.html
510	string		ElfFile\0	MS Windows Vista Event Log
52>0x2a	leshort		x		\b, %d chunks
53>>0x10	lelong		x		\b (no. %d in use)
54>0x18	lelong		>1		\b, next record no. %d
55>0x18	lelong		=1		\b, empty
56>0x78	lelong		&1		\b, DIRTY
57>0x78	lelong		&2		\b, FULL
58
59
60# Summary: Windows 3.1 group files
61# Extension: .grp
62# Created by: unknown
630	string		\120\115\103\103	MS Windows 3.1 group files
64
65
66# Summary: Old format help files
67# URL: https://en.wikipedia.org/wiki/WinHelp
68# Reference: http://www.oocities.org/mwinterhoff/helpfile.htm
69# Update: Joerg Jenderek
70# Created by: Dirk Jagdmann <doj@cubic.org>
71#
72# check and then display version and date inside MS Windows HeLP file fragment
730	name				help-ver-date
74# look for Magic of SYSTEMHEADER
75>0	leshort		0x036C
76# version Major		1 for right file fragment
77>>4	leshort		1		Windows
78# print non empty string above to avoid error message
79# Warning: Current entry does not yet have a description for adding a MIME type
80!:mime	application/winhelp
81!:ext	hlp
82# version Minor of help file format is hint for windows version
83>>>2	leshort		0x0F		3.x
84>>>2	leshort		0x15		3.0
85>>>2	leshort		0x21		3.1
86>>>2	leshort		0x27		x.y
87>>>2	leshort		0x33		95
88>>>2	default		x		y.z
89>>>>2	leshort		x		0x%x
90# to complete message string like "MS Windows 3.x help file"
91>>>2	leshort		x		help
92# GenDate often older than file creation date
93>>>6	ldate		x		\b, %s
94#
95# Magic for HeLP files
960	lelong		0x00035f3f
97# ./windows (version 5.25) labeled the entry as "MS Windows 3.x help file"
98# file header magic 0x293B at DirectoryStart+9
99>(4.l+9)	uleshort	0x293B		MS
100# look for @VERSION	bmf.. like IBMAVW.ANN
101>>0xD4		string	=\x62\x6D\x66\x01\x00	Windows help annotation
102!:mime	application/x-winhelp
103!:ext	ann
104>>0xD4		string	!\x62\x6D\x66\x01\x00
105# "GID Help index" by TrID
106>>>(4.l+0x65)	string	=|Pete			Windows help Global Index
107!:mime	application/x-winhelp
108!:ext	gid
109# HeLP Bookmark or
110# "Windows HELP File" by TrID
111>>>(4.l+0x65)		string		!|Pete
112# maybe there exist a cleaner way to detect HeLP fragments
113# brute search for Magic 0x036C with matching Major maximal 7 iterations
114# discapp.hlp
115>>>>16			search/0x49AF/s	\x6c\x03
116>>>>>&0			use 		help-ver-date
117>>>>>&4			leshort		!1
118# putty.hlp
119>>>>>>&0		search/0x69AF/s	\x6c\x03
120>>>>>>>&0		use 		help-ver-date
121>>>>>>>&4		leshort		!1
122>>>>>>>>&0		search/0x49AF/s	\x6c\x03
123>>>>>>>>>&0		use 		help-ver-date
124>>>>>>>>>&4		leshort		!1
125>>>>>>>>>>&0		search/0x49AF/s	\x6c\x03
126>>>>>>>>>>>&0		use 		help-ver-date
127>>>>>>>>>>>&4		leshort		!1
128>>>>>>>>>>>>&0		search/0x49AF/s	\x6c\x03
129>>>>>>>>>>>>>&0		use 		help-ver-date
130>>>>>>>>>>>>>&4		leshort		!1
131>>>>>>>>>>>>>>&0	search/0x49AF/s	\x6c\x03
132>>>>>>>>>>>>>>>&0	use 		help-ver-date
133>>>>>>>>>>>>>>>&4	leshort		!1
134>>>>>>>>>>>>>>>>&0	search/0x49AF/s	\x6c\x03
135# GCC.HLP is detected after 7 iterations
136>>>>>>>>>>>>>>>>>&0	use 		help-ver-date
137# this only happens if bigger hlp file is detected after used search iterations
138>>>>>>>>>>>>>>>>>&4	leshort		!1		Windows y.z help
139!:mime	application/winhelp
140!:ext	hlp
141# repeat search again or following default line does not work
142>>>>16			search/0x49AF/s	\x6c\x03
143# remaining files should be HeLP Bookmark WinHlp32.BMK (XP 32-bit) or WinHlp32 (Windows 8.1 64-bit)
144>>>>16	default				x	Windows help Bookmark
145!:mime	application/x-winhelp
146!:ext	bmk
147## FirstFreeBlock normally FFFFFFFFh 10h for *ANN
148##>>8	lelong			x		\b, FirstFreeBlock 0x%8.8x
149# EntireFileSize
150>>12	lelong			x		\b, %d bytes
151## ReservedSpace normally 042Fh AFh for *.ANN
152#>>(4.l)	lelong		x		\b, ReservedSpace 0x%8.8x
153## UsedSpace normally 0426h A6h for *.ANN
154#>>(4.l+4)	lelong		x		\b, UsedSpace 0x%8.8x
155## FileFlags normally 04...
156#>>(4.l+5)	lelong		x		\b, FileFlags 0x%8.8x
157## file header magic 0x293B
158#>>(4.l+9)	uleshort	x		\b, file header magic 0x%4.4x
159## file header Flags		0x0402
160#>>(4.l+11)	uleshort	x		\b, file header Flags 0x%4.4x
161## file header PageSize	0400h 80h for *.ANN
162#>>(4.l+13)	uleshort	x		\b, PageSize 0x%4.4x
163## Structure[16]		z4
164#>>(4.l+15)	string		>\0		\b, Structure_"%-.16s"
165## MustBeZero			0
166#>>(4.l+31)	uleshort	x		\b, MustBeZero 0x%4.4x
167## PageSplits
168#>>(4.l+33)	uleshort	x		\b, PageSplits 0x%4.4x
169## RootPage
170#>>(4.l+35)	uleshort	x		\b, RootPage 0x%4.4x
171## MustBeNegOne			0xffff
172#>>(4.l+37)	uleshort	x		\b, MustBeNegOne 0x%4.4x
173## TotalPages			1
174#>>(4.l+39)	uleshort	x		\b, TotalPages 0x%4.4x
175## NLevels			0x0001
176#>>(4.l+41)	uleshort	x		\b, NLevels 0x%4.4x
177## TotalBtreeEntries
178#>>(4.l+43)	ulelong		x		\b, TotalBtreeEntries 0x%8.8x
179## pages of the B+ tree
180#>>(4.l+47)	ubequad		x		\b, PageStart 0x%16.16llx
181
182# start with colon or semicolon for comment line like Back2Life.cnt
1830		regex		\^(:|;)
184# look for first keyword Base
185>0		search/45	:Base
186>>&0				use 		cnt-name
187# only solution to search again from beginning , because relative offsets changes when use is called
188>0		search/45	:Base
189>0		default		x
190# look for other keyword Title like in putty.cnt
191>>0		search/45	:Title
192>>>&0				use 		cnt-name
193#
194# display mime type and name of Windows help Content source
1950	name				cnt-name
196# skip space at beginning
197>0     string		\040
198# name without extension and greater character or name with hlp extension
199>>1	regex/c		\^([^\xd>]*|.*\.hlp)	MS Windows help file Content, based "%s"
200!:mime	text/plain
201!:apple	????TEXT
202!:ext	cnt
203#
204# Windows creates an full text search from hlp file, if the user clicks the "Find" tab and enables keyword indexing
2050	string		tfMR			MS Windows help Full Text Search index
206!:mime application/x-winhelp-fts
207!:ext	fts
208>16	string		>\0			for "%s"
209
210# Summary: Hyper terminal
211# Extension: .ht
212# Created by: unknown
2130	string		HyperTerminal\040
214>15	string		1.0\ --\ HyperTerminal\ data\ file	MS Windows HyperTerminal profile
215
216# http://ithreats.files.wordpress.com/2009/05/\040
217# lnk_the_windows_shortcut_file_format.pdf
218# Summary: Windows shortcut
219# Extension: .lnk
220# Created by: unknown
221# 'L' + GUUID
2220	string		\114\0\0\0\001\024\002\0\0\0\0\0\300\0\0\0\0\0\0\106	MS Windows shortcut
223>20	lelong&1	1	\b, Item id list present
224>20	lelong&2	2	\b, Points to a file or directory
225>20	lelong&4	4	\b, Has Description string
226>20	lelong&8	8	\b, Has Relative path
227>20	lelong&16	16	\b, Has Working directory
228>20	lelong&32	32	\b, Has command line arguments
229>20	lelong&64	64	\b, Icon
230>>56	lelong		x	\b number=%d
231>24	lelong&1	1	\b, Read-Only
232>24	lelong&2	2	\b, Hidden
233>24	lelong&4	4	\b, System
234>24	lelong&8	8	\b, Volume Label
235>24	lelong&16	16	\b, Directory
236>24	lelong&32	32	\b, Archive
237>24	lelong&64	64	\b, Encrypted
238>24	lelong&128	128	\b, Normal
239>24	lelong&256	256	\b, Temporary
240>24	lelong&512	512	\b, Sparse
241>24	lelong&1024	1024	\b, Reparse point
242>24	lelong&2048	2048	\b, Compressed
243>24	lelong&4096	4096	\b, Offline
244>28	leqwdate	x	\b, ctime=%s
245>36	leqwdate	x	\b, mtime=%s
246>44	leqwdate	x	\b, atime=%s
247>52	lelong		x	\b, length=%u, window=
248>60	lelong&1	1	\bhide
249>60	lelong&2	2	\bnormal
250>60	lelong&4	4	\bshowminimized
251>60	lelong&8	8	\bshowmaximized
252>60	lelong&16	16	\bshownoactivate
253>60	lelong&32	32	\bminimize
254>60	lelong&64	64	\bshowminnoactive
255>60	lelong&128	128	\bshowna
256>60	lelong&256	256	\brestore
257>60	lelong&512	512	\bshowdefault
258#>20	lelong&1	0
259#>>20	lelong&2	2
260#>>>(72.l-64)	pstring/h	x	\b [%s]
261#>20	lelong&1	1
262#>>20	lelong&2	2
263#>>>(72.s)	leshort	x
264#>>>&75	pstring/h	x	\b [%s]
265
266# Summary: Outlook Personal Folders
267# Created by: unknown
2680	lelong		0x4E444221	Microsoft Outlook email folder
269>10	leshort		0x0e		(<=2002)
270>10	leshort		0x17		(>=2003)
271
272
273# Summary: Windows help cache
274# Created by: unknown
2750	string		\164\146\115\122\012\000\000\000\001\000\000\000	MS Windows help cache
276
277
278# Summary: IE cache file
279# Created by: Christophe Monniez
2800	string	Client\ UrlCache\ MMF 	Internet Explorer cache file
281>20	string	>\0			version %s
282
283
284# Summary: Registry files
285# Created by: unknown
286# Modified by (1): Joerg Jenderek
2870	string		regf		MS Windows registry file, NT/2000 or above
2880	string		CREG		MS Windows 95/98/ME registry file
2890	string		SHCC3		MS Windows 3.1 registry file
290
291
292# Summary: Windows Registry text
293# URL: https://en.wikipedia.org/wiki/Windows_Registry#.REG_files
294# Reference: http://fileformats.archiveteam.org/wiki/Windows_Registry
295# Submitted by: Abel Cheung <abelcheung@gmail.com>
296# Update: Joerg Jenderek
297#		Windows 3-9X variant
2980	string		REGEDIT
299# skip ASCII text like "REGEDITor.txt" but match
300# L1WMAP.REG with only 1 CRNL or org.gnome.gnumeric.reg with 2 NL
301>7	search/3	\n			Windows Registry text
302!:mime	text/x-ms-regedit
303!:ext	reg
304#		Windows 9X variant
305>>0	string		REGEDIT4		(Win95 or above)
306#		Windows 2K ANSI variant
3070	string		Windows\ Registry\ Editor\
308>&0	string		Version\ 5.00\r\n\r\n	Windows Registry text (Win2K or above)
309!:mime	text/x-ms-regedit
310!:ext	reg
311#		Windows 2K UTF-16 variant
3122	lestring16	Windows\ Registry\ Editor\
313>0x32	lestring16	Version\ 5.00\r\n\r\n	Windows Registry little-endian text (Win2K or above)
314# relative offset not working
315#>&0	lestring16	Version\ 5.00\r\n\r\n	Windows Registry little-endian text (Win2K or above)
316!:mime	text/x-ms-regedit
317!:ext	reg
318#		WINE variant
319# URL: https://en.wikipedia.org/wiki/Wine_(software)
320# Reference: https://www.winehq.org/pipermail/wine-cvs/2005-October/018763.html
321# Note:	WINE use text based registry (system.reg,user.reg,userdef.reg)
322#	instead binary hiv structure like Windows
3230	string	WINE\ REGISTRY\ Version\ 	WINE registry text
324# version 2
325>&0	string	x				\b, version %s
326!:mime	text/x-wine-extension-reg
327!:ext	reg
328
329# Windows *.INF *.INI files updated by Joerg Jenderek at Apr 2013, Feb 2018
330# empty ,comment , section
331# PR/383: remove unicode BOM because it is not portable across regex impls
332#0	regex/s		\\`(\\r\\n|;|[[])
333# empty line CRLF
3340	ubeshort	0x0D0A
335>0	use		ini-file
336# comment line
3370	string		;
338>0	use		ini-file
339# section line
3400	string		[
341>0	use		ini-file
342# check and then display Windows INItialization configuration
3430	name		ini-file
344# look for left bracket in section line
345>0	search/8192	[
346# http://en.wikipedia.org/wiki/Autorun.inf
347# http://msdn.microsoft.com/en-us/library/windows/desktop/cc144200.aspx
348# space after right bracket
349# or AutoRun.Amd64 for 64 bit systems
350# or only NL separator
351>>&0	regex/c		\^(autorun)
352# but sometimes total commander directory tree file "treeinfo.wc" with lines like
353# [AUTORUN]
354# [boot]
355>>>&0	string		=]\r\n[					Total commander directory treeinfo.wc
356!:mime text/plain
357!:ext	wc
358# From: Pal Tamas <folti@balabit.hu>
359# Autorun File
360>>>&0	string		!]\r\n[					Microsoft Windows Autorun file
361!:mime application/x-setupscript
362!:ext	inf
363# http://msdn.microsoft.com/en-us/library/windows/hardware/ff549520(v=vs.85).aspx
364# version strings ASCII coded case-independent for Windows setup information script file
365>>&0	regex/c		\^(version|strings)]				Windows setup INFormation
366!:mime	application/x-setupscript
367#!:mime application/x-wine-extension-inf
368!:ext	inf
369# NETCRC.INF OEMCPL.INF
370>>&0	regex/c		\^(WinsockCRCList|OEMCPL)]			Windows setup INFormation
371!:mime	application/x-setupscript
372!:ext	inf
373# http://www.winfaq.de/faq_html/Content/tip2500/onlinefaq.php?h=tip2653.htm
374# http://msdn.microsoft.com/en-us/library/windows/desktop/cc144102.aspx
375# .ShellClassInfo DeleteOnCopy LocalizedFileNames ASCII coded case-independent
376>>&0	regex/c	\^(\.ShellClassInfo|DeleteOnCopy|LocalizedFileNames)]	Windows desktop.ini
377!:mime application/x-wine-extension-ini
378#!:mime text/plain
379# http://support.microsoft.com/kb/84709/
380>>&0	regex/c		\^(don't\ load)]				Windows CONTROL.INI
381!:mime application/x-wine-extension-ini
382!:ext	ini
383>>&0	regex/c		\^(ndishlp\\$|protman\\$|NETBEUI\\$)]		Windows PROTOCOL.INI
384!:mime application/x-wine-extension-ini
385!:ext	ini
386# http://technet.microsoft.com/en-us/library/cc722567.aspx
387# http://www.winfaq.de/faq_html/Content/tip0000/onlinefaq.php?h=tip0137.htm
388>>&0	regex/c		\^(windows|Compatibility|embedding)]		Windows WIN.INI
389!:mime application/x-wine-extension-ini
390!:ext	ini
391# http://en.wikipedia.org/wiki/SYSTEM.INI
392>>&0	regex/c		\^(boot|386enh|drivers)]			Windows SYSTEM.INI
393!:mime application/x-wine-extension-ini
394!:ext	ini
395# http://www.mdgx.com/newtip6.htm
396>>&0	regex/c		\^(SafeList)]					Windows IOS.INI
397!:mime application/x-wine-extension-ini
398!:ext	ini
399# http://en.wikipedia.org/wiki/NTLDR	Windows Boot Loader information
400>>&0	regex/c		\^(boot\x20loader)]				Windows boot.ini
401!:mime application/x-wine-extension-ini
402!:ext	ini
403# http://en.wikipedia.org/wiki/CONFIG.SYS
404>>&0	regex/c		\^(menu)]					MS-DOS CONFIG.SYS
405# @CONFIG.UI configuration file of previous DOS version saved by Caldera OPENDOS INSTALL.EXE
406# CONFIG.PSS saved version of file CONFIG.SYS created by %WINDIR%\SYTEM\MSCONFIG.EXE
407# CONFIG.TSH renamed file CONFIG.SYS.BAT by %WINDIR%\SYTEM\MSCONFIG.EXE
408# dos and w40 used in dual booting scene
409!:ext	sys/dos/w40
410# http://support.microsoft.com/kb/118579/
411>>&0	regex/c		\^(Paths)]\r\n					MS-DOS MSDOS.SYS
412!:ext	sys/dos
413# http://chmspec.nongnu.org/latest/INI.html#HHP
414>>&0	regex/c		\^(options)]\r\n				Microsoft HTML Help Project
415!:mime text/plain
416!:ext	hhp
417# unknown keyword after opening bracket
418>>&0	default				x
419#>>>&0	string/c			x	UNKNOWN [%s
420# look for left bracket of second section
421>>>&0	search/8192			[
422# version Strings FileIdentification
423>>>>&0	string/c			version				Windows setup INFormation
424!:mime application/x-setupscript
425!:ext	inf
426# http://en.wikipedia.org/wiki/Initialization_file	Windows Initialization File or other
427>>>>&0	default				x
428>>>>>&0	ubyte				x
429# characters, digits, underscore and white space followed by right bracket
430# terminated by CR implies section line to skip BOOTLOG.TXT DETLOG.TXT
431>>>>>>&-1	regex			\^([A-Za-z0-9_\(\)\ ]+)\]\r	Generic INItialization configuration [%-.40s
432# NETDEF.INF multiarc.ini
433#!:mime	application/x-setupscript
434!:mime	application/x-wine-extension-ini
435#!:mime	text/plain
436!:ext	ini/inf
437# UTF-16 BOM followed by CR~0D00 , comment~semicolon~3B00 , section~bracket~5B00
4380	ubelong&0xFFff89FF	=0xFFFE0900
439# look for left bracket in section line
440>2	search/8192		[
441# keyword without 1st letter which is maybe up-/down-case
442>>&3	lestring16		ersion]			Windows setup INFormation
443!:mime	application/x-setupscript
444!:ext	inf
445>>&3	lestring16		trings]			Windows setup INFormation
446!:mime	application/x-setupscript
447!:ext	inf
448>>&3	lestring16		ourceDisksNames]	Windows setup INFormation
449!:mime	application/x-setupscript
450!:ext	inf
451# netnwcli.inf start with ;---[ NetNWCli.INX ]
452>>&3	default			x
453# look for NL followed by left bracket
454>>>&0	search/8192		\x0A\x00\x5b
455>>>>&3	lestring16		ersion]			Windows setup INFormation
456!:mime	application/x-setupscript
457!:ext	inf
458
459# Windows Precompiled INF files *.PNF added by Joerg Jenderek at Mar 2013 of _PNF_HEADER inf.h
460# http://read.pudn.com/downloads3/sourcecode/windows/248345/win2k/private/windows/setup/setupapi/inf.h__.htm
461# GRR: line below too general as it catches also PDP-11 UNIX/RT ldp
4620		leshort&0xFeFe	0x0000
463!:strength -5
464# test for unused null bits in PNF_FLAGs
465>4	ulelong&0xFCffFe00	0x00000000
466# only found 58h for Offset of WinDirPath immediately after _PNF_HEADER structure
467>>68		ulelong		>0x57
468# test for zero high byte of InfValueBlockSize, followed by WinDirPath like
469# C:\WINDOWS (ASCII 0x433a5c.. , unicode 0x43003a005c..) or X:\MININT
470>>>(68.l-1)	ubelong&0xffE0C519	=0x00400018	Windows Precompiled iNF
471!:mime	application/x-pnf
472# currently only found Major Version=1 and Minor Version=1
473#>>>>0		uleshort	=0x0101
474#>>>>>1		ubyte		x		\b, version %u
475#>>>>>0		ubyte		x		\b.%u
476>>>>0		uleshort	!0x0101
477>>>>>1		ubyte		x		\b, version %u
478>>>>>0		ubyte		x		\b.%u
479# 1 ,2 (windows 98 SE)
480#>>>>2		uleshort	=2		\b, InfStyle %u
481>>>>2		uleshort	!2		\b, InfStyle %u
482#	PNF_FLAG_IS_UNICODE		0x00000001
483#	PNF_FLAG_HAS_STRINGS		0x00000002
484#	PNF_FLAG_SRCPATH_IS_URL		0x00000004
485#	PNF_FLAG_HAS_VOLATILE_DIRIDS	0x00000008
486#	PNF_FLAG_INF_VERIFIED		0x00000010
487#	PNF_FLAG_INF_DIGITALLY_SIGNED	0x00000020
488#	??				0x00000100
489#	??				0x01000000
490#	??				0x02000000
491>>>>4	ulelong&0x00000001	0x00000001	\b, unicoded
492>>>>4	ulelong&0x00000020	0x00000020	\b, digitally signed
493#>>>>8		ulelong		x		\b, InfSubstValueListOffset 0x%x
494# many 0, 1 lmouusb.PNF, 2 linkfx10.PNF , f webfdr16.PNF
495#>>>>12		uleshort	x		\b, InfSubstValueCount 0x%x
496# only < 9 found
497#>>>>14		uleshort	x		\b, InfVersionDatumCount 0x%x
498# only found values lower 0x0000ffff
499#>>>>16		ulelong		x		\b, InfVersionDataSize 0x%x
500# only found positive values lower 0x00ffFFff for InfVersionDataOffset
501>>>>20		ulelong		x		\b, at 0x%x
502>>>>4	ulelong&0x00000001	=0x00000001
503# case independent: CatalogFile Class DriverVer layoutfile LayoutFile SetupClass signature Signature
504>>>>>(20.l)	lestring16	x		"%s"
505>>>>4	ulelong&0x00000001	!0x00000001
506>>>>>(20.l)	string		x		"%s"
507# FILETIME is number of 100-nanosecond intervals since 1 January 1601
508#>>>>24		ulequad		x		\b, InfVersionLastWriteTime %16.16llx
509# only found values lower 0x00ffFFff
510#>>>>32		ulelong		x		\b, StringTableBlockOffset 0x%x
511#>>>>36		ulelong		x		\b, StringTableBlockSize 0x%x
512#>>>>40		ulelong		x		\b, InfSectionCount 0x%x
513#>>>>44		ulelong		x		\b, InfSectionBlockOffset 0x%x
514#>>>>48		ulelong		x		\b, InfSectionBlockSize 0x%x
515#>>>>52		ulelong		x		\b, InfLineBlockOffset 0x%x
516#>>>>56		ulelong		x		\b, InfLineBlockSize 0x%x
517#>>>>60		ulelong		x		\b, InfValueBlockOffset 0x%x
518#>>>>64		ulelong		x		\b, InfValueBlockSize 0x%x
519# WinDirPathOffset
520#>>>>68		ulelong		x		\b, at 0x%x
521>>>>68		ulelong		>0x57
522>>>>>4	ulelong&0x00000001	=0x00000001
523>>>>>>(68.l)	ubequad		=0x43003a005c005700
524# normally unicoded C:\Windows
525#>>>>>>>(68.l)	lestring16	x		\b, WinDirPath "%s"
526>>>>>>(68.l)	ubequad		!0x43003a005c005700
527>>>>>>>(68.l)	lestring16	x		\b, WinDirPath "%s"
528>>>>>4	ulelong&0x00000001	!0x00000001
529# normally ASCII C:\WINDOWS
530#>>>>>>(68.l)	string		=C:\\WINDOWS	\b, WinDirPath "%s"
531>>>>>>(68.l)	string		!C:\\WINDOWS	\b, WinDirPath "%s"
532# found OsLoaderPathOffset values often 0 , once 70h corelist.PNF, once 68h ASCII machine.PNF
533#>>>>72		ulelong		>0		\b, at 0x%x
534>>>>72		ulelong		>0		\b,
535>>>>>4	ulelong&0x00000001	=0x00000001
536>>>>>>(72.l)	lestring16	x		OsLoaderPath "%s"
537>>>>>4	ulelong&0x00000001	!0x00000001
538# seldom C:\ instead empty
539>>>>>>(72.l)	string		x		OsLoaderPath "%s"
540# 1fdh
541#>>>>76		uleshort	x		\b, StringTableHashBucketCount 0x%x
542>>>>78		uleshort	!0x407		\b, LanguageId %x
543# only 407h found
544#>>>>78		uleshort	=0x407		\b, LanguageId %x
545# InfSourcePathOffset often 0
546#>>>>80		ulelong		>0		\b, at 0x%x
547>>>>80		ulelong		>0		\b,
548>>>>>4	ulelong&0x00000001	=0x00000001
549>>>>>>(80.l)	lestring16	x		SourcePath "%s"
550>>>>>4	ulelong&0x00000001	!0x00000001
551>>>>>>(80.l)	string		>\0		SourcePath "%s"
552# OriginalInfNameOffset often 0
553#>>>>84		ulelong		>0		\b, at 0x%x
554>>>>84		ulelong		>0		\b,
555>>>>>4	ulelong&0x00000001	=0x00000001
556>>>>>>(84.l)	lestring16	x		InfName "%s"
557>>>>>4	ulelong&0x00000001	!0x00000001
558>>>>>>(84.l)	string		>\0		InfName "%s"
559
560# Summary: backup file created with utility like NTBACKUP.EXE shipped with Windows NT/2K/XP/2003
561# Extension: .bkf
562# Created by: Joerg Jenderek
563# URL: http://en.wikipedia.org/wiki/NTBackup
564# Reference: http://laytongraphics.com/mtf/MTF_100a.PDF
565# Descriptor BloCK name of Microsoft Tape Format
5660	string			TAPE
567# Format Logical Address is zero
568>20	ulequad			0
569# Reserved for MBC is zero
570>>28	uleshort		0
571# Control Block ID is zero
572>>>36	ulelong			0
573# BIT4-BIT15, BIT18-BIT31 of block attributes are unused
574>>>>4	ulelong&0xFFfcFFe0	0		Windows NTbackup archive
575#!:mime application/x-ntbackup
576!:ext bkf
577# OS ID
578>>>>>10	ubyte			1		\b NetWare
579>>>>>10	ubyte			13		\b NetWare SMS
580>>>>>10	ubyte			14		\b NT
581>>>>>10	ubyte			24		\b 3
582>>>>>10	ubyte			25		\b OS/2
583>>>>>10	ubyte			26		\b 95
584>>>>>10	ubyte			27		\b Macintosh
585>>>>>10	ubyte			28		\b UNIX
586# OS Version (2)
587#>>>>>11	ubyte			x		OS V=%x
588# MTF_CONTINUATION	Media Sequence Number > 1
589#>>>>>4	ulelong&0x00000001	!0		\b, continued
590# MTF_COMPRESSION
591>>>>>4	ulelong&0x00000004	!0		\b, compressed
592# MTF_EOS_AT_EOM	End Of Medium was hit during end of set processing
593>>>>>4	ulelong&0x00000008	!0		\b, End Of Medium hit
594>>>>>4	ulelong&0x00020000	0
595# MTF_SET_MAP_EXISTS	A Media Based Catalog Set Map may exist on tape
596>>>>>>4	ulelong&0x00010000	!0		\b, with catalog
597# MTF_FDD_ALLOWED	However File/Directory Detail can only exist if a Set Map is also present
598>>>>>4	ulelong&0x00020000	!0		\b, with file catalog
599# Offset To First Event 238h,240h,28Ch
600#>>>>>8	uleshort		x		\b, event offset %4.4x
601# Displayable Size (20e0230h 20e024ch 20e0224h)
602#>>>>>8	ulequad			x		dis. size %16.16llx
603# Media Family ID (455288C4h 4570BD1Ah 45708F2Fh 4570BBF5h)
604#>>>>>52	ulelong			x		family ID %8.8x
605# TAPE Attributes (3)
606#>>>>>56	ulelong			x		TAPE %8.8x
607# Media Sequence Number
608>>>>>60	uleshort		>1		\b, sequence %u
609# Password Encryption Algorithm (3)
610>>>>>62	uleshort		>0		\b, 0x%x encrypted
611# Soft Filemark Block Size * 512 (2)
612#>>>>>64	uleshort		=2		\b, soft size %u*512
613>>>>>64	uleshort		!2		\b, soft size %u*512
614# Media Based Catalog Type (1,2)
615#>>>>>66	uleshort		x		\b, catalog type %4.4x
616# size of Media Name (66,68,6Eh)
617>>>>>68	uleshort		>0
618# offset of Media Name (5Eh)
619>>>>>>70	uleshort	>0
620# 0~, 1~ANSI, 2~UNICODE
621>>>>>>>48	ubyte		1
622# size terminated ansi coded string normally followed by "MTF Media Label"
623>>>>>>>>(70.s)	string		>\0		\b, name: %s
624>>>>>>>48	ubyte		2
625# Not null, but size terminated unicoded string
626>>>>>>>>(70.s)	lestring16	x		\b, name: %s
627# size of Media Label (104h)
628>>>>>72	uleshort		>0
629# offset of Media Label (C4h,C6h,CCh)
630>>>>>74		uleshort	>0
631>>>>>>48	ubyte		1
632#Tag|Version|Vendor|Vendor ID|Creation Time Stamp|Cartridge Label|Side|Media ID|Media Domain ID|Vendor Specific fields
633>>>>>>>(74.s)	string		>\0		\b, label: %s
634>>>>>>48	ubyte		2
635>>>>>>>(74.s)	lestring16	x		\b, label: %s
636# size of password name (0,1Ch)
637#>>>>>76	uleshort		>0		\b, password size %4.4x
638# Software Vendor ID (CBEh)
639>>>>>86	uleshort		x		\b, software (0x%x)
640# size of Software Name (6Eh)
641>>>>>80	uleshort		>0
642# offset of Software Name (1C8h,1CAh,1D0h)
643>>>>>>82	uleshort	>0
644# 1~ANSI, 2~UNICODE
645>>>>>>>48	ubyte		1
646>>>>>>>>(82.s)	string		>\0		\b: %s
647>>>>>>>48	ubyte		2
648# size terminated unicoded coded string normally followed by "SPAD"
649>>>>>>>>(82.s)	lestring16	x		\b: %s
650# Format Logical Block Size (512,1024)
651#>>>>>84	uleshort		=1024		\b, block size %u
652>>>>>84	uleshort		!1024		\b, block size %u
653# Media Date of MTF_DATE_TIME type with 5 bytes
654#>>>>>>88	ubequad			x		DATE %16.16llx
655# MTF Major Version (1)
656#>>>>>>93	ubyte		x		\b, MFT version %x
657#
658
659# URL: https://en.wikipedia.org/wiki/PaintShop_Pro
660# Reference: http://www.cryer.co.uk/file-types/p/pal.htm
661# Created by: Joerg Jenderek
662# Note: there exist other color palette formats also with .pal extension
6630	string	JASC-PAL\r\n	PaintShop Pro color palette
664#!:mime	text/plain
665# PspPalette extension is used by newer (probably 8) PaintShopPro versions
666!:ext	pal/PspPalette
667# 2nd line contains palette file version. For example "0100"
668>10	string	!0100		\b, version %.4s
669# third line contains the number of colours: 16 256 ...
670>16	string	x		\b, %.3s colors
671
672# URL: http://en.wikipedia.org/wiki/Innosetup
673# Reference: https://github.com/jrsoftware/issrc/blob/master/Projects/Undo.pas
674# Created by: Joerg Jenderek
675# Note:	created by like "InnoSetup self-extracting archive" inside ./msdos
676# TrID labeles the entry as "Inno Setup Uninstall Log"
677#	TUninstallLogID
6780	string	Inno\ Setup\ Uninstall\ Log\ (b)	InnoSetup Log
679!:mime	application/x-innosetup
680# unins000.dat, unins001.dat, ...
681!:ext	dat
682# " 64-bit" variant
683>0x1c	string		>\0				\b%.7s
684# AppName[0x80] like "Minimal SYStem", ClamWin Free Antivirus , ...
685>0xc0	string		x				%s
686# AppId[0x80] is simliar to AppName or
687# GUID like {4BB0DCDC-BC24-49EC-8937-72956C33A470} start with left brace
688>0x40	ubyte		0x7b
689>>0x40	string		x				%-.38s
690# do not know how this log version correlates to program version
691>0x140	ulelong		x				\b, version 0x%x
692# NumRecs
693#>0x144	ulelong		x				\b, 0x%4.4x records
694# EndOffset means files size
695>0x148	ulelong		x				\b, %u bytes
696# Flags 5 25h 35h
697#>0x14c	ulelong		x				\b, flags %8.8x
698# Reserved: array[0..26] of Longint
699# the non Unicode HighestSupportedVersion may never become greater than or equal to 1000
700>0x140	ulelong		<1000
701# hostname
702>>0x1d6	pstring		x				\b, %s
703# user name
704>>>&0	pstring		x				\b\%s
705# directory like C:\Program Files (x86)\GnuWin32
706>>>>&0	pstring		x				\b, "%s"
707# version 1000 or higher implies unicode
708>0x140	ulelong		>999
709# hostname
710>>0x1db	lestring16	x				\b, %-.9s
711# utf string variant with prepending fe??ffFFff
712>>0x1db	search/43	\xFF\xFF\xFF
713# user name
714>>>&0	lestring16	x				\b\%-.9s
715>>>&0	search/43	\xFF\xFF\xFF
716# directory like C:\Program Files\GIMP 2
717>>>>&0	lestring16	x				\b, %-.42s
718
719