#------------------------------------------------------------------------------
# $File: windows,v 1.22 2018/02/16 15:44:00 christos Exp $
# windows: file(1) magic for Microsoft Windows
#
# This file is mainly reserved for files where programs
# using them are run almost always on MS Windows 3.x or
# above, or files only used exclusively in Windows OS,
# where there is no better category to allocate for.
# For example, even though WinZIP runs almost only on Windows,
# it is better to treat its files as "archive" instead.
# For formats usable in DOS, such as generic executable
# formats, please specify under the "msdos" file.
#


# Summary: Outlook Express DBX file
# Extension: .dbx
# Created by: Christophe Monniez
0 string \xCF\xAD\x12\xFE MS Outlook Express DBX file
>4 byte =0xC5 \b, message database
>4 byte =0xC6 \b, folder database
>4 byte =0xC7 \b, account information
>4 byte =0x30 \b, offline database


# Summary: Windows crash dump
# Extension: .dmp
# Created by: Andreas Schuster (http://computer.forensikblog.de/)
# Reference (1): http://computer.forensikblog.de/en/2008/02/64bit_magic.html
# Modified by (1): Abel Cheung (Avoid match with first 4 bytes only)
0 string PAGE
>4 string DUMP MS Windows 32bit crash dump
>>0x05c byte 0 \b, no PAE
>>0x05c byte 1 \b, PAE
>>0xf88 lelong 1 \b, full dump
>>0xf88 lelong 2 \b, kernel dump
>>0xf88 lelong 3 \b, small dump
>>0x068 lelong x \b, %d pages
>4 string DU64 MS Windows 64bit crash dump
>>0xf98 lelong 1 \b, full dump
>>0xf98 lelong 2 \b, kernel dump
>>0xf98 lelong 3 \b, small dump
>>0x090 lequad x \b, %lld pages


# Summary: Vista Event Log
# Extension: .evtx
# Created by: Andreas Schuster (http://computer.forensikblog.de/)
# Reference (1): http://computer.forensikblog.de/en/2007/05/some_magic.html
0 string ElfFile\0 MS Windows Vista Event Log
>0x2a leshort x \b, %d chunks
>>0x10 lelong x \b (no. %d in use)
>0x18 lelong >1 \b, next record no. %d
>0x18 lelong =1 \b, empty
>0x78 lelong &1 \b, DIRTY
>0x78 lelong &2 \b, FULL


# Summary: Windows 3.1 group files
# Extension: .grp
# Created by: unknown
0 string \120\115\103\103 MS Windows 3.1 group files


# Summary: Old format help files
# URL: https://en.wikipedia.org/wiki/WinHelp
# Reference: http://www.oocities.org/mwinterhoff/helpfile.htm
# Update: Joerg Jenderek
# Created by: Dirk Jagdmann <doj@cubic.org>
#
# check and then display version and date inside MS Windows HeLP file fragment
0 name help-ver-date
# look for Magic of SYSTEMHEADER
>0 leshort 0x036C
# version Major 1 for right file fragment
>>4 leshort 1 Windows
# print non empty string above to avoid error message
# Warning: Current entry does not yet have a description for adding a MIME type
!:mime application/winhelp
!:ext hlp
# version Minor of help file format is hint for windows version
>>>2 leshort 0x0F 3.x
>>>2 leshort 0x15 3.0
>>>2 leshort 0x21 3.1
>>>2 leshort 0x27 x.y
>>>2 leshort 0x33 95
>>>2 default x y.z
>>>>2 leshort x 0x%x
# to complete message string like "MS Windows 3.x help file"
>>>2 leshort x help
# GenDate often older than file creation date
>>>6 ldate x \b, %s
#
# Magic for HeLP files
0 lelong 0x00035f3f
# ./windows (version 5.25) labeled the entry as "MS Windows 3.x help file"
# file header magic 0x293B at DirectoryStart+9
>(4.l+9) uleshort 0x293B MS
# look for @VERSION bmf.. like IBMAVW.ANN
>>0xD4 string =\x62\x6D\x66\x01\x00 Windows help annotation
!:mime application/x-winhelp
!:ext ann
>>0xD4 string !\x62\x6D\x66\x01\x00
# "GID Help index" by TrID
>>>(4.l+0x65) string =|Pete Windows help Global Index
!:mime application/x-winhelp
!:ext gid
# HeLP Bookmark or
# "Windows HELP File" by TrID
>>>(4.l+0x65) string !|Pete
# maybe there exists a cleaner way to detect HeLP fragments
# brute search for Magic 0x036C with matching Major, maximal 7 iterations
# discapp.hlp
>>>>16 search/0x49AF/s \x6c\x03
>>>>>&0 use help-ver-date
>>>>>&4 leshort !1
# putty.hlp
>>>>>>&0 search/0x69AF/s \x6c\x03
>>>>>>>&0 use help-ver-date
>>>>>>>&4 leshort !1
>>>>>>>>&0 search/0x49AF/s \x6c\x03
>>>>>>>>>&0 use help-ver-date
>>>>>>>>>&4 leshort !1
>>>>>>>>>>&0 search/0x49AF/s \x6c\x03
>>>>>>>>>>>&0 use help-ver-date
>>>>>>>>>>>&4 leshort !1
>>>>>>>>>>>>&0 search/0x49AF/s \x6c\x03
>>>>>>>>>>>>>&0 use help-ver-date
>>>>>>>>>>>>>&4 leshort !1
>>>>>>>>>>>>>>&0 search/0x49AF/s \x6c\x03
>>>>>>>>>>>>>>>&0 use help-ver-date
>>>>>>>>>>>>>>>&4 leshort !1
>>>>>>>>>>>>>>>>&0 search/0x49AF/s \x6c\x03
# GCC.HLP is detected after 7 iterations
>>>>>>>>>>>>>>>>>&0 use help-ver-date
# this only happens if a bigger hlp file is detected after the used search iterations
>>>>>>>>>>>>>>>>>&4 leshort !1 Windows y.z help
!:mime application/winhelp
!:ext hlp
# repeat search again or following default line does not work
>>>>16 search/0x49AF/s \x6c\x03
# remaining files should be HeLP Bookmark WinHlp32.BMK (XP 32-bit) or WinHlp32 (Windows 8.1 64-bit)
>>>>16 default x Windows help Bookmark
!:mime application/x-winhelp
!:ext bmk
## FirstFreeBlock normally FFFFFFFFh 10h for *ANN
##>>8 lelong x \b, FirstFreeBlock 0x%8.8x
# EntireFileSize
>>12 lelong x \b, %d bytes
## ReservedSpace normally 042Fh AFh for *.ANN
#>>(4.l) lelong x \b, ReservedSpace 0x%8.8x
## UsedSpace normally 0426h A6h for *.ANN
#>>(4.l+4) lelong x \b, UsedSpace 0x%8.8x
## FileFlags normally 04...
#>>(4.l+5) lelong x \b, FileFlags 0x%8.8x
## file header magic 0x293B
#>>(4.l+9) uleshort x \b, file header magic 0x%4.4x
## file header Flags 0x0402
#>>(4.l+11) uleshort x \b, file header Flags 0x%4.4x
## file header PageSize 0400h 80h for *.ANN
#>>(4.l+13) uleshort x \b, PageSize 0x%4.4x
## Structure[16] z4
#>>(4.l+15) string >\0 \b, Structure_"%-.16s"
## MustBeZero 0
#>>(4.l+31) uleshort x \b, MustBeZero 0x%4.4x
## PageSplits
#>>(4.l+33) uleshort x \b, PageSplits 0x%4.4x
## RootPage
#>>(4.l+35) uleshort x \b, RootPage 0x%4.4x
## MustBeNegOne 0xffff
#>>(4.l+37) uleshort x \b, MustBeNegOne 0x%4.4x
## TotalPages 1
#>>(4.l+39) uleshort x \b, TotalPages 0x%4.4x
## NLevels 0x0001
#>>(4.l+41) uleshort x \b, NLevels 0x%4.4x
## TotalBtreeEntries
#>>(4.l+43) ulelong x \b, TotalBtreeEntries 0x%8.8x
## pages of the B+ tree
#>>(4.l+47) ubequad x \b, PageStart 0x%16.16llx

# start with colon or semicolon for comment line like Back2Life.cnt
0 regex \^(:|;)
# look for first keyword Base
>0 search/45 :Base
>>&0 use cnt-name
# only solution is to search again from the beginning, because relative offsets change when use is called
>0 search/45 :Base
>0 default x
# look for other keyword Title like in putty.cnt
>>0 search/45 :Title
>>>&0 use cnt-name
#
# display mime type and name of Windows help Content source
0 name cnt-name
# skip space at beginning
>0 string \040
# name without extension and greater character or name with hlp extension
>>1 regex/c \^([^\xd>]*|.*\.hlp) MS Windows help file Content, based "%s"
!:mime text/plain
!:apple ????TEXT
!:ext cnt
#
# Windows creates a full text search index from the hlp file if the user clicks the "Find" tab and enables keyword indexing
0 string tfMR MS Windows help Full Text Search index
!:mime application/x-winhelp-fts
!:ext fts
>16 string >\0 for "%s"

# Summary: Hyper terminal
# Extension: .ht
# Created by: unknown
0 string HyperTerminal\040
>15 string 1.0\ --\ HyperTerminal\ data\ file MS Windows HyperTerminal profile

# http://ithreats.files.wordpress.com/2009/05/\040
# lnk_the_windows_shortcut_file_format.pdf
# Summary: Windows shortcut
# Extension: .lnk
# Created by: unknown
# 'L' + GUID
0 string \114\0\0\0\001\024\002\0\0\0\0\0\300\0\0\0\0\0\0\106 MS Windows shortcut
>20 lelong&1 1 \b, Item id list present
>20 lelong&2 2 \b, Points to a file or directory
>20 lelong&4 4 \b, Has Description string
>20 lelong&8 8 \b, Has Relative path
>20 lelong&16 16 \b, Has Working directory
>20 lelong&32 32 \b, Has command line arguments
>20 lelong&64 64 \b, Icon
>>56 lelong x \b number=%d
>24 lelong&1 1 \b, Read-Only
>24 lelong&2 2 \b, Hidden
>24 lelong&4 4 \b, System
>24 lelong&8 8 \b, Volume Label
>24 lelong&16 16 \b, Directory
>24 lelong&32 32 \b, Archive
>24 lelong&64 64 \b, Encrypted
>24 lelong&128 128 \b, Normal
>24 lelong&256 256 \b, Temporary
>24 lelong&512 512 \b, Sparse
>24 lelong&1024 1024 \b, Reparse point
>24 lelong&2048 2048 \b, Compressed
>24 lelong&4096 4096 \b, Offline
>28 leqwdate x \b, ctime=%s
>36 leqwdate x \b, mtime=%s
>44 leqwdate x \b, atime=%s
>52 lelong x \b, length=%u, window=
>60 lelong&1 1 \bhide
>60 lelong&2 2 \bnormal
>60 lelong&4 4 \bshowminimized
>60 lelong&8 8 \bshowmaximized
>60 lelong&16 16 \bshownoactivate
>60 lelong&32 32 \bminimize
>60 lelong&64 64 \bshowminnoactive
>60 lelong&128 128 \bshowna
>60 lelong&256 256 \brestore
>60 lelong&512 512 \bshowdefault
#>20 lelong&1 0
#>>20 lelong&2 2
#>>>(72.l-64) pstring/h x \b [%s]
#>20 lelong&1 1
#>>20 lelong&2 2
#>>>(72.s) leshort x
#>>>&75 pstring/h x \b [%s]

# Summary: Outlook Personal Folders
# Created by: unknown
0 lelong 0x4E444221 Microsoft Outlook email folder
>10 leshort 0x0e (<=2002)
>10 leshort 0x17 (>=2003)


# Summary: Windows help cache
# Created by: unknown
0 string \164\146\115\122\012\000\000\000\001\000\000\000 MS Windows help cache


# Summary: IE cache file
# Created by: Christophe Monniez
0 string Client\ UrlCache\ MMF Internet Explorer cache file
>20 string >\0 version %s


# Summary: Registry files
# Created by: unknown
# Modified by (1): Joerg Jenderek
0 string regf MS Windows registry file, NT/2000 or above
0 string CREG MS Windows 95/98/ME registry file
0 string SHCC3 MS Windows 3.1 registry file


# Summary: Windows Registry text
# URL: https://en.wikipedia.org/wiki/Windows_Registry#.REG_files
# Reference: http://fileformats.archiveteam.org/wiki/Windows_Registry
# Submitted by: Abel Cheung <abelcheung@gmail.com>
# Update: Joerg Jenderek
# Windows 3-9X variant
0 string REGEDIT
# skip ASCII text like "REGEDITor.txt" but match
# L1WMAP.REG with only 1 CRNL or org.gnome.gnumeric.reg with 2 NL
>7 search/3 \n Windows Registry text
!:mime text/x-ms-regedit
!:ext reg
# Windows 9X variant
>>0 string REGEDIT4 (Win95 or above)
# Windows 2K ANSI variant
0 string Windows\ Registry\ Editor\ 
>&0 string Version\ 5.00\r\n\r\n Windows Registry text (Win2K or above)
!:mime text/x-ms-regedit
!:ext reg
# Windows 2K UTF-16 variant
2 lestring16 Windows\ Registry\ Editor\ 
>0x32 lestring16 Version\ 5.00\r\n\r\n Windows Registry little-endian text (Win2K or above)
# relative offset not working
#>&0 lestring16 Version\ 5.00\r\n\r\n Windows Registry little-endian text (Win2K or above)
!:mime text/x-ms-regedit
!:ext reg
# WINE variant
# URL: https://en.wikipedia.org/wiki/Wine_(software)
# Reference: https://www.winehq.org/pipermail/wine-cvs/2005-October/018763.html
# Note: WINE uses a text-based registry (system.reg,user.reg,userdef.reg)
# instead of the binary hive structure used by Windows
0 string WINE\ REGISTRY\ Version\ WINE registry text
# version 2
>&0 string x \b, version %s
!:mime text/x-wine-extension-reg
!:ext reg

# Windows *.INF *.INI files updated by Joerg Jenderek at Apr 2013, Feb 2018
# empty ,comment , section
# PR/383: remove unicode BOM because it is not portable across regex impls
#0 regex/s \\`(\\r\\n|;|[[])
# empty line CRLF
0 ubeshort 0x0D0A
>0 use ini-file
# comment line
0 string ;
>0 use ini-file
# section line
0 string [
>0 use ini-file
# check and then display Windows INItialization configuration
0 name ini-file
# look for left bracket in section line
>0 search/8192 [
# http://en.wikipedia.org/wiki/Autorun.inf
# http://msdn.microsoft.com/en-us/library/windows/desktop/cc144200.aspx
# space after right bracket
# or AutoRun.Amd64 for 64 bit systems
# or only NL separator
>>&0 regex/c \^(autorun)
# but sometimes total commander directory tree file "treeinfo.wc" with lines like
# [AUTORUN]
# [boot]
>>>&0 string =]\r\n[ Total commander directory treeinfo.wc
!:mime text/plain
!:ext wc
# From: Pal Tamas <folti@balabit.hu>
# Autorun File
>>>&0 string !]\r\n[ Microsoft Windows Autorun file
!:mime application/x-setupscript
!:ext inf
# http://msdn.microsoft.com/en-us/library/windows/hardware/ff549520(v=vs.85).aspx
# version strings ASCII coded case-independent for Windows setup information script file
>>&0 regex/c \^(version|strings)] Windows setup INFormation
!:mime application/x-setupscript
#!:mime application/x-wine-extension-inf
!:ext inf
# NETCRC.INF OEMCPL.INF
>>&0 regex/c \^(WinsockCRCList|OEMCPL)] Windows setup INFormation
!:mime application/x-setupscript
!:ext inf
# http://www.winfaq.de/faq_html/Content/tip2500/onlinefaq.php?h=tip2653.htm
# http://msdn.microsoft.com/en-us/library/windows/desktop/cc144102.aspx
# .ShellClassInfo DeleteOnCopy LocalizedFileNames ASCII coded case-independent
>>&0 regex/c \^(\.ShellClassInfo|DeleteOnCopy|LocalizedFileNames)] Windows desktop.ini
!:mime application/x-wine-extension-ini
#!:mime text/plain
# http://support.microsoft.com/kb/84709/
>>&0 regex/c \^(don't\ load)] Windows CONTROL.INI
!:mime application/x-wine-extension-ini
!:ext ini
>>&0 regex/c \^(ndishlp\\$|protman\\$|NETBEUI\\$)] Windows PROTOCOL.INI
!:mime application/x-wine-extension-ini
!:ext ini
# http://technet.microsoft.com/en-us/library/cc722567.aspx
# http://www.winfaq.de/faq_html/Content/tip0000/onlinefaq.php?h=tip0137.htm
>>&0 regex/c \^(windows|Compatibility|embedding)] Windows WIN.INI
!:mime application/x-wine-extension-ini
!:ext ini
# http://en.wikipedia.org/wiki/SYSTEM.INI
>>&0 regex/c \^(boot|386enh|drivers)] Windows SYSTEM.INI
!:mime application/x-wine-extension-ini
!:ext ini
# http://www.mdgx.com/newtip6.htm
>>&0 regex/c \^(SafeList)] Windows IOS.INI
!:mime application/x-wine-extension-ini
!:ext ini
# http://en.wikipedia.org/wiki/NTLDR Windows Boot Loader information
>>&0 regex/c \^(boot\x20loader)] Windows boot.ini
!:mime application/x-wine-extension-ini
!:ext ini
# http://en.wikipedia.org/wiki/CONFIG.SYS
>>&0 regex/c \^(menu)] MS-DOS CONFIG.SYS
# @CONFIG.UI configuration file of previous DOS version saved by Caldera OPENDOS INSTALL.EXE
# CONFIG.PSS saved version of file CONFIG.SYS created by %WINDIR%\SYTEM\MSCONFIG.EXE
# CONFIG.TSH renamed file CONFIG.SYS.BAT by %WINDIR%\SYTEM\MSCONFIG.EXE
# dos and w40 used in dual booting scene
!:ext sys/dos/w40
# http://support.microsoft.com/kb/118579/
>>&0 regex/c \^(Paths)]\r\n MS-DOS MSDOS.SYS
!:ext sys/dos
# http://chmspec.nongnu.org/latest/INI.html#HHP
>>&0 regex/c \^(options)]\r\n Microsoft HTML Help Project
!:mime text/plain
!:ext hhp
# unknown keyword after opening bracket
>>&0 default x
#>>>&0 string/c x UNKNOWN [%s
# look for left bracket of second section
>>>&0 search/8192 [
# version Strings FileIdentification
>>>>&0 string/c version Windows setup INFormation
!:mime application/x-setupscript
!:ext inf
# http://en.wikipedia.org/wiki/Initialization_file Windows Initialization File or other
>>>>&0 default x
>>>>>&0 ubyte x
# characters, digits, underscore and white space followed by right bracket
# terminated by CR implies section line to skip BOOTLOG.TXT DETLOG.TXT
>>>>>>&-1 regex \^([A-Za-z0-9_\(\)\ ]+)\]\r Generic INItialization configuration [%-.40s
# NETDEF.INF multiarc.ini
#!:mime application/x-setupscript
!:mime application/x-wine-extension-ini
#!:mime text/plain
!:ext ini/inf
# UTF-16 BOM followed by CR~0D00 , comment~semicolon~3B00 , section~bracket~5B00
0 ubelong&0xFFff89FF =0xFFFE0900
# look for left bracket in section line
>2 search/8192 [
# keyword without 1st letter which is maybe up-/down-case
>>&3 lestring16 ersion] Windows setup INFormation
!:mime application/x-setupscript
!:ext inf
>>&3 lestring16 trings] Windows setup INFormation
!:mime application/x-setupscript
!:ext inf
>>&3 lestring16 ourceDisksNames] Windows setup INFormation
!:mime application/x-setupscript
!:ext inf
# netnwcli.inf start with ;---[ NetNWCli.INX ]
>>&3 default x
# look for NL followed by left bracket
>>>&0 search/8192 \x0A\x00\x5b
>>>>&3 lestring16 ersion] Windows setup INFormation
!:mime application/x-setupscript
!:ext inf

# Windows Precompiled INF files *.PNF added by Joerg Jenderek at Mar 2013 of _PNF_HEADER inf.h
# http://read.pudn.com/downloads3/sourcecode/windows/248345/win2k/private/windows/setup/setupapi/inf.h__.htm
# GRR: line below too general as it catches also PDP-11 UNIX/RT ldp
0 leshort&0xFeFe 0x0000
!:strength -5
# test for unused null bits in PNF_FLAGs
>4 ulelong&0xFCffFe00 0x00000000
# only found 58h for Offset of WinDirPath immediately after _PNF_HEADER structure
>>68 ulelong >0x57
# test for zero high byte of InfValueBlockSize, followed by WinDirPath like
# C:\WINDOWS (ASCII 0x433a5c.. , unicode 0x43003a005c..) or X:\MININT
>>>(68.l-1) ubelong&0xffE0C519 =0x00400018 Windows Precompiled iNF
!:mime application/x-pnf
# currently only found Major Version=1 and Minor Version=1
#>>>>0 uleshort =0x0101
#>>>>>1 ubyte x \b, version %u
#>>>>>0 ubyte x \b.%u
>>>>0 uleshort !0x0101
>>>>>1 ubyte x \b, version %u
>>>>>0 ubyte x \b.%u
# 1 ,2 (windows 98 SE)
#>>>>2 uleshort =2 \b, InfStyle %u
>>>>2 uleshort !2 \b, InfStyle %u
# PNF_FLAG_IS_UNICODE 0x00000001
# PNF_FLAG_HAS_STRINGS 0x00000002
# PNF_FLAG_SRCPATH_IS_URL 0x00000004
# PNF_FLAG_HAS_VOLATILE_DIRIDS 0x00000008
# PNF_FLAG_INF_VERIFIED 0x00000010
# PNF_FLAG_INF_DIGITALLY_SIGNED 0x00000020
# ?? 0x00000100
# ?? 0x01000000
# ?? 0x02000000
>>>>4 ulelong&0x00000001 0x00000001 \b, unicoded
>>>>4 ulelong&0x00000020 0x00000020 \b, digitally signed
#>>>>8 ulelong x \b, InfSubstValueListOffset 0x%x
# many 0, 1 lmouusb.PNF, 2 linkfx10.PNF , f webfdr16.PNF
#>>>>12 uleshort x \b, InfSubstValueCount 0x%x
# only < 9 found
#>>>>14 uleshort x \b, InfVersionDatumCount 0x%x
# only found values lower 0x0000ffff
#>>>>16 ulelong x \b, InfVersionDataSize 0x%x
# only found positive values lower 0x00ffFFff for InfVersionDataOffset
>>>>20 ulelong x \b, at 0x%x
>>>>4 ulelong&0x00000001 =0x00000001
# case independent: CatalogFile Class DriverVer layoutfile LayoutFile SetupClass signature Signature
>>>>>(20.l) lestring16 x "%s"
>>>>4 ulelong&0x00000001 !0x00000001
>>>>>(20.l) string x "%s"
# FILETIME is number of 100-nanosecond intervals since 1 January 1601
#>>>>24 ulequad x \b, InfVersionLastWriteTime %16.16llx
# only found values lower 0x00ffFFff
#>>>>32 ulelong x \b, StringTableBlockOffset 0x%x
#>>>>36 ulelong x \b, StringTableBlockSize 0x%x
#>>>>40 ulelong x \b, InfSectionCount 0x%x
#>>>>44 ulelong x \b, InfSectionBlockOffset 0x%x
#>>>>48 ulelong x \b, InfSectionBlockSize 0x%x
#>>>>52 ulelong x \b, InfLineBlockOffset 0x%x
#>>>>56 ulelong x \b, InfLineBlockSize 0x%x
#>>>>60 ulelong x \b, InfValueBlockOffset 0x%x
#>>>>64 ulelong x \b, InfValueBlockSize 0x%x
# WinDirPathOffset
#>>>>68 ulelong x \b, at 0x%x
>>>>68 ulelong >0x57
>>>>>4 ulelong&0x00000001 =0x00000001
>>>>>>(68.l) ubequad =0x43003a005c005700
# normally unicoded C:\Windows
#>>>>>>>(68.l) lestring16 x \b, WinDirPath "%s"
>>>>>>(68.l) ubequad !0x43003a005c005700
>>>>>>>(68.l) lestring16 x \b, WinDirPath "%s"
>>>>>4 ulelong&0x00000001 !0x00000001
# normally ASCII C:\WINDOWS
#>>>>>>(68.l) string =C:\\WINDOWS \b, WinDirPath "%s"
>>>>>>(68.l) string !C:\\WINDOWS \b, WinDirPath "%s"
# found OsLoaderPathOffset values often 0 , once 70h corelist.PNF, once 68h ASCII machine.PNF
#>>>>72 ulelong >0 \b, at 0x%x
>>>>72 ulelong >0 \b,
>>>>>4 ulelong&0x00000001 =0x00000001
>>>>>>(72.l) lestring16 x OsLoaderPath "%s"
>>>>>4 ulelong&0x00000001 !0x00000001
# seldom C:\ instead empty
>>>>>>(72.l) string x OsLoaderPath "%s"
# 1fdh
#>>>>76 uleshort x \b, StringTableHashBucketCount 0x%x
>>>>78 uleshort !0x407 \b, LanguageId %x
# only 407h found
#>>>>78 uleshort =0x407 \b, LanguageId %x
# InfSourcePathOffset often 0
#>>>>80 ulelong >0 \b, at 0x%x
>>>>80 ulelong >0 \b,
>>>>>4 ulelong&0x00000001 =0x00000001
>>>>>>(80.l) lestring16 x SourcePath "%s"
>>>>>4 ulelong&0x00000001 !0x00000001
>>>>>>(80.l) string >\0 SourcePath "%s"
# OriginalInfNameOffset often 0
#>>>>84 ulelong >0 \b, at 0x%x
>>>>84 ulelong >0 \b,
>>>>>4 ulelong&0x00000001 =0x00000001
>>>>>>(84.l) lestring16 x InfName "%s"
>>>>>4 ulelong&0x00000001 !0x00000001
>>>>>>(84.l) string >\0 InfName "%s"

# Summary: backup file created with utility like NTBACKUP.EXE shipped with Windows NT/2K/XP/2003
# Extension: .bkf
# Created by: Joerg Jenderek
# URL: http://en.wikipedia.org/wiki/NTBackup
# Reference: http://laytongraphics.com/mtf/MTF_100a.PDF
# Descriptor BloCK name of Microsoft Tape Format
0 string TAPE
# Format Logical Address is zero
>20 ulequad 0
# Reserved for MBC is zero
>>28 uleshort 0
# Control Block ID is zero
>>>36 ulelong 0
# BIT4-BIT15, BIT18-BIT31 of block attributes are unused
>>>>4 ulelong&0xFFfcFFe0 0 Windows NTbackup archive
#!:mime application/x-ntbackup
!:ext bkf
# OS ID
>>>>>10 ubyte 1 \b NetWare
>>>>>10 ubyte 13 \b NetWare SMS
>>>>>10 ubyte 14 \b NT
>>>>>10 ubyte 24 \b 3
>>>>>10 ubyte 25 \b OS/2
>>>>>10 ubyte 26 \b 95
>>>>>10 ubyte 27 \b Macintosh
>>>>>10 ubyte 28 \b UNIX
# OS Version (2)
#>>>>>11 ubyte x OS V=%x
# MTF_CONTINUATION Media Sequence Number > 1
#>>>>>4 ulelong&0x00000001 !0 \b, continued
# MTF_COMPRESSION
>>>>>4 ulelong&0x00000004 !0 \b, compressed
# MTF_EOS_AT_EOM End Of Medium was hit during end of set processing
>>>>>4 ulelong&0x00000008 !0 \b, End Of Medium hit
>>>>>4 ulelong&0x00020000 0
# MTF_SET_MAP_EXISTS A Media Based Catalog Set Map may exist on tape
>>>>>>4 ulelong&0x00010000 !0 \b, with catalog
# MTF_FDD_ALLOWED However File/Directory Detail can only exist if a Set Map is also present
>>>>>4 ulelong&0x00020000 !0 \b, with file catalog
# Offset To First Event 238h,240h,28Ch
#>>>>>8 uleshort x \b, event offset %4.4x
# Displayable Size (20e0230h 20e024ch 20e0224h)
#>>>>>8 ulequad x dis. size %16.16llx
# Media Family ID (455288C4h 4570BD1Ah 45708F2Fh 4570BBF5h)
#>>>>>52 ulelong x family ID %8.8x
# TAPE Attributes (3)
#>>>>>56 ulelong x TAPE %8.8x
# Media Sequence Number
>>>>>60 uleshort >1 \b, sequence %u
# Password Encryption Algorithm (3)
>>>>>62 uleshort >0 \b, 0x%x encrypted
# Soft Filemark Block Size * 512 (2)
#>>>>>64 uleshort =2 \b, soft size %u*512
>>>>>64 uleshort !2 \b, soft size %u*512
# Media Based Catalog Type (1,2)
#>>>>>66 uleshort x \b, catalog type %4.4x
# size of Media Name (66,68,6Eh)
>>>>>68 uleshort >0
# offset of Media Name (5Eh)
>>>>>>70 uleshort >0
# 0~, 1~ANSI, 2~UNICODE
>>>>>>>48 ubyte 1
# size terminated ansi coded string normally followed by "MTF Media Label"
>>>>>>>>(70.s) string >\0 \b, name: %s
>>>>>>>48 ubyte 2
# Not null, but size terminated unicoded string
>>>>>>>>(70.s) lestring16 x \b, name: %s
# size of Media Label (104h)
>>>>>72 uleshort >0
# offset of Media Label (C4h,C6h,CCh)
>>>>>74 uleshort >0
>>>>>>48 ubyte 1
#Tag|Version|Vendor|Vendor ID|Creation Time Stamp|Cartridge Label|Side|Media ID|Media Domain ID|Vendor Specific fields
>>>>>>>(74.s) string >\0 \b, label: %s
>>>>>>48 ubyte 2
>>>>>>>(74.s) lestring16 x \b, label: %s
# size of password name (0,1Ch)
#>>>>>76 uleshort >0 \b, password size %4.4x
# Software Vendor ID (CBEh)
>>>>>86 uleshort x \b, software (0x%x)
# size of Software Name (6Eh)
>>>>>80 uleshort >0
# offset of Software Name (1C8h,1CAh,1D0h)
>>>>>>82 uleshort >0
# 1~ANSI, 2~UNICODE
>>>>>>>48 ubyte 1
>>>>>>>>(82.s) string >\0 \b: %s
>>>>>>>48 ubyte 2
# size terminated unicoded coded string normally followed by "SPAD"
>>>>>>>>(82.s) lestring16 x \b: %s
# Format Logical Block Size (512,1024)
#>>>>>84 uleshort =1024 \b, block size %u
>>>>>84 uleshort !1024 \b, block size %u
# Media Date of MTF_DATE_TIME type with 5 bytes
#>>>>>>88 ubequad x DATE %16.16llx
# MTF Major Version (1)
#>>>>>>93 ubyte x \b, MFT version %x
#

# URL: https://en.wikipedia.org/wiki/PaintShop_Pro
# Reference: http://www.cryer.co.uk/file-types/p/pal.htm
# Created by: Joerg Jenderek
# Note: there exist other color palette formats also with .pal extension
0 string JASC-PAL\r\n PaintShop Pro color palette
#!:mime text/plain
# PspPalette extension is used by newer (probably 8) PaintShopPro versions
!:ext pal/PspPalette
# 2nd line contains palette file version. For example "0100"
>10 string !0100 \b, version %.4s
# third line contains the number of colours: 16 256 ...
>16 string x \b, %.3s colors

# URL: http://en.wikipedia.org/wiki/Innosetup
# Reference: https://github.com/jrsoftware/issrc/blob/master/Projects/Undo.pas
# Created by: Joerg Jenderek
# Note: created by like "InnoSetup self-extracting archive" inside ./msdos
# TrID labels the entry as "Inno Setup Uninstall Log"
# TUninstallLogID
0 string Inno\ Setup\ Uninstall\ Log\ (b) InnoSetup Log
!:mime application/x-innosetup
# unins000.dat, unins001.dat, ...
!:ext dat
# " 64-bit" variant
>0x1c string >\0 \b%.7s
# AppName[0x80] like "Minimal SYStem", ClamWin Free Antivirus , ...
>0xc0 string x %s
# AppId[0x80] is similar to AppName or
# GUID like {4BB0DCDC-BC24-49EC-8937-72956C33A470} start with left brace
>0x40 ubyte 0x7b
>>0x40 string x %-.38s
# do not know how this log version correlates to program version
>0x140 ulelong x \b, version 0x%x
# NumRecs
#>0x144 ulelong x \b, 0x%4.4x records
# EndOffset means files size
>0x148 ulelong x \b, %u bytes
# Flags 5 25h 35h
#>0x14c ulelong x \b, flags %8.8x
# Reserved: array[0..26] of Longint
# the non Unicode HighestSupportedVersion may never become greater than or equal to 1000
>0x140 ulelong <1000
# hostname
>>0x1d6 pstring x \b, %s
# user name
>>>&0 pstring x \b\%s
# directory like C:\Program Files (x86)\GnuWin32
>>>>&0 pstring x \b, "%s"
# version 1000 or higher implies unicode
>0x140 ulelong >999
# hostname
>>0x1db lestring16 x \b, %-.9s
# utf string variant with prepending fe??ffFFff
>>0x1db search/43 \xFF\xFF\xFF
# user name
>>>&0 lestring16 x \b\%-.9s
>>>&0 search/43 \xFF\xFF\xFF
# directory like C:\Program Files\GIMP 2
>>>>&0 lestring16 x \b, %-.42s
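# Added example, not part of the file(1) magic source above and not code from
# the file project: a small Python reader for two headers whose layout the
# magic entries spell out offset by offset, the Windows shortcut (.lnk)
# ShellLinkHeader ("MS Windows shortcut" entry) and the Vista event log
# (.evtx) file header ("MS Windows Vista Event Log" entry). Both are routine
# triage targets: .lnk files are a common dropper vector (the
# "Has command line arguments" LinkFlags bit is the one to look at), and the
# DIRTY bit of an .evtx header tells a responder the log was not cleanly
# closed. Field offsets and flag names follow the magic lines; the function
# names, the sample inputs (constructed here, not real files) and the
# SW_* ShowCommand names are this example's own. Two caveats a practitioner
# should know: MS-SHLLINK orders the three FILETIMEs as creation, access,
# write, whereas the magic entry labels offset 36 mtime and offset 44 atime;
# and ShowCommand is an SW_* enumeration in the specification, not a bit
# mask as the "window=" lines treat it. The code below uses the
# specification's reading for both.

```python
import struct
from datetime import datetime, timedelta, timezone

# 'L' + CLSID 00021401-0000-0000-C000-000000000046, the 20-byte magic string
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")
EVTX_MAGIC = b"ElfFile\x00"

# LinkFlags at offset 20 and FileAttributes at offset 24, named as in the magic entry
LINK_FLAGS = [
    (0x01, "Item id list present"), (0x02, "Points to a file or directory"),
    (0x04, "Has Description string"), (0x08, "Has Relative path"),
    (0x10, "Has Working directory"), (0x20, "Has command line arguments"),
    (0x40, "Icon"),
]
FILE_ATTRIBUTES = [
    (0x0001, "Read-Only"), (0x0002, "Hidden"), (0x0004, "System"),
    (0x0008, "Volume Label"), (0x0010, "Directory"), (0x0020, "Archive"),
    (0x0040, "Encrypted"), (0x0080, "Normal"), (0x0100, "Temporary"),
    (0x0200, "Sparse"), (0x0400, "Reparse point"), (0x0800, "Compressed"),
    (0x1000, "Offline"),
]
# Assumption: ShowCommand is the SW_* enumeration of MS-SHLLINK, not a bit mask
SHOW_COMMANDS = {1: "normal", 3: "showmaximized", 7: "showminnoactive"}

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC (leqwdate in magic terms)."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000


def _names(value, table):
    return [name for bit, name in table if value & bit]


def parse_lnk_header(data):
    """Return the ShellLinkHeader fields, or None if the 20-byte magic is absent."""
    if len(data) < 76 or data[:20] != LNK_MAGIC:
        return None
    link_flags, attrs = struct.unpack_from("<II", data, 20)
    # MS-SHLLINK order: CreationTime, AccessTime, WriteTime (offsets 28, 36, 44)
    ctime, atime, wtime = struct.unpack_from("<QQQ", data, 28)
    size, icon_index, show_cmd = struct.unpack_from("<IiI", data, 52)
    return {
        "link_flags": _names(link_flags, LINK_FLAGS),
        "attributes": _names(attrs, FILE_ATTRIBUTES),
        "ctime": filetime_to_datetime(ctime),
        "atime": filetime_to_datetime(atime),
        "wtime": filetime_to_datetime(wtime),
        "length": size,
        "icon_index": icon_index,
        "show_command": SHOW_COMMANDS.get(show_cmd, "0x%x" % show_cmd),
        # triage hint: a shortcut that carries arguments is the usual shape of
        # LNK-based droppers; combine with show_command and the target path
        "runs_with_arguments": bool(link_flags & 0x20),
    }


def parse_evtx_header(data):
    """Fields the 'ElfFile' magic entry prints: chunk count (0x2a), chunks in use
    (0x10), next record number (0x18) and the DIRTY/FULL bits of the flags (0x78)."""
    if len(data) < 0x80 or data[:8] != EVTX_MAGIC:
        return None
    in_use = struct.unpack_from("<I", data, 0x10)[0]
    next_record = struct.unpack_from("<I", data, 0x18)[0]
    chunks = struct.unpack_from("<H", data, 0x2A)[0]
    flags = struct.unpack_from("<I", data, 0x78)[0]
    return {"chunks": chunks, "chunks_in_use": in_use, "next_record": next_record,
            "empty": next_record == 1, "dirty": bool(flags & 1), "full": bool(flags & 2)}


def build_sample_lnk():
    """Constructed 76-byte header (not a real file): Archive attribute, LinkInfo +
    relative path + working directory + arguments present, SW_SHOWMINNOACTIVE,
    all three timestamps 2020-01-01 UTC, FileSize 4096."""
    t = datetime_to_filetime(datetime(2020, 1, 1, tzinfo=timezone.utc))
    return (LNK_MAGIC
            + struct.pack("<II", 0x02 | 0x08 | 0x10 | 0x20, 0x0020)
            + struct.pack("<QQQ", t, t, t)
            + struct.pack("<IiI", 4096, 0, 7)
            + struct.pack("<HH", 0, 0)      # HotKey, Reserved1
            + struct.pack("<II", 0, 0))     # Reserved2, Reserved3


def build_sample_evtx():
    """Constructed 128-byte header (not a real file): 3 chunks, 2 in use,
    next record 501, DIRTY set, FULL clear."""
    hdr = bytearray(0x80)
    hdr[:8] = EVTX_MAGIC
    struct.pack_into("<I", hdr, 0x10, 2)
    struct.pack_into("<I", hdr, 0x18, 501)
    struct.pack_into("<H", hdr, 0x2A, 3)
    struct.pack_into("<I", hdr, 0x78, 1)
    return bytes(hdr)


if __name__ == "__main__":
    print(parse_lnk_header(build_sample_lnk()))
    print(parse_evtx_header(build_sample_evtx()))
```

# Run it as a script to see both dictionaries; to use it on real input, read
# the first 76 (lnk) or 128 (evtx) bytes of the file and pass them in. Neither
# parser walks past the fixed header, so a truncated or malformed file cannot
# make it read out of bounds: the length check returns None instead.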