windows revision 1.1.1.3
      1      1.1  christos 
      2      1.1  christos #------------------------------------------------------------------------------
      3  1.1.1.3  christos # $File: windows,v 1.5 2012/04/03 22:25:07 christos Exp $
      4      1.1  christos # windows:  file(1) magic for Microsoft Windows
      5      1.1  christos #
      6      1.1  christos # This file is mainly reserved for files whose programs
      7      1.1  christos # run almost always on MS Windows 3.x or above, or for
      8      1.1  christos # files used exclusively in Windows, where there is no
      9      1.1  christos # better category to allocate them to.
     10      1.1  christos # For example, even though WinZIP runs almost only on
     11      1.1  christos # Windows, its files are better treated as "archive".
     12      1.1  christos # For formats usable in DOS, such as the generic executable
     13      1.1  christos # format, please specify them in the "msdos" file.
     14      1.1  christos #
     15      1.1  christos 
     16      1.1  christos 
     17      1.1  christos # Summary: Outlook Express DBX file
     18      1.1  christos # Extension: .dbx
     19      1.1  christos # Created by: Christophe Monniez
     20      1.1  christos 0	string	\xCF\xAD\x12\xFE	MS Outlook Express DBX file
     21      1.1  christos >4	byte	=0xC5			\b, message database
     22      1.1  christos >4	byte	=0xC6			\b, folder database
     23      1.1  christos >4	byte	=0xC7			\b, account information
     24      1.1  christos >4	byte	=0x30			\b, offline database
     25      1.1  christos 
     26      1.1  christos 
     27      1.1  christos # Summary: Windows crash dump
     28      1.1  christos # Extension: .dmp
     29      1.1  christos # Created by: Andreas Schuster (http://computer.forensikblog.de/)
     30      1.1  christos # Reference (1): http://computer.forensikblog.de/en/2008/02/64bit_magic.html
     31      1.1  christos # Modified by (1): Abel Cheung (avoid matching on the first 4 bytes only)
     32      1.1  christos 0	string		PAGE		
     33      1.1  christos >4	string		DUMP		MS Windows 32bit crash dump
     34      1.1  christos >>0x05c	byte            0		\b, no PAE
     35      1.1  christos >>0x05c	byte            1		\b, PAE
     36      1.1  christos >>0xf88	lelong		1		\b, full dump
     37      1.1  christos >>0xf88	lelong		2		\b, kernel dump
     38      1.1  christos >>0xf88	lelong		3		\b, small dump
     39      1.1  christos >>0x068	lelong		x		\b, %ld pages
     40      1.1  christos >4	string		DU64		MS Windows 64bit crash dump
     41      1.1  christos >>0xf98	lelong		1		\b, full dump
     42      1.1  christos >>0xf98	lelong		2		\b, kernel dump
     43      1.1  christos >>0xf98	lelong		3		\b, small dump
     44      1.1  christos >>0x090	lequad		x		\b, %lld pages
     45      1.1  christos 
     46      1.1  christos 
     47      1.1  christos # Summary: Vista Event Log
     48      1.1  christos # Extension: .evtx
     49      1.1  christos # Created by: Andreas Schuster (http://computer.forensikblog.de/)
     50      1.1  christos # Reference (1): http://computer.forensikblog.de/en/2007/05/some_magic.html
     51      1.1  christos 0	string		ElfFile\0	MS Windows Vista Event Log
     52      1.1  christos >0x2a	leshort		x		\b, %d chunks
     53      1.1  christos >>0x10	lelong		x		\b (no. %d in use)
     54      1.1  christos >0x18	lelong		>1		\b, next record no. %d
     55      1.1  christos >0x18	lelong		=1		\b, empty
     56      1.1  christos >0x78	lelong		&1		\b, DIRTY
     57      1.1  christos >0x78	lelong		&2		\b, FULL
     58      1.1  christos 
     59      1.1  christos 
     60      1.1  christos # Summary: Windows 3.1 group files
     61      1.1  christos # Extension: .grp
     62      1.1  christos # Created by: unknown
     63      1.1  christos 0	string		\120\115\103\103	MS Windows 3.1 group files
     64      1.1  christos 
     65      1.1  christos 
     66      1.1  christos # Summary: Old format help files
     67      1.1  christos # Extension: .hlp
     68      1.1  christos # Created by: Dirk Jagdmann <doj (a] cubic.org>
     69      1.1  christos 0	lelong		0x00035f3f		MS Windows 3.x help file
     70      1.1  christos 
     71      1.1  christos 
     72      1.1  christos # Summary: Hyper terminal
     73      1.1  christos # Extension: .ht
     74      1.1  christos # Created by: unknown
     75      1.1  christos 0	string		HyperTerminal\ 
     76      1.1  christos >15	string		1.0\ --\ HyperTerminal\ data\ file	MS Windows HyperTerminal profile
     77      1.1  christos 
     78  1.1.1.3  christos # http://ithreats.files.wordpress.com/2009/05/\
     79  1.1.1.3  christos # lnk_the_windows_shortcut_file_format.pdf
     80      1.1  christos # Summary: Windows shortcut
     81      1.1  christos # Extension: .lnk
     82      1.1  christos # Created by: unknown
     83  1.1.1.3  christos # 'L' + GUID
     84      1.1  christos 0	string		\114\0\0\0\001\024\002\0\0\0\0\0\300\0\0\0\0\0\0\106	MS Windows shortcut
     85  1.1.1.3  christos >20	lelong&1	1	\b, Item id list present
     86  1.1.1.3  christos >20	lelong&2	2	\b, Points to a file or directory
     87  1.1.1.3  christos >20	lelong&4	4	\b, Has Description string
     88  1.1.1.3  christos >20	lelong&8	8	\b, Has Relative path
     89  1.1.1.3  christos >20	lelong&16	16	\b, Has Working directory
     90  1.1.1.3  christos >20	lelong&32	32	\b, Has command line arguments
     91  1.1.1.3  christos >20	lelong&64	64	\b, Icon
     92  1.1.1.3  christos >>56	lelong			\b number=%d
     93  1.1.1.3  christos >24	lelong&1	1	\b, Read-Only
     94  1.1.1.3  christos >24	lelong&2	2	\b, Hidden
     95  1.1.1.3  christos >24	lelong&4	4	\b, System
     96  1.1.1.3  christos >24	lelong&8	8	\b, Volume Label
     97  1.1.1.3  christos >24	lelong&16	16	\b, Directory
     98  1.1.1.3  christos >24	lelong&32	32	\b, Archive
     99  1.1.1.3  christos >24	lelong&64	64	\b, Encrypted
    100  1.1.1.3  christos >24	lelong&128	128	\b, Normal
    101  1.1.1.3  christos >24	lelong&256	256	\b, Temporary
    102  1.1.1.3  christos >24	lelong&512	512	\b, Sparse
    103  1.1.1.3  christos >24	lelong&1024	1024	\b, Reparse point
    104  1.1.1.3  christos >24	lelong&2048	2048	\b, Compressed
    105  1.1.1.3  christos >24	lelong&4096	4096	\b, Offline
    106  1.1.1.3  christos >28	leqwdate	x	\b, ctime=%s
    107  1.1.1.3  christos >36	leqwdate	x	\b, mtime=%s
    108  1.1.1.3  christos >44	leqwdate	x	\b, atime=%s
    109  1.1.1.3  christos >52	lelong		x	\b, length=%u, window=
    110  1.1.1.3  christos >60	lelong&1	1	\bhide
    111  1.1.1.3  christos >60	lelong&2	2	\bnormal
    112  1.1.1.3  christos >60	lelong&4	4	\bshowminimized
    113  1.1.1.3  christos >60	lelong&8	8	\bshowmaximized
    114  1.1.1.3  christos >60	lelong&16	16	\bshownoactivate
    115  1.1.1.3  christos >60	lelong&32	32	\bminimize
    116  1.1.1.3  christos >60	lelong&64	64	\bshowminnoactive
    117  1.1.1.3  christos >60	lelong&128	128	\bshowna
    118  1.1.1.3  christos >60	lelong&256	256	\brestore
    119  1.1.1.3  christos >60	lelong&512	512	\bshowdefault
    120  1.1.1.3  christos #>20	lelong&1	0
    121  1.1.1.3  christos #>>20	lelong&2	2
    122  1.1.1.3  christos #>>>(72.l-64)	pstring/h	x	\b [%s]
    123  1.1.1.3  christos #>20	lelong&1	1
    124  1.1.1.3  christos #>>20	lelong&2	2
    125  1.1.1.3  christos #>>>(72.s)	leshort	x
    126  1.1.1.3  christos #>>>&75	pstring/h	x	\b [%s]
    127      1.1  christos 
    128      1.1  christos # Summary: Outlook Personal Folders
    129      1.1  christos # Created by: unknown
    130      1.1  christos 0	lelong		0x4E444221	Microsoft Outlook email folder
    131      1.1  christos >10	leshort		0x0e		(<=2002)
    132      1.1  christos >10	leshort		0x17		(>=2003)
    133      1.1  christos 
    134      1.1  christos 
    135      1.1  christos # Summary: Windows help cache
    136      1.1  christos # Created by: unknown
    137      1.1  christos 0	string		\164\146\115\122\012\000\000\000\001\000\000\000	MS Windows help cache
    138      1.1  christos 
    139      1.1  christos 
    140      1.1  christos # Summary: IE cache file
    141      1.1  christos # Created by: Christophe Monniez
    142      1.1  christos 0	string	Client\ UrlCache\ MMF 	Internet Explorer cache file
    143      1.1  christos >20	string	>\0			version %s
    144      1.1  christos 
    145      1.1  christos 
    146      1.1  christos # Summary: Registry files
    147      1.1  christos # Created by: unknown
    148      1.1  christos # Modified by (1): Joerg Jenderek
    149      1.1  christos 0	string		regf		MS Windows registry file, NT/2000 or above
    150      1.1  christos 0	string		CREG		MS Windows 95/98/ME registry file
    151      1.1  christos 0	string		SHCC3		MS Windows 3.1 registry file
    152      1.1  christos 
    153      1.1  christos 
    154      1.1  christos # Summary: Windows Registry text
    155      1.1  christos # Extension: .reg
    156      1.1  christos # Submitted by: Abel Cheung <abelcheung (a] gmail.com>
    157      1.1  christos 0	string		REGEDIT4\r\n\r\n	Windows Registry text (Win95 or above)
    158      1.1  christos 0	string		Windows\ Registry\ Editor\ 
    159      1.1  christos >&0	string		Version\ 5.00\r\n\r\n	Windows Registry text (Win2K or above)
    160      1.1  christos 
    161      1.1  christos 
    162      1.1  christos # From: Pal Tamas <folti (a] balabit.hu>
    163      1.1  christos # Autorun File
    164      1.1  christos 0       string/c          [autorun]\r\n   Microsoft Windows Autorun file.
    165      1.1  christos !:mime	application/x-setupscript. 
    166