      1 
      2 #------------------------------------------------------------------------------
      3 # $File: windows,v 1.5 2012/04/03 22:25:07 christos Exp $
      4 # windows:  file(1) magic for Microsoft Windows
      5 #
      6 # This file is mainly reserved for files whose programs
      7 # almost always run on MS Windows 3.x or above, or for
      8 # files used exclusively on Windows, where no better
      9 # category exists to put them in.
     10 # For example, even though WinZIP runs almost exclusively
     11 # on Windows, its files are better treated as "archive" instead.
     12 # For formats also usable in DOS, such as the generic
     13 # executable format, please specify them in the "msdos" file.
     14 #
     15 
     16 
     17 # Summary: Outlook Express DBX file
     18 # Extension: .dbx
     19 # Created by: Christophe Monniez
     20 0	string	\xCF\xAD\x12\xFE	MS Outlook Express DBX file
     21 >4	byte	=0xC5			\b, message database
     22 >4	byte	=0xC6			\b, folder database
     23 >4	byte	=0xC7			\b, account information
     24 >4	byte	=0x30			\b, offline database
     25 
     26 
     27 # Summary: Windows crash dump
     28 # Extension: .dmp
     29 # Created by: Andreas Schuster (http://computer.forensikblog.de/)
     30 # Reference (1): http://computer.forensikblog.de/en/2008/02/64bit_magic.html
     31 # Modified by (1): Abel Cheung (avoid matching on the first 4 bytes only)
     32 0	string		PAGE		
     33 >4	string		DUMP		MS Windows 32bit crash dump
     34 >>0x05c	byte            0		\b, no PAE
     35 >>0x05c	byte            1		\b, PAE
     36 >>0xf88	lelong		1		\b, full dump
     37 >>0xf88	lelong		2		\b, kernel dump
     38 >>0xf88	lelong		3		\b, small dump
     39 >>0x068	lelong		x		\b, %ld pages
     40 >4	string		DU64		MS Windows 64bit crash dump
     41 >>0xf98	lelong		1		\b, full dump
     42 >>0xf98	lelong		2		\b, kernel dump
     43 >>0xf98	lelong		3		\b, small dump
     44 >>0x090	lequad		x		\b, %lld pages
     45 
     46 
     47 # Summary: Vista Event Log
     48 # Extension: .evtx
     49 # Created by: Andreas Schuster (http://computer.forensikblog.de/)
     50 # Reference (1): http://computer.forensikblog.de/en/2007/05/some_magic.html
     51 0	string		ElfFile\0	MS Windows Vista Event Log
     52 >0x2a	leshort		x		\b, %d chunks
     53 >>0x10	lelong		x		\b (no. %d in use)
     54 >0x18	lelong		>1		\b, next record no. %d
     55 >0x18	lelong		=1		\b, empty
     56 >0x78	lelong		&1		\b, DIRTY
     57 >0x78	lelong		&2		\b, FULL
     58 
     59 
     60 # Summary: Windows 3.1 group files
     61 # Extension: .grp
     62 # Created by: unknown
     63 0	string		\120\115\103\103	MS Windows 3.1 group files
     64 
     65 
     66 # Summary: Old format help files
     67 # Extension: .hlp
     68 # Created by: Dirk Jagdmann <doj (a] cubic.org>
     69 0	lelong		0x00035f3f		MS Windows 3.x help file
     70 
     71 
     72 # Summary: Hyper terminal
     73 # Extension: .ht
     74 # Created by: unknown
     75 0	string		HyperTerminal\ 
     76 >15	string		1.0\ --\ HyperTerminal\ data\ file	MS Windows HyperTerminal profile
     77 
     78 # http://ithreats.files.wordpress.com/2009/05/\
     79 # lnk_the_windows_shortcut_file_format.pdf
     80 # Summary: Windows shortcut
     81 # Extension: .lnk
     82 # Created by: unknown
     83 # 'L' + shell link GUID
     84 0	string		\114\0\0\0\001\024\002\0\0\0\0\0\300\0\0\0\0\0\0\106	MS Windows shortcut
     85 >20	lelong&1	1	\b, Item id list present
     86 >20	lelong&2	2	\b, Points to a file or directory
     87 >20	lelong&4	4	\b, Has Description string
     88 >20	lelong&8	8	\b, Has Relative path
     89 >20	lelong&16	16	\b, Has Working directory
     90 >20	lelong&32	32	\b, Has command line arguments
     91 >20	lelong&64	64	\b, Icon
     92 >>56	lelong			\b number=%d
     93 >24	lelong&1	1	\b, Read-Only
     94 >24	lelong&2	2	\b, Hidden
     95 >24	lelong&4	4	\b, System
     96 >24	lelong&8	8	\b, Volume Label
     97 >24	lelong&16	16	\b, Directory
     98 >24	lelong&32	32	\b, Archive
     99 >24	lelong&64	64	\b, Encrypted
    100 >24	lelong&128	128	\b, Normal
    101 >24	lelong&256	256	\b, Temporary
    102 >24	lelong&512	512	\b, Sparse
    103 >24	lelong&1024	1024	\b, Reparse point
    104 >24	lelong&2048	2048	\b, Compressed
    105 >24	lelong&4096	4096	\b, Offline
    106 >28	leqwdate	x	\b, ctime=%s
    107 >36	leqwdate	x	\b, mtime=%s
    108 >44	leqwdate	x	\b, atime=%s
    109 >52	lelong		x	\b, length=%u, window=
    110 >60	lelong&1	1	\bhide
    111 >60	lelong&2	2	\bnormal
    112 >60	lelong&4	4	\bshowminimized
    113 >60	lelong&8	8	\bshowmaximized
    114 >60	lelong&16	16	\bshownoactivate
    115 >60	lelong&32	32	\bminimize
    116 >60	lelong&64	64	\bshowminnoactive
    117 >60	lelong&128	128	\bshowna
    118 >60	lelong&256	256	\brestore
    119 >60	lelong&512	512	\bshowdefault
    120 #>20	lelong&1	0
    121 #>>20	lelong&2	2
    122 #>>>(72.l-64)	pstring/h	x	\b [%s]
    123 #>20	lelong&1	1
    124 #>>20	lelong&2	2
    125 #>>>(72.s)	leshort	x
    126 #>>>&75	pstring/h	x	\b [%s]
    127 
    128 # Summary: Outlook Personal Folders
    129 # Created by: unknown
    130 0	lelong		0x4E444221	Microsoft Outlook email folder
    131 >10	leshort		0x0e		(<=2002)
    132 >10	leshort		0x17		(>=2003)
    133 
    134 
    135 # Summary: Windows help cache
    136 # Created by: unknown
    137 0	string		\164\146\115\122\012\000\000\000\001\000\000\000	MS Windows help cache
    138 
    139 
    140 # Summary: IE cache file
    141 # Created by: Christophe Monniez
    142 0	string	Client\ UrlCache\ MMF 	Internet Explorer cache file
    143 >20	string	>\0			version %s
    144 
    145 
    146 # Summary: Registry files
    147 # Created by: unknown
    148 # Modified by (1): Joerg Jenderek
    149 0	string		regf		MS Windows registry file, NT/2000 or above
    150 0	string		CREG		MS Windows 95/98/ME registry file
    151 0	string		SHCC3		MS Windows 3.1 registry file
    152 
    153 
    154 # Summary: Windows Registry text
    155 # Extension: .reg
    156 # Submitted by: Abel Cheung <abelcheung (a] gmail.com>
    157 0	string		REGEDIT4\r\n\r\n	Windows Registry text (Win95 or above)
    158 0	string		Windows\ Registry\ Editor\ 
    159 >&0	string		Version\ 5.00\r\n\r\n	Windows Registry text (Win2K or above)
    160 
    161 
    162 # From: Pal Tamas <folti (a] balabit.hu>
    163 # Autorun File
    164 0       string/c          [autorun]\r\n   Microsoft Windows Autorun file.
    165 !:mime	application/x-setupscript
    166