windows revision 1.1.1.6.2.1
      1 
      2 #------------------------------------------------------------------------------
      3 # $File: windows,v 1.14 2015/12/15 01:06:17 christos Exp $
      4 # windows:  file(1) magic for Microsoft Windows
      5 #
      6 # This file is mainly reserved for files where the programs
      7 # using them almost always run on MS Windows 3.x or
      8 # above, or for files used exclusively on Windows,
      9 # where there is no better category to allocate them to.
     10 # For example, even though WinZIP almost always runs on Windows
     11 # only, it is better to treat its files as "archive" instead.
     12 # For formats usable in DOS, such as the generic executable
     13 # format, please specify them in the "msdos" file.
     14 #
     15 
     16 
     17 # Summary: Outlook Express DBX file
     18 # Extension: .dbx
     19 # Created by: Christophe Monniez
     20 0	string	\xCF\xAD\x12\xFE	MS Outlook Express DBX file
     21 >4	byte	=0xC5			\b, message database
     22 >4	byte	=0xC6			\b, folder database
     23 >4	byte	=0xC7			\b, account information
     24 >4	byte	=0x30			\b, offline database
     25 
     26 
     27 # Summary: Windows crash dump
     28 # Extension: .dmp
     29 # Created by: Andreas Schuster (http://computer.forensikblog.de/)
     30 # Reference (1): http://computer.forensikblog.de/en/2008/02/64bit_magic.html
     31 # Modified by (1): Abel Cheung (Avoid match with first 4 bytes only)
     32 0	string		PAGE		
     33 >4	string		DUMP		MS Windows 32bit crash dump
     34 >>0x05c	byte            0		\b, no PAE
     35 >>0x05c	byte            1		\b, PAE
     36 >>0xf88	lelong		1		\b, full dump
     37 >>0xf88	lelong		2		\b, kernel dump
     38 >>0xf88	lelong		3		\b, small dump
     39 >>0x068	lelong		x		\b, %d pages
     40 >4	string		DU64		MS Windows 64bit crash dump
     41 >>0xf98	lelong		1		\b, full dump
     42 >>0xf98	lelong		2		\b, kernel dump
     43 >>0xf98	lelong		3		\b, small dump
     44 >>0x090	lequad		x		\b, %lld pages
     45 
     46 
     47 # Summary: Vista Event Log
     48 # Extension: .evtx
     49 # Created by: Andreas Schuster (http://computer.forensikblog.de/)
     50 # Reference (1): http://computer.forensikblog.de/en/2007/05/some_magic.html
     51 0	string		ElfFile\0	MS Windows Vista Event Log
     52 >0x2a	leshort		x		\b, %d chunks
     53 >>0x10	lelong		x		\b (no. %d in use)
     54 >0x18	lelong		>1		\b, next record no. %d
     55 >0x18	lelong		=1		\b, empty
     56 >0x78	lelong		&1		\b, DIRTY
     57 >0x78	lelong		&2		\b, FULL
     58 
     59 
     60 # Summary: Windows 3.1 group files
     61 # Extension: .grp
     62 # Created by: unknown
     63 0	string		\120\115\103\103	MS Windows 3.1 group files
     64 
     65 
     66 # Summary: Old format help files
     67 # URL: https://en.wikipedia.org/wiki/WinHelp
     68 # Reference: http://www.oocities.org/mwinterhoff/helpfile.htm
     69 # Update: Joerg Jenderek 
     70 # Created by: Dirk Jagdmann <doj (a] cubic.org>
     71 #
     72 # check and then display version and date inside MS Windows HeLP file fragment
     73 0	name				help-ver-date
     74 # look for Magic of SYSTEMHEADER
     75 >0	leshort		0x036C		
     76 # Major version is 1 for the right file fragment
     77 >>4	leshort		1		Windows
     78 # print a non-empty string above to avoid an error message
     79 # Warning: Current entry does not yet have a description for adding a MIME type
     80 !:mime	application/winhelp
     81 !:ext	hlp
     82 # Minor version of the help file format is a hint for the Windows version
     83 >>>2	leshort		0x0F		3.x
     84 >>>2	leshort		0x15		3.0
     85 >>>2	leshort		0x21		3.1
     86 >>>2	leshort		0x27		x.y
     87 >>>2	leshort		0x33		95
     88 >>>2	default		x		y.z
     89 >>>>2	leshort		x		0x%x
     90 # to complete message string like "MS Windows 3.x help file"
     91 >>>2	leshort		x		help
     92 # GenDate often older than file creation date
     93 >>>6	ldate		x		\b, %s
     94 #
     95 # Magic for HeLP files
     96 0	lelong		0x00035f3f		
     97 # ./windows (version 5.25) labeled the entry as "MS Windows 3.x help file"
     98 # file header magic 0x293B at DirectoryStart+9
     99 >(4.l+9)	uleshort	0x293B		MS
    100 # look for @VERSION	bmf.. like IBMAVW.ANN
    101 >>0xD4		string	=\x62\x6D\x66\x01\x00	Windows help annotation
    102 !:mime	application/x-winhelp
    103 !:ext	ann
    104 >>0xD4		string	!\x62\x6D\x66\x01\x00	
    105 # "GID Help index" by TrID
    106 >>>(4.l+0x65)	string	=|Pete			Windows help Global Index
    107 !:mime	application/x-winhelp
    108 !:ext	gid
    109 # HeLP Bookmark or
    110 # "Windows HELP File" by TrID
    111 >>>(4.l+0x65)		string		!|Pete		
    112 # maybe there exists a cleaner way to detect HeLP fragments
    113 # brute-force search for magic 0x036C with matching Major version, at most 7 iterations
    114 # discapp.hlp
    115 >>>>16			search/0x49AF/s	\x6c\x03 	
    116 >>>>>&0			use 		help-ver-date
    117 >>>>>&4			leshort		!1		
    118 # putty.hlp
    119 >>>>>>&0		search/0x69AF/s	\x6c\x03 	
    120 >>>>>>>&0		use 		help-ver-date
    121 >>>>>>>&4		leshort		!1		
    122 >>>>>>>>&0		search/0x49AF/s	\x6c\x03 	
    123 >>>>>>>>>&0		use 		help-ver-date
    124 >>>>>>>>>&4		leshort		!1		
    125 >>>>>>>>>>&0		search/0x49AF/s	\x6c\x03 	
    126 >>>>>>>>>>>&0		use 		help-ver-date
    127 >>>>>>>>>>>&4		leshort		!1		
    128 >>>>>>>>>>>>&0		search/0x49AF/s	\x6c\x03 	
    129 >>>>>>>>>>>>>&0		use 		help-ver-date
    130 >>>>>>>>>>>>>&4		leshort		!1		
    131 >>>>>>>>>>>>>>&0	search/0x49AF/s	\x6c\x03 	
    132 >>>>>>>>>>>>>>>&0	use 		help-ver-date
    133 >>>>>>>>>>>>>>>&4	leshort		!1		
    134 >>>>>>>>>>>>>>>>&0	search/0x49AF/s	\x6c\x03 	
    135 # GCC.HLP is detected after 7 iterations
    136 >>>>>>>>>>>>>>>>>&0	use 		help-ver-date
    137 # this only happens if a bigger hlp file is detected after the search iterations are used up
    138 >>>>>>>>>>>>>>>>>&4	leshort		!1		Windows y.z help
    139 !:mime	application/winhelp
    140 !:ext	hlp
    141 # repeat the search again, otherwise the following default line does not work
    142 >>>>16			search/0x49AF/s	\x6c\x03 	
    143 # remaining files should be HeLP Bookmark WinHlp32.BMK (XP 32-bit) or WinHlp32 (Windows 8.1 64-bit)
    144 >>>>16	default				x	Windows help Bookmark
    145 !:mime	application/x-winhelp
    146 !:ext	/bmk
    147 ## FirstFreeBlock normally FFFFFFFFh 10h for *ANN
    148 ##>>8	lelong			x		\b, FirstFreeBlock 0x%8.8x
    149 # EntireFileSize
    150 >>12	lelong			x		\b, %d bytes
    151 ## ReservedSpace normally 042Fh AFh for *.ANN
    152 #>>(4.l)	lelong		x		\b, ReservedSpace 0x%8.8x
    153 ## UsedSpace normally 0426h A6h for *.ANN
    154 #>>(4.l+4)	lelong		x		\b, UsedSpace 0x%8.8x
    155 ## FileFlags normally 04...
    156 #>>(4.l+5)	lelong		x		\b, FileFlags 0x%8.8x
    157 ## file header magic 0x293B
    158 #>>(4.l+9)	uleshort	x		\b, file header magic 0x%4.4x
    159 ## file header Flags		0x0402
    160 #>>(4.l+11)	uleshort	x		\b, file header Flags 0x%4.4x
    161 ## file header PageSize	0400h 80h for *.ANN
    162 #>>(4.l+13)	uleshort	x		\b, PageSize 0x%4.4x
    163 ## Structure[16]		z4
    164 #>>(4.l+15)	string		>\0		\b, Structure_"%-.16s"
    165 ## MustBeZero			0
    166 #>>(4.l+31)	uleshort	x		\b, MustBeZero 0x%4.4x
    167 ## PageSplits
    168 #>>(4.l+33)	uleshort	x		\b, PageSplits 0x%4.4x
    169 ## RootPage
    170 #>>(4.l+35)	uleshort	x		\b, RootPage 0x%4.4x
    171 ## MustBeNegOne			0xffff
    172 #>>(4.l+37)	uleshort	x		\b, MustBeNegOne 0x%4.4x
    173 ## TotalPages			1
    174 #>>(4.l+39)	uleshort	x		\b, TotalPages 0x%4.4x
    175 ## NLevels			0x0001
    176 #>>(4.l+41)	uleshort	x		\b, NLevels 0x%4.4x
    177 ## TotalBtreeEntries
    178 #>>(4.l+43)	ulelong		x		\b, TotalBtreeEntries 0x%8.8x
    179 ## pages of the B+ tree
    180 #>>(4.l+47)	ubequad		x		\b, PageStart 0x%16.16llx
    181 
    182 # starts with a colon or semicolon for a comment line, like Back2Life.cnt
    183 0		regex		\^(:|;)		
    184 # look for first keyword Base
    185 >0		search/45	:Base 		
    186 >>&0				use 		cnt-name
    187 # the only solution is to search again from the beginning, because relative offsets change when use is called
    188 >0		search/45	:Base 		
    189 >0		default		x		
    190 # look for other keyword Title like in putty.cnt
    191 >>0		search/45	:Title 		
    192 >>>&0				use 		cnt-name
    193 #
    194 # display mime type and name of Windows help Content source
    195 0	name				cnt-name
    196 # skip space at beginning
    197 >0     string		\ 		
    198 # name without extension and greater character or name with hlp extension
    199 >>1	regex/c		\^([^\xd>]*|.*\.hlp)	MS Windows help file Content, based "%s"
    200 !:mime	text/plain
    201 !:apple	????TEXT
    202 !:ext	cnt
    203 #
    204 # Windows creates a full text search index from the hlp file if the user clicks the "Find" tab and enables keyword indexing
    205 0	string		tfMR			MS Windows help Full Text Search index
    206 !:mime application/x-winhelp-fts
    207 !:ext	fts
    208 >16	string		>\0			for "%s"
    209 
    210 # Summary: Hyper terminal
    211 # Extension: .ht
    212 # Created by: unknown
    213 0	string		HyperTerminal\ 
    214 >15	string		1.0\ --\ HyperTerminal\ data\ file	MS Windows HyperTerminal profile
    215 
    216 # http://ithreats.files.wordpress.com/2009/05/\
    217 # lnk_the_windows_shortcut_file_format.pdf
    218 # Summary: Windows shortcut
    219 # Extension: .lnk
    220 # Created by: unknown
    221 # 'L' + GUUID
    222 0	string		\114\0\0\0\001\024\002\0\0\0\0\0\300\0\0\0\0\0\0\106	MS Windows shortcut
    223 >20	lelong&1	1	\b, Item id list present
    224 >20	lelong&2	2	\b, Points to a file or directory
    225 >20	lelong&4	4	\b, Has Description string
    226 >20	lelong&8	8	\b, Has Relative path
    227 >20	lelong&16	16	\b, Has Working directory
    228 >20	lelong&32	32	\b, Has command line arguments
    229 >20	lelong&64	64	\b, Icon
    230 >>56	lelong		x	\b number=%d
    231 >24	lelong&1	1	\b, Read-Only
    232 >24	lelong&2	2	\b, Hidden
    233 >24	lelong&4	4	\b, System
    234 >24	lelong&8	8	\b, Volume Label
    235 >24	lelong&16	16	\b, Directory
    236 >24	lelong&32	32	\b, Archive
    237 >24	lelong&64	64	\b, Encrypted
    238 >24	lelong&128	128	\b, Normal
    239 >24	lelong&256	256	\b, Temporary
    240 >24	lelong&512	512	\b, Sparse
    241 >24	lelong&1024	1024	\b, Reparse point
    242 >24	lelong&2048	2048	\b, Compressed
    243 >24	lelong&4096	4096	\b, Offline
    244 >28	leqwdate	x	\b, ctime=%s
    245 >36	leqwdate	x	\b, mtime=%s
    246 >44	leqwdate	x	\b, atime=%s
    247 >52	lelong		x	\b, length=%u, window=
    248 >60	lelong&1	1	\bhide
    249 >60	lelong&2	2	\bnormal
    250 >60	lelong&4	4	\bshowminimized
    251 >60	lelong&8	8	\bshowmaximized
    252 >60	lelong&16	16	\bshownoactivate
    253 >60	lelong&32	32	\bminimize
    254 >60	lelong&64	64	\bshowminnoactive
    255 >60	lelong&128	128	\bshowna
    256 >60	lelong&256	256	\brestore
    257 >60	lelong&512	512	\bshowdefault
    258 #>20	lelong&1	0
    259 #>>20	lelong&2	2
    260 #>>>(72.l-64)	pstring/h	x	\b [%s]
    261 #>20	lelong&1	1
    262 #>>20	lelong&2	2
    263 #>>>(72.s)	leshort	x
    264 #>>>&75	pstring/h	x	\b [%s]
    265 
    266 # Summary: Outlook Personal Folders
    267 # Created by: unknown
    268 0	lelong		0x4E444221	Microsoft Outlook email folder
    269 >10	leshort		0x0e		(<=2002)
    270 >10	leshort		0x17		(>=2003)
    271 
    272 
    273 # Summary: Windows help cache
    274 # Created by: unknown
    275 0	string		\164\146\115\122\012\000\000\000\001\000\000\000	MS Windows help cache
    276 
    277 
    278 # Summary: IE cache file
    279 # Created by: Christophe Monniez
    280 0	string	Client\ UrlCache\ MMF 	Internet Explorer cache file
    281 >20	string	>\0			version %s
    282 
    283 
    284 # Summary: Registry files
    285 # Created by: unknown
    286 # Modified by (1): Joerg Jenderek
    287 0	string		regf		MS Windows registry file, NT/2000 or above
    288 0	string		CREG		MS Windows 95/98/ME registry file
    289 0	string		SHCC3		MS Windows 3.1 registry file
    290 
    291 
    292 # Summary: Windows Registry text
    293 # Extension: .reg
    294 # Submitted by: Abel Cheung <abelcheung (a] gmail.com>
    295 0	string		REGEDIT4\r\n\r\n	Windows Registry text (Win95 or above)
    296 0	string		Windows\ Registry\ Editor\ 
    297 >&0	string		Version\ 5.00\r\n\r\n	Windows Registry text (Win2K or above)
    298 
    299 # Windows *.INF *.INI files updated by Joerg Jenderek at Apr 2013
    300 # empty line, comment line, or section line
    301 # PR/383: remove unicode BOM because it is not portable across regex impls
    302 0	regex/s		\\`(\\r\\n|;|[[])
    303 # left bracket in section line
    304 >&0	search/8192	[						
    305 # http://en.wikipedia.org/wiki/Autorun.inf
    306 # http://msdn.microsoft.com/en-us/library/windows/desktop/cc144200.aspx
    307 >>&0	regex/c		\^(autorun)]\r\n				
    308 >>>&0	ubyte		=0x5b						INItialization configuration
    309 !:mime application/x-wine-extension-ini
    310 # From: Pal Tamas <folti (a] balabit.hu>
    311 # Autorun File
    312 >>>&0	ubyte		!0x5b						Microsoft Windows Autorun file
    313 !:mime application/x-setupscript
    314 # http://msdn.microsoft.com/en-us/library/windows/hardware/ff549520(v=vs.85).aspx
    315 # version strings ASCII coded case-independent for Windows setup information script file
    316 >>&0	regex/c		\^(version|strings)]				Windows setup INFormation
    317 !:mime	application/x-setupscript
    318 #!:mime application/inf
    319 #!:mime application/x-wine-extension-inf
    320 >>&0	regex/c		\^(WinsockCRCList|OEMCPL)]			Windows setup INFormation
    321 !:mime	text/inf
    322 # http://www.winfaq.de/faq_html/Content/tip2500/onlinefaq.php?h=tip2653.htm
    323 # http://msdn.microsoft.com/en-us/library/windows/desktop/cc144102.aspx
    324 # .ShellClassInfo DeleteOnCopy LocalizedFileNames ASCII coded case-independent
    325 >>&0	regex/c	\^(\.ShellClassInfo|DeleteOnCopy|LocalizedFileNames)]	Windows desktop.ini
    326 !:mime application/x-wine-extension-ini
    327 #!:mime text/plain
    328 # http://support.microsoft.com/kb/84709/
    329 >>&0	regex/c		\^(don't\ load)]				Windows CONTROL.INI
    330 !:mime application/x-wine-extension-ini
    331 >>&0	regex/c		\^(ndishlp\\$|protman\\$|NETBEUI\\$)]		Windows PROTOCOL.INI
    332 !:mime application/x-wine-extension-ini
    333 # http://technet.microsoft.com/en-us/library/cc722567.aspx
    334 # http://www.winfaq.de/faq_html/Content/tip0000/onlinefaq.php?h=tip0137.htm
    335 >>&0	regex/c		\^(windows|Compatibility|embedding)]		Windows WIN.INI
    336 !:mime application/x-wine-extension-ini
    337 # http://en.wikipedia.org/wiki/SYSTEM.INI
    338 >>&0	regex/c		\^(boot|386enh|drivers)]			Windows SYSTEM.INI
    339 !:mime application/x-wine-extension-ini
    340 # http://www.mdgx.com/newtip6.htm
    341 >>&0	regex/c		\^(SafeList)]					Windows IOS.INI
    342 !:mime application/x-wine-extension-ini
    343 # http://en.wikipedia.org/wiki/NTLDR	Windows Boot Loader information
    344 >>&0	regex/c		\^(boot\x20loader)]				Windows boot.ini
    345 !:mime application/x-wine-extension-ini
    346 >>>&0	ubyte		x						
    347 # http://en.wikipedia.org/wiki/CONFIG.SYS
    348 >>&0	regex/c		\^(menu)]\r\n					MS-DOS CONFIG.SYS
    349 # http://support.microsoft.com/kb/118579/
    350 >>&0	regex/c		\^(Paths)]\r\n					MS-DOS MSDOS.SYS
    351 # VERS string unicoded case-independent
    352 >>&0	ubequad&0xFFdfFFdfFFdfFFdf	0x0056004500520053		
    353 # ION] string unicoded case-independent
    354 >>>&0	ubequad&0xFFdfFFdfFFdfFFff	0x0049004f004e005d		Windows setup INFormation 
    355 !:mime application/x-setupscript
    356 # STRI string unicoded case-independent
    357 >>&0	ubequad&0xFFdfFFdfFFdfFFdf	0x0053005400520049		
    358 # NGS] string unicoded case-independent
    359 >>>&0	ubequad&0xFFdfFFdfFFdfFFff	0x004e00470053005D		Windows setup INFormation 
    360 !:mime application/x-setupscript
    361 # unknown keyword after opening bracket
    362 >>&0	default				x				
    363 >>>&0	search/8192			[				
    364 # version Strings FileIdentification
    365 >>>>&0	string/c			version				Windows setup INFormation 
    366 !:mime application/x-setupscript
    367 # VERS string unicoded case-independent
    368 >>>>&0	ubequad&0xFFdfFFdfFFdfFFdf	0x0056004500520053		
    369 # ION] string unicoded case-independent
    370 >>>>>&0	ubequad&0xFFdfFFdfFFdfFFff	0x0049004f004e005d		Windows setup INFormation 
    371 !:mime application/x-setupscript
    372 # http://en.wikipedia.org/wiki/Initialization_file	Windows Initialization File or other
    373 #>>>>&0	default				x				Generic INItialization configuration
    374 #!:mime application/x-wine-extension-ini
    375 
    376 # Windows Precompiled INF files *.PNF added by Joerg Jenderek at Mar 2013 of _PNF_HEADER inf.h
    377 # http://read.pudn.com/downloads3/sourcecode/windows/248345/win2k/private/windows/setup/setupapi/inf.h__.htm
    378 # GRR: line below is too general, as it also catches PDP-11 UNIX/RT ldp
    379 0		leshort&0xFeFe	0x0000		
    380 !:strength -5
    381 # test for unused null bits in PNF_FLAGs
    382 >4	ulelong&0xFCffFe00	0x00000000	
    383 # only found 58h for Offset of WinDirPath, immediately after the _PNF_HEADER structure
    384 >>68		ulelong		>0x57		
    385 # test for zero high byte of InfValueBlockSize, followed by WinDirPath like
    386 # C:\WINDOWS (ASCII 0x433a5c.. , unicode 0x43003a005c..) or X:\MININT
    387 >>>(68.l-1)	ubelong&0xffE0C519	=0x00400018	Windows Precompiled iNF
    388 !:mime	application/x-pnf
    389 # currently only found Major Version=1 and Minor Version=1
    390 #>>>>0		uleshort	=0x0101		
    391 #>>>>>1		ubyte		x		\b, version %u
    392 #>>>>>0		ubyte		x		\b.%u
    393 >>>>0		uleshort	!0x0101		
    394 >>>>>1		ubyte		x		\b, version %u
    395 >>>>>0		ubyte		x		\b.%u
    396 # 1 ,2 (windows 98 SE)
    397 #>>>>2		uleshort	=2		\b, InfStyle %u
    398 >>>>2		uleshort	!2		\b, InfStyle %u
    399 #	PNF_FLAG_IS_UNICODE		0x00000001
    400 #	PNF_FLAG_HAS_STRINGS		0x00000002
    401 #	PNF_FLAG_SRCPATH_IS_URL		0x00000004
    402 #	PNF_FLAG_HAS_VOLATILE_DIRIDS	0x00000008
    403 #	PNF_FLAG_INF_VERIFIED		0x00000010
    404 #	PNF_FLAG_INF_DIGITALLY_SIGNED	0x00000020
    405 #	??				0x00000100
    406 #	??				0x01000000
    407 #	??				0x02000000
    408 >>>>4	ulelong&0x00000001	0x00000001	\b, unicoded
    409 >>>>4	ulelong&0x00000020	0x00000020	\b, digitally signed
    410 #>>>>8		ulelong		x		\b, InfSubstValueListOffset 0x%x
    411 # many 0, 1 lmouusb.PNF, 2 linkfx10.PNF , f webfdr16.PNF
    412 #>>>>12		uleshort	x		\b, InfSubstValueCount 0x%x
    413 # only < 9 found
    414 #>>>>14		uleshort	x		\b, InfVersionDatumCount 0x%x
    415 # only found values lower than 0x0000ffff
    416 #>>>>16		ulelong		x		\b, InfVersionDataSize 0x%x
    417 # only found positive values lower than 0x00ffFFff for InfVersionDataOffset
    418 >>>>20		ulelong		x		\b, at 0x%x
    419 >>>>4	ulelong&0x00000001	=0x00000001	
    420 # case independent: CatalogFile Class DriverVer layoutfile LayoutFile SetupClass signature Signature    
    421 >>>>>(20.l)	lestring16	x		"%s"
    422 >>>>4	ulelong&0x00000001	!0x00000001	
    423 >>>>>(20.l)	string		x		"%s"
    424 # FILETIME is number of 100-nanosecond intervals since 1 January 1601
    425 #>>>>24		ulequad		x		\b, InfVersionLastWriteTime %16.16llx
    426 # only found values lower than 0x00ffFFff
    427 #>>>>32		ulelong		x		\b, StringTableBlockOffset 0x%x
    428 #>>>>36		ulelong		x		\b, StringTableBlockSize 0x%x
    429 #>>>>40		ulelong		x		\b, InfSectionCount 0x%x
    430 #>>>>44		ulelong		x		\b, InfSectionBlockOffset 0x%x
    431 #>>>>48		ulelong		x		\b, InfSectionBlockSize 0x%x
    432 #>>>>52		ulelong		x		\b, InfLineBlockOffset 0x%x
    433 #>>>>56		ulelong		x		\b, InfLineBlockSize 0x%x
    434 #>>>>60		ulelong		x		\b, InfValueBlockOffset 0x%x
    435 #>>>>64		ulelong		x		\b, InfValueBlockSize 0x%x
    436 # WinDirPathOffset
    437 #>>>>68		ulelong		x		\b, at 0x%x
    438 >>>>68		ulelong		>0x57		
    439 >>>>>4	ulelong&0x00000001	=0x00000001	
    440 >>>>>>(68.l)	ubequad		=0x43003a005c005700			
    441 # normally unicoded C:\Windows
    442 #>>>>>>>(68.l)	lestring16	x		\b, WinDirPath "%s"
    443 >>>>>>(68.l)	ubequad		!0x43003a005c005700			
    444 >>>>>>>(68.l)	lestring16	x		\b, WinDirPath "%s"
    445 >>>>>4	ulelong&0x00000001	!0x00000001	
    446 # normally ASCII C:\WINDOWS
    447 #>>>>>>(68.l)	string		=C:\\WINDOWS	\b, WinDirPath "%s"
    448 >>>>>>(68.l)	string		!C:\\WINDOWS	\b, WinDirPath "%s"
    449 # found OsLoaderPathOffset values often 0, once 70h (corelist.PNF), once 68h (ASCII machine.PNF)
    450 #>>>>72		ulelong		>0		\b, at 0x%x
    451 >>>>72		ulelong		>0		\b,
    452 >>>>>4	ulelong&0x00000001	=0x00000001	
    453 >>>>>>(72.l)	lestring16	x		OsLoaderPath "%s"
    454 >>>>>4	ulelong&0x00000001	!0x00000001	
    455 # seldom C:\ instead of empty
    456 >>>>>>(72.l)	string		x		OsLoaderPath "%s"
    457 # 1fdh
    458 #>>>>76		uleshort	x		\b, StringTableHashBucketCount 0x%x
    459 >>>>78		uleshort	!0x407		\b, LanguageId %x
    460 # only 407h found
    461 #>>>>78		uleshort	=0x407		\b, LanguageId %x
    462 # InfSourcePathOffset often 0
    463 #>>>>80		ulelong		>0		\b, at 0x%x
    464 >>>>80		ulelong		>0		\b,
    465 >>>>>4	ulelong&0x00000001	=0x00000001	
    466 >>>>>>(80.l)	lestring16	x		SourcePath "%s"
    467 >>>>>4	ulelong&0x00000001	!0x00000001	
    468 >>>>>>(80.l)	string		>\0		SourcePath "%s"
    469 # OriginalInfNameOffset often 0
    470 #>>>>84		ulelong		>0		\b, at 0x%x
    471 >>>>84		ulelong		>0		\b,
    472 >>>>>4	ulelong&0x00000001	=0x00000001	
    473 >>>>>>(84.l)	lestring16	x		InfName "%s"
    474 >>>>>4	ulelong&0x00000001	!0x00000001	
    475 >>>>>>(84.l)	string		>\0		InfName "%s"
    476 
    477 # Summary: backup file created with utility like NTBACKUP.EXE shipped with Windows NT/2K/XP/2003
    478 # Extension: .bkf
    479 # Created by: Joerg Jenderek
    480 # URL: http://en.wikipedia.org/wiki/NTBackup
    481 # Reference: http://laytongraphics.com/mtf/MTF_100a.PDF
    482 # Descriptor BloCK name of Microsoft Tape Format
    483 0	string			TAPE		
    484 # Format Logical Address is zero
    485 >20	ulequad			0		
    486 # Reserved for MBC is zero
    487 >>28	uleshort		0		
    488 # Control Block ID is zero
    489 >>>36	ulelong			0		
    490 # BIT4-BIT15, BIT18-BIT31 of block attributes are unused
    491 >>>>4	ulelong&0xFFfcFFe0	0		Windows NTbackup archive
    492 #!:mime application/x-ntbackup
    493 !:ext bkf
    494 # OS ID
    495 >>>>>10	ubyte			1		\b NetWare
    496 >>>>>10	ubyte			13		\b NetWare SMS
    497 >>>>>10	ubyte			14		\b NT
    498 >>>>>10	ubyte			24		\b 3
    499 >>>>>10	ubyte			25		\b OS/2
    500 >>>>>10	ubyte			26		\b 95
    501 >>>>>10	ubyte			27		\b Macintosh
    502 >>>>>10	ubyte			28		\b UNIX
    503 # OS Version (2)
    504 #>>>>>11	ubyte			x		OS V=%x
    505 # MTF_CONTINUATION	Media Sequence Number > 1
    506 #>>>>>4	ulelong&0x00000001	!0		\b, continued
    507 # MTF_COMPRESSION
    508 >>>>>4	ulelong&0x00000004	!0		\b, compressed
    509 # MTF_EOS_AT_EOM	End Of Medium was hit during end of set processing
    510 >>>>>4	ulelong&0x00000008	!0		\b, End Of Medium hit
    511 >>>>>4	ulelong&0x00020000	0		
    512 # MTF_SET_MAP_EXISTS	A Media Based Catalog Set Map may exist on tape
    513 >>>>>>4	ulelong&0x00010000	!0		\b, with catalog
    514 # MTF_FDD_ALLOWED	However File/Directory Detail can only exist if a Set Map is also present
    515 >>>>>4	ulelong&0x00020000	!0		\b, with file catalog
    516 # Offset To First Event 238h,240h,28Ch
    517 #>>>>>8	uleshort		x		\b, event offset %4.4x
    518 # Displayable Size (20e0230h 20e024ch 20e0224h)
    519 #>>>>>8	ulequad			x		dis. size %16.16llx
    520 # Media Family ID (455288C4h 4570BD1Ah 45708F2Fh 4570BBF5h)
    521 #>>>>>52	ulelong			x		family ID %8.8x
    522 # TAPE Attributes (3)
    523 #>>>>>56	ulelong			x		TAPE %8.8x
    524 # Media Sequence Number
    525 >>>>>60	uleshort		>1		\b, sequence %u
    526 # Password Encryption Algorithm (3)
    527 >>>>>62	uleshort		>0		\b, 0x%x encrypted
    528 # Soft Filemark Block Size * 512 (2)
    529 #>>>>>64	uleshort		=2		\b, soft size %u*512
    530 >>>>>64	uleshort		!2		\b, soft size %u*512
    531 # Media Based Catalog Type (1,2)
    532 #>>>>>66	uleshort		x		\b, catalog type %4.4x
    533 # size of Media Name (66,68,6Eh)
    534 >>>>>68	uleshort		>0		
    535 # offset of Media Name (5Eh)
    536 >>>>>>70	uleshort	>0		
    537 # 0~, 1~ANSI, 2~UNICODE
    538 >>>>>>>48	ubyte		1		
    539 # size terminated ansi coded string normally followed by "MTF Media Label"
    540 >>>>>>>>(70.s)	string		>\0		\b, name: %s
    541 >>>>>>>48	ubyte		2		
    542 # Not null, but size terminated unicoded string
    543 >>>>>>>>(70.s)	lestring16	x		\b, name: %s
    544 # size of Media Label (104h)
    545 >>>>>72	uleshort		>0		
    546 # offset of Media Label (C4h,C6h,CCh)
    547 >>>>>74		uleshort	>0		
    548 >>>>>>48	ubyte		1		
    549 #Tag|Version|Vendor|Vendor ID|Creation Time Stamp|Cartridge Label|Side|Media ID|Media Domain ID|Vendor Specific fields
    550 >>>>>>>(74.s)	string		>\0		\b, label: %s
    551 >>>>>>48	ubyte		2		
    552 >>>>>>>(74.s)	lestring16	x		\b, label: %s
    553 # size of password name (0,1Ch)
    554 #>>>>>76	uleshort		>0		\b, password size %4.4x
    555 # Software Vendor ID (CBEh)
    556 >>>>>86	uleshort		x		\b, software (0x%x)
    557 # size of Software Name (6Eh)
    558 >>>>>80	uleshort		>0		
    559 # offset of Software Name (1C8h,1CAh,1D0h)
    560 >>>>>>82	uleshort	>0		
    561 # 1~ANSI, 2~UNICODE
    562 >>>>>>>48	ubyte		1		
    563 >>>>>>>>(82.s)	string		>\0		\b: %s
    564 >>>>>>>48	ubyte		2		
    565 # size terminated unicode coded string normally followed by "SPAD"
    566 >>>>>>>>(82.s)	lestring16	x		\b: %s
    567 # Format Logical Block Size (512,1024)
    568 #>>>>>84	uleshort		=1024		\b, block size %u
    569 >>>>>84	uleshort		!1024		\b, block size %u
    570 # Media Date of MTF_DATE_TIME type with 5 bytes
    571 #>>>>>>88	ubequad			x		DATE %16.16llx
    572 # MTF Major Version (1)
    573 #>>>>>>93	ubyte		x		\b, MTF version %x
    574 #
    575 
    576