2 #------------------------------------------------------------------------------
3 # $File: windows,v 1.26 2019/05/01 17:55:25 christos Exp $
4 # windows: file(1) magic for Microsoft Windows
5 #
# This file is mainly reserved for files whose consuming programs
# run almost exclusively on MS Windows 3.x or above, or for files
# used only on Windows, where no better category exists.
# For example, even though WinZip runs almost only on Windows,
# its archives are better treated as "archive".
# For formats also usable under DOS, such as the generic executable
# format, please add entries to the "msdos" file instead.
14 #
15
16
# Summary: Outlook Express DBX file
# Extension: .dbx
# Created by: Christophe Monniez
# Only the 4-byte signature at offset 0 is tested; byte 4 selects the
# database kind, and any other value there prints just the bare label.
0 string \xCF\xAD\x12\xFE MS Outlook Express DBX file
>4 byte =0xC5 \b, message database
>4 byte =0xC6 \b, folder database
>4 byte =0xC7 \b, account information
>4 byte =0x30 \b, offline database
25
26
# Summary: Windows crash dump
# Extension: .dmp
# Created by: Andreas Schuster (https://computer.forensikblog.de/)
# Reference (1): https://computer.forensikblog.de/en/2008/02/64bit_magic.html
# Modified by (1): Abel Cheung (Avoid match with first 4 bytes only)
# Note: the full 8-byte signature ("PAGEDUMP" / "PAGEDU64") is required so a
# file that merely begins with "PAGE" is not reported as a crash dump.
# Kernel and full dumps carry raw physical memory (credentials, keys,
# session data) -- treat matched files as sensitive when triaging.
0 string PAGE
>4 string DUMP MS Windows 32bit crash dump
# PaeEnabled byte of the 32-bit dump header
>>0x05c byte 0 \b, no PAE
>>0x05c byte 1 \b, PAE
# DumpType of the 32-bit header; values outside 1..3 (newer dump kinds,
# if present) fall through unlabeled -- TODO verify against current DUMP_HEADER
>>0xf88 lelong 1 \b, full dump
>>0xf88 lelong 2 \b, kernel dump
>>0xf88 lelong 3 \b, small dump
# page count of the physical memory block descriptor
>>0x068 lelong x \b, %d pages
>4 string DU64 MS Windows 64bit crash dump
# DumpType of the 64-bit header (same value meanings as above)
>>0xf98 lelong 1 \b, full dump
>>0xf98 lelong 2 \b, kernel dump
>>0xf98 lelong 3 \b, small dump
# 64-bit page count of the physical memory block descriptor
>>0x090 lequad x \b, %lld pages
45
46
# Summary: Vista Event Log
# Extension: .evtx
# Created by: Andreas Schuster (https://computer.forensikblog.de/)
# Reference (1): https://computer.forensikblog.de/en/2007/05/some_magic.html
# Note: only the file header is inspected; no chunk or record checksum is
# verified, so a match says nothing about the integrity of the records.
0 string ElfFile\0 MS Windows Vista Event Log
# chunk count at 0x2a; current chunk number at 0x10 (lelong reads only the
# low 32 bits of the on-disk counter)
>0x2a leshort x \b, %d chunks
>>0x10 lelong x \b (no. %d in use)
# next record number at 0x18 (low 32 bits); 1 means nothing was ever written
>0x18 lelong >1 \b, next record no. %d
>0x18 lelong =1 \b, empty
# file flags at 0x78. DIRTY: the header was not rewritten at close (unclean
# shutdown) -- presumably records beyond what the header claims may exist in
# the chunks, worth a deeper parse. FULL: the log hit its size limit.
>0x78 lelong &1 \b, DIRTY
>0x78 lelong &2 \b, FULL
58
# Summary: Windows System Deployment Image
# Created by: Joerg Jenderek
# URL: http://en.wikipedia.org/wiki/System_Deployment_Image
# Reference: http://skolk.livejournal.com/1320.html
# Note: header fields are printed as raw 64-bit values; the BLOB table at
# 0x400 is walked for up to three entries and the first two BLOBs are
# re-identified in place via "indirect" (offset and size come from the file).
0 string $SDI
>4 string 0001 System Deployment Image
!:mime application/x-ms-sdi
#!:mime application/octet-stream
# \Boot\boot.sdi
!:ext sdi
# MDBtype: 0~Unspecified 1~RAM 2~ROM
>>8 ulequad !0 \b, MDBtype 0x%llx
# BootCodeOffset
>>16 ulequad !0 \b, BootCodeOffset 0x%llx
# BootCodeSize
>>24 ulequad !0 \b, BootCodeSize 0x%llx
# VendorID
>>32 ulequad !0 \b, VendorID 0x%llx
# DeviceID
>>40 ulequad !0 \b, DeviceID 0x%llx
# DeviceModel
>>48 ulequad !0 \b, DeviceModel 0x%llx
>>>56 ulequad !0 \b%llx
# DeviceRole
>>64 ulequad !0 \b, DeviceRole 0x%llx
# Reserved1; reserved fields and gaps between BLOBs are padded with \0
#>>72 ulequad !0 \b, Reserved1 0x%llx
# RuntimeGUID
>>80 ulequad !0 \b, RuntimeGUID 0x%llx
>>>88 ulequad !0 \b%llx
# RuntimeOEMrev
>>96 ulequad !0 \b, RuntimeOEMrev 0x%llx
# Reserved2
#>>104 ulequad !0 \b, Reserved2 0x%llx
# BLOB alignment value in pages, as specified in sdimgr /pack: 1~4K 2~8K
>>112 ulequad !0 \b, PageAlignment %llu
# Reserved3[48]
#>>120 ulequad !0 \b, Reserved3 0x%llx
# SDI checksum 39h; printed only, not recomputed or verified here
>>0x1f8 ulequad x \b, checksum 0x%llx
# BLOBtype[8] \0-padded: PART, WIM , BOOT, LOAD, DISK
>>0x400 string >\0 \b, type %-3.8s
# 0~non-filesystem 7~NTFS 6~BIGFAT
>>>0x420 ulequad !0 (0x%llx)
# ATTRibutes
>>>0x408 ulequad !0 0x%llx attributes
# Offset
>>>0x410 ulequad x at 0x%llx
# print 1 space after size and then handles NTFS boot sector by ./filesystems
>>>0x418 ulequad >0 %llu bytes
# "indirect" re-runs the whole magic set at the BLOB offset read from 0x410;
# ".l" takes only the low 32 bits of that 64-bit offset
>>>>(0x410.l) indirect x
# 2nd BLOB: WIM
>>0x440 string >\0 \b, type %-3.8s
>>>0x428 ulequad !0 (0x%llx)
# ATTRibutes
>>>0x448 ulequad !0 0x%llx attributes
# Offset
>>>0x450 ulequad x at 0x%llx
>>>0x458 ulequad >0 %llu bytes
# same low-32-bit offset handling as for the first BLOB
>>>>(0x450.l) indirect x
# 3rd BLOB
>>0x480 string >\0 \b, type %-3.8s
121
# Summary: Windows Error Report text files
# URL: https://en.wikipedia.org/wiki/Windows_Error_Reporting
# Reference: https://www.nirsoft.net/utils/app_crash_view.html
# Created by: Joerg Jenderek
# Note: in directories %ProgramData%\Microsoft\Windows\WER\{ReportArchive,ReportQueue}
# %LOCALAPPDATA%\Microsoft\Windows\WER\{ReportArchive,ReportQueue}
# The file is UTF-16LE text with no BOM ("Version=" starts at byte 0);
# "EventType" is expected at byte 22, i.e. after 11 UTF-16 code units
# (presumably the line "Version=1\r\n").
# Reports typically name the faulting application and its modules; check
# content for sensitive paths before sharing outside the incident team.
0 lestring16 Version=
>22 lestring16 EventType Windows Error Report
!:mime text/plain
# Report.wer
!:ext wer
133
# Summary: Windows 3.1 group files
# Extension: .grp
# Created by: unknown
# Signature is the 4 bytes "PMCC" (given here in octal); nothing else is checked
0 string \120\115\103\103 MS Windows 3.1 group files
138
139
# Summary: Old format help files
# URL: https://en.wikipedia.org/wiki/WinHelp
# Reference: https://www.oocities.org/mwinterhoff/helpfile.htm
# Update: Joerg Jenderek
# Created by: Dirk Jagdmann <doj (a] cubic.org>
#
# check and then display version and date inside MS Windows HeLP file fragment
# Named sub-routine, entered with "use help-ver-date" at a candidate position:
# prints nothing unless the SYSTEMHEADER magic and Major version 1 both match,
# so callers can probe several offsets without producing stray output.
0 name help-ver-date
# look for Magic of SYSTEMHEADER
>0 leshort 0x036C
# version Major 1 for right file fragment
>>4 leshort 1 Windows
# print non empty string above to avoid error message
# Warning: Current entry does not yet have a description for adding a MIME type
!:mime application/winhelp
!:ext hlp
# version Minor of help file format is hint for windows version
>>>2 leshort 0x0F 3.x
>>>2 leshort 0x15 3.0
>>>2 leshort 0x21 3.1
>>>2 leshort 0x27 x.y
>>>2 leshort 0x33 95
# unknown Minor: print the raw value rather than guessing a Windows version
>>>2 default x y.z
>>>>2 leshort x 0x%x
# to complete message string like "MS Windows 3.x help file"
>>>2 leshort x help
# GenDate often older than file creation date
>>>6 ldate x \b, %s
168 #
# Magic for HeLP files
# The 4-byte magic is shared by .hlp, .ann, .gid and .bmk; the directory
# header at (DirectoryStart+9) is checked next, then the file kind is
# decided by fixed-offset markers. Plain .hlp is found last by a bounded
# forward search for the SYSTEMHEADER magic (at most 7 nested searches).
0 lelong 0x00035f3f
# ./windows (version 5.25) labeled the entry as "MS Windows 3.x help file"
# file header magic 0x293B at DirectoryStart+9
>(4.l+9) uleshort 0x293B MS
# look for @VERSION bmf.. like IBMAVW.ANN
>>0xD4 string =\x62\x6D\x66\x01\x00 Windows help annotation
!:mime application/x-winhelp
!:ext ann
>>0xD4 string !\x62\x6D\x66\x01\x00
# "GID Help index" by TrID
>>>(4.l+0x65) string =|Pete Windows help Global Index
!:mime application/x-winhelp
!:ext gid
# HeLP Bookmark or
# "Windows HELP File" by TrID
>>>(4.l+0x65) string !|Pete
# there may be a cleaner way to detect HeLP fragments
# brute search for Magic 0x036C with matching Major maximal 7 iterations
# discapp.hlp
>>>>16 search/0x49AF/s \x6c\x03
>>>>>&0 use help-ver-date
# Major != 1 means a false hit on the 2-byte pattern: search again from here
>>>>>&4 leshort !1
# putty.hlp
>>>>>>&0 search/0x69AF/s \x6c\x03
>>>>>>>&0 use help-ver-date
>>>>>>>&4 leshort !1
>>>>>>>>&0 search/0x49AF/s \x6c\x03
>>>>>>>>>&0 use help-ver-date
>>>>>>>>>&4 leshort !1
>>>>>>>>>>&0 search/0x49AF/s \x6c\x03
>>>>>>>>>>>&0 use help-ver-date
>>>>>>>>>>>&4 leshort !1
>>>>>>>>>>>>&0 search/0x49AF/s \x6c\x03
>>>>>>>>>>>>>&0 use help-ver-date
>>>>>>>>>>>>>&4 leshort !1
>>>>>>>>>>>>>>&0 search/0x49AF/s \x6c\x03
>>>>>>>>>>>>>>>&0 use help-ver-date
>>>>>>>>>>>>>>>&4 leshort !1
>>>>>>>>>>>>>>>>&0 search/0x49AF/s \x6c\x03
# GCC.HLP is detected after 7 iterations
>>>>>>>>>>>>>>>>>&0 use help-ver-date
# this only happens if bigger hlp file is detected after used search iterations
# (search budget exhausted): still label it, but without a version
>>>>>>>>>>>>>>>>>&4 leshort !1 Windows y.z help
!:mime application/winhelp
!:ext hlp
# repeat search again or following default line does not work
>>>>16 search/0x49AF/s \x6c\x03
# remaining files should be HeLP Bookmark WinHlp32.BMK (XP 32-bit) or WinHlp32 (Windows 8.1 64-bit)
>>>>16 default x Windows help Bookmark
!:mime application/x-winhelp
!:ext bmk
## FirstFreeBlock normally FFFFFFFFh 10h for *ANN
##>>8 lelong x \b, FirstFreeBlock 0x%8.8x
# EntireFileSize
>>12 lelong x \b, %d bytes
## ReservedSpace normally 042Fh AFh for *.ANN
#>>(4.l) lelong x \b, ReservedSpace 0x%8.8x
## UsedSpace normally 0426h A6h for *.ANN
#>>(4.l+4) lelong x \b, UsedSpace 0x%8.8x
## FileFlags normally 04...
#>>(4.l+5) lelong x \b, FileFlags 0x%8.8x
## file header magic 0x293B
#>>(4.l+9) uleshort x \b, file header magic 0x%4.4x
## file header Flags 0x0402
#>>(4.l+11) uleshort x \b, file header Flags 0x%4.4x
## file header PageSize 0400h 80h for *.ANN
#>>(4.l+13) uleshort x \b, PageSize 0x%4.4x
## Structure[16] z4
#>>(4.l+15) string >\0 \b, Structure_"%-.16s"
## MustBeZero 0
#>>(4.l+31) uleshort x \b, MustBeZero 0x%4.4x
## PageSplits
#>>(4.l+33) uleshort x \b, PageSplits 0x%4.4x
## RootPage
#>>(4.l+35) uleshort x \b, RootPage 0x%4.4x
## MustBeNegOne 0xffff
#>>(4.l+37) uleshort x \b, MustBeNegOne 0x%4.4x
## TotalPages 1
#>>(4.l+39) uleshort x \b, TotalPages 0x%4.4x
## NLevels 0x0001
#>>(4.l+41) uleshort x \b, NLevels 0x%4.4x
## TotalBtreeEntries
#>>(4.l+43) ulelong x \b, TotalBtreeEntries 0x%8.8x
## pages of the B+ tree
#>>(4.l+47) ubequad x \b, PageStart 0x%16.16llx
255
# start with colon or semicolon for comment line like Back2Life.cnt
# Note: a leading ':' or ';' is a weak anchor that many plain text files
# satisfy; the "help file Content" label is only emitted when a ":Base" or
# ":Title" keyword is found within the first 45 bytes.
0 regex \^(:|;)
# look for first keyword Base
>0 search/45 :Base
>>&0 use cnt-name
# only solution to search again from beginning , because relative offsets changes when use is called
>0 search/45 :Base
>0 default x
# look for other keyword Title like in putty.cnt
>>0 search/45 :Title
>>>&0 use cnt-name
#
# display mime type and name of Windows help Content source
# Named sub-routine; expects to be positioned right after ":Base"/":Title"
0 name cnt-name
# skip space at beginning
>0 string \040
# name without extension and greater character or name with hlp extension
# (the regex is case-insensitive and stops at CR or '>')
>>1 regex/c \^([^\xd>]*|.*\.hlp) MS Windows help file Content, based "%s"
!:mime text/plain
!:apple ????TEXT
!:ext cnt
#
# Windows creates a full-text search index from an hlp file if the user clicks the "Find" tab and enables keyword indexing
0 string tfMR MS Windows help Full Text Search index
!:mime application/x-winhelp-fts
!:ext fts
# NUL-terminated name of the indexed help file follows at offset 16
>16 string >\0 for "%s"
283
# Summary: Hyper terminal
# Extension: .ht
# Created by: unknown
# Both the "HyperTerminal " prefix and the fixed descriptor text at
# offset 15 must match; no version other than 1.0 is recognised.
0 string HyperTerminal\040
>15 string 1.0\ --\ HyperTerminal\ data\ file MS Windows HyperTerminal profile
289
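# https://ithreats.files.wordpress.com/2009/05/\040
# lnk_the_windows_shortcut_file_format.pdf
# Authoritative layout: [MS-SHLLINK] ShellLinkHeader = HeaderSize, LinkCLSID,
# LinkFlags, FileAttributes, CreationTime, AccessTime, WriteTime, FileSize,
# IconIndex, ShowCommand, HotKey, Reserved1..3. The older PDF above lists
# the times and the 0x40 attribute bit differently; the spec order is used here.
# Summary: Windows shortcut
# Extension: .lnk
# Created by: unknown
# Note: .lnk files are a common phishing / initial-access carrier. The
# LinkFlags "Has command line arguments" and the ShowCommand value are the
# fields most worth reporting; the string data (target, arguments, icon
# path) is not decoded by this entry.
# 'L' + GUUID
0 string \114\0\0\0\001\024\002\0\0\0\0\0\300\0\0\0\0\0\0\106 MS Windows shortcut
# LinkFlags at offset 20 (bit mask)
>20 lelong&1 1 \b, Item id list present
>20 lelong&2 2 \b, Points to a file or directory
>20 lelong&4 4 \b, Has Description string
>20 lelong&8 8 \b, Has Relative path
>20 lelong&16 16 \b, Has Working directory
>20 lelong&32 32 \b, Has command line arguments
>20 lelong&64 64 \b, Icon
>>56 lelong x \b number=%d
# FileAttributes at offset 24 use the Win32 FILE_ATTRIBUTE_* values;
# 0x8 (DOS volume label) and 0x40 (device) are reserved in [MS-SHLLINK]
>24 lelong&1 1 \b, Read-Only
>24 lelong&2 2 \b, Hidden
>24 lelong&4 4 \b, System
>24 lelong&8 8 \b, Volume Label
>24 lelong&16 16 \b, Directory
>24 lelong&32 32 \b, Archive
>24 lelong&128 128 \b, Normal
>24 lelong&256 256 \b, Temporary
>24 lelong&512 512 \b, Sparse
>24 lelong&1024 1024 \b, Reparse point
>24 lelong&2048 2048 \b, Compressed
>24 lelong&4096 4096 \b, Offline
>24 lelong&8192 8192 \b, Not content indexed
# FILE_ATTRIBUTE_ENCRYPTED is 0x4000 (previously mislabeled on bit 0x40)
>24 lelong&16384 16384 \b, Encrypted
# FILETIMEs in [MS-SHLLINK] order: CreationTime, AccessTime, WriteTime
# (the old PDF swaps the last two, which is why they were mislabeled before)
>28 leqwdate x \b, ctime=%s
>36 leqwdate x \b, atime=%s
>44 leqwdate x \b, mtime=%s
>52 lelong x \b, length=%u, window=
# ShowCommand at offset 60 is an enumerated SW_* value, NOT a bit mask:
# the common value 1 (SW_SHOWNORMAL) used to print as "hide". Only 1, 3
# and 7 are meaningful per [MS-SHLLINK]; 7 (minimized, no activation) is a
# classic trick to hide a console window. Other values are shown raw
# because a non-standard value is itself a useful signal.
>60 lelong 0 \bhide
>60 lelong 1 \bnormal
>60 lelong 2 \bshowminimized
>60 lelong 3 \bshowmaximized
>60 lelong 4 \bshownoactivate
>60 lelong 5 \bshow
>60 lelong 6 \bminimize
>60 lelong 7 \bshowminnoactive
>60 lelong 8 \bshowna
>60 lelong 9 \brestore
>60 lelong 10 \bshowdefault
>60 ulelong >10 \b0x%x
#>20 lelong&1 0
#>>20 lelong&2 2
#>>>(72.l-64) pstring/h x \b [%s]
#>20 lelong&1 1
#>>20 lelong&2 2
#>>>(72.s) leshort x
#>>>&75 pstring/h x \b [%s]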
339
# Summary: Outlook Personal Folders
# Created by: unknown
# 0x4E444221 little-endian is the ASCII signature "!BDN"; the format byte at
# offset 10 separates the ANSI (<=2002) and Unicode (>=2003) layouts.
# Nothing about encryption/obfuscation of the store is reported here.
0 lelong 0x4E444221 Microsoft Outlook email folder
>10 leshort 0x0e (<=2002)
>10 leshort 0x17 (>=2003)
345
346
# Summary: Windows help cache
# Created by: unknown
# 12-byte signature: "tfMR\n" followed by the fixed bytes 00 00 00 01 00 00 00.
# Note the plain "tfMR" full-text-search index entry above shares the prefix;
# this longer match wins by strength when the trailing bytes are present.
0 string \164\146\115\122\012\000\000\000\001\000\000\000 MS Windows help cache
350
351
# Summary: IE cache file
# Created by: Christophe Monniez
# index.dat of the old IE cache/history; the version string sits at offset 20.
# Records inside are not parsed here.
0 string Client\ UrlCache\ MMF Internet Explorer cache file
>20 string >\0 version %s
356
357
# Summary: Registry files
# Created by: unknown
# Modified by (1): Joerg Jenderek
# Note: only the 4- or 5-byte signature is checked. Nothing beyond it (no
# header checksum, sequence numbers or format version) is inspected, so a
# truncated, dirty or corrupt hive is reported exactly like a clean one.
0 string regf MS Windows registry file, NT/2000 or above
0 string CREG MS Windows 95/98/ME registry file
0 string SHCC3 MS Windows 3.1 registry file
364
365
# Summary: Windows Registry text
# URL: https://en.wikipedia.org/wiki/Windows_Registry#.REG_files
# Reference: http://fileformats.archiveteam.org/wiki/Windows_Registry
# Submitted by: Abel Cheung <abelcheung (a] gmail.com>
# Update: Joerg Jenderek
# Note: a .reg file imported through regedit writes whatever keys it lists;
# treat unsolicited ones as active content, not as harmless text.
# Windows 3-9X variant
0 string REGEDIT
# skip ASCII text like "REGEDITor.txt" but match
# L1WMAP.REG with only 1 CRNL or org.gnome.gnumeric.reg with 2 NL
# (a line break must follow within 3 bytes of the keyword)
>7 search/3 \n Windows Registry text
!:mime text/x-ms-regedit
!:ext reg
# Windows 9X variant
>>0 string REGEDIT4 (Win95 or above)
# Windows 2K ANSI variant
0 string Windows\ Registry\ Editor\
>&0 string Version\ 5.00\r\n\r\n Windows Registry text (Win2K or above)
!:mime text/x-ms-regedit
!:ext reg
# Windows 2K UTF-16 variant
# offset 2 skips the BOM; "Windows Registry Editor " is 24 code units,
# hence the version string is expected at 2+48 = 0x32
2 lestring16 Windows\ Registry\ Editor\
>0x32 lestring16 Version\ 5.00\r\n\r\n Windows Registry little-endian text (Win2K or above)
# relative offset not working
#>&0 lestring16 Version\ 5.00\r\n\r\n Windows Registry little-endian text (Win2K or above)
!:mime text/x-ms-regedit
!:ext reg
# WINE variant
# URL: https://en.wikipedia.org/wiki/Wine_(software)
# Reference: https://www.winehq.org/pipermail/wine-cvs/2005-October/018763.html
# Note: WINE uses a text based registry (system.reg,user.reg,userdef.reg)
# instead of the binary hive structure used by Windows
0 string WINE\ REGISTRY\ Version\ WINE registry text
# version 2
>&0 string x \b, version %s
!:mime text/x-wine-extension-reg
!:ext reg
402
# Windows *.INF *.INI files updated by Joerg Jenderek at Apr 2013, Feb 2018
# empty ,comment , section
# PR/383: remove unicode BOM because it is not portable across regex impls
#0 regex/s \\`(\\r\\n|;|[[])
# Three cheap first-byte anchors dispatch into the shared ini-file routine;
# each one matches a great many plain text files, so the real classification
# is done by the section-name checks inside ini-file.
# empty line CRLF
0 ubeshort 0x0D0A
>0 use ini-file
# comment line
0 string ;
>0 use ini-file
# section line
0 string [
>0 use ini-file
# check and then display Windows INItialization configuration
# Named sub-routine: finds the first "[" within 8192 bytes and classifies
# the file by the section name that follows it (case-insensitive regexes).
# Unknown first sections fall through to a second "[" search, then to a
# generic label. Section names are matched, not values, so a file that
# merely contains the right header is reported as that type.
0 name ini-file
# look for left bracket in section line
>0 search/8192 [
# https://en.wikipedia.org/wiki/Autorun.inf
# https://msdn.microsoft.com/en-us/library/windows/desktop/cc144200.aspx
# space after right bracket
# or AutoRun.Amd64 for 64 bit systems
# or only NL separator
# autorun.inf on removable media is a long-standing propagation vector;
# worth flagging in triage regardless of the generic label given here
>>&0 regex/c \^(autorun)
# but sometimes total commander directory tree file "treeinfo.wc" with lines like
# [AUTORUN]
# [boot]
>>>&0 string =]\r\n[ Total commander directory treeinfo.wc
!:mime text/plain
!:ext wc
# From: Pal Tamas <folti (a] balabit.hu>
# Autorun File
>>>&0 string !]\r\n[ Microsoft Windows Autorun file
!:mime application/x-setupscript
!:ext inf
# https://msdn.microsoft.com/en-us/library/windows/hardware/ff549520(v=vs.85).aspx
# version strings ASCII coded case-independent for Windows setup information script file
>>&0 regex/c \^(version|strings)] Windows setup INFormation
!:mime application/x-setupscript
#!:mime application/x-wine-extension-inf
!:ext inf
# NETCRC.INF OEMCPL.INF
>>&0 regex/c \^(WinsockCRCList|OEMCPL)] Windows setup INFormation
!:mime application/x-setupscript
!:ext inf
# http://www.winfaq.de/faq_html/Content/tip2500/onlinefaq.php?h=tip2653.htm
# https://msdn.microsoft.com/en-us/library/windows/desktop/cc144102.aspx
# .ShellClassInfo DeleteOnCopy LocalizedFileNames ASCII coded case-independent
>>&0 regex/c \^(\.ShellClassInfo|DeleteOnCopy|LocalizedFileNames)] Windows desktop.ini
!:mime application/x-wine-extension-ini
#!:mime text/plain
# https://support.microsoft.com/kb/84709/
>>&0 regex/c \^(don't\ load)] Windows CONTROL.INI
!:mime application/x-wine-extension-ini
!:ext ini
>>&0 regex/c \^(ndishlp\\$|protman\\$|NETBEUI\\$)] Windows PROTOCOL.INI
!:mime application/x-wine-extension-ini
!:ext ini
# https://technet.microsoft.com/en-us/library/cc722567.aspx
# http://www.winfaq.de/faq_html/Content/tip0000/onlinefaq.php?h=tip0137.htm
>>&0 regex/c \^(windows|Compatibility|embedding)] Windows WIN.INI
!:mime application/x-wine-extension-ini
!:ext ini
# https://en.wikipedia.org/wiki/SYSTEM.INI
>>&0 regex/c \^(boot|386enh|drivers)] Windows SYSTEM.INI
!:mime application/x-wine-extension-ini
!:ext ini
# http://www.mdgx.com/newtip6.htm
>>&0 regex/c \^(SafeList)] Windows IOS.INI
!:mime application/x-wine-extension-ini
!:ext ini
# https://en.wikipedia.org/wiki/NTLDR Windows Boot Loader information
>>&0 regex/c \^(boot\x20loader)] Windows boot.ini
!:mime application/x-wine-extension-ini
!:ext ini
# https://en.wikipedia.org/wiki/CONFIG.SYS
>>&0 regex/c \^(menu)] MS-DOS CONFIG.SYS
# @CONFIG.UI configuration file of previous DOS version saved by Caldera OPENDOS INSTALL.EXE
# CONFIG.PSS saved version of file CONFIG.SYS created by %WINDIR%\SYSTEM\MSCONFIG.EXE
# CONFIG.TSH renamed file CONFIG.SYS.BAT by %WINDIR%\SYSTEM\MSCONFIG.EXE
# dos and w40 used in dual booting scene
!:ext sys/dos/w40
# https://support.microsoft.com/kb/118579/
>>&0 regex/c \^(Paths)]\r\n MS-DOS MSDOS.SYS
!:ext sys/dos
# http://chmspec.nongnu.org/latest/INI.html#HHP
>>&0 regex/c \^(options)]\r\n Microsoft HTML Help Project
!:mime text/plain
!:ext hhp
# unknown keyword after opening bracket
>>&0 default x
#>>>&0 string/c x UNKNOWN [%s
# look for left bracket of second section
>>>&0 search/8192 [
# version Strings FileIdentification
>>>>&0 string/c version Windows setup INFormation
!:mime application/x-setupscript
!:ext inf
# https://en.wikipedia.org/wiki/Initialization_file Windows Initialization File or other
>>>>&0 default x
>>>>>&0 ubyte x
# characters, digits, underscore and white space followed by right bracket
# terminated by CR implies section line to skip BOOTLOG.TXT DETLOG.TXT
# (&-1 steps back over the byte consumed by the ubyte test above)
>>>>>>&-1 regex \^([A-Za-z0-9_\(\)\ ]+)\]\r Generic INItialization configuration [%-.40s
# NETDEF.INF multiarc.ini
#!:mime application/x-setupscript
!:mime application/x-wine-extension-ini
#!:mime text/plain
!:ext ini/inf
# UTF-16 BOM followed by CR~0D00 , comment~semicolon~3B00 , section~bracket~5B00
# The mask 0xFFff89FF keeps the BOM bytes and the bits that 0x0D, 0x3B and
# 0x5B share, so one compare accepts all three first characters.
0 ubelong&0xFFff89FF =0xFFFE0900
# look for left bracket in section line
>2 search/8192 [
# keyword without 1st letter which is maybe up-/down-case
# (&3 skips the "[" and the high byte of the first UTF-16 letter)
>>&3 lestring16 ersion] Windows setup INFormation
!:mime application/x-setupscript
!:ext inf
>>&3 lestring16 trings] Windows setup INFormation
!:mime application/x-setupscript
!:ext inf
>>&3 lestring16 ourceDisksNames] Windows setup INFormation
!:mime application/x-setupscript
!:ext inf
# netnwcli.inf start with ;---[ NetNWCli.INX ]
>>&3 default x
# look for NL followed by left bracket
>>>&0 search/8192 \x0A\x00\x5b
>>>>&3 lestring16 ersion] Windows setup INFormation
!:mime application/x-setupscript
!:ext inf
532
# Windows Precompiled INF files *.PNF added by Joerg Jenderek at Mar 2013 of _PNF_HEADER inf.h
# http://read.pudn.com/downloads3/sourcecode/windows/248345/win2k/private/windows/setup/setupapi/inf.h__.htm
# GRR: line below too general as it catches also PDP-11 UNIX/RT ldp
# The weak 2-byte anchor is compensated by !:strength -5 and by the flag,
# offset and WinDirPath sanity tests that follow before anything is printed.
0 leshort&0xFeFe 0x0000
!:strength -5
# test for unused null bits in PNF_FLAGs
>4 ulelong&0xFCffFe00 0x00000000
# only found 58h for Offset of WinDirPath immediately after _PNF_HEADER structure
>>68 ulelong >0x57
# test for zero high byte of InfValueBlockSize, followed by WinDirPath like
# C:\WINDOWS (ASCII 0x433a5c.. , unicode 0x43003a005c..) or X:\MININT
>>>(68.l-1) ubelong&0xffE0C519 =0x00400018 Windows Precompiled iNF
!:mime application/x-pnf
# currently only found Major Version=1 and Minor Version=1
#>>>>0 uleshort =0x0101
#>>>>>1 ubyte x \b, version %u
#>>>>>0 ubyte x \b.%u
>>>>0 uleshort !0x0101
>>>>>1 ubyte x \b, version %u
>>>>>0 ubyte x \b.%u
# 1 ,2 (windows 98 SE)
#>>>>2 uleshort =2 \b, InfStyle %u
>>>>2 uleshort !2 \b, InfStyle %u
# PNF_FLAG_IS_UNICODE 0x00000001
# PNF_FLAG_HAS_STRINGS 0x00000002
# PNF_FLAG_SRCPATH_IS_URL 0x00000004
# PNF_FLAG_HAS_VOLATILE_DIRIDS 0x00000008
# PNF_FLAG_INF_VERIFIED 0x00000010
# PNF_FLAG_INF_DIGITALLY_SIGNED 0x00000020
# ?? 0x00000100
# ?? 0x01000000
# ?? 0x02000000
>>>>4 ulelong&0x00000001 0x00000001 \b, unicoded
# "digitally signed" only echoes a flag stored in the precompiled cache by
# setupapi; file(1) verifies no signature here, so do not treat it as proof
>>>>4 ulelong&0x00000020 0x00000020 \b, digitally signed
#>>>>8 ulelong x \b, InfSubstValueListOffset 0x%x
# many 0, 1 lmouusb.PNF, 2 linkfx10.PNF , f webfdr16.PNF
#>>>>12 uleshort x \b, InfSubstValueCount 0x%x
# only < 9 found
#>>>>14 uleshort x \b, InfVersionDatumCount 0x%x
# only found values lower 0x0000ffff
#>>>>16 ulelong x \b, InfVersionDataSize 0x%x
# only found positive values lower 0x00ffFFff for InfVersionDataOffset
>>>>20 ulelong x \b, at 0x%x
>>>>4 ulelong&0x00000001 =0x00000001
# case independent: CatalogFile Class DriverVer layoutfile LayoutFile SetupClass signature Signature
>>>>>(20.l) lestring16 x "%s"
>>>>4 ulelong&0x00000001 !0x00000001
>>>>>(20.l) string x "%s"
# FILETIME is number of 100-nanosecond intervals since 1 January 1601
#>>>>24 ulequad x \b, InfVersionLastWriteTime %16.16llx
# only found values lower 0x00ffFFff
#>>>>32 ulelong x \b, StringTableBlockOffset 0x%x
#>>>>36 ulelong x \b, StringTableBlockSize 0x%x
#>>>>40 ulelong x \b, InfSectionCount 0x%x
#>>>>44 ulelong x \b, InfSectionBlockOffset 0x%x
#>>>>48 ulelong x \b, InfSectionBlockSize 0x%x
#>>>>52 ulelong x \b, InfLineBlockOffset 0x%x
#>>>>56 ulelong x \b, InfLineBlockSize 0x%x
#>>>>60 ulelong x \b, InfValueBlockOffset 0x%x
#>>>>64 ulelong x \b, InfValueBlockSize 0x%x
# WinDirPathOffset
#>>>>68 ulelong x \b, at 0x%x
>>>>68 ulelong >0x57
>>>>>4 ulelong&0x00000001 =0x00000001
# the usual "C:\W" in UTF-16LE is silently skipped; anything else is printed
>>>>>>(68.l) ubequad =0x43003a005c005700
# normally unicoded C:\Windows
#>>>>>>>(68.l) lestring16 x \b, WinDirPath "%s"
>>>>>>(68.l) ubequad !0x43003a005c005700
>>>>>>>(68.l) lestring16 x \b, WinDirPath "%s"
>>>>>4 ulelong&0x00000001 !0x00000001
# normally ASCII C:\WINDOWS
#>>>>>>(68.l) string =C:\\WINDOWS \b, WinDirPath "%s"
>>>>>>(68.l) string !C:\\WINDOWS \b, WinDirPath "%s"
# found OsLoaderPathOffset values often 0 , once 70h corelist.PNF, once 68h ASCII machine.PNF
#>>>>72 ulelong >0 \b, at 0x%x
>>>>72 ulelong >0 \b,
>>>>>4 ulelong&0x00000001 =0x00000001
>>>>>>(72.l) lestring16 x OsLoaderPath "%s"
>>>>>4 ulelong&0x00000001 !0x00000001
# seldom C:\ instead empty
>>>>>>(72.l) string x OsLoaderPath "%s"
# 1fdh
#>>>>76 uleshort x \b, StringTableHashBucketCount 0x%x
>>>>78 uleshort !0x407 \b, LanguageId %x
# only 407h found
#>>>>78 uleshort =0x407 \b, LanguageId %x
# InfSourcePathOffset often 0
#>>>>80 ulelong >0 \b, at 0x%x
>>>>80 ulelong >0 \b,
>>>>>4 ulelong&0x00000001 =0x00000001
>>>>>>(80.l) lestring16 x SourcePath "%s"
>>>>>4 ulelong&0x00000001 !0x00000001
>>>>>>(80.l) string >\0 SourcePath "%s"
# OriginalInfNameOffset often 0
#>>>>84 ulelong >0 \b, at 0x%x
>>>>84 ulelong >0 \b,
>>>>>4 ulelong&0x00000001 =0x00000001
>>>>>>(84.l) lestring16 x InfName "%s"
>>>>>4 ulelong&0x00000001 !0x00000001
>>>>>>(84.l) string >\0 InfName "%s"
633
# Summary: backup file created with utility like NTBACKUP.EXE shipped with Windows NT/2K/XP/2003
# Extension: .bkf
# Created by: Joerg Jenderek
# URL: https://en.wikipedia.org/wiki/NTBackup
# Reference: http://laytongraphics.com/mtf/MTF_100a.PDF
# Descriptor BloCK name of Microsoft Tape Format
# Several must-be-zero fields are tested before the label is printed, so a
# random file starting with "TAPE" is not reported as a backup set.
0 string TAPE
# Format Logical Address is zero
>20 ulequad 0
# Reserved for MBC is zero
>>28 uleshort 0
# Control Block ID is zero
>>>36 ulelong 0
# BIT4-BIT15, BIT18-BIT31 of block attributes are unused
>>>>4 ulelong&0xFFfcFFe0 0 Windows NTbackup archive
#!:mime application/x-ntbackup
!:ext bkf
# OS ID
>>>>>10 ubyte 1 \b NetWare
>>>>>10 ubyte 13 \b NetWare SMS
>>>>>10 ubyte 14 \b NT
>>>>>10 ubyte 24 \b 3
>>>>>10 ubyte 25 \b OS/2
>>>>>10 ubyte 26 \b 95
>>>>>10 ubyte 27 \b Macintosh
>>>>>10 ubyte 28 \b UNIX
# OS Version (2)
#>>>>>11 ubyte x OS V=%x
# MTF_CONTINUATION Media Sequence Number > 1
#>>>>>4 ulelong&0x00000001 !0 \b, continued
# MTF_COMPRESSION
>>>>>4 ulelong&0x00000004 !0 \b, compressed
# MTF_EOS_AT_EOM End Of Medium was hit during end of set processing
>>>>>4 ulelong&0x00000008 !0 \b, End Of Medium hit
>>>>>4 ulelong&0x00020000 0
# MTF_SET_MAP_EXISTS A Media Based Catalog Set Map may exist on tape
>>>>>>4 ulelong&0x00010000 !0 \b, with catalog
# MTF_FDD_ALLOWED However File/Directory Detail can only exist if a Set Map is also present
>>>>>4 ulelong&0x00020000 !0 \b, with file catalog
# Offset To First Event 238h,240h,28Ch
#>>>>>8 uleshort x \b, event offset %4.4x
# Displayable Size (20e0230h 20e024ch 20e0224h)
#>>>>>8 ulequad x dis. size %16.16llx
# Media Family ID (455288C4h 4570BD1Ah 45708F2Fh 4570BBF5h)
#>>>>>52 ulelong x family ID %8.8x
# TAPE Attributes (3)
#>>>>>56 ulelong x TAPE %8.8x
# Media Sequence Number
>>>>>60 uleshort >1 \b, sequence %u
# Password Encryption Algorithm (3)
# This is the MTF "password encryption algorithm" selector: it signals that
# a password was set on the set, not that the backed-up data is encrypted
# -- presumably the payload remains readable; verify against the MTF spec
>>>>>62 uleshort >0 \b, 0x%x encrypted
# Soft Filemark Block Size * 512 (2)
#>>>>>64 uleshort =2 \b, soft size %u*512
>>>>>64 uleshort !2 \b, soft size %u*512
# Media Based Catalog Type (1,2)
#>>>>>66 uleshort x \b, catalog type %4.4x
# size of Media Name (66,68,6Eh)
>>>>>68 uleshort >0
# offset of Media Name (5Eh)
>>>>>>70 uleshort >0
# 0~, 1~ANSI, 2~UNICODE
>>>>>>>48 ubyte 1
# size terminated ansi coded string normally followed by "MTF Media Label"
>>>>>>>>(70.s) string >\0 \b, name: %s
>>>>>>>48 ubyte 2
# Not null, but size terminated unicoded string
>>>>>>>>(70.s) lestring16 x \b, name: %s
# size of Media Label (104h)
>>>>>72 uleshort >0
# offset of Media Label (C4h,C6h,CCh)
>>>>>74 uleshort >0
>>>>>>48 ubyte 1
#Tag|Version|Vendor|Vendor ID|Creation Time Stamp|Cartridge Label|Side|Media ID|Media Domain ID|Vendor Specific fields
>>>>>>>(74.s) string >\0 \b, label: %s
>>>>>>48 ubyte 2
>>>>>>>(74.s) lestring16 x \b, label: %s
# size of password name (0,1Ch)
#>>>>>76 uleshort >0 \b, password size %4.4x
# Software Vendor ID (CBEh)
>>>>>86 uleshort x \b, software (0x%x)
# size of Software Name (6Eh)
>>>>>80 uleshort >0
# offset of Software Name (1C8h,1CAh,1D0h)
>>>>>>82 uleshort >0
# 1~ANSI, 2~UNICODE
>>>>>>>48 ubyte 1
>>>>>>>>(82.s) string >\0 \b: %s
>>>>>>>48 ubyte 2
# size terminated unicoded coded string normally followed by "SPAD"
>>>>>>>>(82.s) lestring16 x \b: %s
# Format Logical Block Size (512,1024)
#>>>>>84 uleshort =1024 \b, block size %u
>>>>>84 uleshort !1024 \b, block size %u
# Media Date of MTF_DATE_TIME type with 5 bytes
#>>>>>>88 ubequad x DATE %16.16llx
# MTF Major Version (1)
#>>>>>>93 ubyte x \b, MFT version %x
#
731 #
732
# URL: https://en.wikipedia.org/wiki/PaintShop_Pro
# Reference: https://www.cryer.co.uk/file-types/p/pal.htm
# Created by: Joerg Jenderek
# Note: there exist other color palette formats also with .pal extension
# Text format: line 1 is the signature, line 2 the version, line 3 the
# colour count; the fixed offsets below assume CRLF line endings and a
# 4-digit version, as in "JASC-PAL\r\n0100\r\n256\r\n".
0 string JASC-PAL\r\n PaintShop Pro color palette
#!:mime text/plain
# PspPalette extension is used by newer (probably 8) PaintShopPro versions
!:ext pal/PspPalette
# 2nd line contains palette file version. For example "0100"
>10 string !0100 \b, version %.4s
# third line contains the number of colours: 16 256 ...
>16 string x \b, %.3s colors
745
# URL: https://en.wikipedia.org/wiki/Innosetup
# Reference: https://github.com/jrsoftware/issrc/blob/master/Projects/Undo.pas
# Created by: Joerg Jenderek
# Note: created by like "InnoSetup self-extracting archive" inside ./msdos
# TrID labels the entry as "Inno Setup Uninstall Log"
# Note: the log records host name, user name and install directory in the
# clear (printed below), so unins*.dat is a small PII leak when shared.
# TUninstallLogID
0 string Inno\ Setup\ Uninstall\ Log\ (b) InnoSetup Log
!:mime application/x-innosetup
# unins000.dat, unins001.dat, ...
!:ext dat
# " 64-bit" variant
>0x1c string >\0 \b%.7s
# AppName[0x80] like "Minimal SYStem", ClamWin Free Antivirus , ...
>0xc0 string x %s
# AppId[0x80] is similar to AppName or
# GUID like {4BB0DCDC-BC24-49EC-8937-72956C33A470} start with left brace
>0x40 ubyte 0x7b
>>0x40 string x %-.38s
# do not know how this log version correlates to program version
>0x140 ulelong x \b, version 0x%x
# NumRecs
#>0x144 ulelong x \b, 0x%4.4x records
# EndOffset means files size
>0x148 ulelong x \b, %u bytes
# Flags 5 25h 35h
#>0x14c ulelong x \b, flags %8.8x
# Reserved: array[0..26] of Longint
# the non Unicode HighestSupportedVersion may never become greater than or equal to 1000
>0x140 ulelong <1000
# hostname
>>0x1d6 pstring x \b, %s
# user name
>>>&0 pstring x \b\%s
# directory like C:\Program Files (x86)\GnuWin32
>>>>&0 pstring x \b, "%s"
# version 1000 or higher implies unicode
>0x140 ulelong >999
# hostname
>>0x1db lestring16 x \b, %-.9s
# utf string variant with prepending fe??ffFFff
# the 0xFF 0xFF 0xFF run is used as a field separator; the %-.9s / %-.42s
# widths are fixed guesses, so longer names are silently truncated here
>>0x1db search/43 \xFF\xFF\xFF
# user name
>>>&0 lestring16 x \b\%-.9s
>>>&0 search/43 \xFF\xFF\xFF
# directory like C:\Program Files\GIMP 2
>>>>&0 lestring16 x \b, %-.42s
792
# Windows Imaging (WIM) Image
# Update: Joerg Jenderek at Mar 2019
# URL: https://en.wikipedia.org/wiki/Windows_Imaging_Format
# Reference: https://download.microsoft.com/download/f/e/f/
# fefdc36e-392d-4678-9e4e-771ffa2692ab/Windows%20Imaging%20File%20Format.rtf
# Note: verified by like `7z t boot.wim` `wiminfo install.esd --header`
# Two 8-byte signatures (Microsoft and wimlib pipable) share one routine.
0 string MSWIM\000\000\000
>0 use wim-archive
# https://wimlib.net/man1/wimoptimize.html
0 string WLPWM\000\000\000
>0 use wim-archive
# Named sub-routine for WIM/ESD/SWM headers. Only header fields are read;
# the integrity table (rhIntegrity, left commented out below) and the XML
# data are not parsed, so the output says nothing about image integrity.
0 name wim-archive
# _WIMHEADER_V1_PACKED ImageTag[8]
>0 string x Windows imaging
!:mime application/x-ms-wim
# TO avoid in file version 5.36 error like
# Magdir/windows, 760: Warning: Current entry does not yet have a description
# file: could not find any valid magic files! (No error)
# split WIM (FLAG_HEADER_SPANNED)
>16 ulelong &0x00000008 (SWM
!:ext swm
# usPartNumber; 1, unless the file was split into multiple parts
>>40 uleshort x \b %u
# usTotalParts; The total number of WIM file parts in a spanned set
>>42 uleshort x \b of %u) image
# non split WIM
>16 ulelong ^0x00000008
# https://wimlib.net/man1/wimmount.html
# solid WIMs; version 3584; usually contain LZMS-compressed and the .esd extension
>>12 ulelong 3584 (ESD) image
!:ext esd
>>12 ulelong !3584 (WIM) image
!:ext wim
>0 string/b WLPWM\000\000\000 \b, wimlib pipable format
# cbSize size of the WIM header in bytes like 208
#>8 ulelong x \b, headersize %u
# dwVersion version of the WIM file 00010d00h~1.13 00000e00h~0.14
# (major from byte 14, minor from byte 13 -- the low byte 12 is not shown)
>14 uleshort x v%u
>13 ubyte x \b.%u
# dwImageCount; The number of images contained in the WIM file
>44 ulelong >1 \b, %u images
# dwBootIndex
# 1-based index of the bootable image of the WIM, or 0 if no image is bootable
>0x78 ulelong >0 \b, bootable no. %u
# dwFlags
#>16 ulelong x \b, flags 0x%8.8x
#define FLAG_HEADER_COMPRESSION 0x00000002
#define FLAG_HEADER_READONLY 0x00000004
#define FLAG_HEADER_SPANNED 0x00000008
#define FLAG_HEADER_RESOURCE_ONLY 0x00000010
#define FLAG_HEADER_METADATA_ONLY 0x00000020
#define FLAG_HEADER_WRITE_IN_PROGRESS 0x00000040
#define FLAG_HEADER_RP_FIX 0x00000080 reparse point fixup
#define FLAG_HEADER_COMPRESS_RESERVED 0x00010000
#define FLAG_HEADER_COMPRESS_XPRESS 0x00020000
#define FLAG_HEADER_COMPRESS_LZX 0x00040000
#define FLAG_HEADER_COMPRESS_LZMS 0x00080000
#define FLAG_HEADER_COMPRESS_XPRESS2 0x00100000 wimlib-1.13.0\include\wimlib\header.h
# XPRESS, with small chunk size
>16 ulelong &0x00100000 \b, XPRESS2
>16 ulelong &0x00080000 \b, LZMS
>16 ulelong &0x00040000 \b, LZX
>16 ulelong &0x00020000 \b, XPRESS
>16 ulelong &0x00000002 compressed
>16 ulelong &0x00000004 \b, read only
>16 ulelong &0x00000010 \b, resource only
>16 ulelong &0x00000020 \b, metadata only
>16 ulelong &0x00000080 \b, reparse point fixup
#>16 ulelong &0x00010000 \b, RESERVED
# FLAG_HEADER_WRITE_IN_PROGRESS (0x40) is not reported; a set bit would mean
# the image was left half-written -- TODO consider adding
# dwCompressionSize; Uncompressed chunk size for resources or 0 if uncompressed
#>20 ulelong >0 \b, chunk size %u bytes
# gWIMGuid
#>24 ubequad x \b, GUID 0x%16.16llx
#>>32 ubequad x \b%16.16llx
# rhOffsetTable; the location of the resource lookup table
# wim_reshdr_disk[24]= u8 size_in_wim[7] + u8 flags + le64 offset_in_wim + le64 uncompressed_size
#>48 ubequad x \b, rhOffsetTable 0x%16.16llx
# rhXmlData; the location of the XML data
#>0x50 ulelong x \b, at 0x%8.8x
# NOT WORKING \xff\xfe<\0W\0I\0M\0
#>(0x50.l) ubequad x \b, xml=%16.16llx
# rhBootMetadata; the location of the metadata resource
#>0x60 ubequad x \b, rhBootMetadata 0x%16.16llx
# rhIntegrity; the location of integrity table used to verify files
#>0x7c ubequad x \b, rhIntegrity 0x%16.16llx
# Unused[60]
#>148 ubequad !0 \b,unused 0x%16.16llx
#
880 #
881
882