"Fossies" - the Fresh Open Source Software Archive

Member "file-5.35/magic/Magdir/windows" (16 Feb 2018, 26146 Bytes) of package /linux/misc/file-5.35.tar.gz:


As a special service "Fossies" has tried to format the requested text file into HTML format (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file. See also the last Fossies "Diffs" side-by-side code changes report for "windows": 5.32_vs_5.33.

    1 
    2 #------------------------------------------------------------------------------
    3 # $File: windows,v 1.22 2018/02/16 15:44:00 christos Exp $
    4 # windows:  file(1) magic for Microsoft Windows
    5 #
    6 # This file is mainly reserved for files where programs
    7 # using them are run almost always on MS Windows 3.x or
    8 # above, or files only used exclusively in Windows OS,
    9 # where there is no better category to allocate for.
   10 # For example, even though WinZIP almost run on Windows
   11 # only, it is better to treat them as "archive" instead.
   12 # For format usable in DOS, such as generic executable
   13 # format, please specify under "msdos" file.
   14 #
   15 
   16 
   17 # Summary: Outlook Express DBX file
   18 # Extension: .dbx
   19 # Created by: Christophe Monniez
   20 0	string	\xCF\xAD\x12\xFE	MS Outlook Express DBX file
   21 >4	byte	=0xC5			\b, message database
   22 >4	byte	=0xC6			\b, folder database
   23 >4	byte	=0xC7			\b, account information
   24 >4	byte	=0x30			\b, offline database
   25 
   26 
   27 # Summary: Windows crash dump
   28 # Extension: .dmp
   29 # Created by: Andreas Schuster (http://computer.forensikblog.de/)
   30 # Reference (1): http://computer.forensikblog.de/en/2008/02/64bit_magic.html
   31 # Modified by (1): Abel Cheung (Avoid match with first 4 bytes only)
   32 0	string		PAGE
   33 >4	string		DUMP		MS Windows 32bit crash dump
   34 >>0x05c	byte            0		\b, no PAE
   35 >>0x05c	byte            1		\b, PAE
   36 >>0xf88	lelong		1		\b, full dump
   37 >>0xf88	lelong		2		\b, kernel dump
   38 >>0xf88	lelong		3		\b, small dump
   39 >>0x068	lelong		x		\b, %d pages
   40 >4	string		DU64		MS Windows 64bit crash dump
   41 >>0xf98	lelong		1		\b, full dump
   42 >>0xf98	lelong		2		\b, kernel dump
   43 >>0xf98	lelong		3		\b, small dump
   44 >>0x090	lequad		x		\b, %lld pages
   45 
   46 
   47 # Summary: Vista Event Log
   48 # Extension: .evtx
   49 # Created by: Andreas Schuster (http://computer.forensikblog.de/)
   50 # Reference (1): http://computer.forensikblog.de/en/2007/05/some_magic.html
   51 0	string		ElfFile\0	MS Windows Vista Event Log
   52 >0x2a	leshort		x		\b, %d chunks
   53 >>0x10	lelong		x		\b (no. %d in use)
   54 >0x18	lelong		>1		\b, next record no. %d
   55 >0x18	lelong		=1		\b, empty
   56 >0x78	lelong		&1		\b, DIRTY
   57 >0x78	lelong		&2		\b, FULL
   58 
   59 
   60 # Summary: Windows 3.1 group files
   61 # Extension: .grp
   62 # Created by: unknown
   63 0	string		\120\115\103\103	MS Windows 3.1 group files
   64 
   65 
   66 # Summary: Old format help files
   67 # URL: https://en.wikipedia.org/wiki/WinHelp
   68 # Reference: http://www.oocities.org/mwinterhoff/helpfile.htm
   69 # Update: Joerg Jenderek
   70 # Created by: Dirk Jagdmann <doj@cubic.org>
   71 #
   72 # check and then display version and date inside MS Windows HeLP file fragment
   73 0	name				help-ver-date
   74 # look for Magic of SYSTEMHEADER
   75 >0	leshort		0x036C
   76 # version Major		1 for right file fragment
   77 >>4	leshort		1		Windows
   78 # print non empty string above to avoid error message
   79 # Warning: Current entry does not yet have a description for adding a MIME type
   80 !:mime	application/winhelp
   81 !:ext	hlp
   82 # version Minor of help file format is hint for windows version
   83 >>>2	leshort		0x0F		3.x
   84 >>>2	leshort		0x15		3.0
   85 >>>2	leshort		0x21		3.1
   86 >>>2	leshort		0x27		x.y
   87 >>>2	leshort		0x33		95
   88 >>>2	default		x		y.z
   89 >>>>2	leshort		x		0x%x
   90 # to complete message string like "MS Windows 3.x help file"
   91 >>>2	leshort		x		help
   92 # GenDate often older than file creation date
   93 >>>6	ldate		x		\b, %s
   94 #
   95 # Magic for HeLP files
   96 0	lelong		0x00035f3f
   97 # ./windows (version 5.25) labeled the entry as "MS Windows 3.x help file"
   98 # file header magic 0x293B at DirectoryStart+9
   99 >(4.l+9)	uleshort	0x293B		MS
  100 # look for @VERSION	bmf.. like IBMAVW.ANN
  101 >>0xD4		string	=\x62\x6D\x66\x01\x00	Windows help annotation
  102 !:mime	application/x-winhelp
  103 !:ext	ann
  104 >>0xD4		string	!\x62\x6D\x66\x01\x00
  105 # "GID Help index" by TrID
  106 >>>(4.l+0x65)	string	=|Pete			Windows help Global Index
  107 !:mime	application/x-winhelp
  108 !:ext	gid
  109 # HeLP Bookmark or
  110 # "Windows HELP File" by TrID
  111 >>>(4.l+0x65)		string		!|Pete
  112 # maybe there exist a cleaner way to detect HeLP fragments
  113 # brute search for Magic 0x036C with matching Major maximal 7 iterations
  114 # discapp.hlp
  115 >>>>16			search/0x49AF/s	\x6c\x03
  116 >>>>>&0			use 		help-ver-date
  117 >>>>>&4			leshort		!1
  118 # putty.hlp
  119 >>>>>>&0		search/0x69AF/s	\x6c\x03
  120 >>>>>>>&0		use 		help-ver-date
  121 >>>>>>>&4		leshort		!1
  122 >>>>>>>>&0		search/0x49AF/s	\x6c\x03
  123 >>>>>>>>>&0		use 		help-ver-date
  124 >>>>>>>>>&4		leshort		!1
  125 >>>>>>>>>>&0		search/0x49AF/s	\x6c\x03
  126 >>>>>>>>>>>&0		use 		help-ver-date
  127 >>>>>>>>>>>&4		leshort		!1
  128 >>>>>>>>>>>>&0		search/0x49AF/s	\x6c\x03
  129 >>>>>>>>>>>>>&0		use 		help-ver-date
  130 >>>>>>>>>>>>>&4		leshort		!1
  131 >>>>>>>>>>>>>>&0	search/0x49AF/s	\x6c\x03
  132 >>>>>>>>>>>>>>>&0	use 		help-ver-date
  133 >>>>>>>>>>>>>>>&4	leshort		!1
  134 >>>>>>>>>>>>>>>>&0	search/0x49AF/s	\x6c\x03
  135 # GCC.HLP is detected after 7 iterations
  136 >>>>>>>>>>>>>>>>>&0	use 		help-ver-date
  137 # this only happens if bigger hlp file is detected after used search iterations
  138 >>>>>>>>>>>>>>>>>&4	leshort		!1		Windows y.z help
  139 !:mime	application/winhelp
  140 !:ext	hlp
  141 # repeat search again or following default line does not work
  142 >>>>16			search/0x49AF/s	\x6c\x03
  143 # remaining files should be HeLP Bookmark WinHlp32.BMK (XP 32-bit) or WinHlp32 (Windows 8.1 64-bit)
  144 >>>>16	default				x	Windows help Bookmark
  145 !:mime	application/x-winhelp
  146 !:ext	bmk
  147 ## FirstFreeBlock normally FFFFFFFFh 10h for *ANN
  148 ##>>8	lelong			x		\b, FirstFreeBlock 0x%8.8x
  149 # EntireFileSize
  150 >>12	lelong			x		\b, %d bytes
  151 ## ReservedSpace normally 042Fh AFh for *.ANN
  152 #>>(4.l)	lelong		x		\b, ReservedSpace 0x%8.8x
  153 ## UsedSpace normally 0426h A6h for *.ANN
  154 #>>(4.l+4)	lelong		x		\b, UsedSpace 0x%8.8x
  155 ## FileFlags normally 04...
  156 #>>(4.l+5)	lelong		x		\b, FileFlags 0x%8.8x
  157 ## file header magic 0x293B
  158 #>>(4.l+9)	uleshort	x		\b, file header magic 0x%4.4x
  159 ## file header Flags		0x0402
  160 #>>(4.l+11)	uleshort	x		\b, file header Flags 0x%4.4x
  161 ## file header PageSize	0400h 80h for *.ANN
  162 #>>(4.l+13)	uleshort	x		\b, PageSize 0x%4.4x
  163 ## Structure[16]		z4
  164 #>>(4.l+15)	string		>\0		\b, Structure_"%-.16s"
  165 ## MustBeZero			0
  166 #>>(4.l+31)	uleshort	x		\b, MustBeZero 0x%4.4x
  167 ## PageSplits
  168 #>>(4.l+33)	uleshort	x		\b, PageSplits 0x%4.4x
  169 ## RootPage
  170 #>>(4.l+35)	uleshort	x		\b, RootPage 0x%4.4x
  171 ## MustBeNegOne			0xffff
  172 #>>(4.l+37)	uleshort	x		\b, MustBeNegOne 0x%4.4x
  173 ## TotalPages			1
  174 #>>(4.l+39)	uleshort	x		\b, TotalPages 0x%4.4x
  175 ## NLevels			0x0001
  176 #>>(4.l+41)	uleshort	x		\b, NLevels 0x%4.4x
  177 ## TotalBtreeEntries
  178 #>>(4.l+43)	ulelong		x		\b, TotalBtreeEntries 0x%8.8x
  179 ## pages of the B+ tree
  180 #>>(4.l+47)	ubequad		x		\b, PageStart 0x%16.16llx
  181 
  182 # start with colon or semicolon for comment line like Back2Life.cnt
  183 0		regex		\^(:|;)
  184 # look for first keyword Base
  185 >0		search/45	:Base
  186 >>&0				use 		cnt-name
  187 # only solution to search again from beginning , because relative offsets changes when use is called
  188 >0		search/45	:Base
  189 >0		default		x
  190 # look for other keyword Title like in putty.cnt
  191 >>0		search/45	:Title
  192 >>>&0				use 		cnt-name
  193 #
  194 # display mime type and name of Windows help Content source
  195 0	name				cnt-name
  196 # skip space at beginning
  197 >0     string		\040
  198 # name without extension and greater character or name with hlp extension
  199 >>1	regex/c		\^([^\xd>]*|.*\.hlp)	MS Windows help file Content, based "%s"
  200 !:mime	text/plain
  201 !:apple	????TEXT
  202 !:ext	cnt
  203 #
  204 # Windows creates an full text search from hlp file, if the user clicks the "Find" tab and enables keyword indexing
  205 0	string		tfMR			MS Windows help Full Text Search index
  206 !:mime application/x-winhelp-fts
  207 !:ext	fts
  208 >16	string		>\0			for "%s"
  209 
  210 # Summary: Hyper terminal
  211 # Extension: .ht
  212 # Created by: unknown
  213 0	string		HyperTerminal\040
  214 >15	string		1.0\ --\ HyperTerminal\ data\ file	MS Windows HyperTerminal profile
  215 
  216 # http://ithreats.files.wordpress.com/2009/05/\040
  217 # lnk_the_windows_shortcut_file_format.pdf
  218 # Summary: Windows shortcut
  219 # Extension: .lnk
  220 # Created by: unknown
  221 # 'L' + GUUID
  222 0	string		\114\0\0\0\001\024\002\0\0\0\0\0\300\0\0\0\0\0\0\106	MS Windows shortcut
  223 >20	lelong&1	1	\b, Item id list present
  224 >20	lelong&2	2	\b, Points to a file or directory
  225 >20	lelong&4	4	\b, Has Description string
  226 >20	lelong&8	8	\b, Has Relative path
  227 >20	lelong&16	16	\b, Has Working directory
  228 >20	lelong&32	32	\b, Has command line arguments
  229 >20	lelong&64	64	\b, Icon
  230 >>56	lelong		x	\b number=%d
  231 >24	lelong&1	1	\b, Read-Only
  232 >24	lelong&2	2	\b, Hidden
  233 >24	lelong&4	4	\b, System
  234 >24	lelong&8	8	\b, Volume Label
  235 >24	lelong&16	16	\b, Directory
  236 >24	lelong&32	32	\b, Archive
  237 >24	lelong&64	64	\b, Encrypted
  238 >24	lelong&128	128	\b, Normal
  239 >24	lelong&256	256	\b, Temporary
  240 >24	lelong&512	512	\b, Sparse
  241 >24	lelong&1024	1024	\b, Reparse point
  242 >24	lelong&2048	2048	\b, Compressed
  243 >24	lelong&4096	4096	\b, Offline
  244 >28	leqwdate	x	\b, ctime=%s
  245 >36	leqwdate	x	\b, mtime=%s
  246 >44	leqwdate	x	\b, atime=%s
  247 >52	lelong		x	\b, length=%u, window=
  248 >60	lelong&1	1	\bhide
  249 >60	lelong&2	2	\bnormal
  250 >60	lelong&4	4	\bshowminimized
  251 >60	lelong&8	8	\bshowmaximized
  252 >60	lelong&16	16	\bshownoactivate
  253 >60	lelong&32	32	\bminimize
  254 >60	lelong&64	64	\bshowminnoactive
  255 >60	lelong&128	128	\bshowna
  256 >60	lelong&256	256	\brestore
  257 >60	lelong&512	512	\bshowdefault
  258 #>20	lelong&1	0
  259 #>>20	lelong&2	2
  260 #>>>(72.l-64)	pstring/h	x	\b [%s]
  261 #>20	lelong&1	1
  262 #>>20	lelong&2	2
  263 #>>>(72.s)	leshort	x
  264 #>>>&75	pstring/h	x	\b [%s]
  265 
  266 # Summary: Outlook Personal Folders
  267 # Created by: unknown
  268 0	lelong		0x4E444221	Microsoft Outlook email folder
  269 >10	leshort		0x0e		(<=2002)
  270 >10	leshort		0x17		(>=2003)
  271 
  272 
  273 # Summary: Windows help cache
  274 # Created by: unknown
  275 0	string		\164\146\115\122\012\000\000\000\001\000\000\000	MS Windows help cache
  276 
  277 
  278 # Summary: IE cache file
  279 # Created by: Christophe Monniez
  280 0	string	Client\ UrlCache\ MMF 	Internet Explorer cache file
  281 >20	string	>\0			version %s
  282 
  283 
  284 # Summary: Registry files
  285 # Created by: unknown
  286 # Modified by (1): Joerg Jenderek
  287 0	string		regf		MS Windows registry file, NT/2000 or above
  288 0	string		CREG		MS Windows 95/98/ME registry file
  289 0	string		SHCC3		MS Windows 3.1 registry file
  290 
  291 
  292 # Summary: Windows Registry text
  293 # URL: https://en.wikipedia.org/wiki/Windows_Registry#.REG_files
  294 # Reference: http://fileformats.archiveteam.org/wiki/Windows_Registry
  295 # Submitted by: Abel Cheung <abelcheung@gmail.com>
  296 # Update: Joerg Jenderek
  297 #		Windows 3-9X variant
  298 0	string		REGEDIT
  299 # skip ASCII text like "REGEDITor.txt" but match
  300 # L1WMAP.REG with only 1 CRNL or org.gnome.gnumeric.reg with 2 NL
  301 >7	search/3	\n			Windows Registry text
  302 !:mime	text/x-ms-regedit
  303 !:ext	reg
  304 #		Windows 9X variant
  305 >>0	string		REGEDIT4		(Win95 or above)
  306 #		Windows 2K ANSI variant
  307 0	string		Windows\ Registry\ Editor\ 
  308 >&0	string		Version\ 5.00\r\n\r\n	Windows Registry text (Win2K or above)
  309 !:mime	text/x-ms-regedit
  310 !:ext	reg
  311 #		Windows 2K UTF-16 variant
  312 2	lestring16	Windows\ Registry\ Editor\ 
  313 >0x32	lestring16	Version\ 5.00\r\n\r\n	Windows Registry little-endian text (Win2K or above)
  314 # relative offset not working
  315 #>&0	lestring16	Version\ 5.00\r\n\r\n	Windows Registry little-endian text (Win2K or above)
  316 !:mime	text/x-ms-regedit
  317 !:ext	reg
  318 #		WINE variant
  319 # URL: https://en.wikipedia.org/wiki/Wine_(software)
  320 # Reference: https://www.winehq.org/pipermail/wine-cvs/2005-October/018763.html
  321 # Note:	WINE use text based registry (system.reg,user.reg,userdef.reg)
  322 #	instead binary hiv structure like Windows
  323 0	string	WINE\ REGISTRY\ Version\ 	WINE registry text
  324 # version 2
  325 >&0	string	x				\b, version %s
  326 !:mime	text/x-wine-extension-reg
  327 !:ext	reg
  328 
  329 # Windows *.INF *.INI files updated by Joerg Jenderek at Apr 2013, Feb 2018
  330 # empty ,comment , section
  331 # PR/383: remove unicode BOM because it is not portable across regex impls
  332 #0	regex/s		\\`(\\r\\n|;|[[])
  333 # empty line CRLF
  334 0	ubeshort	0x0D0A
  335 >0	use		ini-file
  336 # comment line
  337 0	string		;
  338 >0	use		ini-file
  339 # section line
  340 0	string		[
  341 >0	use		ini-file
  342 # check and then display Windows INItialization configuration
  343 0	name		ini-file
  344 # look for left bracket in section line
  345 >0	search/8192	[
  346 # http://en.wikipedia.org/wiki/Autorun.inf
  347 # http://msdn.microsoft.com/en-us/library/windows/desktop/cc144200.aspx
  348 # space after right bracket
  349 # or AutoRun.Amd64 for 64 bit systems
  350 # or only NL separator
  351 >>&0	regex/c		\^(autorun)
  352 # but sometimes total commander directory tree file "treeinfo.wc" with lines like
  353 # [AUTORUN]
  354 # [boot]
  355 >>>&0	string		=]\r\n[					Total commander directory treeinfo.wc
  356 !:mime text/plain
  357 !:ext	wc
  358 # From: Pal Tamas <folti@balabit.hu>
  359 # Autorun File
  360 >>>&0	string		!]\r\n[					Microsoft Windows Autorun file
  361 !:mime application/x-setupscript
  362 !:ext	inf
  363 # http://msdn.microsoft.com/en-us/library/windows/hardware/ff549520(v=vs.85).aspx
  364 # version strings ASCII coded case-independent for Windows setup information script file
  365 >>&0	regex/c		\^(version|strings)]				Windows setup INFormation
  366 !:mime	application/x-setupscript
  367 #!:mime application/x-wine-extension-inf
  368 !:ext	inf
  369 # NETCRC.INF OEMCPL.INF
  370 >>&0	regex/c		\^(WinsockCRCList|OEMCPL)]			Windows setup INFormation
  371 !:mime	application/x-setupscript
  372 !:ext	inf
  373 # http://www.winfaq.de/faq_html/Content/tip2500/onlinefaq.php?h=tip2653.htm
  374 # http://msdn.microsoft.com/en-us/library/windows/desktop/cc144102.aspx
  375 # .ShellClassInfo DeleteOnCopy LocalizedFileNames ASCII coded case-independent
  376 >>&0	regex/c	\^(\.ShellClassInfo|DeleteOnCopy|LocalizedFileNames)]	Windows desktop.ini
  377 !:mime application/x-wine-extension-ini
  378 #!:mime text/plain
  379 # http://support.microsoft.com/kb/84709/
  380 >>&0	regex/c		\^(don't\ load)]				Windows CONTROL.INI
  381 !:mime application/x-wine-extension-ini
  382 !:ext	ini
  383 >>&0	regex/c		\^(ndishlp\\$|protman\\$|NETBEUI\\$)]		Windows PROTOCOL.INI
  384 !:mime application/x-wine-extension-ini
  385 !:ext	ini
  386 # http://technet.microsoft.com/en-us/library/cc722567.aspx
  387 # http://www.winfaq.de/faq_html/Content/tip0000/onlinefaq.php?h=tip0137.htm
  388 >>&0	regex/c		\^(windows|Compatibility|embedding)]		Windows WIN.INI
  389 !:mime application/x-wine-extension-ini
  390 !:ext	ini
  391 # http://en.wikipedia.org/wiki/SYSTEM.INI
  392 >>&0	regex/c		\^(boot|386enh|drivers)]			Windows SYSTEM.INI
  393 !:mime application/x-wine-extension-ini
  394 !:ext	ini
  395 # http://www.mdgx.com/newtip6.htm
  396 >>&0	regex/c		\^(SafeList)]					Windows IOS.INI
  397 !:mime application/x-wine-extension-ini
  398 !:ext	ini
  399 # http://en.wikipedia.org/wiki/NTLDR	Windows Boot Loader information
  400 >>&0	regex/c		\^(boot\x20loader)]				Windows boot.ini
  401 !:mime application/x-wine-extension-ini
  402 !:ext	ini
  403 # http://en.wikipedia.org/wiki/CONFIG.SYS
  404 >>&0	regex/c		\^(menu)]					MS-DOS CONFIG.SYS
  405 # @CONFIG.UI configuration file of previous DOS version saved by Caldera OPENDOS INSTALL.EXE
  406 # CONFIG.PSS saved version of file CONFIG.SYS created by %WINDIR%\SYTEM\MSCONFIG.EXE
  407 # CONFIG.TSH renamed file CONFIG.SYS.BAT by %WINDIR%\SYTEM\MSCONFIG.EXE
  408 # dos and w40 used in dual booting scene
  409 !:ext	sys/dos/w40
  410 # http://support.microsoft.com/kb/118579/
  411 >>&0	regex/c		\^(Paths)]\r\n					MS-DOS MSDOS.SYS
  412 !:ext	sys/dos
  413 # http://chmspec.nongnu.org/latest/INI.html#HHP
  414 >>&0	regex/c		\^(options)]\r\n				Microsoft HTML Help Project
  415 !:mime text/plain
  416 !:ext	hhp
  417 # unknown keyword after opening bracket
  418 >>&0	default				x
  419 #>>>&0	string/c			x	UNKNOWN [%s
  420 # look for left bracket of second section
  421 >>>&0	search/8192			[
  422 # version Strings FileIdentification
  423 >>>>&0	string/c			version				Windows setup INFormation
  424 !:mime application/x-setupscript
  425 !:ext	inf
  426 # http://en.wikipedia.org/wiki/Initialization_file	Windows Initialization File or other
  427 >>>>&0	default				x
  428 >>>>>&0	ubyte				x
  429 # characters, digits, underscore and white space followed by right bracket
  430 # terminated by CR implies section line to skip BOOTLOG.TXT DETLOG.TXT
  431 >>>>>>&-1	regex			\^([A-Za-z0-9_\(\)\ ]+)\]\r	Generic INItialization configuration [%-.40s
  432 # NETDEF.INF multiarc.ini 
  433 #!:mime	application/x-setupscript
  434 !:mime	application/x-wine-extension-ini
  435 #!:mime	text/plain
  436 !:ext	ini/inf
  437 # UTF-16 BOM followed by CR~0D00 , comment~semicolon~3B00 , section~bracket~5B00
  438 0	ubelong&0xFFff89FF	=0xFFFE0900
  439 # look for left bracket in section line
  440 >2	search/8192		[
  441 # keyword without 1st letter which is maybe up-/down-case
  442 >>&3	lestring16		ersion]			Windows setup INFormation
  443 !:mime	application/x-setupscript
  444 !:ext	inf
  445 >>&3	lestring16		trings]			Windows setup INFormation
  446 !:mime	application/x-setupscript
  447 !:ext	inf
  448 >>&3	lestring16		ourceDisksNames]	Windows setup INFormation
  449 !:mime	application/x-setupscript
  450 !:ext	inf
  451 # netnwcli.inf start with ;---[ NetNWCli.INX ]
  452 >>&3	default			x
  453 # look for NL followed by left bracket
  454 >>>&0	search/8192		\x0A\x00\x5b
  455 >>>>&3	lestring16		ersion]			Windows setup INFormation
  456 !:mime	application/x-setupscript
  457 !:ext	inf
  458 
  459 # Windows Precompiled INF files *.PNF added by Joerg Jenderek at Mar 2013 of _PNF_HEADER inf.h
  460 # http://read.pudn.com/downloads3/sourcecode/windows/248345/win2k/private/windows/setup/setupapi/inf.h__.htm
  461 # GRR: line below too general as it catches also PDP-11 UNIX/RT ldp
  462 0		leshort&0xFeFe	0x0000
  463 !:strength -5
  464 # test for unused null bits in PNF_FLAGs
  465 >4	ulelong&0xFCffFe00	0x00000000
  466 # only found 58h for Offset of WinDirPath immediately after _PNF_HEADER structure
  467 >>68		ulelong		>0x57
  468 # test for zero high byte of InfValueBlockSize, followed by WinDirPath like
  469 # C:\WINDOWS (ASCII 0x433a5c.. , unicode 0x43003a005c..) or X:\MININT
  470 >>>(68.l-1)	ubelong&0xffE0C519	=0x00400018	Windows Precompiled iNF
  471 !:mime	application/x-pnf
  472 # currently only found Major Version=1 and Minor Version=1
  473 #>>>>0		uleshort	=0x0101
  474 #>>>>>1		ubyte		x		\b, version %u
  475 #>>>>>0		ubyte		x		\b.%u
  476 >>>>0		uleshort	!0x0101
  477 >>>>>1		ubyte		x		\b, version %u
  478 >>>>>0		ubyte		x		\b.%u
  479 # 1 ,2 (windows 98 SE)
  480 #>>>>2		uleshort	=2		\b, InfStyle %u
  481 >>>>2		uleshort	!2		\b, InfStyle %u
  482 #	PNF_FLAG_IS_UNICODE		0x00000001
  483 #	PNF_FLAG_HAS_STRINGS		0x00000002
  484 #	PNF_FLAG_SRCPATH_IS_URL		0x00000004
  485 #	PNF_FLAG_HAS_VOLATILE_DIRIDS	0x00000008
  486 #	PNF_FLAG_INF_VERIFIED		0x00000010
  487 #	PNF_FLAG_INF_DIGITALLY_SIGNED	0x00000020
  488 #	??				0x00000100
  489 #	??				0x01000000
  490 #	??				0x02000000
  491 >>>>4	ulelong&0x00000001	0x00000001	\b, unicoded
  492 >>>>4	ulelong&0x00000020	0x00000020	\b, digitally signed
  493 #>>>>8		ulelong		x		\b, InfSubstValueListOffset 0x%x
  494 # many 0, 1 lmouusb.PNF, 2 linkfx10.PNF , f webfdr16.PNF
  495 #>>>>12		uleshort	x		\b, InfSubstValueCount 0x%x
  496 # only < 9 found
  497 #>>>>14		uleshort	x		\b, InfVersionDatumCount 0x%x
  498 # only found values lower 0x0000ffff
  499 #>>>>16		ulelong		x		\b, InfVersionDataSize 0x%x
  500 # only found positive values lower 0x00ffFFff for InfVersionDataOffset
  501 >>>>20		ulelong		x		\b, at 0x%x
  502 >>>>4	ulelong&0x00000001	=0x00000001
  503 # case independent: CatalogFile Class DriverVer layoutfile LayoutFile SetupClass signature Signature
  504 >>>>>(20.l)	lestring16	x		"%s"
  505 >>>>4	ulelong&0x00000001	!0x00000001
  506 >>>>>(20.l)	string		x		"%s"
  507 # FILETIME is number of 100-nanosecond intervals since 1 January 1601
  508 #>>>>24		ulequad		x		\b, InfVersionLastWriteTime %16.16llx
  509 # only found values lower 0x00ffFFff
  510 #>>>>32		ulelong		x		\b, StringTableBlockOffset 0x%x
  511 #>>>>36		ulelong		x		\b, StringTableBlockSize 0x%x
  512 #>>>>40		ulelong		x		\b, InfSectionCount 0x%x
  513 #>>>>44		ulelong		x		\b, InfSectionBlockOffset 0x%x
  514 #>>>>48		ulelong		x		\b, InfSectionBlockSize 0x%x
  515 #>>>>52		ulelong		x		\b, InfLineBlockOffset 0x%x
  516 #>>>>56		ulelong		x		\b, InfLineBlockSize 0x%x
  517 #>>>>60		ulelong		x		\b, InfValueBlockOffset 0x%x
  518 #>>>>64		ulelong		x		\b, InfValueBlockSize 0x%x
  519 # WinDirPathOffset
  520 #>>>>68		ulelong		x		\b, at 0x%x
  521 >>>>68		ulelong		>0x57
  522 >>>>>4	ulelong&0x00000001	=0x00000001
  523 >>>>>>(68.l)	ubequad		=0x43003a005c005700
  524 # normally unicoded C:\Windows
  525 #>>>>>>>(68.l)	lestring16	x		\b, WinDirPath "%s"
  526 >>>>>>(68.l)	ubequad		!0x43003a005c005700
  527 >>>>>>>(68.l)	lestring16	x		\b, WinDirPath "%s"
  528 >>>>>4	ulelong&0x00000001	!0x00000001
  529 # normally ASCII C:\WINDOWS
  530 #>>>>>>(68.l)	string		=C:\\WINDOWS	\b, WinDirPath "%s"
  531 >>>>>>(68.l)	string		!C:\\WINDOWS	\b, WinDirPath "%s"
  532 # found OsLoaderPathOffset values often 0 , once 70h corelist.PNF, once 68h ASCII machine.PNF
  533 #>>>>72		ulelong		>0		\b, at 0x%x
  534 >>>>72		ulelong		>0		\b,
  535 >>>>>4	ulelong&0x00000001	=0x00000001
  536 >>>>>>(72.l)	lestring16	x		OsLoaderPath "%s"
  537 >>>>>4	ulelong&0x00000001	!0x00000001
  538 # seldom C:\ instead empty
  539 >>>>>>(72.l)	string		x		OsLoaderPath "%s"
  540 # 1fdh
  541 #>>>>76		uleshort	x		\b, StringTableHashBucketCount 0x%x
  542 >>>>78		uleshort	!0x407		\b, LanguageId %x
  543 # only 407h found
  544 #>>>>78		uleshort	=0x407		\b, LanguageId %x
  545 # InfSourcePathOffset often 0
  546 #>>>>80		ulelong		>0		\b, at 0x%x
  547 >>>>80		ulelong		>0		\b,
  548 >>>>>4	ulelong&0x00000001	=0x00000001
  549 >>>>>>(80.l)	lestring16	x		SourcePath "%s"
  550 >>>>>4	ulelong&0x00000001	!0x00000001
  551 >>>>>>(80.l)	string		>\0		SourcePath "%s"
  552 # OriginalInfNameOffset often 0
  553 #>>>>84		ulelong		>0		\b, at 0x%x
  554 >>>>84		ulelong		>0		\b,
  555 >>>>>4	ulelong&0x00000001	=0x00000001
  556 >>>>>>(84.l)	lestring16	x		InfName "%s"
  557 >>>>>4	ulelong&0x00000001	!0x00000001
  558 >>>>>>(84.l)	string		>\0		InfName "%s"
  559 
  560 # Summary: backup file created with utility like NTBACKUP.EXE shipped with Windows NT/2K/XP/2003
  561 # Extension: .bkf
  562 # Created by: Joerg Jenderek
  563 # URL: http://en.wikipedia.org/wiki/NTBackup
  564 # Reference: http://laytongraphics.com/mtf/MTF_100a.PDF
  565 # Descriptor BloCK name of Microsoft Tape Format
  566 0	string			TAPE
  567 # Format Logical Address is zero
  568 >20	ulequad			0
  569 # Reserved for MBC is zero
  570 >>28	uleshort		0
  571 # Control Block ID is zero
  572 >>>36	ulelong			0
  573 # BIT4-BIT15, BIT18-BIT31 of block attributes are unused
  574 >>>>4	ulelong&0xFFfcFFe0	0		Windows NTbackup archive
  575 #!:mime application/x-ntbackup
  576 !:ext bkf
  577 # OS ID
  578 >>>>>10	ubyte			1		\b NetWare
  579 >>>>>10	ubyte			13		\b NetWare SMS
  580 >>>>>10	ubyte			14		\b NT
  581 >>>>>10	ubyte			24		\b 3
  582 >>>>>10	ubyte			25		\b OS/2
  583 >>>>>10	ubyte			26		\b 95
  584 >>>>>10	ubyte			27		\b Macintosh
  585 >>>>>10	ubyte			28		\b UNIX
  586 # OS Version (2)
  587 #>>>>>11	ubyte			x		OS V=%x
  588 # MTF_CONTINUATION	Media Sequence Number > 1
  589 #>>>>>4	ulelong&0x00000001	!0		\b, continued
  590 # MTF_COMPRESSION
  591 >>>>>4	ulelong&0x00000004	!0		\b, compressed
  592 # MTF_EOS_AT_EOM	End Of Medium was hit during end of set processing
  593 >>>>>4	ulelong&0x00000008	!0		\b, End Of Medium hit
  594 >>>>>4	ulelong&0x00020000	0
  595 # MTF_SET_MAP_EXISTS	A Media Based Catalog Set Map may exist on tape
  596 >>>>>>4	ulelong&0x00010000	!0		\b, with catalog
  597 # MTF_FDD_ALLOWED	However File/Directory Detail can only exist if a Set Map is also present
  598 >>>>>4	ulelong&0x00020000	!0		\b, with file catalog
  599 # Offset To First Event 238h,240h,28Ch
  600 #>>>>>8	uleshort		x		\b, event offset %4.4x
  601 # Displayable Size (20e0230h 20e024ch 20e0224h)
  602 #>>>>>8	ulequad			x		dis. size %16.16llx
  603 # Media Family ID (455288C4h 4570BD1Ah 45708F2Fh 4570BBF5h)
  604 #>>>>>52	ulelong			x		family ID %8.8x
  605 # TAPE Attributes (3)
  606 #>>>>>56	ulelong			x		TAPE %8.8x
  607 # Media Sequence Number
  608 >>>>>60	uleshort		>1		\b, sequence %u
  609 # Password Encryption Algorithm (3)
  610 >>>>>62	uleshort		>0		\b, 0x%x encrypted
  611 # Soft Filemark Block Size * 512 (2)
  612 #>>>>>64	uleshort		=2		\b, soft size %u*512
  613 >>>>>64	uleshort		!2		\b, soft size %u*512
  614 # Media Based Catalog Type (1,2)
  615 #>>>>>66	uleshort		x		\b, catalog type %4.4x
  616 # size of Media Name (66,68,6Eh)
  617 >>>>>68	uleshort		>0
  618 # offset of Media Name (5Eh)
  619 >>>>>>70	uleshort	>0
  620 # 0~, 1~ANSI, 2~UNICODE
  621 >>>>>>>48	ubyte		1
  622 # size terminated ansi coded string normally followed by "MTF Media Label"
  623 >>>>>>>>(70.s)	string		>\0		\b, name: %s
  624 >>>>>>>48	ubyte		2
  625 # Not null, but size terminated unicoded string
  626 >>>>>>>>(70.s)	lestring16	x		\b, name: %s
  627 # size of Media Label (104h)
  628 >>>>>72	uleshort		>0
  629 # offset of Media Label (C4h,C6h,CCh)
  630 >>>>>74		uleshort	>0
  631 >>>>>>48	ubyte		1
  632 #Tag|Version|Vendor|Vendor ID|Creation Time Stamp|Cartridge Label|Side|Media ID|Media Domain ID|Vendor Specific fields
  633 >>>>>>>(74.s)	string		>\0		\b, label: %s
  634 >>>>>>48	ubyte		2
  635 >>>>>>>(74.s)	lestring16	x		\b, label: %s
  636 # size of password name (0,1Ch)
  637 #>>>>>76	uleshort		>0		\b, password size %4.4x
  638 # Software Vendor ID (CBEh)
  639 >>>>>86	uleshort		x		\b, software (0x%x)
  640 # size of Software Name (6Eh)
  641 >>>>>80	uleshort		>0
  642 # offset of Software Name (1C8h,1CAh,1D0h)
  643 >>>>>>82	uleshort	>0
  644 # 1~ANSI, 2~UNICODE
  645 >>>>>>>48	ubyte		1
  646 >>>>>>>>(82.s)	string		>\0		\b: %s
  647 >>>>>>>48	ubyte		2
  648 # size terminated unicoded coded string normally followed by "SPAD"
  649 >>>>>>>>(82.s)	lestring16	x		\b: %s
  650 # Format Logical Block Size (512,1024)
  651 #>>>>>84	uleshort		=1024		\b, block size %u
  652 >>>>>84	uleshort		!1024		\b, block size %u
  653 # Media Date of MTF_DATE_TIME type with 5 bytes
  654 #>>>>>>88	ubequad			x		DATE %16.16llx
  655 # MTF Major Version (1)
  656 #>>>>>>93	ubyte		x		\b, MFT version %x
  657 #
  658 
  659 # URL: https://en.wikipedia.org/wiki/PaintShop_Pro
  660 # Reference: http://www.cryer.co.uk/file-types/p/pal.htm
  661 # Created by: Joerg Jenderek
  662 # Note: there exist other color palette formats also with .pal extension
  663 0	string	JASC-PAL\r\n	PaintShop Pro color palette
  664 #!:mime	text/plain
  665 # PspPalette extension is used by newer (probably 8) PaintShopPro versions
  666 !:ext	pal/PspPalette
  667 # 2nd line contains palette file version. For example "0100"
  668 >10	string	!0100		\b, version %.4s
  669 # third line contains the number of colours: 16 256 ...
  670 >16	string	x		\b, %.3s colors
  671 
  672 # URL: http://en.wikipedia.org/wiki/Innosetup
  673 # Reference: https://github.com/jrsoftware/issrc/blob/master/Projects/Undo.pas
  674 # Created by: Joerg Jenderek
  675 # Note:	created by like "InnoSetup self-extracting archive" inside ./msdos
  676 # TrID labeles the entry as "Inno Setup Uninstall Log"
  677 #	TUninstallLogID
  678 0	string	Inno\ Setup\ Uninstall\ Log\ (b)	InnoSetup Log
  679 !:mime	application/x-innosetup
  680 # unins000.dat, unins001.dat, ...
  681 !:ext	dat
  682 # " 64-bit" variant
  683 >0x1c	string		>\0				\b%.7s
  684 # AppName[0x80] like "Minimal SYStem", ClamWin Free Antivirus , ...
  685 >0xc0	string		x				%s
  686 # AppId[0x80] is simliar to AppName or
  687 # GUID like {4BB0DCDC-BC24-49EC-8937-72956C33A470} start with left brace
  688 >0x40	ubyte		0x7b
  689 >>0x40	string		x				%-.38s
  690 # do not know how this log version correlates to program version
  691 >0x140	ulelong		x				\b, version 0x%x
  692 # NumRecs
  693 #>0x144	ulelong		x				\b, 0x%4.4x records
  694 # EndOffset means files size
  695 >0x148	ulelong		x				\b, %u bytes
  696 # Flags 5 25h 35h
  697 #>0x14c	ulelong		x				\b, flags %8.8x
  698 # Reserved: array[0..26] of Longint
  699 # the non Unicode HighestSupportedVersion may never become greater than or equal to 1000
  700 >0x140	ulelong		<1000
  701 # hostname
  702 >>0x1d6	pstring		x				\b, %s
  703 # user name
  704 >>>&0	pstring		x				\b\%s
  705 # directory like C:\Program Files (x86)\GnuWin32
  706 >>>>&0	pstring		x				\b, "%s"
  707 # version 1000 or higher implies unicode
  708 >0x140	ulelong		>999
  709 # hostname
  710 >>0x1db	lestring16	x				\b, %-.9s
  711 # utf string variant with prepending fe??ffFFff
  712 >>0x1db	search/43	\xFF\xFF\xFF			
  713 # user name
  714 >>>&0	lestring16	x				\b\%-.9s
  715 >>>&0	search/43	\xFF\xFF\xFF			
  716 # directory like C:\Program Files\GIMP 2
  717 >>>>&0	lestring16	x				\b, %-.42s
  718