
#------------------------------------------------------------------------------
# $File: windows,v 1.22 2018/02/16 15:44:00 christos Exp $
# windows:  file(1) magic for Microsoft Windows
#
# This file is mainly reserved for files where programs
# using them are run almost always on MS Windows 3.x or
# above, or files only used exclusively in Windows OS,
# where there is no better category to allocate for.
# For example, even though WinZIP almost run on Windows
# only, it is better to treat them as "archive" instead.
# For format usable in DOS, such as generic executable
# format, please specify under "msdos" file.
#


# Summary: Outlook Express DBX file
# Extension: .dbx
# Created by: Christophe Monniez
0	string	\xCF\xAD\x12\xFE	MS Outlook Express DBX file
>4	byte	=0xC5		\b, message database
>4	byte	=0xC6		\b, folder database
>4	byte	=0xC7		\b, account information
>4	byte	=0x30		\b, offline database


# Summary: Windows crash dump
# Extension: .dmp
# Created by: Andreas Schuster (http://computer.forensikblog.de/)
# Reference (1): http://computer.forensikblog.de/en/2008/02/64bit_magic.html
# Modified by (1): Abel Cheung (Avoid match with first 4 bytes only)
0	string		PAGE
>4	string		DUMP	MS Windows 32bit crash dump
>>0x05c	byte		0	\b, no PAE
>>0x05c	byte		1	\b, PAE
>>0xf88	lelong		1	\b, full dump
>>0xf88	lelong		2	\b, kernel dump
>>0xf88	lelong		3	\b, small dump
>>0x068	lelong		x	\b, %d pages
>4	string		DU64	MS Windows 64bit crash dump
>>0xf98	lelong		1	\b, full dump
>>0xf98	lelong		2	\b, kernel dump
>>0xf98	lelong		3	\b, small dump
>>0x090	lequad		x	\b, %lld pages


# Summary: Vista Event Log
# Extension: .evtx
# Created by: Andreas Schuster (http://computer.forensikblog.de/)
# Reference (1): http://computer.forensikblog.de/en/2007/05/some_magic.html
0	string	ElfFile\0	MS Windows Vista Event Log
>0x2a	leshort	x		\b, %d chunks
>>0x10	lelong	x		\b (no. %d in use)
>0x18	lelong	>1		\b, next record no. %d
>0x18	lelong	=1		\b, empty
>0x78	lelong	&1		\b, DIRTY
>0x78	lelong	&2		\b, FULL


# Summary: Windows 3.1 group files
# Extension: .grp
# Created by: unknown
0	string		\120\115\103\103	MS Windows 3.1 group files


# Summary: Old format help files
# URL: https://en.wikipedia.org/wiki/WinHelp
# Reference: http://www.oocities.org/mwinterhoff/helpfile.htm
# Update: Joerg Jenderek
# Created by: Dirk Jagdmann <doj@cubic.org>
#
# check and then display version and date inside MS Windows HeLP file fragment
0	name	help-ver-date
# look for Magic of SYSTEMHEADER
>0	leshort		0x036C
# version Major 1 for right file fragment
>>4	leshort		1	Windows
# print non empty string above to avoid error message
# Warning: Current entry does not yet have a description for adding a MIME type
!:mime	application/winhelp
!:ext	hlp
# version Minor of help file format is hint for windows version
>>>2	leshort		0x0F	3.x
>>>2	leshort		0x15	3.0
>>>2	leshort		0x21	3.1
>>>2	leshort		0x27	x.y
>>>2	leshort		0x33	95
>>>2	default		x	y.z
>>>>2	leshort		x	0x%x
# to complete message string like "MS Windows 3.x help file"
>>>2	leshort		x	help
# GenDate often older than file creation date
>>>6	ldate		x	\b, %s
#
# Magic for HeLP files
0	lelong		0x00035f3f
# ./windows (version 5.25) labeled the entry as "MS Windows 3.x help file"
# file header magic 0x293B at DirectoryStart+9
>(4.l+9)	uleshort	0x293B	MS
# look for @VERSION bmf.. like IBMAVW.ANN
>>0xD4		string	=\x62\x6D\x66\x01\x00	Windows help annotation
!:mime	application/x-winhelp
!:ext	ann
>>0xD4		string	!\x62\x6D\x66\x01\x00
# "GID Help index" by TrID
>>>(4.l+0x65)	string	=|Pete	Windows help Global Index
!:mime	application/x-winhelp
!:ext	gid
# HeLP Bookmark or
# "Windows HELP File" by TrID
>>>(4.l+0x65)	string	!|Pete
# maybe there exist a cleaner way to detect HeLP fragments
# brute search for Magic 0x036C with matching Major maximal 7 iterations
# discapp.hlp
>>>>16		search/0x49AF/s	\x6c\x03
>>>>>&0		use	help-ver-date
>>>>>&4		leshort	!1
# putty.hlp
>>>>>>&0	search/0x69AF/s	\x6c\x03
>>>>>>>&0	use	help-ver-date
>>>>>>>&4	leshort	!1
>>>>>>>>&0	search/0x49AF/s	\x6c\x03
>>>>>>>>>&0	use	help-ver-date
>>>>>>>>>&4	leshort	!1
>>>>>>>>>>&0	search/0x49AF/s	\x6c\x03
>>>>>>>>>>>&0	use	help-ver-date
>>>>>>>>>>>&4	leshort	!1
>>>>>>>>>>>>&0	search/0x49AF/s	\x6c\x03
>>>>>>>>>>>>>&0	use	help-ver-date
>>>>>>>>>>>>>&4	leshort	!1
>>>>>>>>>>>>>>&0	search/0x49AF/s	\x6c\x03
>>>>>>>>>>>>>>>&0	use	help-ver-date
>>>>>>>>>>>>>>>&4	leshort	!1
>>>>>>>>>>>>>>>>&0	search/0x49AF/s	\x6c\x03
# GCC.HLP is detected after 7 iterations
>>>>>>>>>>>>>>>>>&0	use	help-ver-date
# this only happens if bigger hlp file is detected after used search iterations
>>>>>>>>>>>>>>>>>&4	leshort	!1	Windows y.z help
!:mime	application/winhelp
!:ext	hlp
# repeat search again or following default line does not work
>>>>16		search/0x49AF/s	\x6c\x03
# remaining files should be HeLP Bookmark WinHlp32.BMK (XP 32-bit) or WinHlp32 (Windows 8.1 64-bit)
>>>>16		default	x	Windows help Bookmark
!:mime	application/x-winhelp
!:ext	bmk
## FirstFreeBlock normally FFFFFFFFh 10h for *ANN
##>>8	lelong		x	\b, FirstFreeBlock 0x%8.8x
# EntireFileSize
>>12	lelong		x	\b, %d bytes
## ReservedSpace normally 042Fh AFh for *.ANN
#>>(4.l)	lelong		x	\b, ReservedSpace 0x%8.8x
## UsedSpace normally 0426h A6h for *.ANN
#>>(4.l+4)	lelong		x	\b, UsedSpace 0x%8.8x
## FileFlags normally 04...
#>>(4.l+5)	lelong		x	\b, FileFlags 0x%8.8x
## file header magic 0x293B
#>>(4.l+9)	uleshort	x	\b, file header magic 0x%4.4x
## file header Flags 0x0402
#>>(4.l+11)	uleshort	x	\b, file header Flags 0x%4.4x
## file header PageSize 0400h 80h for *.ANN
#>>(4.l+13)	uleshort	x	\b, PageSize 0x%4.4x
## Structure[16] z4
#>>(4.l+15)	string		>\0	\b, Structure_"%-.16s"
## MustBeZero 0
#>>(4.l+31)	uleshort	x	\b, MustBeZero 0x%4.4x
## PageSplits
#>>(4.l+33)	uleshort	x	\b, PageSplits 0x%4.4x
## RootPage
#>>(4.l+35)	uleshort	x	\b, RootPage 0x%4.4x
## MustBeNegOne 0xffff
#>>(4.l+37)	uleshort	x	\b, MustBeNegOne 0x%4.4x
## TotalPages 1
#>>(4.l+39)	uleshort	x	\b, TotalPages 0x%4.4x
## NLevels 0x0001
#>>(4.l+41)	uleshort	x	\b, NLevels 0x%4.4x
## TotalBtreeEntries
#>>(4.l+43)	ulelong		x	\b, TotalBtreeEntries 0x%8.8x
## pages of the B+ tree
#>>(4.l+47)	ubequad		x	\b, PageStart 0x%16.16llx

# start with colon or semicolon for comment line like Back2Life.cnt
0	regex	\^(:|;)
# look for first keyword Base
>0	search/45	:Base
>>&0	use	cnt-name
# only solution to search again from beginning , because relative offsets changes when use is called
>0	search/45	:Base
>0	default	x
# look for other keyword Title like in putty.cnt
>>0	search/45	:Title
>>>&0	use	cnt-name
#
# display mime type and name of Windows help Content source
0	name	cnt-name
# skip space at beginning
>0	string	\040
# name without extension and greater character or name with hlp extension
>>1	regex/c	\^([^\xd>]*|.*\.hlp)	MS Windows help file Content, based "%s"
!:mime	text/plain
!:apple	????TEXT
!:ext	cnt
#
# Windows creates an full text search from hlp file, if the user clicks the "Find" tab and enables keyword indexing
0	string	tfMR	MS Windows help Full Text Search index
!:mime	application/x-winhelp-fts
!:ext	fts
>16	string	>\0	for "%s"

# Summary: Hyper terminal
# Extension: .ht
# Created by: unknown
0	string	HyperTerminal\040
>15	string	1.0\ --\ HyperTerminal\ data\ file	MS Windows HyperTerminal profile

# http://ithreats.files.wordpress.com/2009/05/\040
# lnk_the_windows_shortcut_file_format.pdf
# Summary: Windows shortcut
# Extension: .lnk
# Created by: unknown
# 'L' + GUUID
0	string	\114\0\0\0\001\024\002\0\0\0\0\0\300\0\0\0\0\0\0\106	MS Windows shortcut
>20	lelong&1	1	\b, Item id list present
>20	lelong&2	2	\b, Points to a file or directory
>20	lelong&4	4	\b, Has Description string
>20	lelong&8	8	\b, Has Relative path
>20	lelong&16	16	\b, Has Working directory
>20	lelong&32	32	\b, Has command line arguments
>20	lelong&64	64	\b, Icon
>>56	lelong		x	\b number=%d
>24	lelong&1	1	\b, Read-Only
>24	lelong&2	2	\b, Hidden
>24	lelong&4	4	\b, System
>24	lelong&8	8	\b, Volume Label
>24	lelong&16	16	\b, Directory
>24	lelong&32	32	\b, Archive
>24	lelong&64	64	\b, Encrypted
>24	lelong&128	128	\b, Normal
>24	lelong&256	256	\b, Temporary
>24	lelong&512	512	\b, Sparse
>24	lelong&1024	1024	\b, Reparse point
>24	lelong&2048	2048	\b, Compressed
>24	lelong&4096	4096	\b, Offline
>28	leqwdate	x	\b, ctime=%s
>36	leqwdate	x	\b, mtime=%s
>44	leqwdate	x	\b, atime=%s
>52	lelong		x	\b, length=%u, window=
>60	lelong&1	1	\bhide
>60	lelong&2	2	\bnormal
>60	lelong&4	4	\bshowminimized
>60	lelong&8	8	\bshowmaximized
>60	lelong&16	16	\bshownoactivate
>60	lelong&32	32	\bminimize
>60	lelong&64	64	\bshowminnoactive
>60	lelong&128	128	\bshowna
>60	lelong&256	256	\brestore
>60	lelong&512	512	\bshowdefault
#>20	lelong&1	0
#>>20	lelong&2	2
#>>>(72.l-64)	pstring/h	x	\b [%s]
#>20	lelong&1	1
#>>20	lelong&2	2
#>>>(72.s)	leshort	x
#>>>&75	pstring/h	x	\b [%s]

# Summary: Outlook Personal Folders
# Created by: unknown
0	lelong	0x4E444221	Microsoft Outlook email folder
>10	leshort	0x0e		(<=2002)
>10	leshort	0x17		(>=2003)


# Summary: Windows help cache
# Created by: unknown
0	string	\164\146\115\122\012\000\000\000\001\000\000\000	MS Windows help cache


# Summary: IE cache file
# Created by: Christophe Monniez
0	string	Client\ UrlCache\ MMF	Internet Explorer cache file
>20	string	>\0	version %s


# Summary: Registry files
# Created by: unknown
# Modified by (1): Joerg Jenderek
0	string	regf	MS Windows registry file, NT/2000 or above
0	string	CREG	MS Windows 95/98/ME registry file
0	string	SHCC3	MS Windows 3.1 registry file


# Summary: Windows Registry text
# URL: https://en.wikipedia.org/wiki/Windows_Registry#.REG_files
# Reference: http://fileformats.archiveteam.org/wiki/Windows_Registry
# Submitted by: Abel Cheung <abelcheung@gmail.com>
# Update: Joerg Jenderek
# Windows 3-9X variant
0	string	REGEDIT
# skip ASCII text like "REGEDITor.txt" but match
# L1WMAP.REG with only 1 CRNL or org.gnome.gnumeric.reg with 2 NL
>7	search/3	\n	Windows Registry text
!:mime	text/x-ms-regedit
!:ext	reg
# Windows 9X variant
>>0	string	REGEDIT4	(Win95 or above)
# Windows 2K ANSI variant
0	string	Windows\ Registry\ Editor\ 
>&0	string	Version\ 5.00\r\n\r\n	Windows Registry text (Win2K or above)
!:mime	text/x-ms-regedit
!:ext	reg
# Windows 2K UTF-16 variant
2	lestring16	Windows\ Registry\ Editor\ 
>0x32	lestring16	Version\ 5.00\r\n\r\n	Windows Registry little-endian text (Win2K or above)
# relative offset not working
#>&0	lestring16	Version\ 5.00\r\n\r\n	Windows Registry little-endian text (Win2K or above)
!:mime	text/x-ms-regedit
!:ext	reg
# WINE variant
# URL: https://en.wikipedia.org/wiki/Wine_(software)
# Reference: https://www.winehq.org/pipermail/wine-cvs/2005-October/018763.html
# Note: WINE use text based registry (system.reg,user.reg,userdef.reg)
# instead binary hiv structure like Windows
0	string	WINE\ REGISTRY\ Version\ 	WINE registry text
# version 2
>&0	string	x	\b, version %s
!:mime	text/x-wine-extension-reg
!:ext	reg

# Windows *.INF *.INI files updated by Joerg Jenderek at Apr 2013, Feb 2018
# empty ,comment , section
# PR/383: remove unicode BOM because it is not portable across regex impls
#0	regex/s	\\`(\\r\\n|;|[[])
# empty line CRLF
0	ubeshort	0x0D0A
>0	use	ini-file
# comment line
0	string	;
>0	use	ini-file
# section line
0	string	[
>0	use	ini-file
# check and then display Windows INItialization configuration
0	name	ini-file
# look for left bracket in section line
>0	search/8192	[
# http://en.wikipedia.org/wiki/Autorun.inf
# http://msdn.microsoft.com/en-us/library/windows/desktop/cc144200.aspx
# space after right bracket
# or AutoRun.Amd64 for 64 bit systems
# or only NL separator
>>&0	regex/c	\^(autorun)
# but sometimes total commander directory tree file "treeinfo.wc" with lines like
# [AUTORUN]
# [boot]
>>>&0	string	=]\r\n[	Total commander directory treeinfo.wc
!:mime	text/plain
!:ext	wc
# From: Pal Tamas <folti@balabit.hu>
# Autorun File
>>>&0	string	!]\r\n[	Microsoft Windows Autorun file
!:mime	application/x-setupscript
!:ext	inf
# http://msdn.microsoft.com/en-us/library/windows/hardware/ff549520(v=vs.85).aspx
# version strings ASCII coded case-independent for Windows setup information script file
>>&0	regex/c	\^(version|strings)]	Windows setup INFormation
!:mime	application/x-setupscript
#!:mime	application/x-wine-extension-inf
!:ext	inf
# NETCRC.INF OEMCPL.INF
>>&0	regex/c	\^(WinsockCRCList|OEMCPL)]	Windows setup INFormation
!:mime	application/x-setupscript
!:ext	inf
# http://www.winfaq.de/faq_html/Content/tip2500/onlinefaq.php?h=tip2653.htm
# http://msdn.microsoft.com/en-us/library/windows/desktop/cc144102.aspx
# .ShellClassInfo DeleteOnCopy LocalizedFileNames ASCII coded case-independent
>>&0	regex/c	\^(\.ShellClassInfo|DeleteOnCopy|LocalizedFileNames)]	Windows desktop.ini
!:mime	application/x-wine-extension-ini
#!:mime	text/plain
# http://support.microsoft.com/kb/84709/
>>&0	regex/c	\^(don't\ load)]	Windows CONTROL.INI
!:mime	application/x-wine-extension-ini
!:ext	ini
>>&0	regex/c	\^(ndishlp\\$|protman\\$|NETBEUI\\$)]	Windows PROTOCOL.INI
!:mime	application/x-wine-extension-ini
!:ext	ini
# http://technet.microsoft.com/en-us/library/cc722567.aspx
# http://www.winfaq.de/faq_html/Content/tip0000/onlinefaq.php?h=tip0137.htm
>>&0	regex/c	\^(windows|Compatibility|embedding)]	Windows WIN.INI
!:mime	application/x-wine-extension-ini
!:ext	ini
# http://en.wikipedia.org/wiki/SYSTEM.INI
>>&0	regex/c	\^(boot|386enh|drivers)]	Windows SYSTEM.INI
!:mime	application/x-wine-extension-ini
!:ext	ini
# http://www.mdgx.com/newtip6.htm
>>&0	regex/c	\^(SafeList)]	Windows IOS.INI
!:mime	application/x-wine-extension-ini
!:ext	ini
# http://en.wikipedia.org/wiki/NTLDR	Windows Boot Loader information
>>&0	regex/c	\^(boot\x20loader)]	Windows boot.ini
!:mime	application/x-wine-extension-ini
!:ext	ini
# http://en.wikipedia.org/wiki/CONFIG.SYS
>>&0	regex/c	\^(menu)]	MS-DOS CONFIG.SYS
# @CONFIG.UI configuration file of previous DOS version saved by Caldera OPENDOS INSTALL.EXE
# CONFIG.PSS saved version of file CONFIG.SYS created by %WINDIR%\SYTEM\MSCONFIG.EXE
# CONFIG.TSH renamed file CONFIG.SYS.BAT by %WINDIR%\SYTEM\MSCONFIG.EXE
# dos and w40 used in dual booting scene
!:ext	sys/dos/w40
# http://support.microsoft.com/kb/118579/
>>&0	regex/c	\^(Paths)]\r\n	MS-DOS MSDOS.SYS
!:ext	sys/dos
# http://chmspec.nongnu.org/latest/INI.html#HHP
>>&0	regex/c	\^(options)]\r\n	Microsoft HTML Help Project
!:mime	text/plain
!:ext	hhp
# unknown keyword after opening bracket
>>&0	default	x
#>>>&0	string/c	x	UNKNOWN [%s
# look for left bracket of second section
>>>&0	search/8192	[
# version Strings FileIdentification
>>>>&0	string/c	version	Windows setup INFormation
!:mime	application/x-setupscript
!:ext	inf
# http://en.wikipedia.org/wiki/Initialization_file	Windows Initialization File or other
>>>>&0	default	x
>>>>>&0	ubyte	x
# characters, digits, underscore and white space followed by right bracket
# terminated by CR implies section line to skip BOOTLOG.TXT DETLOG.TXT
>>>>>>&-1	regex	\^([A-Za-z0-9_\(\)\ ]+)\]\r	Generic INItialization configuration [%-.40s
# NETDEF.INF multiarc.ini
#!:mime	application/x-setupscript
!:mime	application/x-wine-extension-ini
#!:mime	text/plain
!:ext	ini/inf
# UTF-16 BOM followed by CR~0D00 , comment~semicolon~3B00 , section~bracket~5B00
0	ubelong&0xFFff89FF	=0xFFFE0900
# look for left bracket in section line
>2	search/8192	[
# keyword without 1st letter which is maybe up-/down-case
>>&3	lestring16	ersion]	Windows setup INFormation
!:mime	application/x-setupscript
!:ext	inf
>>&3	lestring16	trings]	Windows setup INFormation
!:mime	application/x-setupscript
!:ext	inf
>>&3	lestring16	ourceDisksNames]	Windows setup INFormation
!:mime	application/x-setupscript
!:ext	inf
# netnwcli.inf start with ;---[ NetNWCli.INX ]
>>&3	default	x
# look for NL followed by left bracket
>>>&0	search/8192	\x0A\x00\x5b
>>>>&3	lestring16	ersion]	Windows setup INFormation
!:mime	application/x-setupscript
!:ext	inf

# Windows Precompiled INF files *.PNF added by Joerg Jenderek at Mar 2013 of _PNF_HEADER inf.h
# http://read.pudn.com/downloads3/sourcecode/windows/248345/win2k/private/windows/setup/setupapi/inf.h__.htm
# GRR: line below too general as it catches also PDP-11 UNIX/RT ldp
0	leshort&0xFeFe	0x0000
!:strength	-5
# test for unused null bits in PNF_FLAGs
>4	ulelong&0xFCffFe00	0x00000000
# only found 58h for Offset of WinDirPath immediately after _PNF_HEADER structure
>>68	ulelong	>0x57
# test for zero high byte of InfValueBlockSize, followed by WinDirPath like
# C:\WINDOWS (ASCII 0x433a5c.. , unicode 0x43003a005c..) or X:\MININT
>>>(68.l-1)	ubelong&0xffE0C519	=0x00400018	Windows Precompiled iNF
!:mime	application/x-pnf
# currently only found Major Version=1 and Minor Version=1
#>>>>0	uleshort	=0x0101
#>>>>>1	ubyte	x	\b, version %u
#>>>>>0	ubyte	x	\b.%u
>>>>0	uleshort	!0x0101
>>>>>1	ubyte	x	\b, version %u
>>>>>0	ubyte	x	\b.%u
# 1 ,2 (windows 98 SE)
#>>>>2	uleshort	=2	\b, InfStyle %u
>>>>2	uleshort	!2	\b, InfStyle %u
# PNF_FLAG_IS_UNICODE 0x00000001
# PNF_FLAG_HAS_STRINGS 0x00000002
# PNF_FLAG_SRCPATH_IS_URL 0x00000004
# PNF_FLAG_HAS_VOLATILE_DIRIDS 0x00000008
# PNF_FLAG_INF_VERIFIED 0x00000010
# PNF_FLAG_INF_DIGITALLY_SIGNED 0x00000020
# ?? 0x00000100
# ?? 0x01000000
# ?? 0x02000000
>>>>4	ulelong&0x00000001	0x00000001	\b, unicoded
>>>>4	ulelong&0x00000020	0x00000020	\b, digitally signed
#>>>>8	ulelong	x	\b, InfSubstValueListOffset 0x%x
# many 0, 1 lmouusb.PNF, 2 linkfx10.PNF , f webfdr16.PNF
#>>>>12	uleshort	x	\b, InfSubstValueCount 0x%x
# only < 9 found
#>>>>14	uleshort	x	\b, InfVersionDatumCount 0x%x
# only found values lower 0x0000ffff
#>>>>16	ulelong	x	\b, InfVersionDataSize 0x%x
# only found positive values lower 0x00ffFFff for InfVersionDataOffset
>>>>20	ulelong	x	\b, at 0x%x
>>>>4	ulelong&0x00000001	=0x00000001
# case independent: CatalogFile Class DriverVer layoutfile LayoutFile SetupClass signature Signature
>>>>>(20.l)	lestring16	x	"%s"
>>>>4	ulelong&0x00000001	!0x00000001
>>>>>(20.l)	string	x	"%s"
# FILETIME is number of 100-nanosecond intervals since 1 January 1601
#>>>>24	ulequad	x	\b, InfVersionLastWriteTime %16.16llx
# only found values lower 0x00ffFFff
#>>>>32	ulelong	x	\b, StringTableBlockOffset 0x%x
#>>>>36	ulelong	x	\b, StringTableBlockSize 0x%x
#>>>>40	ulelong	x	\b, InfSectionCount 0x%x
#>>>>44	ulelong	x	\b, InfSectionBlockOffset 0x%x
#>>>>48	ulelong	x	\b, InfSectionBlockSize 0x%x
#>>>>52	ulelong	x	\b, InfLineBlockOffset 0x%x
#>>>>56	ulelong	x	\b, InfLineBlockSize 0x%x
#>>>>60	ulelong	x	\b, InfValueBlockOffset 0x%x
#>>>>64	ulelong	x	\b, InfValueBlockSize 0x%x
# WinDirPathOffset
#>>>>68	ulelong	x	\b, at 0x%x
>>>>68	ulelong	>0x57
>>>>>4	ulelong&0x00000001	=0x00000001
>>>>>>(68.l)	ubequad	=0x43003a005c005700
# normally unicoded C:\Windows
#>>>>>>>(68.l)	lestring16	x	\b, WinDirPath "%s"
>>>>>>(68.l)	ubequad	!0x43003a005c005700
>>>>>>>(68.l)	lestring16	x	\b, WinDirPath "%s"
>>>>>4	ulelong&0x00000001	!0x00000001
# normally ASCII C:\WINDOWS
#>>>>>>(68.l)	string	=C:\\WINDOWS	\b, WinDirPath "%s"
>>>>>>(68.l)	string	!C:\\WINDOWS	\b, WinDirPath "%s"
# found OsLoaderPathOffset values often 0 , once 70h corelist.PNF, once 68h ASCII machine.PNF
#>>>>72	ulelong	>0	\b, at 0x%x
>>>>72	ulelong	>0	\b,
>>>>>4	ulelong&0x00000001	=0x00000001
>>>>>>(72.l)	lestring16	x	OsLoaderPath "%s"
>>>>>4	ulelong&0x00000001	!0x00000001
# seldom C:\ instead empty
>>>>>>(72.l)	string	x	OsLoaderPath "%s"
# 1fdh
#>>>>76	uleshort	x	\b, StringTableHashBucketCount 0x%x
>>>>78	uleshort	!0x407	\b, LanguageId %x
# only 407h found
#>>>>78	uleshort	=0x407	\b, LanguageId %x
# InfSourcePathOffset often 0
#>>>>80	ulelong	>0	\b, at 0x%x
>>>>80	ulelong	>0	\b,
>>>>>4	ulelong&0x00000001	=0x00000001
>>>>>>(80.l)	lestring16	x	SourcePath "%s"
>>>>>4	ulelong&0x00000001	!0x00000001
>>>>>>(80.l)	string	>\0	SourcePath "%s"
# OriginalInfNameOffset often 0
#>>>>84	ulelong	>0	\b, at 0x%x
>>>>84	ulelong	>0	\b,
>>>>>4	ulelong&0x00000001	=0x00000001
>>>>>>(84.l)	lestring16	x	InfName "%s"
>>>>>4	ulelong&0x00000001	!0x00000001
>>>>>>(84.l)	string	>\0	InfName "%s"

# Summary: backup file created with utility like NTBACKUP.EXE shipped with Windows NT/2K/XP/2003
# Extension: .bkf
# Created by: Joerg Jenderek
# URL: http://en.wikipedia.org/wiki/NTBackup
# Reference: http://laytongraphics.com/mtf/MTF_100a.PDF
# Descriptor BloCK name of Microsoft Tape Format
0	string	TAPE
# Format Logical Address is zero
>20	ulequad	0
# Reserved for MBC is zero
>>28	uleshort	0
# Control Block ID is zero
>>>36	ulelong	0
# BIT4-BIT15, BIT18-BIT31 of block attributes are unused
>>>>4	ulelong&0xFFfcFFe0	0	Windows NTbackup archive
#!:mime	application/x-ntbackup
!:ext	bkf
# OS ID
>>>>>10	ubyte	1	\b NetWare
>>>>>10	ubyte	13	\b NetWare SMS
>>>>>10	ubyte	14	\b NT
>>>>>10	ubyte	24	\b 3
>>>>>10	ubyte	25	\b OS/2
>>>>>10	ubyte	26	\b 95
>>>>>10	ubyte	27	\b Macintosh
>>>>>10	ubyte	28	\b UNIX
# OS Version (2)
#>>>>>11	ubyte	x	OS V=%x
# MTF_CONTINUATION Media Sequence Number > 1
#>>>>>4	ulelong&0x00000001	!0	\b, continued
# MTF_COMPRESSION
>>>>>4	ulelong&0x00000004	!0	\b, compressed
# MTF_EOS_AT_EOM End Of Medium was hit during end of set processing
>>>>>4	ulelong&0x00000008	!0	\b, End Of Medium hit
>>>>>4	ulelong&0x00020000	0
# MTF_SET_MAP_EXISTS A Media Based Catalog Set Map may exist on tape
>>>>>>4	ulelong&0x00010000	!0	\b, with catalog
# MTF_FDD_ALLOWED However File/Directory Detail can only exist if a Set Map is also present
>>>>>4	ulelong&0x00020000	!0	\b, with file catalog
# Offset To First Event 238h,240h,28Ch
#>>>>>8	uleshort	x	\b, event offset %4.4x
# Displayable Size (20e0230h 20e024ch 20e0224h)
#>>>>>8	ulequad	x	dis. size %16.16llx
# Media Family ID (455288C4h 4570BD1Ah 45708F2Fh 4570BBF5h)
#>>>>>52	ulelong	x	family ID %8.8x
# TAPE Attributes (3)
#>>>>>56	ulelong	x	TAPE %8.8x
# Media Sequence Number
>>>>>60	uleshort	>1	\b, sequence %u
# Password Encryption Algorithm (3)
>>>>>62	uleshort	>0	\b, 0x%x encrypted
# Soft Filemark Block Size * 512 (2)
#>>>>>64	uleshort	=2	\b, soft size %u*512
>>>>>64	uleshort	!2	\b, soft size %u*512
# Media Based Catalog Type (1,2)
#>>>>>66	uleshort	x	\b, catalog type %4.4x
# size of Media Name (66,68,6Eh)
>>>>>68	uleshort	>0
# offset of Media Name (5Eh)
>>>>>>70	uleshort	>0
# 0~, 1~ANSI, 2~UNICODE
>>>>>>>48	ubyte	1
# size terminated ansi coded string normally followed by "MTF Media Label"
>>>>>>>>(70.s)	string	>\0	\b, name: %s
>>>>>>>48	ubyte	2
# Not null, but size terminated unicoded string
>>>>>>>>(70.s)	lestring16	x	\b, name: %s
# size of Media Label (104h)
>>>>>72	uleshort	>0
# offset of Media Label (C4h,C6h,CCh)
>>>>>74	uleshort	>0
>>>>>>48	ubyte	1
#Tag|Version|Vendor|Vendor ID|Creation Time Stamp|Cartridge Label|Side|Media ID|Media Domain ID|Vendor Specific fields
>>>>>>>(74.s)	string	>\0	\b, label: %s
>>>>>>48	ubyte	2
>>>>>>>(74.s)	lestring16	x	\b, label: %s
# size of password name (0,1Ch)
#>>>>>76	uleshort	>0	\b, password size %4.4x
# Software Vendor ID (CBEh)
>>>>>86	uleshort	x	\b, software (0x%x)
# size of Software Name (6Eh)
>>>>>80	uleshort	>0
# offset of Software Name (1C8h,1CAh,1D0h)
>>>>>>82	uleshort	>0
# 1~ANSI, 2~UNICODE
>>>>>>>48	ubyte	1
>>>>>>>>(82.s)	string	>\0	\b: %s
>>>>>>>48	ubyte	2
# size terminated unicoded coded string normally followed by "SPAD"
>>>>>>>>(82.s)	lestring16	x	\b: %s
# Format Logical Block Size (512,1024)
#>>>>>84	uleshort	=1024	\b, block size %u
>>>>>84	uleshort	!1024	\b, block size %u
# Media Date of MTF_DATE_TIME type with 5 bytes
#>>>>>>88	ubequad	x	DATE %16.16llx
# MTF Major Version (1)
#>>>>>>93	ubyte	x	\b, MFT version %x
#

# URL: https://en.wikipedia.org/wiki/PaintShop_Pro
# Reference: http://www.cryer.co.uk/file-types/p/pal.htm
# Created by: Joerg Jenderek
# Note: there exist other color palette formats also with .pal extension
0	string	JASC-PAL\r\n	PaintShop Pro color palette
#!:mime	text/plain
# PspPalette extension is used by newer (probably 8) PaintShopPro versions
!:ext	pal/PspPalette
# 2nd line contains palette file version.
For example "0100" 668*58a0f0d0SEitan Adler>10 string !0100 \b, version %.4s 669*58a0f0d0SEitan Adler# third line contains the number of colours: 16 256 ... 670*58a0f0d0SEitan Adler>16 string x \b, %.3s colors 671*58a0f0d0SEitan Adler 672*58a0f0d0SEitan Adler# URL: http://en.wikipedia.org/wiki/Innosetup 673*58a0f0d0SEitan Adler# Reference: https://github.com/jrsoftware/issrc/blob/master/Projects/Undo.pas 674*58a0f0d0SEitan Adler# Created by: Joerg Jenderek 675*58a0f0d0SEitan Adler# Note: created by like "InnoSetup self-extracting archive" inside ./msdos 676*58a0f0d0SEitan Adler# TrID labeles the entry as "Inno Setup Uninstall Log" 677*58a0f0d0SEitan Adler# TUninstallLogID 678*58a0f0d0SEitan Adler0 string Inno\ Setup\ Uninstall\ Log\ (b) InnoSetup Log 679*58a0f0d0SEitan Adler!:mime application/x-innosetup 680*58a0f0d0SEitan Adler# unins000.dat, unins001.dat, ... 681*58a0f0d0SEitan Adler!:ext dat 682*58a0f0d0SEitan Adler# " 64-bit" variant 683*58a0f0d0SEitan Adler>0x1c string >\0 \b%.7s 684*58a0f0d0SEitan Adler# AppName[0x80] like "Minimal SYStem", ClamWin Free Antivirus , ... 
685*58a0f0d0SEitan Adler>0xc0 string x %s 686*58a0f0d0SEitan Adler# AppId[0x80] is simliar to AppName or 687*58a0f0d0SEitan Adler# GUID like {4BB0DCDC-BC24-49EC-8937-72956C33A470} start with left brace 688*58a0f0d0SEitan Adler>0x40 ubyte 0x7b 689*58a0f0d0SEitan Adler>>0x40 string x %-.38s 690*58a0f0d0SEitan Adler# do not know how this log version correlates to program version 691*58a0f0d0SEitan Adler>0x140 ulelong x \b, version 0x%x 692*58a0f0d0SEitan Adler# NumRecs 693*58a0f0d0SEitan Adler#>0x144 ulelong x \b, 0x%4.4x records 694*58a0f0d0SEitan Adler# EndOffset means files size 695*58a0f0d0SEitan Adler>0x148 ulelong x \b, %u bytes 696*58a0f0d0SEitan Adler# Flags 5 25h 35h 697*58a0f0d0SEitan Adler#>0x14c ulelong x \b, flags %8.8x 698*58a0f0d0SEitan Adler# Reserved: array[0..26] of Longint 699*58a0f0d0SEitan Adler# the non Unicode HighestSupportedVersion may never become greater than or equal to 1000 700*58a0f0d0SEitan Adler>0x140 ulelong <1000 701*58a0f0d0SEitan Adler# hostname 702*58a0f0d0SEitan Adler>>0x1d6 pstring x \b, %s 703*58a0f0d0SEitan Adler# user name 704*58a0f0d0SEitan Adler>>>&0 pstring x \b\%s 705*58a0f0d0SEitan Adler# directory like C:\Program Files (x86)\GnuWin32 706*58a0f0d0SEitan Adler>>>>&0 pstring x \b, "%s" 707*58a0f0d0SEitan Adler# version 1000 or higher implies unicode 708*58a0f0d0SEitan Adler>0x140 ulelong >999 709*58a0f0d0SEitan Adler# hostname 710*58a0f0d0SEitan Adler>>0x1db lestring16 x \b, %-.9s 711*58a0f0d0SEitan Adler# utf string variant with prepending fe??ffFFff 712*58a0f0d0SEitan Adler>>0x1db search/43 \xFF\xFF\xFF 713*58a0f0d0SEitan Adler# user name 714*58a0f0d0SEitan Adler>>>&0 lestring16 x \b\%-.9s 715*58a0f0d0SEitan Adler>>>&0 search/43 \xFF\xFF\xFF 716*58a0f0d0SEitan Adler# directory like C:\Program Files\GIMP 2 717*58a0f0d0SEitan Adler>>>>&0 lestring16 x \b, %-.42s 718*58a0f0d0SEitan Adler 719
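Added example, not part of this magic file or the file(1) project: a Python parser that applies the NTBackup (MTF TAPE descriptor block) tests above to a constructed header, so a forensic triage script can reproduce the same description file(1) prints: the TAPE magic, the zero checks at offsets 20/28/36, the unused-attribute-bit mask at offset 4, and the size/offset string pairs whose encoding the string-type byte at offset 48 selects. The sample header, its strings and the vendor ID 0xCBE in it are constructed for the demonstration and do not come from a real .bkf file.

```python
import struct
OS_IDS = {1: "NetWare", 13: "NetWare SMS", 14: "NT", 24: "3", 25: "OS/2",
          26: "95", 27: "Macintosh", 28: "UNIX"}                  # OS ID byte at offset 10
MTF_COMPRESSION, MTF_EOS_AT_EOM, MTF_SET_MAP_EXISTS, MTF_FDD_ALLOWED = 0x4, 0x8, 0x10000, 0x20000
UNUSED_ATTR_BITS = 0xFFFCFFE0          # the &mask in the magic test: these bits must all be zero

def mtf_string(data, size_off):
    """Size/offset pair at size_off; byte 48 holds the string type (1 ANSI, 2 UTF-16LE)."""
    size, off = struct.unpack_from("<HH", data, size_off)
    if size == 0 or off == 0 or off + size > len(data):
        return None
    enc = "utf-16-le" if data[48] == 2 else "latin-1"
    return data[off:off + size].decode(enc, "replace")

def describe_bkf(data):
    """Mirror the nested magic tests; None means file(1) would not match this header."""
    if len(data) < 0x58 or data[:4] != b"TAPE":
        return None
    attrs, = struct.unpack_from("<I", data, 4)
    fla, mbc, cbid = struct.unpack_from("<QH6xI", data, 20)   # FLA, MBC reserved, Control Block ID
    if fla or mbc or cbid or attrs & UNUSED_ATTR_BITS:
        return None
    out = "Windows NTbackup archive" + (" " + OS_IDS[data[10]] if data[10] in OS_IDS else "")
    out += ", compressed" if attrs & MTF_COMPRESSION else ""
    out += ", End Of Medium hit" if attrs & MTF_EOS_AT_EOM else ""
    if attrs & MTF_FDD_ALLOWED:
        out += ", with file catalog"
    elif attrs & MTF_SET_MAP_EXISTS:
        out += ", with catalog"
    seq, pw_alg = struct.unpack_from("<HH", data, 60)
    out += ", sequence %u" % seq if seq > 1 else ""
    out += ", 0x%x encrypted" % pw_alg if pw_alg else ""
    name = mtf_string(data, 68)
    out += ", name: " + name if name else ""
    blk, vendor = struct.unpack_from("<HH", data, 84)
    software = mtf_string(data, 80)
    out += ", software (0x%x)" % vendor + (": " + software if software else "")
    return out + (", block size %u" % blk if blk != 1024 else "")

def sample_header():
    """Constructed TAPE DBLK (not from a real file): NT, compressed, set map, UNICODE strings."""
    name, soft = "Backup set".encode("utf-16-le"), "NTBACKUP".encode("utf-16-le")
    hdr = bytearray(0x100)
    hdr[0:4], hdr[10], hdr[48] = b"TAPE", 14, 2                      # magic, OS ID NT, UNICODE
    struct.pack_into("<I", hdr, 4, MTF_COMPRESSION | MTF_SET_MAP_EXISTS)
    struct.pack_into("<HH", hdr, 60, 1, 0)                           # media sequence 1, no password
    struct.pack_into("<HH", hdr, 68, len(name), 0x5E)                # media name size / offset
    struct.pack_into("<HH", hdr, 80, len(soft), 0x5E + len(name))    # software name size / offset
    struct.pack_into("<HH", hdr, 84, 1024, 0xCBE)                    # block size, software vendor ID
    hdr[0x5E:0x5E + len(name) + len(soft)] = name + soft
    return bytes(hdr)
```

Flipping one of the masked-out attribute bits makes `describe_bkf` return None, which is exactly why the magic entry tests the mask rather than the four-byte "TAPE" string alone.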