xref: /freebsd-10.0-release/contrib/file/Magdir/windows

#------------------------------------------------------------------------------
# $File: windows,v 1.4 2009/09/19 16:28:13 christos Exp $
# windows:  file(1) magic for Microsoft Windows
#
# This file is mainly reserved for files where programs
# using them are run almost always on MS Windows 3.x or
# above, or files only used exclusively in Windows OS,
# where there is no better category to allocate for.
# For example, even though WinZIP almost run on Windows
# only, it is better to treat them as "archive" instead.
# For format usable in DOS, such as generic executable
# format, please specify under "msdos" file.
#


# Summary: Outlook Express DBX file
# Extension: .dbx
# Created by: Christophe Monniez
0	string	\xCF\xAD\x12\xFE	MS Outlook Express DBX file
>4	byte	=0xC5			\b, message database
>4	byte	=0xC6			\b, folder database
>4	byte	=0xC7			\b, account information
>4	byte	=0x30			\b, offline database


# Summary: Windows crash dump
# Extension: .dmp
# Created by: Andreas Schuster (http://computer.forensikblog.de/)
# Reference (1): http://computer.forensikblog.de/en/2008/02/64bit_magic.html
# Modified by (1): Abel Cheung (Avoid match with first 4 bytes only)
0	string		PAGE		
>4	string		DUMP		MS Windows 32bit crash dump
>>0x05c	byte            0		\b, no PAE
>>0x05c	byte            1		\b, PAE
>>0xf88	lelong		1		\b, full dump
>>0xf88	lelong		2		\b, kernel dump
>>0xf88	lelong		3		\b, small dump
>>0x068	lelong		x		\b, %ld pages
>4	string		DU64		MS Windows 64bit crash dump
>>0xf98	lelong		1		\b, full dump
>>0xf98	lelong		2		\b, kernel dump
>>0xf98	lelong		3		\b, small dump
>>0x090	lequad		x		\b, %lld pages


# Summary: Vista Event Log
# Extension: .evtx
# Created by: Andreas Schuster (http://computer.forensikblog.de/)
# Reference (1): http://computer.forensikblog.de/en/2007/05/some_magic.html
0	string		ElfFile\0	MS Windows Vista Event Log
>0x2a	leshort		x		\b, %d chunks
>>0x10	lelong		x		\b (no. %d in use)
>0x18	lelong		>1		\b, next record no. %d
>0x18	lelong		=1		\b, empty
>0x78	lelong		&1		\b, DIRTY
>0x78	lelong		&2		\b, FULL


# Summary: Windows 3.1 group files
# Extension: .grp
# Created by: unknown
0	string		\120\115\103\103	MS Windows 3.1 group files


# Summary: Old format help files
# Extension: .hlp
# Created by: Dirk Jagdmann <doj@cubic.org>
0	lelong		0x00035f3f		MS Windows 3.x help file


# Summary: Hyper terminal
# Extension: .ht
# Created by: unknown
0	string		HyperTerminal\ 
>15	string		1.0\ --\ HyperTerminal\ data\ file	MS Windows HyperTerminal profile


# Summary: Windows shortcut
# Extension: .lnk
# Created by: unknown
0	string		\114\0\0\0\001\024\002\0\0\0\0\0\300\0\0\0\0\0\0\106	MS Windows shortcut


# Summary: Outlook Personal Folders
# Created by: unknown
0	lelong		0x4E444221	Microsoft Outlook email folder
>10	leshort		0x0e		(<=2002)
>10	leshort		0x17		(>=2003)


# Summary: Windows help cache
# Created by: unknown
0	string		\164\146\115\122\012\000\000\000\001\000\000\000	MS Windows help cache


# Summary: IE cache file
# Created by: Christophe Monniez
0	string	Client\ UrlCache\ MMF 	Internet Explorer cache file
>20	string	>\0			version %s


# Summary: Registry files
# Created by: unknown
# Modified by (1): Joerg Jenderek
0	string		regf		MS Windows registry file, NT/2000 or above
0	string		CREG		MS Windows 95/98/ME registry file
0	string		SHCC3		MS Windows 3.1 registry file


# Summary: Windows Registry text
# Extension: .reg
# Submitted by: Abel Cheung <abelcheung@gmail.com>
0	string		REGEDIT4\r\n\r\n	Windows Registry text (Win95 or above)
0	string		Windows\ Registry\ Editor\ 
>&0	string		Version\ 5.00\r\n\r\n	Windows Registry text (Win2K or above)


# From: Pal Tamas <folti@balabit.hu>
# Autorun File
0       string/c          [autorun]\r\n   Microsoft Windows Autorun file.
!:mime	application/x-setupscript.