xref: /freebsd-11.0-release/contrib/file/magic/Magdir/windows

#------------------------------------------------------------------------------
# $File: windows,v 1.14 2015/12/15 01:06:17 christos Exp $
# windows:  file(1) magic for Microsoft Windows
#
# This file is mainly reserved for files where programs
# using them are run almost always on MS Windows 3.x or
# above, or files only used exclusively in Windows OS,
# where there is no better category to allocate for.
# For example, even though WinZIP almost run on Windows
# only, it is better to treat them as "archive" instead.
# For format usable in DOS, such as generic executable
# format, please specify under "msdos" file.
#


# Summary: Outlook Express DBX file
# Extension: .dbx
# Created by: Christophe Monniez
0	string	\xCF\xAD\x12\xFE	MS Outlook Express DBX file
>4	byte	=0xC5			\b, message database
>4	byte	=0xC6			\b, folder database
>4	byte	=0xC7			\b, account information
>4	byte	=0x30			\b, offline database


# Summary: Windows crash dump
# Extension: .dmp
# Created by: Andreas Schuster (http://computer.forensikblog.de/)
# Reference (1): http://computer.forensikblog.de/en/2008/02/64bit_magic.html
# Modified by (1): Abel Cheung (Avoid match with first 4 bytes only)
0	string		PAGE		
>4	string		DUMP		MS Windows 32bit crash dump
>>0x05c	byte            0		\b, no PAE
>>0x05c	byte            1		\b, PAE
>>0xf88	lelong		1		\b, full dump
>>0xf88	lelong		2		\b, kernel dump
>>0xf88	lelong		3		\b, small dump
>>0x068	lelong		x		\b, %d pages
>4	string		DU64		MS Windows 64bit crash dump
>>0xf98	lelong		1		\b, full dump
>>0xf98	lelong		2		\b, kernel dump
>>0xf98	lelong		3		\b, small dump
>>0x090	lequad		x		\b, %lld pages


# Summary: Vista Event Log
# Extension: .evtx
# Created by: Andreas Schuster (http://computer.forensikblog.de/)
# Reference (1): http://computer.forensikblog.de/en/2007/05/some_magic.html
0	string		ElfFile\0	MS Windows Vista Event Log
>0x2a	leshort		x		\b, %d chunks
>>0x10	lelong		x		\b (no. %d in use)
>0x18	lelong		>1		\b, next record no. %d
>0x18	lelong		=1		\b, empty
>0x78	lelong		&1		\b, DIRTY
>0x78	lelong		&2		\b, FULL


# Summary: Windows 3.1 group files
# Extension: .grp
# Created by: unknown
0	string		\120\115\103\103	MS Windows 3.1 group files


# Summary: Old format help files
# URL: https://en.wikipedia.org/wiki/WinHelp
# Reference: http://www.oocities.org/mwinterhoff/helpfile.htm
# Update: Joerg Jenderek 
# Created by: Dirk Jagdmann <doj@cubic.org>
#
# check and then display version and date inside MS Windows HeLP file fragment
0	name				help-ver-date
# look for Magic of SYSTEMHEADER
>0	leshort		0x036C		
# version Major		1 for right file fragment
>>4	leshort		1		Windows
# print non empty string above to avoid error message
# Warning: Current entry does not yet have a description for adding a MIME type
!:mime	application/winhelp
!:ext	hlp
# version Minor of help file format is hint for windows version
>>>2	leshort		0x0F		3.x
>>>2	leshort		0x15		3.0
>>>2	leshort		0x21		3.1
>>>2	leshort		0x27		x.y
>>>2	leshort		0x33		95
>>>2	default		x		y.z
>>>>2	leshort		x		0x%x
# to complete message string like "MS Windows 3.x help file"
>>>2	leshort		x		help
# GenDate often older than file creation date
>>>6	ldate		x		\b, %s
#
# Magic for HeLP files
0	lelong		0x00035f3f		
# ./windows (version 5.25) labeled the entry as "MS Windows 3.x help file"
# file header magic 0x293B at DirectoryStart+9
>(4.l+9)	uleshort	0x293B		MS
# look for @VERSION	bmf.. like IBMAVW.ANN
>>0xD4		string	=\x62\x6D\x66\x01\x00	Windows help annotation
!:mime	application/x-winhelp
!:ext	ann
>>0xD4		string	!\x62\x6D\x66\x01\x00	
# "GID Help index" by TrID
>>>(4.l+0x65)	string	=|Pete			Windows help Global Index
!:mime	application/x-winhelp
!:ext	gid
# HeLP Bookmark or
# "Windows HELP File" by TrID
>>>(4.l+0x65)		string		!|Pete		
# maybe there exist a cleaner way to detect HeLP fragments
# brute search for Magic 0x036C with matching Major maximal 7 iterations
# discapp.hlp
>>>>16			search/0x49AF/s	\x6c\x03 	
>>>>>&0			use 		help-ver-date
>>>>>&4			leshort		!1		
# putty.hlp
>>>>>>&0		search/0x69AF/s	\x6c\x03 	
>>>>>>>&0		use 		help-ver-date
>>>>>>>&4		leshort		!1		
>>>>>>>>&0		search/0x49AF/s	\x6c\x03 	
>>>>>>>>>&0		use 		help-ver-date
>>>>>>>>>&4		leshort		!1		
>>>>>>>>>>&0		search/0x49AF/s	\x6c\x03 	
>>>>>>>>>>>&0		use 		help-ver-date
>>>>>>>>>>>&4		leshort		!1		
>>>>>>>>>>>>&0		search/0x49AF/s	\x6c\x03 	
>>>>>>>>>>>>>&0		use 		help-ver-date
>>>>>>>>>>>>>&4		leshort		!1		
>>>>>>>>>>>>>>&0	search/0x49AF/s	\x6c\x03 	
>>>>>>>>>>>>>>>&0	use 		help-ver-date
>>>>>>>>>>>>>>>&4	leshort		!1		
>>>>>>>>>>>>>>>>&0	search/0x49AF/s	\x6c\x03 	
# GCC.HLP is detected after 7 iterations
>>>>>>>>>>>>>>>>>&0	use 		help-ver-date
# this only happens if bigger hlp file is detected after used search iterations
>>>>>>>>>>>>>>>>>&4	leshort		!1		Windows y.z help
!:mime	application/winhelp
!:ext	hlp
# repeat search again or following default line does not work
>>>>16			search/0x49AF/s	\x6c\x03 	
# remaining files should be HeLP Bookmark WinHlp32.BMK (XP 32-bit) or WinHlp32 (Windows 8.1 64-bit)
>>>>16	default				x	Windows help Bookmark
!:mime	application/x-winhelp
!:ext	/bmk
## FirstFreeBlock normally FFFFFFFFh 10h for *ANN
##>>8	lelong			x		\b, FirstFreeBlock 0x%8.8x
# EntireFileSize
>>12	lelong			x		\b, %d bytes
## ReservedSpace normally 042Fh AFh for *.ANN
#>>(4.l)	lelong		x		\b, ReservedSpace 0x%8.8x
## UsedSpace normally 0426h A6h for *.ANN
#>>(4.l+4)	lelong		x		\b, UsedSpace 0x%8.8x
## FileFlags normally 04...
#>>(4.l+5)	lelong		x		\b, FileFlags 0x%8.8x
## file header magic 0x293B
#>>(4.l+9)	uleshort	x		\b, file header magic 0x%4.4x
## file header Flags		0x0402
#>>(4.l+11)	uleshort	x		\b, file header Flags 0x%4.4x
## file header PageSize	0400h 80h for *.ANN
#>>(4.l+13)	uleshort	x		\b, PageSize 0x%4.4x
## Structure[16]		z4
#>>(4.l+15)	string		>\0		\b, Structure_"%-.16s"
## MustBeZero			0
#>>(4.l+31)	uleshort	x		\b, MustBeZero 0x%4.4x
## PageSplits
#>>(4.l+33)	uleshort	x		\b, PageSplits 0x%4.4x
## RootPage
#>>(4.l+35)	uleshort	x		\b, RootPage 0x%4.4x
## MustBeNegOne			0xffff
#>>(4.l+37)	uleshort	x		\b, MustBeNegOne 0x%4.4x
## TotalPages			1
#>>(4.l+39)	uleshort	x		\b, TotalPages 0x%4.4x
## NLevels			0x0001
#>>(4.l+41)	uleshort	x		\b, NLevels 0x%4.4x
## TotalBtreeEntries
#>>(4.l+43)	ulelong		x		\b, TotalBtreeEntries 0x%8.8x
## pages of the B+ tree
#>>(4.l+47)	ubequad		x		\b, PageStart 0x%16.16llx

# start with colon or semicolon for comment line like Back2Life.cnt
0		regex		\^(:|;)		
# look for first keyword Base
>0		search/45	:Base 		
>>&0				use 		cnt-name
# only solution to search again from beginning , because relative offsets changes when use is called
>0		search/45	:Base 		
>0		default		x		
# look for other keyword Title like in putty.cnt
>>0		search/45	:Title 		
>>>&0				use 		cnt-name
#
# display mime type and name of Windows help Content source
0	name				cnt-name
# skip space at beginning
>0     string		\ 		
# name without extension and greater character or name with hlp extension
>>1	regex/c		\^([^\xd>]*|.*\.hlp)	MS Windows help file Content, based "%s"
!:mime	text/plain
!:apple	????TEXT
!:ext	cnt
#
# Windows creates an full text search from hlp file, if the user clicks the "Find" tab and enables keyword indexing
0	string		tfMR			MS Windows help Full Text Search index
!:mime application/x-winhelp-fts
!:ext	fts
>16	string		>\0			for "%s"

# Summary: Hyper terminal
# Extension: .ht
# Created by: unknown
0	string		HyperTerminal\ 
>15	string		1.0\ --\ HyperTerminal\ data\ file	MS Windows HyperTerminal profile

# http://ithreats.files.wordpress.com/2009/05/\
# lnk_the_windows_shortcut_file_format.pdf
# Summary: Windows shortcut
# Extension: .lnk
# Created by: unknown
# 'L' + GUUID
0	string		\114\0\0\0\001\024\002\0\0\0\0\0\300\0\0\0\0\0\0\106	MS Windows shortcut
>20	lelong&1	1	\b, Item id list present
>20	lelong&2	2	\b, Points to a file or directory
>20	lelong&4	4	\b, Has Description string
>20	lelong&8	8	\b, Has Relative path
>20	lelong&16	16	\b, Has Working directory
>20	lelong&32	32	\b, Has command line arguments
>20	lelong&64	64	\b, Icon
>>56	lelong		x	\b number=%d
>24	lelong&1	1	\b, Read-Only
>24	lelong&2	2	\b, Hidden
>24	lelong&4	4	\b, System
>24	lelong&8	8	\b, Volume Label
>24	lelong&16	16	\b, Directory
>24	lelong&32	32	\b, Archive
>24	lelong&64	64	\b, Encrypted
>24	lelong&128	128	\b, Normal
>24	lelong&256	256	\b, Temporary
>24	lelong&512	512	\b, Sparse
>24	lelong&1024	1024	\b, Reparse point
>24	lelong&2048	2048	\b, Compressed
>24	lelong&4096	4096	\b, Offline
>28	leqwdate	x	\b, ctime=%s
>36	leqwdate	x	\b, mtime=%s
>44	leqwdate	x	\b, atime=%s
>52	lelong		x	\b, length=%u, window=
>60	lelong&1	1	\bhide
>60	lelong&2	2	\bnormal
>60	lelong&4	4	\bshowminimized
>60	lelong&8	8	\bshowmaximized
>60	lelong&16	16	\bshownoactivate
>60	lelong&32	32	\bminimize
>60	lelong&64	64	\bshowminnoactive
>60	lelong&128	128	\bshowna
>60	lelong&256	256	\brestore
>60	lelong&512	512	\bshowdefault
#>20	lelong&1	0
#>>20	lelong&2	2
#>>>(72.l-64)	pstring/h	x	\b [%s]
#>20	lelong&1	1
#>>20	lelong&2	2
#>>>(72.s)	leshort	x
#>>>&75	pstring/h	x	\b [%s]

# Summary: Outlook Personal Folders
# Created by: unknown
0	lelong		0x4E444221	Microsoft Outlook email folder
>10	leshort		0x0e		(<=2002)
>10	leshort		0x17		(>=2003)


# Summary: Windows help cache
# Created by: unknown
0	string		\164\146\115\122\012\000\000\000\001\000\000\000	MS Windows help cache


# Summary: IE cache file
# Created by: Christophe Monniez
0	string	Client\ UrlCache\ MMF 	Internet Explorer cache file
>20	string	>\0			version %s


# Summary: Registry files
# Created by: unknown
# Modified by (1): Joerg Jenderek
0	string		regf		MS Windows registry file, NT/2000 or above
0	string		CREG		MS Windows 95/98/ME registry file
0	string		SHCC3		MS Windows 3.1 registry file


# Summary: Windows Registry text
# Extension: .reg
# Submitted by: Abel Cheung <abelcheung@gmail.com>
0	string		REGEDIT4\r\n\r\n	Windows Registry text (Win95 or above)
0	string		Windows\ Registry\ Editor\ 
>&0	string		Version\ 5.00\r\n\r\n	Windows Registry text (Win2K or above)

# Windows *.INF *.INI files updated by Joerg Jenderek at Apr 2013
# empty ,comment , section
# PR/383: remove unicode BOM because it is not portable across regex impls
0	regex/s		\\`(\\r\\n|;|[[])
# left bracket in section line
>&0	search/8192	[						
# http://en.wikipedia.org/wiki/Autorun.inf
# http://msdn.microsoft.com/en-us/library/windows/desktop/cc144200.aspx
>>&0	regex/c		\^(autorun)]\r\n				
>>>&0	ubyte		=0x5b						INItialization configuration
!:mime application/x-wine-extension-ini
# From: Pal Tamas <folti@balabit.hu>
# Autorun File
>>>&0	ubyte		!0x5b						Microsoft Windows Autorun file
!:mime application/x-setupscript
# http://msdn.microsoft.com/en-us/library/windows/hardware/ff549520(v=vs.85).aspx
# version strings ASCII coded case-independent for Windows setup information script file
>>&0	regex/c		\^(version|strings)]				Windows setup INFormation
!:mime	application/x-setupscript
#!:mime application/inf
#!:mime application/x-wine-extension-inf
>>&0	regex/c		\^(WinsockCRCList|OEMCPL)]			Windows setup INFormation
!:mime	text/inf
# http://www.winfaq.de/faq_html/Content/tip2500/onlinefaq.php?h=tip2653.htm
# http://msdn.microsoft.com/en-us/library/windows/desktop/cc144102.aspx
# .ShellClassInfo DeleteOnCopy LocalizedFileNames ASCII coded case-independent
>>&0	regex/c	\^(\.ShellClassInfo|DeleteOnCopy|LocalizedFileNames)]	Windows desktop.ini
!:mime application/x-wine-extension-ini
#!:mime text/plain
# http://support.microsoft.com/kb/84709/
>>&0	regex/c		\^(don't\ load)]				Windows CONTROL.INI
!:mime application/x-wine-extension-ini
>>&0	regex/c		\^(ndishlp\\$|protman\\$|NETBEUI\\$)]		Windows PROTOCOL.INI
!:mime application/x-wine-extension-ini
# http://technet.microsoft.com/en-us/library/cc722567.aspx
# http://www.winfaq.de/faq_html/Content/tip0000/onlinefaq.php?h=tip0137.htm
>>&0	regex/c		\^(windows|Compatibility|embedding)]		Windows WIN.INI
!:mime application/x-wine-extension-ini
# http://en.wikipedia.org/wiki/SYSTEM.INI
>>&0	regex/c		\^(boot|386enh|drivers)]			Windows SYSTEM.INI
!:mime application/x-wine-extension-ini
# http://www.mdgx.com/newtip6.htm
>>&0	regex/c		\^(SafeList)]					Windows IOS.INI
!:mime application/x-wine-extension-ini
# http://en.wikipedia.org/wiki/NTLDR	Windows Boot Loader information
>>&0	regex/c		\^(boot\x20loader)]				Windows boot.ini
!:mime application/x-wine-extension-ini
>>>&0	ubyte		x						
# http://en.wikipedia.org/wiki/CONFIG.SYS
>>&0	regex/c		\^(menu)]\r\n					MS-DOS CONFIG.SYS
# http://support.microsoft.com/kb/118579/
>>&0	regex/c		\^(Paths)]\r\n					MS-DOS MSDOS.SYS
# VERS string unicoded case-independent
>>&0	ubequad&0xFFdfFFdfFFdfFFdf	0x0056004500520053		
# ION] string unicoded case-independent
>>>&0	ubequad&0xFFdfFFdfFFdfFFff	0x0049004f004e005d		Windows setup INFormation 
!:mime application/x-setupscript
# STRI string unicoded case-independent
>>&0	ubequad&0xFFdfFFdfFFdfFFdf	0x0053005400520049		
# NGS] string unicoded case-independent
>>>&0	ubequad&0xFFdfFFdfFFdfFFff	0x004e00470053005D		Windows setup INFormation 
!:mime application/x-setupscript
# unknown keyword after opening bracket
>>&0	default				x				
>>>&0	search/8192			[				
# version Strings FileIdentification
>>>>&0	string/c			version				Windows setup INFormation 
!:mime application/x-setupscript
# VERS string unicoded case-independent
>>>>&0	ubequad&0xFFdfFFdfFFdfFFdf	0x0056004500520053		
# ION] string unicoded case-independent
>>>>>&0	ubequad&0xFFdfFFdfFFdfFFff	0x0049004f004e005d		Windows setup INFormation 
!:mime application/x-setupscript
# http://en.wikipedia.org/wiki/Initialization_file	Windows Initialization File or other
#>>>>&0	default				x				Generic INItialization configuration
#!:mime application/x-wine-extension-ini

# Windows Precompiled INF files *.PNF added by Joerg Jenderek at Mar 2013 of _PNF_HEADER inf.h
# http://read.pudn.com/downloads3/sourcecode/windows/248345/win2k/private/windows/setup/setupapi/inf.h__.htm
# GRR: line below too general as it catches also PDP-11 UNIX/RT ldp
0		leshort&0xFeFe	0x0000		
!:strength -5
# test for unused null bits in PNF_FLAGs
>4	ulelong&0xFCffFe00	0x00000000	
# only found 58h for Offset of WinDirPath immediately after _PNF_HEADER structure
>>68		ulelong		>0x57		
# test for zero high byte of InfValueBlockSize, followed by WinDirPath like
# C:\WINDOWS (ASCII 0x433a5c.. , unicode 0x43003a005c..) or X:\MININT
>>>(68.l-1)	ubelong&0xffE0C519	=0x00400018	Windows Precompiled iNF
!:mime	application/x-pnf
# currently only found Major Version=1 and Minor Version=1
#>>>>0		uleshort	=0x0101		
#>>>>>1		ubyte		x		\b, version %u
#>>>>>0		ubyte		x		\b.%u
>>>>0		uleshort	!0x0101		
>>>>>1		ubyte		x		\b, version %u
>>>>>0		ubyte		x		\b.%u
# 1 ,2 (windows 98 SE)
#>>>>2		uleshort	=2		\b, InfStyle %u
>>>>2		uleshort	!2		\b, InfStyle %u
#	PNF_FLAG_IS_UNICODE		0x00000001
#	PNF_FLAG_HAS_STRINGS		0x00000002
#	PNF_FLAG_SRCPATH_IS_URL		0x00000004
#	PNF_FLAG_HAS_VOLATILE_DIRIDS	0x00000008
#	PNF_FLAG_INF_VERIFIED		0x00000010
#	PNF_FLAG_INF_DIGITALLY_SIGNED	0x00000020
#	??				0x00000100
#	??				0x01000000
#	??				0x02000000
>>>>4	ulelong&0x00000001	0x00000001	\b, unicoded
>>>>4	ulelong&0x00000020	0x00000020	\b, digitally signed
#>>>>8		ulelong		x		\b, InfSubstValueListOffset 0x%x
# many 0, 1 lmouusb.PNF, 2 linkfx10.PNF , f webfdr16.PNF
#>>>>12		uleshort	x		\b, InfSubstValueCount 0x%x
# only < 9 found
#>>>>14		uleshort	x		\b, InfVersionDatumCount 0x%x
# only found values lower 0x0000ffff
#>>>>16		ulelong		x		\b, InfVersionDataSize 0x%x
# only found positive values lower 0x00ffFFff for InfVersionDataOffset
>>>>20		ulelong		x		\b, at 0x%x
>>>>4	ulelong&0x00000001	=0x00000001	
# case independent: CatalogFile Class DriverVer layoutfile LayoutFile SetupClass signature Signature    
>>>>>(20.l)	lestring16	x		"%s"
>>>>4	ulelong&0x00000001	!0x00000001	
>>>>>(20.l)	string		x		"%s"
# FILETIME is number of 100-nanosecond intervals since 1 January 1601
#>>>>24		ulequad		x		\b, InfVersionLastWriteTime %16.16llx
# only found values lower 0x00ffFFff
#>>>>32		ulelong		x		\b, StringTableBlockOffset 0x%x
#>>>>36		ulelong		x		\b, StringTableBlockSize 0x%x
#>>>>40		ulelong		x		\b, InfSectionCount 0x%x
#>>>>44		ulelong		x		\b, InfSectionBlockOffset 0x%x
#>>>>48		ulelong		x		\b, InfSectionBlockSize 0x%x
#>>>>52		ulelong		x		\b, InfLineBlockOffset 0x%x
#>>>>56		ulelong		x		\b, InfLineBlockSize 0x%x
#>>>>60		ulelong		x		\b, InfValueBlockOffset 0x%x
#>>>>64		ulelong		x		\b, InfValueBlockSize 0x%x
# WinDirPathOffset
#>>>>68		ulelong		x		\b, at 0x%x
>>>>68		ulelong		>0x57		
>>>>>4	ulelong&0x00000001	=0x00000001	
>>>>>>(68.l)	ubequad		=0x43003a005c005700			
# normally unicoded C:\Windows
#>>>>>>>(68.l)	lestring16	x		\b, WinDirPath "%s"
>>>>>>(68.l)	ubequad		!0x43003a005c005700			
>>>>>>>(68.l)	lestring16	x		\b, WinDirPath "%s"
>>>>>4	ulelong&0x00000001	!0x00000001	
# normally ASCII C:\WINDOWS
#>>>>>>(68.l)	string		=C:\\WINDOWS	\b, WinDirPath "%s"
>>>>>>(68.l)	string		!C:\\WINDOWS	\b, WinDirPath "%s"
# found OsLoaderPathOffset values often 0 , once 70h corelist.PNF, once 68h ASCII machine.PNF 
#>>>>72		ulelong		>0		\b, at 0x%x
>>>>72		ulelong		>0		\b,
>>>>>4	ulelong&0x00000001	=0x00000001	
>>>>>>(72.l)	lestring16	x		OsLoaderPath "%s"
>>>>>4	ulelong&0x00000001	!0x00000001	
# seldom C:\ instead empty
>>>>>>(72.l)	string		x		OsLoaderPath "%s"
# 1fdh
#>>>>76		uleshort	x		\b, StringTableHashBucketCount 0x%x
>>>>78		uleshort	!0x407		\b, LanguageId %x
# only 407h found
#>>>>78		uleshort	=0x407		\b, LanguageId %x
# InfSourcePathOffset often 0
#>>>>80		ulelong		>0		\b, at 0x%x
>>>>80		ulelong		>0		\b,
>>>>>4	ulelong&0x00000001	=0x00000001	
>>>>>>(80.l)	lestring16	x		SourcePath "%s"
>>>>>4	ulelong&0x00000001	!0x00000001	
>>>>>>(80.l)	string		>\0		SourcePath "%s"
# OriginalInfNameOffset often 0
#>>>>84		ulelong		>0		\b, at 0x%x
>>>>84		ulelong		>0		\b,
>>>>>4	ulelong&0x00000001	=0x00000001	
>>>>>>(84.l)	lestring16	x		InfName "%s"
>>>>>4	ulelong&0x00000001	!0x00000001	
>>>>>>(84.l)	string		>\0		InfName "%s"

# Summary: backup file created with utility like NTBACKUP.EXE shipped with Windows NT/2K/XP/2003
# Extension: .bkf
# Created by: Joerg Jenderek
# URL: http://en.wikipedia.org/wiki/NTBackup
# Reference: http://laytongraphics.com/mtf/MTF_100a.PDF
# Descriptor BloCK name of Microsoft Tape Format
0	string			TAPE		
# Format Logical Address is zero
>20	ulequad			0		
# Reserved for MBC is zero
>>28	uleshort		0		
# Control Block ID is zero
>>>36	ulelong			0		
# BIT4-BIT15, BIT18-BIT31 of block attributes are unused
>>>>4	ulelong&0xFFfcFFe0	0		Windows NTbackup archive
#!:mime application/x-ntbackup
!:ext bkf
# OS ID
>>>>>10	ubyte			1		\b NetWare
>>>>>10	ubyte			13		\b NetWare SMS
>>>>>10	ubyte			14		\b NT
>>>>>10	ubyte			24		\b 3
>>>>>10	ubyte			25		\b OS/2
>>>>>10	ubyte			26		\b 95
>>>>>10	ubyte			27		\b Macintosh
>>>>>10	ubyte			28		\b UNIX
# OS Version (2)
#>>>>>11	ubyte			x		OS V=%x
# MTF_CONTINUATION	Media Sequence Number > 1
#>>>>>4	ulelong&0x00000001	!0		\b, continued
# MTF_COMPRESSION
>>>>>4	ulelong&0x00000004	!0		\b, compressed
# MTF_EOS_AT_EOM	End Of Medium was hit during end of set processing
>>>>>4	ulelong&0x00000008	!0		\b, End Of Medium hit
>>>>>4	ulelong&0x00020000	0		
# MTF_SET_MAP_EXISTS	A Media Based Catalog Set Map may exist on tape
>>>>>>4	ulelong&0x00010000	!0		\b, with catalog
# MTF_FDD_ALLOWED	However File/Directory Detail can only exist if a Set Map is also present
>>>>>4	ulelong&0x00020000	!0		\b, with file catalog
# Offset To First Event 238h,240h,28Ch
#>>>>>8	uleshort		x		\b, event offset %4.4x
# Displayable Size (20e0230h 20e024ch 20e0224h)
#>>>>>8	ulequad			x		dis. size %16.16llx
# Media Family ID (455288C4h 4570BD1Ah 45708F2Fh 4570BBF5h)
#>>>>>52	ulelong			x		family ID %8.8x
# TAPE Attributes (3)
#>>>>>56	ulelong			x		TAPE %8.8x
# Media Sequence Number
>>>>>60	uleshort		>1		\b, sequence %u
# Password Encryption Algorithm (3)
>>>>>62	uleshort		>0		\b, 0x%x encrypted
# Soft Filemark Block Size * 512 (2)
#>>>>>64	uleshort		=2		\b, soft size %u*512
>>>>>64	uleshort		!2		\b, soft size %u*512
# Media Based Catalog Type (1,2)
#>>>>>66	uleshort		x		\b, catalog type %4.4x
# size of Media Name (66,68,6Eh)
>>>>>68	uleshort		>0		
# offset of Media Name (5Eh)
>>>>>>70	uleshort	>0		
# 0~, 1~ANSI, 2~UNICODE
>>>>>>>48	ubyte		1		
# size terminated ansi coded string normally followed by "MTF Media Label"
>>>>>>>>(70.s)	string		>\0		\b, name: %s
>>>>>>>48	ubyte		2		
# Not null, but size terminated unicoded string
>>>>>>>>(70.s)	lestring16	x		\b, name: %s
# size of Media Label (104h)
>>>>>72	uleshort		>0		
# offset of Media Label (C4h,C6h,CCh)
>>>>>74		uleshort	>0		
>>>>>>48	ubyte		1		
#Tag|Version|Vendor|Vendor ID|Creation Time Stamp|Cartridge Label|Side|Media ID|Media Domain ID|Vendor Specific fields
>>>>>>>(74.s)	string		>\0		\b, label: %s
>>>>>>48	ubyte		2		
>>>>>>>(74.s)	lestring16	x		\b, label: %s
# size of password name (0,1Ch)
#>>>>>76	uleshort		>0		\b, password size %4.4x
# Software Vendor ID (CBEh)
>>>>>86	uleshort		x		\b, software (0x%x)
# size of Software Name (6Eh)
>>>>>80	uleshort		>0		
# offset of Software Name (1C8h,1CAh,1D0h)
>>>>>>82	uleshort	>0		
# 1~ANSI, 2~UNICODE
>>>>>>>48	ubyte		1		
>>>>>>>>(82.s)	string		>\0		\b: %s
>>>>>>>48	ubyte		2		
# size terminated unicoded coded string normally followed by "SPAD"
>>>>>>>>(82.s)	lestring16	x		\b: %s
# Format Logical Block Size (512,1024)
#>>>>>84	uleshort		=1024		\b, block size %u
>>>>>84	uleshort		!1024		\b, block size %u
# Media Date of MTF_DATE_TIME type with 5 bytes
#>>>>>>88	ubequad			x		DATE %16.16llx
# MTF Major Version (1)
#>>>>>>93	ubyte		x		\b, MFT version %x
#