[File] [PATCH] of msdos, windows for Windows imaging: update+mime+extensions *.wim *.swm *.esd

Jörg Jenderek joerg.jen.der.ek at gmx.net
Wed Mar 13 01:06:41 UTC 2019

Hash: SHA1


some days ago i run file command version 5.36 on Windows imaging (WIM)
images found on install medium for modern Windows systems. All
examples are recognized by Magdir/msdos but no extension or mime type
is shown.

The described file format has nothing to do with DOS. So i removed
lines from Magdir/msdos by patch file-5.36-msdos-wim.diff and add
lines to

Furthermore i add Wikipedia page about "Windows Imaging Format" by URL
 # URL: https://en.wikipedia.org/wiki/Windows_Imaging_Format
As reference i also add URL on Microsoft server with document "Windows
Imaging File Format.rtf".

Besides the official Microsoft format there exist a wimlib pipable
variant mentioned in man page "wimoptimize". So there exist 2
different magic pattern which are handled as WIM-archives. This is now
done by subroutine like
 0	string		MSWIM\000\000\000
 >0	use		wim-archive
 0	string		WLPWM\000\000\000
 >0	use		wim-archive
 0      name    	wim-archive
 >0	string		x			Windows imaging
Now afterwards show now mime type by additional line
 !:mime	application/x-ms-wim
For Windows imaging there exist 3 different file name extensions
(*.wim *.swm *.esd). These can be distinguished by looking at more

According to docs there exist a a bit in field dwFlags for splitted
WIM archives with filename extension swm. This is now done by
 >16	ulelong		&0x00000008		(SWM
 !:ext	swm
Furthermore embedded information about current part number and total
parts for SWM is now shown for examples like boot-swm2.swm by lines
 >>40	uleshort	x			\b %u
 >>42	uleshort	x			\b of %u) image
The non splitted WIM are now handles by branch starting with line
 >16	ulelong		^0x00000008
According to "wimmount" man page for solid WIMs with decimal version
3584 ".esd" file extension is rather used than ".wim". This i now
expressed by lines
 >>12	ulelong		3584			(ESD) image
 !:ext	esd
 >>12	ulelong		!3584			(WIM) image
 !:ext	wim
This file format version dwVersion of the WIM file is later shown in a
more readable form by lines
 >14	uleshort	x			v%u
 >13	ubyte		x			\b.%u
So decimal version 3584 is shown as 0.14.
A WIM archive can contain more images and windows can boot from one
images. If more than one then this is now shown by additional lines
 >44	ulelong		>1			\b, %u images
 >0x78	ulelong		>0			\b, bootable no. %u

The flag header contains also more  interesting bits especially
concerning the used compression. This is now expressed by lines
 >16	ulelong		&0x00100000		\b, XPRESS2
 >16	ulelong		&0x00080000		\b, LZMS
 >16	ulelong		&0x00040000		\b, LZX
 >16	ulelong		&0x00020000		\b, XPRESS
 >16	ulelong		&0x00000002		compressed

I also tried to look for the XML data by rhXmlData structure by lines
 >0x50	ulelong		x			\b, at 0x%8.8x
 >(0x50.l)	ubequad	x			\b, xml=%16.16llx
The last line should show something like \xff\xfe<\0W\0I\0M\0, but it
does not work. Maybe somebody is smart enough to find what is wrong here

After applying the above mentioned modifications by patch
file-5.36-windows-wim.diff then all inspected examples are now
described like:

boot-10.wim:          Windows imaging (WIM) image v1.13,
	2 images, bootable no. 2,
	LZX compressed, reparse point fixup
boot-opt.wim:         Windows imaging (WIM) image v1.13,
	bootable no. 1,
	LZX compressed, reparse point fixup
boot-pipe.wim:        Windows imaging (WIM) image,
	wimlib pipable format v1.13,
	bootable no. 1,
	LZX compressed, reparse point fixup
boot-swm.swm:         Windows imaging (SWM 1 of 2) image v1.13,
	LZX compressed, reparse point fixup
boot-swm2.swm:        Windows imaging (SWM 2 of 2) image v1.13,
	LZX compressed, reparse point fixup
boot.wim:             Windows imaging (WIM) image v1.13,
	bootable no. 1,
	LZX compressed, reparse point fixup
install.esd:          Windows imaging (ESD) image v0.14,
	6 images,
	LZMS compressed, reparse point fixup
x-drive-boot.wim:     Windows imaging (WIM) image v1.13,
	bootable no. 1,
	LZX compressed
x-drive-fast.wim:     Windows imaging (WIM) image v1.13,
	XPRESS compressed, reparse point fixup
x-drive.wim:          Windows imaging (WIM) image v1.13,
	reparse point fixup

I hope my two diff file can be applied in future version of file utility

With best wishes
Jörg Jenderek
- -- 
Jörg Jenderek

Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

-------------- next part --------------
--- file-5.36/magic/Magdir/windows.old	2019-01-11 21:00:26 +0000
+++ file-5.36/magic/Magdir/windows	2019-03-13 00:59:04 +0000
@@ -728,2 +728,91 @@
 >>>>&0	lestring16	x				\b, %-.42s
+# Windows Imaging (WIM) Image
+# Update: Joerg Jenderek at Mar 2019
+# URL: https://en.wikipedia.org/wiki/Windows_Imaging_Format
+# Reference: http://download.microsoft.com/download/f/e/f/
+# fefdc36e-392d-4678-9e4e-771ffa2692ab/Windows%20Imaging%20File%20Format.rtf
+# Note: verified by like `7z t boot.wim` `wiminfo install.esd --header`
+0	string		MSWIM\000\000\000
+>0	use		wim-archive
+# https://wimlib.net/man1/wimoptimize.html
+0	string		WLPWM\000\000\000
+>0	use		wim-archive
+0	name		wim-archive
+>0	string		x			Windows imaging
+!:mime	application/x-ms-wim
+# TO avoid in file version 5.36 error like
+# Magdir/windows, 760: Warning: Current entry does not yet have a description
+# file: could not find any valid magic files! (No error)
+# splitted WIM
+>16	ulelong		&0x00000008		(SWM
+!:ext	swm
+# usPartNumber; 1, unless the file was split into multiple parts
+>>40	uleshort	x			\b %u
+# usTotalParts; The total number of WIM file parts in a spanned set
+>>42	uleshort	x			\b of %u) image
+# non splitted WIM
+>16	ulelong		^0x00000008
+# https://wimlib.net/man1/wimmount.html
+# solid WIMs; version 3584; usually contain LZMS-compressed and the .esd extension
+>>12	ulelong		3584			(ESD) image
+!:ext	esd
+>>12	ulelong		!3584			(WIM) image
+!:ext	wim
+>0	string/b	WLPWM\000\000\000	\b, wimlib pipable format
+# cbSize size of the WIM header in bytes like 208
+#>8	ulelong		x			\b, headersize %u
+# dwVersion version of the WIM file 00010d00h~1.13 00000e00h~0.14
+>14	uleshort	x			v%u
+>13	ubyte		x			\b.%u
+# dwImageCount; The number of images contained in the WIM file
+>44	ulelong		>1			\b, %u images
+# dwBootIndex
+# 1-based index of the bootable image of the WIM, or 0 if no image is bootable
+>0x78	ulelong		>0			\b, bootable no. %u
+# dwFlags
+#>16	ulelong		x			\b, flags 0x%8.8x
+#define FLAG_HEADER_COMPRESSION		0x00000002
+#define FLAG_HEADER_READONLY            0x00000004
+#define FLAG_HEADER_SPANNED		0x00000008
+#define FLAG_HEADER_RESOURCE_ONLY       0x00000010
+#define FLAG_HEADER_METADATA_ONLY       0x00000020
+#define FLAG_HEADER_WRITE_IN_PROGRESS   0x00000040
+#define FLAG_HEADER_RP_FIX		0x00000080 reparse point fixup
+#define FLAG_HEADER_COMPRESS_XPRESS     0x00020000
+#define FLAG_HEADER_COMPRESS_LZX	0x00040000
+#define FLAG_HEADER_COMPRESS_LZMS	0x00080000
+#define FLAG_HEADER_COMPRESS_XPRESS2    0x00100000 wimlib-1.13.0\include\wimlib\header.h 
+# XPRESS, with small chunk size
+>16	ulelong		&0x00100000		\b, XPRESS2
+>16	ulelong		&0x00080000		\b, LZMS
+>16	ulelong		&0x00040000		\b, LZX
+>16	ulelong		&0x00020000		\b, XPRESS
+>16	ulelong		&0x00000002		compressed
+>16	ulelong		&0x00000004		\b, read only
+>16	ulelong		&0x00000010		\b, resource only
+>16	ulelong		&0x00000020		\b, metadata only
+>16	ulelong		&0x00000080		\b, reparse point fixup
+#>16	ulelong		&0x00010000		\b, RESERVED
+# dwCompressionSize; Uncompressed chunk size for resources or 0 if uncompressed
+#>20	ulelong		>0			\b, chunk size %u bytes
+# gWIMGuid
+#>24	ubequad		x			\b, GUID 0x%16.16llx
+#>>32	ubequad		x			\b%16.16llx
+# rhOffsetTable; the location of the resource lookup table
+# wim_reshdr_disk[24]= u8 size_in_wim[7] + u8 flags + le64 offset_in_wim + le64 uncompressed_size
+#>48	ubequad		x			\b, rhOffsetTable 0x%16.16llx
+# rhXmlData; the location of the XML data
+#>0x50	ulelong		x			\b, at 0x%8.8x
+# NOT WORKING \xff\xfe<\0W\0I\0M\0
+#>(0x50.l)	ubequad	x			\b, xml=%16.16llx
+# rhBootMetadata; the location of the metadata resource
+#>0x60	ubequad		x			\b, rhBootMetadata 0x%16.16llx
+# rhIntegrity; the location of integrity table used to verify files
+#>0x7c	ubequad		x			\b, rhIntegrity 0x%16.16llx
+# Unused[60]
+#>148	ubequad		!0			\b,unused 0x%16.16llx
-------------- next part --------------
--- file-5.36/magic/Magdir/msdos.old	2018-11-11 01:58:19 +0000
+++ file-5.36/magic/Magdir/msdos	2019-03-13 00:55:00 +0000
@@ -1428,8 +1428,4 @@
 0	string/b	B000FF\n	Windows Embedded CE binary image
-# Windows Imaging (WIM) Image
-0	string/b	MSWIM\000\000\000	Windows imaging (WIM) image
-0	string/b	WLPWM\000\000\000	Windows imaging (WIM) image, wimlib pipable format
 # The second byte of these signatures is a file version; I don't know what,
 # if anything, produced files with version numbers 0-2.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: file-5.36-windows-wim.diff.sig
Type: application/octet-stream
Size: 95 bytes
Desc: not available
URL: <https://mailman.astron.com/pipermail/file/attachments/20190313/bbdd8eba/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: file-5.36-msdos-wim.diff.sig
Type: application/octet-stream
Size: 95 bytes
Desc: not available
URL: <https://mailman.astron.com/pipermail/file/attachments/20190313/bbdd8eba/attachment-0001.obj>

More information about the File mailing list