[File] [PATCH] of Magdir/windows for Windows Easy Transfer migration data *.mig
Jörg Jenderek
joerg.jen.der.ek at gmx.net
Sat Nov 2 22:08:30 UTC 2019
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello,
some days ago i read an article about problems and solutions when
switching from Windows 7 to 10.
In Windows 7 there exist a tool migwiz.exe inside system32 sub
directory with name "Windows Easy Transfer". Microsoft does not
support this tool any more and you get no real help. What an arrogant
behaviour!
But this tool still can be used even with Windows 10 to transfer files
and settings. One possibility of the tool is to store the saved stuff
as file with name extension mig on an external USB drive on network
drive. When i run file command version 5.37 on such samples these are
described only as data.
Some information about Windows Easy Transfer can be found on
Wikipedia. So i add comment line to Magdir/windows like
# URL: https://en.wikipedia.org/wiki/Windows_Easy_Transfer
Unfortunately i find no file format specification for such MIG files.
The file identifier "TrID" ( see http://mark0.net/soft-trid-e.html)
describes such files as "Windows Easy Transfer migration data".
So i rely on TrID definition for identifying and mention that
reference by remark line like
# Reference: mark0.net/download/triddefs_xml.7z/defs/m/mig.trid.xml
According to TrID identify now such samples are described by line:
0 string 1giM Windows Easy Transfer migration data
Afterwards show a user defined mime type an file name extension by
lines:
!:mime application/x-ms-mig
!:ext mig
Microsoft itself called such saved archive "Migration Store" or
"EasyTransfer file".
Furthermore i rely on my own observations. Apparently after header
are structures coming with keyword MRTS at some different positions.
Afterwards first file name length seems to be stored and 20 bytes
forward first file name is stored as URL string like File\C:\3 with
UTF-16 little endian coding. This information can be shown by lines
like:
>0x18 search/29/b MRTS
>>&0 ulelong x \b, 1st length %u
>>&20 lestring16 x \b, 1st %-s
For MIG files without password MRTS tag always seems to be found at
offset 0x18. For samples with password this tag occur some bytes
forward. Some bytes after the filename a compressed structure seems
to be stored starting with byte sequence 7801h. For variants without
password this structure is 8 bytes after first file name part
For such samples with the help of stored file name length calculate
and print this offset to this structure and inspect this structure
by using other file magic parts. So this looks like
>0x18 string =MRTS without password
>>0x1c ulelong+0x38 x \b, at 0x%x
>>(0x1c.l+0x38) ubyte x
>>>&-1 indirect x
>0x18 string !MRTS with password
For my examples this structures are identified by Magdir/compress as
zlib compressed data. For samples with password zlib looking
structures seems to come also some bytes after file name part.
After applying the above mentioned modifications by patch
file-5.37-windows-mig.diff then i get an output like
TEST10PublicVideosNoPassword.MIG:
Windows Easy Transfer migration data
without password,
at 0xd0 zlib compressed data,
1st File\C:\Users\nutzer\AppData\Roaming\
Microsoft\Windows\Libraries\desktop.ini\003
TEST15-1File3rootdirPassworda-z1-0A-Z1-0.MIG:
Windows Easy Transfer migration data
with password,
1st File\C:\3\003\007\310
Windows-EasyTransfer - Elemente vom Quellcomputer.MIG:
Windows Easy Transfer migration data
without password,
at 0xa6 zlib compressed data,
1st File\
C:\Users\user\.dbus-keyrings\org_gtk_gdbus_general
Windows-EasyTransfer - TEST3.MIG:
Windows Easy Transfer migration data
with password,
1st File\
C:\Users\user\AppData\Roaming\
Microsoft\Internet Explorer\Quick Launch\desktop.ini
I hope my diff file can be applied in future version of
file utility.
With best wishes
Jörg Jenderek
- --
Jörg Jenderek
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
iF0EARECAB0WIQS5/qNWKD4ASGOJGL+v8rHJQhrU1gUCXb3+VQAKCRCv8rHJQhrU
1pj+AJ4/9twH7/KPOvj2Yj5wqNjSgWWtYwCfTfqIxmFdB5NX4Q9dTx7dJ5T0qe8=
=7mF2
-----END PGP SIGNATURE-----
-------------- next part --------------
--- file-5.37/magic/Magdir/windows.old 2019-05-01 17:55:25 +0000
+++ file-5.37/magic/Magdir/windows 2019-11-02 21:41:48 +0000
@@ -877,5 +877,29 @@
#>0x7c ubequad x \b, rhIntegrity 0x%16.16llx
# Unused[60]
#>148 ubequad !0 \b,unused 0x%16.16llx
#
+# From: Joerg Jenderek
+# URL: https://en.wikipedia.org/wiki/Windows_Easy_Transfer
+# Reference: http://mark0.net/download/triddefs_xml.7z/defs/m/mig.trid.xml
+# Note: called "Windows Easy Transfer migration data" by TrID,
+# "Migration Store" or "EasyTransfer file" by Microsoft
+0 string 1giM Windows Easy Transfer migration data
+#!:mime application/octet-stream
+!:mime application/x-ms-mig
+!:ext mig
+>0x18 string =MRTS without password
+# data offset with 1 space at end
+>>0x1c ulelong+0x38 x \b, at 0x%x
+# look for zlib compressed data by ./compress
+>>(0x1c.l+0x38) ubyte x
+>>>&-1 indirect x
+# in password protected examples MRTS comes some bytes further
+>0x18 string !MRTS with password
+# look for first MRTS tag
+>0x18 search/29/b MRTS
+# probably first file name length like 178, ...
+#>>&0 ulelong x \b, 1st length %u
+# URL like File\C:\Users\nutzer\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
+>>&20 lestring16 x \b, 1st %-s
+
-------------- next part --------------
A non-text attachment was scrubbed...
Name: file-5.37-windows-mig.diff.sig
Type: application/octet-stream
Size: 95 bytes
Desc: not available
URL: <https://mailman.astron.com/pipermail/file/attachments/20191102/233461ca/attachment.obj>
More information about the File
mailing list