[File] [PATCH] of Magdir/windows; additional extension wim2+ppkg for Windows imaging

Jörg Jenderek joerg.jen.der.ek at gmx.net
Sun Jan 10 00:00:46 UTC 2021


Hello,
some days ago I ran Piriform CCleaner to scan my registry. It
complained about the application provtool.exe. The supported types have
the file name extension ppkg. This is registered for
Microsoft.ProvTool.Provisioning.1. These are Microsoft Windows
provisioning packages. Such packages can be created by Windows
Imaging and Configuration Designer icd.exe. That tool is part of the
Windows 10 Assessment and Deployment Kit. Usually such samples are
found in the Packages subdirectory inside the Provisioning subdirectory
in a modern Windows directory.
When running file command version 5.39 on such samples and related
files I get an output like:
TEST2PPKG.ppkg:
	Windows imaging (WIM) image v1.13,
	XPRESS compressed, reparse point fixup
Power.Settings.Sleep.ppkg:
	Windows imaging (WIM) image v1.13,
	XPRESS compressed, reparse point fixup
Power.EnergyEstimationEngine.Wifi.ppkg:
	Windows imaging (WIM) image v1.13,
	XPRESS compressed, reparse point fixup
Microsoft.Windows.Cosa.Desktop.Client.ppkg:
	Windows imaging (WIM) image v1.13,
	XPRESS compressed, reparse point fixup
Reconstruct.WIM2:
	Windows imaging (WIM) image v1.13,
	LZX compressed, reparse point fixup

Furthermore, with the --extension option the wrong wim is displayed.
For comparison I ran the file format identification utility
TrID (see https://mark0.net/soft-trid-e.html). This correctly lists
the used file name extensions like:

File: TEST2PPKG.ppkg
 94.6% (.PPKG) Microsoft Windows Provisioning Package (266508/2/33)
  2.8% (.WIM) Windows Imaging Format (WIM) (8002/2)
  2.4% (.WIM/WIM2/SWM/ESD/PPKG) Windows Imaging Format (generic)
File: Power.Settings.Sleep.ppkg
 94.6% (.PPKG) Microsoft Windows Provisioning Package (266508/2/33)
  2.8% (.WIM) Windows Imaging Format (WIM) (8002/2)
  2.4% (.WIM/WIM2/SWM/ESD/PPKG) Windows Imaging Format (generic)
File: Power.EnergyEstimationEngine.Wifi.ppkg
 94.6% (.PPKG) Microsoft Windows Provisioning Package (266508/2/33)
  2.8% (.WIM) Windows Imaging Format (WIM) (8002/2)
  2.4% (.WIM/WIM2/SWM/ESD/PPKG) Windows Imaging Format (generic)
File: Microsoft.Windows.Cosa.Desktop.Client.ppkg
 94.6% (.PPKG) Microsoft Windows Provisioning Package (266508/2/33)
  2.8% (.WIM) Windows Imaging Format (WIM) (8002/2)
  2.4% (.WIM/WIM2/SWM/ESD/PPKG) Windows Imaging Format (generic)
File: Reconstruct.WIM2
 53.3% (.WIM) Windows Imaging Format (WIM) (8002/2)
 46.6% (.WIM/WIM2/SWM/ESD/PPKG) Windows Imaging Format (generic)

And with the -v option the related URL pointing to the used file format
information is displayed.

So I add, after the line with the link to the Wikipedia web page about
Windows Imaging Format, a second link to the file formats archive team
web site. This is now expressed inside Magdir/windows by an additional
comment line like:
 # http://fileformats.archiveteam.org/wiki/Windows_Imaging_Format

There the file name extension WIM2 is also mentioned. Normally
for split WIM images the file name extension SWM is used. But who
does not obey that rule? Yes, you guessed right. It is Microsoft!
The second disk image part created by Microsoft's recovery drive
creation tool RecoveryDrive.exe has the name Reconstruct.WIM2. And no
good explanation or documentation for that naming behaviour is found on
Microsoft web servers or other documentation sites. What an
annoyance! So I also add WIM2 as a second possible file name extension.
That is now expressed as a magic line like:
!:ext	wim/wim2

Unfortunately the documentation from Microsoft about Windows
provisioning packages does not mention or explain the used ppkg file
format. On the deploymentresearch web site, the article titled "Beyond
Basic Windows 10 Provisioning Packages" by Johan Arwidmark mentions
that the WIM file format is used for Windows provisioning packages.
In consequence that means that PPKG samples can also be opened by the
Microsoft tools ImageX and DISM. The samples can also be handled by the
wimlib tools and the 7-Zip packing tool.
The file command identifies all examples as "Windows imaging (WIM)
image" with version "1.13" and as "XPRESS" compressed and "reparse
point fixup". I do not know if this is always true or just
triggered by lucky circumstances. These facts are observed for very
old samples from October 2015 and up-to-date examples from
September 2020.

So WIM tools like 7z can list the file contents when forced to
use the WIM file type by the -twim option. So I always see the directories
Multivariant and CommonSettings. All my packages contain the
file RunTime.xml. So I look for that archive member RunTime.xml by
brute force with additional magic lines like:
 >>>156	search/68233/s		RunTime.xml	\bWindows provisioning package)
 !:ext	ppkg
If I do not find this file name string, then I assume it is a WIM
archive by lines like
 >>>156	default			x		\bWIM) image
 !:ext	wim/wim2

After applying the above mentioned modifications by patch
file-5.39-windows-wim.diff, I get a more precise output like:

TEST2PPKG.ppkg:
	Windows imaging (Windows provisioning package) v1.13,
	XPRESS compressed, reparse point fixup
Power.Settings.Sleep.ppkg:
	Windows imaging (Windows provisioning package) v1.13,
	XPRESS compressed, reparse point fixup
Power.EnergyEstimationEngine.Wifi.ppkg:
	Windows imaging (Windows provisioning package) v1.13,
	XPRESS compressed, reparse point fixup
Microsoft.Windows.Cosa.Desktop.Client.ppkg:
	Windows imaging (Windows provisioning package) v1.13,
	XPRESS compressed, reparse point fixup
Reconstruct.WIM2:
	Windows imaging (WIM) image v1.13,
	LZX compressed, reparse point fixup

And with the --extension option the correct name extensions are now
shown, like:

TEST2PPKG.ppkg:                             ppkg
Power.Settings.Sleep.ppkg:                  ppkg
Power.EnergyEstimationEngine.Wifi.ppkg:     ppkg
Microsoft.Windows.Cosa.Desktop.Client.ppkg: ppkg
Reconstruct.WIM2:                           wim/wim2

I hope my diff file can be applied in a future version of the
file utility.

With best wishes
Jörg Jenderek
-------------- next part --------------
--- file-5.39/magic/Magdir/windows.old	2020-05-31 10:34:41 +0000
+++ file-5.39/magic/Magdir/windows	2021-01-09 22:54:26 +0000
@@ -921,4 +921,5 @@
 # Windows Imaging (WIM) Image
-# Update: Joerg Jenderek at Mar 2019
+# Update: Joerg Jenderek at Mar 2019, 2021
 # URL: https://en.wikipedia.org/wiki/Windows_Imaging_Format
+#      http://fileformats.archiveteam.org/wiki/Windows_Imaging_Format
 # Reference: https://download.microsoft.com/download/f/e/f/
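Review bot: The added URL comment line uses http:// while the Wikipedia URL line above it and the Reference line below it use https://; if the Archive Team wiki is reachable over https, use that scheme here so the block stays consistent. The Update line now reads "Mar 2019, 2021", which drops the month for the second update; giving the month as well would match the existing form.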
@@ -951,4 +952,10 @@
 !:ext	esd
->>12	ulelong		!3584			(WIM) image
-!:ext	wim
+>>12	ulelong		!3584			(
+# look for archive member RunTime.xml like in Microsoft.Windows.Cosa.Desktop.Client.ppkg
+>>>156	search/68233/s		RunTime.xml	\bWindows provisioning package)
+!:ext	ppkg
+# if is is not a Windows provisioning package, then it is a WIM
+>>>156	default			x		\bWIM) image
+# second disk image part created by Microsoft's RecoveryDrive.exe has name Reconstruct.WIM2
+!:ext	wim/wim2
 >0	string/b	WLPWM\000\000\000	\b, wimlib pipable format
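Review bot: The bound in ">>>156 search/68233/s RunTime.xml" is an unexplained constant, and the whole classification depends on it. A provisioning package whose RunTime.xml string lies outside the searched range falls through to the "default" branch and is reported as WIM with extensions wim/wim2, while any other WIM image that happens to carry that string inside the range is reported as a provisioning package with extension ppkg. Please add a comment stating how 68233 was derived (for example the highest offset seen in the samples) and that the match is a heuristic on a single member name. The new comment "if is is not a Windows provisioning package" also has a typo and should read "if it is not".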