[File] [PATCH] of Magdir/Windows Policy Administrative Template misidentified as setup INFormation
Christos Zoulas
christos at zoulas.com
Wed Nov 10 23:06:12 UTC 2021
Committed, thanks!
christos
> On Oct 31, 2021, at 7:52 PM, Jörg Jenderek <joerg.jen.der.ek at gmx.net> wrote:
>
> Hello,
> Some days ago I handled some Windows INI/INF examples. Some
> unexpected results led me to inspect Windows ADM examples, which are
> typically stored in a directory like:
> c:\windows\system32\GroupPolicy\ADM
>
> When running the file command version 5.41 on such examples and related
> files, I get output like:
>
> AER_3082.ADM: Unicode text, UTF-16, little-endian text,
> with very long lines (755),
> with CRLF line terminators
> MultiPoint.adm: Windows setup INFormation
> arduino_gemma.inf: Windows setup INFormation
> common.adm: ASCII text,
> with CRLF line terminators
> conf.adm: Unicode text, UTF-16, little-endian text,
> with very long lines (465),
> with CRLF line terminators
> inetset.adm: ISO-8859 text,
> with very long lines (422),
> with CRLF line terminators
> mdmnokia.inf: Windows setup INFormation
> netnwcli.inf: Windows setup INFormation
> netvwifibus.inf: Windows setup INFormation
> subsm.adm: Windows setup INFormation
> test-if.adm: ASCII text,
> with CRLF line terminators
> wuau.adm: Unicode text, UTF-16, little-endian text,
> with very long lines (3042),
> with CRLF line terminators
>
>
> For comparison, I ran the file format identification utility
> TrID (see https://mark0.net/soft-trid-e.html). This describes nearly
> all examples correctly as "Windows Policy Administrative Template"
> with 3 variants. It lists the used file name extension ADM and, with
> the -v option, often the related URL pointing to the used file format
> information. (See the appended adm_trid-v.txt.gz.)
>
> This is now expressed by additional comment lines inside
> Magdir/Windows like:
> # URL: https://en.wikipedia.org/wiki/Administrative_Template
> # Ref.: http://mark0.net/download/triddefs_xml.7z/defs/a/adm.trid.xml
>
> Unfortunately there is no official or complete file format
> description for such Windows ADM files. So I put the displaying
> part inside the subroutine windows-adm. Later, if changes are needed,
> only the test lines must be changed or added. This subroutine starts like:
>
> 0 name windows-adm Windows Policy Administrative Template
> !:mime text/x-ms-adm
> !:ext adm
> Instead of the generic MIME type text/plain, a user-defined one is shown.
>
> During construction of the magic lines I myself missed some variants or
> had to work hard to distinguish ADM from INF examples. So I realized it
> is a good idea to display the starting bytes of ADM files. Because
> these are text files, I display the first, second and maybe also
> the third text line.
> According to TrID (by adm-uni.trid.xml) some variants are UTF-16
> (Little Endian) encoded. These start with a byte order mark
> (see http://en.wikipedia.org/wiki/Byte-order_mark) followed by
> UTF-16 LE text. So the text lines for that variant are shown by a
> section like:
> >0 ubeshort =0xFFFE
> >>2 lestring16 x \b, 1st line "%s"
>
> If an ADM file does not start with a BOM, then the ADM is "ASCII" encoded
> and starts directly with text lines. For this variant (by adm.trid.xml)
> the information is shown by a section starting like:
> >0 ubeshort !0xFFFE
> >>0 string x \b, 1st line "%s"
>
>
> According to Wikipedia a valid ADM file must have the following
> keyword Class followed by the keyword MACHINE or USER. And according to
> the TrID definitions the keywords are all upcased and separated by one
> space character. In the best case such a characteristic pattern occurs
> in the first line, but sometimes ADM examples start with a preprocessor
> line like "#if version <= 2", so the magic pattern occurs later. Some
> ADM examples start with comment lines (starting with a semicolon as
> the first character on the line). So in worst cases the magic pattern
> occurs on line number 5, as in MultiPoint.adm, or in line 4, as in
> inetset.adm. To catch such "worst" case examples the ASCII variants
> are now handled by magic test lines like:
> 0 search/0x4E CLASS\040
> >&0 string MACHINE
> >>0 use windows-adm
> >&0 string USER
> >>0 use windows-adm
>
> The next step is to handle misidentified ASCII examples like subsm.adm
> and MultiPoint.adm. These are described by TrID as the third variant
> "Windows Policy Administrative Template (with rem)" by
> adm-rem.trid.xml. That means such ADM examples start with a remark
> line (semicolon at the beginning).
>
> To test for a bracket character like "[", which is characteristic of
> Windows setup INFormation, run a command like:
> grep "\[" *adm
> This gives output like:
> common.adm:[strings]
> inetset.adm:[strings]
> inetset.adm:[IEAK]
> MultiPoint.adm:[strings]
> subsm.adm:[strings]
> subsm.adm:[IEAK]
> So some ADM examples contain a bracket section, which causes them to be
> interpreted as INF or INI examples.
>
> So I looked at the code flow for such INI files with remark lines.
> That was done by lines like:
> 0 string ;
> >0 use ini-file
> So this now becomes:
> 0 string ;
> >1 search/3548 END\040CATEGORY
> >1 default x
> >>0 use ini-file
>
> Instead of the "CLASS" keyword I now look here for the longer phrase
> "END\040CATEGORY", hoping that it is unique enough to distinguish ADM
> from INF examples. If this phrase is found, then nothing is done here,
> because ADM remark examples are already handled by the generic ASCII ADM
> tests. If this phrase is not found, then assume that the example is an
> INF/INI example and handle it by the subroutine ini-file.
>
> The UTF-16 encoded INF examples are handled by test lines starting like:
> 0 ubelong&0xFFff89FF =0xFFFE0900
> >2 search/8192 [
> In the first line a test for a UTF-16 BOM followed by a carriage return
> (~0D00), comment (semicolon ~3B00) or section (bracket ~5B00) was done.
> In the second line a test for the left bracket character "[" was done.
> This now becomes:
> 0 ubeshort =0xFFFE
> >2 search/0x384A E\0N\0D\0\040\0C\0A\0T\0E\0G\0O\0R\0Y\0
> >>0 use windows-adm
> >2 default x
> >>0 ubelong&0xFFff89FF =0xFFFE0900
> >>>2 search/8192 [
> So some additional test lines are inserted at the beginning. In the first
> line a test for the BOM only is done. Then look again for the
> characteristic phrase, but in UTF-16 LE encoded form. If this is true,
> then continue execution by handling it as the ADM case via the subroutine
> windows-adm. If not true, then assume it is an INF/INI example and
> continue with the test lines as before.
>
> After applying the above mentioned modifications by the patch
> file-5.41-windows-adm.diff, all ADM examples are now described
> correctly and INF samples are still described like:
>
> AER_3082.ADM: Windows Policy Administrative Template,
> 1st line "#if version <= 2",
> 2nd line "CLASS USER"
> MultiPoint.adm: Windows Policy Administrative Template,
> 1st line ";Privacy Notification
> - Group Policy Setting",
> 3th line "#if version >= 3",
> ASCII text, with very long lines (335),
> with CRLF line terminators
> arduino_gemma.inf: Windows setup INFormation
> common.adm: Windows Policy Administrative Template,
> 1st line "CLASS MACHINE",
> 3th line "CLASS USER",
> ASCII text,
> with CRLF line terminators
> conf.adm: Windows Policy Administrative Template,
> 1st line "; NetMeeting policy settings",
> 2nd line "#if version <= 2"
> inetset.adm: Windows Policy Administrative Template,
> 1st line "; Internet Settings Policy
> Template File",
> 2nd line ";",
> ISO-8859 text, with very long lines (422),
> with CRLF line terminators
> mdmnokia.inf: Windows setup INFormation
> netnwcli.inf: Windows setup INFormation
> netvwifibus.inf: Windows setup INFormation
> subsm.adm: Windows Policy Administrative Template,
> 1st line "; subs.adm",
> 2nd line ";",
> ASCII text,
> with CRLF line terminators
> test-if.adm: Windows Policy Administrative Template,
> 1st line "#if version <= 2",
> 2nd line "CLASS MACHINE",
> ASCII text,
> with CRLF line terminators
> wuau.adm: Windows Policy Administrative Template,
> 1st line "#if version <= 2",
> 2nd line "#endif"
>
> I hope my diff file can be applied in a future version of the
> file utility.
>
> In newer Windows versions ADM text files are replaced by XML based
> ADMX files. I will try to handle such files in a future session.
>
> With best wishes
> Jörg Jenderek
> --
> Jörg Jenderek
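The decision tree Jörg describes in the quoted mail (BOM test, `search/0x4E` for `CLASS `, the `END CATEGORY` searches in ASCII and UTF-16 LE form, and the masked `ubelong` test for the first UTF-16 code unit) re-implemented in plain Python as an added example. This is not file(1)'s code and not the patch itself; the `ini-file` subroutine, which the mail does not show, is replaced by a labelled fallback string, `magic_search`/`classify`/`describe_adm` are names chosen here, and every sample file is constructed:

```python
"""Toy re-implementation of the ADM-vs-INF decision tree from the quoted mail.

Added example, not file(1)'s source and not the patch: it mirrors the quoted
magic lines so the heuristics can be run over constructed samples.
"""

BOM_UTF16LE = b"\xff\xfe"
ADM_LABEL = "Windows Policy Administrative Template"
INF_LABEL = "Windows setup INFormation"
# Stand-in for the ini-file subroutine, which the mail does not reproduce.
INI_FALLBACK = "INI/INF text (ini-file subroutine)"

# Search windows copied from the quoted magic lines ("search/N" tries N offsets).
CLASS_WINDOW = 0x4E          # 0 search/0x4E CLASS\040
ENDCAT_WINDOW = 3548         # >1 search/3548 END\040CATEGORY
ENDCAT_WINDOW_U16 = 0x384A   # >2 search/0x384A E\0N\0D\0\040\0C\0A\0T\0...
BRACKET_WINDOW = 8192        # >2 search/8192 [


def magic_search(data: bytes, needle: bytes, start: int, window: int) -> int:
    """Emulate magic's 'search/N': try the needle at N positions from start.

    Returns the absolute offset of the first match, or -1 if none.
    """
    end = start + window - 1 + len(needle)  # last tried position plus needle
    return data.find(needle, start, end)


def describe_adm(text: str) -> str:
    """Mirror the windows-adm subroutine: the label plus the first text lines."""
    parts = [ADM_LABEL]
    for ordinal, line in zip(("1st", "2nd", "3rd"), text.splitlines()[:3]):
        parts.append(f'{ordinal} line "{line}"')
    return ", ".join(parts)


def classify(data: bytes) -> str:
    """Apply the decision tree described in the mail to one file's bytes."""
    if data.startswith(BOM_UTF16LE):
        # 0 ubeshort =0xFFFE ; >2 search/0x384A E\0N\0D\0... ; >>0 use windows-adm
        needle = "END CATEGORY".encode("utf-16-le")
        if magic_search(data, needle, 2, ENDCAT_WINDOW_U16) != -1:
            return describe_adm(data[2:].decode("utf-16-le", "replace"))
        # >2 default x ; >>0 ubelong&0xFFff89FF =0xFFFE0900 ; >>>2 search/8192 [
        # The mask admits CR (0x0D), ';' (0x3B) and '[' (0x5B) as the first
        # code unit: each of them equals 0x09 after AND with 0x89.
        if (len(data) >= 4 and (data[2] & 0x89) == 0x09 and data[3] == 0
                and magic_search(data, b"[", 2, BRACKET_WINDOW) != -1):
            return INF_LABEL
        return "Unicode text, UTF-16, little-endian text"

    # 0 search/0x4E CLASS\040 ; >&0 string MACHINE / USER ; >>0 use windows-adm
    pos = magic_search(data, b"CLASS ", 0, CLASS_WINDOW)
    if pos != -1 and data[pos + 6:].startswith((b"MACHINE", b"USER")):
        return describe_adm(data.decode("latin-1"))

    # 0 string ; ; >1 search/3548 END\040CATEGORY ; >1 default x ; >>0 use ini-file
    if data.startswith(b";"):
        if magic_search(data, b"END CATEGORY", 1, ENDCAT_WINDOW) != -1:
            # In the real magic this entry prints nothing and the generic ADM
            # tests take over; this toy returns the ADM description directly.
            return describe_adm(data.decode("latin-1"))
        return INI_FALLBACK
    return "ASCII text"


# Constructed samples (not the files from the mail), one per branch.
SAMPLES = {
    "plain.adm": b"#if version <= 2\r\nCLASS MACHINE\r\nCATEGORY !!Demo\r\n"
                 b"END CATEGORY\r\n#endif\r\n",
    # A long leading remark pushes "CLASS" past the 0x4E-byte window, so only
    # the remark branch with its END CATEGORY search can recognise it.
    "remark.adm": b"; constructed remark line " + b"." * 80
                  + b"\r\n;\r\nCLASS USER\r\nCATEGORY !!Demo\r\nEND CATEGORY\r\n",
    "driver.inf": b"; constructed INF\r\n[Version]\r\nSignature=\"$Windows NT$\"\r\n",
    "unicode.adm": BOM_UTF16LE + "#if version <= 2\r\nCLASS USER\r\nCATEGORY !!Demo\r\n"
                                 "END CATEGORY\r\n".encode("utf-16-le"),
    "unicode.inf": BOM_UTF16LE + ";constructed INF\r\n[Strings]\r\n".encode("utf-16-le"),
}


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name}: {classify(blob)}")
```

Running the block prints one description per constructed sample; the `remark.adm` case is the interesting one, because its `CLASS USER` line sits outside the 0x4E-byte window and is only recovered through the `END CATEGORY` search that the patch adds for remark-first files.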