[File] [PATCH] of Magdir/Windows Policy Administrative Template misidentified as setup INFormation

Jörg Jenderek joerg.jen.der.ek at gmx.net
Sun Oct 31 23:52:09 UTC 2021


Hello,
some days ago i handled some Windows INI/INF examples. Some
unexpected results lead me to inspect Windows ADM examples, which are
typically stored in directory like:
c:\windows\system32\GroupPolicy\ADM

When running file command version 5.41 on such examples and related
files i get an output like:

AER_3082.ADM:      Unicode text, UTF-16, little-endian text,
		   with very long lines (755),
		   with CRLF line terminators
MultiPoint.adm:    Windows setup INFormation
arduino_gemma.inf: Windows setup INFormation
common.adm:        ASCII text,
		   with CRLF line terminators
conf.adm:          Unicode text, UTF-16, little-endian text,
		   with very long lines (465),
		   with CRLF line terminators
inetset.adm:       ISO-8859 text,
		   with very long lines (422),
		   with CRLF line terminators
mdmnokia.inf:      Windows setup INFormation
netnwcli.inf:      Windows setup INFormation
netvwifibus.inf:   Windows setup INFormation
subsm.adm:         Windows setup INFormation
test-if.adm:       ASCII text,
		   with CRLF line terminators
wuau.adm:          Unicode text, UTF-16, little-endian text,
		   with very long lines (3042),
		   with CRLF line terminators


For comparison reason i run the file format identification utility
TrID ( See https://mark0.net/soft-trid-e.html). This describes nearly
all examples correctly as "Windows Policy Administrative Template"
with 3 variants. This list the used file name extension ADM and often
with -v option the related URL pointing to used file format
information. (See appended adm_trid-v.txt.gz)

This is now expressed by additional comment lines inside
Magdir/Windows like:
# URL:	https://en.wikipedia.org/wiki/Administrative_Template
# Ref.:	http://mark0.net/download/triddefs_xml.7z/defs/a/adm.trid.xml

Unfortunately there does not exist an official or complete file
format description for such Windows ADM files. So i put displaying
part inside sub routine windows-adm. So later if changes are needed
only test lines must be changed or added. This sub routine starts like:

0	name windows-adm Windows Policy Administrative Template
!:mime	text/x-ms-adm
!:ext	adm
Instead of generic mime type text/plain a user defined one is shown.

During construction of magic lines i myself missed some variants or
must work hard to distinguish ADM from INF examples. So i realize it
is a good idea to display the starting bytes of ADM files. Because
these are text files, so i display the first, second and maybe also
the third text line.
According to TrID (by adm-uni.trid.xml) some variant are UTF-16
(Little Endian) encoded. These starts with a Byte order mark
( See http://en.wikipedia.org/wiki/Byte-order_mark) followed by
UTF-16 LE text. So this text lines for that variant are shown by
section like:
  >0	ubeshort		=0xFFFE
  >>2	lestring16		x		\b, 1st line "%s"

If ADM file does not start with BOM then ADM is "ASCII" encoded and
directly start with text lines. For this variant (by adm.trid.xml)
information is shown by section starting like:
  >0	ubeshort		!0xFFFE
  >>0	string			x		\b, 1st line "%s"


According to Wikipedia a valid ADM file must have the following
keyword Class followed by keyword MACHINE or USER. And according to
TrID definitions the keywords are all upcased and separated by one
space character. In best case such characteristic pattern occur in
first line, but some times ADM examples start with a pre processor
line like ""#if version <= 2". So magic pattern occurs later. Some
ADM examples start with comment lines ( starting with semicolon as
first character on line). So in worst cases like MultiPoint.adm the
magic pattern occur on line number 5 or in line 4 in inetset.adm. So
to catch such "worst" case examples the ASCII variant are now handled
by magic test lines like:
  0	search/0x4E	CLASS\040
  >&0	string		MACHINE
  >>0	use		windows-adm
  >&0	string		USER
  >>0	use		windows-adm

Next step is to handle misidentified ASCII examples like subsm.adm
and MultiPoint.adm. These are described by TrID as third variant
"Windows Policy Administrative Template (with rem)" by
adm-rem.trid.xml. So that means such ADM examples start with a remark
line ( semicolon at beginning).

To test for bracket character like "[" which is characteristic for
Windows setup INFormation run a command like:
	grep "\["  *adm
This gives an output like:
	common.adm:[strings]
	inetset.adm:[strings]
	inetset.adm:[IEAK]
	MultiPoint.adm:[strings]
	subsm.adm:[strings]
	subsm.adm:[IEAK]
So some ADM examples contain bracket section which is interpreted as
INF or INI examples.

So i look for the code flow for such INI files with remark lines.
That was done by lines like:
  0	string		;
  >0	use		ini-file
So this now becomes like
  0	string		;
  >1	search/3548	END\040CATEGORY
  >1	default		x
  >>0	use		ini-file

Instead of "CLASS" keyword i now look here for longer phrased
"END\040CATEGORY" hoping that is now unique enough to distinguish ADM
from INF examples. If this phrase is found then do nothing here
because ADM remark examples are already handled by generic ASCII ADM
tests. If this phrase is not found then assume that example is a
INF/INI example and handle example by subroutine ini-file.

The UTF-16 encoded INF examples are handled by starting test lines like
0	ubelong&0xFFff89FF	=0xFFFE0900
 >2	search/8192		[
In first line test for UTF-16 BOM followed by Carriage Return
(~0D00), comment (semicolon~3B00) or section (bracket~5B00) was done.
In second line test for left bracket character "[" was done.
This now becomes like:
0	ubeshort		=0xFFFE
 >2	search/0x384A	E\0N\0D\0\040\0C\0A\0T\0E\0G\0O\0R\0Y\0
 >>0	use		windows-adm
 >2	default		x
 >>0	ubelong&0xFFff89FF	=0xFFFE0900
 >>>2	search/8192		[
So some additional test lines are inserted at the beginning. By first
line test for BOM only is done. Then look again for characteristic
phrase but in UTF-16 LE encoded form. If this is true then continue
execution by handing as ADM case via sub routine windows-adm. If not
true then assume it is an INF/INI example and continue with test
lines like before.

After applying the above mentioned modifications by patch
file-5.41-windows-adm.diff then all ADM examples are now described
correctly and INF samples still are described like:

AER_3082.ADM:      Windows Policy Administrative Template,
		   1st line "#if version <= 2",
		   2nd line "CLASS USER"
MultiPoint.adm:    Windows Policy Administrative Template,
		   1st line ";Privacy Notification
		   - Group Policy Setting",
		   3th line "#if version >= 3",
		   ASCII text, with very long lines (335),
		   with CRLF line terminators
arduino_gemma.inf: Windows setup INFormation
common.adm:        Windows Policy Administrative Template,
		   1st line "CLASS MACHINE",
		   3th line "CLASS USER",
		   ASCII text,
		   with CRLF line terminators
conf.adm:          Windows Policy Administrative Template,
		   1st line "; NetMeeting policy settings",
		   2nd line "#if version <= 2"
inetset.adm:       Windows Policy Administrative Template,
		   1st line "; Internet Settings Policy
		   Template File",
		   2nd line ";",
		   ISO-8859 text, with very long lines (422),
		   with CRLF line terminators
mdmnokia.inf:      Windows setup INFormation
netnwcli.inf:      Windows setup INFormation
netvwifibus.inf:   Windows setup INFormation
subsm.adm:         Windows Policy Administrative Template,
		   1st line "; subs.adm",
		   2nd line ";",
		   ASCII text,
		   with CRLF line terminators
test-if.adm:       Windows Policy Administrative Template,
		   1st line "#if version <= 2",
		   2nd line "CLASS MACHINE",
		   ASCII text,
		   with CRLF line terminators
wuau.adm:          Windows Policy Administrative Template,
		   1st line "#if version <= 2",
		   2nd line "#endif"

I hope my diff file can be applied in future version of
file utility.

In newer Windows versions ADM text files are replaced by XML based
ADMX files. I will try to handle such files in a future session.

With best wishes
Jörg Jenderek
--
Jörg Jenderek















-------------- next part --------------
--- file-5.41/magic/Magdir/windows.old	2021-05-12 16:30:24 +0000
+++ file-5.41/magic/Magdir/windows	2021-10-31 22:55:22 +0000
@@ -497,6 +497,12 @@
 >0	use		ini-file
-# comment line
+# comment line starting with semicolon
 0	string		;
->0	use		ini-file
-# section line
+# look for phrase of Windows policy ADMinistrative template (with starting remark)
+# like: WINDOW_95_CD/TOOLS/RESKIT/netadmin/poledit/conf.adm
+>1	search/3548	END\040CATEGORY
+# ADM with remark (by adm-rem.trid.xml) already done by generic ASCII variant
+# if no Windows policy ADMinistrative template then Windows INItialization
+>1	default		x
+>>0	use		ini-file
+# section line starting with left bracket
 0	string		[
@@ -605,21 +611,33 @@
 !:ext	ini/inf
+# UTF-16 BOM
+0	ubeshort		=0xFFFE
+# look for phrase of Windows policy ADMinistrative template (UTF-16 by adm-uni.trid.xml)
+# like: wuau.adm
+>2	search/0x384A	E\0N\0D\0\040\0C\0A\0T\0E\0G\0O\0R\0Y\0
+>>0	use		windows-adm
+# if no Windows policy ADMinistrative template then Windows INFormation
+>2	default		x
 # UTF-16 BOM followed by CR~0D00 , comment~semicolon~3B00 , section~bracket~5B00
-0	ubelong&0xFFff89FF	=0xFFFE0900
+>>0	ubelong&0xFFff89FF	=0xFFFE0900
 # look for left bracket in section line
->2	search/8192		[
+>>>2	search/8192		[
 # keyword without 1st letter which is maybe up-/down-case
->>&3	lestring16		ersion]			Windows setup INFormation
+>>>>&3	lestring16		ersion]			Windows setup INFormation
 !:mime	application/x-setupscript
+# like: hdaudio.inf iscsi.inf spaceport.inf tpm.inf usbhub3.inf UVncVirtualDisplay.inf
 !:ext	inf
->>&3	lestring16		trings]			Windows setup INFormation
+>>>>&3	lestring16		trings]			Windows setup INFormation
 !:mime	application/x-setupscript
+# like: arduino_gemma.inf iis.inf MSM8960.inf
 !:ext	inf
->>&3	lestring16		ourceDisksNames]	Windows setup INFormation
+>>>>&3	lestring16		ourceDisksNames]	Windows setup INFormation
 !:mime	application/x-setupscript
+# like: atiixpag.inf mdmnokia.inf netefe32.inf rdpbus.inf
 !:ext	inf
 # netnwcli.inf start with ;---[ NetNWCli.INX ]
->>&3	default			x
+>>>>&3	default			x
 # look for NL followed by left bracket
->>>&0	search/8192		\x0A\x00\x5b
->>>>&3	lestring16		ersion]			Windows setup INFormation
+>>>>>&0	search/8192		\x0A\x00\x5b
+# like: defltwk.inf netvwifibus.inf WSDPrint.inf
+>>>>>>&3 lestring16		ersion]			Windows setup INFormation
 !:mime	application/x-setupscript
@@ -627,2 +645,35 @@
 
+# Summary:	Windows Policy ADMinistrative template
+# From:		Joerg Jenderek
+# URL:		https://en.wikipedia.org/wiki/Administrative_Template
+# Reference:	http://mark0.net/download/triddefs_xml.7z/defs/a/adm.trid.xml
+# Note:		typically stored in directory like: %WINDIR%\system32\GroupPolicy\ADM
+# worst case ASCII variant starting with remark line like: inetset.adm
+0	search/0x4E	CLASS\040
+>&0	string		MACHINE
+>>0	use		windows-adm
+>&0	string		USER
+>>0	use		windows-adm
+# display information about Windows policy ADMinistrative template
+0	name		windows-adm	Windows Policy Administrative Template
+!:mime	text/x-ms-adm
+!:ext	adm
+# UTF-16 BOM implies UTF-16 encoded ADM (by adm-uni.trid.xml)
+>0	ubeshort		=0xFFFE
+>>2	lestring16		x		\b, 1st line "%s"
+# look for UTF-16 encoded CarriageReturn LineFeed
+>>>2	search/0x3A		\r\0\n\0
+>>>>&0	lestring16		x		\b, 2nd line "%s"
+# no UTF-16 BOM implies "ASCII" encoded ADM (by adm.trid.xml)
+>0	ubeshort		!0xFFFE
+>>0		string		x		\b, 1st line "%s"
+#>>>&0		ubequad		x		\b, 2ND %16.16llx
+# 2nd line empty
+>>>&2		beshort		=0x0D0A
+>>>>&0		beshort		!0x0D0A		\b, 3th line
+>>>>>&-2	string		x		"%s"
+# 2nd line with content
+>>>&2		beshort		!0x0D0A		\b, 2nd line
+>>>>&-2		string		x		"%s"
+
 # Windows Precompiled INF files *.PNF added by Joerg Jenderek at Mar 2013 of _PNF_HEADER inf.h
-------------- next part --------------
A non-text attachment was scrubbed...
Name: file-5.41-windows-adm.diff.sig
Type: application/octet-stream
Size: 1681 bytes
Desc: not available
URL: <https://mailman.astron.com/pipermail/file/attachments/20211101/278fda07/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: adm_trid-v.txt.gz
Type: application/x-gzip
Size: 677 bytes
Desc: not available
URL: <https://mailman.astron.com/pipermail/file/attachments/20211101/278fda07/attachment.bin>


More information about the File mailing list