[File] [PATCH] Magdir/ole2compounddocs Microsoft Windows Installer transform script *.MST

Wed Dec 28 23:40:32 UTC 2022

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

some day ago the Hewlett-Packard printer of my friend does not work
any more on Windows 10. So i downloaded from HP site all document
files and software. The printer is an HP ENVY 6000.  Just for
interest i extract the packages. Some files inside has name extension
MST.

When running file command 5.44 with -e soft or no extra option for
the MST examples i get lines like:

EN600x64_1028.mst: Composite Document File V2 Document,
		   Little Endian,
		   Os: Windows, Version 6.3, Code page: 950,
		   Title: Installation Database, Subject:
		   HP ENVY 6000 series mn, Author:
		   HP Inc., Keywords: Installer, Comments:
		   This installer database contains the logic and
		   data required to install HP ENVY 6000 series mn.,
		   Create Time/Date: Sat Nov  6 15:50:32 2021,
		   Name of Creating Application:
		   Windows Installer XML Toolset (3.11.1.2318),
		   Security: 4, Template: x64;1033, Last Saved By:
		   x64;1028, Revision Number:
		   {E1FA9DCE-0E52-4516-ABCA-7A134904B194}
		   51.3.4843.21310;
		   {882CBCA7-F9AD-403F-A32A-230948D8D044}
		   51.3.4843.21310;
		   {FD6E789E-3C21-427F-B5BF-CD8F7744596F},
		   Number of Pages: 200, Number of Characters: 131135
EN600x64_1066.mst: Composite Document File V2 Document,
		   Little Endian,
		   Os: Windows, Version 6.3, Code page: 1252,
		   Title: Installation Database, Subject:
		   HP ENVY 6000 series Basic Device Software, Author:
		   HP Inc., Keywords: Installer, Comments:
		   This installer database contains the logic and
		   data required to install HP ENVY 6000
		   series Basic Device Software.,
		   Create Time/Date: Sat Nov  6 15:53:50 2021,
		   Name of Creating Application:
		   Windows Installer XML Toolset (3.11.1.2318),
		   Security: 4, Template: x64;1033, Last Saved By:
		   x64;1033, Revision Number:
		   {E1FA9DCE-0E52-4516-ABCA-7A134904B194}
		   51.3.4843.21310;
		   {286EA72E-AF41-4E8A-A40E-A6474F10C054}
		   51.3.4843.21310;
		   {FD6E789E-3C21-427F-B5BF-CD8F7744596F},
		   Number of Pages: 200, Number of Characters: 131135
EN600x86_1031.mst: Composite Document File V2 Document,
		   Little Endian,
		   Os: Windows, Version 6.3, Code page: 1252,
		   Title: Installation Database, Subject:
		   HP ENVY 6000 series - Grundlegende Software
		   fr das Gert, Author:
		   HP Inc., Keywords: Installer, Comments:
		   This installer database contains the logic and
		   data required to install HP ENVY 6000 series
		   - Grundlegende Software fr das Gert.,
		   Create Time/Date: Sat Nov  6 14:20:48 2021,
		   Name of Creating Application:
		   Windows Installer XML Toolset (3.11.1.2318),
		   Security: 4, Template: Intel;1033, Last Saved By:
		   Intel;1031, Revision Number:
		   {81B5DD71-1547-4131-8FC1-E8D88AE54556}
		   51.3.4843.21310;
		   {411741A2-8B89-453D-AD0F-91A419717CC8}
		   51.3.4843.21310;
		   {FD6E789E-3C21-427F-B5BF-CD8F7744596F},
		   Number of Pages: 200, Number of Characters: 131135

With option --extension only 3 byte sequence ??? is shown and with
option -i application/vnd.ms-msi is shown.

When running file command version 5.44 with -e cdf option on such
samples i get an output like:

EN600x64_1028.mst: OLE 2 Compound Document, v4.62, SecID 0x1,
		   Mini FAT start sector 0x7, blocksize 4096
		   : UNKNOWN, clsid
		   0x82100c0000000000c000000000000046
		   {000C1082-0000-0000-C000-000000000046} with names
		   @\2127r\035\373 @N\2655 @R\354\354(
		   @\025x\346 @Y\362h7 @\033*\366
EN600x64_1066.mst: OLE 2 Compound Document, v4.62, SecID 0x1,
		   Mini FAT start sector 0x2, blocksize 4096
		   : UNKNOWN, clsid
		   0x82100c0000000000c000000000000046
		   {000C1082-0000-0000-C000-000000000046} with names
		   @Y\362h7 @?wlj\262/ @?wlj\344$
		   \005Summar
EN600x86_1031.mst: OLE 2 Compound Document, v4.62, SecID 0x1,
		   Mini FAT start sector 0xb, blocksize 4096
		   : UNKNOWN, clsid
		   0x82100c0000000000c000000000000046
		   {000C1082-0000-0000-C000-000000000046} with names
		   @\2127r\035\373 @N\2655 @\025x\346\214\361\354\25
		   @Y\362h7 @\334r\267 @ \373l\25

For comparison reason i run the file format identification utility
TrID ( See https://mark0.net/soft-trid-e.html). This identifies also
all examples with low priority as "Generic OLE2 / Multistream
Compound" by docfile.trid.xml. The examples are described with
highest priority as "Windows SDK Setup Transform script" with correct
suffix MST and mime type application/x-ms-mst by mst.trid.xml and mid
range rate as "Windows Installer Patch" with wrong suffix MSP by
msp.trid.xml (See appended trid-v-mst.txt.gz).

For comparison reason i also run the file format identification
utility DROID ( See https://sourceforge.net/projects/droid/). This
identifies all layouts only generic as "OLE2 Compound Document"
by PUID fmt/111.

According to TrID i found a sentence about MST on Windows Installer
page on Wikipedia web site. That informations are now expressed by
comment lines inside Magdir/ole2compounddocs like:

# URL:		http://en.wikipedia.org/wiki/Windows_Installer
# Reference:	http://mark0.net/download/triddefs_xml.7z
#		defs/m/mst.trid.xml

The MST samples are recognized as "OLE 2 Compound Document"
by starting bytes (\320\317\021\340\241\261\032\341) at the beginning
inside Magdir/ole2compounddocs. Obviously there exist no code
fragment to do sub class identification. So the examples are
described as "UNKNOWN". Furthermore the examples have a registered
Root storage object CLSID. That value is shown as hexa decimal value
0x82100c0000000000c000000000000046 or expressed in standard curly
braces expression by {000C1082-0000-0000-C000-000000000046}.

That means that in branch handling non null CLSID GUID lines ,
lines must be added. For related Microsoft Windows Installer
Packages (9*:MSI) and Microsoft Windows Installer Patch (*.MSP)
there exist such entries. So i insert between lines that look like:
 >>>80 	ubequad		0x82100c0000000000	: \
			Microsoft Windows Installer transform script
 !:mime	application/x-ms-mst
 !:ext	mst

After applying the above mentioned modifications by patch
file-5.44-ole2compounddocs-mst.diff then all my inspected Microsoft
Windows Installer validation modules (*.MST) are now also
recognized together with MSI samples. This now looks with -e cdf
option like:

EN600x64_1028.mst: OLE 2 Compound Document, v4.62, SecID 0x1,
		   Mini FAT start sector 0x7, blocksize 4096
		   : Microsoft Windows Installer transform script
EN600x64_1066.mst: OLE 2 Compound Document, v4.62, SecID 0x1,
		   Mini FAT start sector 0x2, blocksize 4096
		   : Microsoft Windows Installer transform script
EN600x86_1031.mst: OLE 2 Compound Document, v4.62, SecID 0x1,
		   Mini FAT start sector 0xb, blocksize 4096
		   : Microsoft Windows Installer transform script

I hope my diff file can be applied in future version of file
utility. Maybe that there exist the possibility to do further sub
classification between MSI and CUB. But for that purpose you must
know what is specific for CUB samples and does not occur in "normal"
MSI samples. I do not know.

With best wishes,
Jörg Jenderek
- --
Jörg Jenderek



-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iF0EARECAB0WIQS5/qNWKD4ASGOJGL+v8rHJQhrU1gUCY6zT4QAKCRCv8rHJQhrU
1ncNAJ49VaS5g6KcKXC1FOUWRhZyQDgE5wCfYbwrDyXDl+NMBxktXBp+PXqaiCs=
=KYDn
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: trid-v-mst.txt.gz
Type: application/x-gzip
Size: 1128 bytes
Desc: not available
URL: <https://mailman.astron.com/pipermail/file/attachments/20221229/e301fd9d/attachment.bin>
-------------- next part --------------

--- file-5.44/magic/Magdir/ole2compounddocs.old	2022-12-09 16:56:56.000000000 +0100
+++ file-5.44/magic/Magdir/ole2compounddocs	2022-12-28 21:42:08.047997600 +0100
@@ -340,14 +340,22 @@
 >>>80 	ubequad		0x84100c0000000000	: Microsoft Windows Installer Package or validation module
 !:mime	application/x-msi
 #!:mime	application/x-ms-win-installer
 #	https://learn.microsoft.com/en-us/windows/win32/msi/internal-consistency-evaluators-ices
 # cub is used for validation module like: Vstalogo.cub XPlogo.cub darice.cub logo.cub mergemod.cub
 #!:mime	application/x-ms-cub
 !:ext	msi/cub
+# From:		Joerg Jenderek
+# URL:		http://en.wikipedia.org/wiki/Windows_Installer
+# Reference:	http://mark0.net/download/triddefs_xml.7z/defs/m/mst.trid.xml
+#		called "Windows SDK Setup Transform script" by TrID
+>>>80 	ubequad		0x82100c0000000000	: Microsoft Windows Installer transform script
+#!:mime	application/x-ole-storage
+!:mime	application/x-ms-mst
+!:ext	mst
 >>>80 	ubequad		0x86100c0000000000	: Microsoft Windows Installer Patch
 # ??
 !:mime	application/x-wine-extension-msp
 #!:mime	application/x-ms-msp
 !:ext	msp
 #
 # URL:	http://fileformats.archiveteam.org/wiki/DOC
-------------- next part --------------
A non-text attachment was scrubbed...
Name: file-5.44-ole2compounddocs-mst.diff.sig
Type: application/octet-stream
Size: 735 bytes
Desc: not available
URL: <https://mailman.astron.com/pipermail/file/attachments/20221229/e301fd9d/attachment.obj>
