[File] [PATCH] Magdir/Windows Performance Monitor Alert *.PMA

Jörg Jenderek joerg.jen.der.ek at gmx.net
Tue May 31 13:14:14 UTC 2022


Hello,

Some days ago my Windows 10 ate up the scarce space on my SSD. To get
back some space I ran the cleaning tool bleachbit. For the Microsoft web
browser Edge, one offered item is called "Edge Browser Metrics".
When using this item, dozens of files with the extension PMA are selected.

When running the file command version 5.41 on such examples I get
output like:

20210419214142.pma:               data
20220502134156830_15316.pma:      data
BrowserMetrics-61F6E703-23DC.pma: data
BrowserMetrics-61FC0174-3200.pma: data
CrashpadMetrics-active.pma:       data

For comparison I ran the file format identification utility
TrID (see https://mark0.net/soft-trid-e.html). Some examples are
described as "Windows Performance Monitor Alert" by pma.trid.xml
(see appended trid-v-pma.txt.gz).

Luckily, with the information shown, I use the general page about
Performance Monitor on the Wikipedia site. That information is
expressed by comment lines inside Magdir/Windows like:
# URL:		https://en.wikipedia.org/wiki/Performance_Monitor
# Reference:	http://mark0.net/download/triddefs_xml.7z
#		defs/p/pma.trid.xml

The detection now happens at the end of Magdir/Windows by lines like:
 0	ubelong	=0xDC058340
 >4	ubyte	=0		Windows Performance Monitor Alert
 !:mime		application/x-perfmon
 !:ext		pma
 >>80	string			x		\b, "%s"
The first starting bytes are the same. The current TrID assumes
that the first six bytes are the same, but in my dozens of examples
only the first five are the same, and I found no official
specification. So I do not know if this is always true. Instead of the
generic type application/octet-stream I use a user-defined type
found on some sites. Interesting is that at offset 80 a string like
"BrowserMetrics", "CrashpadMetrics" or "SetupMetrics" is stored.
So I also show this information.

After applying the above-mentioned modifications by patch
file-5.41-windows-pma.diff, the Performance Monitor Alerts are now
identified and described. This now looks like:
20210419214142.pma:               Windows Performance Monitor Alert, "SetupMetrics"
20220502134156830_15316.pma:      Windows Performance Monitor Alert, "SetupMetrics"
BrowserMetrics-61F6E703-23DC.pma: Windows Performance Monitor Alert, "BrowserMetrics"
BrowserMetrics-61FC0174-3200.pma: Windows Performance Monitor Alert, "BrowserMetrics"
CrashpadMetrics-active.pma:       Windows Performance Monitor Alert, "CrashpadMetrics"

I hope my diff file can be applied in a future version of the file
utility.

With best wishes
Jörg Jenderek
- --
Jörg Jenderek
-------------- next part --------------
-- 
File mailing list
File at astron.com
https://mailman.astron.com/mailman/listinfo/file

-------------- next part --------------
--- file-5.41/magic/Magdir/windows.old	2021-05-12 18:30:24.000000000 +0200
+++ file-5.41/magic/Magdir/windows	2022-05-31 15:02:38.402553600 +0200
@@ -1080,3 +1080,19 @@
 0	string	ID;P	Microsoft SYLK program
 >4	string	>0	\b, created by %s
 !:ext	slk/sylk
+
+# Summary:	Windows Performance Monitor Alert
+# From:		Joerg Jenderek
+# URL:		https://en.wikipedia.org/wiki/Performance_Monitor
+# Reference:	http://mark0.net/download/triddefs_xml.7z/defs/p/pma.trid.xml
+# Note:		called "Windows Performance Monitor Alert" by TrID
+0	ubelong			=0xDC058340
+>4	ubyte			=0		Windows Performance Monitor Alert
+#!:mime		application/octet-stream
+# https://www.thoughtco.com/mime-types-by-content-type-3469108
+# https://filext.com/file-extension/PAM
+!:mime		application/x-perfmon 
+#!:mime		application/x-ms-pma
+!:ext		pma
+# metric type like: "BrowserMetrics" "CrashpadMetrics" "SetupMetrics"
+>>80	string			x		\b, "%s"
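Review bot: The final line `>>80 string x \b, "%s"` prints whatever bytes sit at offset 80 without any check, while the match above it rests on only five bytes (`0xDC058340` plus a zero byte at offset 4), so a false positive on unrelated data would put unvalidated bytes into the description. Consider guarding the print with a test on the first character, for example a `>>80 ubyte >0x20` level ahead of the `string` line, or matching the three names listed in the comment. Smaller points: the `!:mime application/x-perfmon ` line carries trailing whitespace, the two commented-out `#!:mime` alternatives could be dropped once one type is chosen, and the filext.com reference URL ends in `/PAM` while the rule is for the `pma` extension.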
-------------- next part --------------
A non-text attachment was scrubbed...
Name: file-5.41-windows-pma.diff.sig
Type: application/octet-stream
Size: 702 bytes
Desc: not available
URL: <https://mailman.astron.com/pipermail/file/attachments/20220531/83871ad7/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: trid-v-pma.txt.gz
Type: application/x-gzip
Size: 400 bytes
Desc: not available
URL: <https://mailman.astron.com/pipermail/file/attachments/20220531/83871ad7/attachment.bin>
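The rule from the message above, re-expressed as an added Python example for triaging files outside of file(1); it is not part of the original post or of the file project. It is stricter than the patch in that it only accepts a printable name at offset 80, and it reports the sixth byte so the five-versus-six-byte question raised in the message can be surveyed across a collection. The function names, the 64-byte name bound and the sample bytes are assumptions constructed here.

```python
import struct
from typing import NamedTuple, Optional

PMA_MAGIC = 0xDC058340  # big-endian 32-bit value at offset 0 (from the patch)
NAME_OFFSET = 80        # offset of the metrics name string (from the patch)
NAME_MAX = 64           # assumption: bound on the name length, not from any spec


class PmaInfo(NamedTuple):
    name: Optional[str]   # printable string at offset 80, None if unusable
    byte5: Optional[int]  # sixth byte of the file, None if the file is too short


def identify_pma(data: bytes) -> Optional[PmaInfo]:
    """Return PmaInfo if data matches the five-byte rule, else None."""
    if len(data) < 5:
        return None  # truncated: cannot even hold the magic
    (magic,) = struct.unpack_from(">I", data, 0)
    if magic != PMA_MAGIC or data[4] != 0:
        return None
    byte5 = data[5] if len(data) > 5 else None
    # Read at most NAME_MAX bytes and stop at the first NUL, if any.
    raw = data[NAME_OFFSET:NAME_OFFSET + NAME_MAX].split(b"\x00", 1)[0]
    # Accept only a non-empty, printable ASCII name.
    if raw and all(0x20 <= b < 0x7F for b in raw):
        name = raw.decode("ascii")
    else:
        name = None
    return PmaInfo(name, byte5)


def make_sample(name: bytes, byte5: int = 0) -> bytes:
    """Build constructed test data; this is not a real .pma file."""
    header = struct.pack(">I", PMA_MAGIC) + b"\x00" + bytes([byte5])
    return header.ljust(NAME_OFFSET, b"\x00") + name + b"\x00" * 16


if __name__ == "__main__":
    samples = (
        make_sample(b"BrowserMetrics"),
        make_sample(b"SetupMetrics", byte5=0x7B),   # differing sixth byte
        make_sample(b"\x01\x02"),                   # non-printable name
        b"\xdc\x05\x83\x40\x01" + b"\x00" * 100,    # fifth byte not zero
        b"\xdc\x05\x83",                            # truncated header
    )
    for blob in samples:
        print(identify_pma(blob))
```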


More information about the File mailing list