[File] [PATCH] Magdir/Windows Performance Monitor Alert *.PMA

Christos Zoulas christos at zoulas.com
Tue May 31 17:39:44 UTC 2022 

On 2022-05-31 9:14 am, Jörg Jenderek wrote:
> Hello,
> 
> some days ago my Windows 10 eats up my rare space on my SSD. To get
> back some space i run cleaning tool bleachbit. For Microsoft web
> browser Edge one offered item is called "Edge Browser Metrics".
> When using this item dozen of files are selected with extension PMA.
> 
> When running file command version 5.41 on such examples i get an
> output like:
> 
> 20210419214142.pma:               data
> 20220502134156830_15316.pma:      data
> BrowserMetrics-61F6E703-23DC.pma: data
> BrowserMetrics-61FC0174-3200.pma: data
> CrashpadMetrics-active.pma:       data
> 
> For comparison reason i run the file format identification utility
> TrID ( See https://mark0.net/soft-trid-e.html). Some examples are
> described as "Windows Performance Monitor Alert" by pma.trid.xml
> (See appended trid-v-pma.txt.gz).
> 
> Luckily with shown information i use the general page about
> Performance Monitor on Wikipedia site. That informations are
> expressed by comment lines inside Magdir/Windows like:
> # URL:		https://en.wikipedia.org/wiki/Performance_Monitor
> # Reference:	http://mark0.net/download/triddefs_xml.7z
> #		defs/p/pma.trid.xml
> 
> The detections now happens at the end of Magdir/Windows by lines like
> :
>  0	ubelong	=0xDC058340
>  >4	ubyte	=0		Windows Performance Monitor Alert
>  !:mime		application/x-perfmon
>  !:ext		pma
>  >>80	string			x		\b, "%s"
> The first starting bytes are the same. The current TrID assumes
> that the first six bytes are the same, but in my dozens of examples
> only the first five are the same, but i found no official
> specification. So i do not know if this is always true. Instead of
> generic type application/octet-stream i use an user defined type
> find on some sites. Interesting is that at offset 80 a string like
> "BrowserMetrics",  "CrashpadMetrics" or "SetupMetrics" is stored.
> So show also this information.
> 
> After applying the above mentioned modifications by patch
> file-5.41-windows-pma.diff then the Performance Monitor Alerts now
> are identified and described. This now looks like:
> 20210419214142.pma:               Windows Performance Monitor Alert
> 				  , "SetupMetrics"
> 20220502134156830_15316.pma:      Windows Performance Monitor Alert
> 				  , "SetupMetrics"
> BrowserMetrics-61F6E703-23DC.pma: Windows Performance Monitor Alert
> 				  , "BrowserMetrics"
> BrowserMetrics-61FC0174-3200.pma: Windows Performance Monitor Alert
> 				  , "BrowserMetrics"
> CrashpadMetrics-active.pma:       Windows Performance Monitor Alert
> 				  , "CrashpadMetrics"
> 
> I hope my diff file can be applied in future version of file
> utility.

Committed, thanks!

christos
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: OpenPGP digital signature
URL: <https://mailman.astron.com/pipermail/file/attachments/20220531/d2978f29/attachment.asc>

More information about the File mailing list