[File] [PATCH] Magdir/ole2compounddocs for Microsoft feed *.feed-ms+FeedsStore.feedsdb-ms

Jörg Jenderek joerg.jen.der.ek at gmx.net
Wed Sep 14 19:22:54 UTC 2022


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

Some days ago I ran the cleaning tool czkawka, found at
https://qarmin.github.io/czkawka/. One menu item concerns bad
extensions. After running the tool I looked in the saved file list
results_bad_extensions.txt for bad extension examples.
One listed extension is feed-ms. I found such examples on Windows XP,
Vista, 8 and 10 systems in the Microsoft\Feeds subdirectory or beneath
it inside the user appdata directory. There also exists a companion
file FeedsStore.feedsdb-ms found in the directory "%USERPROFILE%\Local
Settings\Application Data\Microsoft\Feeds".

When running the file command version 5.43 with the -e cdf option on
some examples and related files I get an output like:

5jzdd15lZk1fex02Obdpd2koLf.stream:    data
@McULBGCfcAWaHBbcOLcJDMWQdOUD.stream: ASCII text
				      , with CRLF line terminators
@RDNDVCAPYafICBfcGJEAAATQWBMA.stream: ASCII text
				      , with CRLF line terminators
@TLFYZKAGUCXEEBeNPSZUAAVbVMIC.stream: ASCII text
				      , with no line terminators
FeedsStore-10.feedsdb-ms:             OLE 2 Compound Document, v3.62,
				      SecID 0,
				      Mini FAT start sector 0x6
				      : UNKNOWN with names
				      \0055jzdd15lZk1fex02
				      @TLFYZKAGUCXEEBeNPSZ
FeedsStore-vista.feedsdb-ms:          OLE 2 Compound Document, v3.62,
				      SecID 0x2,
				      Mini FAT start sector 0x5
				      : UNKNOWN with names
				      \0055jzdd15lZk1fex02
				      @AVZfCYDEXQVeDBdNVGK
				      @CPUBcQBPBYUVFBfFOPY
FeedsStore-xp.feedsdb-ms:             OLE 2 Compound Document, v3.62,
				      SecID 0,
				      Mini FAT start sector 0x6
				      : UNKNOWN with names
				      \0055jzdd15lZk1fex02
				      @McULBGCfcAWaHBbcOLc
FeedsStore.feedsdb-ms:                OLE 2 Compound Document, v3.62,
				      SecID 0x2,
				      Mini FAT start sector 0x7
				      : UNKNOWN with names
				      \0055jzdd15lZk1fex02
				      @LfLRaUDQWPLDCBccSVJ
H10ieaqpSce2uo4bF5szlzjiOe.stream:    data
Latest Headlines~.feed-ms:            OLE 2 Compound Document, v4.62,
       				      SecID 0x2,
				      Mini FAT start sector 0x4
				      , blocksize 4096
				      : UNKNOWN with names
				      \005H10ieaqpSce2uo4b
MSNBC News~.feed-ms:                  OLE 2 Compound Document, v4.62,
      				      SecID 0x2,
				      Mini FAT start sector 0x4
				      , blocksize 4096
				      : UNKNOWN with names
				      \005H10ieaqpSce2uo4b
Microsoft at Work~.feed-ms:           OLE 2 Compound Document, v4.62,
	     			      SecID 0x2,
				      Mini FAT start sector 0x4
				      , blocksize 4096
				      : UNKNOWN with names
				      \005H10ieaqpSce2uo4b
The NeoSmart Files~.feed-ms:          OLE 2 Compound Document, v4.62,
    	     			      SecID 0x2,
				      Mini FAT start sector 0x9
				      , blocksize 4096
				      : UNKNOWN with names
				      \005H10ieaqpSce2uo4b
				      0 1

Furthermore, for the feed samples only the generic mime type
application/x-ole-storage is shown with the -i and -e cdf options. With
option --extension only the 3 byte sequence ??? is shown.

When running the file command with -e soft or no extra option for the
inspected examples I get an output like:

5jzdd15lZk1fex02Obdpd2koLf.stream:    data
@McULBGCfcAWaHBbcOLcJDMWQdOUD.stream: ASCII text
				      , with CRLF line terminators
@RDNDVCAPYafICBfcGJEAAATQWBMA.stream: ASCII text
				      , with CRLF line terminators
@TLFYZKAGUCXEEBeNPSZUAAVbVMIC.stream: ASCII text
				      , with no line terminators
FeedsStore-10.feedsdb-ms:             Composite Document File V2
				      Document,
				      Cannot read section info
FeedsStore-vista.feedsdb-ms:          Composite Document File V2
				      Document,
				      Cannot read section info
FeedsStore-xp.feedsdb-ms:             Composite Document File V2
				      Document,
				      Cannot read section info
FeedsStore.feedsdb-ms:                Composite Document File V2
				      Document,
				      Cannot read section info
H10ieaqpSce2uo4bF5szlzjiOe.stream:    data
Latest Headlines~.feed-ms:            Composite Document File V2
       				      Document,
				      Cannot read section info
MSNBC News~.feed-ms:                  Composite Document File V2
      				      Document,
				      Cannot read section info
Microsoft at Work~.feed-ms:           Composite Document File V2
	     			      Document,
				      Cannot read section info
The NeoSmart Files~.feed-ms:          Composite Document File V2
    	     			      Document,
				      Cannot read section info

For comparison I ran the file format identification utility
TrID (see https://mark0.net/soft-trid-e.html). This identifies
all feed examples with low priority as "Generic OLE2 / Multistream
Compound" by docfile.trid.xml. The feed-ms examples are also
described with a high rate as "Microsoft Feed" by feed-ms.trid.xml
(see appended trid-v-feed.txt.gz).

For comparison I also ran the file format identification
utility DROID (see https://sourceforge.net/projects/droid/). This
identifies the examples generically as "OLE2 Compound Document Format"
by the fmt/111 signature.

On a few sites it is mentioned that the examples are standard OLE
documents. These samples are apparently used by Microsoft Internet
Explorer and the newer Microsoft Edge browser. This information is
found on a site about extensions. So that information is expressed
by comment lines inside Magdir/ole2compounddocs like:
# Reference:	http://mark0.net/download/triddefs_xml.7z
#		defs/f/feed-ms.trid.xml
# URL:		https://www.file-extensions.org/
#		feedsdb-ms-file-extension

The examples are recognized as "OLE 2 Compound Document"
by the starting bytes (\320\317\021\340\241\261\032\341) at the
beginning inside Magdir/ole2compounddocs. Obviously there exists no
code fragment to do sub class identification. So the examples are
described as "UNKNOWN". Furthermore the examples have no registered
Root storage object CLSID or this value is nil. In that case the file
command would display this information afterwards by a phrase like
", clsid 0xc0c7266eb98cd311a1c800c04f612452". That means that code
must be added in the branch handling CLSID GUID 0.

So the second entry for feed-ms apparently always seems to start
with \005H10ieaqpSce2uo4b encoded as a UTF-16 string after the first
directory entry, which is always "Root Entry".

The last similar entry was Microsoft Access wizard template (*.mdz).
So I add lines for my inspected examples afterwards. That looks like:
 >>>>128 lestring16	\005H10ieaqpSce2uo4bF5s	: Microsoft Feed
 !:mime	application/x-ms-feed
 !:ext	feed-ms
Instead of the generic application/x-ole-storage I choose a user
defined mime type.

Because feed-ms files are OLE2 Compound containers we can inspect such
examples with suitable tools like Michal Mutl Structured Storage
Viewer, for example. There we see that such examples contain at least 2
streams. One has the name shown by the current file command. When
inspecting this we find inside a URL (starting with the phrase http://)
pointing to an XML based file to download. Apparently the file is
something like an RSS feed. Unfortunately I found not even a small hint
with information about the file format. When searching for information
I get only bla-bla text like "you must click on the green plant icon to
get the cabanas kick". So for all the people admiring Windows, you do
not know what it is doing in the background and where and why
information is stored. That is the really bad aspect of proprietary
software. So I was not able to add a real URL to the file magic
definition.

So the second directory entry for feedsdb-ms examples apparently always
seems to start with \0055jzdd15lZk1fex02 encoded as a UTF-16 string
after the first directory entry, which is always "Root Entry". The
third and fourth directory entries are names starting with an at sign
(like @HdLETbARQWABGBPNHPH @AVZfCYDEXQVeDBdNVGK @CPUBcQBPBYUVFBfFOPY).
So I add lines for my inspected examples afterwards. That looks like:
 >>>>128 lestring16 \0055jzdd15lZk1fex02 : Microsoft RSS Feeds Store
 !:mime	application/x-ms-feed
 !:ext	feedsdb-ms
Instead of the generic application/x-ole-storage I choose a user
defined mime type.

Because feedsdb-ms files are OLE2 Compound containers we can inspect
such examples with suitable tools like Michal Mutl Structured Storage
Viewer, for example. There we see that such examples contain at least 2
streams. One has a name with an at sign and the other has the name
shown by the file command. The stream with the at sign apparently
contains a relative path with corresponding FEED-MS samples like
<FeedDataCache Path="ms-feed-relativ-path">. The other stream
contains something like message strings encoded as UTF-16 (like
"Feeds Schedules Rebuild Required" "NextToSync").

After applying the above mentioned modifications by the patch
file-5.43-ole2compounddocs-feed.diff, all my inspected
Microsoft feed examples are now described with more details. With
option -e cdf this now looks like:

5jzdd15lZk1fex02Obdpd2koLf.stream:    data
@McULBGCfcAWaHBbcOLcJDMWQdOUD.stream: ASCII text
				      , with CRLF line terminators
@RDNDVCAPYafICBfcGJEAAATQWBMA.stream: ASCII text
				      , with CRLF line terminators
@TLFYZKAGUCXEEBeNPSZUAAVbVMIC.stream: ASCII text
				      , with no line terminators
FeedsStore-10.feedsdb-ms:             OLE 2 Compound Document, v3.62,
				      SecID 0,
				      Mini FAT start sector 0x6
				      : Microsoft RSS Feeds Store
FeedsStore-vista.feedsdb-ms:          OLE 2 Compound Document, v3.62,
				      SecID 0x2,
				      Mini FAT start sector 0x5
				      : Microsoft RSS Feeds Store
FeedsStore-xp.feedsdb-ms:             OLE 2 Compound Document, v3.62,
				      SecID 0,
				      Mini FAT start sector 0x6
				      : Microsoft RSS Feeds Store
FeedsStore.feedsdb-ms:                OLE 2 Compound Document, v3.62,
				      SecID 0x2,
				      Mini FAT start sector 0x7
				      : Microsoft RSS Feeds Store
H10ieaqpSce2uo4bF5szlzjiOe.stream:    data
Latest Headlines~.feed-ms:            OLE 2 Compound Document, v4.62,
       				      SecID 0x2,
				      Mini FAT start sector 0x4
				      , blocksize 4096
				      : Microsoft Feed
MSNBC News~.feed-ms:                  OLE 2 Compound Document, v4.62,
      				      SecID 0x2,
				      Mini FAT start sector 0x4
				      , blocksize 4096
				      : Microsoft Feed
Microsoft at Work~.feed-ms:           OLE 2 Compound Document, v4.62,
	     			      SecID 0x2,
				      Mini FAT start sector 0x4
				      , blocksize 4096
				      : Microsoft Feed
The NeoSmart Files~.feed-ms:          OLE 2 Compound Document, v4.62,
    	     			      SecID 0x2,
				      Mini FAT start sector 0x9
				      , blocksize 4096
				      : Microsoft Feed

I hope my diff file can be applied in a future version of the file
utility.

With best wishes,
Jörg Jenderek
- --
Jörg Jenderek
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iF0EARECAB0WIQS5/qNWKD4ASGOJGL+v8rHJQhrU1gUCYyIqDgAKCRCv8rHJQhrU
1lkwAKDHt6DQdt/uEkUhSihOuohElNnE3ACcCcbhI3tysyWXbVuFgPIJb+6OPcQ=
=RbDa
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: trid-v-feed.txt.gz
Type: application/x-gzip
Size: 818 bytes
Desc: not available
URL: <https://mailman.astron.com/pipermail/file/attachments/20220914/934eb6d3/attachment-0001.bin>
-------------- next part --------------
--- file-5.43/magic/Magdir/ole2compounddocs.old	2022-09-13 20:05:40.000000000 +0200
+++ file-5.43/magic/Magdir/ole2compounddocs	2022-09-14 21:08:56.990146900 +0200
@@ -209,20 +209,37 @@
 >>>>384 	lestring16	TemplateID		: Microsoft Access wizard template
 # Second directory entry name like \005SummaryInformation and 3rd name like \005DocumentSummaryInformation
 #!:mime	application/x-ole-storage
 #!:mime	application/vnd.ms-office
 #!:mime	application/vnd.ms-access
 #!:mime	application/msaccess
 !:mime	application/x-ms-mdz
 # http://extension.nirsoft.net/mdz
 !:ext	mdz
 #
+# From:		Joerg Jenderek
+# Reference:	http://mark0.net/download/triddefs_xml.7z/defs/f/feed-ms.trid.xml
+# Note:		found on Windows systems (XP-10) in Microsoft\Feeds subdirectory inside user appdata directory
+# Second directory entry name like \005H10ieaqpSce2uo4bF5szlzjiOe
+>>>>128 	lestring16	\005H10ieaqpSce2uo4bF5s	: Microsoft Feed
+#!:mime	application/x-ole-storage
+!:mime	application/x-ms-feed
+!:ext	feed-ms
+# URL:		https://www.file-extensions.org/feedsdb-ms-file-extension
+# Note:		found on Windows systems (XP-10) as "%USERPROFILE%\Local Settings\Application Data\Microsoft\Feeds\FeedsStore.feedsdb-ms"
+#		contains UTF string message like "Feeds Schedules Rebuild Required" "NextToSync"
+# Second directory entry name \0055jzdd15lZk1fex02Obdpd2koLf
+>>>>128 	lestring16	\0055jzdd15lZk1fex02	: Microsoft RSS Feeds Store
+#!:mime	application/x-ole-storage
+!:mime	application/x-ms-feed
+!:ext	feedsdb-ms
+#
 # URL:	http://fileformats.archiveteam.org/wiki/Corel_Print_House
 # Second directory entry name Thumbnail
 >>>>128 	lestring16	Thumbnail		: Corel PrintHouse image
 #!:mime	application/x-ole-storage
 !:mime	application/x-corel-cph
 !:ext	cph
 # 3rd directory entry name Thumbnail
 >>>>256 	lestring16	Thumbnail		: Corel PrintHouse image
 !:mime	application/x-corel-cph
 !:ext	cph
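Review bot: Both added `>>>>128 lestring16` entries assign the same `!:mime application/x-ms-feed`, although one describes a per-feed `feed-ms` container and the other the `feedsdb-ms` store, so anything that dispatches on the MIME type cannot tell the two apart; give the store its own type or add a comment saying the sharing is intended. The match strings also stop short of the full names given in the comments above them (`\005H10ieaqpSce2uo4bF5szlzjiOe`, `\0055jzdd15lZk1fex02Obdpd2koLf`) and are cut at different points; matching the full name, or noting why a prefix is used, would make the test stricter and easier to audit. Finally, the `# Reference:` line appends the archive-internal path `defs/f/feed-ms.trid.xml` directly to the `.7z` URL, which does not resolve as written; keep the URL and the member path separate as the message body does.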
-------------- next part --------------
A non-text attachment was scrubbed...
Name: file-5.43-ole2compounddocs-feed.diff.sig
Type: application/octet-stream
Size: 960 bytes
Desc: not available
URL: <https://mailman.astron.com/pipermail/file/attachments/20220914/934eb6d3/attachment-0001.obj>
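The check that the two new magic lines perform can be reproduced outside of file(1) when triaging such containers. The following Python sketch is an added example, not part of the original message or of the file project: it reads the OLE2 header, locates the first directory sector, and compares the second directory entry name against the two prefixes from the patch. The function names, the extra "Root Entry" sanity check and the `build_sample` helper (which fabricates a minimal test container) are assumptions made for illustration.

```python
import struct

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # \320\317\021\340\241\261\032\341
ENTRY = 128  # size of one directory entry; the name occupies its first 64 bytes

# Second-entry name prefixes, copied from the two magic lines in the patch.
KNOWN = [("\x05H10ieaqpSce2uo4bF5s", "Microsoft Feed", "feed-ms"),
         ("\x055jzdd15lZk1fex02", "Microsoft RSS Feeds Store", "feedsdb-ms")]

def directory_names(data, limit=4):
    """Return the names of the first directory entries of an OLE2 container."""
    if len(data) < 512 or data[:8] != OLE2_MAGIC:
        raise ValueError("not an OLE 2 Compound Document")
    shift, = struct.unpack_from("<H", data, 30)      # 9 -> 512, 12 -> 4096 bytes
    first_dir, = struct.unpack_from("<I", data, 48)  # first directory sector
    if shift not in (9, 12):
        raise ValueError("unexpected sector shift")
    base = (first_dir + 1) << shift                  # sector 0 follows the header
    names = []
    for i in range(limit):
        entry = data[base + i * ENTRY: base + (i + 1) * ENTRY]
        if len(entry) < ENTRY:
            raise ValueError("directory sector truncated")
        nlen, = struct.unpack_from("<H", entry, 64)  # bytes, incl. UTF-16 NUL
        if nlen > 64 or nlen % 2:
            raise ValueError("corrupt name length")
        names.append(entry[:max(nlen - 2, 0)].decode("utf-16-le", "replace"))
    return names

def classify(data):
    """Return (description, extension) or None, mirroring the >>>>128 test."""
    names = directory_names(data, limit=2)
    if names[0] != "Root Entry":   # extra sanity check, not in the patch
        return None
    return next(((d, e) for p, d, e in KNOWN if names[1].startswith(p)), None)

def build_sample(names, shift, first_dir):
    """Constructed test input: header, padding sectors, one directory sector."""
    size = 1 << shift
    header, directory = bytearray(size), bytearray(size)
    header[:8] = OLE2_MAGIC
    struct.pack_into("<H", header, 30, shift)
    struct.pack_into("<I", header, 48, first_dir)
    for i, name in enumerate(names):
        raw = (name + "\0").encode("utf-16-le")
        directory[i * ENTRY: i * ENTRY + len(raw)] = raw
        struct.pack_into("<H", directory, i * ENTRY + 64, len(raw))
    return bytes(header) + bytes(size * first_dir) + bytes(directory)
```

A directory name is trivially forgeable, so a match here only says what the container claims to be; the stream contents still need their own inspection.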

