[File] [PATCH] of Magdir/msdos, windows Windows shortcut -duplicates -wrong items
Jörg Jenderek
joerg.jen.der.ek at gmx.net
Tue Apr 11 14:09:52 UTC 2023
Hello,
some days ago I read an interesting article in the German computer
magazine c't, number 24 from 2022. It described the
efforts and methods of Microsoft to protect their system.
Unfortunately Microsoft is non-transparent like FIFA and does not
exactly explain why something is happening. Luckily the article lists 39
file name suffixes which are considered to be potentially
dangerous. One extension is LNK.
So I looked on my systems for such files (8962 including duplicates).
When running the file command version 5.44 on such examples without the -k
option I get, at first glance, not bad looking output like:
AOL.lnk: MS Windows shortcut,
Item id list present,
Points to a file or directory,
Has Relative path,
Archive,
ctime=Wed May 5 19:22:00 1999,
mtime=Thu Jul 10 21:00:00 2014,
atime=Wed May 5 19:22:00 1999,
length=86016
, window=hide
Aktenkoffer.lnk: MS Windows shortcut,
Item id list present,
Points to a file or directory,
Has Relative path,
Read-Only,
Directory,
ctime=Tue Jul 23 15:26:10 2019,
mtime=Mon Jul 22 21:00:00 2019,
atime=Tue Jul 23 15:26:12 2019,
length=0
, window=hide
Autoruns.lnk: MS Windows shortcut,
Item id list present,
Points to a file or directory,
Has Description string,
Has Relative path,
Has Working directory,
Archive,
ctime=Thu Oct 14 12:09:14 2021,
mtime=Thu Oct 14 12:09:14 2021,
atime=Thu Feb 17 18:43:33 2022,
length=344064
, window=hide
Calculator.lnk: MS Windows shortcut,
Has Description string,
Icon number=0,
ctime=Sun Dec 31 23:00:00 1600,
mtime=Sun Dec 31 23:00:00 1600,
time=Sun Dec 31 23:00:00 1600,
length=0
, window=hide
HerzlichMEDION.lnk: MS Windows shortcut,
Item id list present,
Points to a file or directory,
Has Description string,
Has Relative path,
Has Working directory,
Icon number=0,
Archive,
ctime=Tue Aug 26 10:44:09 2008,
mtime=Tue Aug 26 10:44:14 2008,
atime=Mon Aug 25 23:04:22 2008,
length=8347
, window=hidenormal
Java (32-Bit).lnk: MS Windows shortcut,
Item id list present,
ctime=Sun Dec 31 23:00:00 1600,
mtime=Sun Dec 31 23:00:00 1600,
atime=Sun Dec 31 23:00:00 1600,
length=0
, window=hide
Notepad.lnk: MS Windows shortcut,
Item id list present,
Points to a file or directory,
Has Description string,
Has Relative path,
Has Working directory,
Icon number=0,
Archive,
ctime=Thu Nov 2 07:47:59 2006,
mtime=Thu Nov 2 09:38:56 2006,
atime=Thu Nov 2 08:45:30 2006,
length=151040
, window=hide
SD Card Formatter.lnk: MS Windows shortcut,
Item id list present,
Has Relative path,
Icon number=0,
ctime=Sun Dec 31 23:00:00 1600,
mtime=Sun Dec 31 23:00:00 1600,
atime=Sun Dec 31 23:00:00 1600,
length=0
, window=hide
StarOffice 5.2.lnk: MS Windows shortcut,
Item id list present,
Points to a file or directory,
Has Relative path,
Has Working directory,
Archive,
ctime=Mon May 8 02:20:00 2000,
mtime=Sun May 7 21:00:00 2000,
atime=Mon May 8 02:20:00 2000,
length=217088
, window=hide
WinImage (administrator).lnk: MS Windows shortcut,
Item id list present,
Points to a file or directory,
Has Description string,
Has Relative path,
Archive,
ctime=Wed Apr 15 07:00:00 2020,
mtime=Sun Apr 17 10:25:50 2016,
atime=Wed Apr 15 07:00:00 2020,
length=2211432
, window=hide
YaCy.lnk: MS Windows shortcut,
Item id list present,
Points to a file or directory,
Has Relative path,
Has Working directory,
Icon number=0,
Archive,
ctime=Mon Dec 26 13:20:32 2016,
mtime=Sun Dec 10 03:43:47 2017,
atime=Mon Dec 26 13:20:32 2016,
length=2512
, window=hidenormalshowminimized
obd-1.reg.lnk: MS Windows shortcut,
Item id list present,
Points to a file or directory,
Has Relative path,
Has Working directory,
Read-Only,
Hidden,
System,
Directory,
Archive,
Encrypted,
Temporary,
Compressed,
Offline,
ctime=Thu Jun 9 18:15:08 1661,
mtime=Sat Mar 19 21:56:55 -56051,
atime=Wed Feb 2 09:36:25 1661,
length=4435072
, window=hide
test-lnk.lnk: MS Windows shortcut,
Item id list present,
Points to a file or directory,
Has Relative path,
Has Working directory,
Archive,
ctime=Fri Sep 12 19:27:17 2008,
mtime=Fri Sep 12 19:27:17 2008,
atime=Fri Sep 12 19:27:17 2008,
length=0
, window=hide
x-fmt-428-signature-id-262.lnk: MS Windows shortcut,
ctime=Sun Dec 31 23:00:00 1600,
mtime=Sun Dec 31 23:00:00 1600,
atime=Sun Dec 31 23:00:00 1600
Furthermore, with the -i option application/x-ms-shortcut is shown and
with --extension the correct 3 byte sequence lnk is displayed.
But when running with additional -m Magdir/msdos, then with option -i
only the generic application/octet-stream is shown and with --extension
only ??? is displayed.
For comparison I ran other utilities. The file identifier tool
TrID (see http://mark0.net/soft-trid-e.html) describes such LNK
examples as "Windows Shortcut" by definition lnk-shortcut.trid.xml
(see appended trid-v-lnk.txt.gz).
DROID (Digital Record and Object Identification) is a software tool
developed by The National Archives of UK to perform automated batch
identification of file formats. See
https://digital-preservation.github.io/droid/
According to that tool the samples are described as "Microsoft
Windows Shortcut" by PUID x-fmt/428 (see appended droid-lnk.csv.gz).
First we see that we get duplicate messages, because in Magdir/msdos
and Magdir/windows in principle the same recognition lines are found.
These look for the 4 byte header size 4C followed by the 16 byte
LinkCLSID 00021401-0000-0000-C000-000000000046. In msdos this consists
of 2 lines like:
0 lelong 0x4C
>4 lelong 0x00021401 Windows shortcut file
In windows it starts with lines like
0 string \114\0\0\0
\001\024\002\0\0\0\0\0\300\0\0\0\0\0\0\106 MS Windows shortcut
!:mime application/x-ms-shortcut
!:ext lnk
So first I delete the concerning lines inside msdos by patch
file-5.44-msdos-lnk.diff to remove duplicated messages.
Luckily, with the information given by the other tools, I also found a
page about Windows Shortcut on the file formats archive team web
site. Surprisingly there exists an official specification from
Microsoft covering most aspects. That information is expressed by
comment lines inside Magdir/images like:
# URL: http://fileformats.archiveteam.org/
# wiki/Windows_Shortcut
# https://learn.microsoft.com/
# en-us/openspecs/windows_protocols/ms-shllink/
# Reference: http://mark0.net/download/triddefs_xml.7z
# defs/l/lnk-shortcut.trid.xml
# https://winprotocoldoc.blob.core.windows.net/
# productionwindowsarchives/MS-SHLLINK/
# %5bMS-SHLLINK%5d.pdf
2 of 3 time stamps are shown by lines like:
>36 leqwdate x \b, mtime=%s
>44 leqwdate x \b, atime=%s
These are just swapped. According to the documentation, in the middle
comes the access time of the target in UTC and last comes the write
time of the target in UTC. This can be verified by a command line tool
command like:
lnkinfo AOL.lnk
Furthermore value zero means there is no time set on the target. So
these lines now become like:
>36 leqwdate !0 \b, atime=%s
>44 leqwdate !0 \b, mtime=%s
After the target link size the window state (ShowCommand) of the
launched application is shown by lines like:
>52 lelong x \b, length=%u, window=
>60 lelong&1 1 \bhide
>60 lelong&2 2 \bnormal
>60 lelong&4 4 \bshowminimized
>60 lelong&8 8 \bshowmaximized
>60 lelong&16 16 \bshownoactivate
>60 lelong&32 32 \bminimize
>60 lelong&64 64 \bshowminnoactive
>60 lelong&128 128 \bshowna
>60 lelong&256 256 \brestore
>60 lelong&512 512 \bshowdefault
That interpretation is wrong. That is really fake news. This is not
visible at first glance. Most samples have ShowCommand value 1 (that
is SW_SHOWNORMAL). So most samples are currently described by the phrase
"window=hide". But using brain we should expect "window=normal" for
most cases. For sample HerzlichMEDION.lnk with a link to a welcome html
page in full screen with ShowCommand 3 (that is SW_SHOWMAXIMIZED) the
obviously nonsense phrase "window=hidenormal" is shown. Worst of all
are samples like YaCy.lnk, Privoxy.lnk starting web proxy software
minimised with ShowCommand value 7 (that is SW_SHOWMINNOACTIVE).
Here I get a phrase like "window=hidenormalshowminimized".
Unfortunately my lnkinfo version 20181227 also reports no expected
values here, but calling the property function on Windows itself
reports the 3 window behaviours described in the documentation. All
other values like 2 MUST be treated as SW_SHOWNORMAL. So this is
now described by lines like:
>60 lelong x
>>60 lelong 3 \bshowmaximized
>>60 lelong 7 \bshowminnoactive
>>60 default x \bnormal
The LinkFlags structure specifies information about the shell link
and the presence of optional portions of the structure. That
information is shown by lines like:
>20 lelong&1 1 \b, Item id list present
>20 lelong&2 2 \b, Points to a file or directory
>20 lelong&4 4 \b, Has Description string
>20 lelong&8 8 \b, Has Relative path
>20 lelong&16 16 \b, Has Working directory
>20 lelong&32 32 \b, Has command line arguments
Only 6 bits from 32 are interpreted. I do not know why. To be
consistent I also show the other bits in interpreted form although
I do not always exactly know what this means because I am no Windows
internals expert. So maybe a person with more knowledge could check
if the description text is human readable, useful and correct. For
example the sample "WinImage (administrator).lnk" is calling the
program winimage.exe obviously as user administrator. So here this
information is now shown by a line like:
>20 lelong&8192 8192 \b, RunAsUser
Some LinkFlags are indicators for the existence or absence of a special
data block. Often these blocks start with some characteristic byte
sequences. So the flag HasExpString is an indicator for an
EnvironmentVariableDataBlock which starts with the 4 byte Block Size 314h
followed by Block Signature A0000001h. Afterwards the path to the
environment variable encoded with the system default code page is stored
as the 260 byte string TargetAnsi. Afterwards the same variable is stored
as the 520 byte TargetUnicode, Unicode encoded. In my examples on German and
English machines these 2 strings are the same, like
"%windir%\system32\calc.exe" in sample Calculator.lnk. Maybe on
machines with exotic languages like Chinese this looks different. So I
show only TargetUnicode which probably is more reliable because it
does not depend on some system code pages which are not known by the
file command. So this information is shown by lines like:
>20 lelong&512 512 \b, HasEnvironment
>>76 search/1972 \x14\x03\x00\x00\x01\x00\x00\xa0
#>>>&0 string x '%s'
# like: "%windir%\system32\calc.exe"
>>>&260 lestring16 x "%s"
So the flag HasExpIcon is an indicator for an IconEnvironmentDataBlock
which starts with the 4 byte Block Size 314h followed by Block Signature
A0000007h. Afterwards the path to the environment icon variable encoded
with the system default code page is stored as the 260 byte string
TargetAnsi. Afterwards the same variable is stored as the 520 byte
TargetUnicode, Unicode encoded. In my examples on German and English
machines these 2 strings are the same, like "%SystemDrive%\Program
Files\YaCy\addon\YaCy.ico" in sample YaCy.lnk. So this information is
shown by lines like:
>20 lelong&16384 16384 \b, HasExpIcon
>>76 search/1972 \x14\x03\x00\x00\x07\x00\x00\xa0
#>>>&0 string x '%s'
# like: "%SystemDrive%\Program Files\YaCy\addon\YaCy.ico"
>>>&260 lestring16 x "%s"
A similar problem occurs for FileAttributes. The FileAttributesFlags
structure specifies information about the link target. That
information is shown by lines like:
>24 lelong&1 1 \b, Read-Only
>24 lelong&2 2 \b, Hidden
>24 lelong&4 4 \b, System
>24 lelong&8 8 \b, Volume Label
>24 lelong&16 16 \b, Directory
>24 lelong&32 32 \b, Archive
>24 lelong&64 64 \b, Encrypted
>24 lelong&128 128 \b, Normal
>24 lelong&256 256 \b, Temporary
>24 lelong&512 512 \b, Sparse
>24 lelong&1024 1024 \b, Reparse point
>24 lelong&2048 2048 \b, Compressed
>24 lelong&4096 4096 \b, Offline
Only the first thirteen bits are interpreted. So some samples
like Notepad.lnk and YaCy.lnk show the FILE_ATTRIBUTE_NOT_CONTENT_INDEXED
attribute. As far as I understand, this means the contents need to
be indexed. This is shown by a line like:
>24 lelong&8192 8192 \b, NeedIndexed
Even worse, some fields are interpreted wrongly by lines like
>24 lelong&8 8 \b, Volume Label
>24 lelong&64 64 \b, Encrypted
According to the documentation (I did not verify this) these must be
interpreted by lines like:
>24 lelong&8 8 \b, Reserved1
>24 lelong&64 64 \b, Reserved2
>24 lelong&16384 16384 \b, Encrypted
For some samples I get no program or icon name. So I looked for more
information hints. If the LinkFlags bit HasLinkTargetIDList is set, then
a LINKTARGET_IDLIST follows after the header (76=4C). This starts with the
size of the whole IDList in variable IDListSize. Then follow the items
themselves, each starting with its own size in variable ItemIDSize
followed by the item data. With the help of this size I jump to the position
of the next item and inspect the item by calling sub routine lnk-item. So I
inspect the first 4 items. Luckily the list is terminated by size value
TerminalID. That means value 0x0000. So you can interpret such
an item size value as meaning the end of the list is reached. So this is
expressed by lines like:
>20 lelong&1 1
>>76 uleshort x \b, IDListSize %#4.4x
# 1st item
>>78 use lnk-item
# 2nd possible item
>>(78.s+78) uleshort >0
>>>(78.s+78) use lnk-item
# 3rd possible item
>>>&(&-2.s-2) uleshort >0
>>>>&-2 use lnk-item
# 4th possible item
>>>>&(&-2.s-2) uleshort >0
>>>>>&-2 use lnk-item
The sub routine in the first step checks the size and steps forward if the
size is not zero. According to the lnkinfo source (which I do not fully
understand) if the data starts with byte value 1f then this is followed by
a guid. So in sample "Java (32-Bit).lnk" the guid
"26EE0668-A00A-44D7-9371-BEB064C98683" means Control Panel item.
If the data starts with byte value 2f then this is followed by a Volume name
like "C:\" or "D:\". So this is done by sub routine lnk-item. This
looks like:
0 name lnk-item
>0 uleshort >0
>>0 uleshort x \b, ItemIDSize %#4.4x
#>>2 ubequad x \b, Item data=%#16.16llx
>>2 ubyte x \b, Item type=%#x
>>2 ubyte =0x1f \b, Root folder
>>>4 guid x "%s"
>>2 ubyte =0x2f \b, Volume
>>>3 string x "%s"
At this point for some samples like "WinImage (administrator).lnk"
and test-lnk.lnk mentioned in the documentation still no program name
or icon name is shown. With the help of the additional sub routine lnk-info
I can show more information of the LinkInfo structure like size, flags
and offsets (relative to the start of this structure). Interesting is the
LocalBasePathOffset pointing to the LocalBasePath field like
"C:\test\a.txt". This field only exists if VolumeIDAndLocalBasePath
(value 1) in LinkInfoFlags is set. So this can be shown by calling a
sub routine which looks like:
0 name lnk-info
>0 ulelong x \b, LinkInfoSize %#x
>4 ulelong x \b, LinkInfoHeaderSize %#x
#>8 ulelong x \b, LinkInfoFlags=%#x
>8 ulelong&1 1 \b, VolumeIDAndLocalBasePath
>>12 ulelong x \b, VolumeIDOffset %#x
>>16 ulelong x \b, LocalBasePathOffset %#x
With the help of this sub routine I was able to show LocalBasePath
in the end. Maybe somebody finds a way to do it in a better and
100% perfect way. First I must check for the existence of LinkInfo.
This is true if the HasLinkInfo flag is set. Then the position of this
structure varies. If there exists no LINKTARGET_IDLIST (no
HasLinkTargetIDList flag set) then this structure comes directly
after the header, but I found no such samples. If there exists a
LINKTARGET_IDLIST then LinkInfo comes after this (additional
IDListSize bytes). Then after moving the pointer to the LinkInfo structure
I can show LocalBasePath. This looks like:
>20 lelong&2 2
>>20 lelong&1 =0
>>>76 use lnk-info
>>20 lelong&1 =1
>>>76 uleshort >0
#>>>>(76.s+78) use lnk-info
>>>>(76.s+78) ubelong x
>>>>>&-8 ubelong x
#>>>>>>&16 ulelong x \b, LocalBasePathOffset=%#8.8x
>>>>>>&(&16.l) string x \b, LocalBasePath "%s"
After applying the above mentioned modifications by patch
file-5.44-msdos-lnk.diff and file-5.44-windows-lnk.diff the
duplicates vanish, wrong items are shown with correct values and some
more details (like program and/or icon names) are also shown. So I
now get an output like:
AOL.lnk: MS Windows shortcut
, Item id list present,
Points to a file or directory,
Has Relative path,
Archive,
ctime=Wed May 5 19:22:00 1999,
atime=Thu Jul 10 21:00:00 2014,
mtime=Wed May 5 19:22:00 1999,
length=86016
, window=normal,
IDListSize 0x00a5,
Root folder
"20D04FE0-3AEA-1069-A2D8-08002B30309D",
LocalBasePath
"C:\Programme\Online-Dienste\AOL\AOLSETUP.EXE"
Aktenkoffer.lnk: MS Windows shortcut,
Item id list present,
Points to a file or directory,
Has Relative path,
Read-Only,
Directory,
ctime=Tue Jul 23 15:26:10 2019,
atime=Mon Jul 22 21:00:00 2019,
mtime=Tue Jul 23 15:26:12 2019,
length=0
, window=normal,
IDListSize 0x00d4,
Root folder
"20D04FE0-3AEA-1069-A2D8-08002B30309D",
LocalBasePath "C:\"
Autoruns.lnk: MS Windows shortcut
, Item id list present,
Points to a file or directory,
Has Description string,
Has Relative path,
Has Working directory,
Unicoded,
MachineID NETBIOSNAME1,
EnableTargetMetadata,
Archive,
NeedIndexed,
ctime=Thu Oct 14 12:09:14 2021,
atime=Thu Oct 14 12:09:14 2021,
mtime=Thu Feb 17 18:43:33 2022,
length=344064
, window=normal,
hot key A+CONTROL+ALT,
IDListSize 0x01a1,
Root folder
"20D04FE0-3AEA-1069-A2D8-08002B30309D",
Volume "C:\",
LocalBasePath
"C:\ProgramData\chocolatey\bin\Autoruns64.exe"
Calculator.lnk: MS Windows shortcut,
Has Description string,
Icon number=0,
Unicoded,
NoLinkInfo,
HasEnvironment
"%windir%\system32\calc.exe",
PreferEnvironmentPath,
length=0
, window=normal
HerzlichMEDION.lnk: MS Windows shortcut,
Item id list present,
Points to a file or directory,
Has Description string,
Has Relative path,
Has Working directory,
Icon number=0,
Unicoded,
HasExpIcon
"%SystemRoot%\system32\oobe\info\Icon\Medion1.ico",
MachineID benutzer-628c25,
Archive,
ctime=Tue Aug 26 10:44:09 2008,
atime=Tue Aug 26 10:44:14 2008,
mtime=Mon Aug 25 23:04:22 2008,
length=8347
, window=showmaximized,
IDListSize 0x01f9,
Root folder
"20D04FE0-3AEA-1069-A2D8-08002B30309D",
Volume "C:\",
LocalBasePath
"C:\WINDOWS\system32\oobe\info\Medion Offlineseite\
Herzlich willkommen bei MEDION Deutschland.htm"
Java (32-Bit).lnk: MS Windows shortcut,
Item id list present,
Unicoded,
DisableKnownFolderTracking,
length=0
, window=normal,
IDListSize 0x0040,
Root folder
"26EE0668-A00A-44D7-9371-BEB064C98683"
Notepad.lnk: MS Windows shortcut,
Item id list present,
Points to a file or directory,
Has Description string,
Has Relative path,
Has Working directory,
Icon number=0,
Unicoded,
HasEnvironment
"%SystemRoot%\system32\notepad.exe",
MachineID lh-n9iove4y59ds
KnownFolderID
1AC14E77-02E7-4E5D-B744-2EB1AE5198B7,
Archive,
NeedIndexed,
ctime=Thu Nov 2 07:47:59 2006,
atime=Thu Nov 2 09:38:56 2006,
mtime=Thu Nov 2 08:45:30 2006,
length=151040
, window=normal,
IDListSize 0x0129,
Root folder
"20D04FE0-3AEA-1069-A2D8-08002B30309D",
Volume "D:\",
LocalBasePath
"D:\Windows\System32\notepad.exe"
SD Card Formatter.lnk: MS Windows shortcut,
Item id list present,
Has Relative path,
Icon number=0,
Unicoded,
HasDarwinID
"n-{tkDZ]6=Tff5IvP8[K>gMc10V5YbA{qx6pXddz4",
HasExpIcon
"%SystemRoot%\Installer\
{D02212EA-E02A-4521-9036-5367734FC66E}\
NewShortcut1_69C2B9A012C943F8B6BC658D1AC73474.exe",
length=0
, window=normal,
IDListSize 0x0227,
Root folder
"20D04FE0-3AEA-1069-A2D8-08002B30309D",
Volume "C:\"
StarOffice 5.2.lnk: MS Windows shortcut,
Item id list present,
Points to a file or directory,
Has Relative path,
Has Working directory, Archive,
ctime=Mon May 8 02:20:00 2000,
atime=Sun May 7 21:00:00 2000,
mtime=Mon May 8 02:20:00 2000,
length=217088
, window=normal,
IDListSize 0x0093,
Root folder
"20D04FE0-3AEA-1069-A2D8-08002B30309D",
LocalBasePath "C:\"
WinImage (administrator).lnk: MS Windows shortcut,
Item id list present,
Points to a file or directory,
Has Description string,
Has Relative path,
Unicoded,
RunAsUser,
MachineID NETBIOSNAME2
KnownFolderID
905E63B6-C1BF-494E-B29C-65B732D3D21A,
Archive,
ctime=Wed Apr 15 07:00:00 2020,
atime=Sun Apr 17 10:25:50 2016,
mtime=Wed Apr 15 07:00:00 2020,
length=2211432
, window=normal,
IDListSize 0x017b,
Root folder
"20D04FE0-3AEA-1069-A2D8-08002B30309D",
Volume "C:\",
LocalBasePath
"C:\Program Files\WinImage\winimage.exe"
YaCy.lnk: MS Windows shortcut,
Item id list present,
Points to a file or directory,
Has Relative path,
Has Working directory,
Icon number=0,
Unicoded,
HasExpIcon
"%SystemDrive%\Program Files\YaCy\addon\YaCy.ico",
MachineID YACY_SEARCH_PC,
Archive,
NeedIndexed,
ctime=Mon Dec 26 13:20:32 2016,
atime=Sun Dec 10 03:43:47 2017,
mtime=Mon Dec 26 13:20:32 2016,
length=2512
, window=showminnoactive,
IDListSize 0x0171,
Root folder
"20D04FE0-3AEA-1069-A2D8-08002B30309D",
Volume "C:\",
LocalBasePath
"C:\Program Files\YaCy\startYACY.bat"
obd-1.reg.lnk: MS Windows shortcut,
Item id list present,
Points to a file or directory,
Has Relative path,
Has Working directory,
Read-Only,
Hidden,
System,
Directory,
Archive,
Reserved2,
Temporary,
Compressed,
Offline,
NeedIndexed,
ctime=Thu Jun 9 18:15:08 1661,
atime=Sat Mar 19 21:56:55 -56051,
mtime=Wed Feb 2 09:36:25 1661,
length=4435072
, window=normal,
IDListSize 0x00ad,
Root folder
"20D04FE0-3AEA-1069-A2D8-08002B30309D",
Volume "C:\",
LocalBasePath "C:\"
test-lnk.lnk: MS Windows shortcut,
Item id list present,
Points to a file or directory,
Has Relative path,
Has Working directory,
Unicoded,
MachineID chris-xps,
EnableTargetMetadata,
Archive,
ctime=Fri Sep 12 19:27:17 2008,
atime=Fri Sep 12 19:27:17 2008,
mtime=Fri Sep 12 19:27:17 2008,
length=0
, window=normal,
IDListSize 0x00bd,
Root folder
"20D04FE0-3AEA-1069-A2D8-08002B30309D",
Volume "C:\",
LocalBasePath
"C:\test\a.txt"
x-fmt-428-signature-id-262.lnk: MS Windows shortcut
I hope my diff file can be applied in a future version of the
file utility.
With best wishes
Jörg Jenderek
- --
Jörg Jenderek
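
The header layout described in this message (timestamp order at offsets 28/36/44, ShowCommand read as a value instead of a bit mask, the LinkFlags bits, the IDList walk ending at TerminalID, LocalBasePath reached through LinkInfo), as an added Python example that is not part of the original post or of the file project. The function names, the constructed sample bytes and the cp1252 decoding of LocalBasePath are assumptions made for illustration.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)        # FILETIME epoch
LINK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046").bytes_le
# LinkFlags names for bits 0..26, as used in MS-SHLLINK and in the patch comments
LINK_FLAGS = ("HasLinkTargetIDList HasLinkInfo HasName HasRelativePath HasWorkingDir "
              "HasArguments HasIconLocation IsUnicode ForceNoLinkInfo HasExpString "
              "RunInSeparateProcess Unused1 HasDarwinID RunAsUser HasExpIcon NoPidlAlias "
              "Unused2 RunWithShimLayer ForceNoLinkTrack EnableTargetMetadata "
              "DisableLinkPathTracking DisableKnownFolderTracking DisableKnownFolderAlias "
              "AllowLinkToLink UnaliasOnSave PreferEnvironmentPath "
              "KeepLocalIDListForUNCTarget").split()
SHOW = {3: "SW_SHOWMAXIMIZED", 7: "SW_SHOWMINNOACTIVE"}  # all else: SW_SHOWNORMAL

def filetime(v):
    """FILETIME (100 ns ticks since 1601, UTC); 0 means no time set on the target."""
    if v == 0:
        return None
    try:
        return EPOCH + timedelta(microseconds=v // 10)
    except OverflowError:              # corrupt header: date beyond year 9999
        return "out-of-range"

def cstring(data, start, limit):
    """NUL-terminated byte string inside data[start:limit]."""
    end = data.find(b"\0", start, limit)
    return data[start:end if end != -1 else limit]

def parse_lnk(data):
    if len(data) < 76:
        raise ValueError("shorter than the 76-byte ShellLinkHeader")
    (size, clsid, flags, attrs, ctime, atime, mtime, fsize, _icon, show,
     key, mods) = struct.unpack_from("<I16sIIQQQIiIBB", data, 0)
    if size != 0x4C or clsid != LINK_CLSID:
        raise ValueError("bad HeaderSize or LinkCLSID")
    names = [m for b, m in ((1, "SHIFT"), (2, "CONTROL"), (4, "ALT")) if mods & b]
    info = {
        "flags": [n for bit, n in enumerate(LINK_FLAGS) if flags >> bit & 1],
        "attributes": attrs,
        # on-disk order is creation, access, write
        "ctime": filetime(ctime), "atime": filetime(atime), "mtime": filetime(mtime),
        "length": fsize,
        "show": SHOW.get(show, "SW_SHOWNORMAL"),
        "hotkey": "+".join([chr(key)] + names) if key else None,
        "items": [], "local_base_path": None,
    }
    pos = 76
    if flags & 0x1 and pos + 2 <= len(data):             # HasLinkTargetIDList
        (idlist_size,) = struct.unpack_from("<H", data, pos)
        end = min(pos + 2 + idlist_size, len(data))      # never read past the file
        item = pos + 2
        while item + 2 <= end:
            (isize,) = struct.unpack_from("<H", data, item)
            if isize < 3 or item + isize > end:          # 0 = TerminalID, else malformed
                break
            body = data[item + 2:item + isize]
            if body[0] == 0x1F and len(body) >= 18:      # GUID at item offset 4
                guid = str(uuid.UUID(bytes_le=body[2:18])).upper()
                info["items"].append(("Root folder", guid))
            elif body[0] == 0x2F:                        # name at item offset 3
                name = cstring(body, 1, len(body)).decode("ascii", "replace")
                info["items"].append(("Volume", name))
            else:
                info["items"].append((f"type {body[0]:#x}", None))
            item += isize
        pos += 2 + idlist_size
    if flags & 0x2 and pos + 20 <= len(data):            # HasLinkInfo
        li_size, _hdr, li_flags, _vol, lbp = struct.unpack_from("<5I", data, pos)
        li_end = min(pos + li_size, len(data))
        # LocalBasePath exists only when VolumeIDAndLocalBasePath (bit 0) is set
        if li_flags & 1 and 20 <= lbp < li_size and pos + lbp < li_end:
            raw = cstring(data, pos + lbp, li_end)
            info["local_base_path"] = raw.decode("cp1252", "replace")  # assumed code page
    return info

def build_sample(show=7):
    """Constructed shortcut bytes (not a real file): header, 2-item IDList, LinkInfo."""
    when = datetime(2008, 9, 12, 19, 27, 17, tzinfo=timezone.utc)
    ft = int((when - EPOCH).total_seconds()) * 10**7
    header = struct.pack("<I16sIIQQQIiIBBHII", 0x4C, LINK_CLSID, 0x2083, 0x20,
                         ft, 0, ft, 0, 0, show, 0x41, 0x06, 0, 0, 0)
    root = b"\x1f\x50" + uuid.UUID("20D04FE0-3AEA-1069-A2D8-08002B30309D").bytes_le
    vol = b"\x2f" + b"C:\\".ljust(22, b"\0")
    items = b"".join(struct.pack("<H", len(b) + 2) + b for b in (root, vol)) + b"\0\0"
    volid = struct.pack("<4I", 0x11, 3, 0x12345678, 0x10) + b"\0"
    path = b"C:\\test\\a.txt\0"
    body = volid + path + b"\0"
    linkinfo = struct.pack("<7I", 0x1C + len(body), 0x1C, 1, 0x1C,
                           0x1C + len(volid), 0, 0x1C + len(volid) + len(path)) + body
    return header + struct.pack("<H", len(items)) + items + linkinfo

if __name__ == "__main__":
    for field, value in parse_lnk(build_sample()).items():
        print(f"{field}: {value}")
```

For triage, the fields worth surfacing from untrusted shortcuts are the ones shown here: RunAsUser and HasArguments in the flags, a minimized ShowCommand, and a LocalBasePath that does not match the shortcut's name.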
-------------- next part --------------
--- file-5.44/magic/Magdir/msdos.old 2022-12-26 19:00:48.000000000 +0100
+++ file-5.44/magic/Magdir/msdos 2023-04-04 03:10:56.060452800 +0200
@@ -1644,8 +1644,6 @@
1 string RDC-meg MegaDots
>8 byte >0x2F version %c
>9 byte >0x2F \b.%c file
-0 lelong 0x4C
->4 lelong 0x00021401 Windows shortcut file
# .PIF files added by Joerg Jenderek from https://smsoft.ru/en/pifdoc.htm
# only for windows versions equal or greater 3.0
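Review bot: The two removed lines matched on only the first 8 bytes (lelong 0x4C at 0, then lelong 0x00021401 at 4), while the rule kept in Magdir/windows needs all 20 bytes of HeaderSize plus LinkCLSID, so a file that agrees on the first 8 bytes but differs in the CLSID tail now gets no shortcut description at all. That stricter match looks intended, but it should be stated in the commit message or changelog so the behaviour change is not read as a pure de-duplication.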
-------------- next part --------------
A non-text attachment was scrubbed...
Name: trid-v-lnk.txt.gz
Type: application/x-gzip
Size: 526 bytes
Desc: not available
URL: <https://mailman.astron.com/pipermail/file/attachments/20230411/86a2c45f/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: droid-lnk.csv.gz
Type: application/x-gzip
Size: 736 bytes
Desc: not available
URL: <https://mailman.astron.com/pipermail/file/attachments/20230411/86a2c45f/attachment-0003.bin>
-------------- next part --------------
--- file-5.44/magic/Magdir/windows.old 2022-12-02 17:18:19.000000000 +0100
+++ file-5.44/magic/Magdir/windows 2023-04-11 15:39:23.350619900 +0200
@@ -489,5 +489,12 @@
# Summary: Windows shortcut
-# Extension: .lnk
# Created by: unknown
+# Update: Joerg Jenderek
+# URL: http://fileformats.archiveteam.org/wiki/Windows_Shortcut
+# https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-shllink/
+# Reference: http://mark0.net/download/triddefs_xml.7z/defs/l/lnk-shortcut.trid.xml
+# https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-SHLLINK/%5bMS-SHLLINK%5d.pdf
+# Note: called "Windows Shortcut" by TrID, "Microsoft Windows Shortcut" by DROID via PUID x-fmt/428 and "Windows shortcut file" by ./msdos (v 1.158)
+# partly verified by command like `lnkinfo AOL.lnk`
# 'L' + GUUID
+# HeaderSize + LinkCLSID 00021401-0000-0000-C000-000000000046
0 string \114\0\0\0\001\024\002\0\0\0\0\0\300\0\0\0\0\0\0\106 MS Windows shortcut
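Review bot: The header comment drops "# Extension: .lnk" without a replacement and keeps the misspelt "# 'L' + GUUID" directly above the new "# HeaderSize + LinkCLSID ..." line, which now says the same thing correctly. Suggest deleting the old "'L' + GUUID" line instead of stacking a second description under it, and keeping the extension in the comment block for readers who do not scroll to the `!:ext lnk` line.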
@@ -495,3 +502,6 @@
!:ext lnk
+# LinkFlags
+# HasLinkTargetIDList; if set a LinkTargetIDList structure MUST follow the ShellLinkHeader; If is not set, structure MUST NOT be present
>20 lelong&1 1 \b, Item id list present
+# HasLinkInfo; if set a LinkInfo structure MUST follow the ShellLinkHeader or LinkTargetIDList; If is not set, structure MUST NOT be present
>20 lelong&2 2 \b, Points to a file or directory
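Review bot: The new comments name these bits HasLinkTargetIDList and HasLinkInfo, but the printed text stays "Item id list present" and "Points to a file or directory", while the flags added later in this patch print their specification names (RunAsUser, HasExpIcon, NoLinkInfo). Mixing both styles in one output line makes it hard to map the text back to the specification; pick one convention, or say in the comment why the old strings are kept. Minor: "If is not set" in both comments should read "if it is not set".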
@@ -502,3 +512,86 @@
>20 lelong&64 64 \b, Icon
+# IconIndex
>>56 lelong x \b number=%d
+# IsUnicode; If set then StringData section contains Unicode-encoded strings
+>20 lelong&128 128 \b, Unicoded
+# ForceNoLinkInfo; LinkInfo structure is ignored
+>20 lelong&256 256 \b, NoLinkInfo
+# HasExpString; with an EnvironmentVariableDataBlock
+>20 lelong&512 512 \b, HasEnvironment
+# look for BlockSize 314h and EnvironmentVariableDataBlock BlockSignature A0000001h
+>>76 search/1972 \x14\x03\x00\x00\x01\x00\x00\xa0
+# TargetAnsi (260 bytes); NULL-terminated path to environment variable encoded with system default code page
+#>>>&0 string x '%s'
+# TargetUnicode (520 bytes): optional NULL-terminated path to same environment variable Unicode encoded
+# like: "%windir%\system32\calc.exe"
+>>>&260 lestring16 x "%s"
+# RunInSeparateProcess; run in a separate virtual machine when launching a 16-bit application; no examples found
+>20 lelong&1024 1024 \b, RunInSeparateProcess
+# Unused1; undefined and MUST be ignored
+#>20 lelong&2048 2048 \b, Unused1
+# HasDarwinID; with a DarwinDataBlock
+>20 lelong&4096 4096 \b, HasDarwinID
+# look for BlockSize 314h and DarwinDataBlock BlockSignature A0000006h
+>>76 search/1972 \x14\x03\x00\x00\x06\x00\x00\xa0
+# DarwinDataAnsi (260 bytes); NULL-terminated application identifier encoded with system default code page; SHOULD be ignored
+#>>>&0 string x '%s'
+# DarwinDataUnicode (520 bytes); NULL-terminated application identifier Unicode encoded
+>>>&260 lestring16 x "%s"
+# RunAsUser; target application is run as a different user
+>20 lelong&8192 8192 \b, RunAsUser
+# HasExpIcon; with an IconEnvironmentDataBlock
+>20 lelong&16384 16384 \b, HasExpIcon
+# look for BlockSize 314h and IconEnvironmentDataBlock BlockSignature A0000007h
+>>76 search/1972 \x14\x03\x00\x00\x07\x00\x00\xa0
+# TargetAnsi (260 bytes); NULL-terminated path to environment icon variable encoded with system default code page
+#>>>&0 string x '%s'
+# TargetUnicode (520 bytes); optional NULL-terminated path to same icon environment variable Unicode encoded
+# like: "%SystemDrive%\Program Files\YaCy\addon\YaCy.ico"
+>>>&260 lestring16 x "%s"
+# NoPidlAlias; represented in the shell namespace; no examples found
+>20 lelong&32768 32768 \b, NoPidlAlias
+# Unused2; undefined and MUST be ignored
+#>20 lelong&65536 65536 \b, Unused2
+# RunWithShimLayer; with a ShimDataBlock; no examples found
+>20 lelong&131072 131072 \b, RunWithShimLayer
+# ForceNoLinkTrack; TrackerDataBlock is ignored; no examples found
+>20 lelong&262144 262144 \b, ForceNoLinkTrack
+>20 lelong&262144 0
+# look for BlockSize 60h, TrackerDataBlock BlockSignature A0000003h, it length 58h and Version 0
+>>76 search/1972 \x60\x00\x00\x00\x03\x00\x00\xa0\x58\x00\x00\x00\0\0\0\0
+# MachineID (16 bytes); a NULL-terminated NetBIOS name encoded with system default code page of the machine
+>>>&0 string x \b, MachineID %0.16s
+# Droid (32 bytes)
+#
+# DroidBirth (32 bytes)
+#
+# EnableTargetMetadata; collect target properties and store in PropertyStoreDataBlock
+>20 lelong&524288 524288 \b, EnableTargetMetadata
+# look for BlockSize >= Ch, PropertyStoreDataBlock BlockSignature A0000009h
+#>>76 search/1972 \x00\x00\x09\x00\x00\xa0
+# PropertyStore (variable)
+#
+# DisableLinkPathTracking; EnvironmentVariableDataBlock is ignored; no examples found
+>20 lelong&1048576 1048576 \b, DisableLinkPathTracking
+# DisableKnownFolderTracking; SpecialFolderDataBlock and KnownFolderDataBlock are ignored and not saved
+>20 lelong&2097152 2097152 \b, DisableKnownFolderTracking
+>20 lelong&2097152 0
+# look for BlockSize 1Ch and KnownFolderDataBlock BlockSignature A000000Bh
+>>76 search/1972 \x1c\x00\x00\x00\x0B\x00\x00\xa0
+# https://learn.microsoft.com/en-us/dotnet/desktop/winforms/controls/known-folder-guids-for-file-dialog-custom-places
+# KnownFolderID specifies the folder GUID ID
+# ProgramFiles 905E63B6-C1BF-494E-B29C-65B732D3D21A
+# ProgramFilesX86 7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E
+>>>&0 guid x KnownFolderID %s
+# DisableKnownFolderAlias; unaliased form of the known folder IDList SHOULD be used; no examples found
+>20 lelong&4194304 4194304 \b, DisableKnownFolderAlias
+# AllowLinkToLink; link that references another link is enabled; no examples found
+>20 lelong&8388608 8388608 \b, AllowLinkToLink
+# UnaliasOnSave; unaliased form of that known folder or the target IDList SHOULD be used; no examples found
+>20 lelong&16777216 16777216 \b, UnaliasOnSave
+# PreferEnvironmentPath; path specified in the EnvironmentVariableDataBlock SHOULD be used
+>20 lelong&33554432 33554432 \b, PreferEnvironmentPath
+# KeepLocalIDListForUNCTarget; UNC name SHOULD be stored in local path IDList in PropertyStoreDataBlock; no examples found
+>20 lelong&67108864 67108864 \b, KeepLocalIDListForUNCTarget
+# FileAttributes
>24 lelong&1 1 \b, Read-Only
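Review bot: The KnownFolderID line `>>>&0 guid x KnownFolderID %s` has no leading `\b, `, so it runs straight on from the MachineID value; the sample output in the message shows exactly that ("MachineID lh-n9iove4y59ds" followed by "KnownFolderID" with no comma). Add the separator as on the neighbouring lines. Separately, every `>>76 search/1972 ...` for a block signature starts at the end of the header and scans across the IDList, LinkInfo and StringData, so an 8-byte coincidence inside those sections prints as if it were a real extra data block, and a block starting beyond offset 76+1972 is silently missed; a comment stating this limitation would help whoever relies on the MachineID or environment path for attribution.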
@@ -506,9 +599,13 @@
>24 lelong&4 4 \b, System
->24 lelong&8 8 \b, Volume Label
+# Reserved1; MUST be zero
+>24 lelong&8 8 \b, Reserved1
>24 lelong&16 16 \b, Directory
>24 lelong&32 32 \b, Archive
->24 lelong&64 64 \b, Encrypted
+# Reserved2; MUST be zero
+>24 lelong&64 64 \b, Reserved2
>24 lelong&128 128 \b, Normal
>24 lelong&256 256 \b, Temporary
+# no examples found
>24 lelong&512 512 \b, Sparse
+# no examples found
>24 lelong&1024 1024 \b, Reparse point
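Review bot: The Reserved1 and Reserved2 lines carry the comment "MUST be zero" but print the bare words "Reserved1" and "Reserved2" when the bit is set, which gives the reader no hint that the header violates the specification (the obd-1.reg.lnk output in the message shows "Reserved2" in the middle of ordinary attributes). Suggest wording that marks it as an anomaly, or dropping the output and leaving the lines commented like the Unused1/Unused2 flags. The two "# no examples found" comments should also say which attribute they refer to.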
@@ -516,23 +613,105 @@
>24 lelong&4096 4096 \b, Offline
->28 leqwdate x \b, ctime=%s
->36 leqwdate x \b, mtime=%s
->44 leqwdate x \b, atime=%s
+# FILE_ATTRIBUTE_NOT_CONTENT_INDEXED; contents need to be indexed
+>24 lelong&8192 8192 \b, NeedIndexed
+# FILE_ATTRIBUTE_ENCRYPTED; file or directory is encrypted
+>24 lelong&16384 16384 \b, Encrypted
+# value zero means there is no time set on the target
+>28 leqwdate !0 \b, ctime=%s
+# Access time of target in UTC
+>36 leqwdate !0 \b, atime=%s
+# write time of target in UTC
+>44 leqwdate !0 \b, mtime=%s
+# FileSize; 32 bit size of target in bytes
>52 lelong x \b, length=%u, window=
->60 lelong&1 1 \bhide
->60 lelong&2 2 \bnormal
->60 lelong&4 4 \bshowminimized
->60 lelong&8 8 \bshowmaximized
->60 lelong&16 16 \bshownoactivate
->60 lelong&32 32 \bminimize
->60 lelong&64 64 \bshowminnoactive
->60 lelong&128 128 \bshowna
->60 lelong&256 256 \brestore
->60 lelong&512 512 \bshowdefault
-#>20 lelong&1 0
-#>>20 lelong&2 2
-#>>>(72.l-64) pstring/h x \b [%s]
-#>20 lelong&1 1
-#>>20 lelong&2 2
-#>>>(72.s) leshort x
-#>>>&75 pstring/h x \b [%s]
+# ShowCommand; 1~SW_SHOWNORMAL 3~SW_SHOWMAXIMIZED HerzlichMEDION.lnk 7~SW_SHOWMINNOACTIVE YaCy.lnk Privoxy.lnk; All other values like 2 MUST be treated as SW_SHOWNORMAL
+#>60 lelong x ShowCommand=%#x
+>60 lelong x
+>>60 lelong 3 \bshowmaximized
+>>60 lelong 7 \bshowminnoactive
+>>60 default x \bnormal
+# Hotkey
+>64 uleshort >0 \b, hot key
+# 41h~A 42h~B ...
+>>64 ubyte x %c
+# modifier keys: 0x01~HOTKEYF_SHIFT 0x02~HOTKEYF_CONTROL 0x04~HOTKEYF_ALT
+>>65 ubyte&1 1 \b+SHIFT
+>>65 ubyte&2 2 \b+CONTROL
+>>65 ubyte&4 4 \b+ALT
+# Reserved; MUST be zero
+#>66 uleshort !0 \b, reserved %#x
+# Reserved2; MUST be zero
+#>68 ulelong !0 \b, reserved2 %#x
+# Reserved3; MUST be zero
+#>72 ulelong !0 \b, reserved3 %#x
+# optional LINKTARGET_IDLIST if LinkFlags bit HasLinkTargetIDList is set
+>20 lelong&1 1
+# IDListSize; size of IDList
+>>76 uleshort x \b, IDListSize %#4.4x
+# 1st item
+>>78 use lnk-item
+# 2nd possible item
+>>(78.s+78) uleshort >0
+>>>(78.s+78) use lnk-item
+# 3rd possible item
+>>>&(&-2.s-2) uleshort >0
+>>>>&-2 use lnk-item
+# 4th possible item
+>>>>&(&-2.s-2) uleshort >0
+>>>>>&-2 use lnk-item
+# Because HasLinkInfo is set, a LinkInfo structure follows
+>20 lelong&2 2
+# if no LINKTARGET_IDLIST (no HasLinkTargetIDList) then direct after header; no example found
+>>20 lelong&1 =0
+>>>76 use lnk-info
+# if LINKTARGET_IDLIST (HasLinkTargetIDList) then after LINKTARGET_IDLIST by addtional IDListSize bytes
+>>20 lelong&1 =1
+>>>76 uleshort >0
+#>>>>(76.s+78) use lnk-info
+>>>>(76.s+78) ubelong x
+# move pointer to beginnig of LinkInfo structure
+>>>>>&-8 ubelong x
+#>>>>>>&16 ulelong x \b, LocalBasePathOffset=%#8.8x
+>>>>>>&(&16.l) string x \b, LocalBasePath "%s"
+# check and then display link item (size,data)
+0 name lnk-item
+# size value 0x0000 means TerminalID; indicates the end of the item IDs list
+>0 uleshort >0
+#>>0 uleshort x \b, ItemIDSize %#4.4x
+# item Data
+#>>2 ubequad x \b, Item data=%#16.16llx
+#>>2 ubyte x \b, Item type=%#x
+>>2 ubyte =0x1f \b, Root folder
+# like: "26EE0668-A00A-44D7-9371-BEB064C98683" Control Panel
+# "20D04FE0-3AEA-1069-A2D8-08002B30309D" My Computer
+# "871C5380-42A0-1069-A2EA-08002B30309D" Internet Explorer
+>>>4 guid x "%s"
+>>2 ubyte =0x2f \b, Volume
+# like: "C:\" "D:\"
+>>>3 string x "%s"
+# Control panel category
+#>>2 ubyte foo \b, Control panel category
+# display LinkInfo structure (size,flags,offsets)
+0 name lnk-info
+# LinkInfoSize; size of the LinkInfo structure
+>0 ulelong x \b, LinkInfoSize %#x
+# LinkInfoHeaderSize; if 1C no optional fields; >=24 optional fields are specified
+>4 ulelong x \b, LinkInfoHeaderSize %#x
+# LinkInfoFlags;
+#>8 ulelong x \b, LinkInfoFlags=%#x
+>8 ulelong&1 1 \b, VolumeIDAndLocalBasePath
+# VolumeIDOffset; location of the VolumeID field (VolumeIDSize DriveType DriveSerialNumber VolumeLabelOffset ... ) inside LinkInfo structure
+>>12 ulelong x \b, VolumeIDOffset %#x
+# LocalBasePathOffset; location of LocalBasePath field like "C:\test\a.txt" inside LinkInfo structure
+>>16 ulelong x \b, LocalBasePathOffset %#x
+# LocalBasePathOffsetUnicode; location of the LocalBasePathUnicode field inside LinkInfo structure
+>>4 ulelong >23
+>>>28 ulelong x \b, LocalBasePathOffsetUnicode %#x
+>8 ulelong&2 2 \b, CommonNetworkRelativeLinkAndPathSuffix
+# CommonNetworkRelativeLinkOffset; location of the CommonNetworkRelativeLink field inside LinkInfo structure
+>>20 ulelong x \b, CommonNetworkRelativeLinkOffset %#x
+# CommonPathSuffixOffset; location of CommonPathSuffix field
+>24 ulelong x \b, CommonPathSuffixOffset %#x
+# CommonPathSuffixOffsetUnicode; location of CommonPathSuffixUnicode field inside LinkInfo structure
+>4 ulelong >23
+>>32 ulelong x \b, CommonPathSuffixOffsetUnicode %#x
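Review bot: In the LinkInfo branch, `>>>>>>&(&16.l) string x \b, LocalBasePath "%s"` prints a string at LocalBasePathOffset without testing LinkInfoFlags bit 0, although the lnk-info routine below (and the message) treat that offset as valid only when VolumeIDAndLocalBasePath is set; for a network-only link the value at +16 is not a path offset and the rule will print unrelated bytes. Test `&1` on the flags at +8 before following the offset, and consider calling `lnk-info` from this branch instead of leaving that `use` commented out, since otherwise the routine is reached only in the no-IDList case for which no sample was found. Two smaller points: the label "NeedIndexed" with the comment "contents need to be indexed" reads as the opposite of the attribute name FILE_ATTRIBUTE_NOT_CONTENT_INDEXED it is attached to, and `>>64 ubyte x %c` prints the raw key byte, which for non-letter key codes will not be a readable character. Typos: "addtional", "beginnig".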