[File] [PATCH] of Magdir/msdos, windows Windows shortcut -duplicates -wrong items
Christos Zoulas
christos at zoulas.com
Mon Apr 17 16:39:31 UTC 2023
Committed, thanks!
christos
> On Apr 11, 2023, at 10:09 AM, Jörg Jenderek <joerg.jen.der.ek at gmx.net> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hello,
>
> some days ago i read an interesting article in German computer
> magazine c't in number 24 from 2022. There was described the
> efforts and methods of Microsoft to protect their system.
> Unfortunately Microsoft is non-transparent like FIFA and do not
> exactly explain why something is happing. Luckily in the article 39
> file name suffix are listed which considered to be potential
> dangerous. One extension is LNK.
>
> So i look on my Systems for such files (8962 including duplicates).
> When running file command version 5.44 on such examples without -k
> option i get at first glance not bad looking output like:
> AOL.lnk: MS Windows shortcut,
> Item id list present,
> Points to a file or directory,
> Has Relative path,
> Archive,
> ctime=Wed May 5 19:22:00 1999,
> mtime=Thu Jul 10 21:00:00 2014,
> atime=Wed May 5 19:22:00 1999,
> length=86016
> , window=hide
> Aktenkoffer.lnk: MS Windows shortcut,
> Item id list present,
> Points to a file or directory,
> Has Relative path,
> Read-Only,
> Directory,
> ctime=Tue Jul 23 15:26:10 2019,
> mtime=Mon Jul 22 21:00:00 2019,
> atime=Tue Jul 23 15:26:12 2019,
> length=0
> , window=hide
> Autoruns.lnk: MS Windows shortcut,
> Item id list present,
> Points to a file or directory,
> Has Description string,
> Has Relative path,
> Has Working directory,
> Archive,
> ctime=Thu Oct 14 12:09:14 2021,
> mtime=Thu Oct 14 12:09:14 2021,
> atime=Thu Feb 17 18:43:33 2022,
> length=344064
> , window=hide
> Calculator.lnk: MS Windows shortcut,
> Has Description string,
> Icon number=0,
> ctime=Sun Dec 31 23:00:00 1600,
> mtime=Sun Dec 31 23:00:00 1600,
> time=Sun Dec 31 23:00:00 1600,
> length=0
> , window=hide
> HerzlichMEDION.lnk: MS Windows shortcut,
> Item id list present,
> Points to a file or directory,
> Has Description string,
> Has Relative path,
> Has Working directory,
> Icon number=0,
> Archive,
> ctime=Tue Aug 26 10:44:09 2008,
> mtime=Tue Aug 26 10:44:14 2008,
> atime=Mon Aug 25 23:04:22 2008,
> length=8347
> , window=hidenormal
> Java (32-Bit).lnk: MS Windows shortcut,
> Item id list present,
> ctime=Sun Dec 31 23:00:00 1600,
> mtime=Sun Dec 31 23:00:00 1600,
> atime=Sun Dec 31 23:00:00 1600,
> length=0
> , window=hide
> Notepad.lnk: MS Windows shortcut,
> Item id list present,
> Points to a file or directory,
> Has Description string,
> Has Relative path,
> Has Working directory,
> Icon number=0,
> Archive,
> ctime=Thu Nov 2 07:47:59 2006,
> mtime=Thu Nov 2 09:38:56 2006,
> atime=Thu Nov 2 08:45:30 2006,
> length=151040
> , window=hide
> SD Card Formatter.lnk: MS Windows shortcut,
> Item id list present,
> Has Relative path,
> Icon number=0,
> ctime=Sun Dec 31 23:00:00 1600,
> mtime=Sun Dec 31 23:00:00 1600,
> atime=Sun Dec 31 23:00:00 1600,
> length=0
> , window=hide
> StarOffice 5.2.lnk: MS Windows shortcut,
> Item id list present,
> Points to a file or directory,
> Has Relative path,
> Has Working directory,
> Archive,
> ctime=Mon May 8 02:20:00 2000,
> mtime=Sun May 7 21:00:00 2000,
> atime=Mon May 8 02:20:00 2000,
> length=217088
> , window=hide
> WinImage (administrator).lnk: MS Windows shortcut,
> Item id list present,
> Points to a file or directory,
> Has Description string,
> Has Relative path,
> Archive,
> ctime=Wed Apr 15 07:00:00 2020,
> mtime=Sun Apr 17 10:25:50 2016,
> atime=Wed Apr 15 07:00:00 2020,
> length=2211432
> , window=hide
> YaCy.lnk: MS Windows shortcut,
> Item id list present,
> Points to a file or directory,
> Has Relative path,
> Has Working directory,
> Icon number=0,
> Archive,
> ctime=Mon Dec 26 13:20:32 2016,
> mtime=Sun Dec 10 03:43:47 2017,
> atime=Mon Dec 26 13:20:32 2016,
> length=2512
> , window=hidenormalshowminimized
> obd-1.reg.lnk: MS Windows shortcut,
> Item id list present,
> Points to a file or directory,
> Has Relative path,
> Has Working directory,
> Read-Only,
> Hidden,
> System,
> Directory,
> Archive,
> Encrypted,
> Temporary,
> Compressed,
> Offline,
> ctime=Thu Jun 9 18:15:08 1661,
> mtime=Sat Mar 19 21:56:55 -56051,
> atime=Wed Feb 2 09:36:25 1661,
> length=4435072
> , window=hide
> test-lnk.lnk: MS Windows shortcut,
> Item id list present,
> Points to a file or directory,
> Has Relative path,
> Has Working directory,
> Archive,
> ctime=Fri Sep 12 19:27:17 2008,
> mtime=Fri Sep 12 19:27:17 2008,
> atime=Fri Sep 12 19:27:17 2008,
> length=0
> , window=hide
> x-fmt-428-signature-id-262.lnk: MS Windows shortcut,
> ctime=Sun Dec 31 23:00:00 1600,
> mtime=Sun Dec 31 23:00:00 1600,
> atime=Sun Dec 31 23:00:00 1600
>
>
> Furthermore with -i option application/x-ms-shortcut is shown and
> with --extension correct 3 byte sequence lnk is displayed.
>
> But when running with additional -m Magdir/msdos then with option -i
> only generic application/octet-stream is shown and with --extension
> only ??? is displayed.
>
> For comparison reason i run other utilities. The file identifier tool
> TrID (see http://mark0.net/soft-trid-e.html) describes such LNK
> examples as "Windows Shortcut" by definition lnk-shortcut.trid.xml
> (see appended trid-v-lnk.txt.gz).
>
> DROID (Digital Record and Object Identification) is a software tool
> developed by The National Archives of UK to perform automated batch
> identification of file formats. See
> https://digital-preservation.github.io/droid/
> According to that tool the samples are described as "Microsoft
> Windows Shortcut" by PUID x-fmt/428 ( see appended droid-lnk.csv.gz).
>
> First we see that we get duplicate messages, because in Magdir/msdos
> and Magdir/windows in principal the same recognition lines are found.
> This is looking for 4 byte header size 4C followed by 16 byte
> LinkCLSID 00021401-0000-0000-C000-000000000046. In msdos this consist
> of 2 lines like:
> 0 lelong 0x4C
>> 4 lelong 0x00021401 Windows shortcut file
>
> In windows it starts with lines like
> 0 string \114\0\0\0
> \001\024\002\0\0\0\0\0\300\0\0\0\0\0\0\106 MS Windows shortcut
> !:mime application/x-ms-shortcut
> !:ext lnk
>
> So first i delete concerning lines inside msdos by patch
> file-5.44-msdos-lnk.diff to remove duplicated messages.
>
> Luckily with information given by the other tools i also found a
> page about Windows Shortcut on file formats archive team web
> site. Surprisingly there exist an official specification from
> Microsoft covering most aspects. That informations are expressed by
> comment lines inside Magdir/images like:
> # URL: http://fileformats.archiveteam.org/
> # wiki/Windows_Shortcut
> # https://learn.microsoft.com/
> # en-us/openspecs/windows_protocols/ms-shllink/
> # Reference: http://mark0.net/download/triddefs_xml.7z
> # defs/l/lnk-shortcut.trid.xml
> # https://winprotocoldoc.blob.core.windows.net/
> # productionwindowsarchives/MS-SHLLINK/
> # %5bMS-SHLLINK%5d.pdf
>
> 2 of 3 time stamps are shown by lines like:
>> 36 leqwdate x \b, mtime=%s
>> 44 leqwdate x \b, atime=%s
> These are just swapped. According to documentation in the middle
> comes the access time of the target in UTC and last comes the write
> time of target in UTC. This can be verified by command line tool
> command like:
> lnkinfo AOL.lnk
>
> Furthermore value zero means there is no time set on the target. So
> these lines now become like:
>> 36 leqwdate !0 \b, atime=%s
>> 44 leqwdate !0 \b, mtime=%s
>
> After the target link size the window state (ShowCommand) of the
> launched application is shown by lines like:
>> 52 lelong x \b, length=%u, window=
>> 60 lelong&1 1 \bhide
>> 60 lelong&2 2 \bnormal
>> 60 lelong&4 4 \bshowminimized
>> 60 lelong&8 8 \bshowmaximized
>> 60 lelong&16 16 \bshownoactivate
>> 60 lelong&32 32 \bminimize
>> 60 lelong&64 64 \bshowminnoactive
>> 60 lelong&128 128 \bshowna
>> 60 lelong&256 256 \brestore
>> 60 lelong&512 512 \bshowdefault
>
> That interpretation is wrong. That is really fake news. This is not
> visible at first glance. Most samples have ShowCommand value 1 ( That
> is SW_SHOWNORMAL). So most samples are currently described by phrase
> "window=hide". But using brain we should expect "window=normal" for
> most cases. For sample HerzlichMEDION.lnk with link to a welcome html
> page in full screen with ShowCommand 3 (That is SW_SHOWMAXIMIZED)
> obviously nonsense phrase "window=hidenormal" is shown. Most worst
> are samples like YaCy.lnk, Privoxy.lnk starting web proxy software
> minimised with ShowCommand value 7 (That is SW_SHOWMINNOACTIVE).
> Here i get phrase like "window=hidenormalshowminimized".
> Unfortunately my lnkinfo version 20181227 also reports no expected
> values here, but calling property function on Windows itself
> reports the 3 window behaviour described in documentation. All
> other values like 2 MUST be treated as SW_SHOWNORMAL. So this is
> now described by lines like:
>> 60 lelong x
>>> 60 lelong 3 \bshowmaximized
>>> 60 lelong 7 \bshowminnoactive
>>> 60 default x \bnormal
>
> The LinkFlags structure specifies information about the shell link
> and the presence of optional portions of the structure. That
> information are shown by lines like:
>> 20 lelong&1 1 \b, Item id list present
>> 20 lelong&2 2 \b, Points to a file or directory
>> 20 lelong&4 4 \b, Has Description string
>> 20 lelong&8 8 \b, Has Relative path
>> 20 lelong&16 16 \b, Has Working directory
>> 20 lelong&32 32 \b, Has command line arguments
>
> Only 6 bits from 32 are interpreted. I do not know why? To be
> consistent i also show the other bits in interpreted form although
> i do not always exactly know what this means because i am no windows
> internals expert. So maybe a person with more knowledge could check
> if description text is human readable, useful and correct. For
> example the sample "WinImage (administrator).lnk" is calling the
> program winimage.exe obviously as user administrator. So here this
> information is now shown by line like:
>> 20 lelong&8192 8192 \b, RunAsUser
>
> Some LinkFlags are indicator for existence or absence of a special
> data block. Often this blocks start with some characteristic byte
> sequences. So the flag HasExpString is indicator for an
> EnvironmentVariableDataBlock which starts with 4 byte Block Size 314h
> followed by Block Signature A0000001h. Afterwards the path to
> environment variable encoded with system default code page is stored
> as 260 byte string TargetAnsi. Afterwards the same variable is stored
> as 520 bytes TargetUnicode uni coded. In my examples on German and
> English machines these 2 strings are the same like
> "%windir%\system32\calc.exe" in sample Calculator.lnk. Maybe that on
> machine with exotic languages like Chinese this looks different. So i
> show only TargetUnicode which probably is more reliable because it
> does not depend on some system code pages which are not known by the
> file command. So this information is shown by lines like:
>> 20 lelong&512 512 \b, HasEnvironment
>>> 76 search/1972 \x14\x03\x00\x00\x01\x00\x00\xa0
> #>>>&0 string x '%s'
> # like: "%windir%\system32\calc.exe"
>>>> &260 lestring16 x "%s"
>
> So the flag HasExpIcon is indicator for an IconEnvironmentDataBlock
> which starts with 4 byte Block Size 314h followed by Block Signature
> A0000007h. Afterwards the path to environment icon variable encoded
> with system default code page is stored as 260 byte string
> TargetAnsi. Afterwards the same variable is stored as 520 bytes
> TargetUnicode uni coded. In my examples on German and English
> machines these 2 strings are the same like ""%SystemDrive%\Program
> Files\YaCy\addon\YaCy.ico" in sample YaCy.lnk. So this information is
> shown by lines like:
>> 20 lelong&16384 16384 \b, HasExpIcon
>>> 76 search/1972 \x14\x03\x00\x00\x07\x00\x00\xa0
> #>>>&0 string x '%s'
> # like: "%SystemDrive%\Program Files\YaCy\addon\YaCy.ico"
>>>> &260 lestring16 x "%s"
>
> Similar problem occurs for FileAttributes. The FileAttributesFlags
> structure that specifies information about the link target.That
> information are shown by lines like:
>> 24 lelong&1 1 \b, Read-Only
>> 24 lelong&2 2 \b, Hidden
>> 24 lelong&4 4 \b, System
>> 24 lelong&8 8 \b, Volume Label
>> 24 lelong&16 16 \b, Directory
>> 24 lelong&32 32 \b, Archive
>> 24 lelong&64 64 \b, Encrypted
>> 24 lelong&128 128 \b, Normal
>> 24 lelong&256 256 \b, Temporary
>> 24 lelong&512 512 \b, Sparse
>> 24 lelong&1024 1024 \b, Reparse point
>> 24 lelong&2048 2048 \b, Compressed
>> 24 lelong&4096 4096 \b, Offline
>
> Only the first thirteen bits are interpreted. So for some samples
> like Notepad.lnk YaCy.lnk show FILE_ATTRIBUTE_NOT_CONTENT_INDEXED
> attribute. As far as i understand this that means contents needs to
> be indexed by line like:
>> 24 lelong&8192 8192 \b, NeedIndexed
>
> More worse some fields are interpreted wrong by lines like
>> 24 lelong&8 8 \b, Volume Label
>> 24 lelong&64 64 \b, Encrypted
> According to documentation (i did not verified this) these must be
> interpreted by lines like:
>> 24 lelong&8 8 \b, Reserved1
>> 24 lelong&64 64 \b, Reserved2
>> 24 lelong&16384 16384 \b, Encrypted
>
> For some samples i get no program or icon name. So i look for more
> information hints. If LinkFlags bit HasLinkTargetIDList is set the
> there follows LINKTARGET_IDLIST after header (76=4C). This start with
> size of whole IDList by variable IDListSize. Then follows the items
> itself starting with size of item itself by ItemIDSize variable
> followed by Item data. With the help of this size i jump to position
> of next item and inspect item by calling sub routine lnk-item. So i
> inspect first 4 items. Luckily the list is terminated by size value
> TerminalID. That means value 0x0000. So you can interpret that such
> a item size value means end of list is reached. So this is expressed
> by lines like:
>> 20 lelong&1 1
>>> 76 uleshort x \b, IDListSize %#4.4x
> # 1st item
>>> 78 use lnk-item
> # 2nd possible item
>>> (78.s+78) uleshort >0
>>>> (78.s+78) use lnk-item
> # 3rd possible item
>>>> &(&-2.s-2) uleshort >0
>>>>> &-2 use lnk-item
> # 4th possible item
>>>>> &(&-2.s-2) uleshort >0
>>>>>> &-2 use lnk-item
>
> The sub routine in first step check for size and step forward if the
> size is not zero. According to lnkinfo source ( which i do not fully
> understand) if data start with byte value 1f then this is followed by
> guid. So in sample "Java (32-Bit).lnk" the guid
> "26EE668-A00A-44D7-9371-BEB064C98683" means Control Panel item.
> If data start with by value 2f then this is followed by Volume name
> like "C:\" or "D:\". So this is done by sub routine lnk-item. This
> looks like:
> 0 name lnk-item
>> 0 uleshort >0
>>> 0 uleshort x \b, ItemIDSize %#4.4x
> #>>2 ubequad x \b, Item data=%#16.16llx
>>> 2 ubyte x \b, Item type=%#x
>>> 2 ubyte =0x1f \b, Root folder
>>>> 4 guid x "%s"
>>> 2 ubyte =0x2f \b, Volume
>>>> 3 string x "%s"
>
> At this point for some samples like "WinImage (administrator).lnk"
> and test-lnk.lnk mentioned in documentation still no program name
> or icon name is shown. With the help of additional sub routine lnk-in
> fo
> is can show more information of LinkInfo structure like size flags
> and offsets (relative to start of this structure). Interesting is the
> LocalBasePathOffset pointing to LocalBasePath field like
> "C:\test\a.txt". This field only exist if VolumeIDAndLocalBasePath
> (value 1)
> in LinkInfoFlags is set. So this can be show by calling sub routine
> which look like:
> 0 name lnk-info
>> 0 ulelong x \b, LinkInfoSize %#x
>> 4 ulelong x \b, LinkInfoHeaderSize %#x
> #>8 ulelong x \b, LinkInfoFlags=%#x
>> 8 ulelong&1 1 \b, VolumeIDAndLocalBasePath
>>> 12 ulelong x \b, VolumeIDOffset %#x
>>> 16 ulelong x \b, LocalBasePathOffset %#x
>
> With the help of this sub routine i was able to show LocalBasePath
> in the end. Maybe somebody find a way to do it in a better and
> 100% perfect way. First i must check for existence of LinkInfo.
> This is true if HasLinkInfo flag is set. Then the position of this
> structure varies. If there exist no LINKTARGET_IDLIST (no
> HasLinkTargetIDList flag set) then this structure comes direct
> after header, but i found no such samples. If there exist an
> LINKTARGET_IDLIST then LinkInfo comes after this (additional
> IDListSize bytes). Then after moving pointer to LinkInfo structure
> i can show LocalBasePath. This looks like:
>> 20 lelong&2 2
>>> 20 lelong&1 =0
>>>> 76 use lnk-info
>>> 20 lelong&1 =1
>>>> 76 uleshort >0
> #>>>>(76.s+78) use lnk-info
>>>>> (76.s+78) ubelong x
>>>>>> &-8 ubelong x
> #>>>>>>&16 ulelong x \b, LocalBasePathOffset=%#8.8x
>>>>>>> &(&16.l) string x \b, LocalBasePath "%s"
>
> After applying the above mentioned modifications by patch
> file-5.44-msdos-lnk.diff and file-5.44-windows-lnk.diff then the
> duplicates vanish, wrong items are shown with correct values and some
> more details (like program and/or icon names) are also shown. So i
> get now an output like:
>
> AOL.lnk: MS Windows shortcut
> , Item id list present,
> Points to a file or directory,
> Has Relative path,
> Archive,
> ctime=Wed May 5 19:22:00 1999,
> atime=Thu Jul 10 21:00:00 2014,
> mtime=Wed May 5 19:22:00 1999,
> length=86016
> , window=normal,
> IDListSize 0x00a5,
> Root folder
> "20D04FE0-3AEA-1069-A2D8-08002B30309D",
> LocalBasePath
> "C:\Programme\Online-Dienste\AOL\AOLSETUP.EXE"
> Aktenkoffer.lnk: MS Windows shortcut,
> Item id list present,
> Points to a file or directory,
> Has Relative path,
> Read-Only,
> Directory,
> ctime=Tue Jul 23 15:26:10 2019,
> atime=Mon Jul 22 21:00:00 2019,
> mtime=Tue Jul 23 15:26:12 2019,
> length=0
> , window=normal,
> IDListSize 0x00d4,
> Root folder
> "20D04FE0-3AEA-1069-A2D8-08002B30309D",
> LocalBasePath "C:\"
> Autoruns.lnk: MS Windows shortcut
> , Item id list present,
> Points to a file or directory,
> Has Description string,
> Has Relative path,
> Has Working directory,
> Unicoded,
> MachineID NETBIOSNAME1,
> EnableTargetMetadata,
> Archive,
> NeedIndexed,
> ctime=Thu Oct 14 12:09:14 2021,
> atime=Thu Oct 14 12:09:14 2021,
> mtime=Thu Feb 17 18:43:33 2022,
> length=344064
> , window=normal,
> hot key A+CONTROL+ALT,
> IDListSize 0x01a1,
> Root folder
> "20D04FE0-3AEA-1069-A2D8-08002B30309D",
> Volume "C:\",
> LocalBasePath
> "C:\ProgramData\chocolatey\bin\Autoruns64.exe"
> Calculator.lnk: MS Windows shortcut,
> Has Description string,
> Icon number=0,
> Unicoded,
> NoLinkInfo,
> HasEnvironment
> "%windir%\system32\calc.exe",
> PreferEnvironmentPath,
> length=0
> , window=normal
> HerzlichMEDION.lnk: MS Windows shortcut,
> Item id list present,
> Points to a file or directory,
> Has Description string,
> Has Relative path,
> Has Working directory,
> Icon number=0,
> Unicoded,
> HasExpIcon
> "%SystemRoot%\system32\oobe\info\Icon\Medion1.ico",
> MachineID benutzer-628c25,
> Archive,
> ctime=Tue Aug 26 10:44:09 2008,
> atime=Tue Aug 26 10:44:14 2008,
> mtime=Mon Aug 25 23:04:22 2008,
> length=8347
> , window=showmaximized,
> IDListSize 0x01f9,
> Root folder
> "20D04FE0-3AEA-1069-A2D8-08002B30309D",
> Volume "C:\",
> LocalBasePath
> "C:\WINDOWS\system32\oobe\info\Medion Offlineseite\
> Herzlich willkommen bei MEDION Deutschland.htm"
> Java (32-Bit).lnk: MS Windows shortcut,
> Item id list present,
> Unicoded,
> DisableKnownFolderTracking,
> length=0
> , window=normal,
> IDListSize 0x0040,
> Root folder
> "26EE0668-A00A-44D7-9371-BEB064C98683"
> Notepad.lnk: MS Windows shortcut,
> Item id list present,
> Points to a file or directory,
> Has Description string,
> Has Relative path,
> Has Working directory,
> Icon number=0,
> Unicoded,
> HasEnvironment
> "%SystemRoot%\system32\notepad.exe",
> MachineID lh-n9iove4y59ds
> KnownFolderID
> 1AC14E77-02E7-4E5D-B744-2EB1AE5198B7,
> Archive,
> NeedIndexed,
> ctime=Thu Nov 2 07:47:59 2006,
> atime=Thu Nov 2 09:38:56 2006,
> mtime=Thu Nov 2 08:45:30 2006,
> length=151040
> , window=normal,
> IDListSize 0x0129,
> Root folder
> "20D04FE0-3AEA-1069-A2D8-08002B30309D",
> Volume "D:\",
> LocalBasePath
> "D:\Windows\System32\notepad.exe"
> SD Card Formatter.lnk: MS Windows shortcut,
> Item id list present,
> Has Relative path,
> Icon number=0,
> Unicoded,
> HasDarwinID
> "n-{tkDZ]6=Tff5IvP8[K>gMc10V5YbA{qx6pXddz4",
> HasExpIcon
> "%SystemRoot%\Installer\
> {D02212EA-E02A-4521-9036-5367734FC66E}\
> NewShortcut1_69C2B9A012C943F8B6BC658D1AC73474.exe",
> length=0
> , window=normal,
> IDListSize 0x0227,
> Root folder
> "20D04FE0-3AEA-1069-A2D8-08002B30309D",
> Volume "C:\"
> StarOffice 5.2.lnk: MS Windows shortcut,
> Item id list present,
> Points to a file or directory,
> Has Relative path,
> Has Working directory, Archive,
> ctime=Mon May 8 02:20:00 2000,
> atime=Sun May 7 21:00:00 2000,
> mtime=Mon May 8 02:20:00 2000,
> length=217088
> , window=normal,
> IDListSize 0x0093,
> Root folder
> "20D04FE0-3AEA-1069-A2D8-08002B30309D",
> LocalBasePath "C:\"
> WinImage (administrator).lnk: MS Windows shortcut,
> Item id list present,
> Points to a file or directory,
> Has Description string,
> Has Relative path,
> Unicoded,
> RunAsUser,
> MachineID NETBIOSNAME2
> KnownFolderID
> 905E63B6-C1BF-494E-B29C-65B732D3D21A,
> Archive,
> ctime=Wed Apr 15 07:00:00 2020,
> atime=Sun Apr 17 10:25:50 2016,
> mtime=Wed Apr 15 07:00:00 2020,
> length=2211432
> , window=normal,
> IDListSize 0x017b,
> Root folder
> "20D04FE0-3AEA-1069-A2D8-08002B30309D",
> Volume "C:\",
> LocalBasePath
> "C:\Program Files\WinImage\winimage.exe"
> YaCy.lnk: MS Windows shortcut,
> Item id list present,
> Points to a file or directory,
> Has Relative path,
> Has Working directory,
> Icon number=0,
> Unicoded,
> HasExpIcon
> "%SystemDrive%\Program Files\YaCy\addon\YaCy.ico",
> MachineID YACY_SEARCH_PC,
> Archive,
> NeedIndexed,
> ctime=Mon Dec 26 13:20:32 2016,
> atime=Sun Dec 10 03:43:47 2017,
> mtime=Mon Dec 26 13:20:32 2016,
> length=2512
> , window=showminnoactive,
> IDListSize 0x0171,
> Root folder
> "20D04FE0-3AEA-1069-A2D8-08002B30309D",
> Volume "C:\",
> LocalBasePath
> "C:\Program Files\YaCy\startYACY.bat"
> obd-1.reg.lnk: MS Windows shortcut,
> Item id list present,
> Points to a file or directory,
> Has Relative path,
> Has Working directory,
> Read-Only,
> Hidden,
> System,
> Directory,
> Archive,
> Reserved2,
> Temporary,
> Compressed,
> Offline,
> NeedIndexed, c
> time=Thu Jun 9 18:15:08 1661,
> atime=Sat Mar 19 21:56:55 -56051,
> mtime=Wed Feb 2 09:36:25 1661,
> length=4435072
> , window=normal,
> IDListSize 0x00ad,
> Root folder
> "20D04FE0-3AEA-1069-A2D8-08002B30309D",
> Volume "C:\",
> LocalBasePath "C:\"
> test-lnk.lnk: MS Windows shortcut,
> Item id list present,
> Points to a file or directory,
> Has Relative path,
> Has Working directory,
> Unicoded,
> MachineID chris-xps,
> EnableTargetMetadata,
> Archive,
> ctime=Fri Sep 12 19:27:17 2008,
> atime=Fri Sep 12 19:27:17 2008,
> mtime=Fri Sep 12 19:27:17 2008,
> length=0
> , window=normal,
> IDListSize 0x00bd,
> Root folder
> "20D04FE0-3AEA-1069-A2D8-08002B30309D",
> Volume "C:\",
> LocalBasePath
> "C:\test\a.txt"
> x-fmt-428-signature-id-262.lnk: MS Windows shortcut
>
> I hope my diff file can be applied in future version of
> file utility.
>
> With best wishes
> Jörg Jenderek
> - --
> Jörg Jenderek
> -----BEGIN PGP SIGNATURE-----
> Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
>
> iF0EARECAB0WIQS5/qNWKD4ASGOJGL+v8rHJQhrU1gUCZDVqKAAKCRCv8rHJQhrU
> 1urrAJ0Ta7snsmjUzuU2fHNf5yztLOwDHQCgr2VjnGdkJqnofbb7r3QBDSZcUAY=
> =m1Qh
> -----END PGP SIGNATURE-----
> <file-5_44-msdos-lnk_diff.DEFANGED-1309><file-5_44-msdos-lnk_diff_sig.DEFANGED-1310><trid-v-lnk.txt.gz><droid-lnk.csv.gz><file-5_44-windows-lnk_diff.DEFANGED-1311><file-5_44-windows-lnk_diff_sig.DEFANGED-1312>--
> File mailing list
> File at astron.com
> https://mailman.astron.com/mailman/listinfo/file
> <sanitizer.log>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 235 bytes
Desc: Message signed with OpenPGP
URL: <https://mailman.astron.com/pipermail/file/attachments/20230417/a49899ad/attachment-0001.asc>
More information about the File
mailing list