author | Christos Zoulas <christos@zoulas.com> | 2019-11-18 03:11:20 +0000 |
committer | Christos Zoulas <christos@zoulas.com> | 2019-11-18 03:11:20 +0000 |
commit | 4020d6819dd155ab2780ce6daa9e18e76621a190 (patch) | |
tree | 0e245f7540f89c0fcb22ac328a889408a7d9c8e7 | |
parent | 5ad78c726bb03e0fbdb6d237ef2b13e51968ffea (diff) | |
download | file-git-4020d6819dd155ab2780ce6daa9e18e76621a190.tar.gz |
Recognize windows BOOTSTAT.DAT files. (Joerg Jenderek)
-rw-r--r-- | magic/Magdir/windows | 90 |
1 files changed, 89 insertions, 1 deletions
diff --git a/magic/Magdir/windows b/magic/Magdir/windows
index 7657e073..812ae1a8 100644
--- a/magic/Magdir/windows
+++ b/magic/Magdir/windows
@@ -1,6 +1,6 @@
 #------------------------------------------------------------------------------
-# $File: windows,v 1.28 2019/11/15 21:03:14 christos Exp $
+# $File: windows,v 1.29 2019/11/18 03:11:20 christos Exp $
 # windows: file(1) magic for Microsoft Windows
 #
 # This file is mainly reserved for files where programs
@@ -119,6 +119,94 @@
 # 3rd BLOB
 >>0x480 string >\0 \b, type %-3.8s
+# Summary: Windows boot status log BOOTSTAT.DAT
+# From: Joerg Jenderek
+# Reference: https://www.geoffchappell.com/notes/windows/boot/bsd.htm
+# Note: mainly refers to older Windows Vista, sometimes
+# BOOTSTAT.DAT only contains nulls or invalid data
+# checking for valid version below 5
+0 ulelong <5
+# skip many ISO images by checking for valid 64 KiB file size
+>8 ulelong =0x00010000
+>>0 use bootstat-dat
+# display information of BOOTSTAT.DAT
+0 name bootstat-dat
+>0 ulelong x Windows boot log
+#!:mime application/octet-stream
+!:mime application/x-ms-dat
+# BOOTSTAT.DAT in BOOT subdirectory
+!:ext dat
+# apparently a version number: 2 for older like Vista, 3, 4 Windows 10
+>0 ulelong >2 \b, version %u
+# apparently the size of the header: often 10h in older Windows, 14h, 18h
+>4 ulelong !0x10 \b, header size 0x%x
+#>4 ulelong !0x10 \b, header size %u
+# apparently the size of the file: always 0x00010000~64KiB
+# the file is acceptable to BOOTMGR only if it is exactly 64 KiB
+>8 ulelong !0x00010000 \b, file size 0x%x
+# size of valid data, in bytes: C8h 50h 172h 5D5Ch
+>0xc ulelong x \b, 0x%x valid bytes
+# skip header and jump to first bootstat entry and display information
+>(0x4.l-1) ubyte x
+>>&0 use bootstat-entry
+# jump to first entry again because pointer are bad after "use"
+>(0x4.l-1) ubyte x
+# by 1st entry size jump to 2nd entry and display information
+>>&(&0x18.l-1) ubyte x
+>>>&0 use bootstat-entry
+# jump to possible 3rd boot entry and display information
+# >(0x4.l-1) ubyte x
+# >>&(&0x18.l-1) ubyte x
+# >>>&(&0x18.l-1) ubyte x
+# >>>>&0 use bootstat-entry
+# display BOOTSTAT.DAT entry
+0 name bootstat-entry
+#>0x00 ubequad x \b, ENTRY %16.16llx
+# size of entry, in bytes: 40h(init) 78h(launced) 9Ch
+#>0x18 ulelong x \b; entry size %u
+>0x18 ulelong x \b; entry size 0x%x
+# time stamp, in seconds
+>0x00 ulelong x \b, 0x%x seconds
+# always zero, significance unknown
+>0x04 ulelong !0 \b, not null %u
+# GUID of event source; but empty if event source is BOOTMGR
+>0x08 ubequad !0 \b, GUID 0x%16.16llx
+>>0x10 ubequad x \b%16.16llx
+# severity code: 1~informational 3~errors
+>0x1C ulelong !1 \b, severity 0x%x
+# apparently a version number: 2
+>0x20 ulelong !2 \b, version %u
+# event identifier 1~log file initialised 11h~boot application launched
+#>0x24 ulelong x \b, event 0x%x
+>0x24 ulelong !1
+>>0x24 ulelong !0x11 \b, event 0x%x
+# entry data; size depends on event identifier
+#>0x28 ubequad x \b, data 0x%16.16llx
+>0x24 ulelong =0x1 \b, Init
+# always 0, significance unknown
+>>0x34 uleshort !0 \b, not null %u
+# always 7, significance unknown
+>>0x36 uleshort !7 \b, not seven %u
+# year
+>>0x28 uleshort x %u
+# month
+>>0x2A uleshort x \b-%u
+# day
+>>0x2C uleshort x \b-%u
+# hour
+>>0x2E uleshort x %u
+# minute
+>>0x30 uleshort x \b:%u
+# second
+>>0x32 uleshort x \b:%u
+# boot application launched
+>0x24 ulelong =0x11 \b, launched
+# type of start: 0 normally, 1 or 2 maybe in a recovery sequence
+>>0x38 uleshort !0 \b, type %u
+# pathname of boot application, as null-terminated Unicode string; typically
+# \Windows\system32\winload.exe \Windows\system32\winload.efi
+>>0x3C lestring16 x %s
+
 # Summary: Windows Error Report text files
 # URL: https://en.wikipedia.org/wiki/Windows_Error_Reporting
 # Reference: https://www.nirsoft.net/utils/app_crash_view.html
|
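Review bot: The top-level signature in the second hunk is thin — `0 ulelong <5` followed by `>8 ulelong =0x00010000` accepts any file whose first dword is 0..4 and whose dword at offset 8 is 0x10000, after which `bootstat-dat` uses the unvalidated header size at offset 4 as an indirect offset (`>(0x4.l-1) ubyte x`) and the entry size at 0x18 the same way. As far as I know file(1) bounds-checks indirect offsets against the buffer, so this is a false-positive and garbage-output concern rather than a memory-safety one, but a header size of 0 makes `0x4.l-1` wrap negative and the two `use bootstat-entry` lines then describe whatever bytes happen to sit there. Since the comments already document the observed header sizes (10h, 14h, 18h), bounding the field before dispatching would tighten the match, e.g. `>>4 ulelong >0xf` / `>>>4 ulelong <0x100` / `>>>>0 use bootstat-dat` (the upper bound is an example value; the existing `>>0 use bootstat-dat` moves one level deeper). The version comparison `>0 ulelong >2 \b, version %u` silently hides version 2 and lower while the Summary comment says 2 is the common Vista value, which is worth a one-line comment explaining that choice. Separately, the comments carry the typos `launced` and `pointer are bad`.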