Author Topic: TrID replace/variants ark-cab-*themepack.trid.xml for Windows desktop theme pack  (Read 4320 times)

jenderek

When I run TrID on Windows desktop theme packages *themepack, some like
"TGS Black.themepack" are identified too generally as "Microsoft Cabinet
Archive" (see appended output/trid-old.txt).

First I thought to update themepack.trid.xml, but when looking in this
file there exists only one pattern like:

   <Bytes>4D53434600000000</Bytes>
   <ASCII> M S C F</ASCII>
   <Pos>0</Pos>

These are the start bytes of a cabinet. At offset 24 of the cabinet file
the format version is stored. Currently there is only versionMajor = 1 and
versionMinor = 3. So the byte sequence 0301h should occur as a pattern.

For identifying, such a single pattern is sufficient, but if you want to do
some deeper inspection, additional information is lost. That is not a
problem if an official or complete file specification exists. Unfortunately
this is not the case. There exists the Microsoft Cabinet Format, found at
https://msdn.microsoft.com/en-us/library/bb267310.aspx .
And the Theme File Format is described at
https://msdn.microsoft.com/en-us/library/windows/desktop/bb773190(v=vs.85).aspx
There it is only mentioned that theme packs are cabinet archives.
Nothing is written about the compression method used, the ID, etc.

The old reference link
http://windows.microsoft.com/en-US/windows/downloads/personalize is
dead and now redirects to something called "Downloads for Windows". So the
above theme site is the best match and is therefore now used by the XML line:
   <RefURL>
https://msdn.microsoft.com/en-us/library/windows/desktop/bb773190(v=vs.85).aspx
   </RefURL>

If you do not build theme packs with the Windows Personalization Control
Panel, because you are running Linux with the WINE emulator for example,
you need additional information or exact identification to create a
compatible package.

So I decided to start a replacement definition by running tridscan and
finally generated ark-cab-themepack.trid.xml.

On the site concerning themes, besides the JPEG format other image
formats like "PNG" are also mentioned for images. So I created a valid
example j-them.deskthemepack with only a PNG image as wallpaper. This file
is not recognized as a Windows theme, because the following line in the
global string section is now wrong here:
   <String>.JPG</String>

Later I also found packages like "TGS Black.themepack" which contain
only a theme text file and no images. Because the wallpaper is now missing,
the following line must also be removed in the global section:
   <String>DESKTOPBACKGROUND</String>
and only 1 line in the section is left:
   <String>.THEME</String>

These facts can be verified by looking at the output of the 7-Zip console
unpacking tool with the list command (see output/7z-l.txt).

At offset 30 the cabinet archive flag is stored as a short little endian
value. Values 1 and 2 are used for additional header bytes for
building cabinet chains (for example PRECOPY1.CAB -> PRECOPY2.CAB ->
PRECOPY3.CAB). Obviously this is not used for theme packs. Value 4 is
used to reserve additional bytes in the header for something like
signatures. So this feature was implemented but apparently never used
in such cabinets. So for Windows theme packs the flag value is apparently
always 0.
At offset 32 setID is stored as a short little endian. This value is
apparently always 0.
iCabinet at offset 34 is the number of the cabinet file in a set, where 0 is
used for the first cabinet. So for the examples this seems to be always 0.
These 3 facts are now expressed by the 4th XML construct:
   <Pattern>
      <Bytes>000000000000</Bytes>
      <Pos>30</Pos>
   </Pattern>

Reserved areas have 0 values. So the second pattern for reserved2 is
expressed by the second XML construct:
   <Pattern>
      <Bytes>00000000</Bytes>
      <Pos>12</Pos>
   </Pattern>
So the third pattern with reserved3 and version is now expressed by the XML
construct:
   <Pattern>
      <Bytes>000000000301</Bytes>
      <Pos>20</Pos>
   </Pattern>
The number of CFFOLDER entries is low. This was expressed by the XML
construct:
   <Pattern>
      <Bytes>00</Bytes>
      <Pos>27</Pos>
   </Pattern>
But maybe this is not always true, especially if the archive gets bigger.
So I removed that pattern.

At position 36 the long offset of the 1st CFDATA block (following the file
entry) is stored as "coffCabStart". If the archive contains only some
members, then the number of CFFILE structures is low and the offset is not
so high. This was expressed by:
   <Pattern>
      <Bytes>0000</Bytes>
      <Pos>38</Pos>
   </Pattern>
This must become false if the archive contains many members. So I removed
that pattern.

Following is the number of CFDATA blocks in the folder as short "cCFData" at
position 40. Often this is low when the archive contains only few and small
members. So I removed that pattern part. At position 42 the compression type
indicator is stored as short "typeCompress". 0315h means compression LZX:21.
This is expressed now by the XML construct:
   <Pattern>
      <Bytes>0315</Bytes>
      <Pos>42</Pos>
   </Pattern>

If there is only 1 cFolders, then at position 44 the CFFILE structure starts
with the uncompressed size of the file as long "cbFile". If the member is
small then this value is low. But if the member is big, that value grows. So
you cannot rely on such null bytes. So I removed the pattern:
   <Pattern>
      <Bytes>00</Bytes>
      <Pos>47</Pos>
   </Pattern>

At position 48 the uncompressed byte offset of the start of data is stored
as long "uoffFolderStart" if there is only 1 cFolders. If there is more than
one cFolders, then it is the number of CFDATA blocks in the second folder.
If small then this value is low. But if it is big, that value grows. So you
cannot rely on such null bytes. So I removed the pattern:
   <Pattern>
      <Bytes>00</Bytes>
      <Pos>49</Pos>
   </Pattern>

In the old output we got something like:
   74.6% (.THEMEPACK/DESKTHEMEPACK) Windows Theme Pack (23500/1/4)
   25.3% (.CAB) Microsoft Cabinet Archive (8000/1)
which looks to the user at first glance like
   49.9% (.PI2) DEGAS med-res bitmap (2000/1)
   25.0% (.ABR) Adobe PhotoShop Brush (1002/3)
where trid offers more file types and the user must do further inspection to
decide what is true.

But in reality theme packages are just cab archives with theme files. So
this is easily visible for users when using the replacement
ark-cab-themepack.trid.xml with a new description like:
   57.9% (.DESKTHEMEPACK/THEMEPACK) Windows desktop theme package (Cabinet Archive) (11028/9/1)
   42.0% (.CAB) Microsoft Cabinet Archive (8000/1)
(see appended output/trid-new.txt).

By this trid definition, theme packages suited for Windows 8-10 with
extension ".deskthemepack" and older incompatible packages with extension
"themepack" for Windows 7 are now detected. So I mention this fact in the
remark line.

But finally I was able to create ark-cab-deskthemepack.trid.xml for some
newer packages with extension ".deskthemepack".

This behaviour for newer themes is not documented by Microsoft but described
on another website for such theme files. So I changed the reference URL here
by the XML line:
   <RefURL>
http://www.drewkeller.com/content/using-theme-both-windows-7-and-windows-8
   </RefURL>

There the difference is mentioned. Windows 8 has the ability to use a
panoramic image. When looking on the Microsoft website for "Panoramic (dual
monitor)" Windows themes we land at a URL like:
   https://support.microsoft.com/en-us/help/14022
There official downloads with "deskthemepack" extensions are offered.

When looking at the output of the 7-Zip console unpacking tool with the list
command (see Panoram/output/7z-l.txt) we see high resolution JPEG images are
used as wallpaper. So in the global section lines again appear like:
   <String>.JPG</String>
   <String>DESKTOPBACKGROUND</String>

It is also seen that the first cabinet archive member is the text file
"Panoramas.theme" or "Panoramic.theme". This gives an additional
distinguishing line in the global string section:
   <String>PANORAM</String>

Finally I changed and deleted patterns at fixed offsets in the same manner in
the second XML file and summarized the observed facts by the remark line:
   <Rem>
CABinet with LZX:21 compression, ID 0, panoram{as,ic}.theme and
panorama JPEG image only suited for Windows 8-10
   </Rem>

With the second trid definition file many *.deskthemepack examples are more
precisely described as "Windows 8-10 desktop theme package (Cabinet
Archive)". See appended Panoram/output/trid-new.txt.

The TrID definitions, some examples and output are stored in the archive
theme_cab.zip. I hope that my 2 XML files can be used in a future version of
triddefs.

With best wishes
Jörg Jenderek
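
Added example, not part of the original post or of TrID: a Python example that decodes the cabinet header fields discussed in the post above and checks the four fixed-offset patterns the post keeps (offsets 12, 20, 30 and 42). The names `inspect_cab`, `sample_header` and `KEPT_PATTERNS` and the sample header bytes are constructed for illustration; the field layout follows the Microsoft Cabinet Format that the post references.

```python
import struct

CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")  # fixed 36-byte part of the cabinet header
CFFOLDER = struct.Struct("<IHH")             # coffCabStart, cCFData, typeCompress
METHODS = {0: "none", 1: "MSZIP", 2: "Quantum", 3: "LZX"}
# (offset, hex bytes) pairs kept in the post's definition
KEPT_PATTERNS = [(12, "00000000"), (20, "000000000301"),
                 (30, "000000000000"), (42, "0315")]

def inspect_cab(data):
    """Decode the header fields named in the post and test its kept patterns."""
    if len(data) < CFHEADER.size + CFFOLDER.size:
        raise ValueError("too short for CFHEADER plus one CFFOLDER")
    (sig, _res1, _cb_cabinet, _res2, _coff_files, _res3, ver_minor, ver_major,
     c_folders, c_files, flags, set_id, i_cabinet) = CFHEADER.unpack_from(data)
    if sig != b"MSCF":
        raise ValueError("missing MSCF signature")
    info = {"version": (ver_major, ver_minor), "cFolders": c_folders,
            "cFiles": c_files, "flags": flags, "setID": set_id,
            "iCabinet": i_cabinet, "compression": None}
    # Flag bits 1, 2 and 4 insert extra header bytes, so the first CFFOLDER
    # sits at offset 36 only when none of them is set.
    if flags & 0x0007 == 0:
        _coff, _ccfdata, type_compress = CFFOLDER.unpack_from(data, 36)
        method = METHODS.get(type_compress & 0x000F, "unknown")
        window = (type_compress >> 8) & 0x1F   # LZX window size exponent
        info["compression"] = f"{method}:{window}" if method == "LZX" else method
    info["patterns_match"] = all(
        data[pos:pos + len(hexstr) // 2] == bytes.fromhex(hexstr)
        for pos, hexstr in KEPT_PATTERNS)
    return info

def sample_header(flags=0, set_id=0, type_compress=0x1503):
    """Constructed 44-byte header (not taken from a real theme pack)."""
    head = CFHEADER.pack(b"MSCF", 0, 4096, 0, 44, 0, 3, 1, 1, 1, flags, set_id, 0)
    return head + CFFOLDER.pack(96, 1, type_compress)

if __name__ == "__main__":
    print(inspect_cab(sample_header()))                      # LZX:21, patterns match
    print(inspect_cab(sample_header(type_compress=0x0001)))  # MSZIP cabinet, no match
```

A cabinet that fails `patterns_match` can still be a valid archive; the check only mirrors the narrowing the definition applies on top of the `MSCF` signature.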

Mark0

Thanks for the new defs.
I will probably rename them to themepack.trid.xml (to replace the old one) and deskthemepack.trid.xml.