Author Topic: updated msm.trid.xml for Windows Installer Merge Module *.msm  (Read 247 times)


Hello trid users,

Some days ago I ran trid on Windows Installer Merge Modules (*.msm). Many
are not recognized as "Windows Installer Merge Module" by msm.trid.xml.
Instead, these samples are described as "Microsoft Windows Installer" by
msi.trid.xml. (See appended output/trid-v-old.txt.)

For comparison, I ran other file-identifying tools. The newest file(1)
command also has difficulties and was not able to distinguish between
Windows Installer MSI, MSM and PCP. (See appended output/file-new.txt.)

The page about Windows Installer on Wikipedia mentions that MSM samples are
used as merge modules. So instead of the global Microsoft page I now use this site
as the reference URL. This is now expressed by a reference URL line like:
Furthermore, I added a user-defined MIME type. That is expressed by a line like:

After running tridscan on unrecognized samples, many long sentences in the
global string section now vanish, like:
Furthermore, I also deleted phrases that make no sense, like:
   <String>FOR W</String>

With the updated trid definitions all my inspected MSM samples are now
recognized, but often the MSI description still comes first. (See appended
output/trid-new-v.txt.) So probably the trid definition for MSI also needs some
refinements, but I do not know which phrases are required keywords and which
are optional. Furthermore, a trid definition for Windows Installer PCP is
missing. I will try to do this work. Furthermore, there seems to exist an MSM
variant which is not based on Generic OLE2, but seems to use the CAB format
as container. I will try to look for these examples.

The TrID definition, some examples and output are stored in archive I
hope that my updated XML file can be used in a future version of triddefs.

With best wishes
Jörg Jenderek


Re: updated msm.trid.xml for Windows Installer Merge Module *.msm
« Reply #1 on: April 24, 2020, 04:10:01 PM »
They are indeed all very similar formats. We'll see.
Thanks for the updated def!