Author Topic: updated 3; adm.trid.xml etc. for Windows Policy Administrative Template *.adm  (Read 1051 times)

jenderek

updated 3; adm.trid.xml etc. for Windows Policy Administrative Template *.adm

Hello trid users,

Some weeks ago I read in the German computer magazine c't an
interesting article about Microsoft's own Windows file recovery tool
winfr.exe (see https://aka.ms/winfrhelp or
wikipedia.org/wiki/Windows_File_Recovery ). Of interest under the item "file
extension filter list" are the mentioned extensions. The first was the 3 byte
"ADM". So I looked for such "ADM" examples.

When I run TrID on such examples, most are described as "Windows Policy
Administrative Template" by definitions like adm.trid.xml or
adm-rem.trid.xml. But some templates are not described in that way.

One example, common.adm (found inside the Windows 95 poledit kit), was described
as "Unknown!" with the warning message "file seems to be plain text/ASCII" (see
appended ASCII/no-rem/output/trid-old.txt). For comparison I also
ran the file utility (version 5.40). It describes this example similarly as
"ASCII text, with CRLF line terminators". This short example consists of just
3 text lines separated by 2 empty lines like:
   CLASS MACHINE
   CLASS USER
   [strings]

This example should be described by the definition adm.trid.xml. Other examples
of that type contain more lines with optional characteristic keywords. This
was expressed inside the global string section by lines like:
   <String>CLASS MACHINE</String>
   <String>END CATEGORY</String>
   <String>END POLICY</String>
   <String>VALUENAME</String>
   <String>KEYNAME</String>
After updating the definition with tridscan only 1 construct survives. That is now
expressed by one line like:
   <String>CLASS MACHINE</String>
Luckily there still exists one characteristic. All such examples still start
with the upper case word CLASS followed by a space character. That is still expressed
inside the front block section by an XML construct like:
   <Bytes>434C41535320</Bytes>
   <ASCII> C L A S S</ASCII>
   <Pos>0</Pos>

The definition does not contain a mime type construct. Because the ADM
examples are just pure text files, at least the generic mime type "text/plain"
could be used, as done by the file command (see appended
ASCII/no-rem/output/file-i-5.40.txt). There also exist other file types with
the ADM name extension. So I chose a more specific user defined one. That is
now expressed by a line like:
   <Mime>text/x-ms-adm</Mime>

In newer Windows versions the ADM file format is replaced by the ADMX file
format. As a consequence the mentioned reference URL dated from 2007 does not
exist any more. That was expressed by a line like:
   <RefURL>http://support.microsoft.com/kb/228460</RefURL>

I still found on a Microsoft server a page about the Administrative Template File
(ADM) Format. So I could have used this as reference URL, but I found on
Wikipedia a page about Administrative Templates. Because information on
Wikipedia is reliable and more time resistant, I chose that page as
reference. That is now expressed by a line like:
   <RefURL>
   https://en.wikipedia.org/wiki/Administrative_Template
   </RefURL>


Then I found 4 examples that are only described as "Unknown!" (see appended
ASCII/output/trid-old.txt). The file command misidentifies these examples as
"Windows setup INFormation" with the wrong 3 byte extension "inf" (see appended
file-5.40.txt and file-extension-5.40.txt in the ASCII/output directory).

These examples should be identified by the variant adm-rem.trid.xml. The
difference to the first definition is that the examples it describes start with a
comment (remark line) with a semicolon at the beginning of the page. That
characteristic is expressed inside the front block by an XML construct like:
   <Bytes>3B</Bytes>
   <ASCII> ;</ASCII>
   <Pos>0</Pos>

The characteristic described by adm.trid.xml also appears in the second
variant, but later. That was described inside the global string section by lines
like:
   <String>CLASS MACHINE</String>
   <String>END CATEGORY</String>
   <String>END POLICY</String>
   <String>VALUENAME</String>
   <String>KEYNAME</String>

Most examples described by the second definition contain the two word phrase
"CLASS MACHINE". This was expressed by the first line in the global string
section. But a few examples contain instead the two word phrase "CLASS
USER". So after updating the second definition this first line now becomes:
   <String>CLASS</String>


Four examples are only described generically as "Text - UTF-16 (LE) encoded" by
txt-utf-16-le.trid.xml (see appended le16/output/trid-v-old.txt).
The file command describes these examples in a similar way as
"Little-endian UTF-16 Unicode text" and "with CRLF line terminators" (see
appended le16/output/file-5.40.txt).

These examples should be described by the third definition adm-uni.trid.xml with
the additional phrase "(Unicode)". This variant describes ADM text examples with
text encoded as UTF-16 Little Endian. In many other UTF based definitions
that information is written in parentheses like "(UTF-16LE)" or "(UTF-16
LE)" and the file name is like foo-utf16le.trid.xml. To be consistent that
should also be used for this definition in my opinion.

The characteristics are or should be the same as in the other definitions, but
because of the UTF-16 encoding this looks inside the global strings section
like:
   <String>E'N'D' 'C'A'T'E'G'O'R'Y</String>
   <String>E'N'D' 'P'O'L'I'C'Y</String>
   <String>V'A'L'U'E'N'A'M'E</String>
   <String>K'E'Y'N'A'M'E</String>
   <String>M'A'C'H'I'N'E</String>
   <String>C'L'A'S'S</String>

All examples described by the third variant start with the upper case word CLASS
followed by a space character, but encoded as UTF-16 little endian. So this was
expressed in the Front Block section by an XML construct like:
   <Bytes>FFFE43004C004100530053002000</Bytes>
   <ASCII> . . C . L . A . S . S</ASCII>
   <Pos>0</Pos>

So when looking at the UTF encoded examples I found the same problems as for the
ASCII variants. One example conf.adm starts with a comment like:
   ; NetMeeting policy settings

In three examples like AER_3082.ADM the first statement is an "IF"
comparison conditional with a starting line like:
   #if version <= 2

One could create definition variants (Remark and if) like for the ASCII
variants, but here it is possible to refine the definition by running
tridscan. Afterwards in the front block section the first XML construct
becomes like in txt-utf-16-le.trid.xml:
   <Bytes>FFFE</Bytes>
   <Pos>0</Pos>

Together with the lines in the global string section this is probably still unique
enough.

With the three updated TrID definitions all of my inspected ADM examples are now
recognized (see appended trid-new.txt). The TrID definitions and output
are stored in the archive adm_.zip. I hope that the XML files can be used
in a future version of triddefs.

With best wishes
Jörg Jenderek
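As an added example (not the poster's code and not TrID's own matcher), here is a small Python model of how the front block and global string constructs quoted in the post combine for the three ADM variants, run over constructed ADM samples; the sample contents and the utf-16-le encoding of the global strings are my assumptions.

```python
# Added example: a tiny matcher that applies the three ADM definition variants
# the way TrID's front block (fixed bytes at offset 0) and global strings
# (all must occur somewhere) are combined. Samples below are constructed.

DEFINITIONS = [
    # adm.trid.xml: "CLASS " at offset 0; only "CLASS MACHINE" survived tridscan
    ("Windows Policy Administrative Template",
     b"CLASS ", [b"CLASS MACHINE"]),
    # adm-rem.trid.xml: remark ";" at offset 0; first string relaxed to "CLASS"
    ("Windows Policy Administrative Template (with remark)",
     b";", [b"CLASS", b"END CATEGORY", b"END POLICY", b"VALUENAME", b"KEYNAME"]),
    # adm-uni.trid.xml after tridscan: only the BOM FFFE at offset 0, strings UTF-16LE
    ("Windows Policy Administrative Template (UTF-16LE)",
     b"\xff\xfe", [s.encode("utf-16-le") for s in
                   ("END CATEGORY", "END POLICY", "VALUENAME", "KEYNAME", "MACHINE", "CLASS")]),
]


def identify(data: bytes) -> list:
    """Return the names of every definition whose front block and global strings match."""
    return [name for name, front, strings in DEFINITIONS
            if data.startswith(front) and all(s in data for s in strings)]


# Constructed sample: the minimal common.adm layout quoted in the post
COMMON_ADM = b"CLASS MACHINE\r\n\r\nCLASS USER\r\n\r\n[strings]\r\n"

# Constructed sample: remark line first, and CLASS USER instead of CLASS MACHINE
REMARK_ADM = (b"; constructed template\r\nCLASS USER\r\nCATEGORY !!Cat\r\n"
              b'  KEYNAME "Software\\Policies\\Example"\r\n  POLICY !!Pol\r\n'
              b'    VALUENAME "Setting"\r\n  END POLICY\r\nEND CATEGORY\r\n')

# Constructed sample: UTF-16LE with BOM, starting with a "#if version" line
UNICODE_ADM = b"\xff\xfe" + (
    "#if version <= 2\r\nCLASS MACHINE\r\nCATEGORY !!Cat\r\n"
    '  KEYNAME "Software\\Policies\\Example"\r\n  POLICY !!Pol\r\n'
    '    VALUENAME "Setting"\r\n  END POLICY\r\nEND CATEGORY\r\n#endif\r\n'
).encode("utf-16-le")

if __name__ == "__main__":
    for label, sample in (("common.adm", COMMON_ADM), ("remark", REMARK_ADM),
                          ("unicode", UNICODE_ADM)):
        print(label, "->", identify(sample) or ["Unknown!"])
```

An ASCII file that starts with "#if version" instead of "CLASS " or ";" still falls through all three variants, which is the remaining gap the post mentions for the ASCII side.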

Mark0

Thanks Jörg!