Author Topic: feedsdb-ms.trid.xml for Microsoft RSS Feeds Store  (Read 791 times)

jenderek

  • Sr. Member
  • ****
  • Posts: 375
feedsdb-ms.trid.xml for Microsoft RSS Feeds Store
« on: September 14, 2022, 01:25:57 AM »
Hello trid users,

Some days ago i send definition feed-ms.trid.xml for Microsoft Feed with
file name extension FEED-MS. When looking in directory of fond examples or
in parent directories i also found a file with name FeedsStore.feedsdb-ms.
I found such examples on Windows XP, Vista, 8 and 10 systems.

So i run trid utility on my FEEDSDB-MS examples. All are described generic
as "Generic OLE2 / Multistream Compound" by docfile.trid.xml (See appended
output/trid-v-old.txt)

For comparison reason i check these examples by file command utility. When
running file command (version 5.42). Here all examples are also described
generic as OLE 2 Compound Document" (See appended output/file-5.42.txt) and
with mime type application/x-ole-storage (See appended
output/file-i-4.52.txt). It was not able to do sub classification, but it
display directory entry names. So second one apparently seem to start always
with \0055jzdd15lZk1fex02 encoded at UTF-16 string after first directory
entry, which is always "Root Entry". Third and forth directory entries are
names starting with at sign (like @HdLETbARQWABGBPNHPH @AVZfCYDEXQVeDBdNVGK
@CPUBcQBPBYUVFBfFOPY See appended output/file-soft-5.42.txt).

For comparison reason i also run the file format identification utility
DROID ( See https://sourceforge.net/projects/droid/). This identifies all
examples also only generic as "OLE2 Compound Document Format" by PUID
fmt/111.

Because feed-ms are OLE2 Compound container we can inspect such examples by
suited tools like Michal Mutl Structured Storage Viewer for example. There
we see that such examples contain at least 2 steams. One with string with at
sign and the other with name shown by file command. The stream with at-sign
apparently contains relative path with corresponding FEED-MS samples like
<FeedDataCache Path="foo-path">.  This fact is shown in definition inside
global string section by line like:
   <String>FEEDDATACACHE PATH</String>

Furthermore these streams obviously contain dates when to download the feeds
by phrase like <ftLastDownloadTime FILETIME_remainder=
"0x853db1">2022-09-13T04:54:44Z</ftLastDownloadTime>. These facts are shown
in definition inside global string section by lines like:
   <String>FTLASTDOWNLOADTIME FILETIME_REMAINDER</String>
   <String>SCHEDULE</String>

The other stream contains something like message strings encoded as UTF-16
These facts are shown in definition inside global string section by lines
like:
      <String>F'E'E'D'S' 'S'C'H'E'D'U'L'E'S' 'R'E'B'U'I'L'D' 'R'E'Q'U'I'R</String>
      <String>N'E'X'T'T'O'S'Y'N'C</String>

Unfortunately i found no little hint with information about file format. All
site show nearly the same information. On few site is mentioned that
examples are standard OLE documents. These samples are apparently used by
Microsoft Internet Explorer and the newer Microsoft Edge browser. So these
infor mation are found on site about extensions. So this is here expressed
by line like:
   <RefURL>https://www.file-extensions.org/feedsdb-ms-file-extension</RefURL>

After running tridscan to generate definition feedsdb-ms.trid.xml i looked
what XML construct are created and try to understand it. The first XML
construct looked like:
 <Bytes>D0CF11E0A1B11AE1000000000000000000000000000000003E000300FEFF090006000000000000000000000001000000</Bytes>
 <Pos>0</Pos>
This looks like the starting magic of Generic OLE2 / Multistream Compound
files done by docfile.trid.xml. There this looks like:
 <Bytes>D0CF11E0A1B11AE1</Bytes>
 <Pos>0</Pos>

I would like to reduce the XML construct , but i was not able to do this. So
the byte 3E000300 means version 3.62 like reported by file command. And FFFE
sequence means little-endian.  But i have only a dozen of such feed examples
and found no hint of information about file format. So i do not know if this
is always true or just triggered by lucky circumstances. So i keep first XML
construct. The same considerations applies to the other XML constructs.

The second relevant part in Front Block section is construct like:
 <Bytes>000000000000050035006A007A0064006400310035006C005A006B003100660065007800300032004F00620064007000640032006B006F004C00660000000000000000000000380002</Bytes>
 <ASCII> . . . . . . . . 5 . j . z . d . d . 1 . 5 . l . Z . k . 1 . f . e . x . 0 . 2 . O . b . d . p . d . 2 . k . o . L . f . . . . . . . . . . . 8</ASCII>
 <Pos>634</Pos>
That represent the second directory entry name. This is stored at relative
offset 128 of directory. If directory is stored at block starting at offset
512 the 64 entry name is stored at offset 640 (=512+128).

The next relevant part in Front Block section is construct like:

   <Bytes>010000000000004000</Bytes>
   <ASCII> . . . . . . . @</ASCII>
   <Pos>761</Pos>
That represent the third directory entry name. This is stored at relative
offset 256 of directory. If directory is stored at block starting at offset
512 the 64 entry name is stored at offset 768 (=512+256). So we see that
third directory entry name starts with at sign (that is @). Of course there
is no guarantee that directory always start at offset 512.

The definition contain many short nil patterns like:
      <Pattern>
         <Bytes>000000</Bytes>
         <Pos>49</Pos>
      </Pattern>
      <Pattern>
         <Bytes>000000000000</Bytes>
         <Pos>2042</Pos>
      </Pattern>
I assume that this are generated by lucky circumstances. So i delete such
constructs.

The definition contain no mime type. Because feeds are OLE2 documents i
could add generic mime type application/x-ole-storage. But i choose an user
defined one. That is expressed by line like:
   <Mime>application/x-ms-feed</Mime>

With the new trid definition now all my feed store examples are described
now more precisely (see appended output/trid-v-new.txt). TrID definition and
output are stored in archive feedsdb-ms_.zip. I hope that my XML file can be
used in future version of triddefs.

With best wishes
Jörg Jenderek

Mark0

  • Administrator
  • Hero Member
  • *****
  • Posts: 2743
    • Mark0's Home Page
Re: feedsdb-ms.trid.xml for Microsoft RSS Feeds Store
« Reply #1 on: September 19, 2022, 09:13:46 PM »
Scanned another couple of files (from Win 10 and XP) and trimmed the def a bit. Thanks!