Author Topic: updated etl.trid.xml for Window tracing/diagnostic binary log  (Read 784 times)

jenderek

  • Sr. Member
  • ****
  • Posts: 375
updated etl.trid.xml for Window tracing/diagnostic binary log
« on: September 29, 2022, 10:44:05 PM »
Hello trid users,

Some days ago I ran the cleaning tool czkawka found on
https://qarmin.github.io/czkawka/. One menu item concerns bad
extensions. After running the tool I looked in the saved file list
results_bad_extensions.txt for bad extension examples.

One listed extension is ETL. These files were generated by Windows. So I ran the
trid utility on my ETL examples. Many (690 of 758) are described correctly
as "Window tracing/diagnostic binary log" by etl.trid.xml. But dozens of
examples are not recognized. Often examples (recognized or not) are also
described wrongly as "Windows Icon" with file name extension ICO by
bitmap-ico.trid.xml (see appended output/trid-v-old.txt). That is also what
is reported wrongly by the czkawka tool (version 5.0.2).

For comparison reasons I checked these examples with the file command utility. When
running the file command (version 5.43) here, all ETL examples are not
recognized. But samples are misidentified as other types (dBase III DBT,
Apple HFS/HFS+ resource fork, GeoSwath RDF; see appended
output/file-5.43.txt).

For comparison reasons I also ran the file format identification utility
DROID (see https://sourceforge.net/projects/droid/). This does not
recognize the ETL examples.

After running tridscan to update the definition etl.trid.xml I looked at what had
changed and why. Some short patterns inside the front block section
vanished, like:
      <Pattern>
         <Bytes>00</Bytes>
         <Pos>449</Pos>
      </Pattern>
      <Pattern>
         <Bytes>00</Bytes>
         <Pos>451</Pos>
      </Pattern>
      <Pattern>
         <Bytes>00</Bytes>
         <Pos>453</Pos>
      </Pattern>
      <Pattern>
         <Bytes>00</Bytes>
         <Pos>455</Pos>
      </Pattern>
      <Pattern>
         <Bytes>00</Bytes>
         <Pos>457</Pos>
      </Pattern>
      <Pattern>
         <Bytes>00</Bytes>
         <Pos>459</Pos>
      </Pattern>
      <Pattern>
         <Bytes>00</Bytes>
         <Pos>461</Pos>
      </Pattern>
      <Pattern>
         <Bytes>00</Bytes>
         <Pos>463</Pos>
      </Pattern>
      <Pattern>
         <Bytes>FF</Bytes>
         <Pos>767</Pos>
      </Pattern>
      <Pattern>
         <Bytes>FFFFFFFF</Bytes>
         <Pos>884</Pos>
      </Pattern>
      <Pattern>
         <Bytes>FF</Bytes>
         <Pos>999</Pos>
      </Pattern>
      <Pattern>
         <Bytes>FF</Bytes>
         <Pos>1103</Pos>
      </Pattern>
      <Pattern>
         <Bytes>FFFF</Bytes>
         <Pos>1222</Pos>
      </Pattern>
The really characteristic part is the one line inside the global strings section,
like:
   <String>.'E'T'L</String>

According to software analyst Geoff Chappell, after the trace log file header
the names of the logger and the log file are stored as null-terminated
Unicode strings. So ETL files contain near the beginning the byte sequence
.\0e\0t\0l\0\0\0, triggered by the used file name suffix .etl. That is expressed
by the above line. This explanation and related information can be found on the File
Formats Archive Team web site. That is now expressed by a line like:
   <RefURL>http://fileformats.archiveteam.org/wiki/ETL</RefURL>

According to Geoff Chappell the header contains no "magic" pattern. And for the
32-bit and 64-bit forms the header structures are different, also in size.
Also some fields have changed from version to version. So what is described
by etl.trid.xml is the average of all variants and versions. So the danger
appears that the definition becomes too general. So it maybe would be wise
to generate different definitions (at least for 32 and 64 bit).

The current definition contains the generic mime type application/octet-stream.
But according to the website nirsoft.net it has its own mime type. That is
expressed by a line like:
   <Mime>application/etl</Mime>
That is what I found on my systems after I had installed the Windows
Toolkit. Then ETL files are connected via registry as "wpa.etl_file" with
Windows Performance Analyzer wpa.exe.

But unfortunately it is not officially registered at IANA. Oh, Microsoft now
says they have become friends of open source, want to improve user experience
and protect the user with things like secure boot. This is like an illness. They
try to care about the symptoms and not the basic reasons. That is not
surprising when there exist many places inside the Windows system which
are not explained and documented. So they must make high efforts to protect
directories with their virus defender software. This would not be necessary if
things were well documented. Remember, Microsoft is not a welfare
society. It is a company to make money, and in the past it used methods like
the mafia. So why should they have changed their behavior now? So you cannot
trust them, like Putin. The gifts they offered are maybe under the Tolkien motto "a
system to find, bind and bring them all in the darkness to become
slaves". Even if Microsoft would promise not to be evil, this does not
help when an American government like Trump's arises again and forces
Microsoft as an American company by law to give all data to it. The counterpart
in my eyes is Linus Torvalds. He has never tried to make "big"
business. From the beginning he shared his ideas with all people. So be
prepared that you can switch to alternatives when things become worse.

With the updated trid definition most of my ETL examples are now described
(see appended output/trid-v-new.txt). The TrID definition, a few examples and the
output are stored in the archive etl_trid.zip. I hope that my updated XML file
can be used in a future version of triddefs.

Not all ETL samples are recognized. 17 examples are not recognized. But these
seem to be only two examples (EtwRTEventlog-Security.etl, EtwRTDiagLog.etl)
in different directories. I found these examples on a Vista system. All these
examples start with the string rlfs at the beginning and contain no readable
file name. So I do not know if this is triggered by accident or if this is another
"undocumented" feature of Microsoft.

With best wishes
Jörg Jenderek
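
As an added example (not code from the post or from the TrID project), a small Python check of the two pieces of evidence discussed above: the NUL-terminated UTF-16LE log file name behind <String>.'E'T'L</String>, the rlfs prefix of the unrecognized Vista samples, and how little the dropped one-byte patterns discriminate on their own. The sample buffers, the 64-byte header length and the 4096-byte search window are constructed assumptions, not values from real trace logs.

```python
from typing import Optional

# UTF-16LE ".etl" plus its NUL terminator: 2E 00 65 00 74 00 6C 00 00 00, the
# byte run behind the TrID global string <String>.'E'T'L</String>.
ETL_NAME_MARK = ".etl\0".encode("utf-16-le")
RLFS_MAGIC = b"rlfs"  # prefix of the unrecognized Vista samples named in the post

# The context-free one-byte patterns that tridscan dropped (offset -> expected bytes).
WEAK_PATTERNS = {449: b"\x00", 451: b"\x00", 453: b"\x00", 455: b"\x00",
                 457: b"\x00", 459: b"\x00", 461: b"\x00", 463: b"\x00",
                 767: b"\xff", 884: b"\xff\xff\xff\xff", 999: b"\xff",
                 1103: b"\xff", 1222: b"\xff\xff"}

def weak_patterns_match(data: bytes) -> bool:
    """True when every weak pattern is present; alone this says little about the type."""
    return all(data[pos:pos + len(b)] == b for pos, b in WEAK_PATTERNS.items())

def find_etl_name(data: bytes, window: int = 4096) -> Optional[str]:
    """Return the NUL-terminated UTF-16LE log file name ending in .etl, if present."""
    # Only the first `window` bytes are searched, since the logger and log file
    # names follow the fixed header. bytes.lower() makes the match case-insensitive.
    idx = data[:window].lower().find(ETL_NAME_MARK)
    if idx < 0 or idx % 2:  # no hit, or hit not aligned to a UTF-16 code unit
        return None
    start = idx
    while start >= 2 and data[start - 2:start] != b"\x00\x00":
        start -= 2  # walk back to the previous string's terminator (or offset 0)
    return data[start:idx + len(ETL_NAME_MARK) - 2].decode("utf-16-le")

def classify(data: bytes) -> str:
    if find_etl_name(data) is not None:
        return "etl (log file name found)"
    if data.startswith(RLFS_MAGIC):
        return "etl? (rlfs variant without readable file name)"
    return "unknown"

# Constructed samples, not real trace logs; HEADER_LEN is an assumed header size.
HEADER_LEN = 64
ETL_SAMPLE = (b"\x00" * HEADER_LEN + "NT Kernel Logger\0".encode("utf-16-le")
              + "C:\\Temp\\trace.etl\0".encode("utf-16-le")).ljust(1300, b"\x00")
RLFS_SAMPLE = RLFS_MAGIC.ljust(1300, b"\x00")
BLANK = bytearray(1300)  # zero-filled, so every 00 pattern already holds...
for pos, b in WEAK_PATTERNS.items():
    BLANK[pos:pos + len(b)] = b  # ...and the FF patterns too after stuffing them in
BLANK = bytes(BLANK)

if __name__ == "__main__":
    for label, sample in ("etl", ETL_SAMPLE), ("rlfs", RLFS_SAMPLE), ("blank", BLANK):
        print(label, classify(sample), "weak patterns:", weak_patterns_match(sample))
```

The zero-stuffed BLANK buffer satisfies all thirteen weak patterns yet carries no file name, which is why the string evidence, not the scattered 00/FF bytes, is what identifies the type.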


Mark0

  • Administrator
  • Hero Member
  • *****
  • Posts: 2731
    • Mark0's Home Page
Re: updated etl.trid.xml for Window tracing/diagnostic binary log
« Reply #1 on: September 30, 2022, 04:51:24 PM »
Thanks for the updated def!