Author Topic: TrID IndexerVolumeGuid.trid.xml for Microsoft Windows search  (Read 4160 times)

jenderek

Hello,

When I mount a virtual disk image inside a Microsoft Windows OS like Windows
8.1, it always creates a directory "System Volume Information" with the file
IndexerVolumeGuid.

My first attempt was to run TrID on these files, but none are recognized
("Unknown!", see appended output/trid-old.txt).

So I started investigating this file type. After some minutes I found
that it is used by Microsoft Windows Search. Apparently indexing can only
be disabled on removable drives by setting DisableRemovableDriveIndexing to 1 in
the registry tree HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search. But
there does not seem to be a way to exclude some drives from indexing. Only
excluding a subdirectory inside an indexed directory is possible.

Damned Microsoft! Still proprietary closed source software or undocumented
features, and digging on every drive with a file system like FAT, thinking it
belongs to their Windows OS. I thought the days of things like Windows 98
annoyances were over, but they still exist today.

What helped me is stopping the index process (that is SearchIndexer.exe in
the system32 subdirectory) completely by stopping Windows Search via the GUI
control panel for services or by the command "net stop wsearch" in an
administrative console.

Unfortunately I found no web site with deeper information about Microsoft
search concerning the GUID in IndexerVolumeGuid. But I found keys like URL
and Path containing the inspected drive and GUID under
HKLM\SOFTWARE\Microsoft\Windows Search\ . But I do not know how the GUID, such
registry keys and the Windows Search software are logically connected. So
I mentioned the observed items in the remark line and concentrated on the file
format of IndexerVolumeGuid.

This contains a GUID as little endian UTF-16 text. So the MIME type is expressed
by the line:
   <Mime>text/plain</Mime>
This is not recognized by the file command because no end of line terminator is
used and the text appears like data.

Luckily the GUID structure is documented. So I added as reference the Wikipedia
site describing these things by the line
   <RefURL>https://en.wikipedia.org/wiki/Universally_unique_identifier</RefURL>

After wasting hours dealing with such GUID stuff I created
IndexerVolumeGuid.trid.xml. I hope that my XML file can be used in a future
version of triddefs to help other people by giving some hints about such files,
so they can make their own decision what to do when they are looking inside
the "System Volume Information" directory.

With the new trid.xml file, IndexerVolumeGuid files are now identified (see
appended output/trid-new.txt). The TrID definition, some examples and output are
stored in the archive IndexerVolumeGuid_.zip

With best wishes
Jörg Jenderek
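
Added example (not part of the original post or of the TrID definition): a Python check for the file format the post describes, a GUID stored as UTF-16 little-endian text with no line terminator. Accepting optional surrounding braces, rejecting a byte order mark, and the sample GUID itself are assumptions constructed for illustration.

```python
import re
import sys
import uuid

# Canonical 8-4-4-4-12 hex GUID text. Surrounding braces are accepted as an
# assumption; the post does not say whether the file stores them.
_GUID_RE = re.compile(
    r"\{?[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?"
)

# Constructed sample content (not taken from a real volume).
SAMPLE = "{3F2504E0-4F89-41D3-9A0C-0305E82C3301}".encode("utf-16-le")


def parse_indexer_volume_guid(data: bytes) -> uuid.UUID:
    """Return the GUID held in IndexerVolumeGuid content or raise ValueError."""
    if len(data) % 2:
        raise ValueError("odd length: not a sequence of UTF-16 code units")
    # GUID characters are ASCII, so every high byte in UTF-16LE is zero.
    # Those zero bytes are why byte-oriented tools classify the file as data.
    # A byte order mark (assumed absent) would also fail this check.
    if any(data[1::2]):
        raise ValueError("non-ASCII code unit: not plain GUID text")
    text = data.decode("utf-16-le")
    # fullmatch rejects anything after the GUID, including CR/LF, matching
    # the post's observation that no end of line terminator is used.
    if not _GUID_RE.fullmatch(text):
        raise ValueError("content is not a single GUID string")
    if text.startswith("{") != text.endswith("}"):
        raise ValueError("unbalanced braces around GUID")
    return uuid.UUID(text.strip("{}"))


if __name__ == "__main__":
    # With a path argument, parse that file; otherwise parse the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            content = fh.read()
    else:
        content = SAMPLE
    print(parse_indexer_volume_guid(content))
```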

Mark0

Re: TrID IndexerVolumeGuid.trid.xml for Microsoft Windows search
« Reply #1 on: July 28, 2017, 01:09:17 PM »
Hi!
Thanks for the def and the info. I'll try to scan some other files of this filetype, but I have the feeling that it won't be "unique" enough.