Hello TrID users,

Some days ago I ran TrID on Windows Installer Merge Modules (*.msm). Many
are not recognized as "Windows Installer Merge Module" by msm.trid.xml.
Instead these samples are described as "Microsoft Windows Installer" by
msi.trid.xml. (See appended output/trid-v-old.txt.)

For comparison I ran other file identifying tools. The newest file(1)
command also has difficulties and was not able to distinguish between
Windows Installer MSI, MSM and PCP. (See appended output/file-new.txt.)

The Wikipedia page about Windows Installer mentions that MSM samples are
used as merge modules. So instead of the global Microsoft page I now use this
site as the reference URL. This is now expressed by a reference URL line like:
<RefURL>http://en.wikipedia.org/wiki/Windows_Installer</RefURL>

Furthermore I add a user-defined MIME type. That is expressed by a line like:
<Mime>application/x-ms-msm</Mime>

After running tridscan on unrecognized samples, many long sentences in the
global string section now vanish, like:
<String>THE REGISTRY VALUE NAME.PRIMARY KEY</String>
Furthermore I also delete phrases that make no sense, like:
<String>ATION</String>
<String>FOR W</String>

With the updated TrID definitions all my inspected MSM samples are now
recognized, but often the MSI description still comes first. (See appended
output/trid-new-v.txt.) So probably the TrID definition for MSI also needs some
refinements, but I do not know which phrases are required key words and which
are optional. Furthermore, a TrID definition for Windows Installer PCP is
missing. I will try to do this work. Furthermore there seems to exist an MSM
variant which is not based on Generic OLE2, but seems to use the CAB format
as container. I will try to look for these examples.

The TrID definition, some examples and output are stored in the archive msm.zip. I
hope that my updated XML file can be used in a future version of triddefs.

With best wishes
Jörg Jenderek
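
The string pruning described in the post above, as an added example that is not part of the original post and is not TrID or tridscan code: it checks each `<String>` of a definition against a set of samples, marks strings that are not present in every sample, and flags short fragments for manual review. The wrapper elements, the sample bytes, the `MODULESIGNATURE` entry, the `min_len` threshold and the case-insensitive substring matching model are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed definition fragment. Only <String> comes from the post;
# the wrapper element names are assumptions for this example.
DEFINITION = """<TrID><GlobalStrings>
  <String>THE REGISTRY VALUE NAME.PRIMARY KEY</String>
  <String>MODULESIGNATURE</String>
  <String>ATION</String>
  <String>FOR W</String>
</GlobalStrings></TrID>"""

# Constructed sample contents (not real MSM files).
SAMPLES = {
    "a.msm": b"\xd0\xcf\x11\xe0 ModuleSignature The registry value name."
             b"Primary key Installation for Windows",
    "b.msm": b"\xd0\xcf\x11\xe0 ModuleSignature Validation for Win32",
}

def load_strings(xml_text):
    """Return the text of every <String> element in a definition."""
    return [s.text or "" for s in ET.fromstring(xml_text).iter("String")]

def audit(strings, samples, min_len=8):
    """Classify each string as keep, drop (not in every sample) or review."""
    report = {}
    for s in strings:
        # Assumed matching model: case-insensitive substring search.
        needle = s.upper().encode("latin-1")
        missing = sorted(name for name, data in samples.items()
                         if needle not in data.upper())
        if missing:
            report[s] = "drop: absent from " + ", ".join(missing)
        elif len(s) < min_len:
            # min_len is a hypothetical threshold for fragments such as "ATION".
            report[s] = "review: short fragment"
        else:
            report[s] = "keep"
    return report

if __name__ == "__main__":
    for text, verdict in audit(load_strings(DEFINITION), SAMPLES).items():
        print(f"{verdict:32} {text}")
```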