Hello trid users,
some days ago i run Piriform ccleaner to scan my registry. It complains
about application provtool.exe. The supported types have file name extension
ppkg. This is registered for Microsoft.ProvTool.Provisioning.1. That are
Microsoft Windows provisioning packages. Such packages can be created by
Windows Imaging and Configuration Designer icd.exe. That tool is part of
Windows 10 Assessment and Deployment Kit. Usually such samples are found in
Packages sub directory inside Provisioning sub directory in modern Windows
directory.
All samples are described generically by wim.trid.xml as "Windows Imaging
Format (generic)" (see appended output/trid-v.txt).
Unfortunately the documentation from Microsoft about Windows provisioning
package does not mention or explain the used ppkg file format. On web site
on deploymentresearch with title "Beyond Basic Windows 10 Provisioning
Packages" by Johan Arwidmark is mentioned that the WIM file format is used
for Windows provisioning package. That information is also linked on file
formats archive team web site. That is used as reference inside new trid
definition by line like:
<RefURL>
http://fileformats.archiveteam.org/wiki/Windows_Imaging_Format</RefURL>
In consequence that means that PPKG samples can also be opened by Microsoft
tools ImageX and DISM. The samples can also be handled by wimlib tools and
7-Zip packing tool.
For comparison reasons i also run other identifying tools on such
examples. The file command identifies all examples "Windows imaging (WIM)
image" with version "1.13" and as "XPRESS" compressed and "reparse point
fixup" (see appended output/file-5.39.txt). I do not know if this is always
true or just triggered by lucky circumstances. These facts are observed for
very old samples from October 2015 and up-to-date examples from September
2020. The file command also displays correct mime type (see appended
output/file-i-5.39.txt). So i add this to trid definition. That is expressed
by additional line like:
<Mime>application/x-ms-wim</Mime>
So i run tridscan on my samples and i generate trid definition file
wim-ppkg.trid.xml. All samples still start with characteristic WIM magic.
That is expressed by XML construct like:
<Bytes>4D5357494D000000D0000000000D01008200020000800000</Bytes>
<ASCII> M S W I M</ASCII>
<Pos>0</Pos>
So WIM tools like 7z can list the file contents, when forcing to use WIM
file type by -twim option (See appended output/7z-l.txt). So i see always
directories Multivariant and CommonSettings. All my packages contain the
file RunTime.xml. These things are expressed inside global string sections
by lines like:
<String>MULTIVARIANT</String>
<String>COMMONSETTINGS</String>
<String>RUNTIME.XML</String>
Furthermore i updated the generic trid definition file wim.trid.xml. So i
add also extension PPKG. Instead of web page on Wikipedia i use web page on
on file formats archive team web site as reference URL. There the Wikipedia
page is also mentioned as link.
Furthermore there the file name extension WIM2 is also mentioned. Normally
for splited WIM images the file name extension SWM is used. But who does not
obey to that rule. Yes you guess it right. It is Microsoft! The second disk
image part created by Microsoft's recovery drive creating tool
RecoveryDrive.exe has name Reconstruct.WIM2. And no good explanation or
documentation for that name behavior is found on Microsoft web servers or
other documentation sites. What an annoyance! So i also add WIM2 as file
name extension.
With the updated definitions the unspecific described Windows provisioning
packages are now described correctly (see appended
output/trid-new-v.txt). TrID definition, some examples and output are stored
in archive ppkg.zip. I hope that my 2 XML files can be used in future
version of triddefs.
With best wishes
Jörg Jenderek
