Author Topic: feed-ms.trid.xml for Microsoft Feed  (Read 784 times)

jenderek

feed-ms.trid.xml for Microsoft Feed
« on: September 08, 2022, 03:44:01 AM »
Hello trid users,

Some days ago I ran the cleaning tool czkawka, found at
https://qarmin.github.io/czkawka/. One menu item concerns bad
extensions. After running the tool I looked in the saved file list
results_bad_extensions.txt for bad extension examples.

One listed extension is FEED-MS. I found such examples on Windows Vista, 8
and 10 systems in the Microsoft\Feeds subdirectory inside the user appdata
directory.

So I ran the trid utility on my FEED-MS examples. All are described
generically as "Generic OLE2 / Multistream Compound" by docfile.trid.xml
(see appended output/trid-v-old.txt).

For comparison I checked these examples with the file command utility
(version 5.42). Here all examples are also described generically as
"OLE 2 Compound Document" (see appended output/file-5.42.txt) and
with MIME type application/x-ole-storage (see appended
output/file-i-4.52.txt). It was not able to do sub-classification, but it
displays directory entry names. The second one apparently always seems to
start with \005H10ieaqpSce2uo4b, encoded as a UTF-16 string, after the first
directory entry, which is always "Root Entry".

For comparison I also ran the file format identification utility
DROID (see https://sourceforge.net/projects/droid/). This also identifies
all examples only generically as "OLE2 Compound Document Format" by PUID
fmt/111 (see appended output/droid-feed-ms.csv).

Because feed-ms files are OLE2 Compound containers we can inspect such
examples with suitable tools like Michal Mutl's Structured Storage Viewer,
for example. There we see that such examples contain at least 2 streams. One
with class id {00446B67-527C-4E10-9D0F-E5CBBC72428E} and the other with the
name shown by the file command. In both streams something like a URL is
stored. Following this, an XML-based file is downloaded. Apparently the file
is something like an RSS feed. Unfortunately I found not the slightest hint
of information about the file format. When searching for information I get
only bla-bla text like "you must click on the green plant icon to get the
cabanas kick". So for all the people admiring Windows, you do not know what
it is doing in the background and where information is stored. That is the
really bad aspect of proprietary software. So I was not able to add a
reference URL to the TrID definition.

After running tridscan to generate the definition feed-ms.trid.xml I looked
at what XML constructs were created and tried to understand them. The first
XML construct looked like:
 <Pattern>
   <Bytes>D0CF11E0A1B11AE1000000000000000000000000000000003E000400FEFF0C000600000000000000</Bytes>
   <Pos>0</Pos>
 </Pattern>
This looks like the starting magic of Generic OLE2 / Multistream Compound
files as done by docfile.trid.xml. There it looks like:
 <Pattern>
   <Bytes>D0CF11E0A1B11AE1</Bytes>
   <Pos>0</Pos>
 </Pattern>
I would like to reduce the XML construct, but I was not able to do this. So
the bytes 3E000400 mean version 4.62 as reported by the file command. And the
FFFE sequence means little-endian.
But I have only a dozen such feed examples and found no hint of
information about the file format. So I do not know if this is always true or
just triggered by lucky circumstances. So I keep the first XML construct.
The same considerations apply to the other XML constructs.

The relevant parts are 2 lines in the global strings section like:
 <String>H'1'0'I'E'A'Q'P'S'C'E'2'U'O'4'B'F'5'S'Z'L'Z'J'I'O'E'''''''''''8</String>
 <String>H'T'T'P</String>

The first describes the name of the embedded stream (the last 63
characters). And the second that embedded is data with an http URL pointing
to the feed itself for downloading or viewing.

The definition contains no MIME type. Because feeds are OLE2 documents I
could add the generic MIME type application/x-ole-storage. But I chose a
user-defined one. That is expressed by a line like:
   <Mime>application/x-ms-feed</Mime>

With the new trid definition all my feed examples are now described more
precisely (see appended output/trid-v-new.txt). The TrID definition and
output are stored in the archive feed-ms_.zip. I hope that my XML file can
be used in a future version of triddefs.

With best wishes
Jörg Jenderek
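
Added example, not part of the original post or of TrID: a Python version of the check the post describes, reading the OLE2 header fields seen in the tridscan pattern and then the directory entry names that the file command prints. The function names, the `build_sample` test file and the `EXAMPLE` name tail are assumptions made for illustration, and only the first directory sector is read.

```python
import struct

MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
# Name prefix that file(1) printed for the second directory entry (from the post).
FEED_PREFIX = "\x05H10ieaqpSce2uo4b".lower()

def parse_cfb(data):
    """Read the OLE2 header and the names in the first directory sector only."""
    if len(data) < 52 or data[:8] != MAGIC:
        raise ValueError("not an OLE2 compound file")
    minor, major, bom, shift = struct.unpack_from("<HHHH", data, 24)
    if bom != 0xFFFE or shift not in (9, 12):
        raise ValueError("unexpected byte order or sector size")
    (dir_sector,) = struct.unpack_from("<I", data, 48)
    base = (dir_sector + 1) << shift          # sector 0 starts after the header sector
    end = min(base + (1 << shift), len(data))
    names = []
    for off in range(base, end - 127, 128):   # 128-byte directory entries
        name_len, obj_type = struct.unpack_from("<HB", data, off + 64)
        if obj_type == 0 or not 2 <= name_len <= 64:
            continue                          # unused or malformed entry
        names.append(data[off:off + name_len - 2].decode("utf-16-le", "replace"))
    return {"version": (major, minor), "sector_size": 1 << shift, "names": names}

def looks_like_feed_ms(data):
    """Apply the post's observation: 'Root Entry' first, then the \\005H10... entry."""
    names = parse_cfb(data)["names"]
    return (len(names) >= 2 and names[0] == "Root Entry"
            and names[1].lower().startswith(FEED_PREFIX))

def _entry(name, obj_type):
    """Pack one 128-byte directory entry: name, name length in bytes, object type."""
    raw = (name + "\0").encode("utf-16-le")
    return struct.pack("<64sHB61x", raw, len(raw), obj_type)

def build_sample(second_name):
    """Constructed two-sector file using the header values from the tridscan pattern."""
    header = struct.pack("<8s16xHHHHH6x", MAGIC, 0x3E, 4, 0xFFFE, 12, 6)
    header += struct.pack("<III", 1, 1, 0)    # sector counts, first directory sector = 0
    directory = _entry("Root Entry", 5) + _entry(second_name, 2)
    return header.ljust(4096, b"\0") + directory.ljust(4096, b"\0")

if __name__ == "__main__":
    # Constructed names: the tail after the prefix is a placeholder, not from a real file.
    feed = build_sample("\x05H10ieaqpSce2uo4bEXAMPLE")
    other = build_sample("WordDocument")
    print(parse_cfb(feed)["version"], looks_like_feed_ms(feed), looks_like_feed_ms(other))
```

Matching on the directory entry name ties the identification to the container's structure instead of to fixed byte offsets, which is useful when only a dozen samples are available.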

Mark0

Re: feed-ms.trid.xml for Microsoft Feed
« Reply #1 on: September 11, 2022, 03:26:50 PM »
Thanks!