Parsing the Windows shortcut file format
Author: cuick
I have been working on Linux projects for a long time and have not come to the VC knowledge base. I'd like to ask you a good question! Isn't it too late to worship your old age? (I don't mean it's not too late to celebrate the Year August 15!! Hey hey)
Now, down to business. We all know that the IShellLink interface can be used to obtain the various attributes of a shortcut, and there are many articles on how to do that. Here I want to analyze the format of the shortcut file itself and write a parsing program.
For ease of understanding, each section's explanation is followed by the example data for that section of a shortcut, with its interpretation. The shortcut to Windows Media Player on the desktop is used as the example.
I. Overall file structure
II. File Header
For the file header structure, see the following table:
Offset | Size/Type | Description
0h | 1 DWORD | The value is always 4Ch, which is the character "L"
4h | 16 bytes | GUID
① 14h | 1 DWORD | Flags identifying the optional attributes in the shortcut file. The meaning of each bit is explained in a separate table below.
② 18h | 1 DWORD | Attributes of the target file, explained later.
1Ch | 1 QWORD | File creation time
24h | 1 QWORD | File modification time
2Ch | 1 QWORD | Last file access time
34h | 1 DWORD | Target file length
38h | 1 DWORD | Number of custom icons
3Ch | 1 DWORD | Display mode of the target file's window when executed: 1 normal, 2 minimized, 3 maximized
40h | 1 DWORD | Hotkey
44h | 2 DWORD | Purpose unclear; the value is usually 0.
① The flags at offset 14h identify the optional attributes, as shown in the following table:
Bit | Meaning when set to 1
0 | Shell item ID list exists
1 | Points to a file or folder. If this bit is 0, it points to something else.
2 | Description string exists
3 | Relative path exists
4 | Working path exists
5 | Command line parameters exist
6 | Custom icon exists
② The target file attributes at offset 18h:
Bit | Meaning when set to 1
0 | The target file is read-only.
1 | The target file is hidden.
2 | The target file is a system file.
3 | The target is a volume label.
4 | The target is a folder.
5 | The target file has been changed since the last archive.
6 | The target file is encrypted.
7 | The target file's attribute is normal.
8 | The target file is temporary.
9 | The target file is a sparse file.
10 | The target file has reparse point data.
11 | The target file is compressed.
12 | The target file is offline.
Example:
Offset Data Interpretation
0000 4C 00 00 character "L"
0004 01 14 02 00 GUID of the shortcut (fixed value)
     00 00 00 00
     C0 00 00 00
     00 00 00 46
0014 8F 00 00 flags; compare with the flag table:
     shell item ID list exists
     target is a file
     description string exists
     relative path exists
0018 00 00 file attributes; see the attribute table above
001C 40 51 0A 0C file creation time
     AD CB C4 01
0024 C4 D8 A5 91 file modification time
     AD CB C4 01
002C 00 33 16 74 last file access time
     F6 C7 C3 01
0034 00 20 01 00 file length
0038 00 00 00 00 custom icon count
003C 01 00 00 00 the window is shown normally when opened
0040 00 00 00 00 hotkey
0044 00 00 00 00 purpose unclear; the value is usually 0
     00 00 00 00
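The header layout above, decoded in Python as an added example (not the author's attached code). It checks the size and GUID before trusting any other field, and assumes the three time fields are Windows FILETIME values (100 ns ticks since 1601-01-01 UTC), which the table does not state; the sample bytes are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

# Field order follows the header table: size, GUID, flags, attributes, three
# times, length, icon count, show mode, hotkey, two unused DWORDs (4Ch bytes).
HEADER = struct.Struct("<I16sIIQQQIIIIQ")
LNK_GUID = bytes.fromhex("0114020000000000c000000000000046")
FLAGS = ["shell item ID list", "target is file or folder", "description",
         "relative path", "working directory", "command line", "custom icon"]
ATTRS = ["read-only", "hidden", "system", "volume label", "folder", "archive",
         "encrypted", "normal", "temporary", "sparse", "reparse point",
         "compressed", "offline"]
SHOW = {1: "normal", 2: "minimized", 3: "maximized"}
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime(ticks):
    # Assumption: FILETIME encoding, 100 ns ticks since 1601-01-01 UTC.
    try:
        return EPOCH + timedelta(microseconds=ticks // 10) if ticks else None
    except OverflowError:
        return None  # outside datetime's range: treat as invalid

def names(value, table):
    return [name for bit, name in enumerate(table) if value >> bit & 1]

def parse_header(data):
    if len(data) < HEADER.size:
        raise ValueError("truncated header")
    (magic, guid, flags, attrs, created, modified, accessed,
     length, icons, show, hotkey, _unused) = HEADER.unpack_from(data)
    if magic != 0x4C or guid != LNK_GUID:
        raise ValueError("not a shortcut file")
    return {"flags": names(flags, FLAGS), "unknown_flag_bits": flags & ~0x7F,
            "attributes": names(attrs, ATTRS),
            "created": filetime(created), "modified": filetime(modified),
            "accessed": filetime(accessed), "target_length": length,
            "icon_count": icons, "show": SHOW.get(show, f"unknown ({show})"),
            "hotkey": hotkey}

# Constructed sample: flags 8Fh and length 12000h as in the example above,
# creation and modification time set to 2004-01-01 00:00:00 UTC.
T = 127173888000000000
SAMPLE = HEADER.pack(0x4C, LNK_GUID, 0x8F, 0x20, T, T, 0, 0x12000, 0, 1, 0, 0)

if __name__ == "__main__":
    for key, value in parse_header(SAMPLE).items():
        print(f"{key}: {value}")
```

Bits outside the flag table (bit 7 in the 8Fh sample) are reported in `unknown_flag_bits` rather than silently dropped.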
III. Shell item ID list segment
This segment exists only when bit 0 of the flags (①) in the file header is set. It begins with an unsigned short integer giving the total length of the item ID list segment, followed by SHITEMID structures. SHITEMID is defined as follows:
typedef struct _SHITEMID {
    USHORT cb;     /* size of this SHITEMID structure */
    BYTE abID[1];  /* variable-length object identifier */
} SHITEMID, *LPSHITEMID;
cb stores the size of the SHITEMID structure, and abID is the variable-length identifier of an object; see MSDN for its meaning. Because the item ID list segment begins with its own total length, you can skip the whole segment while reading, without processing it!! :)
Example (the flags in the file header show that the shell item ID list segment exists):
Offset Data Interpretation
004c 9C 00 total length of the item ID list (the next segment starts at 004e + 009c = 00ea)
004e 14 00 length of the first item ID
0050 1f 50 E0 4f content of the first item id
D0 20 EA 3A
69 10 A2 D8
08 00 2B 30
30 9d
0062 19 00 length of the second item id
0064 23 43 3A 5C second item ID content
00 00 00 00
00 00 00 00
00 00 00
00 00 00 00 00
00 F1 93
007b 25 00
007d 31 00 00 00
00 00 70 31
47 3B 31 00
50 72 6f 67
72 61 6D 20
46 69 6c 65
73 00 50 52
4f 47 52 41
7E 31 00
00a0 2C 00
00a2 31 00 00 00
00 00 70 31
47 3B 10 00
57 69 6e 64
6f 77 73 20
4D 65 64 69
61 20 50 6C
61 79 65 72
00 57 49 4E
44 4f 57 7E
32 00
00cc 1C 00
00ce 32 00 00 20
01 00 95 2f
A1 99 20 00
77 6D 70 6C
61 79 65 72
2E 65 78 65
00 00
00e8 00 00 00 item ID list segment ended
IV. File Location Information Section
This segment begins with a long integer giving its total length. When bit 1 of the flags (①) in the file header is not set, the target is neither a file nor a folder, so this information is meaningless and the total length is 0. The header of this segment is as follows:
Offset | Size/Type | Description
0h | 1 DWORD | Total length of this segment
4h | 1 DWORD | Header length, fixed to 1Ch
8h | 1 DWORD | Flags indicating on which volumes the file is valid. Only the two low bits are used: the first bit set means the local volume is valid, the second bit set means the network volume is valid; otherwise the volume is invalid.
Ch | 1 DWORD | Offset of the local volume information table (fixed to 1Ch)
10h | 1 DWORD | Offset of the local path information
14h | 1 DWORD | Offset of the network volume information table
18h | 1 DWORD | Offset of the additional information
If the file is on a local volume, the file name is: local path information + additional information.
If the file is on a network volume, the file name is: the share name from the network volume information + additional information.
The local volume information table immediately follows the segment header (its offset within the segment is 1Ch). Its structure is as follows:
Offset | Size/Type | Description
0h | 1 DWORD | Length of the local volume information table
4h | 1 DWORD | Volume type: 0 unknown, 1 no root directory, 2 removable (floppy, zip, etc.), 3 fixed (hard disk), 4 remote (network drive), 5 CD-ROM, 6 RAM drive (shortcuts to stuff on a RAM drive, now that's smart...)
8h | 1 DWORD | Volume serial number
Ch | 1 DWORD | Size of the fixed-length part, fixed to 10h
10h | Variable length | Volume label
Next comes the local path information string; its offset within the segment is given by the value at 10h.
The offset of the network volume information table within the segment is given by the value at 14h. Its structure is as follows:
Offset | Size/Type | Description
0h | 1 DWORD | Length of the network volume information table
4h | 1 DWORD | Fixed to 2h
8h | 1 DWORD | Size of the fixed-length part, fixed to 14h
Ch | 1 DWORD | Fixed to 0h
10h | 1 DWORD | Fixed to 20000h
14h | Variable length | Network share name
Finally comes the additional information string, whose offset within the segment is given by the value at 18h. Example:
Offset Data Interpretation
Segment header
00EA 67 00 00 00 total length of the file location information segment
00EE 1C 00 00 00 segment header length, fixed to 1Ch
00F2 01 00 00 00 local volume
00F6 1C 00 00 00 offset of the local volume information table within the segment
00FA 33 00 00 00 00 offset of the local path information
00FE 00 00 00 offset of the network volume information table
0102 66 00 00 00 offset of the additional information
Local volume information table
0106 17 00 00 00 table length
010A 03 00 00 00 fixed (hard disk)
010E AD C9 B2 F0 volume serial number
0112 10 00 00 00 fixed to 10h
0116 73 79 73 74 volume label "system"
     65 6D 00
Local path information string
011D 43 3A 5C 50 "C:\Program Files\Windows Media Player\wmplayer.exe"
     72 6F 67 72
     61 6D 20 46
     69 6C 65 73
     5C 57 69 6E
     64 6F 77 73
     20 4D 65 64
     69 61 20 50
     6C 61 79 65
     72 5C 77 6D
     70 6C 61 79
     65 72 2E 65
     78 65 00
Network volume information table
The flags in the segment header indicate that only the local volume is used, and the offset of the network volume information table is zero. Therefore, the network volume information table does not exist.
Additional information string
0150 00
V. Description
This segment exists only when bit 2 of the flags (①) in the file header is set. It begins with an unsigned short int giving the length of the description string (the description is made of Unicode characters, so the number of bytes is this length multiplied by 2; you can use the API function WideCharToMultiByte to convert it to ANSI characters), followed by the string itself. Example:
Offset Data Interpretation
0151 20 00 length of the description string in characters
0153 ad 64 3E 65
70 65 57 5b
92 5A 53 4f
0C FF 05 53
EC 62 F3 97
50 4E 01 30
C6 89 91 98
01 30 43 00
44 00 20 00
8C 54 20 00
49 00 6e 00
74 00 65 00
72 00 6e 00
65 00 74 00
20 00 35 75
F0 53 02 30
Converted to ANSI characters: "Play digital media, including music, video, CD, and Internet radio."
VI. Relative Path
This segment exists only when bit 3 of the flags (①) in the file header is set. As in the description segment, it begins with an unsigned short int giving the length of the relative path string, followed by the string itself. Example:
Offset Data Interpretation
0193 38 00 length of the relative path string in characters
0195 2E 00 2E 00
5C 00 2E 00
2e 00 5C 00
2e 00 2E 00
5C 00 50 00
72 00 6f 00
67 00 72 00
61 00 6D 00
20 00 46 00
69 00 6C 00
65 00 73 00
5C 00 57 00
69 00 6e 00
64 00 6f 00
77 00 73 00
20 00 4D 00
65 00 64 00
69 00 61 00
20 00 50 00
6c 00 61 00
79 00 65 00
72 00 5C 00
77 00 6D 00
70 00 6C 00
61 00 79 00
65 00 72 00
2e 00 65 00
78 00 65 00
Converted to ANSI: "..\..\..\Program Files\Windows Media Player\wmplayer.exe"
VII. Working directory segment: same format as above.
In the example, this segment does not exist because bit 4 of the flags (①) in the file header is not set.
VIII. Command line segment: same format as above.
In the example, this segment does not exist because bit 5 of the flags (①) in the file header is not set.
IX. Icon file segment: same format as above.
In the example, this segment does not exist because bit 6 of the flags (①) in the file header is not set.
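An added example, not the author's attached code: walking sections III to IX in Python, checking every length and offset against the file size before reading, since all of them come from the file itself. It assumes the file location segment is absent when bit 1 of the flags is clear, that its strings use an ANSI code page (cp1252 here), and that the counted strings are Unicode as described above; the sample file is constructed.

```python
import struct

STRINGS = ["description", "relative_path", "working_dir", "arguments", "icon_file"]

def need(data, pos, count):
    # Every length and offset comes from the file: check it before each read.
    if pos + count > len(data):
        raise ValueError(f"{count} bytes at {pos:#x} run past end of file")
    return pos

def cstring(data, pos, end):
    stop = data.index(b"\0", pos, end)  # ValueError if no NUL inside the segment
    return data[pos:stop].decode("cp1252", "replace")  # assumed ANSI code page

def parse_body(data):
    flags, = struct.unpack_from("<I", data, need(data, 0x14, 4))
    pos, out = 0x4C, {}
    if flags & 1:  # item ID list: skip it using its total length
        size, = struct.unpack_from("<H", data, need(data, pos, 2))
        pos = need(data, pos + 2, size) + size
    if flags & 2:  # file location information
        total, _, vol, _, path_off, _, extra_off = struct.unpack_from(
            "<7I", data, need(data, pos, 0x1C))
        end = need(data, pos, total) + total
        if vol & 1:  # local volume: local path + additional information
            if not (0x1C <= path_off < total and 0x1C <= extra_off < total):
                raise ValueError("string offset outside the segment")
            out["target"] = (cstring(data, pos + path_off, end)
                             + cstring(data, pos + extra_off, end))
        pos = end
    for bit, name in enumerate(STRINGS, start=2):  # counted Unicode strings
        if flags >> bit & 1:
            count, = struct.unpack_from("<H", data, need(data, pos, 2))
            start = need(data, pos + 2, count * 2)
            out[name] = data[start:start + count * 2].decode("utf-16-le", "replace")
            pos = start + count * 2
    return out

def counted(text):
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")

# Constructed sample (not the page's file): flags 0Fh, one item ID, local path.
_body = struct.pack("<4I", 0x14, 3, 0x1234ABCD, 0x10) + b"sys\0" + b"C:\\Tools\\app.exe\0\0"
SAMPLE = (struct.pack("<I16sI", 0x4C, bytes(16), 0x0F).ljust(0x4C, b"\0")
          + struct.pack("<HH2sH", 6, 4, b"\x1f\x50", 0)
          + struct.pack("<7I", 0x42, 0x1C, 1, 0x1C, 0x30, 0, 0x41) + _body
          + counted("demo") + counted("..\\app.exe"))
print(parse_body(SAMPLE))
```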
X. Additional information section: the details are unclear!!!!!
Much of the material above comes from the Internet rather than from Microsoft documents, so some misunderstandings are inevitable; please bear with them. The attached code is only for tracing and display; it produces no output. Hey, check it out by yourself!! :) If you are interested, you can write a class that parses all the information in a shortcut.