Permalink
Branch: master
Find file Copy path
563d1f1 Nov 4, 2017
1 contributor

Users who have contributed to this file

3506 lines (3068 sloc) 149 KB

Windows Shell Item format specification

Summary

The Windows Shell uses Shell Items (Shell item list) to identify items within the Windows Folder Hierarchy. A Shell Item list is much like a path, and is unique to its parent folder. The format of the Shell Item is undocumented and varies between Windows versions. This specification is based on earlier work on the format and was complimented by reverse engineering.

This document is intended as a working document for the Windows Shell Items format specification. Which should allow existing Open Source forensic tooling to be able to process this file type.

Document information

Author(s):

Joachim Metz <joachim.metz@gmail.com>

Abstract:

This document contains information about the Windows Shell Item format.

Classification:

Public

Keywords:

Windows Shell Item

License

Copyright (C) 2010-2017, Joachim Metz <joachim.metz@gmail.com>.
Permission is granted to copy, distribute and/or modify this document under the
terms of the GNU Free Documentation License, Version 1.3 or any later version
published by the Free Software Foundation; with no Invariant Sections, no
Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included
in the section entitled "GNU Free Documentation License".

Revision history

Version Author Date Comments

0.0.1

J.B. Metz

July 2010

Initial version based on earlier work.

0.0.2

J.B. Metz

August 2010

Additional Windows 7 information.

0.0.3

J.B. Metz

August 2010

Additional known folder identifiers

0.0.4

J.B. Metz

August 2010

Additional shell item information, control panel shell item information, folder type and Windows 7 shell library information.

0.0.5

J.B. Metz

August 2010

Additional shell column property information.

0.0.6

J.B. Metz

September 2010

Merged directory name and filename shell items into file entry shell item.
Added information about NTFS file reference.
Corrected references.

0.0.7

J.B. Metz

January 2011

License version update
Additional Windows 2000 and 2003 information.

0.0.8

J.B. Metz

March 2012

Added information about known folder identifiers.
Found additional shell items in test files [LOPEZ10].

0.0.9

J.B. Metz

May 2012

Updates for Windows 8 Consumer Preview.

0.0.10

J.B. Metz

August 2012

New findings regarding shell property sheets (formerly indicated as shell column properties) with thanks to H. Carvey and J. Moore.

0.0.11

J.B. Metz

February 2013

Additional information regarding Windows 95 shell item types.

0.0.12

J.B. Metz

February 2013

Additional information regarding Windows 95 shell item types. Merged file entry name and file entry seem to be the same type.

0.0.13

J.B. Metz

February 2013

Renamed the shell property sheets (formerly indicated as shell column properties) to property store as indicated in the LNK documentation.

0.0.14

J.B. Metz

June 2013

Additional information regarding regarding class type indicators.
Additional findings regarding class type indicator flag 0x80.

0.0.15

J.B. Metz

June 2013

New findings regarding shell item type 0x1f, 0x2f and 0x74.

0.0.16

J.B. Metz

June 2013

New findings regarding Windows 98 shell items, shell item class 0x40, extension blocks and delegate items. Special thanks to J. Sánchez López for revisiting his previous findings.

0.0.17

J.B. Metz

June 2013

New findings regarding shell item type 0x00 and 0xff with thanks to Eduardo P.

0.0.18

J.B. Metz

June 2013

New findings regarding shell item types 0x35, 0x4c, 0x61 and FTP sub shell items, and extension blocks.

0.0.19

J.B. Metz

June 2013

New findings regarding shell item type 0x00 and extension blocks. Moved Property store definitions to separate document.

0.0.20

J.B. Metz

July 2013

Renamed folder identifier shell item to root folder shell item and volume name shell item to volume shell item.

0.0.21

J.B. Metz

October 2013

New findings on Windows 8.1 with thanks to E. Zimmerman.

0.0.22

J.B. Metz

July 2014

Textual changes.

0.0.22

J.B. Metz

July 2014

New findings on Control Panel 0x01 shell item with thanks to E. Zimmerman.

0.0.23

J.B. Metz

July 2014

Found new file entry 0x32 shell item – SWN1. Added findings on the compressed folder 0x52 shell item with thanks to D. Pullega and findings on MTP and MSC storage device shell items with thanks to N. Ibrahim.

0.0.24

J.B. Metz

July 2014
August 2014

Additional information on file entry 0x32 shell item – SWN1 and property view shell items. New findings on extension block 0xbeef0025 with thanks to E. Zimmerman and findings on file entry 0x36 shell item with thanks to F. Picasso.

0.0.25

J.B. Metz

August 2014

Restructured document, textual changes and additional information on the CD burn, delegate, compressed folder and MTP storage device shell items and extension blocks with thanks to E. Zimmerman.

0.0.26

J.B. Metz

August 2014

Moved property set information to LIBWPS documentation.
Updated information regarding the control panel CPL file and delegate shell item.
Additional information regarding extension blocks 0xbeef0000, 0xbeef0001, 0xbeef0008 and 0xbeef0010 with thanks to E. Zimmerman.

0.0.27

J.B. Metz

August 2014

Textual changes.
Updated information regarding the delegate shell item.

0.0.28

J.B. Metz

September 2014

Additional information regarding shell item 0x67 and extension block 0xbeef0021 with thanks to E. Zimmerman.

0.0.29

J.B. Metz

October 2014

Additional information regarding CDBurn shell item and extension blocks 0xbeef000b, 0xbeef000e and 0xbeef0016 with thanks to E. Zimmerman.

0.0.30

J.B. Metz

December 2014

Switched to asccidoc format.

0.0.31

J.B. Metz

February 2015

Additional information compressed folder 0x52 shell item with thanks to D. White and various yet unknown shell items with thanks to E. Zimmerman.

0.0.32

J.B. Metz

June 2015

Additional information regarding Windows 10 shell items from LNK files.

0.0.33

J.B. Metz

November 2017

Additional information regarding extension blocks and extension block 0xbeef0013.

0.0.34

J.B. Metz

November 2017

Additional information regarding FTP URI and URI sub shell items with thanks to S. Polshyn.

1. Overview

The Windows Shell uses Shell Items (Shell Item list) to identify items within the Windows Folder Hierarchy. A Shell Item list is much like a path, and is unique to its parent folder. The format of the Shell Item is undocumented and varies between Windows versions.

MSDN-SHELLEXT

Characteristics Description

Byte order

little-endian

Date and time values

FAT date and time and FILETIME

Character strings

ASCII strings are Single Byte Character (SBC) or Multi Byte Character (MBC) string stored with a codepage. Sometimes referred to as ANSI string representation.
Though technically maybe incorrect, this document will use term (extended) ASCII string.
Unicode strings are stored in UTF-16 little-endian without the byte order mark (BOM).

1.1. Test versions

The following version of programs were used to test the information within this document:

  • Windows 95

  • Windows 98

  • TODO: Windows Me

  • Windows NT4

  • Windows 2000 (SP4)

  • Windows XP (SP3)

  • Windows 2003

  • Windows Vista (SP0)

  • Windows 2008

  • Windows 7 (SP0)

  • Windows 8

  • TODO: Windows 2012

  • Windows 8.1

  • Windows 10

2. Shell Item list

The Shell Item list (ITEMIDLIST) is variable of size and consists of:

Offset Size Value Description

0

…​

The Shell Item

…​

2

0

Terminal identifier
Signifies the end of the Shell Item list

The shell items identifiers list consists of Shell Item terminated by the terminal identifier (an empty Shell Item).

2.1. Shell Item

The Shell Item (SHITEMID) is variable of size and consists of:

Offset Size Value Description

0

2

The size of the shell item
Includes the 2 bytes of the size itself, 0 if shell item is empty

Shell Item data

2

1

Class type indicator

3

…​

Class type specific data

Related class identifier CLSID_ShellItem?

The class type indicator has proven not to be a foolproof indicator for all shell items, but it appears to be a strong one for others hence (for now) we divide the shell items into two categories:

  • type indicator-base shell items

  • signature-base shell items

3. Type indicator-based shell items

3.1. Class type indicator

The class type indicator is a combination of a type, sub-type and flags.

Value Related class identifier (CLSID) Description

0x00

Unknown

0x01

Unknown

0x17

Unknown

0x1e

CLSID_ShellDesktop

Not seen in wild but reason to believe it exists.

0x1f

CLSID_ShellDesktop
Likely IshellFolder interface?

Root folder shell item

0x20 – 0x2f

CLSID_MyComputer

Volume shell item
See section: Volume shell item

0x30 – 0x3f

CLSID_ShellFSFolder

File entry shell item
See section: File entry shell item

0x40 – 0x4f

CLSID_NetworkRoot
CLSID_NetworkPlaces

Network location shell item
See section: Network location shell item

0x52

Compressed folder shell item
See section: Compressed folder shell item

0x61

CLSID_Internet

URI shell item

0x70

ControlPanel

Not seen in wild but reason to believe it exists.
item has no item data at offset 0x04

0x71

ControlPanel
ControlPanelTasks

Control Panel shell item

0x72

Printers

Not seen in wild but reason to believe it exists.
Printers

0x73

CommonPlacesFolder

Not seen in wild but reason to believe it exists.

0x74

UsersFilesFolder

Unknown
Only seen as delegate item

0x76

Unknown

0x80

Unknown – different meaning per class type indicator?

0xff

Unknown

Type 0x08 (with size of 6) is alias ? Type 0x0c is alias ?

0x3a Name space object? Link blessing? My Computer (CRegFolder)?

0x7b extension?

What is the relationship between the root (first) shell item (0x1f/0x1e?) and the other shell items?

3.2. Root folder shell item

The root folder shell item is variable of size and consists of the following values:

Offset Size Value Description

0

2

The size of the shell item
Includes the 2 bytes of the size itself

2

1

0x1f

Class type indicator

3

1

Sort index

4

16

Shell folder identifier
Contains a GUID
For a list of shell folder identifiers see: [LIBFWSI-WIKI]

Present if shell item size > 20 (seen in Windows 7)

20

…​

Extension block 0xbeef0017
See section: Extension block 0xbeef0017

Shell item from Windows 7 ShellMRU (Search Home)

00000000: 1f 80 2e 81 43 93 37 1c  49 4a a1 2e 4b 2d 81 0d   ....C.7. IJ..K-..
00000010: 95 6b 46 00 01 00 17 00  ef be 00 00 00 00 01 00   .kF..... ........
00000020: 00 00 02 00 00 80 01 00  00 00 01 00 00 00 02 00   ........ ........
00000030: 00 00 00 00 00 00 00 00  00 00 02 00 00 00 00 00   ........ ........
00000040: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
00000050: 00 00 00 00 00 00 14 00                            ........

3.2.1. Sort index

Value Identifier Description

0x00

Internet Explorer

0x42

Libraries

0x44

Users

0x48

My Documents

0x50

My Computer

0x58

My Network Places/Network

0x60

Recycle Bin

0x68

Internet Explorer

0x70

Unknown

0x80

My Games

Common sort indexes matches info in oleview.exe

3.3. Volume shell item

The volume shell item is identified by a value of 0x20 after applying a bitmask of 0x70. The remaining bits in the class type indicator are presumed to be a sub-type or flags.

Value Identifier Description

0x01

Has name

0x02

Unknown (0x23 C:, 0x2f C: or D:, 0x2a J:)

0x04

Unknown (0x23 C:, 0x25 D:)

0x08

Is removable media (0x23 C:, 0x29 A:, 0x2a J:)

Values that have been seen: 0x23, 0x25, 0x29, 0x2a, 0x2e, 0x2f

The volume shell item is variable bytes of size and consists of the following values:

Offset Size Value Description

0

2

The size of the shell item
Includes the 2 bytes of the size itself

2

1

Class type indicator
0x20 after applying a bitmask of 0x70

If class type indicator flag 0x01 (has name) is not set

3

1

Unknown (Flags) Seen 0x00, 0x1e, 0x80

4

Found in Windows 7 BagMRU

00000000: 2f 44 3a 5c 00 00 00 00  00 00 00 00 00 00 00 00   /D:\.... ........
00000010: 00 00 00 00 00 01 01 05  8a eb fb ee be 42 44 80   ........ .....BD.
00000020: 4e 40 9d 6c 45 15 e9                               N@.lE..

00000000  32 00 2e 80 3a cc bf b4  2c db 4c 42 b0 29 7f e9  |2...:...,.LB.)..|
00000010  9a 87 c6 41 1e 00 00 00  25 00 ef be 11 00 00 00  |...A....%.......|
00000020  fa 66 a2 86 36 74 cf 01  2d 81 fe bc ba 9b cf 01  |.f..6t..-.......|
00000030  14 00 00 00                                       |....|

00000000  32 00 2e 80 90 e2 4d 37  3f 12 65 45 91 64 39 c4  |2.....M7?.eE.d9.|
00000010  92 5e 46 7b 1e 00 00 00  25 00 ef be 11 00 00 00  |.^F{....%.......|
00000020  fa 66 a2 86 36 74 cf 01  33 cb 2c 72 3b 74 cf 01  |.f..6t..3.,r;t..|
00000030  14 00 00 00                                       |....|

3.4. File entry shell item

The file entry shell item is identified by a value of 0x30 after applying a bitmask of 0x70. The remaining bits in the class type indicator are presumed to be a sub-type or flags.

Value Identifier Description

0x01

Is directory

0x02

Is file

0x04

Has Unicode strings

0x08

Unknown (common item flag?)
Related to the common item dialog?

0x80

Has class identifier (related to junction?)

Values that have been seen: 0x30, 0x31, 0x32, 0x35, 0x36, 0xb1. Possible other values: 0x38.

According to [LOPEZ10] the value in the last two bytes of the shell can be used to find the offset of the extension block version and if this value is sane the file entry shell item contains an extension block (Windows XP or later) or otherwise the secondary name value (pre Windows XP).

3.4.1. File entry shell item – pre Windows XP

This version of the the file entry shell item is used by Windows versions predating Windows XP, e.g. Windows 95, Windows NT4, Windows 2000.

The file entry shell item is variable of size and consists of the following values:

Offset Size Value Description

0

2

The size of the shell item
Includes the 2 bytes of the size itself

2

1

Class type indicator
0x30 after applying a bitmask of 0x70

3

1

0

Unknown (Empty value)

4

4

File size
What about > 32-bit file sizes?

8

4

Last modification date and time
Contains a FAT date and time in UTC

12

2

File attribute flags
Contains the lower 16-bit part of the file attribute flags.
See section: File attribute flags
What does 0x8000 represent? Seen in windows 98 lnk.

14

…​

Primary name
Depending on flag 0x04 an ASCII or UTF-16 little-endian string with end-of-string character.
Also see below.

…​

…​

Secondary name
Depending on flag 0x04 an ASCII or UTF-16 little-endian string with end-of-string character.
Also see below.

If class type indicator flag 0x80 is set

…​

16

Shell folder identifier
Contains a GUID
For a list of shell folder identifiers see: [LIBFWSI-WIKI]

The primary name contains the long name if available otherwise it contains the short name. If the primary name contains the long name the secondary name contains the short name otherwise it is empty (consist of a single end-of-string character).

It is unknown when Unicode string support was added but it is assumed that it also applies to pre Windows XP file entry shell item.

On Windows 95 for type 0x30 (without flags) none of the values in the first 11 bytes after the type indicator are set.

3.4.2. File entry shell item – Windows XP and later

This version of the the file entry shell item is used by Windows XP and later versions.

The file entry shell item is variable of size and consists of the following values:

Offset Size Value Description

0

2

The size of the shell item
Includes the 2 bytes of the size itself

2

1

Class type indicator
0x30 after applying a bitmask of 0x70

3

1

0

Unknown (Empty value)

4

4

File size
What about > 32-bit file sizes?

8

4

Last modification date and time
Contains a FAT date and time in UTC

12

2

File attribute flags
Contains the lower 16-bit part of the file attribute flags.
See section: File attribute flags

14

…​

Primary name
Depending on flag 0x04 an ASCII or UTF-16 little-endian string with end-of-string character.
This value is 16-bit aligned, so for ASCII strings it can contain an additional zero byte.
Also see below.

…​

…​

Extension block 0xbeef0004
This value contains the the size of the extension block or 0 if not set
See section: File entry extension block (0xbeef0004)

Present if shell item contains more data (and flag 0x80 is not set?) (seen in Windows 2003)

…​

…​

Extension block
Seen extension block 0xbeef0005, 0xbeef0006 and 0xbeef001a.

If class type indicator flag 0x80 is set

…​

…​

Extension block 0xbeef0003
See section: Extension block 0xbeef0003

The primary name often contains the short name, but can contain the long name as well e.g. when class indicator flag 0x04 is set.

Note
The date and time values do not always seem to be set.

3.4.3. File entry shell item - SolidWorks

Seen in Windows 7 in LastVisitedPidMRU and LNK files after shell item 0xb1 with extension block 0xbeef0003 which contains the SolidWorks Enterprise PDM CLSID: 0bd8e793-d371-11d1-b0b5-0060972919d7.

The file entry shell item is variable of size and consists of the following values:

Offset Size Value Description

0

2

The size of the shell item
Includes the 2 bytes of the size itself

2

1

Seen: 0x32

Class type indicator
0x30 after applying a bitmask of 0x70

3

1

0

Unknown (Empty value)

4

4

Seen: 0

File size
What about > 32-bit file sizes?

8

4

Seen: 0

Last modification date and time
Contains s FAT date and time in UTC

12

2

Seen: 0

File attribute flags
Contains the lower 16-bit part of the file attribute flags.
See section: File attribute flags

14

…​

Primary name
UTF-16 little-endian string with end-of-string character.

…​

2

Seen: 0

Extension block
This value contains the the size of the extension block or 0 if not set

…​

7

"S.W.N.1"

Signature

…​

1

The file entry type?
0x01 ⇒ directory
0x02= > file
Likely part of signature

…​

4

Unknown

…​

4

Unknown

…​

8

Seen: 2

Unknown

…​

6

Seen: 0

Unknown (Empty values)

3.4.4. Notes

File date and time values populated from WIN32_FIND_DATA?

Part before the extension block FolderItem typelib interface?

Class identifier (CLSID) Related interface identifier(s) (IID) Related class

CLSID_FolderItem

IID_IPersistFolder

3.5. Network location shell item

The network location shell item is identified by a value of 0x40 after applying a bitmask of 0x70. The remaining bits in the class type indicator are presumed to be a sub-type or flags.

Value Identifier Description

0x01

Domain/Workgroup name

0x02

Server UNC path

0x03

Share UNC path

0x06

Microsoft Windows Network

0x07

Entire Network

0x0d

NetworkPlaces

if resource display type is generic or root

0x0e

NetworkPlaces

if resource display type is server

0x80

Unknown

Values that have been seen: 0x41, 0x42, 0x46, 0x47, 0x4c, 0xc3

The Network location shell item is variable of size and consists of the following values:

Offset Size Value Description

0

2

The size of the shell item
Includes the 2 bytes of the size itself

2

1

Class type indicator
0x40 after applying a bitmask of 0x70

3

1

Unknown
0x00, 0x01 (in UNC path), 0x03

4

1

Flags
0x01
0x02
0x04
0x40 ⇒ has comments
0x80 ⇒ has description

5

…​

Location
Contains the network name or UNC path
ASCII string with end-of-string character

If flag 0x80 is set

…​

…​

Description
ASCII string with end-of-string character

If flag 0x40 is set

…​

…​

Comments
ASCII string with end-of-string character

If size > ?

…​

…​

Unknown
0x0000
0x0002
0x000042

3.6. Compressed folder shell item

The compressed folder shell item is variable of size and consists of the following values:

Offset Size Value Description

0

2

The size of the shell item
Includes the 2 bytes of the size itself

2

1

0x52

Class type indicator

3

1

Seen: 0x67

Unknown

4

2

Seen: 0xacb1

Unknown (flags or signature of some kind)

Controlled by one of the flags?

6

4

Seen: 1, 2, 3

Unknown

10

8

Unknown (empty values)

18

4

Seen: 0x10, 0x11, 0x16

Unknown

22

4

Unknown
Possibly used for higher precision timestamps

26

4

Unknown (date and time) Contains a FAT date and time in UTC, or 0 if not set

30

4

Unknown Possibly used for higher precision timestamps

34

4

Unknown (date and time)
Contains a FAT date and time in UTC, or 0 if not set

38

8

0

Unknown (empty values)

Common

46

4

Unknown string size
Contains the number of characters which includes the end-of-string character
An empty strings is stored with a size of 1

50

…​

Unknown string (file entry name?)
UTF-16 little-endian string with end-of-string character.

…​

4

Unknown string size
Contains the number of characters which includes the end-of-string character
An empty strings is stored with a size of 1

…​

…​

Unknown string
UTF-16 little-endian string with end-of-string character.

…​

4

Full path string size
Contains the number of characters which includes the end-of-string character
An empty strings is stored with a size of 1

…​

…​

Full path string
UTF-16 little-endian string with end-of-string character.

…​

4

Unknown string size
Contains the number of characters which includes the end-of-string character
An empty strings is stored with a size of 1

…​

…​

Unknown string
UTF-16 little-endian string with end-of-string character.

Possible fields:
* Compression ratio
* Compression method
* Compression CRC
* File type
* Original size
* Compressed size
* Encrypted status?
00000000: 67 b1 ac 02 00 00 00 00  00 00 00 00 00 00 00 16   g....... ........
00000010: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
00000020: 00 00 00 00 00 00 00 00  00 00 00 03 00 00 00 43   ........ .......C
00000030: 00 3a 00 00 00 03 00 00  00 43 00 3a 00 00 00 03   .:...... .C.:....
00000040: 00 00 00 43 00 3a 00 00  00 01 00 00 00 00 00      ...C.:.. .......

00000000: 67 b1 ac 01 00 00 00 00  00 00 00 00 00 00 00 00   g....... ........
00000010: 00 00 00 00 00 00 00 00  00 00 00 00 00 03 de 3d   ........ .......=
00000020: 27 74 42 00 00 00 00 00  00 00 00 25 00 00 00 30   'tB..... ...%...0
00000030: 00 43 00 32 00 46 00 34  00 45 00 45 00 42 00 2d   .C.2.F.4 .E.E.B.-
00000040: 00 30 00 42 00 30 00 39  00 2d 00 34 00 43 00 39   .0.B.0.9 .-.4.C.9
00000050: 00 32 00 2d 00 39 00 30  00 44 00 31 00 2d 00 34   .2.-.9.0 .D.1.-.4
00000060: 00 31 00 39 00 31 00 30  00 41 00 31 00 41 00 41   .1.9.1.0 .A.1.A.A
00000070: 00 46 00 42 00 33 00 00  00 0d 00 00 00 4d 00 79   .F.B.3.. .....M.y
00000080: 00 20 00 44 00 6f 00 63  00 75 00 6d 00 65 00 6e   . .D.o.c .u.m.e.n
00000090: 00 74 00 73 00 00 00 01  00 00 00 00 00 01 00 00   .t.s.... ........
000000a0: 00 00 00                                           ...
Different variants:

00000000  52 00 67 45 23 01 00 00  36 00 37 00 45 00 46 00  |R.gE#...6.7.E.F.|
00000010  33 00 38 00 38 00 31 00  2d 00 35 00 33 00 35 00  |3.8.8.1.-.5.3.5.|
00000020  36 00 2d 00 34 00 65 00  61 00 35 00 2d 00 38 00  |6.-.4.e.a.5.-.8.|
00000030  43 00 42 00 45 00 2d 00  43 00 43 00 46 00 38 00  |C.B.E.-.C.C.F.8.|
00000040  33 00 42 00 46 00 41 00  36 00 43 00 42 00 34 00  |3.B.F.A.6.C.B.4.|
00000050  00 00                                             |..|

00000000: 52 00 45 00 47 00 00 00  00 00 00 00 00 00 00 00   R.E.G... ........
00000010: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 10 00   ........ ........
00000020: 00 00 4e 00 2f 00 41 00  00 00 00 00 00 00 90 64   ..N./.A. .......d
00000030: 6d 07 00 00 00 00 00 00  00 00 00 00 00 00 b8 a0   m....... ........
00000040: 3f f6 fe 07 00 00 40 80  00 00 00 00 00 00 ff ff   ?.....@. ........
00000050: 00 00 24 00 00 00 00 00  00 00 53 00 75 00 62 00   ..$..... ..S.u.b.
00000060: 77 00 61 00 79 00 20 00  53 00 75 00 72 00 66 00   w.a.y. . S.u.r.f.
00000070: 65 00 72 00 73 00 20 00  2d 00 20 00 4c 00 61 00   e.r.s. . -. .L.a.
00000080: 75 00 6e 00 63 00 68 00  20 00 54 00 72 00 61 00   u.n.c.h.  .T.r.a.
00000090: 69 00 6c 00 65 00 72 00  20 00 32 00 30 00 31 00   i.l.e.r.  .2.0.1.
000000a0: 33 00 00 00 00 00 34 03  00 00                     3.....4. ..
Interface identifier (IID) GUID

CLSID_ZipFolder

e88dcce0-b7b3-11d1-a9f0-00aa0060fa31

%SystemRoot%\System32\zipfldr.dll

3.7. URI shell item

The URI shell item is variable of size and consists of the following values:

Offset Size Value Description

0

2

The size of the shell item
Includes the 2 bytes of the size itself

2

1

0x61

Class type indicator

3

1

Flags
0x01
0x02
0x80 set if URI string in Unicode

4

2

Size of data
Does not include the 2 bytes of the size itself. 0 if no data

If size of data > 0 (or is this controlled by flag 0x01 or 0x02?)

…​

4

Unknown

…​

4

Unknown

…​

8

Unknown timestamp
For FTP presumably first access time to the server (access != successfull authentification)
Contains a FILETIME

…​

4

Unknown
Seen: 0x00000000, 0xffffffff

…​

12

Unknown (Empty values)

…​

4

Unknown

…​

4

String1 data size
Value in bytes

…​

…​

String1 data
For FTP hostname or IP address
Depending on flag 0x80 an ASCII or UTF-16 little-endian string with end-of-string character. The string is 4-byte aligned unused bytes are filled with 0-byte values. Therefore an empty string is stored as 4x 0-byte values.

…​

4

String2 data size
Value in bytes

…​

4

String2 data
For FTP the username
Depending on flag 0x80 an ASCII or UTF-16 little-endian string with end-of-string character. The string is 4-byte aligned unused bytes are filled with 0-byte values. Therefore an empty string is stored as 4x 0-byte values.

…​

4

String3 data size
Value in bytes

…​

4

String3 data
For FTP the password
Depending on flag 0x80 an ASCII or UTF-16 little-endian string with end-of-string character. The string is 4-byte aligned unused bytes are filled with 0-byte values. Therefore an empty string is stored as 4x 0-byte values.

Common

…​

…​

URI string
Depending on flag 0x80 an ASCII or UTF-16 little-endian string with end-of-string character.
Not always present is this controlled by flag 0x01 or 0x02 ?

…​

2

Unknown (Empty values)
Present if shell item contains more data (Seen in Vista in combination with MSIE 7)

…​

4

Extension block 0xbeef0014
See section: Extension block 0xbeef0014

3.7.1. FTP URI sub shell item

Seen after 0x61 shell item type with ftp URI.

The ftp sub shell item is variable of size and consists of the following values:

Offset Size Value Description

0

2

The size of the shell item
Includes the 2 bytes of the size itself

2

1

Class type indicator?
Seen: 0x00, 0x17, 0x30, 0x5b, 0xb5, 0xb7, 0xb9, 0xba, 0xc2, 0xc4, 0xe6

3

1

Unknown
Seen: 0x00, 0x06, 0x09

4

2

Unknown
If 0 no string padding?

6

2

Unknown
Seen: 0x0005, 0x0009

8

2

Unknown
Seen: 0x0000, 0x0003

10

4

Unknown (flags?)
Seen: 0x00000080, 0x00000090

14

4

Unknown

18

4

Unknown

22

8

Unknown (last modified time of folder on server?)
Contains a FILETIME

30

4

Unknown
Seen: 0x0755

34

4

Unknown

38

…​

String
ASCII string with end-of-string character
Sometimes is 4-byte aligned unused bytes are filled with 0-byte values?

…​

…​

Unicode string
UTF-16 little-endian string with end-of-string character
Sometimes is 4-byte aligned unused bytes are filled with 0-byte values?

…​

…​

Unknown
Not always present, but is an ASCII string sometimes without an end-of-string character. Maybe remnant data?

Indication that the value at offset 0x10 contains a FILETIME

00000000: 76 00 6f 00 05 00 00 00  90 00 00 00 00 00 00 00   v.o..... ........
00000010: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
00000020: 01 00 00 00 74 65 73 74  00 00 00 00 74 00 65 00   ....test ....t.e.
00000030: 73 00 74 00 00 00 73 00                            s.t...s.

3.8. Control Panel shell item

The Control Panel shell item is 30 bytes of size and consists of the following values:

Offset Size Value Description

0

2

The size of the shell item
Includes the 2 bytes of the size itself

2

1

0x71

Class type indicator

3

1

Unknown (sort order?)
Seen: 0x80

4

10

Unknown (Empty values)

14

16

Control Panel Item identifier
Contains a GUID
For a list of control panel identifiers see: [LIBFWSI-WIKI]

4. Signature-based shell items

4.1. Application shell item

Seen in Windows 10 after root shell item with applications shell folder identifier.

Offset Size Value Description

0

2

The size of the shell item
Includes the 2 bytes of the size itself

2

2

Unknown

4

2

Unknown (data size?)

6

4

"APPS"
0x53505041

Signature

10

4

Unknown

14

4

Unknown

If data size > 0 ?

…​

…​

Property store data
Contains one or more property stores
See: [LIBFWPS]

4.1.1. Notes

libfwsi_item_list_copy_from_byte_stream: shell item: 1 size             : 290
libfwsi_item_copy_from_byte_stream: size                                : 290
libfwsi_item_copy_from_byte_stream: data:
00000000: 00 00 1c 01 41 50 50 53  0a 01 08 00 03 00 00 00   ....APPS ........
00000010: 01 00 00 00 31 00 00 00  31 53 50 53 30 f1 25 b7   ....1... 1SPS0.%.
00000020: ef 47 1a 10 a5 f1 02 60  8c 9e eb ac 15 00 00 00   .G.....` ........
00000030: 0a 00 00 00 00 1f 00 00  00 01 00 00 00 00 00 00   ........ ........
00000040: 00 00 00 00 00 d5 00 00  00 31 53 50 53 55 28 4c   ........ .1SPSU(L
00000050: 9f 79 9f 39 4b a8 d0 e1  d4 2d e1 d5 f3 b9 00 00   .y.9K... .-......
00000060: 00 05 00 00 00 00 1f 00  00 00 54 00 00 00 77 00   ........ ..T...w.
00000070: 69 00 6e 00 64 00 6f 00  77 00 73 00 2e 00 69 00   i.n.d.o. w.s...i.
00000080: 6d 00 6d 00 65 00 72 00  73 00 69 00 76 00 65 00   m.m.e.r. s.i.v.e.
00000090: 63 00 6f 00 6e 00 74 00  72 00 6f 00 6c 00 70 00   c.o.n.t. r.o.l.p.
000000a0: 61 00 6e 00 65 00 6c 00  5f 00 63 00 77 00 35 00   a.n.e.l. _.c.w.5.
000000b0: 6e 00 31 00 68 00 32 00  74 00 78 00 79 00 65 00   n.1.h.2. t.x.y.e.
000000c0: 77 00 79 00 21 00 6d 00  69 00 63 00 72 00 6f 00   w.y.!.m. i.c.r.o.
000000d0: 73 00 6f 00 66 00 74 00  2e 00 77 00 69 00 6e 00   s.o.f.t. ..w.i.n.
000000e0: 64 00 6f 00 77 00 73 00  2e 00 69 00 6d 00 6d 00   d.o.w.s. ..i.m.m.
000000f0: 65 00 72 00 73 00 69 00  76 00 65 00 63 00 6f 00   e.r.s.i. v.e.c.o.
00000100: 6e 00 74 00 72 00 6f 00  6c 00 70 00 61 00 6e 00   n.t.r.o. l.p.a.n.
00000110: 65 00 6c 00 00 00 00 00  00 00 00 00 00 00 00 00   e.l..... ........

4.2. CDBurn shell item

Seen in Windows XP after volume shell item pointing to CDBurn (related) CLSID.

Offset Size Value Description

0

2

The size of the shell item
Includes the 2 bytes of the size itself

2

1

Unknown (Class type indicator)
Seen: 0, 1
1 ⇒ flag to indicate trailing bytes after each shell item?

3

1

Unknown (Empty value)

4

4

"AugM"
0x4d677541

Signature

8

4

Unknown (number of 16-bit values that follow?)
Seen: 2, 4

12

4

Unknown
Related to the number of sub shell items in the sub shell item list?

If number of 16-bit values that follow == 4

18

4

Unknown
Seen: 0x00010000

Common

…​

2

Sub shell item list

4.2.1. Notes

00000000  c0 00 01 00 41 75 67 4d  04 00 00 00 02 00 00 00  |....AugM........|
00000010  00 00 01 00 52 00 31 00  00 00 00 00 00 00 00 00  |....R.1.........|
00000020  10 00 45 6e 67 6c 69 73  68 00 3c 00 08 00 04 00  |..English.<.....|
00000030  ef be 00 00 00 00 00 00  00 00 2a 00 00 00 00 00  |..........*.....|
00000040  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000050  00 00 00 00 45 00 6e 00  67 00 6c 00 69 00 73 00  |....E.n.g.l.i.s.|
00000060  68 00 00 00 16 00 00 00  01 00 00 00 52 00 31 00  |h...........R.1.|
00000070  00 00 00 00 00 00 00 00  10 00 45 6e 67 6c 69 73  |..........Englis|
00000080  68 00 3c 00 08 00 04 00  ef be 00 00 00 00 00 00  |h.<.............|
00000090  00 00 2a 00 00 00 00 00  00 00 00 00 00 00 00 00  |..*.............|
000000a0  00 00 00 00 00 00 00 00  00 00 00 00 45 00 6e 00  |............E.n.|
000000b0  67 00 6c 00 69 00 73 00  68 00 00 00 16 00 00 00  |g.l.i.s.h.......|
000000c0  00 00                                             |..|
000000c2

4.3. Control panel shell items

4.3.1. Control panel CPL file shell item

Seen after volume shell item pointing to Control Panel CLSID.

The Control panel CPL file shell item is variable of size and consists of the following values:

Offset Size Value Description

0

2

The size of the shell item
Includes the 2 bytes of the size itself

2

1

0x00

Class type indicator

3

1

Unknown (Empty value)

4

4

0xffffff38

Signature

8

4

Unknown (Empty values)

12

4

Unknown Seen: 0x00006a00

16

4

Unknown (Empty values)

20

2

Name offset
Contains the number of characters (16-bit values)

22

2

Comments offset
Contains the number of characters (16-bit values)

24

…​

.cpl file path
UTF-16 little-endian string with end-of-string character

…​

…​

Name
UTF-16 little-endian string with end-of-string character

…​

…​

Comments
UTF-16 little-endian string with end-of-string character

4.3.2. Control panel category shell item

Seen in Windows 7 in BagMRU and also seen in LNK after shell item type 0x1f with Control Panel CLSID.

The Control panel category shell item is 12 bytes of size and consists of the following values:

Offset Size Value Description

0

2

The size of the shell item
Includes the 2 bytes of the size itself

2

1

Seen: 0x01

Class type indicator

3

1

Unknown (Empty value)

4

4

0x39de2184

Signature

8

4

Control panel category
See section: Control panel categories

Control panel categories
Value Identifier Description

0

All Control Panel Items

1

Appearance and Personalization

2

Hardware and Sound

3

Network and Internet

4

Sounds, Speech, and Audio Devices
No longer used as Windows Vista

5

System and Security

6

Clock, Language, and Region

7

Ease of Access

8

Programs

9

User Accounts

10

Security Center
No longer used as Windows Vista, only available in Windows XP, SP2 or later

11

Mobile PC
Only available in mobile version of Windows Vista

4.4. Game Folder shell item

Seen after root folder shell item containing a My Games shell folder identifier: ed228fdf-9ea8-4870-83b1-96b02cfe0d52.

The Game Folder Shell Item is 32 bytes of size and consists of:

Offset Size Value Description

0

2

The size of the shell item
Includes the 2 bytes of the size itself

2

1

0x00

Class type indicator

3

1

Unknown (Empty value)

4

4

"GFSI"
0x49534647

Signature

8

16

Class identifier
Contains a GameExplorer related GUID
d1a7f7e0-d4e9-49e8-bf2c-ceaa01d2e670

24

8

Unknown (Empty values)

4.5. MTP storage device shell items

TODO

MTP ⇒ Media Transfer Protocol

Seen in Windows 7 BagMRU and LNK files

4.5.1. MTP storage device volume shell item

Offset Size Value Description

0

2

The size of the shell item
Includes the 2 bytes of the size itself

2

1

0x00

Class type indicator

3

1

Unknown (Empty value)

4

2

Data size
The size of the following data, the extension block sizes not included

6

4

0x10312005

Data signature

Data

10

4

Seen: 3

Unknown

14

2

Unknown

16

2

Unknown

18

2

Unknown

20

2

Unknown

22

4

Unknown

26

8

Unknown (Empty values)

34

4

Unknown size

38

4

Name string size
Contains the number of characters including the end-of-string character

42

4

Identifier string number of characters
Contains the number of characters including the end-of-string character

46

4

File system string number of characters
Contains the number of characters including the end-of-string character

50

4

Number of GUID strings

54

…​

Name string
UTF-16 little-endian with end-of-string character

…​

…​

Identifier string
UTF-16 little-endian with end-of-string character

…​

…​

File system string
UTF-16 little-endian with end-of-string character

…​

78 x n

GUID strings
UTF-16 little-endian with end-of-string character
Each GUID string is 78 bytes in size
The GUIDs relate to WPD event handler identifiers

…​

4

0xd

Unknown

…​

16

Class identifier
Contains a GUID
CLSID: PortableDeviceValues Class

…​

4

Number of properties

…​

…​

Properties array

…​

2

Unknown (empty values)

4.5.2. MTP storage device file entry shell item

Offset Size Value Description

0

2

The size of the shell item
Includes the 2 bytes of the size itself

2

1

0x00

Class type indicator

3

1

Unknown (Empty value)

4

2

Data size
The size of the following data, the extension block sizes not included

6

4

0x07192006

Data signature

10

4

Unknown

14

2

Unknown

16

2

Unknown

18

2

Unknown

20

2

Unknown

22

4

Unknown

26

8

Last modification time?
Contains a FILETIME

34

8

Creation time?
Contains a FILETIME

42

16

Contains a GUID
WPD_CONTENT_TYPE_FOLDER

58

4

Unknown size

62

4

String 1 size

66

4

String 2 size

70

4

String 3 size

74

…​

String 1 (Folder name)
UTF-16 little-endian with end-of-string character

…​

…​

String 2 (Folder name)
UTF-16 little-endian with end-of-string character

…​

…​

String 3 (Folder identifier)
UTF-16 little-endian with end-of-string character

…​

4

0xd

Unknown

…​

16

Class identifier
Contains a GUID
CLSID: PortableDeviceValues Class

…​

4

Number of properties

…​

…​

Properties array

…​

2

Unknown (empty values)

4.5.3. Properties array

Property

A property is variable of size and consists of:

Offset Size Value Description

0

16

Format class (or property set) identifier
Contains a GUID

16

4

Property value identifier

20

4

Property value type
Contains an OLE defines property (variant) types. Also see [LIBFOLE]

24

…​

Property value

Format class (or property set) identifiers

The following format class (or property set) identifier are known to be used. For more information about the property sets and values see: [LIBFWPS]

Identifier Description

01a3057a-74d6-4e80-bea7-dc4c212ce50a

WPD_STORAGE_OBJECT_PROPERTIES_V1

4d545058-4fce-4578-95c8-8698a9bc0f49

Unknown

8f052d93-abca-4fc5-a5ac-b01df4dbe598

WPD_FUNCTIONAL_OBJECT_PROPERTIES_V1

ef6b490d-5cd8-437a-affc-da8b60ee4a3c

WPD_OBJECT_PROPERTIES_V1

4.6. Delegate shell item

The delegate shell item is variable of size and consists of the following values:

Offset Size Value Description

0

2

The size of the shell item
Includes the 2 bytes of the size itself

2

1

Class type indicator
Seen: 0x2e, 0x53

3

1

Unknown
Seen: 0x00, 0x44

4

2

Data size
Does not includes the 2 bytes of the size itself

6

…​

Data

…​

16

Delegate item identifier
Contains a GUID
5e591a74-df96-48d3-8d67-1733bcee28ba

…​

16

Shell folder identifier
Contains a GUID
For a list of shell folder identifiers see: [LIBFWSI-WIKI]

4.6.1. Shell folder identifiers

Identifier Description

35786d3c-b075-49b9-88dd-029876e11c01

Portable Devices

59031a47-3f72-44a7-89c5-5595fe6b30ee

Shared Documents Folder (Users Files)

4.6.2. Shell folder: 35786d3c-b075-49b9-88dd-029876e11c01 data

Offset Size Value Description

0

4

Unknown

4

4

Seen: 3

Unknown

8

4

Unknown (empty values)

12

4

Seen: 2

Unknown

16

4

Unknown

20

4

Unknown

24

4

String 1 size
Contains the number of characters which includes the end-of-string character

28

4

String 2 size
Contains the number of characters which includes the end-of-string character

32

2

Unknown

34

…​

String 1
UTF-16 little-endian string with end-of-string character

…​

…​

String 2
UTF-16 little-endian string with end-of-string character

…​

4

0xd

Unknown

…​

16

Class identifier
Contains a GUID

…​

4

Number of properties

…​

…​

Properties array

…​

2

Unknown (empty values)

00000000: 06 20 31 08 03 00 00 00  00 00 00 00 02 00 00 00   . 1..... ........

number of chars in string 1
number of chars in string 2?
00000010: 74 00 00 00 01 00 00 00  0c 00 00 00 52 00 00 00   t....... ....R...
00000020: 00 00 53 00 61 00 6e 00  73 00 61 00 20 00 6d 00   ..S.a.n. s.a. .m.
00000030: 32 00 34 00 30 00 20 00  00 00 5c 00 5c 00 3f 00   2.4.0. . ..\.\.?.
00000040: 5c 00 75 00 73 00 62 00  23 00 76 00 69 00 64 00   \.u.s.b. #.v.i.d.
00000050: 5f 00 30 00 37 00 38 00  31 00 26 00 70 00 69 00   _.0.7.8. 1.&.p.i.
00000060: 64 00 5f 00 37 00 34 00  30 00 30 00 23 00 30 00   d._.7.4. 0.0.#.0.
00000070: 37 00 38 00 31 00 30 00  30 00 35 00 62 00 33 00   7.8.1.0. 0.5.b.3.
00000080: 30 00 30 00 33 00 30 00  34 00 63 00 37 00 23 00   0.0.3.0. 4.c.7.#.
00000090: 7b 00 36 00 61 00 63 00  32 00 37 00 38 00 37 00   {.6.a.c. 2.7.8.7.
000000a0: 38 00 2d 00 61 00 36 00  66 00 61 00 2d 00 34 00   8.-.a.6. f.a.-.4.
000000b0: 31 00 35 00 35 00 2d 00  62 00 61 00 38 00 35 00   1.5.5.-. b.a.8.5.
000000c0: 2d 00 66 00 39 00 38 00  66 00 34 00 39 00 31 00   -.f.9.8. f.4.9.1.
000000d0: 64 00 34 00 66 00 33 00  33 00 7d 00 00 00         d.4.f.3. 3.}.....

000000d0:                                            0d 00   d.4.f.3. 3.}.....
000000e0: 00 00 03 d5 15 0c 17 d0  ce 47 90 16 7b 3f 97 87   ........ .G..{?..
000000f0: 21 cc 02 00 00 00 9a 97  d4 26 43 e6 26 46 9e 2b   !....... .&C.&F.+
00000100: 73 6d c0 c9 2f dc 0c 00  00 00 1f 00 00 00 18 00   sm../... ........
00000110: 00 00 53 00 61 00 6e 00  73 00 61 00 20 00 6d 00   ..S.a.n. s.a. .m.
00000120: 32 00 34 00 30 00 20 00  00 00 93 2d 05 8f ca ab   2.4.0. . ...-....
00000130: c5 4f a5 ac b0 1d f4 db  e5 98 02 00 00 00 48 00   .O...... ......H.
00000140: 00 00 6b 46 ea 08 a4 e3  36 43 a1 f3 a4 4d 2b 5c   ..kF.... 6C...M+\
00000150: 43 8c 00 00                                        C...

4.6.3. Shell folder: 59031a47-3f72-44a7-89c5-5595fe6b30ee data

Offset Size Value Description

0

4

Seen: 2

Unknown

4

…​

Username?
UTF-16 little-endian string with end-of-string character

…​

8

Unknown (empty values)
4-byte alignment padding?

Seen 12 and 32 bytes in size, where the 12 byte variant appears to be empty.

00000000: 00 00 00 00 00 00 00 00  00 00 00 00               ........ ....

4.6.4. Notes

Data signature

00000000        53 44 0e 00 d5 df  a3 23 00 00 04 00 00 00  |4.SD.....#......|
00000010  00 00 00 00 74 1a 59 5e  96 df d3 48 8d 67 17 33  |....t.Y^...H.g.3|
00000020  bc ee 28 ba 40 d0 13 e4  88 67 22 4c 95 7e 17 5d  |..(.@....g"L.~.]|
00000030  1c 51 3a 34                                       |.Q:4..|
00000036

4.6.5. 0x74 delegate shell item

Could this variant be related?

The 0x74 delegate shell item is variable of size and consists of the following values:

Offset Size Value Description

0

2

The size of the shell item
Includes the 2 bytes of the size itself

2

1

0x74

Class type indicator
Outer or delegating private data?

3

1

Unknown (Empty value)

4

2

Unknown (size?)
Size does not Includes the 2 bytes of the size itself, should map up to the start of the delegate item identifier
Inner or delegated data size?

6

4

"CFSF"
0x46534643

Unknown (signature)

10

2

Sub shell item data size
Value does not includes the 2 bytes of the size itself

Sub shell item

12

1

0x31

Sub class type indicator

13

1

Unknown (empty value)

14

4

File size
What about > 32-bit file sizes?

8

4

Last modification date and time
Contains a FAT date and time in UTC

12

2

File attribute flags
Contains the lower 16-bit part of the file attribute flags.
See section: File attribute flags

14

…​

Primary name
ASCII string with end-of-string character
This value is 16-bit aligned, so it can contain an additional zero byte

…​

2

Unknown (Empty values)
Empty extension block?

Common

…​

16

Delegate item identifier
Contains a GUID
5e591a74-df96-48d3-8d67-1733bcee28ba

…​

16

Item (class) identifier
Contains a GUID

…​

…​

Extension block 0xbeef0004
See section: File entry extension block (0xbeef0004)

4.6.6. Notes

libfwsi_item_copy_from_byte_stream: size                                : 130
libfwsi_item_copy_from_byte_stream: data:
00000000: 74 00 1c 00 43 46 53 46  16 00 31 00 00 00 00 00   t...CFSF ..1.....
00000010: ae 46 24 b1 12 00 41 70  70 44 61 74 61 00 00 00   .F$...Ap pData...
00000020: 74 1a 59 5e 96 df d3 48  8d 67 17 33 bc ee 28 ba   t.Y^...H .g.3..(.
00000030: c5 cd fa df 9f 67 56 41  89 47 c5 c7 6b c0 b6 7f   .....gVA .G..k...
00000040: 40 00 09 00 04 00 ef be  ae 46 24 b1 ae 46 24 b1   @....... .F$..F$.
00000050: 2e 00 00 00 15 9d 02 00  00 00 01 00 00 00 00 00   ........ ........
00000060: 00 00 00 00 00 00 00 00  00 00 ee e3 73 00 41 00   ........ ....s.A.
00000070: 70 00 70 00 44 00 61 00  74 00 61 00 00 00 42 00   p.p.D.a. t.a...B.

4.7. Users property view

4.7.1. Users property view shell item

Seen after root folder shell item pointing to Users Libraries shell folder identifier (031e4825-7b94-4dc3-b131-e946b44c8dd5) or Users shell folder identifier (59031a47-3f72-44a7-89c5-5595fe6b30ee).

The Users property view shell item is variable of size and consists of the following values:

Offset Size Value Description

0

2

The size of the shell item
Includes the 2 bytes of the size itself

2

1

Seen: 0x00

Class type indicator

3

1

Unknown (Empty value)

4

2

Data size
The size of the following data, the extension block sizes not included

6

4

Data signature

10

2

Property store data size
Contains 0 if not present

12

2

Identifier size

If identifier size > 0

14

…​

Identifier data
If size of shell property sheet list size > 0

…​

…​

Property store data
Contains one or more property stores
See: [LIBFWPS]

Common

…​

2

Unknown (Empty values)
Present if shell item contains more data

…​

…​

One or more extension blocks
Seen extension blocks 0xbeef0000 and 0xbeef0019.
See sections: Extension block 0xbeef0000 and Extension block 0xbeef0019

Data signatures
Data signature Size Description

0x10141981

32

Unknown

0x23febbee

16

Know folder identifier
Contains a GUID
For a list of known folder identifiers see: [LIBFWSI-WIKI]

0x3b93afbb

4

Contains a 32-bit value

0xbeebee00

4

Contains a 32-bit value

Format class (or property set) identifiers

The following format class (or property set) identifiers are known to be used. For more information about the property sets and values see: [LIBFWPS]

Identifier Description

b725f130-47ef-101a-a5f1-02608c9eebac

Unknown (Windows Search related?)

Notes

Found in Vista BagMRU

shell item size                     : 259
shell item data:
00000000: 00 00 fd 00 00 ee eb be  ef 00 04 00 01 00 00 00   ........ ........

00000010: 55 00 00 00 31 53 50 53  30 f1 25 b7 ef 47 1a 10   U...1SPS 0.%..G..
00000020: a5 f1 02 60 8c 9e eb ac  39 00 00 00 0a 00 00 00   ...`.... 9.......
00000030: 00 1f 00 00 00 13 00 00  00 44 00 65 00 73 00 6b   ........ .D.e.s.k
00000040: 00 74 00 6f 00 70 00 20  00 42 00 61 00 63 00 6b   .t.o.p.  .B.a.c.k
00000050: 00 67 00 72 00 6f 00 75  00 6e 00 64 00 00 00 00   .g.r.o.u .n.d....
00000060: 00 00 00 00 00 4d 00 00  00 31 53 50 53 87 27 bf   .....M.. .1SPS.'.
00000070: 5c cf 48 08 42 b9 0e ee  5e 5d 42 02 94 31 00 00   \.H.B... ^]B..1..
00000080: 00 19 00 00 00 00 1f 00  00 00 10 00 00 00 74 00   ........ ......t.
00000090: 68 00 65 00 6d 00 65 00  63 00 70 00 6c 00 2e 00   h.e.m.e. c.p.l...
000000a0: 64 00 6c 00 6c 00 2c 00  2d 00 31 00 00 00 00 00   d.l.l.,. -.1.....
000000b0: 00 00 49 00 00 00 31 53  50 53 53 7d ef 0c 64 fa   ..I...1S PSS}..d.
000000c0: d1 11 a2 03 00 00 f8 1f  ed ee 2d 00 00 00 05 00   ........ ..-.....
000000d0: 00 00 00 1f 00 00 00 0e  00 00 00 70 00 61 00 67   ........ ...p.a.g
000000e0: 00 65 00 57 00 61 00 6c  00 6c 00 70 00 61 00 70   .e.W.a.l .l.p.a.p
000000f0: 00 65 00 72 00 00 00 00  00 00 00 00 00 00 00 00   .e.r.... ........
00000100: 00                                                 .

number of characters

shell item type                     : 0x00
shell item flags                    : 0x00
shell item list size                : 253

shell item size                     : 251
libfwsi_item_copy_from_byte_stream: shell item data:
00000000: 00 00 f5 00 00 ee eb be  e7 00 04 00 01 00 00 00   ........ ........

00000010: 4d 00 00 00 31 53 50 53  30 f1 25 b7 ef 47 1a 10   M...1SPS 0.%..G..
00000020: a5 f1 02 60 8c 9e eb ac  31 00 00 00 0a 00 00 00   ...`.... 1.......
00000030: 00 1f 00 00 00 10 00 00  00 43 00 68 00 61 00 6e   ........ .C.h.a.n
00000040: 00 67 00 65 00 20 00 73  00 65 00 74 00 74 00 69   .g.e. .s .e.t.t.i
00000050: 00 6e 00 67 00 73 00 00  00 00 00 00 00            .n.g.s.. .....M..

Variant type
Number of characters

00000050:                                         4d 00 00   .n.g.s.. .....M..
00000060: 00 31 53 50 53 87 27 bf  5c cf 48 08 42 b9 0e ee   .1SPS.'. \.H.B...
00000070: 5e 5d 42 02 94 31 00 00  00 19 00 00 00 00 1f 00   ^]B..1.. ........
00000080: 00 00 0f 00 00 00 77 00  75 00 63 00 6c 00 74 00   ......w. u.c.l.t.
00000090: 75 00 78 00 2e 00 64 00  6c 00 6c 00 2c 00 2d 00   u.x...d. l.l.,.-.
000000a0: 31 00 00 00 00 00 00 00  00 00                     1....... ..I...1S

000000a0:                                49 00 00 00 31 53   1....... ..I...1S
000000b0: 50 53 53 7d ef 0c 64 fa  d1 11 a2 03 00 00 f8 1f   PSS}..d. ........
000000c0: ed ee 2d 00 00 00 05 00  00 00 00 1f 00 00 00 0d   ..-..... ........
000000d0: 00 00 00 70 00 61 00 67  00 65 00 53 00 65 00 74   ...p.a.g .e.S.e.t
000000e0: 00 74 00 69 00 6e 00 67  00 73 00 00 00 00 00 00   .t.i.n.g .s......
000000f0: 00 00 00 00 00 00 00 00  00                        ........ .

shell item type                     : 0x00
shell item flags                    : 0x00
shell item list size                : 245

00000000: 00 00 b1 00 bb af 93 3b  a3 00 04 00 00 00 00 00   .......; ........

00000010: 45 00 00 00 31 53 50 53  30 f1 25 b7 ef 47 1a 10   E...1SPS 0.%..G..
00000020: a5 f1 02 60 8c 9e eb ac  29 00 00 00 0a 00 00 00   ...`.... ).......
00000030: 00 1f 00 00 00 0c 00 00  00 31 00 30 00 2e 00 31   ........ .1.0...1
00000040: 00 30 00 2e 00 31 00 30  00 2e 00 35 00 35 00 00   .0...1.0 ...5.5..
00000050: 00 00 00 00 00 2d 00 00  00 31 53 50 53 3a a4 bd   .....-.. .1SPS:..
00000060: de b3 37 83 43 91 e7 44  98 da 29 95 ab 11 00 00   ..7.C..D ..).....
00000070: 00 03 00 00 00 00 13 00  00 00 00 00 00 00 00 00   ........ ........
00000080: 00 00 2d 00 00 00 31 53  50 53 73 43 e5 0a be 43   ..-...1S PSsC...C
00000090: ad 4f 85 e4 69 dc 86 33  98 6e 11 00 00 00 0b 00   .O..i..3 .n......
000000a0: 00 00 00 0b 00 00 00 ff  ff 00 00 00 00 00 00 00   ........ ........
000000b0: 00 00 00 00 00                                     .....

Related to details list view?
IColumnProvider?
Shell Column information (SHCOLUMNINFO)
Windows System Property key (PROPERTYKEY) or Shell Column identifier (SHCOLUMNID)

Preceded by shell item item type 0x1f flags 0x44
00000000: 00 00 1a 00 ee bb fe 23  00 00 10 00 90 e2 4d 37   .......# ......M7
00000010: 3f 12 65 45 91 64 39 c4  92 5e 46 7b 00 00         ?.eE.d9. .^F{..

Found in Win7 BagMRU
indicates the type?

00000000: 00 00 1a 00 ee bb fe 23  00 00 10 00 7d b1 0d 7b   .......# ....}..{
00000010: d2 9c 93 4a 97 33 46 cc  89 02 2e 7c 00 00         ...J.3F. ...|..*.

known folder id

Specific to win7 shell library (IShellLibrary), e.g. child folders?

class type indicator          : 0x00
unknown0                      : 0x00
data size                     : 963
signature                     : 0x10141981
property store size           : 921
identifier size               : 32
identifier data:
00000000: 00 00 48 40 00 00 00 00  00 00 00 00 00 00 00 00   ..H@.... ........
00000010: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........

4.7.2. Users property view delegate item

The Users property view 0x1f delegate item is variable of size and consists of the following values:

Offset Size Value Description

0

2

The size of the shell item
Includes the 2 bytes of the size itself

2

1

Seen: 0x1f

Class type indicator

3

1

Unknown (Empty value)

4

2

Data size
The size of the following data, the extension block sizes not included

6

4

Data signature

10

2

Property store data size
Contains 0 if not present

12

2

Identifier size

If identifier size > 0

14

…​

Identifier data

If size of shell property sheet list size > 0

…​

…​

Property store data
Contains one or more property stores
See: [LIBFWPS]

Common

…​

2

Unknown (Empty values)

…​

16

Delegate item identifier
Contains a GUID
5e591a74-df96-48d3-8d67-1733bcee28ba

…​

16

Item (class) identifier
Contains a GUID
Present if shell item contains more data

…​

…​

Extension block
Seen extension block 0xbeef0013.
See section: Extension block 0xbeef0013

Shell item from Windows 7 ShellMRU root level

00000000: 1f 00 31 28 d5 df a3 23  23 28 04 00 00 00 00 00   ..1(...# #(......
00000010: 1f 28 00 00 31 53 50 53  05 d5 cd d5 9c 2e 1b 10   .(..1SPS ........
00000020: 93 97 08 00 2b 2c f9 ae  57 27 00 00 12 00 00 00   ....+,.. W'......
00000030: 00 41 00 75 00 74 00 6f  00 4c 00 69 00 73 00 74   .A.u.t.o .L.i.s.t
...
Data signatures
Data signature Size Description

0x23a3dfd5

4

Contains a 32-bit value

5. Unknown shell items

5.1. 0x01 shell item

RealPlayer Cloud related?

Includes shell item size:
00000000  2a 00 01 26 0d 00 00 00  00 01 00 00 00 20 53 00  |*..&......... S.|
00000010  68 00 61 00 72 00 65 00  64 00 20 00 42 00 79 00  |h.a.r.e.d. .B.y.|
00000020  20 00 4d 00 65 00 00 00  00 00 00 00              | .M.e.......|

Includes shell item size:
00000000  2e 00 01 26 0f 00 00 00  00 01 00 00 00 08 4d 00  |...&..........M.|
00000010  79 00 20 00 43 00 6f 00  6c 00 6c 00 65 00 63 00  |y. .C.o.l.l.e.c.|
00000020  74 00 69 00 6f 00 6e 00  73 00 00 00 00 00 00 00  |t.i.o.n.s.......|

5.2. Hyper-V 0x00, 0x01 and 0x02 shell items

Related to Hyper-V?

Includes shell item size:
00000000  30 00 00 00 00 00 73 00  75 00 2d 00 68 00 79 00  |0.....s.u.-.h.y.|
00000010  70 00 65 00 72 00 76 00  30 00 31 00 2e 00 53 00  |p.e.r.v.0.1...S.|
00000020  55 00 2e 00 6c 00 6f 00  63 00 61 00 6c 00 00 00  |U...l.o.c.a.l...|
00000030  00 00                                             |..|

Includes shell item size:
00000000  58 00 01 00 00 00 44 00  3a 00 00 00 00 00 00 00  |X.....D.:.......|
00000010  00 00 00 f0 ff 39 74 00  00 00 00 e0 ab 30 74 00  |.....9t......0t.|
00000020  00 00 08 00 00 00 08 00  00 00 00 00 00 00 00 00  |................|
00000030  00 00 4d 00 6f 00 72 00  65 00 20 00 73 00 74 00  |..M.o.r.e. .s.t.|
00000040  6f 00 72 00 61 00 67 00  65 00 20 00 28 00 44 00  |o.r.a.g.e. .(.D.|
00000050  3a 00 29 00 20 00 00 00  00 00                    |:.). .....|

Includes shell item size:
00000000  54 00 01 00 00 00 43 00  3a 00 00 00 00 00 00 00  |T.....C.:.......|
00000010  00 00 00 f0 af e0 e8 00  00 00 00 70 46 74 e7 00  |...........pFt..|
00000020  00 00 08 00 00 00 08 00  00 00 00 00 00 00 00 00  |................|
00000030  00 00 4c 00 6f 00 63 00  61 00 6c 00 20 00 44 00  |..L.o.c.a.l. .D.|
00000040  69 00 73 00 6b 00 20 00  28 00 43 00 3a 00 29 00  |i.s.k. .(.C.:.).|
00000050  20 00 00 00 00 00                                 | .....|

Includes shell item size:
00000000  3e 00 02 00 00 00 00 00  00 00 00 00 00 00 00 00  |>...............|
00000010  00 00 11 00 00 00 94 4e  0a 94 3c 9f ce 01 fe f6  |.......N..<.....|
00000020  b9 b2 7a 15 d0 01 fe f6  b9 b2 7a 15 d0 01 00 00  |..z.......z.....|
00000030  00 00 75 00 73 00 65 00  72 00 73 00 00 00 00 00  |..u.s.e.r.s.....|

5.3. 0x1f shell item

Includes shell item size:
00000000  55 00 1f 00 2f 00 10 b7  a6 f5 19 00 2f 4c 3a 5c  |U.../......./L:\|
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000030  00 00 00 00 00 74 1a 59  5e 96 df d3 48 8d 67 17  |.....t.Y^...H.g.|
00000040  33 bc ee 28 ba 77 2c fb  f5 2f 0e 16 4a a3 81 3e  |3..(.w,../..J..>|
00000050  56 0c 68 bc 83 00 00                              |V.h....|

Includes shell item size:
00000000  55 00 1f 00 2f 00 10 b7  a6 f5 19 00 2f 4a 3a 5c  |U.../......./J:\|
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000030  00 00 00 00 00 74 1a 59  5e 96 df d3 48 8d 67 17  |.....t.Y^...H.g.|
00000040  33 bc ee 28 ba 77 2c fb  f5 2f 0e 16 4a a3 81 3e  |3..(.w,../..J..>|
00000050  56 0c 68 bc 83 00 00                              |V.h....|

5.4. 0x4c shell item

Seen after shell item 0x2e with CLSID Web Folders

Offset Size Value Description

0

2

The size of the shell item
Includes the 2 bytes of the size itself

2

1

0x4c

Class type indicator

3

1

Unknown

0x50

4

4

Unknown

8

16

Unknown (empty values)
Reserved for a GUID?

24

4

00000000: 4c 50 00 11 42 57 00 00  00 00 00 00 00 00 00 00   LP..BW.. ........
00000010: 00 00 00 00 00 00 10 00  00 00                     ........ ....M.y.

00000010:                                13 00 4d 00 79 00   ........ ....M.y.
00000020: 20 00 57 00 65 00 62 00  20 00 53 00 69 00 74 00    .W.e.b.  .S.i.t.
00000030: 65 00 73 00 20 00 6f 00  6e 00 20 00 4d 00 53 00   e.s. .o. n. .M.S.
00000040: 4e 00

00000040:       00 00

Number of 16-bit characters?
00000040:             17 00 68 00  74 00 74 00 70 00 3a 00   N.....h. t.t.p.:.
00000050: 2f 00 2f 00 77 00 77 00  77 00 2e 00 6d 00 73 00   /./.w.w. w...m.s.
00000060: 6e 00 75 00 73 00 65 00  72 00 73 00 2e 00 63 00   n.u.s.e. r.s...c.
00000070: 6f 00 6d 00

00000070:             00 00 00 00  00 00                     o.m..... ..

5.5. 0x67 shell item

The 0x67 shell item is variable of size and consists of the following values:

Offset Size Value Description

0

2

The size of the shell item
Includes the 2 bytes of the size itself

2

1

0x67

Class type indicator

3

1

Unknown

4

4

Unknown

6

…​

Unknown string UTF-16 little-endian string with end-of-string character

00000000  52 00 67 45 23 01 00 00  36 00 37 00 45 00 46 00  |R.gE#...6.7.E.F.|
00000010  33 00 38 00 38 00 31 00  2d 00 35 00 33 00 35 00  |3.8.8.1.-.5.3.5.|
00000020  36 00 2d 00 34 00 65 00  61 00 35 00 2d 00 38 00  |6.-.4.e.a.5.-.8.|
00000030  43 00 42 00 45 00 2d 00  43 00 43 00 46 00 38 00  |C.B.E.-.C.C.F.8.|
00000040  33 00 42 00 46 00 41 00  36 00 43 00 42 00 34 00  |3.B.F.A.6.C.B.4.|
00000050  00 00                                             |..|
00000054

5.6. 0x76 shell item

The 0x76 shell item is variable of size and consists of the following values:

Offset Size Value Description

0

2

The size of the shell item
Includes the 2 bytes of the size itself

2

1

0x76

Class type indicator

3

1

Unknown (Empty value)

4

2

Unknown

6

4

Unknown

10

…​

00000000: 76 00 6f 00 05 00 00 00  90 00 00 00 00 00 00 00   v.o..... ........
00000010: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
00000020: 01 00 00 00 74 65 73 74  00 00 00 00 74 00 65 00   ....test ....t.e.
00000030: 73 00 74 00 00 00 73 00                            s.t...s.

5.7. 0xff shell item

Seen after shell item 0x71 with CLSID Network Connections

The 0xff shell item is variable of size and consists of the following values:

Offset Size Value Description

0

2

The size of the shell item
Includes the 2 bytes of the size itself

2

1

0xff

Class type indicator

3

1

Unknown

4

4

Unknown

8

4

Unknown
Seen: 0x30fe5eff

12

4

Unknown (empty values)

16

16

Unknown GUID1

32

16

Unknown GUID2

48

4

Unknown

52

4

Unknown

56

4

Unknown

60

4

Unknown

64

4

Unknown

68

4

Unknown (empty values)

72

4

Unknown

76

4

Unknown

80

4

Unknown

84

4

Unknown

88

4

Unknown

92

4

Unknown

96

…​

Unknown (Local Area Connection #)
UTF-16 little-endian string with end-of-string character

…​

…​

Unknown (Description of Network Controller)
UTF-16 little-endian string with end-of-string character

…​

16

Unknown GUID3
Value is the same as that of GUID2

…​

4

Unknown (empty values)

…​

2

Unknown
Seen: 0xffff

6. Extension blocks

If the extension block is variable of size but at minimum consists of:

Offset Size Value Description

0

2

Extension block size
Includes the 2 bytes of the size itself, 0 if the extension block is empty

2

2

Extension version

4

4

Extension signature

8

…​

Extension block data

…​

2

First extension block version offset
The offset is relative from the start of the shell item.

The extension signature seems to always consist of 0xbeef followed by a 16-bit value that indicates the block type.

According to [LOPEZ10] the first extension block version offset value is likely used to determine if the file shell entry item contains the secondary name or not. So likely this value is used for internal validation of the shell item and extension block data.

6.1. Extension block 0xbeef0000

The extension block 0xbeef0000 is 14 or 42 bytes of size and consists of:

Offset Size Value Description

0

2

The size of the data
Includes the 2 bytes of the size itself

2

2

Extension version
Seen: 0

4

4

0xbeef0000

Extension signature

If size == 14

8

4

Unknown

Else if size == 42

8

16

Folder type
Contains a GUID

6.1.1. Notes

Related to CMergedFolder object

Folder type:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderTypes

IShellLibrary data block?

Specific to win7 shell library (IShellLibrary), e.g. child folders?

00000010:                                            2a 00   ...J.3F. ...|..*.
00000020: 00 00 00 00 ef be 00 00  00 20 00 00 00 00 00 00   ........ . ......
00000030: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
00000040: 00 00 01 00 00 00 20 00  2a 00 00 00 00 00 ef be   ...... . *.......
00000050: 7e 47 b3 fb e4 c9 3b 4b  a2 ba d3 f5 d3 cd 46 f9   ~G....;K ......F.
00000060: 82 07 ba 82 7a 5b 69 45  b5 d7 ec 83 08 5f 08 cc   ....z[iE ....._..
82ba0782-5b7a-4569-b5d7-ec83085f08c

00000070: 20 00 2a 00 00 00 00 00  ef be 00 00 00 20 00 00    .*..... ..... ..
00000080: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
00000090: 00 00 00 00 00 00 01 00  00 00 20 00               ........ .. .

empty folder type? Empty unknown GUID?

6.2. Extension block 0xbeef0001

The extension block 0xbeef0001 is 14 bytes of size and consists of:

Offset Size Value Description

0

2

14

The size of the data
Includes the 2 bytes of the size itself

2

2

Seen: 0

Extension version

4

4

0xbeef0001

Extension signature

8

4

Unknown

6.2.1. Notes

Related to CFileUrlStub object. Used for display name?

6.3. Extension block 0xbeef0002

Not seen in the wild but indications that the extension block exists.

Related to CFileUrlStub object. Used for display name?

6.4. Extension block 0xbeef0003

The extension block 0xbeef0003 is 26 bytes of size and consists of:

Offset Size Value Description

0

2

26

Extension size
Includes the 2 bytes of the size itself

2

2

Seen: 0

Extension version

4

4

0xbeef0003

Extension signature

8

16

Shell folder identifier
Contains a GUID
For a list of shell folder identifiers see: [LIBFWSI-WIKI]

24

2

First extension block version offset
The offset is relative from the start of the shell item.

The class identifier seems to indicate which class of shell folders will foll the shell item that has the extension block 0xbeef0003.

6.4.1. Notes

Related to CFSFolder and CFileSysItemString object. Used for junction information?

6.5. File entry extension block (0xbeef0004)

The file entry extension block (0xbeef0004) is variable of size and consists of:

Offset Size Value Description

0

2

Extension size
Includes the 2 bytes of the size itself

2

2

Extension version
3 ⇒ Windows XP or 2003
7 ⇒ Windows Vista (SP0)
8 ⇒ Windows 2008, 7, 8.0
9 ⇒ Windows 8.1, 10

4

4

0xbeef0004

Extension signature

8

4

Creation date and time
Contains a FAT date and time in UTC

12

4

Last access date and time
Contains a FAT date and time in UTC

16

2

Unknown (version or identifier?)
0x14 ⇒ Windows XP or 2003
0x26 ⇒ Windows Vista (SP0)
0x2a ⇒ Windows 2008, 7, 8.0
0x2e ⇒ Windows 8.1, 10

If extension version >= 7

…​

2

Unknown (empty values)

…​

8

File reference
See section: NTFS file reference
Not always a file reference value?

…​

8

Unknown

If extension version >= 3

…​

2

Long string size
Contains the size of long name and localized name or 0 if no localized name is present. For extension version 8 and later it also includes the size of values after this size and before the long name.

If extension version >= 9

…​

4

Unknown (empty values)

If extension version >= 8

…​

4

Unknown

If extension version >= 3

…​

…​

Long name
UTF-16 little-endian string with end-of-string character

If extension version >= 3 and long string size > 0

…​

…​

Localized name
ASCII string with end-of-string character
E.g. @shell32.dll,-21781

If extension version >= 7 and long string size > 0

…​

…​

Localized name
UTF-16 little-endian string with end-of-string character
E.g. @shell32.dll,-21781

If extension version >= 3

…​

2

First extension block version offset
The offset is relative from the start of the shell item.

6.5.1. NTFS file reference

The NTFS file reference is 8 bytes of size and consists of:

Offset Size Value Description

0

6

MFT entry index

6

2

Sequence number

6.5.2. Notes

Related to CFSFolder and CFileSysItem object.

6.6. Extension block 0xbeef0005

The extension block 0xbeef0005 is variable of size and consists of:

Offset Size Value Description

0

2

Extension size
Includes the 2 bytes of the size itself

2

2

Extension version
Seen 0x0000

4

4

0xbeef0005

Extension signature

8

16

Unknown (empty values)
Could this be reserved for a GUID?

24

…​

Embedded shell item list

…​

2

First extension block version offset
The offset is relative from the start of the shell item.

6.6.1. Notes

Related to CFindFolder object.

6.7. Extension block 0xbeef0006

The extension block 0xbeef0006 is variable of size and consists of:

Offset Size Value Description

0

2

Extension size
Includes the 2 bytes of the size itself

2

2

Extension version
Seen 0x0000, 0x0027

4

4

0xbeef0006

Extension signature

8

…​

Username
UTF-16 little-endian string with end-of-string character

…​

2

First extension block version offset
The offset is relative from the start of the shell item.

6.7.1. Notes

Related to CFSFolder and CFileSysItem object. Used for personalized name?

6.8. Extension block 0xbeef0008

The extension block 0xbeef0008 is variable of size and consists of:

Offset Size Value Description

0

2

Extension size
Includes the 2 bytes of the size itself

2

2

Extension version
Seen 0x0000

4

4

0xbeef0008

Extension signature

8

8

Unknown

16

8

Deletion time?
Contains a FILETIME

24

520

Original path?
UTF-16 little-endian string with end-of-string character
Unused bytes can contain 0-byte values

544

…​

Recycle bin path?
UTF-16 little-endian string with end-of-string character

…​

…​

File extension?
UTF-16 little-endian string with end-of-string character

…​

…​

Unknown

…​

2

First extension block version offset
The offset is relative from the start of the shell item.

00000050                                 2a 04 00 00 08 00  |G.F.6.....*.....|
00000060  ef be 9c 65 23 07 00 00  00 00 f0 f5 e1 58 21 a1  |...e#........X!.|
00000070  cf 01 43 00 3a 00 5c 00  55 00 73 00 65 00 72 00  |..C.:.\.U.s.e.r.|
...
000000a0  73 00 54 00 72 00 69 00  61 00 67 00 65 00 32 00  |s.T.r.i.a.g.e.2.|
000000b0  00 00 32 00 2e 00 6a 00  70 00 67 00 00 00 00 00  |..2...j.p.g.....|
000000c0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000270  00 00 00 00 00 00 00 00  00 00 43 00 3a 00 5c 00  |..........C.:.\.|
00000280  24 00 52 00 45 00 43 00  59 00 43 00 4c 00 45 00  |$.R.E.C.Y.C.L.E.|
00000290  2e 00 42 00 49 00 4e 00  5c 00 53 00 2d 00 31 00  |..B.I.N.\.S.-.1.|
...
000002f0  31 00 30 00 35 00 5c 00  24 00 52 00 56 00 41 00  |1.0.5.\.$.R.V.A.|
00000300  34 00 47 00 46 00 36 00  00 00 6a 00 70 00 67 00  |4.G.F.6...j.p.g.|
00000310  00 00                                             |................|

00000310        00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000320  00 00                                             |................|

Remnant data the 0x7f values could be pointers?
00000320        10 04 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000330  00 00 00 00 00 00 00 00  00 00 41 00 00 00 00 00  |..........A.....|
00000340  00 00 00 00 01 01 00 00  00 00 08 00 00 00 00 00  |................|
00000350  00 00 00 04 00 00 00 00  00 00 b2 b3 54 6b fc 7f  |............Tk..|
00000360  00 00 00 00 fb 00 00 00  00 00 00 00 00 00 fc 7f  |................|
00000370  00 00 00 04 00 00 00 00  00 00 08 00 00 00 00 00  |................|
00000380  00 00 c0 51 a1 05 00 00  00 00 00 00 00 00 00 00  |...Q............|
00000390  00 00 30 00 00 00 00 00  00 00 00 00 00 00 00 00  |..0.............|
000003a0  00 00 00 00 00 00 00 00  00 00 03 00 00 00 00 00  |................|
000003b0  00 00 00 00 01 01 00 00  00 00 08 00 00 00 00 00  |................|
000003c0  00 00 28 00 00 00 00 00  00 00 b2 b3 54 6b fc 7f  |..(.........Tk..|
000003d0  00 00 00 00 fb 00 00 00  00 00 00 00 00 00 fc 7f  |................|
000003e0  00 00 28 00 00 00 00 00  00 00 08 00 00 00 00 00  |..(.............|
000003f0  00 00 10 f3 85 0c 00 00  00 00 60 9a 64 07 00 00  |..........`.d...|
00000400  00 00 00 00 00 00 00 00  00 00 8f 29 c8 69 fc 7f  |...........).i..|
00000410  00 00 00 00 00 00 00 00  00 00 b2 34 7b 69 fc 7f  |...........4{i..|
00000420  00 00 80 16 5b 00 00 00  00 00 40 2d 95 68 fc 7f  |....[.....@-.h..|
00000430  00 00 00 00 00 00 00 00  00 00 00 98 64 07 00 00  |............d...|
00000440  00 00 00 1c 2c 1f 00 00  00 00 20 5b 84 05 00 00  |....,..... [....|
00000450  00 00 20 a6 9b 05 00 00  00 00 80 00 00 00 00 00  |.. .............|
00000460  00 00 f0 a2 9b 05 00 00  00 00 e3 68 c8 69 fc 7f  |...........h.i..|
00000470  00 00 00 00 00 00 00 00  00 00 02 00 00 00 fc 7f  |................|
00000480  00 00                                             |......|

00000480        18 00                                       |......|

Is this remnant data in the sample?
00000480              00 00                                 |......|

6.8.1. Notes

Related to CBitBucket object.

6.9. Extension block 0xbeef0009

Not seen in the wild but indications that the extension block exists.

Related to CBitBucket object. Used for original path?

6.10. Extension block 0xbeef000a

The extension block 0xbeef000a is 14 bytes of size and consists of:

Offset Size Value Description

0

2

14

Extension size
Includes the 2 bytes of the size itself

2

2

0

Extension version

4

4

0xbeef000a

Extension signature

8

4

Unknown (empty values)

12

2

First extension block version offset
The offset is relative from the start of the shell item.

6.10.1. Notes

Related to CMergedFolder object. Used for source count or sub shell item list?

6.11. Extension block 0xbeef000b

The extension block 0xbeef000b is variable of size and consists of:

Offset Size Value Description

0

2

Extension size
Includes the 2 bytes of the size itself

2

2

Extension version
Seen 0x0005

4

4

0xbeef000b

Extension signature

6

8

Unknown (empty values)
Maybe an empty string array?

8

…​

Unknown (filename?)
UTF-16 little-endian string with end-of-string character
Seen: %windir%\system32\cmd.exe

…​

…​

Unknown (empty values)
Maybe an empty string array or 8-byte alignment padding?

…​

…​

Unknown (filename?)
UTF-16 little-endian string with end-of-string character
Seen: {%GUID%}\cmd.exe

…​

…​

Unknown (empty values)
Maybe an empty string array or 8-byte alignment padding?

…​

8

Unknown
Contains a FILETIME

…​

8

Unknown
Contains a FILETIME

…​

4

Unknown (empty values)

…​

4

Unknown
Seen: 1

…​

4

Unknown (empty values)

…​

…​

Unknown (filename?)
UTF-16 little-endian string with end-of-string character
Seen: {%GUID%}\cmd.exe

…​

…​

Unknown (empty values)
Maybe an empty string array or 4-byte alignment padding?

…​

2

Unknown (empty values)

…​

2

First extension block version offset
The offset is relative from the start of the shell item.

6.12. Extension block 0xbeef000c

Not seen in the wild but indications that the extension block exists.

Related to CControlPanelFolder object. Used for display name/CPL category?

6.13. Extension block 0xbeef000e

The extension block 0xbeef000e is variable of size and consists of:

Offset Size Value Description

0

2

Extension size Includes the 2 bytes of the size itself

2

2

Extension version
Seen 0x0003

4

4

0xbeef000e

Extension signature

6

2

Unknown (number of sub shell items?)
Seen: 0x0002

8

…​

Sub shell item list

…​

2

First extension block version offset
The offset is relative from the start of the shell item.

6.14. Extension block 0xbeef0010

The extension block 0xbeef0010 is variable of size and consists of:

Offset Size Value Description

0

2

Extension size
Includes the 2 bytes of the size itself

2

2

Extension version
Seen 0x0000

4

4

0xbeef0010

Extension signature

8

4

Unknown

00000000  9b 04 00 00 10 00 ef be  01 00 00 00 89 04 00 00  |................|

00000010  85 04 00 00 31 53 50 53  05 d5 cd d5 9c 2e 1b 10  |....1SPS........|
00000020  93 97 08 00 2b 2c f9 ae  21 00 00 00 10 00 00 00  |....+,..!.......|
00000030  00 4b 00 65 00 79 00 3a  00 50 00 49 00 44 00 00  |.K.e.y.:.P.I.D..|
00000040  00 13 00 00 00 64 00 00  00 79 03 00 00 14 00 00  |.....d...y......|
00000050  00 00 43 00 6f 00 6e 00  64 00 69 00 74 00 69 00  |..C.o.n.d.i.t.i.|
00000060  6f 00 6e 00 00 00 42 00  00 00 1e 00 00 00 70 00  |o.n...B.......p.|
00000070  72 00 6f 00 70 00 34 00  32 00 39 00 34 00 39 00  |r.o.p.4.2.9.4.9.|
00000080  36 00 37 00 32 00 39 00  35 00 00 00 00 00 2f 03  |6.7.2.9.5...../.|
00000090  00 00 13 8d 6f 11 1e 10  a5 4f 84 d4 ff 82 79 38  |....o....O....y8|
000000a0  19 35 00 00 00 00 01 00  00 00 0b 00 00 00 89 5c  |.5.............\|
000000b0  f1 52 17 5a e1 48 bb cd  46 a3 f8 9c 7c c2 00 00  |.R.Z.H..F...|...|
000000c0  00 00 e0 5a cf 41 5a f7  06 48 bd 87 59 c7 d9 24  |...Z.AZ..H..Y..$|
000000d0  8e b9 64 00 00 00 0b 00  00 00 1f 00 06 00 00 00  |..d.............|
000000e0  2a 00 2e 00 6a 00 70 00  67 00 00 00 00 00 01 00  |*...j.p.g.......|
000000f0  00 00 00 00 00 89 5c f1  52 17 5a e1 48 bb cd 46  |......\.R.Z.H..F|
00000100  a3 f8 9c 7c c2 00 00 00  00 e0 5a cf 41 5a f7 06  |...|......Z.AZ..|
00000110  48 bd 87 59 c7 d9 24 8e  b9 64 00 00 00 0b 00 00  |H..Y..$..d......|
00000120  00 1f 00 07 00 00 00 2a  00 2e 00 6a 00 70 00 65  |.......*...j.p.e|
00000130  00 67 00 00 00 00 00 01  00 00 00 00 00 00 89 5c  |.g.............\|
00000140  f1 52 17 5a e1 48 bb cd  46 a3 f8 9c 7c c2 00 00  |.R.Z.H..F...|...|
00000150  00 00 e0 5a cf 41 5a f7  06 48 bd 87 59 c7 d9 24  |...Z.AZ..H..Y..$|
00000160  8e b9 64 00 00 00 0b 00  00 00 1f 00 06 00 00 00  |..d.............|
00000170  2a 00 2e 00 62 00 6d 00  70 00 00 00 00 00 01 00  |*...b.m.p.......|
00000180  00 00 00 00 00 89 5c f1  52 17 5a e1 48 bb cd 46  |......\.R.Z.H..F|
00000190  a3 f8 9c 7c c2 00 00 00  00 e0 5a cf 41 5a f7 06  |...|......Z.AZ..|
000001a0  48 bd 87 59 c7 d9 24 8e  b9 64 00 00 00 0b 00 00  |H..Y..$..d......|
000001b0  00 1f 00 06 00 00 00 2a  00 2e 00 64 00 69 00 62  |.......*...d.i.b|
000001c0  00 00 00 00 00 01 00 00  00 00 00 00 89 5c f1 52  |.............\.R|
000001d0  17 5a e1 48 bb cd 46 a3  f8 9c 7c c2 00 00 00 00  |.Z.H..F...|.....|
000001e0  e0 5a cf 41 5a f7 06 48  bd 87 59 c7 d9 24 8e b9  |.Z.AZ..H..Y..$..|
000001f0  64 00 00 00 0b 00 00 00  1f 00 06 00 00 00 2a 00  |d.............*.|
00000200  2e 00 70 00 6e 00 67 00  00 00 00 00 01 00 00 00  |..p.n.g.........|
00000210  00 00 00 89 5c f1 52 17  5a e1 48 bb cd 46 a3 f8  |....\.R.Z.H..F..|
00000220  9c 7c c2 00 00 00 00 e0  5a cf 41 5a f7 06 48 bd  |.|......Z.AZ..H.|
00000230  87 59 c7 d9 24 8e b9 64  00 00 00 0b 00 00 00 1f  |.Y..$..d........|
00000240  00 06 00 00 00 2a 00 2e  00 67 00 69 00 66 00 00  |.....*...g.i.f..|
00000250  00 00 00 01 00 00 00 00  00 00 89 5c f1 52 17 5a  |...........\.R.Z|
00000260  e1 48 bb cd 46 a3 f8 9c  7c c2 00 00 00 00 e0 5a  |.H..F...|......Z|
00000270  cf 41 5a f7 06 48 bd 87  59 c7 d9 24 8e b9 64 00  |.AZ..H..Y..$..d.|
00000280  00 00 0b 00 00 00 1f 00  07 00 00 00 2a 00 2e 00  |............*...|
00000290  6a 00 66 00 69 00 66 00  00 00 00 00 01 00 00 00  |j.f.i.f.........|
000002a0  00 00 00 89 5c f1 52 17  5a e1 48 bb cd 46 a3 f8  |....\.R.Z.H..F..|
000002b0  9c 7c c2 00 00 00 00 e0  5a cf 41 5a f7 06 48 bd  |.|......Z.AZ..H.|
000002c0  87 59 c7 d9 24 8e b9 64  00 00 00 0b 00 00 00 1f  |.Y..$..d........|
000002d0  00 06 00 00 00 2a 00 2e  00 6a 00 70 00 65 00 00  |.....*...j.p.e..|
000002e0  00 00 00 01 00 00 00 00  00 00 89 5c f1 52 17 5a  |...........\.R.Z|
000002f0  e1 48 bb cd 46 a3 f8 9c  7c c2 00 00 00 00 e0 5a  |.H..F...|......Z|
00000300  cf 41 5a f7 06 48 bd 87  59 c7 d9 24 8e b9 64 00  |.AZ..H..Y..$..d.|
00000310  00 00 0b 00 00 00 1f 00  06 00 00 00 2a 00 2e 00  |............*...|
00000320  74 00 69 00 66 00 00 00  00 00 01 00 00 00 00 00  |t.i.f...........|
00000330  00 89 5c f1 52 17 5a e1  48 bb cd 46 a3 f8 9c 7c  |..\.R.Z.H..F...||
00000340  c2 00 00 00 00 e0 5a cf  41 5a f7 06 48 bd 87 59  |......Z.AZ..H..Y|
00000350  c7 d9 24 8e b9 64 00 00  00 0b 00 00 00 1f 00 07  |..$..d..........|
00000360  00 00 00 2a 00 2e 00 74  00 69 00 66 00 66 00 00  |...*...t.i.f.f..|
00000370  00 00 00 01 00 00 00 00  00 00 89 5c f1 52 17 5a  |...........\.R.Z|
00000380  e1 48 bb cd 46 a3 f8 9c  7c c2 00 00 00 00 e0 5a  |.H..F...|......Z|
00000390  cf 41 5a f7 06 48 bd 87  59 c7 d9 24 8e b9 64 00  |.AZ..H..Y..$..d.|
000003a0  00 00 0b 00 00 00 1f 00  06 00 00 00 2a 00 2e 00  |............*...|
000003b0  77 00 64 00 70 00 00 00  00 00 01 00 00 00 00 00  |w.d.p...........|
000003c0  00 00 75 00 00 00 14 00  00 00 00 4b 00 65 00 79  |..u........K.e.y|
000003d0  00 3a 00 46 00 4d 00 54  00 49 00 44 00 00 00 08  |.:.F.M.T.I.D....|
000003e0  00 00 00 4e 00 00 00 7b  00 34 00 31 00 43 00 46  |...N...{.4.1.C.F|
000003f0  00 35 00 41 00 45 00 30  00 2d 00 46 00 37 00 35  |.5.A.E.0.-.F.7.5|
00000400  00 41 00 2d 00 34 00 38  00 30 00 36 00 2d 00 42  |.A.-.4.8.0.6.-.B|
00000410  00 44 00 38 00 37 00 2d  00 35 00 39 00 43 00 37  |.D.8.7.-.5.9.C.7|
00000420  00 44 00 39 00 32 00 34  00 38 00 45 00 42 00 39  |.D.9.2.4.8.E.B.9|
00000430  00 7d 00 00 00 00 00 3f  00 00 00 0a 00 00 00 00  |.}.....?........|
00000440  4e 00 61 00 6d 00 65 00  00 00 08 00 00 00 24 00  |N.a.m.e.......$.|
00000450  00 00 44 00 65 00 73 00  6b 00 74 00 6f 00 70 00  |..D.e.s.k.t.o.p.|
00000460  42 00 61 00 63 00 6b 00  67 00 72 00 6f 00 75 00  |B.a.c.k.g.r.o.u.|
00000470  6e 00 64 00 00 00 1b 00  00 00 0a 00 00 00 00 54  |n.d............T|
00000480  00 79 00 70 00 65 00 00  00                       |.y.p.e..........|

00000480                              13 00 00 00 00 00 00  |.y.p.e..........|

00000490  00 00 00 00 00 00 00 00  00 18 00                 |...........|
0000049b

6.15. Extension block 0xbeef0013

The extension block 0xbeef0013 is 42 bytes of size and consists of:

Offset Size Value Description

0

2

Extension size
Includes the 2 bytes of the size itself

2

2

Extension version
Seen 0x0000

4

4

0xbeef0013

Extension signature

8

4

Unknown (flags?)

12

24

Unknown (Empty values)

36

4

Unknown

40

2

First extension block version offset
The offset is relative from the start of the shell item.

6.16. Extension block 0xbeef0014

The extension block 0xbeef0014 is variable of size and consists of:

Offset Size Value Description

0

2

Extension size
Includes the 2 bytes of the size itself

2

2

0

Extension version

4

4

0xbeef0014

Extension signature

8

16

Class identifier

24

…​

Class data

…​

2

First extension block version offset
The offset is relative from the start of the shell item.

Note
This extension block can likely be used for different class identifiers and that the class data is specific to the class.

The extension block has seen to be used with the CUri class identifier which is the GUID "df2fce13-25ec-45bb-9d4c-cecd47c2430c". The CUri data could be a Vista and/or MSIE 7 specific extension.

6.16.1. CUri class data

Offset Size Value Description

0

4

Data size
Includes the 2 bytes of the size itself

4

8

Unknown (Empty values)

12

4

0x00002b84

Unknown (signature?)

16

12

Unknown (Empty values)

24

…​

Property table

6.16.2. CUri property table

Offset Size Value Description

0

4

Number of properties

4

…​

Array of property entries

6.16.3. CUri property entry

Offset Size Value Description

0

4

Property type

4

4

Property size

8

…​

Property data

6.16.4. CUri property types

Value Identifier Description

0

Uri_PROPERTY_ABSOLUTE_URI

The entire canonicalized URI.

1

Uri_PROPERTY_AUTHORITY

Combination of user name, password, fully qualified domain name, and port number.

2

Uri_PROPERTY_DISPLAY_URI

Combination of protocol scheme, fully qualified domain name, port number, full path, query string, and (optionally) fragment.

3

Uri_PROPERTY_DOMAIN

The private domain name and public suffix (top-level domain).

4

Uri_PROPERTY_EXTENSION

The file name extension.

5

Uri_PROPERTY_FRAGMENT

The fragment (secondary resource, or named anchor identifier).

6

Uri_PROPERTY_HOST

The fully qualified domain name or plain hostname.

7

Uri_PROPERTY_PASSWORD

The password.

8

Uri_PROPERTY_PATH

The path and resource.

9

Uri_PROPERTY_PATH_AND_QUERY

The full path to resource with URI query string.

10

Uri_PROPERTY_QUERY

The query (or search) string.

11

Uri_PROPERTY_RAW_URI

The entire original URI as entered.

12

Uri_PROPERTY_SCHEME_NAME

The protocol scheme name.

13

Uri_PROPERTY_USER_INFO

Combination of the user name and password.

14

Uri_PROPERTY_USER_NAME

The user name.

15

Uri_PROPERTY_HOST_TYPE

The CUri host type.

16

Uri_PROPERTY_PORT

The port number.

17

Uri_PROPERTY_SCHEME

The CUri URL scheme.

18

Uri_PROPERTY_ZONE

The zone.
Not implemented according to [MSDN].

6.16.5. CUri host type

Value Identifier Description

0

Uri_HOST_UNKNOWN

Unrecognized (or future version) format.

1

Uri_HOST_DNS

DNS format.

2

Uri_HOST_IPV4

IPv4 host format.

3

Uri_HOST_IPV6

IPv6 host format.

4

Uri_HOST_IDN

Internationalized Domain Name (IDN) format.

6.16.6. CUri URL schemes

Value Identifier Description

-1

URL_SCHEME_INVALID

An invalid scheme.

0

URL_SCHEME_UNKNOWN

An unknown scheme.

1

URL_SCHEME_FTP

ftp: (File Transfer Protocol)

2

URL_SCHEME_HTTP

http: (Hypertext Transfer Protocol)

3

URL_SCHEME_GOPHER

gopher: (Gopher)

4

URL_SCHEME_MAILTO

mailto: (Mail-to)

5

URL_SCHEME_NEWS

news: (Usenet news)

6

URL_SCHEME_NNTP

nntp: (Network News Transfer Protocol)

7

URL_SCHEME_TELNET

telnet: (Telnet)

8

URL_SCHEME_WAIS

wais: (Wide Area Information Server)

9

URL_SCHEME_FILE

file: (File)

10

URL_SCHEME_MK

mk: (URL moniker)

11

URL_SCHEME_HTTPS

12

URL_SCHEME_SHELL

13

URL_SCHEME_SNEWS

14

URL_SCHEME_LOCAL

15

URL_SCHEME_JAVASCRIPT

16

URL_SCHEME_VBSCRIPT

17

URL_SCHEME_ABOUT

18

URL_SCHEME_RES

19

URL_SCHEME_MSSHELLROOTED

20

URL_SCHEME_MSSHELLIDLIST

21

URL_SCHEME_MSHELP

22

URL_SCHEME_MSSHELLDEVICE

23

URL_SCHEME_WILDCARD

24

URL_SCHEME_SEARCH_MS

25

URL_SCHEME_SEARCH

26

URL_SCHEME_KNOWNFOLDER

TODO

URL_SCHEME_HTTPS
URL HTTPS (https:).
URL_SCHEME_SHELL
Shell (shell:).
URL_SCHEME_SNEWS
NNTP news postings with SSL (snews:).
URL_SCHEME_LOCAL
Local (local:).
URL_SCHEME_JAVASCRIPT
JavaScript (javascript:).
URL_SCHEME_VBSCRIPT
VBScript (vbscript:).
URL_SCHEME_ABOUT
About (about:).
URL_SCHEME_RES
Res (res:).
URL_SCHEME_MSSHELLROOTED
Internet Explorer 6 and later only. Shell-rooted (ms-shell-rooted:)
URL_SCHEME_MSSHELLIDLIST
Internet Explorer 6 and later only. Shell ID-list (ms-shell-idlist:).
URL_SCHEME_MSHELP
Internet Explorer 6 and later only. MSHelp (hcp:).
URL_SCHEME_MSSHELLDEVICE
Not supported.
URL_SCHEME_WILDCARD
Internet Explorer 7 and later only. Wildcard (*:).
URL_SCHEME_SEARCH_MS
Windows Vista and later only. Search-MS (search-ms:).
URL_SCHEME_SEARCH
Windows Vista with SP1 and later only. Search (search:).
URL_SCHEME_KNOWNFOLDER
Windows 7 and later. Known folder (knownfolder:).
URL_SCHEME_MAXVALUE
The highest legitimate value in the enumeration, used for validation purposes.

6.17. Extension block 0xbeef0016

The extension block 0xbeef0016 is variable of size and consists of:

Offset Size Value Description

0

2

Extension size
Includes the 2 bytes of the size itself

2

2

Extension version
Seen 0x0000

4

4

0xbeef0016

Extension signature

6

2

Unknown Seen 0x0002

8

…​

Unknown string?
UTF-16 little-endian string with end-of-string character
Seen: "boy" and "order"

…​

2

First extension block version offset
The offset is relative from the start of the shell item.

6.18. Extension block 0xbeef0017

The extension block 0xbeef0017 is 74 bytes of size and consists of:

Offset Size Value Description

0

2

74

Extension size
Includes the 2 bytes of the size itself

2

2

1

Extension version

4

4

0xbeef0017

Extension signature

8

4

Unknown (Empty values)

12

4

Unknown

16

4

Unknown

20

4

Unknown

24

4

Unknown

28

4

Unknown

32

4

Unknown

36

8

Unknown (Empty values)

44

4

Unknown

48

24

Unknown (Empty values)

72

2

First extension block version offset
The offset is relative from the start of the shell item.

Shell item from Windows 7 BagMRU (Search Home)

00000000: 1f 80 2e 81 43 93 37 1c  49 4a a1 2e 4b 2d 81 0d   ....C.7. IJ..K-..
00000010: 95 6b 46 00 01 00 17 00  ef be 00 00 00 00 01 00   .kF..... ........
00000020: 00 00 02 00 00 80 01 00  00 00 01 00 00 00 02 00   ........ ........
00000030: 00 00 00 00 00 00 00 00  00 00 02 00 00 00 00 00   ........ ........
00000040: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
00000050: 00 00 00 00 00 00 14 00                            ........

6.19. Extension block 0xbeef0019

The extension block 0xbeef0019 is 42 bytes of size and consists of:

Offset Size Value Description

0

2

42

The size of the data
Includes the 2 bytes of the size itself

2

2

0

Extension version

4

4

0xbeef0019

Extension signature

8

16

Folder type identifier
Contains a GUID e.g. Documents Library: fbb3477e-c9e4-4b3b-a2ba-d3f5d3cd46f9

24

16

Unknown
Contains a GUID (related to TopViews?)

40

2

First extension block version offset
The offset is relative from the start of the shell item.

6.19.1. Notes

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderTypes\{0B2BAAEB-0042-4DCA-AA4D-3EE8648D03E5}

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderTypes\{0B2BAAEB-0042-4DCA-AA4D-3EE8648D03E5}\TopViews

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderTypes\{0B2BAAEB-0042-4DCA-AA4D-3EE8648D03E5}\TopViews\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}

6.20. Extension block 0xbeef001a

The extension block 0xbeef001a is variable of size and consists of:

Offset Size Value Description

0

2

Extension size
Includes the 2 bytes of the size itself

2

2

Extension version
Seen 0x0000

4

4

0xbeef001a

Extension signature

8

2

Unknown Seen 0x0002

10

16

File/Document type string? UTF-16 little-endian string with end-of-string character
Seen: "AcroExch.Document"

24

…​

Embedded shell item list

…​

2

First extension block version offset
The offset is relative from the start of the shell item.

6.21. Extension block 0xbeef0021

The extension block 0xbeef021 is variable of size and consists of:

Offset Size Value Description

0

2

Extension size
Includes the 2 bytes of the size itself

2

2

Extension version
Seen 0x0000

4

4

0xbeef0021

Extension signature

8

…​

Property store data
Contains one or more property stores
See: [LIBFWPS]

…​

2

Unknown (empty values)

…​

2

First extension block version offset
The offset is relative from the start of the shell item.

6.22. Extension block 0xbeef0025

The extension block 0xbeef025 is 32 bytes of size and consists of:

Offset Size Value Description

0

2

Extension size
Includes the 2 bytes of the size itself

2

2

Extension version
Seen 0x0000

4

4

0xbeef0025

Extension signature

8

4

Unknown
Seen 0x00000011

12

8

Unknown
Contains a FILETIME

20

8

Unknown
Contains a FILETIME

28

4

First extension block version offset
The offset is relative from the start of the shell item.

7. Windows definitions

7.1. File attribute flags

The file attribute flags consist of the following values:

Value Identifier Description

0x00000001

FILE_ATTRIBUTE_READONLY

Is read-Only

0x00000002

FILE_ATTRIBUTE_HIDDEN

Is hidden

0x00000004

FILE_ATTRIBUTE_SYSTEM

Is a system file or directory

0x00000008

Is a volume label

0x00000010

FILE_ATTRIBUTE_DIRECTORY

Is a directory

0x00000020

FILE_ATTRIBUTE_ARCHIVE

Should be archived

0x00000040

FILE_ATTRIBUTE_DEVICE

Is a device

0x00000080

FILE_ATTRIBUTE_NORMAL

Is normal
None of the other flags should be set

0x00000100

FILE_ATTRIBUTE_TEMPORARY

Is temporary

0x00000200

FILE_ATTRIBUTE_SPARSE_FILE

Is a sparse file

0x00000400

FILE_ATTRIBUTE_REPARSE_POINT

Is a reparse point or symbolic link

0x00000800

FILE_ATTRIBUTE_COMPRESSED

Is compressed

0x00001000

FILE_ATTRIBUTE_OFFLINE

Is offline
The data of the file is stored on an offline storage.

0x00002000

FILE_ATTRIBUTE_NOT_CONTENT_INDEXED

Do not index content
The content of the file or directory should not be indexed by the indexing service.

0x00004000

FILE_ATTRIBUTE_ENCRYPTED

Is encrypted

0x00008000

FILE_ATTRIBUTE_INTEGRITY_STREAM

The directory or user data stream is configured with integrity (only supported on ReFS volumes).

0x00010000

FILE_ATTRIBUTE_VIRTUAL

Is virtual

0x00020000

FILE_ATTRIBUTE_NO_SCRUB_DATA

The user data stream not to be read by the background data integrity scanner (AKA scrubber).

8. Notes

Related to .libary-ms XML files. These files also contain serialized data.

{DF0AD8E0-F91C-4109-AE46-1EAA5CD8AB08} WMEncMonMainPage Class WMEnc.WMEncMonMainPage.1
{DF0AD8E1-F91C-4109-AE46-1EAA5CD8AB08} WMEncMonStatsPage Class WMEnc.WMEncMonStatsPage.1
{DF0AD8E3-F91C-4109-AE46-1EAA5CD8AB08} WMEncMonServerPage Class WMEnc.WMEncMonServerPage.1
{DF0B3D60-548F-101B-8E65-08002B2BD119} PSSupportErrorInfo
{DF0DAEF2-A289-11D1-8697-006008B0E5D2} MDhcp Class Mdhcp.MDhcp.1
{DF2269F4-F7D4-4E83-9D31-D2D43C26EDF1} CR7OptBtnGroup.General
{DF26FD0F-DCAC-4042-883E-29A2712D5348} PSTNConnectService Class Msnpcs.PSTNConnectService.1
{DF2EFCB5-917A-11D3-A49E-00C04F6843FB} AnimTargetDHTMLBehavior Class MsoRun.AnimTargetDHTMLBehavior.1
{DF2FCE13-25EC-45BB-9D4C-CECD47C2430C} CUri
{DF30358B-F480-338E-AC08-92E0ACDA476A} Microsoft.AnalysisServices.MdxScript Microsoft.AnalysisServices.MdxScript
{DF3C5EDD-029A-31A1-BA90-96B6A118E0F0} Microsoft.SqlServer.Replication.TracerToken Microsoft.SqlServer.Replication.TracerToken
{DF5E5E34-AE22-483D-94C3-9DD02FFF231E} Nero Video Controls Property Page
{DF66AFC9-C61D-404A-B535-64FBF91D420F} MessengerNative.UIAutomation.1
{DF712EC6-6ED2-41E2-AE46-A29E9E793485} MixerSource Class uICE.MixerSource.1
{DF7A2782-9F74-4BFE-83AF-C4BCDFE2DD68} CDDBControl2 Class CDDBControlYahoo.CDDBControl2.1
{DF9A1DA0-23C0-101B-B02E-FDFDFDFDFDFD} Adobe Acrobat Document
{DFA22B8E-E68D-11D0-97E4-00C04FC2AD98} SQLOLEDB Enumerator SQLOLEDB Enumerator.1
{DFA699C5-B2C4-4CB7-BBAB-0AA56C566965} Microsoft Clip Organizer MSClipGallery.Application.11
{DFAC1B20-4681-11D1-AA83-00008612DCF1} PureCoverage version of Java VM Event Monitor. ICoverageJavaEventMonitor
{DFBC8609-D77F-3512-98BC-CF3FBCEF034F} Microsoft.SqlServer.Management.Smo.Agent.JobCategory Microsoft.SqlServer.Management.Smo.Agent.JobCategory
{DFC8BDC0-E378-11D0-9B30-0080C7E9FE95} MSDAOSP MSDAOSP.1
{DFCB3BDD-51BE-416D-9E6C-3655EBB2845D} Microsoft.AnalysisServices.DimensionAttribute Microsoft.AnalysisServices.DimensionAttribute
{DFD181E0-5E2F-11CE-A449-00AA004A803D} Microsoft Forms 2.0 ScrollBar Forms.ScrollBar.1
{DFD74844-990B-4410-9DA0-2848EFA85D14} WMPlayer ClipPropPage Class
{DFD888A7-A6B0-3B1B-985E-4CDAB0E4C17D} System.Diagnostics.SymbolStore.SymLanguageVendor System.Diagnostics.SymbolStore.SymLanguageVendor
{DFD8B167-5652-4962-A162-9A227825AFAA} PropLockout Class
{DFE49CFE-CD09-11D2-9643-00C04F79ADF0} Cabview Data Object
{DFEF3E96-F1D4-47CE-A429-2CC8C10DFDB6} CddbID3TagManager Class CDDBControl.CddbID3TagManager.1
{DFEF4B09-1B0A-4529-9775-AC437D6A93B3} HotfixWz Class vmappcfg.HotfixWz.9
{DFF332ED-0C72-416B-B128-5CC5BD888865} Photoshop GalleryThumbnailOptions Photoshop.GalleryThumbnailOptions.9
{DFF44AEC-2370-469D-8A22-DF82448BFF64} VmdbUpdates Class vmdbCOM.VmdbUpdates.9

8.1. Extension blocks/signatures

CPrinterFolder 0xbebadb00

Extension blocks also referred to as hidden id?

Unknown (file entry type indicator?)

Directory: 0x0014 0x0018 0x001a 0x001c

File: 0x001a

8.2. more notes

Related Registry keys

HKLM\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\

HEID_PIDL ID_PIDL

8.3. Notes

Bit values

Offset Size Value Description

0.0 

4 bits

Unknown

0.4

2 bits

Related to KF_CATEGORY?

0.6

2 bits

Unknown

Syntax
Copy

typedef enum _KF_CATEGORY {
  KF_CATEGORY_VIRTUAL   = 1,
  KF_CATEGORY_FIXED     = 2,
  KF_CATEGORY_COMMON    = 3,
  KF_CATEGORY_PERUSER   = 4
} KF_CATEGORY;

Constants

KF_CATEGORY_VIRTUAL

    Virtual folders are not part of the file system, which is to say that they have no path. For example, Control Panel and Printers are virtual folders. A number of features such as folder path and redirection do not apply to this category.
KF_CATEGORY_FIXED

    Fixed file system folders are not managed by the Shell and are usually given a permanent path when the system is installed. For example, the Windows and Program Files folders are fixed folders. A number of features such as redirection do not apply to this category.
KF_CATEGORY_COMMON

    Common folders are those file system folders used for sharing data and settings, accessible by all users of a system. For example, all users share a common Documents folder as well as their per-user Documents folder.
KF_CATEGORY_PERUSER

    Per-user folders are those stored under each user's profile and accessible only by that user. For example, %USERPROFILE%\Pictures. This category of folder usually supports many features including aliasing, redirection and customization.

    Note  The user profile root folder (FOLDERID_Profile) does not support redirection.

8.4. Sort order index

TODO Registry Key: HKEY_CLASSES_ROOT\CLSID\%CLSID% Value: SortOrderIndex

8.5. Known folder identifiers

TODO move to winreg-kb The known folder identifiers can be found in:

HKEY_CLASSES_ROOT\CLSID\{%CLSID%}

E.g. on Windows XP the corresponding class identifier {450d8fba-ad25-11d0-98a8-0800361b1103} Registry key contains the value:

HKEY_CLASSES_ROOT\CLSID\{450d8fba-ad25-11d0-98a8-0800361b1103}\LocalizedString

This value contains:

@%SystemRoot%\system32\SHELL32.dll,-9227

This technique, known as Registry string redirection [MSDN-MUI].

[MSDN-MUI]

Title: Using Registry String Redirection

URL:

http://msdn.microsoft.com/library/dd374120(VS.85).aspx

The value refers to the multi-language user interface (MUI) string resource with identifier 9227 stored in SHELL32.dll. Which, for an English version of SHELL32.dll, corresponds to:

My Documents
9227 => 0x0000240b
resource string node with identifier 0x00000240
sub string 0x0b
Note
The My Computer folder identifier is unique for an installation of Windows.

8.6. The delegate item

CLSID_RegFolder CRegFolder

Related registry key

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\DelegateFolders

Related view interface IShellView

Class identifier (CLSID) Related interface identifier(s) (IID) Related class

CLSID_ControlPanel

CControlPanelFolder

CLSID_Internet

CInternetFolder

CLSID_MyComputer

IID_IShellFolder
IID_IShellFolder2

CDrivesFolder

CLSID_MyDocuments

CLSID_MruLongList

CMruLongList

CLSID_MruPidlList

CMruPidlList

CLSID_NetworkPlaces

CNetRootFolder

CLSID_NetworkRoot

CNetFolder

CLSID_Printers

CPrinterFolder

CLSID_ShellDesktop

CDesktopFolder

CLSID_ShellFSFolder

IID_IFileSystemBindData
IID_IFileSystemBindData2

CFSFolder

CLSID_ShellItem

IID_IShellItem
IID_IShellItem2

CShellItem

What about SID_ names e.g. SID_SShellDesktop

8.8. Class identifiers

Interface identifier (IID) GUID

CLSID_Briefcase

85bbd920-42a0-1069-a2e4-08002b30309d

CLSID_BriefcaseFolder

86747ac0-42a0-1069-a2e6-08002b30309d

CLSID_CCommonShellExtInit

a2ad3100-3b84-1069-a2df-08002b30309d

CLSID_CDocObjectFolder

e7e4bc40-e76a-11ce-a9bb-00aa004ae837

CLSID_CFonts

bd84b380-8ca2-1069-ab1d-08000948f534

CLSID_Clouds

869dada0-42a0-1069-a2e7-08002b30309d

CLSID_CmdFileIcon

57651662-ce3e-11d0-8d77-00c04fc99d61

CLSID_ControlPanel

21ec2020-3aea-1069-a2dd-08002b30309d

CLSID_CShellFrameAuto

20c46560-8491-11cf-960c-0080c7f4ee85

CLSID_CShellHlinkFrame

2c5a8fc0-8401-11cf-a12b-00aa004ae837

CLSID_CSiteMapNode

a61d5780-ba29-11cf-952e-00c04fd705b4

CLSID_CStubBindStatusCallback

2b4f54b1-3d6d-11d0-8258-00c04fd5ae38

CLSID_CURLFolder

3dc7a020-0acd-11cf-a9bb-00aa004ae837

CLSID_ExeDropTarget

86c86720-42a0-1069-a2e8-08002b30309d

CLSID_Internet

871c5380-42a0-1069-a2ea-08002b30309d

CLSID_InternetShortcut

fbf23b40-e3f0-101b-8488-00aa003e56f8

CLSID_MruLongList

53bd6b4e-3780-4693-afc3-7161c2f3ee9c

CLSID_MruPidlList

42aedc87-2188-41fd-b9a3-0c966feabec1

CLSID_MyComputer

20d04fe0-3aea-1069-a2d8-08002b30309d

CLSID_MyDocuments

450d8fba-ad25-11d0-98a8-0800361b1103

CLSID_NetworkDomain

46e06680-4bf0-11d1-83ee-00a0c90dc849

CLSID_NetworkPlaces

208d2c60-3aea-1069-a2d7-08002b30309d

CLSID_NetworkRoot

953d732d-ab45-11d2-84e0-00c04fa31a86

CLSID_NetworkServer

c0542a90-4bf0-11d1-83ee-00a0c90dc849

CLSID_NetworkShare

54a754c0-4bf1-11d1-83ee-00a0c90dc849

CLSID_PifProperties

86f19a00-42a0-1069-a2e9-08002b30309d

CLSID_Printers

2227a280-3aea-1069-a2de-08002b30309d

CLSID_RecycleBin

645ff040-5081-101b-9f08-00aa002f954e

CLSID_RegFolder

0997898b-0713-11d2-a4aa-00c04f8eeb3e

CLSID_ShellCopyHook

217fc9c0-3aea-1069-a2db-08002b30309d

CLSID_ShellDesktop

00021400-0000-0000-c000-000000000046

CLSID_ShellDrvDefExt

5f5295e0-429f-1069-a2e2-08002b30309d

CLSID_ShellFileDefExt

21b22460-3aea-1069-a2dc-08002b30309d

CLSID_ShellFindExt

61e218e0-65d3-101b-9f08-061ceac3d50d

CLSID_ShellFSFolder

f3364ba0-65b9-11ce-a9ba-00aa004ae837

CLSID_ShellItem

9ac9fbe1-e0a2-4ad6-b4ee-e212013ea917

CLSID_ShellNetDefExt

86422020-42a0-1069-a2e5-08002b30309d

CLSID_ShellSearchExt

169a0691-8df9-11d1-a1c4-00c04fd75d13

CLSID_ShellViewerExt

84f26ea0-42a0-1069-a2e3-08002b30309d

CLSID_WebSearchExt

07798131-af23-11d1-9111-00a0c98ba67d

CLSID_FolderMarshalStub

bf50b68e-29b8-4386-ae9c-9734d5117cd5

CLSID_CDocObjectFolder

E7E4BC40-E76A-11CE-A9BB-00AA004AE837

CLSID_CBaseBrowser

A5E46E3A-8849-11D1-9D8C-00C04FC99D61

CLSID_TaskbarList

56FDF344-FD6D-11d0-958A-006097C9A090

CLSID_ShellUIHelper

64AB4BB7-111E-11d1-8F79-00C04FC2FBE1

CLSID_CUrlHistory

3C374A40-BAE4-11CF-BF7D-00AA006946EE

CLSID_CURLSearchHook

CFBFAE00-17A6-11D0-99CB-00C04FD64497

CLSID_CStubBindStatusCallback

2B4F54B1-3D6D-11d0-8258-00C04FD5AE38

CLSID_NSCTree

43A8F463-4222-11d2-B641-006097DF5BD4

CLSID_Mshtml

25336920-03F9-11CF-8FD0-00AA00686F13

CLSID_Internet

871C5380-42A0-1069-A2EA-08002B30309D

CLSID_SHDocVwTypeLib

EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B

CLSID_WebBrowser1

EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B

CLSID_WebBrowser2

8856F961-340A-11D0-A96B-00C04FD705A2

CLSID_ShellDispatchInproc

0A89A860-D7B1-11CE-8350-444553540000

CLSID_InternetShortcut

FBF23B40-E3F0-101B-8488-00AA003E56F8

CLSID_ShellLink

00021401-0000-0000-C000-000000000046

CLSID_SplashScreen

A2B0DD40-CC59-11d0-A3A5-00C04FD706EC

CLSID_HIST

FF393560-C2A7-11CF-BFF4-444553540000

CLSID_CACHE

7BD29E00-76C1-11CF-9DD0-00A0C9034933

CLSID_CACHE2

7BD29E01-76C1-11CF-9DD0-00A0C9034933

CLSID_WinListShellProc

ffdc1a80-d527-11d0-a32c-34af06c10000

CLSID_PanMap

BD84B381-8CA2-1069-AB1D-08000948F534

CLSID_CDFCopyHook

67EA19A0-CCEF-11d0-8024-00C04FD75D13

CLSID_CacheCleaner

9B0EFD60-F7B0-11D0-BAEF-00C04FC308C9

CLSID_OfflineCleaner

8E6E6079-0CB7-11d2-8F10-0000F87ABD16

CLSID_DocFileInfoTip

83799FE0-1F5A-11d1-95C7-00609797EA4F

CLSID_HostProxyISF

4F748358-CD6B-11d0-9816-00C04FD91972

CLSID_DocHostUIHandler

7057e952-bd1b-11d1-8919-00c04fc2c836

CLSID_ToolbarExtBand

E0DD6CAB-2D10-11d2-8F1A-0000F87ABD16

CLSID_ToolbarExtExec

1FBA04EE-3024-11d2-8F1F-0000F87ABD16

CLSID_HistBand

EFA24E62-B078-11d0-89E4-00C04FC9E26E

CLSID_FavBand

EFA24E61-B078-11d0-89E4-00C04FC9E26E

CLSID_ExplorerBand

EFA24E64-B078-11d0-89E4-00C04FC9E26E

CLSID_NSCOC

55136805-B2DE-11D1-B9F2-00A0C98BC547

CLSID_SearchAssistantOC

B45FF030-4447-11D2-85DE-00C04FA35C89

CLSID_TipOfTheDay

4D5C8C25-D075-11d0-B416-00C04FB90376

CLSID_ISFBandOC

131A6951-7F78-11D0-A979-00C04FD705A2

CLSID_SearchAssistant

9461b922-3c5a-11d2-bf8b-00c04fb93661

CLSID_CShellFrameAuto

20C46560-8491-11CF-960C-0080C7F4EE85

CLSID_CShellDataSource

D4903360-44DA-11D0-89E2-00A0C90A90AC

8.9. Interface identifiers

Interface identifier (IID) GUID

IID_IAdviseSink

0000010f-0000-0000-c000-000000000046

IID_ICommDlgBrowser

000214f1-0000-0000-c000-000000000046

IID_IContextMenu

000214e4-0000-0000-c000-000000000046

IID_IContextMenu2

000214f4-0000-0000-c000-000000000046

IID_ICopyHookA

000214ef-0000-0000-c000-000000000046

IID_ICopyHookW

000214fc-0000-0000-c000-000000000046

IID_IDataObject

0000010e-0000-0000-c000-000000000046

IID_IEnumIDList

000214f2-0000-0000-c000-000000000046

IID_IExtractIconA

000214eb-0000-0000-c000-000000000046

IID_IExtractIconW

000214fa-0000-0000-c000-000000000046

IID_IFileViewerA

000214f0-0000-0000-c000-000000000046

IID_IFileViewerSite

000214f3-0000-0000-c000-000000000046

IID_IFileViewerW

000214f8-0000-0000-c000-000000000046

IID_INewShortcutHookA

000214e1-0000-0000-c000-000000000046

IID_INewShortcutHookW

000214f7-0000-0000-c000-000000000046

IID_IPersistFolder

000214ea-0000-0000-c000-000000000046

IID_IShellBrowser

000214e2-0000-0000-c000-000000000046

IID_IShellExecuteHookA

000214f5-0000-0000-c000-000000000046

IID_IShellExecuteHookW

000214fb-0000-0000-c000-000000000046

IID_IShellExtInit

000214e8-0000-0000-c000-000000000046

IID_IShellFolder

000214e6-0000-0000-c000-000000000046

IID_IShellFolder2

93f2f68c-1d1b-11d3-a30e-00c04f79abd1

IID_IShellIcon

000214e5-0000-0000-c000-000000000046

IID_IShellItem

43826d1e-e718-42ee-bc55-a1e261c37bfe

IID_IShellItem2

IID_IShellLinkA

000214ee-0000-0000-c000-000000000046

IID_IShellLinkW

000214f9-0000-0000-c000-000000000046

IID_IShellPropSheetExt

000214e9-0000-0000-c000-000000000046

IID_IShellView

000214e3-0000-0000-c000-000000000046

IID_IShellView2

88e39e80-3578-11cf-ae69-08002b2e1262

8.10. Shell identifiers

Shell Identifier (SID) GUID

SID_IActiveDesktop

f490eb00-1240-11d1-9888-006097deacf9

SID_ICommDlgBrowser

000214f1-0000-0000-c000-000000000046

SID_IContextMenu

000214e4-0000-0000-c000-000000000046

SID_IContextMenu2

000214f4-0000-0000-c000-000000000046

SID_IContextMenu3

bcfce0a0-ec17-11d0-8d10-00a0c90f2719

SID_IDeskBand

eb0fe172-1a3a-11d0-89b3-00a0c90a90ac

SID_IDockingWindow

012dd920-7b26-11d0-8ca9-00a0c92dbfe8

SID_IDockingWindowFrame

47d2657a-7b27-11d0-8ca9-00a0c92dbfe8

SID_IDockingWindowSite

2a342fc2-7b26-11d0-8ca9-00a0c92dbfe8

SID_IEnumExtraSearch

0e700be1-9db6-11d1-a1ce-00c04fd75d13

SID_IEnumIDList

000214f2-0000-0000-c000-000000000046

SID_IExtractIconA

000214eb-0000-0000-c000-000000000046

SID_IExtractIconW

000214fa-0000-0000-c000-000000000046

SID_IFileViewerA

000214f0-0000-0000-c000-000000000046

SID_IFileViewerSite

000214f3-0000-0000-c000-000000000046

SID_IFileViewerW

000214f8-0000-0000-c000-000000000046

SID_IInputObject

68284faa-6a48-11d0-8c78-00c04fd918b4

SID_IInputObjectSite

f1db8392-7331-11d0-8c99-00a0c92dbfe8

SID_INewShortcutHookA

000214e1-0000-0000-c000-000000000046

SID_INewShortcutHookW

000214f7-0000-0000-c000-000000000046

SID_IPersistFolder

000214ea-0000-0000-c000-000000000046

SID_IPersistFolder2

1ac3d9f0-175c-11d1-95be-00609797ea4f

SID_IPropSheetPage

000214f6-0000-0000-c000-000000000046

SID_IQueryInfo

00021500-0000-0000-c000-000000000046

SID_IShellBrowser

000214e2-0000-0000-c000-000000000046

SID_IShellChangeNotify

00000000-0000-0000-0000-000000000000

SID_IShellCopyHookA

000214ef-0000-0000-c000-000000000046

SID_IShellCopyHookW

000214fc-0000-0000-c000-000000000046

SID_IShellDetails

000214ec-0000-0000-c000-000000000046

SID_IShellExecuteHookA

000214f5-0000-0000-c000-000000000046

SID_IShellExecuteHookW

000214fb-0000-0000-c000-000000000046

SID_IShellExtInit

000214e8-0000-0000-c000-000000000046

SID_IShellFolder

000214e6-0000-0000-c000-000000000046

SID_IShellFolder2

b82c5aa8-a41b-11d2-be32-00c04fb93661

SID_IShellIcon

000214e5-0000-0000-c000-000000000046

SID_IShellIconOverlay

7d688a70-c613-11d0-999b-00c04fd655e1

SID_IShellIconOverlayIdentifier

0c6c4200-c589-11d0-999a-00c04fd655e1

SID_IShellLinkA

000214ee-0000-0000-c000-000000000046

SID_IShellLinkW

000214f9-0000-0000-c000-000000000046

SID_IShellPropSheetExt

000214e9-0000-0000-c000-000000000046

SID_IShellView

000214e3-0000-0000-c000-000000000046

SID_IShellView2

88e39e80-3578-11cf-ae69-08002b2e1262

SID_IURLSearchHook

ac60f6a0-0fd9-11d0-99cb-00c04fd64497

8.11. Shell versions

Shell32.dll

Version Distribution Platform

4.0

Windows 95 and Microsoft Windows NT 4.0

4.71

Microsoft Internet Explorer 4.0. See note 1.

4.72

Internet Explorer 4.01 and Windows 98. See note 1.

5.0

Windows 2000 and Windows Millennium Edition (Windows Me). See note 2.

6.0

Windows XP

6.0.1

Windows Vista

6.1

Windows 7

Shlwapi.dll

Version Distribution Platform

4.0

Windows 95 and Microsoft Windows NT 4.0

4.71

Internet Explorer 4.0. See note 1.

4.72

Internet Explorer 4.01 and Windows 98. See note 1.

4.7

Internet Explorer 3.x

5.0

Microsoft Internet Explorer 5 and Windows 98 SE. See note 2.

5.5

Microsoft Internet Explorer 5.5 and Windows Millennium Edition (Windows Me)

6.0

Windows XP and Windows Vista

8.13. Notes

ILRootedBindToRoot

CLSID_MyComputer 20d04fe0-3aea-1069-a2d8-08002b30309d IShellFolder 000214e6-0000-0000-c000-000000000046 CDesktopFolder

IshellFolder:EnumObjects → IEnumIDList

8.14. Shell folder identifiers

Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\DelegateFolders\%GUID%\ Default value

Identifier Description

35786d3c-b075-49b9-88dd-029876e11c01

Portable Devices

9113a02d-00a3-46b9-bc5f-9c04daddd5d7

Enhanced Storage Data Source

b155bdf8-02f0-451e-9a26-ae317cfd7779

nethood delegate folder

Appendix A: References

[HAY04]

Title: MiTeC Registry Analyser

Author(s):

Allan S Hay

Date:

December 2004

URL:

http://mysite.verizon.net/hartsec/files/WRA_Guidance.pdf

[ZHU09]

Title: Using shellbag information to reconstruct user activities

Author(s):

Yuandong Zhu, Pavel Gladyshev, Joshua James

Date:

2009

URL:

http://www.dfrws.org/2009/proceedings/p69-zhu.pdf

[CHAPPEL09]

Title: RegFolder

Author(s):

Geoff Chappel

Date:

August 4, 2009

URL:

http://www.geoffchappell.com/studies/windows/shell/shell32/classes/regfolder.htm

[KHATRI09]

Title: Shell BAG Format Analysis

Author(s):

Yogesh Khatri

Date:

October 7, 2009

URL:

http://42llc.net/index.php?Itemid=39&=&=&option=com_myblog&show=Shell-BAG-Format.html

[LOPEZ10]

Title: LNK Parsing: You’re doing it wrong (II)

Author(s):

Jordi Sánchez López

Date:

August 13, 2010

URL:

http://blog.0x01000000.org/2010/08/13/lnk-parsing-youre-doing-it-wrong-ii/

[LIBFOLE]

Title: Object Linking and Embedding (OLE) definitions

Author(s):

Joachim Metz

Date:

September 2009

URL:

https://googledrive.com/host/0B3fBvzttpiiSaDZmMHFNNDgtNDA/OLE%20Definitions.pdf

[LIBFWSI-WIKI]

Title: Shell Folder Identifiers

URL:

https://code.google.com/p/libfwsi/wiki/ShellFolderIdentifiers

[LIBFWPS]

Title: Windows Property Store format

Author(s):

Joachim Metz

Date:

June 2013

URL:

https://googledrive.com/host/0B3fBvzttpiiSc3VuS1J1QmtEYzA/Windows%20Property%20Store%20format.pdf

[MSDN]

Title: Microsoft Developer Network

URL:

http://msdn.microsoft.com/

[MSDN-CONTROLPANELCATEGORY]

Title: Assigning Control Panel Categories

URL:

http://msdn.microsoft.com/en-us/library/windows/desktop/cc144183(v=vs.85).aspx

[MSDN-DELEGATEITEMID]

Title: DELEGATEITEMID structure

URL:

http://msdn.microsoft.com/en-us/library/windows/desktop/bb773254(v=vs.85).aspx

[MSDN-IURI]

Title: Microsoft Developer Network - IUri Interface

URL:

http://msdn.microsoft.com/en-us/library/ms775038.aspx
http://msdn.microsoft.com/en-us/library/ms775141(v=vs.85).aspx
http://msdn.microsoft.com/en-us/library/ms775140(v=vs.85).aspx
http://msdn.microsoft.com/en-us/library/bb762576(v=vs.85).aspx

[MSDN-ITEMIDLIST]

Title: ITEMIDLIST structure

URL:

http://msdn.microsoft.com/en-us/library/windows/desktop/bb773321(v=vs.85).aspx

[MSDN-PROPERTYKEY]

Title: PROPERTYKEY structure

URL:

http://msdn.microsoft.com/en-us/library/windows/desktop/bb773381(v=vs.85).aspx

[MSDN-SHCOLUMNID]

Title: SHCOLUMNID structure

URL:

http://msdn.microsoft.com/en-us/library/windows/desktop/bb759748(v=vs.85).aspx

[MSDN-SHITEMID]

Title: SHITEMID structure

URL:

http://msdn.microsoft.com/en-us/library/windows/desktop/bb759800(v=vs.85).aspx

[MSDN-SHLNS]

Title: Introduction to the Shell Namespace

URL:

http://msdn.microsoft.com/en-us/library/cc144090%28v=VS.85%29.aspx

[MSDN-SHELLDEV]

Title: Shell and Shlwapi DLL Versions

URL:

http://msdn.microsoft.com/en-us/library/windows/desktop/bb776779(v=vs.85).aspx

[MSDN-SHELLEXT]

Title: Implementing the Basic Folder Object Interfaces

URL:

https://msdn.microsoft.com/en-us/library/windows/desktop/cc144093(v=vs.85).aspx

[MSDN-WP]

Title: Windows Properties

URL:

http://msdn.microsoft.com/en-us/library/dd561977%28v=VS.85%29.aspx

Appendix B: GNU Free Documentation License

Version 1.3, 3 November 2008 Copyright © 2000, 2001, 2002, 2007, 2008 Free Software Foundation, Inc. http://fsf.org/

Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

0. PREAMBLE

The purpose of this License is to make a manual, textbook, or other functional and useful document "free" in the sense of freedom: to assure everyone the effective freedom to copy and redistribute it, with or without modifying it, either commercially or noncommercially. Secondarily, this License preserves for the author and publisher a way to get credit for their work, while not being considered responsible for modifications made by others.

This License is a kind of "copyleft", which means that derivative works of the document must themselves be free in the same sense. It complements the GNU General Public License, which is a copyleft license designed for free software.

We have designed this License in order to use it for manuals for free software, because free software needs free documentation: a free program should come with manuals providing the same freedoms that the software does. But this License is not limited to software manuals; it can be used for any textual work, regardless of subject matter or whether it is published as a printed book. We recommend this License principally for works whose purpose is instruction or reference.

1. APPLICABILITY AND DEFINITIONS

This License applies to any manual or other work, in any medium, that contains a notice placed by the copyright holder saying it can be distributed under the terms of this License. Such a notice grants a world-wide, royalty-free license, unlimited in duration, to use that work under the conditions stated herein. The "Document", below, refers to any such manual or work. Any member of the public is a licensee, and is addressed as "you". You accept the license if you copy, modify or distribute the work in a way requiring permission under copyright law.

A "Modified Version" of the Document means any work containing the Document or a portion of it, either copied verbatim, or with modifications and/or translated into another language.

A "Secondary Section" is a named appendix or a front-matter section of the Document that deals exclusively with the relationship of the publishers or authors of the Document to the Document’s overall subject (or to related matters) and contains nothing that could fall directly within that overall subject. (Thus, if the Document is in part a textbook of mathematics, a Secondary Section may not explain any mathematics.) The relationship could be a matter of historical connection with the subject or with related matters, or of legal, commercial, philosophical, ethical or political position regarding them.

The "Invariant Sections" are certain Secondary Sections whose titles are designated, as being those of Invariant Sections, in the notice that says that the Document is released under this License. If a section does not fit the above definition of Secondary then it is not allowed to be designated as Invariant. The Document may contain zero Invariant Sections. If the Document does not identify any Invariant Sections then there are none.

The "Cover Texts" are certain short passages of text that are listed, as Front-Cover Texts or Back-Cover Texts, in the notice that says that the Document is released under this License. A Front-Cover Text may be at most 5 words, and a Back-Cover Text may be at most 25 words.

A "Transparent" copy of the Document means a machine-readable copy, represented in a format whose specification is available to the general public, that is suitable for revising the document straightforwardly with generic text editors or (for images composed of pixels) generic paint programs or (for drawings) some widely available drawing editor, and that is suitable for input to text formatters or for automatic translation to a variety of formats suitable for input to text formatters. A copy made in an otherwise Transparent file format whose markup, or absence of markup, has been arranged to thwart or discourage subsequent modification by readers is not Transparent. An image format is not Transparent if used for any substantial amount of text. A copy that is not "Transparent" is called "Opaque".

Examples of suitable formats for Transparent copies include plain ASCII without markup, Texinfo input format, LaTeX input format, SGML or XML using a publicly available DTD, and standard-conforming simple HTML, PostScript or PDF designed for human modification. Examples of transparent image formats include PNG, XCF and JPG. Opaque formats include proprietary formats that can be read and edited only by proprietary word processors, SGML or XML for which the DTD and/or processing tools are not generally available, and the machine-generated HTML, PostScript or PDF produced by some word processors for output purposes only.

The "Title Page" means, for a printed book, the title page itself, plus such following pages as are needed to hold, legibly, the material this License requires to appear in the title page. For works in formats which do not have any title page as such, "Title Page" means the text near the most prominent appearance of the work’s title, preceding the beginning of the body of the text.

The "publisher" means any person or entity that distributes copies of the Document to the public.

A section "Entitled XYZ" means a named subunit of the Document whose title either is precisely XYZ or contains XYZ in parentheses following text that translates XYZ in another language. (Here XYZ stands for a specific section name mentioned below, such as "Acknowledgements", "Dedications", "Endorsements", or "History".) To "Preserve the Title" of such a section when you modify the Document means that it remains a section "Entitled XYZ" according to this definition.

The Document may include Warranty Disclaimers next to the notice which states that this License applies to the Document. These Warranty Disclaimers are considered to be included by reference in this License, but only as regards disclaiming warranties: any other implication that these Warranty Disclaimers may have is void and has no effect on the meaning of this License.

2. VERBATIM COPYING

You may copy and distribute the Document in any medium, either commercially or noncommercially, provided that this License, the copyright notices, and the license notice saying this License applies to the Document are reproduced in all copies, and that you add no other conditions whatsoever to those of this License. You may not use technical measures to obstruct or control the reading or further copying of the copies you make or distribute. However, you may accept compensation in exchange for copies. If you distribute a large enough number of copies you must also follow the conditions in section 3.

You may also lend copies, under the same conditions stated above, and you may publicly display copies.

3. COPYING IN QUANTITY

If you publish printed copies (or copies in media that commonly have printed covers) of the Document, numbering more than 100, and the Document’s license notice requires Cover Texts, you must enclose the copies in covers that carry, clearly and legibly, all these Cover Texts: Front-Cover Texts on the front cover, and Back-Cover Texts on the back cover. Both covers must also clearly and legibly identify you as the publisher of these copies. The front cover must present the full title with all words of the title equally prominent and visible. You may add other material on the covers in addition. Copying with changes limited to the covers, as long as they preserve the title of the Document and satisfy these conditions, can be treated as verbatim copying in other respects.

If the required texts for either cover are too voluminous to fit legibly, you should put the first ones listed (as many as fit reasonably) on the actual cover, and continue the rest onto adjacent pages.

If you publish or distribute Opaque copies of the Document numbering more than 100, you must either include a machine-readable Transparent copy along with each Opaque copy, or state in or with each Opaque copy a computer-network location from which the general network-using public has access to download using public-standard network protocols a complete Transparent copy of the Document, free of added material. If you use the latter option, you must take reasonably prudent steps, when you begin distribution of Opaque copies in quantity, to ensure that this Transparent copy will remain thus accessible at the stated location until at least one year after the last time you distribute an Opaque copy (directly or through your agents or retailers) of that edition to the public.

It is requested, but not required, that you contact the authors of the Document well before redistributing any large number of copies, to give them a chance to provide you with an updated version of the Document.

4. MODIFICATIONS

You may copy and distribute a Modified Version of the Document under the conditions of sections 2 and 3 above, provided that you release the Modified Version under precisely this License, with the Modified Version filling the role of the Document, thus licensing distribution and modification of the Modified Version to whoever possesses a copy of it. In addition, you must do these things in the Modified Version:

  1. Use in the Title Page (and on the covers, if any) a title distinct from that of the Document, and from those of previous versions (which should, if there were any, be listed in the History section of the Document). You may use the same title as a previous version if the original publisher of that version gives permission.

  2. List on the Title Page, as authors, one or more persons or entities responsible for authorship of the modifications in the Modified Version, together with at least five of the principal authors of the Document (all of its principal authors, if it has fewer than five), unless they release you from this requirement.

  3. State on the Title page the name of the publisher of the Modified Version, as the publisher.

  4. Preserve all the copyright notices of the Document.

  5. Add an appropriate copyright notice for your modifications adjacent to the other copyright notices.

  6. Include, immediately after the copyright notices, a license notice giving the public permission to use the Modified Version under the terms of this License, in the form shown in the Addendum below.

  7. Preserve in that license notice the full lists of Invariant Sections and required Cover Texts given in the Document’s license notice.

  8. Include an unaltered copy of this License.

  9. Preserve the section Entitled "History", Preserve its Title, and add to it an item stating at least the title, year, new authors, and publisher of the Modified Version as given on the Title Page. If there is no section Entitled "History" in the Document, create one stating the title, year, authors, and publisher of the Document as given on its Title Page, then add an item describing the Modified Version as stated in the previous sentence.

  10. Preserve the network location, if any, given in the Document for public access to a Transparent copy of the Document, and likewise the network locations given in the Document for previous versions it was based on. These may be placed in the "History" section. You may omit a network location for a work that was published at least four years before the Document itself, or if the original publisher of the version it refers to gives permission.

  11. For any section Entitled "Acknowledgements" or "Dedications", Preserve the Title of the section, and preserve in the section all the substance and tone of each of the contributor acknowledgements and/or dedications given therein.

  12. Preserve all the Invariant Sections of the Document, unaltered in their text and in their titles. Section numbers or the equivalent are not considered part of the section titles.

  13. Delete any section Entitled "Endorsements". Such a section may not be included in the Modified Version.

  14. Do not retitle any existing section to be Entitled "Endorsements" or to conflict in title with any Invariant Section.

  15. Preserve any Warranty Disclaimers.

If the Modified Version includes new front-matter sections or appendices that qualify as Secondary Sections and contain no material copied from the Document, you may at your option designate some or all of these sections as invariant. To do this, add their titles to the list of Invariant Sections in the Modified Version’s license notice. These titles must be distinct from any other section titles.

You may add a section Entitled "Endorsements", provided it contains nothing but endorsements of your Modified Version by various parties—for example, statements of peer review or that the text has been approved by an organization as the authoritative definition of a standard.

You may add a passage of up to five words as a Front-Cover Text, and a passage of up to 25 words as a Back-Cover Text, to the end of the list of Cover Texts in the Modified Version. Only one passage of Front-Cover Text and one of Back-Cover Text may be added by (or through arrangements made by) any one entity. If the Document already includes a cover text for the same cover, previously added by you or by arrangement made by the same entity you are acting on behalf of, you may not add another; but you may replace the old one, on explicit permission from the previous publisher that added the old one.

The author(s) and publisher(s) of the Document do not by this License give permission to use their names for publicity for or to assert or imply endorsement of any Modified Version.

5. COMBINING DOCUMENTS

You may combine the Document with other documents released under this License, under the terms defined in section 4 above for modified versions, provided that you include in the combination all of the Invariant Sections of all of the original documents, unmodified, and list them all as Invariant Sections of your combined work in its license notice, and that you preserve all their Warranty Disclaimers.

The combined work need only contain one copy of this License, and multiple identical Invariant Sections may be replaced with a single copy. If there are multiple Invariant Sections with the same name but different contents, make the title of each such section unique by adding at the end of it, in parentheses, the name of the original author or publisher of that section if known, or else a unique number. Make the same adjustment to the section titles in the list of Invariant Sections in the license notice of the combined work.

In the combination, you must combine any sections Entitled "History" in the various original documents, forming one section Entitled "History"; likewise combine any sections Entitled "Acknowledgements", and any sections Entitled "Dedications". You must delete all sections Entitled "Endorsements".

6. COLLECTIONS OF DOCUMENTS

You may make a collection consisting of the Document and other documents released under this License, and replace the individual copies of this License in the various documents with a single copy that is included in the collection, provided that you follow the rules of this License for verbatim copying of each of the documents in all other respects.

You may extract a single document from such a collection, and distribute it individually under this License, provided you insert a copy of this License into the extracted document, and follow this License in all other respects regarding verbatim copying of that document.

7. AGGREGATION WITH INDEPENDENT WORKS

A compilation of the Document or its derivatives with other separate and independent documents or works, in or on a volume of a storage or distribution medium, is called an "aggregate" if the copyright resulting from the compilation is not used to limit the legal rights of the compilation’s users beyond what the individual works permit. When the Document is included in an aggregate, this License does not apply to the other works in the aggregate which are not themselves derivative works of the Document.

If the Cover Text requirement of section 3 is applicable to these copies of the Document, then if the Document is less than one half of the entire aggregate, the Document’s Cover Texts may be placed on covers that bracket the Document within the aggregate, or the electronic equivalent of covers if the Document is in electronic form. Otherwise they must appear on printed covers that bracket the whole aggregate.

8. TRANSLATION

Translation is considered a kind of modification, so you may distribute translations of the Document under the terms of section 4. Replacing Invariant Sections with translations requires special permission from their copyright holders, but you may include translations of some or all Invariant Sections in addition to the original versions of these Invariant Sections. You may include a translation of this License, and all the license notices in the Document, and any Warranty Disclaimers, provided that you also include the original English version of this License and the original versions of those notices and disclaimers. In case of a disagreement between the translation and the original version of this License or a notice or disclaimer, the original version will prevail.

If a section in the Document is Entitled "Acknowledgements", "Dedications", or "History", the requirement (section 4) to Preserve its Title (section 1) will typically require changing the actual title.

9. TERMINATION

You may not copy, modify, sublicense, or distribute the Document except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, or distribute it is void, and will automatically terminate your rights under this License.

However, if you cease all violation of this License, then your license from a particular copyright holder is reinstated (a) provisionally, unless and until the copyright holder explicitly and finally terminates your license, and (b) permanently, if the copyright holder fails to notify you of the violation by some reasonable means prior to 60 days after the cessation.

Moreover, your license from a particular copyright holder is reinstated permanently if the copyright holder notifies you of the violation by some reasonable means, this is the first time you have received notice of violation of this License (for any work) from that copyright holder, and you cure the violation prior to 30 days after your receipt of the notice.

Termination of your rights under this section does not terminate the licenses of parties who have received copies or rights from you under this License. If your rights have been terminated and not permanently reinstated, receipt of a copy of some or all of the same material does not give you any rights to use it.

10. FUTURE REVISIONS OF THIS LICENSE

The Free Software Foundation may publish new, revised versions of the GNU Free Documentation License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. See http://www.gnu.org/copyleft/.

Each version of the License is given a distinguishing version number. If the Document specifies that a particular numbered version of this License "or any later version" applies to it, you have the option of following the terms and conditions either of that specified version or of any later version that has been published (not as a draft) by the Free Software Foundation. If the Document does not specify a version number of this License, you may choose any version ever published (not as a draft) by the Free Software Foundation. If the Document specifies that a proxy can decide which future versions of this License can be used, that proxy’s public statement of acceptance of a version permanently authorizes you to choose that version for the Document.

11. RELICENSING

"Massive Multiauthor Collaboration Site" (or "MMC Site") means any World Wide Web server that publishes copyrightable works and also provides prominent facilities for anybody to edit those works. A public wiki that anybody can edit is an example of such a server. A "Massive Multiauthor Collaboration" (or "MMC") contained in the site means any set of copyrightable works thus published on the MMC site.

"CC-BY-SA" means the Creative Commons Attribution-Share Alike 3.0 license published by Creative Commons Corporation, a not-for-profit corporation with a principal place of business in San Francisco, California, as well as future copyleft versions of that license published by that same organization.

"Incorporate" means to publish or republish a Document, in whole or in part, as part of another Document.

An MMC is "eligible for relicensing" if it is licensed under this License, and if all works that were first published under this License somewhere other than this MMC, and subsequently incorporated in whole or in part into the MMC, (1) had no cover texts or invariant sections, and (2) were thus incorporated prior to November 1, 2008.

The operator of an MMC Site may republish an MMC contained in the site under CC-BY-SA on the same site at any time before August 1, 2009, provided the MMC is eligible for relicensing.