Microsoft Compound File

From Just Solve the File Format Problem
(Difference between revisions)
Jump to: navigation, search
m
(Programs, libraries, and utilities)
(13 intermediate revisions by 2 users not shown)
Line 6: Line 6:
 
|pronom={{PRONOM|fmt/111}}
 
|pronom={{PRONOM|fmt/111}}
 
}}
 
}}
'''Microsoft Compound File''' is a complex container format used by some versions of Microsoft Office, and other Microsoft applications. It has features similar to those of a [[filesystem]] format.
+
'''Microsoft Compound File''' is a complex container format used by some versions of [[Microsoft Office]], and other Windows-centric applications. It has features similar to those of a [[filesystem]] format.
  
It is also known as '''Compound File Binary File Format''' ('''CFBF''' or '''CFB'''), '''Microsoft Compound Document File Format''', '''OLE Compound Document Format''', '''OLE2 Compound Document Format''', '''Composite Document File''', etc.
+
Its name has many variations, including:
 +
* '''Compound File Binary File Format''' ('''CFBF''' or '''CFB''')
 +
* '''Microsoft Compound Document File Format'''
 +
* '''OLE Compound Document Format'''
 +
* '''OLE2 Compound Document Format'''
 +
* '''Composite Document File'''
 +
* '''DocFile'''
  
 
The format was not publicly documented by Microsoft until 2008.
 
The format was not publicly documented by Microsoft until 2008.
Line 15: Line 21:
  
 
== Identification ==
 
== Identification ==
Files begin with signature bytes <code>D0 CF 11 E0 A1 B1 1A E1</code>.
+
Files begin with signature bytes {{magic|D0 CF 11 E0 A1 B1 1A E1}}.
  
Identifying the specific document format is difficult. This is one of the few formats for which the [[file command]] resorts to a hard-coded identification algorithm (see [https://github.com/file/file/blob/master/src/readcdf.c readcdf.c]).
+
Identifying the specific document type can be difficult. Some, but not all, document types can be identified by the [[CLSID]] field in the "root storage" directory entry. This field is usually located at file offset 512×(1 + {the 32-bit integer at offset 48}) + 80.
 +
 
 +
Some files have a stream named "<code>&lt;U+0005&gt;SummaryInformation</code>" containing metadata, which may include information about the creating application.
 +
 
 +
=== Root storage object CLSIDs ===
 +
The table below lists some of the root storage object CLSIDs that have been observed in this type of file. Use this information at your own risk, as these identifiers can be unreliable.
 +
 
 +
Microsoft's documentation says this about the CLSID field:
 +
 
 +
<blockquote>This field contains an object class GUID. [...] If not [all zeroes], the object class GUID can be used as a parameter to start applications.</blockquote>
 +
 
 +
Although every ''storage object'' (think ''subdirectory'') can have a CLSID, this table is only concerned with the file's ''root'' storage object.
 +
 
 +
Note that the CLSIDs are stored as [[GUID]]s in little-endian binary format, so they have a strange byte order.
 +
 
 +
{| class="wikitable"
 +
! Root storage object CLSID !! Format
 +
|-
 +
|<code>{00000000-0000-0000-0000-000000000000}</code> || Unspecified (could be [[Windows thumbnail cache|Thumbs.db]], [[Visual Studio Solution Options file|SUO]], ...)
 +
|-
 +
|<code>{00020810-0000-0000-c000-000000000046}</code> || [[XLS]]
 +
|-
 +
|<code>{00020820-0000-0000-c000-000000000046}</code> || [[XLS]]
 +
|-
 +
|<code>{00020906-0000-0000-c000-000000000046}</code> || [[DOC]]
 +
|-
 +
|<code>{00020d0b-0000-0000-c000-000000000046}</code> || [[Outlook Item File]]
 +
|-
 +
|<code>{00021201-0000-0000-00c0-000000000046}</code> || [[Microsoft Publisher]]
 +
|-
 +
|<code>{0006f046-0000-0000-c000-000000000046}</code> || [[Outlook Item File]]
 +
|-
 +
|<code>{000c1084-0000-0000-c000-000000000046}</code> || [[Windows Installer|MSI]]
 +
|-
 +
|<code>{1cdd8c7b-81c0-45a0-9fed-04143144cc1e}</code> || [[MAX (3ds Max)]]
 +
|-
 +
|<code>{18b8d021-b4fd-11d0-a97e-00a0c905410d}</code> || [[MIX (PhotoDraw)]]
 +
|-
 +
|<code>{56616700-c154-11ce-8553-00aa00a1f95b}</code> || [[FlashPix]]
 +
|-
 +
|<code>{56616800-c154-11ce-8553-00aa00a1f95b}</code> || [[MIX (PhotoDraw)]] or [[MIX (Picture It!)]]
 +
|-
 +
|<code>{64818d10-4f9b-11cf-86ea-00aa00b929e8}</code> || [[PPT]]
 +
|-
 +
|<code>{c65e63e1-6c0e-11cf-842e-00aa006130ba}</code> || [[Softimage SCN]]
 +
|}
  
 
== Related formats ==
 
== Related formats ==
See [[:Category:Microsoft Compound File]].
+
* [[OLE Property Set]]
 +
 
 +
For formats based on this format, see [[:Category:Microsoft Compound File]].
  
 
== Specifications ==
 
== Specifications ==
* [http://msdn.microsoft.com/en-us/library/dd942138.aspx MSDN: Compound File Binary File Format] → [MS-CFB] PDF
+
* [https://msdn.microsoft.com/en-us/library/dd942138.aspx MSDN: Compound File Binary File Format] → [MS-CFB] PDF
* [http://www.openoffice.org/sc/compdocfileformat.pdf OpenOffice.org's documentation]
+
* [https://www.openoffice.org/sc/compdocfileformat.pdf OpenOffice.org's documentation]
  
 
== Programs, libraries, and utilities ==
 
== Programs, libraries, and utilities ==
Line 33: Line 86:
 
* [https://github.com/unixfreak0037/officeparser officeparser]
 
* [https://github.com/unixfreak0037/officeparser officeparser]
 
* [http://decalage.info/python/oletools python-oletools - python tools to analyze OLE files]
 
* [http://decalage.info/python/oletools python-oletools - python tools to analyze OLE files]
 +
* [https://sourceforge.net/projects/openmcdf/ OpenMCDF]
 +
* [https://poi.apache.org/ Apache POI] - Java API for Microsoft documents
 +
* [https://github.com/renyxa/re-lab Re-lab / OLE Toy]
 +
* [[7-Zip]]
  
 
== Links ==
 
== Links ==
Line 41: Line 98:
 
* [http://blog.avira.com/malicious-office-macros-dead/ Malicious Office macros are not dead]
 
* [http://blog.avira.com/malicious-office-macros-dead/ Malicious Office macros are not dead]
 
* [http://decalage.info/file_formats_security/office MS Office 97-2003 legacy/binary formats security] - article with lots of resources on MS Office formats, including analysis techniques, tools and parsing libraries
 
* [http://decalage.info/file_formats_security/office MS Office 97-2003 legacy/binary formats security] - article with lots of resources on MS Office formats, including analysis techniques, tools and parsing libraries
 
+
* [https://msdn.microsoft.com/en-us/library/aa295067(v=vs.60).aspx MSDN: Providing Summary Information]
== Editors' notes ==
+
TODO: Explain the relationship between Compound File format and the format/technology called '''COM Structured Storage''' (or '''OLE Structured Storage''').
+
  
 
[[Category:Document]]
 
[[Category:Document]]
 
[[Category:Microsoft]]
 
[[Category:Microsoft]]

Revision as of 16:25, 15 January 2019

File Format
Name Microsoft Compound File
Ontology
LoCFDD fdd000380, fdd000392
PRONOM fmt/111

Microsoft Compound File is a complex container format used by some versions of Microsoft Office, and other Windows-centric applications. It has features similar to those of a filesystem format.

Its name has many variations, including:

  • Compound File Binary File Format (CFBF or CFB)
  • Microsoft Compound Document File Format
  • OLE Compound Document Format
  • OLE2 Compound Document Format
  • Composite Document File
  • DocFile

The format was not publicly documented by Microsoft until 2008.

It is (or was?) unofficially known as LAOLA File Format.

Contents

Identification

Files begin with signature bytes D0 CF 11 E0 A1 B1 1A E1.

Identifying the specific document type can be difficult. Some, but not all, document types can be identified by the CLSID field in the "root storage" directory entry. This field is usually located at file offset 512×(1 + {the 32-bit integer at offset 48}) + 80.

Some files have a stream named "<U+0005>SummaryInformation" containing metadata, which may include information about the creating application.

Root storage object CLSIDs

The table below lists some of the root storage object CLSIDs that have been observed in this type of file. Use this information at your own risk, as these identifiers can be unreliable.

Microsoft's documentation says this about the CLSID field:

This field contains an object class GUID. [...] If not [all zeroes], the object class GUID can be used as a parameter to start applications.

Although every storage object (think subdirectory) can have a CLSID, this table is only concerned with the file's root storage object.

Note that the CLSIDs are stored as GUIDs in little-endian binary format, so they have a strange byte order.

Root storage object CLSID Format
{00000000-0000-0000-0000-000000000000} Unspecified (could be Thumbs.db, SUO, ...)
{00020810-0000-0000-c000-000000000046} XLS
{00020820-0000-0000-c000-000000000046} XLS
{00020906-0000-0000-c000-000000000046} DOC
{00020d0b-0000-0000-c000-000000000046} Outlook Item File
{00021201-0000-0000-00c0-000000000046} Microsoft Publisher
{0006f046-0000-0000-c000-000000000046} Outlook Item File
{000c1084-0000-0000-c000-000000000046} MSI
{1cdd8c7b-81c0-45a0-9fed-04143144cc1e} MAX (3ds Max)
{18b8d021-b4fd-11d0-a97e-00a0c905410d} MIX (PhotoDraw)
{56616700-c154-11ce-8553-00aa00a1f95b} FlashPix
{56616800-c154-11ce-8553-00aa00a1f95b} MIX (PhotoDraw) or MIX (Picture It!)
{64818d10-4f9b-11cf-86ea-00aa00b929e8} PPT
{c65e63e1-6c0e-11cf-842e-00aa006130ba} Softimage SCN

Related formats

For formats based on this format, see Category:Microsoft Compound File.

Specifications

Programs, libraries, and utilities

Links

Personal tools
Namespaces

Variants
Actions
Navigation
Toolbox