2nd Edition
Copyright 1998-2004 Edward L. Blake
All Rights Reserved
No part of this document may be reproduced in any form, mechanically or digitally, or transmitted or redistributed in any form by any means without the prior written permission from the author, Edward L. Blake. Edward Blake can be contacted through http://www.edwardblake.name/contact
This article is an updated, reformatted, and corrected version of my previous postings on wotsit.org. This article is also better formatted as well.
Disclaimer: Please note that I am not the person, and Im not involved with the one(s), who made the FND format. The information presented here is at most a description of how a FND file looks like and how to read it based on my experimentation and experience.
THE WINDOWS FILE FIND (FND) FORMAT IN PARTIAL DETAIL
It took a while to find some minimal information about the Windows 95/Windows 98 file find format. This shows some of the basics of this file structure. The information presented here could be slightly inaccurate. I was only able to successfully get the basic format of a file which doesn't have its search results saved. The Appendix contains some of the decimal values of a sample FND file, which I used to try to understand the format. (note: In order to use the appendix values, copy and paste them into a fixed width plain text editor without word wrap). Also, Appendix B describes how to use the days specified with the Created\Modified parameters.
Basic Structure for Non-Stored Entry Format (color coded):
|
Header |
32 bytes |
|
Token |
Variable length |
|
Token |
Variable length |
|
Token |
Variable length |
|
. |
|
|
. |
|
|
5 null bytes (Byte value is 0) |
5 bytes |
A usual find-file file (without saving entries, only search by filename) has this structure
Start of Header (Length of each is 1 byte) |
|
|
Offset (not length) |
Description |
|
(0000) 0000h |
Set to 68 |
|
(0001) 0001h |
Set to 70 |
|
(0002) 0002h |
Set to 3 |
|
(0003) 0003h |
Set to Null (0h) |
|
(0004) 0004h |
Flags 0000 0001b (1, 01h) Include subdirectories 0000 1000b (8, 08h) Case Sensitive |
|
(0005) 0005h |
Flags 0000 0001b (1, 01h) Store Entries 0001 0000b (16, 10h) Unknown |
|
(0006) 0006h |
Set to Null (0h) |
|
(0007) 0007h |
Set to Null (0h) |
|
(0008) 0008h |
Reserved (?) set to 255 (FFh) |
|
(0009) 0009h |
Reserved (?) set to 255 (FFh) |
|
(0010) 000Ah |
Reserved (?) set to 16 (10h) |
|
(0011) 000Bh |
Set to Null (0h) |
|
(0012) 000Ch |
32 (20h) |
|
(0013) 000Dh |
Set to Null (0h) |
|
(0014) 000Eh |
Set to Null (0h) |
|
(0015) 000Fh |
Set to Null (0h) |
|
(0016) 0010h |
Number of tokens (both of token types 55 and 48) |
|
(0017) 0011h |
Set to Null (0h) |
|
(0018) 0012h |
Set to Null (0h) |
|
(0019) 0013h |
Set to Null (0h) |
|
(0020) 0014h |
Unknown |
|
(0021) 0015h |
Set to Null (0h) |
|
(0022) 0016h |
Set to Null (0h) |
|
(0023) 0017h |
Set to Null (0h) |
|
(0024) 0018h |
Reserved? Set to 255 (FFh) |
|
(0025) 0019h |
Reserved? Set to 255 (FFh) |
|
(0026) 001Ah |
Reserved? Set to 255 (FFh) |
|
(0027) 001Bh |
Reserved? Set to 255 (FFh) |
|
(0028) 001Ch |
IconState (Icon View) 01h Large Icons 02h Small Icons 03h Listing 04h Details |
|
(0029) 001Dh |
Set to Null (0h) |
|
(0030) 001Eh |
Set to Null (0h) |
|
(0031) 001Fh |
Set to Null (0h) |
End of Header, Start of section(s) |
|
|
Length (not offset!) |
Description |
|
1 byte |
Set to 16 (10h), Signature for filename to be searched |
|
1 byte |
Set to 55 (37h) |
|
1 byte |
Length of string including null (ASCIIZ) |
|
1 byte |
Set to Null (0h) |
|
variable |
Searched filename string |
|
1 byte |
Set to Null (completes ASCIIZ for search string!) |
|
1 byte |
Set to 2 (2h), Signature for folder to searched |
|
1 byte |
Set to 48 (30h) |
|
1 byte |
Length of string including null (ASCIIZ) |
|
1 byte |
Set to Null (0h) |
|
variable |
Searched folder string |
|
1 byte |
Set to Null (completes ASCIIZ for search string!) |
|
One or more sections follow afterwards with this format: |
|
|
1 byte |
Flag\Section Type 00010001b (17, 11h) Unknown 00100000b (32, 20h) Search by OLE registered file formats 00100001b (33, 21h) Text string is to be searched within file 00100010b (34, 22h) File size 00110101b (53, 35h) Created\Modified previous X days 00110111b (55, 37h) Created\Modified previous X months 00111001b (57, 39h) Created\Modified between X and Y (X) 00111010b (58, 39h) Created\Modified between X and Y (Y) |
|
1 byte |
Set to 55 (37h) |
|
1 byte |
Length of string or parameters including null (ASCIIZ) |
|
1 byte |
Set to Null (0h) |
|
variable |
Parameter or string of text. If the flags 3 bytes back were set to:
33 this will be a string to be searched within the files being searched.
32 this will contain the full human-readable name of the OLE registered file format name.
34 this will contain a string of a number. The first number tells if the size is to at least (1) or at most (2). Followed by a space, then the rest of the numbers is the size in bytes to be searched. (example: at least 2k will be encoded as 1 2048
53 this will simply contain a string of the number of days.
55 this will simply contain a string of the number of months.
57 this will simply contain a string of the number of days since May 16, 1972 (Im just as confused as you are on why this date). See Appendix B to see how to convert this into something useful in a high level language.
58 this will simply contain a string of the number of days since May 16, 1972. See Appendix B to see how to convert this into something useful in a high level language.
17 the parameter will only be one byte which will be either 48 or 49 based on either including subfolders is set or not. The value 49 means that subfolders will not be searched.
|
|
1 byte |
Set to Null (completes the ASCIIZ string\parameter) |
|
1 byte |
Set to Null (0h) |
|
1 byte |
Set to Null (0h) |
|
1 byte |
Set to Null (0h) |
|
1 byte |
Set to Null (0h) |
|
1 byte |
Set to Null (0h) |
This file format structure will depend on what operating system and what language (localization settings) is being used. On a NT file find applet, the file format will have additional sections near the end identical to the beginning, with the exception that the text is encoded in Unicode and the signature string NTFF is attached at the end.
Information on many other file formats
Authors Web Site
http://www.edwardblake.name/contact
APPENDIX A RAW UNDOCUMENTED WORK CONTENT
Copy and paste the following into a non-word wrapping plain text editor with a fixed width font:
Files named winfile (Not include subs) - z2
Files of type AdobeAcrobat named winfile - z3
Files of type AdobeAcrobat named winfile (Not include subs) - z4
Files named winfile with hello within - z5
Files named winfile (with at least 200k) - z6
Files named winfile (with at most 200k) - z7
Files named winfile (created\modified opt 1) - z8
Files named winfile (created\modified opt 2) - z9
Files named winfile (created\modified opt 3) - z10
Files named winfile (created\modified opt 2-10) - z11
Files named winfile (created\modified opt 3-10) - z12
Files named winfile (Case sensitive) - z13
Files named winfile (View as large icons) - z14
Files named Wed (Bitmap Files) - z15
Files named winfile (Stored Entries) - z16
DF