Extend pyfwsi to provide support for more shell item types

[lotansery7]

"pyfwsi" it exposes 4 types of shell items: volume, file_entry, network_location and root_folder however it would be beneficial to have support for:

• GUID: Control panel
• Control Panel Category
• Variable: Users property view
• Users property view: Drive letter
• Users Files Folder
• Variable
• Users property view

Is it possible to add support for those shell types as well?

Thanks!

[joachimmetz]

@lotansery7 please share test data that is not copyrighted, given that these "types" you mention vary a lot. Also ShellBags are not the same as Shell Items, however the former uses the latter.

Also what are "Variable" and "Variable: Users property view" ?

See https://github.com/libyal/libfwsi/blob/main/documentation/Windows%20Shell%20Item%20format.asciidoc for the list of observed shell item types

[lotansery7]

In UsrClass.zip you can find examples for:

• GUID: Control panel
• Control Panel Category
• Users property view: Drive letter
• Users Files Folder
• Users property view

In NTUSER_BAGMRU.zip you can find examples for:

• Variable: Users property view
• Users property view

I will try to get an example of "Variable" that I can share.

Thank you!

[joachimmetz]

@lotansery7 what is the origin of these files? S-1-5-21-2734969515-1644526556-1039763013-1001 from one of these seems to be referenced in a text book (hence likely to be copyrighted). Looks like it might originate from https://digitalcorpora.org/corpora/scenarios/2018-lone-wolf-scenario/

[lotansery7]

I took it from regipy repo test files

[joachimmetz]

I took it from regipy repo test files

It might be violating the copyright/license of the original material https://digitalcorpora.org/about-digitalcorpora/terms-of-use/

The NT SID is definitely present on the 2018-lone-wolf-scenario image:

/gpt{09931f21-7faf-44a9-81d8-1e73c14b9eaf}/$Recycle.Bin/S-1-5-21-2734969515-1644526556-1039763013-1001/

And looks like UsrClass.dat came from that image

d8e1aca997c137fa2d14160c6c0f50dd13b0b277e65331de5cd8acca6152ba7a    /gpt{09931f21-7faf-44a9-81d8-1e73c14b9eaf}/Users/jcloudy/AppData/Local/Microsoft/Windows/UsrClass.dat

[lotansery7]

Ok I will create a clean sample then

[joachimmetz]

Ok I will create a clean sample then

thx to be explicit I just need to know what the "types" refer to in terms of https://github.com/libyal/libfwsi/blob/main/documentation/Windows%20Shell%20Item%20format.asciidoc to see if it is already supported but just need to be exposed via the API/Python bindings or if it is a newly observed one

[lotansery7]

In Usrclass_1.zip you can find examples for:

• GUID: Control panel
• Control Panel Category
• Variable: Users property view

In Usrclass_2.zip you can find examples for:

• GUID: Control panel
• Control Panel Category
• Users Files Folder
• Users property view
• Users property view: Drive letter

In Usrclass_3.zip you can find examples for:

• GUID: Control panel
• Control Panel Category
• Users property view
• Variable

Thanks

[joachimmetz]

@lotansery7 thanks much appreciated, I'll have a look as soon as time permits and might ask some follow up questions. Some and other types are supported by the library (https://github.com/libyal/libfwsi/tree/main/libfwsi) just not yet exposed, adding them should be relatively straightforward. I'll see what other types remain.

[joachimmetz]

• GUID: Control panel => Control panel item
  • Looks like this was referred to as Control panel CLSID in an old version of the libfwsi documentation
  • https://github.com/libyal/libfwsi/blob/main/documentation/Windows%20Shell%20Item%20format.asciidoc#38-control-panel-shell-item
  • https://learn.microsoft.com/en-us/windows/win32/shell/controlpanel-canonical-names?redirectedfrom=MSDN
• Control Panel Category
  • https://github.com/libyal/libfwsi/blob/main/documentation/Windows%20Shell%20Item%20format.asciidoc#432-control-panel-category-shell-item
  • https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/cc144183(v=vs.85)

[joachimmetz]

"Variable: Users property view", "Users property view", "Users property view: Drive letter" all appear to be the same shell item type namely https://github.com/libyal/libfwsi/blob/main/documentation/Windows%20Shell%20Item%20format.asciidoc#47-users-property-view which is either stored "regular" or as "delegate item"

[lotansery7]

Thank you so much! But, can I query on these using "pyfwsi"?

[joachimmetz]

But, can I query on these using "pyfwsi"?

not yet, when there is a new release, more research is needed for some of the shell item types (the other tool might be making assumptions that don't correspond to the actual data)

[joachimmetz]

• "Users Files Folder" is likely a file entry shell item with a "Profile" (dffacdc5-679f-4156-8947-c5c76bc0b67f) delegate folder
• "Users property view" is likely a Users property view shell item with a "Search Folder" (04731b67-d933-450a-90e6-4acd2e9408fe) delegate folder
• "Users property view: Drive letter", is likely a volume shell item with a "Removable Drives" (f5fb2c77-0e2f-4a16-a381-3e560c68bc83) delegate folder
• "Variable: Users property view" is likely a Users property view shell item
• Variable is likely a Users property view shell item with a known folder identifier and without properties

[joachimmetz]

@lotansery7 give libfwsi-experimental-20240225 a try. Without actual documentation what these type names actually mean I can only guess.

[lotansery7]

I tried it, now I see that all the shell items are recognized as "item" type and not "volume\file_entry\network_location\root_folder" as before

[joachimmetz]

@lotansery7 what exactly did you try?

[lotansery7]

[joachimmetz]

The following is working for me https://github.com/libyal/winreg-kb/blob/main/scripts/mru.py#L150 check if you have the right version

[lotansery7]

"users_property_view" looks good! thanks But the "control_panel_category" and "control_panel_item" doesn't give me the details:

[lotansery7]

Also "Variable: Users property view" is not recognize: (example from Usrclass_1.zip)

[joachimmetz]

But the "control_panel_category" and "control_panel_item" doesn't give me the details:

Have a closer look there is an "identifier" attribute now that refers to the category or item identifier (also see https://github.com/libyal/libfwsi/blob/main/documentation/Windows%20Shell%20Item%20format.asciidoc#432-control-panel-category-shell-item , https://learn.microsoft.com/en-us/windows/win32/shell/controlpanel-canonical-names?redirectedfrom=MSDN and https://github.com/libyal/libfwsi/blob/main/documentation/Windows%20Shell%20Item%20format.asciidoc#432-control-panel-category-shell-item)

[joachimmetz]

Also "Variable: Users property view" is not recognize: (example from Usrclass_1.zip)

What is "Variable: Users property view"? also see https://github.com/libyal/libfwsi/issues/21#issuecomment-1962337543

This looks like a network location shell item to me

Key path                                : HKEY_CURRENT_USER\SOFTWARE\CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3
Value name                              : 0
Shell item                              : Users Property View
    Property: {0ae54373-43be-4fad-85e4-69dc8633986e}/11 (Unknown)
        Value (0x000b)                      : True
    Property: {b725f130-47ef-101a-a5f1-02608c9eebac}/10 (PKEY_ItemNameDisplay)
        Value (0x001f)                      : vboxsvr
    Property: {debda43a-37b3-4383-91e7-4498da2995ab}/3 (Unknown)
        Value (0x0013)                      : 0

Key path                                : HKEY_CURRENT_USER\SOFTWARE\CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\0
Value name                              : 0
Shell item                              : Network Location
    Network location                        : \\vboxsvr\vagrant

Key path                                : HKEY_CURRENT_USER\SOFTWARE\CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\0
Value name                              : 1
Shell item                              : Network Location
    Network location                        : \\VBOXSVR\vagrant
    Description                         : VirtualBox Shared Folders

Also "absolute path" in your screenshot is relative ?

Looks like the tool is mixing/convoluting IDL and "file system path"

[lotansery7]

Got it about the control panel, now it works good to me! About the "Users Property View", how did you translated it to "vboxsvr"? I see it like this:

[joachimmetz]

You need to parse the property store data, which is another data format.

[lotansery7]

I see, do you have maybe a code to parse it? Thanks in advanced!

[joachimmetz]

Have a look at the script https://github.com/libyal/winreg-kb/blob/main/scripts/mru.py#L150 I mentioned earlier, it uses a WIP project named libfwps

[lotansery7]

Cool I will try, thanks!

[lotansery7]

• "Users Files Folder" is likely a file entry shell item with a "Profile" (dffacdc5-679f-4156-8947-c5c76bc0b67f) delegate folder
• "Users property view" is likely a Users property view shell item with a "Search Folder" (04731b67-d933-450a-90e6-4acd2e9408fe) delegate folder
• "Users property view: Drive letter", is likely a volume shell item with a "Removable Drives" (f5fb2c77-0e2f-4a16-a381-3e560c68bc83) delegate folder
• "Variable: Users property view" is likely a Users property view shell item
• Variable is likely a Users property view shell item with a known folder identifier and without properties

Thanks the parsing of the property store data is working for me now :)

Now I am trying to parse the "Variable" from Usrclass_3.zip but I have no "delegate_folder_identifier" or "property_store_data": Here I can see it:

[joachimmetz]

Not sure what "variable" applies to in this context. Format wise it is comparable to a users property view without a property store and with the pictures known folder identifier. It has no delegate, currently the known folder identifier is not yet exposed to the Python binding.

libfwsi_users_property_view_values_read_data: class type indicator  : 0x00
libfwsi_users_property_view_values_read_data: unknown1          : 0x00
libfwsi_users_property_view_values_read_data: data size         : 26
libfwsi_users_property_view_values_read_data: data signature        : 0x23febbee
libfwsi_users_property_view_values_read_data: property store size   : 0
libfwsi_users_property_view_values_read_data: identifier size       : 16
libfwsi_users_property_view_values_read_data: identifier data:
00000000: 5d 01 dd 0d 6c b0 d5 45  8c 4c f5 97 13 85 46 39   ]...l..E .L....F9

libfwsi_users_property_view_values_read_data: known folder identifier   : {0DDD015D-B06C-45D5-8C4C-F59713854639}
libfwsi_users_property_view_values_read_data: known folder name     : Unknown
libfwsi_users_property_view_values_read_data: property set data:

libfwsi_users_property_view_values_read_data: unknown1 size     : 0

Shell item:
    Item type                           : Users Property View

[lotansery7]

So as far as I understand this shell item can't be parse for now?

[joachimmetz]

So as far as I understand this shell item can't be parse for now?

it is parsed, it just does not contain a property sheet or delegate item. The thing you cannot access at the moment is the known folder identifier.

[lotansery7]

So as far as I understand this shell item can't be parse for now?

it is parsed, it just does not contain a property sheet or delegate item. The thing you cannot access at the moment is the known folder identifier.

Understood, but the known folder identifier is the one I need to be able to translate it to a readable shell item. For now I can just call it "Unknown". There is maybe an estimated time when it will be supported?

[joachimmetz]

There is maybe an estimated time when it will be supported?

When time permits, this is all best effort. The source is open, feel free to change it to your needs.

The issue is that this part of the format is not well understood. Just came across another variant of users properties views with 1060 bytes of "identifier data".

[lotansery7]

Ok, thank you very much!

[joachimmetz]

Pushed a new release, should be an optional know_folder_identifier property now.

[lotansery7]

Works perfect now, thanks!