Export (0) Print
Expand All

3.1 Shortcut to a File

This section presents a sample of the Shell Link Binary File Format, consisting of a shortcut to a file with the path "C:\test\a.txt".

The following is the hexadecimal representation of the contents of the shell link.

x0

x1

x2

x3

x4

x5

x6

x7

x8

x9

xA

xB

xC

xD

xE

xF

0000

4C

00

00

00

01

14

02

00

00

00

00

00

C0

00

00

00

0010

00

00

00

46

9B

00

08

00

20

00

00

00

D0

E9

EE

F2

0020

15

15

C9

01

D0

E9

EE

F2

15

15

C9

01

D0

E9

EE

F2

0030

15

15

C9

01

00

00

00

00

00

00

00

00

01

00

00

00

0040

00

00

00

00

00

00

00

00

00

00

00

00

BD

00

14

00

0050

1F

50

E0

4F

D0

20

EA

3A

69

10

A2

D8

08

00

2B

30

0060

30

9D

19

00

2F

43

3A

5C

00

00

00

00

00

00

00

00

0070

00

00

00

00

00

00

00

00

00

00

00

46

00

31

00

00

0080

00

00

00

2C

39

69

A3

10

00

74

65

73

74

00

00

32

0090

00

07

00

04

00

EF

BE

2C

39

65

A3

2C

39

69

A3

26

00A0

00

00

00

03

1E

00

00

00

00

F5

1E

00

00

00

00

00

00B0

00

00

00

00

00

74

00

65

00

73

00

74

00

00

00

14

00C0

00

48

00

32

00

00

00

00

00

2C

39

69

A3

20

00

61

00D0

2E

74

78

74

00

34

00

07

00

04

00

EF

BE

2C

39

69

00E0

A3

2C

39

69

A3

26

00

00

00

2D

6E

00

00

00

00

96

00F0

01

00

00

00

00

00

00

00

00

00

00

61

00

2E

00

74

0100

00

78

00

74

00

00

00

14

00

00

00

3C

00

00

00

1C

0110

00

00

00

01

00

00

00

1C

00

00

00

2D

00

00

00

00

0120

00

00

00

3B

00

00

00

11

00

00

00

03

00

00

00

81

0130

8A

7A

30

10

00

00

00

00

43

3A

5C

74

65

73

74

5C

0140

61

2E

74

78

74

00

00

07

00

2E

00

5C

00

61

00

2E

0150

00

74

00

78

00

74

00

07

00

43

00

3A

00

5C

00

74

0160

00

65

00

73

00

74

00

60

00

00

00

03

00

00

A0

58

0170

00

00

00

00

00

00

00

63

68

72

69

73

2D

78

70

73

0180

00

00

00

00

00

00

00

40

78

C7

94

47

FA

C7

46

B3

0190

56

5C

2D

C6

B6

D1

15

EC

46

CD

7B

22

7F

DD

11

94

01A0

99

00

13

72

16

87

4A

40

78

C7

94

47

FA

C7

46

B3

01B0

56

5C

2D

C6

B6

D1

15

EC

46

CD

7B

22

7F

DD

11

94

01C0

99

00

13

72

16

87

4A

00

00

00

00

HeaderSize: (4 bytes, offset 0x0000), 0x0000004C as required.

LinkCLSID: (16 bytes, offset 0x0004), 00021401-0000-0000-C000-000000000046.

LinkFlags: (4 bytes, offset 0x0014), 0x0008009B means the following LinkFlags (section 2.1.1) are set:

  • HasLinkTargetIDList

  • HasLinkInfo

  • HasRelativePath

  • HasWorkingDir

  • IsUnicode

  • EnableTargetMetadata

FileAttributes: (4 bytes, offset 0x0018), 0x00000020, means the following FileAttributesFlags (section 2.1.2) are set:

  • FILE_ATTRIBUTE_ARCHIVE

CreationTime: (8 bytes, offset 0x001C) FILETIME 9/12/08, 8:27:17PM.

AccessTime: (8 bytes, offset 0x0024) FILETIME 9/12/08, 8:27:17PM.

WriteTime: (8 bytes, offset 0x002C) FILETIME 9/12/08, 8:27:17PM.

FileSize: (4 bytes, offset 0x0034), 0x00000000.

IconIndex: (4 bytes, offset 0x0038), 0x00000000.

ShowCommand: (4 bytes, offset 0x003C), SW_SHOWNORMAL(1).

Hotkey: (2 bytes, offset 0x0040), 0x0000.

Reserved: (2 bytes, offset 0x0042), 0x0000.

Reserved2: (4 bytes, offset 0x0044), 0 x00000000.

Reserved3: (4 bytes, offset 0x0048), 0 x00000000.

Because HasLinkTargetIDList is set, a LinkTargetIDList structure (section 2.2) follows:

  • IDListSize: (2 bytes, offset 0x004C), 0x00BD, the size of IDList.

  • IDList: (189 bytes, offset 0x004E) an IDList structure (section 2.2.1) follows:

    • ItemIDList: (187 bytes, offset 0x004E), ItemID structures (section 2.2.2) follow:

      • ItemIDSize: (2 bytes, offset 0x004E), 0x0014

      • Data: (12 bytes, offset 0x0050), <18 bytes of data> [computer]

      • ItemIDSize: (2 bytes, offset 0x0062), 0x0019

      • Data: (23 bytes, offset 0x0064), <23 bytes of data> [c:]

      • ItemIDSize: (2 bytes, offset 0x007B), 0x0046

      • Data: (68 bytes, offset 0x007D), <68 bytes of data> [test]

      • ItemIDSize: (2 bytes, offset 0x00C1), 0x0048

      • Data: (68 bytes, offset 0x00C3), <70 bytes of data> [a.txt]

    • TerminalID: (2 bytes, offset 0x0109), 0x0000 indicates the end of the IDList.

Because HasLinkInfo is set, a LinkInfo structure (section 2.3) follows:

  • LinkInfoSize: (4 bytes, offset 0x010B), 0x0000003C

  • LinkInfoHeaderSize: (4 bytes, offset 0x010F), 0x0000001C as specified in the LinkInfo structure definition.

  • LinkInfoFlags: (4 bytes, offset 0x0113), 0x00000001 VolumeIDAndLocalBasePath is set.

  • VolumeIDOffset: (4 bytes, offset 0x0117), 0x0000001C, references offset 0x0127.

  • LocalBasePathOffset: (4 bytes, offset 0x011B), 0x0000002D, references the character string "C:\test\a.txt".

  • CommonNetworkRelativeLinkOffset: (4 bytes, offset 0x011F), 0x00000000 indicates CommonNetworkRelativeLink is not present.

  • CommonPathSuffixOffset: (4 bytes, offset 0x0123), 0x0000003B, references offset 0x00000146, the character string "" (empty string).

  • VolumeID: (17 bytes, offset 0x0127), because VolumeIDAndLocalBasePath is set, a VolumeID structure (section 2.3.1) follows:

    • VolumeIDSize: (4 bytes, offset 0x0127), 0x00000011 indicates the size of the VolumeID structure.

    • DriveType: (4 bytes, offset 0x012B), DRIVE_FIXED(3).

    • DriveSerialNumber: (4 bytes, offset 0x012F), 0x307A8A81.

    • VolumeLabelOffset: (4 bytes, offset 0x0133), 0x00000010, indicates that Volume Label Offset Unicode is not specified and references offset 0x0137 where the Volume Label is stored.

    • Data: (1 byte, offset 0x0137), "" an empty character string.

  • LocalBasePath: (14 bytes, offset 0x0138), because VolumeIDAndLocalBasePath is set, the character string "c:\test\a.txt" is present.

  • CommonPathSuffix: (1 byte, offset 0x0146), "" an empty character string.

Because HasRelativePath is set, the RELATIVE_PATH StringData structure (section 2.4) follows:

  • CountCharacters: (2 bytes, offset 0x0147), 0x0007 Unicode characters.

  • String (14 bytes, offset 0x0149), the Unicode string: ".\a.txt".

Because HasWorkingDir is set, the WORKING_DIR StringData structure (section 2.4) follows:

  • CountCharacters: (2 bytes, offset 0x0157), 0x0007 Unicode characters.

  • String (14 bytes, offset 0x0159), the Unicode string: "c:\test".

Extra data section: (100 bytes, offset 0x0167), an ExtraData structure (section 2.5) follows:

  • ExtraDataBlock (96 bytes, offset 0x0167), the TrackerDataBlock structure (section 2.5.10) follows:

    • BlockSize: (4 bytes, offset 0x0167), 0x00000060

    • BlockSignature: (4 bytes, offset 0x016B), 0xA000003, which identifies the TrackerDataBlock structure (section 2.5.10).

    • Length: (4 bytes, offset 0x016F), 0x00000058, the required minimum size of this extra data block.

    • Version: (4 bytes, offset 0x0173), 0x00000000, the required version.

    • MachineID: (16 bytes, offset 0x0177), the character string "chris-xps", with zero fill.

    • Droid: (32 bytes, offset 0x0187), 2 GUID values.

    • DroidBirth: (32 bytes, offset 0x01A7), 2 GUID values.

  • TerminalBlock: (4 bytes, offset 0x01C7), 0x00000000 indicates the end of the extra data section.

Show:
© 2016 Microsoft