
9/17/2018 [MS-SHLLINK]: Shortcut to a File

3.1 Shortcut to a File


This section presents a sample of the Shell Link Binary File Format, consisting of a shortcut to a file with the path
"C:\test\a.txt".

The following is the hexadecimal representation of the contents of the shell link.

x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 xA xB xC xD xE xF

0000 4C 00 00 00 01 14 02 00 00 00 00 00 C0 00 00 00

0010 00 00 00 46 9B 00 08 00 20 00 00 00 D0 E9 EE F2

0020 15 15 C9 01 D0 E9 EE F2 15 15 C9 01 D0 E9 EE F2

0030 15 15 C9 01 00 00 00 00 00 00 00 00 01 00 00 00

0040 00 00 00 00 00 00 00 00 00 00 00 00 BD 00 14 00

0050 1F 50 E0 4F D0 20 EA 3A 69 10 A2 D8 08 00 2B 30

0060 30 9D 19 00 2F 43 3A 5C 00 00 00 00 00 00 00 00

0070 00 00 00 00 00 00 00 00 00 00 00 46 00 31 00 00

0080 00 00 00 2C 39 69 A3 10 00 74 65 73 74 00 00 32

0090 00 07 00 04 00 EF BE 2C 39 65 A3 2C 39 69 A3 26

00A0 00 00 00 03 1E 00 00 00 00 F5 1E 00 00 00 00 00

00B0 00 00 00 00 00 74 00 65 00 73 00 74 00 00 00 14

00C0 00 48 00 32 00 00 00 00 00 2C 39 69 A3 20 00 61

00D0 2E 74 78 74 00 34 00 07 00 04 00 EF BE 2C 39 69

00E0 A3 2C 39 69 A3 26 00 00 00 2D 6E 00 00 00 00 96

00F0 01 00 00 00 00 00 00 00 00 00 00 61 00 2E 00 74

0100 00 78 00 74 00 00 00 14 00 00 00 3C 00 00 00 1C

0110 00 00 00 01 00 00 00 1C 00 00 00 2D 00 00 00 00

0120 00 00 00 3B 00 00 00 11 00 00 00 03 00 00 00 81

0130 8A 7A 30 10 00 00 00 00 43 3A 5C 74 65 73 74 5C

0140 61 2E 74 78 74 00 00 07 00 2E 00 5C 00 61 00 2E

0150 00 74 00 78 00 74 00 07 00 43 00 3A 00 5C 00 74

0160 00 65 00 73 00 74 00 60 00 00 00 03 00 00 A0 58

0170 00 00 00 00 00 00 00 63 68 72 69 73 2D 78 70 73

0180 00 00 00 00 00 00 00 40 78 C7 94 47 FA C7 46 B3

0190 56 5C 2D C6 B6 D1 15 EC 46 CD 7B 22 7F DD 11 94

01A0 99 00 13 72 16 87 4A 40 78 C7 94 47 FA C7 46 B3

01B0 56 5C 2D C6 B6 D1 15 EC 46 CD 7B 22 7F DD 11 94

01C0 99 00 13 72 16 87 4A 00 00 00 00

HeaderSize: (4 bytes, offset 0x0000), 0x0000004C as required.

LinkCLSID: (16 bytes, offset 0x0004), 00021401-0000-0000-C000-000000000046.

LinkFlags: (4 bytes, offset 0x0014), 0x0008009B means the following LinkFlags (section 2.1.1) are set:

HasLinkTargetIDList

HasLinkInfo

HasRelativePath

HasWorkingDir

IsUnicode

EnableTargetMetadata

FileAttributes: (4 bytes, offset 0x0018), 0x00000020, means the following FileAttributesFlags (section 2.1.2) are set:

FILE_ATTRIBUTE_ARCHIVE

CreationTime: (8 bytes, offset 0x001C) FILETIME 9/12/08, 8:27:17PM.

AccessTime: (8 bytes, offset 0x0024) FILETIME 9/12/08, 8:27:17PM.

WriteTime: (8 bytes, offset 0x002C) FILETIME 9/12/08, 8:27:17PM.

FileSize: (4 bytes, offset 0x0034), 0x00000000.

IconIndex: (4 bytes, offset 0x0038), 0x00000000.

ShowCommand: (4 bytes, offset 0x003C), SW_SHOWNORMAL(1).

Hotkey: (2 bytes, offset 0x0040), 0x0000.

Reserved: (2 bytes, offset 0x0042), 0x0000.

Reserved2: (4 bytes, offset 0x0044), 0x00000000.

Reserved3: (4 bytes, offset 0x0048), 0x00000000.

Because HasLinkTargetIDList is set, a LinkTargetIDList structure (section 2.2) follows:

IDListSize: (2 bytes, offset 0x004C), 0x00BD, the size of IDList.

IDList: (189 bytes, offset 0x004E) an IDList structure (section 2.2.1) follows:

ItemIDList: (187 bytes, offset 0x004E), ItemID structures (section 2.2.2) follow:

ItemIDSize: (2 bytes, offset 0x004E), 0x0014

Data: (12 bytes, offset 0x0050), <18 bytes of data> [computer]

ItemIDSize: (2 bytes, offset 0x0062), 0x0019

Data: (23 bytes, offset 0x0064), <23 bytes of data> [c:]

ItemIDSize: (2 bytes, offset 0x007B), 0x0046

Data: (68 bytes, offset 0x007D), <68 bytes of data> [test]

ItemIDSize: (2 bytes, offset 0x00C1), 0x0048

Data: (68 bytes, offset 0x00C3), <70 bytes of data> [a.txt]

TerminalID: (2 bytes, offset 0x0109), 0x0000 indicates the end of the IDList.

Because HasLinkInfo is set, a LinkInfo structure (section 2.3) follows:

LinkInfoSize: (4 bytes, offset 0x010B), 0x0000003C

LinkInfoHeaderSize: (4 bytes, offset 0x010F), 0x0000001C as specified in the LinkInfo structure definition.

LinkInfoFlags: (4 bytes, offset 0x0113), 0x00000001 VolumeIDAndLocalBasePath is set.

VolumeIDOffset: (4 bytes, offset 0x0117), 0x0000001C, references offset 0x0127.

LocalBasePathOffset: (4 bytes, offset 0x011B), 0x0000002D, references the character string "C:\test\a.txt".

CommonNetworkRelativeLinkOffset: (4 bytes, offset 0x011F), 0x00000000 indicates
CommonNetworkRelativeLink is not present.

CommonPathSuffixOffset: (4 bytes, offset 0x0123), 0x0000003B, references offset 0x00000146, the character
string "" (empty string).

VolumeID: (17 bytes, offset 0x0127), because VolumeIDAndLocalBasePath is set, a VolumeID structure
(section 2.3.1) follows:

VolumeIDSize: (4 bytes, offset 0x0127), 0x00000011 indicates the size of the VolumeID structure.

DriveType: (4 bytes, offset 0x012B), DRIVE_FIXED(3).

DriveSerialNumber: (4 bytes, offset 0x012F), 0x307A8A81.

VolumeLabelOffset: (4 bytes, offset 0x0133), 0x00000010, indicates that Volume Label Offset Unicode is
not specified and references offset 0x0137 where the Volume Label is stored.

Data: (1 byte, offset 0x0137), "" an empty character string.

LocalBasePath: (14 bytes, offset 0x0138), because VolumeIDAndLocalBasePath is set, the character string
"c:\test\a.txt" is present.

CommonPathSuffix: (1 byte, offset 0x0146), "" an empty character string.

Because HasRelativePath is set, the RELATIVE_PATH StringData structure (section 2.4) follows:

CountCharacters: (2 bytes, offset 0x0147), 0x0007 Unicode characters.

String (14 bytes, offset 0x0149), the Unicode string: ".\a.txt".

Because HasWorkingDir is set, the WORKING_DIR StringData structure (section 2.4) follows:

CountCharacters: (2 bytes, offset 0x0157), 0x0007 Unicode characters.

String (14 bytes, offset 0x0159), the Unicode string: "c:\test".

Extra data section: (100 bytes, offset 0x0167), an ExtraData structure (section 2.5) follows:

ExtraDataBlock (96 bytes, offset 0x0167), the TrackerDataBlock structure (section 2.5.10) follows:

BlockSize: (4 bytes, offset 0x0167), 0x00000060

BlockSignature: (4 bytes, offset 0x016B), 0xA0000003, which identifies the TrackerDataBlock structure
(section 2.5.10).

Length: (4 bytes, offset 0x016F), 0x00000058, the required minimum size of this extra data block.

Version: (4 bytes, offset 0x0173), 0x00000000, the required version.

MachineID: (16 bytes, offset 0x0177), the character string "chris-xps", with zero fill.

Droid: (32 bytes, offset 0x0187), 2 GUID values.

DroidBirth: (32 bytes, offset 0x01A7), 2 GUID values.

TerminalBlock: (4 bytes, offset 0x01C7), 0x00000000 indicates the end of the extra data section.
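
The walk described above, as an added Python example that is not part of the Microsoft document: it checks the header, skips the LinkTargetIDList, reads LocalBasePath and the StringData entries, and pulls MachineID and the file Droid out of the TrackerDataBlock. The name parse_lnk, its dictionary keys and the cp1252 code page are assumptions; LinkFlags names for bits this page does not list come from section 2.1.1 of the specification, and SAMPLE is the hex dump above retyped.

```python
import struct, uuid
from datetime import datetime, timedelta, timezone

# Added example; names are illustrative. SAMPLE: the 459-byte dump above, three rows per line.
SAMPLE = bytes.fromhex("""
4C0000000114020000000000C0000000 000000469B00080020000000D0E9EEF2 1515C901D0E9EEF21515C901D0E9EEF2
1515C901000000000000000001000000 000000000000000000000000BD001400 1F50E04FD020EA3A6910A2D808002B30
309D19002F433A5C0000000000000000 00000000000000000000004600310000 0000002C3969A3100074657374000032
0007000400EFBE2C3965A32C3969A326 000000031E00000000F51E0000000000 00000000007400650073007400000014
0048003200000000002C3969A3200061 2E74787400340007000400EFBE2C3969 A32C3969A3260000002D6E0000000096
010000000000000000000061002E0074 00780074000000140000003C0000001C 000000010000001C0000002D00000000
0000003B000000110000000300000081 8A7A301000000000433A5C746573745C 612E747874000007002E005C0061002E
00740078007400070043003A005C0074 0065007300740060000000030000A058 0000000000000063687269732D787073
000000000000004078C79447FAC746B3 565C2DC6B6D115EC46CD7B227FDD1194 9900137216874A4078C79447FAC746B3
565C2DC6B6D115EC46CD7B227FDD1194 9900137216874A00000000""")
LINK_FLAGS = """HasLinkTargetIDList HasLinkInfo HasName HasRelativePath HasWorkingDir HasArguments
HasIconLocation IsUnicode ForceNoLinkInfo HasExpString RunInSeparateProcess Unused1 HasDarwinID
RunAsUser HasExpIcon NoPidlAlias Unused2 RunWithShimLayer ForceNoLinkTrack EnableTargetMetadata""".split()

def parse_lnk(buf):
    size, clsid, flags, _attrs, ft = struct.unpack_from("<I16sIIQ", buf, 0)
    if size != 0x4C or clsid != bytes.fromhex("0114020000000000C000000000000046"):
        raise ValueError("not a shell link header")
    out = {"flags": [n for i, n in enumerate(LINK_FLAGS) if flags >> i & 1],  # FILETIME: 100 ns ticks
           "created": datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)}
    pos = 0x4C
    if flags & 0x01:                       # LinkTargetIDList: IDListSize, then the IDList
        pos += 2 + struct.unpack_from("<H", buf, pos)[0]
    if flags & 0x02:                       # LinkInfo: offsets count from the structure's start
        li_size, _, li_flags, _, path_off = struct.unpack_from("<5I", buf, pos)
        s = pos + path_off
        if li_flags & 1:                   # VolumeIDAndLocalBasePath; code page is assumed
            out["local_base_path"] = buf[s:buf.index(0, s, pos + li_size)].decode("cp1252")
        pos += li_size
    width, enc = (2, "utf-16-le") if flags & 0x80 else (1, "cp1252")
    for bit, key in enumerate(("name", "relative_path", "working_dir", "arguments", "icon_location"), 2):
        if flags >> bit & 1:               # StringData: CountCharacters, then the string
            n = struct.unpack_from("<H", buf, pos)[0] * width
            out[key] = buf[pos + 2:pos + 2 + n].decode(enc)
            pos += 2 + n
    while pos + 8 <= len(buf):             # ExtraData blocks
        block_size, sig = struct.unpack_from("<II", buf, pos)
        if block_size < 4:                 # TerminalBlock
            break
        if sig == 0xA0000003 and block_size >= 0x60:   # TrackerDataBlock
            out["machine_id"] = buf[pos + 16:pos + 32].split(b"\0")[0].decode("ascii", "replace")
            out["droid_file"] = uuid.UUID(bytes_le=buf[pos + 48:pos + 64])
        pos += block_size
    return out
```

On the sample, the second Droid GUID is a version 1 UUID, whose node field (00:13:72:16:87:4A here) normally carries a network adapter MAC address under RFC 4122. Together with the MachineID, that lets an examiner tie a shortcut to the machine that created it.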

© 2018 Microsoft

https://msdn.microsoft.com/en-us/library/dd871375.aspx
