Windows Link File (*.lnk) Analyser

binarybod
(@binarybod)
Posts: 272
Reputable Member
Topic starter
 

Recently uploaded a copy of my Windows Link File Analyser to Google project hosting.

It's a bit rough round the edges yet and only works on *nix systems. Just download the tarball and do
make
sudo make install
make clean

Unlike some analysers this one provides output that is fully consistent with the Microsoft publication MS-SHLLINK.

Some useful examples
lifer -h provides help
lifer linkfile.lnk parses linkfile.lnk and provides a full output
lifer -s linkfile.lnk as above with abbreviated (short) output
lifer -o tsv ./Links/ > links.tsv parses every file in the directory ./Links/ and if it finds a link file, outputs the data as a row in tab separated format. The whole output is directed to the file 'links.tsv' which can easily be opened in a spreadsheet application to review the output.

You'll be surprised at just how much useful information is in these files. Enjoy…

Paul

 
Posted : 13/07/2011 8:02 pm
(@kovar)
Posts: 805
Prominent Member
 

Greetings,

Could you provide a link to the Google page?

Thank you.

-David

 
Posted : 13/07/2011 8:36 pm
binarybod
(@binarybod)
Posts: 272
Reputable Member
Topic starter
 

Oops - basic error 😯

lifer on code.google

Paul

 
Posted : 13/07/2011 9:33 pm
(@kovar)
Posts: 805
Prominent Member
 

Greetings,

Looks good! Now to go find something to try it on….

-David

 
Posted : 13/07/2011 11:41 pm
(@hydrocloricacid)
Posts: 37
Eminent Member
 

excellent work !

I found it worked well and am amazed with how much information it pulls out.

 
Posted : 18/07/2011 8:02 am
binarybod
(@binarybod)
Posts: 272
Reputable Member
Topic starter
 

> excellent work !
>
> I found it worked well and am amazed with how much information it pulls out.

That's good news, thank you.

I've been using it for a while now and the day after I posted this thread I pulled out a load (about 100) links from a Vista machine and it wouldn't work on any of them - not one - bah!
Back to the drawing board…

Paul

 
Posted : 19/07/2011 7:11 pm
binarybod
(@binarybod)
Posts: 272
Reputable Member
Topic starter
 

Weird…

So I put the links into my 64 bit machine (on which I developed the application) and lo! it works. Ah… must be a 32/64 bit issue but no… put the files into my 32 bit machine and it works too… wha! it just doesn't work in a 32 bit virtual environment (at least that's the current hypothesis).

I wish I was better at this coding malarky!

Paul

 
Posted : 20/07/2011 2:46 am
(@shanenz)
Posts: 14
Active Member
 

Just one "minor" anomaly…

lslnk.pl (Harlan's link parser) and this tool show different UTC times for the link attributes (the file MAC dates are the same for both tools).
It doesn't seem to take into account daylight savings zones. In the NZST months, both tools are reporting the same UTC time; when in NZDT, the UTC time is 1 hour different. NOTE: This appears to only affect the shortcut file MACs, not the target file MACs.

This was done on a mounted, read-only raw hdd image, not a live system.

NZST Starts 1st Sunday in April (UTC + 12)
NZDT Starts last Sunday in Sept (UTC + 13)

lslnk.pl output
XXXXX.lnk 457 bytes
Access Time = Thu Sep 16 06:26:26 2010 (UTC)
Creation Date = Wed Jun 17 00:05:04 2009 (UTC)
Modification Time = Wed Jun 17 00:05:04 2009 (UTC)

MAC Times
Creation Time = Mon Jun 8 06:59:29 2009 (UTC)
Modification Time = Sun Jun 7 09:52:03 2009 (UTC)
Access Time = Sun Jun 7 20:30:00 2009 (UTC)

lifer output
LINK FILE ————– XXXXX.lnk
{stat DATA}
File Size 457 bytes
Last Accessed 2010-09-16 05:26:26 (UTC)
Last Modified 2009-06-16 23:05:04 (UTC)
Last Changed 2009-06-16 23:05:04 (UTC)

{LINK FILE - HEADER}
Creation Time 2009-06-08 06:59:29.2000000 (UTC)
Access Time 2009-06-07 20:30:00.0 (UTC)
Write Time 2009-06-07 09:52:04.0 (UTC)

Now… after seeing the comments in lslnk.pl (using it on a 'nix system, you don't see these little gems until you view the source code)… it's to do with the Win32UTCFileTime perl module… and a bit too heavy for my brainpan to comprehend. Maybe someone could shed some light on this… in layman's words?

I also had a peek at the source for lifer, and didn't see any comments (and the code is very well commented..*tips hat to author*) ref daylight savings, so assume that maybe that bit hasn't been worked out yet?

The upshot is, when using either of these tools, what considerations have to be taken into account when drifting in/out/across daylight savings dates?

 
Posted : 20/07/2011 5:00 am
binarybod
(@binarybod)
Posts: 272
Reputable Member
Topic starter
 

@ShaneNZ

The {stat DATA} section is reporting the file times of the link file itself. Just run
stat [link file]
and you should see the same time (although with 'stat' you'll get the local time and an offset to UTC, just reverse the offset to get the UTC time and it should be the same as reported by lifer). If this is still wrong then I need to know…

Please note that all other dates, the ones embedded inside the file, are correct; not only that, but in the long format mode, the timestamps are reported in full (to the nearest 100 nanoseconds).

Paul

 
Posted : 20/07/2011 4:19 pm
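
The two sets of times discussed in the posts above, as an added example that is not part of the thread and is not lifer's or lslnk.pl's code: the three FILETIME fields in the MS-SHLLINK ShellLinkHeader are decoded as 100 ns tick counts since 1601-01-01 UTC, and the link file's own times are read separately through stat. The function names and the `SAMPLE` header are constructed for illustration.

```python
import os
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 0x4C                      # ShellLinkHeader is always 76 bytes
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ft):
    """FILETIME: 100 ns ticks since 1601-01-01 UTC; carries no zone or DST flag."""
    if ft == 0:
        return "(not set)"
    secs, ticks = divmod(ft, 10_000_000)
    dt = FILETIME_EPOCH + timedelta(seconds=secs)
    return f"{dt:%Y-%m-%d %H:%M:%S}.{ticks:07d} (UTC)"

def header_times(data):
    """Times embedded in the link file: they describe the link target."""
    if len(data) < HEADER_SIZE:
        raise ValueError("shorter than a ShellLinkHeader")
    size, clsid = struct.unpack_from("<I16s", data, 0)
    if size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("HeaderSize/LinkCLSID mismatch: not a shell link")
    creation, access, write = struct.unpack_from("<3Q", data, 0x1C)
    return {"Creation Time": filetime_to_utc(creation),
            "Access Time": filetime_to_utc(access),
            "Write Time": filetime_to_utc(write)}

def stat_times(path):
    """Times of the .lnk file itself, as the examining OS reports them."""
    st = os.stat(path)
    def utc(t):
        return datetime.fromtimestamp(t, timezone.utc).strftime("%Y-%m-%d %H:%M:%S (UTC)")
    return {"Last Accessed": utc(st.st_atime), "Last Modified": utc(st.st_mtime),
            "Last Changed": utc(st.st_ctime)}

# Constructed header (not a real evidence file); tick values chosen to match
# the header times quoted in the thread.
SAMPLE = struct.pack("<I16sII3QIIIHHII", HEADER_SIZE, LINK_CLSID, 0, 0,
                     128889179692000000, 128888802000000000, 128888419240000000,
                     0, 0, 1, 0, 0, 0, 0)

if __name__ == "__main__":
    for name, value in header_times(SAMPLE).items():
        print(f"{name:<14}{value}")
```

The header values decode to the same UTC instant on any examining machine, while `stat_times` depends on what the filesystem driver and mount options of that machine hand back for the link file.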
binarybod
(@binarybod)
Posts: 272
Reputable Member
Topic starter
 

OK, I checked this, and as far as I can tell my tool is providing the right times.

Paul

 
Posted : 25/07/2011 7:52 pm