MSC File Format (Part 1)

In this article, I will discuss a preliminary attempt to map the format of files with the .MSC extension.

As you may already know, these files are created with the MMC (Microsoft Management Console) application.

As far as I know, there are two kinds of format: one in XML, and the other in some form of binary format.

The scope for this article is to discuss the binary format.

For the purpose of this analysis, I copied the existing SQL Server Enterprise Manager.MSC and renamed it to testsql.msc.

Next, using a hex editor, I changed the first byte of this file and re-opened it with MMC.EXE, which promptly gave this error:

Close examination of the cause of this error revealed that it occurs after the MMC framework tries to open the document as a “Structured Storage” file.

In other words, MMC.EXE treats this file as “Structured Storage”, just like other files in that format, such as Excel or Word documents.

The reason for the error is that the storage framework checks the file's integrity, and the first bytes hold the signature of a Structured Storage file.

According to the Structured Storage specification (Windows Compound Binary File Format Specification), the first 8 bytes are the signature.

To verify this conjecture, let’s open the MSC binary file and compare it with, say, an Excel file in a hex editor:

MSC File :

Excel File :

The two files above have the same signature; hence, the MSC file is a variant of a structured storage file, just like an Excel or Word file.

So, in theory, I can dump the contents of the MSC file with an ordinary structured storage dump utility to see at least the outline of its structure.

In this case, I am using the stg utility provided by Microsoft.

The result of using stg.exe to view this document:

The signature stream corresponds to the version of the MSC file. Next is the tree stream; opening this stream with stg.exe looks like this:

The first word (0x0002) is the node type; in this case, it is the folder snap-in. Based on the latest analysis, there are four node types. This value causes the MMC framework to show the folder-type root node:

The next word (0x0001) is the node id. This causes MMC to load the next node after this one.

The next node, after the last red rectangle, is also in the node type + node id format. In this example, because I’m using the SQL EM MSC, it is the node shown after the Console Root root folder:

In this case, the node type is 0x0001, which causes MMC to load the custom snap-in declared in the nodes storage below:

As you can see, the nodes storage is arranged by the node ids declared in the tree stream above. For example, the node information for node id 0x0001 is obtained from the ‘1’ storage of the nodes storage, and so on.

As I already mentioned, node ID 0x0002 is the custom snap-in, and MMC loads it based on the GUID information obtained from the tree stream of this node id's storage:

00 01 10 00-16 18-d0 11-8e f5-00 aa 00 62 c5 8f
00100100-1816-11D0-F58E-00AA0062C58F

Using the registry, we can find the information about this snap-in:

C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmmc.dll.
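The signature check and the GUID decoding described above, as an added Python example (not code from the original article). The function names and the sample header are constructed for illustration; the header field offsets follow the Compound Binary File specification, and the GUID is decoded with the standard Windows layout, in which only the first three fields are little-endian, so the fourth group of the quoted bytes reads 8EF5.

```python
import struct

# First 8 bytes of every Compound File (Structured Storage) header.
CFB_SIGNATURE = bytes.fromhex("D0CF11E0A1B11AE1")


def classify_msc(data: bytes) -> str:
    """Classify raw .msc content as 'structured-storage', 'xml' or 'unknown'."""
    if data[:8] == CFB_SIGNATURE:
        return "structured-storage"
    head = data[:64]
    if head.startswith(b"\xef\xbb\xbf"):  # skip a UTF-8 byte order mark
        head = head[3:]
    return "xml" if head.lstrip().startswith(b"<") else "unknown"


def cfb_header(data: bytes) -> dict:
    """Read the version, byte-order and sector-size fields after the signature."""
    if len(data) < 32 or data[:8] != CFB_SIGNATURE:
        raise ValueError("not a structured storage file")
    # Offset 24: minor version, major version, byte-order mark, sector shift.
    minor, major, order, shift = struct.unpack_from("<HHHH", data, 24)
    return {"major": major, "minor": minor,
            "little_endian": order == 0xFFFE, "sector_size": 1 << shift}


def guid_from_stream_bytes(raw: bytes) -> str:
    """Format 16 stored bytes as a registry-style GUID string."""
    if len(raw) != 16:
        raise ValueError("a GUID is exactly 16 bytes")
    # Data1 (4 bytes), Data2 and Data3 (2 bytes each) are little-endian;
    # the remaining 8 bytes are used in the order they are stored.
    d1, d2, d3 = struct.unpack_from("<IHH", raw)
    tail = raw[8:].hex().upper()
    return f"{d1:08X}-{d2:04X}-{d3:04X}-{tail[:4]}-{tail[4:]}"


# Constructed sample: signature, empty CLSID, then version 3 header fields.
SAMPLE_HEADER = CFB_SIGNATURE + bytes(16) + struct.pack("<HHHH", 0x3E, 3, 0xFFFE, 9)
# The 16 GUID bytes quoted in the article.
SNAPIN_BYTES = bytes.fromhex("00 01 10 00 16 18 d0 11 8e f5 00 aa 00 62 c5 8f")

if __name__ == "__main__":
    print(classify_msc(SAMPLE_HEADER), cfb_header(SAMPLE_HEADER))
    # Same experiment as the article: corrupt the first byte of the file.
    print(classify_msc(b"\x00" + SAMPLE_HEADER[1:]))
    print(guid_from_stream_bytes(SNAPIN_BYTES))
```
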

OK, that’s all for the first part.


3 Responses to “MSC File Format (Part 1)”

  1. Am Says:

    What are the four formats of .msc files?

  2. ekasiswanto Says:

    Do you mean the node type?

  3. Johnny Says:

    derp
