An Unofficial Guide to the FND File Format

2nd Edition

No part of this document may be reproduced in any form, mechanically or digitally, or transmitted or redistributed in any form by any means without the prior written permission from the author, Edward L. Blake. Edward Blake can be contacted at blakee@rovoscape.com

This article is an updated, reformatted, and corrected version of my previous postings on wotsit.org. This article is also better formatted as well.

Disclaimer: Please note that I am not the person, and I’m not involved with the one(s), who made the FND format. The information presented here is at most a description of how a FND file looks like and how to read it based on my experimentation and experience.

THE WINDOWS FILE FIND (FND) FORMAT – IN PARTIAL DETAIL

It took a while to find some minimal information about the Windows 95/Windows 98 file find format. This shows some of the basics of this file structure. The information presented here could be slightly inaccurate. I was only able to successfully get the basic format of a file which doesn't have it’s search results saved. The Appendix contains some of the decimal values of a sample FND file, which I used to try to understand the format. (note: In order to use the appendix values, copy and paste them into a fixed width plain text editor without word wrap). Also, Appendix B describes how to use the days specified with the Created\Modified parameters.

Basic Structure for Non-Stored Entry Format (color coded):

Header	32 bytes
Token	Variable length
Token	Variable length
Token	Variable length
.
.
5 null bytes (Byte value is 0)	5 bytes

A usual find-file file (without saving entries, only search by filename) has this structure

Start of Header (Length of each is 1 byte)
Offset (not length)	Description
(0000) 0000h	Set to 68
(0001) 0001h	Set to 70
(0002) 0002h	Set to 3
(0003) 0003h	Set to Null (0h)
(0004) 0004h	Flags 0000 0001b (1, 01h) – Include subdirectories 0000 1000b (8, 08h) – Case Sensitive
(0005) 0005h	Flags 0000 0001b (1, 01h) – Store Entries 0001 0000b (16, 10h) – Unknown
(0006) 0006h	Set to Null (0h)
(0007) 0007h	Set to Null (0h)
(0008) 0008h	Reserved (?) set to 255 (FFh)
(0009) 0009h	Reserved (?) set to 255 (FFh)
(0010) 000Ah	Reserved (?) set to 16 (10h)
(0011) 000Bh	Set to Null (0h)
(0012) 000Ch	32 (20h)
(0013) 000Dh	Set to Null (0h)
(0014) 000Eh	Set to Null (0h)
(0015) 000Fh	Set to Null (0h)
(0016) 0010h	Number of tokens (both of token types “55” and “48”)
(0017) 0011h	Set to Null (0h)
(0018) 0012h	Set to Null (0h)
(0019) 0013h	Set to Null (0h)
(0020) 0014h	Unknown
(0021) 0015h	Set to Null (0h)
(0022) 0016h	Set to Null (0h)
(0023) 0017h	Set to Null (0h)
(0024) 0018h	Reserved? Set to 255 (FFh)
(0025) 0019h	Reserved? Set to 255 (FFh)
(0026) 001Ah	Reserved? Set to 255 (FFh)
(0027) 001Bh	Reserved? Set to 255 (FFh)
(0028) 001Ch	IconState (Icon View) 01h – Large Icons 02h – Small Icons 03h – Listing 04h – Details
(0029) 001Dh	Set to Null (0h)
(0030) 001Eh	Set to Null (0h)
(0031) 001Fh	Set to Null (0h)
End of Header, Start of “section(s)”
Length (not offset!)	Description
1 byte	Set to 16 (10h), Signature for filename to be searched
1 byte	Set to 55 (37h)
1 byte	Length of string including null (ASCIIZ)
1 byte	Set to Null (0h)
variable	Searched filename string
1 byte	Set to Null (completes ASCIIZ for search string!)
1 byte	Set to 2 (2h), Signature for folder to searched
1 byte	Set to 48 (30h)
1 byte	Length of string including null (ASCIIZ)
1 byte	Set to Null (0h)
variable	Searched folder string
1 byte	Set to Null (completes ASCIIZ for search string!)
One or more sections follow afterwards with this format:
1 byte	Flag\Section Type 00010001b (17, 11h) – Unknown 00100000b (32, 20h) – Search by OLE registered file formats 00100001b (33, 21h) – Text string is to be searched within file 00100010b (34, 22h) – File size 00110101b (53, 35h) – Created\Modified previous X days 00110111b (55, 37h) – Created\Modified previous X months 00111001b (57, 39h) – Created\Modified between X and Y (X) 00111010b (58, 39h) – Created\Modified between X and Y (Y)
1 byte	Set to 55 (37h)
1 byte	Length of string or parameters including null (ASCIIZ)
1 byte	Set to Null (0h)
variable	Parameter or string of text. If the flags 3 bytes back were set to: 33 – this will be a string to be searched within the files being searched. 32 – this will contain the full human-readable name of the OLE registered file format name. 34 – this will contain a string of a number. The first number tells if the size is to “at least” (1) or “at most” (2). Followed by a space, then the rest of the numbers is the size in bytes to be searched. (example: “at least 2k” will be encoded as “1 2048” 53 – this will simply contain a string of the number of days. 55 – this will simply contain a string of the number of months. 57 – this will simply contain a string of the number of days since May 16, 1972 (I’m just as confused as you are on why this date). See Appendix B to see how to convert this into something useful in a high level language. 58 – this will simply contain a string of the number of days since May 16, 1972. See Appendix B to see how to convert this into something useful in a high level language. 17 – the parameter will only be one byte which will be either 48 or 49 based on either including subfolders is set or not. The value 49 means that subfolders will not be searched.
1 byte	Set to Null (completes the ASCIIZ string\parameter)
1 byte	Set to Null (0h)
1 byte	Set to Null (0h)
1 byte	Set to Null (0h)
1 byte	Set to Null (0h)
1 byte	Set to Null (0h)

ISSUES ABOUT USING THE FND FORMAT

This file format structure will depend on what operating system and what language (localization settings) is being used. On a NT file find applet, the file format will have additional sections near the end identical to the beginning, with the exception that the text is encoded in Unicode and the signature string “NTFF” is attached at the end.

LINKS

Information on many other file formats

http://www.wotsit.org/

Contacting the author

Email:

Primary Address: blakee@rovoscape.com

APPENDIX A – RAW UNDOCUMENTED WORK CONTENT

Copy and paste the following into a non-word wrapping plain text editor with a fixed width font:

Files named winfile (Not include subs) - z2

Files of type AdobeAcrobat named winfile - z3

Files of type AdobeAcrobat named winfile (Not include subs) - z4

Files named winfile with hello within - z5

Files named winfile (with at least 200k) - z6

Files named winfile (with at most 200k) - z7

Files named winfile (created\modified opt 1) - z8

Files named winfile (created\modified opt 2) - z9

Files named winfile (created\modified opt 3) - z10

Files named winfile (created\modified opt 2-10) - z11

Files named winfile (created\modified opt 3-10) - z12

Files named winfile (Case sensitive) - z13

Files named winfile (View as large icons) - z14

Files named Wed (Bitmap Files) - z15

Files named winfile (Stored Entries) - z16

ÿÿ

=ÿÿÿÿ

7winfile[1]0C:\VB57[1]0

ÿÿ

=ÿÿÿÿ

7winfile[1]0C:\VB57[1]1

ÿÿ

Xÿÿÿÿ

7winfile[1]0C:\VB5 7Adobe Acrobat Document7[1]0

ÿÿ

Xÿÿÿÿ

7winfile[1]0C:\VB5 7Adobe Acrobat Document7[1]1

ÿÿ

Gÿÿÿÿ

7winfile[1]0C:\VB5!7Hello7[1]0

ÿÿ

Jÿÿÿÿ

7winfile[1]0C:\VB57[1]0"7 1 204800

ÿÿ

Jÿÿÿÿ

7winfile[1]0C:\VB57[1]0"7 2 204800

ÿÿ Oÿÿÿÿ

7winfile[1]0C:\VB57[1]0979253:79349

ÿÿ

Cÿÿÿÿ

7winfile[1]0C:\VB57[1]077[1]1

ÿÿ

Cÿÿÿÿ

7winfile[1]0C:\VB57[1]057[1]1

ÿÿ

Dÿÿÿÿ

7winfile[1]0C:\VB57[1]077

ÿÿ

Dÿÿÿÿ

7winfile[1]0C:\VB57[1]057

ÿÿ

=ÿÿÿÿ

7winfile[1]0C:\VB57[1]0

ÿÿ

:ÿÿÿÿ7winfile[1]0

C:\7[1]0

ÿÿ

Gÿÿÿÿ

Wed[1]0

C:\ 7

Bitmap Image7[1]0

ÿÿ

:ÿÿÿÿ

7winfile[1]0

C:\7[1]0FàOÐ ê:i¢Ø+00#C:\î16$Ö|0€WindowsZàOÐ ê:i¢Ø+00#C:\î16$Ö|0€Windows16$â|0€HelpbàOÐ ê:i¢Ø+00#C:\î16$Ö|0€Windows16$ô|2RecentRECENT ‑2_[1]!ey €Winfile.exeB ‑2™m$`± €Winfile.iniB ‑2y!ey €Winfile.cntB ‑29«!ey €Winfile.hlpB<:2{†$2

Files named winfile (2).lnkFILESN~2.LNKB[1]862†$N Files named winfile.lnkFILESN~1.LNKB[1]NL2±†$S

Files named winfile containing text Hello.lnkFILESN~3.LNKB[1]RP2½†$K

Files named winfile containing text Hello (2).lnkFILESN~4.LNKB[1]

Clues:

Tagged Streaming type of file?

48 and 55 seems to be splitters or locators

a =

b =

c =

d =

e +1 = controls including\not including subdirectories

+8 = case sensitive

f +16 = ?

+1 = Store Entries

g =

h =

i =

j =

k =

l =

m =

n = Reserved?

o = Reserved?

p = Reserved?

q = number of sections

r = Reserved?

s = Reserved?

t = Reserved?

u =

v =

w =

x =

y =

z =

a2 =

b2 =

c2 =1 = Large Icons

=2 = Small Icons

=3 = Listing

=4 = Details

g2 =16 = Search Text

j2 =

h2 = 55 Splitter

i2 = Number of bytes plus null in string

k2 = search text starts here - Null Terminated String

l2 = 2 = where to search

m2 = 48 is splitter?

n2 = Number of bytes Plus Null

p2 = where is searched - Null terminated string

q2 =32 = Ole File Format

=33 = Text Searched for within

=17 = ?

u2 = Include Sub Dependant?

r2 = Splitter?

s2 = Number of bytes plus null

w2 =57 = Search by Date-1

=55 = Search by Date-2

=53 = Search by Date-3

=34 = At Least\Most

x2 =55 = Splitter?

y2 = Number of Characters plus null

a3 (for w2=34) ascii values -> 1 or 2 (1=At Least; 2=At most) + Space + At Least\Most value in ascii (divide by 1024 to get in k)

a3 for w2 (2 and 3) = ascii values

Notes: a lot of the sections are padded with nulls

--------------------------------------------------------------------------------------------=============================-----------==================-----------------======================================================================================--

a b c d e f g h i j k l m n o p q r s t u v w x y z a2 b2 c d e f g h i j k l m n o p q r s t u v w x y z a3 b c d e f g

68 70 3 0 1 16 0 0 255 255 16 0 32 0 0 0 3 0 0 0 61 0 0 0 255 255 255 255 4 0 0 0 16 55 8 0 119 105 110 102 105 108 101 0 2 48 7 0 67 58 92 86 66 53 0 17 55 2 0 48 0 0 0 0 0 0

68 70 3 0 0 16 0 0 255 255 16 0 32 0 0 0 3 0 0 0 61 0 0 0 255 255 255 255 4 0 0 0 16 55 8 0 119 105 110 102 105 108 101 0 2 48 7 0 67 58 92 86 66 53 0 17 55 2 0 49 0 0 0 0 0 0

68 70 3 0 1 16 0 0 255 255 16 0 32 0 0 0 4 0 0 0 88 0 0 0 255 255 255 255 4 0 0 0 16 55 8 0 119 105 110 102 105 108 101 0 2 48 7 0 67 58 92 86 66 53 0 32 55 23 0 [ 65 100 111 98 101 32 65 99 114 111 98 97 116 32 68 111 99 117 109 101 110 116 ] 0 17 55 2 0 48 0 0 0 0 0 0

68 70 3 0 0 16 0 0 255 255 16 0 32 0 0 0 4 0 0 0 88 0 0 0 255 255 255 255 4 0 0 0 16 55 8 0 119 105 110 102 105 108 101 0 2 48 7 0 67 58 92 86 66 53 0 32 55 23 0 [ 65 100 111 98 101 32 65 99 114 111 98 97 116 32 68 111 99 117 109 101 110 116 ] 0 17 55 2 0 49 0 0 0 0 0 0

68 70 3 0 1 16 0 0 255 255 16 0 32 0 0 0 4 0 0 0 71 0 0 0 255 255 255 255 4 0 0 0 16 55 8 0 119 105 110 102 105 108 101 0 2 48 7 0 67 58 92 86 66 53 0 33 55 6 0 [ 72 101 108 108 111 ] 0 17 55 2 0 48 0 0 0 0 0 0

68 70 3 0 1 16 0 0 255 255 16 0 32 0 0 0 4 0 0 0 74 0 0 0 255 255 255 255 4 0 0 0 16 55 8 0 119 105 110 102 105 108 101 0 2 48 7 0 67 58 92 86 66 53 0 17 55 2 0 [ 48 ] 0 34 55 9 0 49 32 50 48 52 56 48 48 0 0 0 0 0 0

68 70 3 0 1 16 0 0 255 255 16 0 32 0 0 0 4 0 0 0 74 0 0 0 255 255 255 255 4 0 0 0 16 55 8 0 119 105 110 102 105 108 101 0 2 48 7 0 67 58 92 86 66 53 0 17 55 2 0 [ 48 ] 0 34 55 9 0 50 32 50 48 52 56 48 48 0 0 0 0 0 0

68 70 3 0 1 16 0 0 255 255 16 0 32 0 0 0 5 0 0 0 79 0 0 0 255 255 255 255 4 0 0 0 16 55 8 0 119 105 110 102 105 108 101 0 2 48 7 0 67 58 92 86 66 53 0 17 55 2 0 [ 48 ] 0 57 55 5 0 57 50 53 51 0 58 55 5 0 57 51 52 57 0 0 0 0 0 0

68 70 3 0 1 16 0 0 255 255 16 0 32 0 0 0 4 0 0 0 67 0 0 0 255 255 255 255 4 0 0 0 16 55 8 0 119 105 110 102 105 108 101 0 2 48 7 0 67 58 92 86 66 53 0 17 55 2 0 [ 48 ] 0 55 55 2 0 [ 49 ] 0 0 0 0 0 0

68 70 3 0 1 16 0 0 255 255 16 0 32 0 0 0 4 0 0 0 67 0 0 0 255 255 255 255 4 0 0 0 16 55 8 0 119 105 110 102 105 108 101 0 2 48 7 0 67 58 92 86 66 53 0 17 55 2 0 [ 48 ] 0 53 55 2 0 [ 49 ] 0 0 0 0 0 0

68 70 3 0 1 16 0 0 255 255 16 0 32 0 0 0 4 0 0 0 68 0 0 0 255 255 255 255 4 0 0 0 16 55 8 0 119 105 110 102 105 108 101 0 2 48 7 0 67 58 92 86 66 53 0 17 55 2 0 [ 48 ] 0 55 55 3 0 [ 49 48 ] 0 0 0 0 0 0

68 70 3 0 1 16 0 0 255 255 16 0 32 0 0 0 4 0 0 0 68 0 0 0 255 255 255 255 4 0 0 0 16 55 8 0 119 105 110 102 105 108 101 0 2 48 7 0 67 58 92 86 66 53 0 17 55 2 0 [ 48 ] 0 53 55 3 0 [ 49 48 ] 0 0 0 0 0 0

68 70 3 0 9 16 0 0 255 255 16 0 32 0 0 0 3 0 0 0 61 0 0 0 255 255 255 255 4 0 0 0 16 55 8 0 119 105 110 102 105 108 101 0 2 48 7 0 67 58 92 86 66 53 0 17 55 2 0 [ 48 ] 0 0 0 0 0 0

68 70 3 0 1 16 0 0 255 255 16 0 32 0 0 0 3 0 0 0 58 0 0 0 255 255 255 255 1 0 0 0 16 55 8 0 119 105 110 102 105 108 101 0 2 48 4 0 67 58 92 0 17 55 2 0 [ 48 ] 0 0 0 0 0 0

68 70 3 0 1 16 0 0 255 255 16 0 32 0 0 0 4 0 0 0 71 0 0 0 255 255 255 255 4 0 0 0 16 55 4 0 87 101 100 0 2 48 4 0 67 58 92 0 32 55 13 0 [ 66 105 116 109 97 112 32 73 109 97 103 101 ] 0 17 55 2 0 48 0 0 0 0 0 0

68 70 3 0 1 17 0 0 255 255 16 0 32 0 0 0 3 0 0 0 58 0 0 0 255 255 255 255 4 0 0 0 16 55 8 0 119 105 110 102 105 108 101 0 2 48 4 0 67 58 92 0 17 55 2 0 [ 48 ] 0

70 0 20 0 31 0 224 79 208 32 234 58 105 16 162 216 8 0 43 48 48 157 25 0 35 67 58 92 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 17 238 23 0 49 0 0 0 0 0 54 36 214 124 48 128 87 105 110 100 111 119 115 0 0 0 0 90 0 20 0 31 0 224 79 208 32 234 58 105 16 162 216 8 0 43 48 48 157 25 0 35 67 58 92 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 17 238 23 0 49 0 0 0 0 0 54 36 214 124 48 128 87 105 110 100 111 119 115 0 0 20 0 49 0 0 0 0 0 54 36 226 124 48 128 72 101 108 112 0 0 0 0 98 0 20 0 31 0 224 79 208 32 234 58 105 16 162 216 8 0 43 48 48 157 25 0 35 67 58 92 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 17 238 23 0 49 0 0 0 0 0 54 36 214 124 48 128 87 105 110 100 111 119 115 0 0 28 0 49 0 0 0 0 0 54 36 244 124 50 0 82 101 99 101 110 116 0 82 69 67 69 78 84 0 0 0 0 0 32 0 30 0 50 0 16 95 2 0 24 33 101 121 32 128 87 105 110 102 105 108 101 46 101 120 101 0 0 66 0 0 0 0 32 0 30 0 50 0 153 0 0 0 109 36 96 177 32 128 87 105 110 102 105 108 101 46 105 110 105 0 0 66 0 0 0 0 32 0 30 0 50 0 121 8 0 0 24 33 101 121 32 128 87 105 110 102 105 108 101 46 99 110 116 0 0 66 1 0 0 0 32 0 30 0 50 0 57 171 0 0 24 33 101 121 32 128 87 105 110 102 105 108 101 46 104 108 112 0 0 66 1 0 0 0 60 0 58 0 50 0 123 1 0 0 134 36 50 4 32 0 70 105 108 101 115 32 110 97 109 101 100 32 119 105 110 102 105 108 101 32 40 50 41 46 108 110 107 0 70 73 76 69 83 78 126 50 46 76 78 75 0 66 2 0 0 0 56 0 54 0 50 0 20 1 0 0 134 36 78 7 32 0 70 105 108 101 115 32 110 97 109 101 100 32 119 105 110 102 105 108 101 46 108 110 107 0 70 73 76 69 83 78 126 49 46 76 78 75 0 66 2 0 0 0 78 0 76 0 50 0 177 1 0 0 134 36 83 4 32 0 70 105 108 101 115 32 110 97 109 101 100 32 119 105 110 102 105 108 101 32 99 111 110 116 97 105 110 105 110 103 32 116 101 120 116 32 72 101 108 108 111 46 108 110 107 0 70 73 76 69 83 78 126 51 46 76 78 75 0 66 2 0 0 0 82 0 80 0 50 0 189 1 0 0 134 36 75 4 32 0 70 105 108 101 115 32 110 97 109 101 100 32 119 105 110 102 105 108 101 32 99 111 110 116 97 105 110 105 110 103 32 116 101 120 116 32 72 101 108 108 111 32 40 50 41 46 108 110 107 0 70 73 76 69 83 78 126 52 46 76 78 75 0 66 2 0 0 0 0 0 0

[z20]

68 70 3 0 1 16 0 0 255 255 16 0 32 0 0 0 3 0 0 0 54 0 0 0 255 255 255 255 4 0 0 0 16 55 4 0 119 105 110 0 2 48 4 0 67 58 92 0 17 55 2 0 [ 48 ] 0 0 0 0 0 0

APPENDIX B – CONVERTING FROM DAYS SINCE MAY 16, 1972

In a high level language such as visual basic, this can easily be accomplished with the DateAdd() function, which expects a number and a date. Here is an example of using the DateAdd function:

RealDate = dateadd("d",9253,#May 16, 1972#)

While every other language may be different, refer to your programming language’s documentation on it’s date libraries and facilities.

An Unofficial Guide to the FND File Format

Start of Header (Length of each is 1 byte)

End of Header, Start of “section(s)”

ISSUES ABOUT USING THE FND FORMAT

LINKS

Contacting the author