Windows thumbnail cache

From Just Solve the File Format Problem
(Difference between revisions)
Jump to: navigation, search
(Format details)
(Software)
Line 30: Line 30:
 
* [https://thumbcacheviewer.github.io/ Thumbcache Viewer]
 
* [https://thumbcacheviewer.github.io/ Thumbcache Viewer]
 
* [http://vinetto.sourceforge.net/ Vinetto]
 
* [http://vinetto.sourceforge.net/ Vinetto]
 +
* {{Deark}}
  
 
== Links ==
 
== Links ==

Revision as of 16:15, 4 December 2016

File Format
Name Windows thumbnail cache
Ontology
Extension(s) .db
PRONOM fmt/682

Windows thumbnail cache (or Thumbs.db format) is a file format used by some versions of Microsoft Windows to store thumbnails of images and certain other file types. Thumbnails may be written to a file named Thumbs.db in the folder containing the image file, or to a file in a central location. The file format is based on Microsoft Compound File format. Apparently the files can be of forensic interest as they sometimes contain references to deleted images.

In versions starting with Vista, separate thumbnail files are usually no longer used, with the thumbnails instead being stored in a centralized database at \Users\%username%\AppData\Local\Microsoft\Windows\Explorer. However, separate Thumbs.db files may still be created on network drives.

Contents

Format details

Thumbs.db format is undocumented, and fairly difficult to decode. The are at least two different major thumbnail versions, which we'll call "original format" and "new format". There are an uncertain number of minor versions. Different thumbnail versions may be combined in the same file. Presumably, this can happen when Windows updates a file created by a different version of Windows.

Files that contain at least one "original format" thumbnail have a special stream named "Catalog", which contains the original filenames, and other information. One of the filenames may be the special name "{A42CD7B6-E9B9-4D02-B7A6-288B71AD28BA}". This is apparently the thumbnail for the folder itself. The thumbnail streams themselves have simple numeric names like "021", which are to be reversed and interpreted as a Catalog ID number (120, in this case).

Thumbnails in "new format" do not use a Catalog file. Instead, the streams have names like "256_79dea834bece3f6b", apparently containing a pixel size and a hash.

In all versions, the thumbnail streams do not contain just the embedded image file. Instead, they start with a header.

There are are at least three different image formats that a thumbnail may use:

  1. Standard JFIF JPEG format
  2. A nonstandard RGBA format based on JPEG
  3. PNG

Identification

There seems to be no simple way to reliably identify a Thumbs.db file as such, just from its contents. Heuristics must be used. See the "Format details" section above.

Software

Links

Personal tools
Namespaces

Variants
Actions
Navigation
Toolbox