Windows thumbnail cache

From Just Solve the File Format Problem
Revision as of 16:32, 21 December 2016 by Jsummers (Talk | contribs)

Jump to: navigation, search
File Format
Name Windows thumbnail cache
Ontology
Extension(s) .db
PRONOM fmt/682

Windows thumbnail cache (or Thumbs.db format) is a file format used by some versions of Microsoft Windows to store thumbnails of images and certain other file types. Thumbnails may be written to a file named Thumbs.db in the folder containing the image file, or to a file in a central location. The file format is based on Microsoft Compound File format. Apparently the files can be of forensic interest as they sometimes contain references to deleted images.

In versions starting with Vista, separate thumbnail files are usually no longer used, with the thumbnails instead being stored in a centralized database at \Users\%username%\AppData\Local\Microsoft\Windows\Explorer. However, separate Thumbs.db files may still be created on network drives.

Contents

Format details

Thumbs.db format is undocumented, and fairly difficult to decode. Knowledge of Microsoft Compound File format is a prerequisite. There are at least two different major thumbnail versions, which we'll call "original format" and "new format". There are an uncertain number of minor versions. Different thumbnail versions may be combined in the same file. Presumably, this can happen when Windows updates a file created by a different version of Windows.

Files that contain at least one "original format" thumbnail have a special stream named "Catalog", which contains the original filenames, and other information. One of the filenames may be the special name "{A42CD7B6-E9B9-4D02-B7A6-288B71AD28BA}". This is apparently the thumbnail for the folder as a whole. The thumbnail streams themselves have simple numeric names like "021", which are to be reversed and interpreted as a Catalog ID number (120, in this example).

Thumbnails in "new format" do not use a Catalog file. Instead, the streams have names like "256_79dea834bece3f6b", apparently containing a pixel size and a hash.

In all versions, the thumbnail streams do not contain just the embedded image file. Instead, they start with a header.

There are are at least three different image formats that a thumbnail may use:

  1. Standard JFIF JPEG format
  2. A nonstandard RGBA format based on JPEG (At least, the component ID numbers suggest that the format is RGBA. Thumbs Viewer can display these images, and its author says it is CMYK.)
  3. PNG

Identification

There seems to be no simple way to reliably identify a Thumbs.db file as such, just from its contents. Heuristics must be used. See the "Format details" section above.

Software

Links

Personal tools
Namespaces

Variants
Actions
Navigation
Toolbox