What Is an EMF Spool File?
When an application sends pages to a printer, they are held in an intermediary file that the application can write to and the printer driver can read from simultaneously. This speeds up the print process because control can return to the application before the printer has finished printing the document.
Usually, this spool file is held in the raw printer page definition language (which could be PCL, PostScript, or one of many other options), but in Windows NT, 2000, XP, and 2003 it is possible to make the spooler use a different, more device-independent format known as an EMF spool file.
To generate EMF spool files from Windows NT, 2000, XP, and 2003, select the printer properties and on the scheduling tab select "Keep printed documents." This will create a .shd and .spl file for each document you print in your spool directory (usually C:\WINNT\system32\spool).
The EMF Spool File Record Types
The spool file is composed of the following record types:
Private Enum SpoolerRecordTypes
    SRT_EOF = &H0             ' int32 zero
    SRT_RESERVED_1 = &H1      ' 1
    SRT_FONTDATA = &H2        ' 2 Font Data
    SRT_DEVMODE = &H3         ' 3 DevMode
    SRT_FONT2 = &H4           ' 4 Font Data
    SRT_RESERVED_5 = &H5      ' 5
    SRT_FONT_MM = &H6         ' 6 Font Data (Multiple Master)
    SRT_FONT_SUB1 = &H7       ' 7 Font Data (SubsetFont 1)
    SRT_FONT_SUB2 = &H8       ' 8 Font Data (SubsetFont 2)
    SRT_RESERVED_9 = &H9
    SRT_UNKNOWN = &H10        ' int unknown...
    SRT_RESERVED_A = &HA
    SRT_RESERVED_B = &HB
    SRT_PAGE = &HC            ' 12 Enhanced Meta File (EMF)
    SRT_EOPAGE1 = &HD         ' 13 EndOfPage
    SRT_EOPAGE2 = &HE         ' 14 EndOfPage
    SRT_EXT_FONT = &HF        ' 15 Ext Font Data
    SRT_EXT_FONT2 = &H10      ' 16 Ext Font Data
    SRT_EXT_FONT_MM = &H11    ' 17 Ext Font Data (Multiple Master)
    SRT_EXT_FONT_SUB1 = &H12  ' 18 Ext Font Data (SubsetFont 1)
    SRT_EXT_FONT_SUB2 = &H13  ' 19 Ext Font Data (SubsetFont 2)
    SRT_EXT_PAGE = &H14       ' 20 Enhanced Meta File?
    SRT_JOB_INFO = &H10000    ' int length, wchar jobDescription
End Enum
Of these, the most important record types are:
SRT_PAGE: This record contains a Windows standard enhanced metafile, consisting of an EMF header and one or more EMF graphics record structures. The EMF header record gives you the dimensions of the boundary rectangle (the area inside the print margins), the number of graphics records that make up the page, and the file size of this single EMF page.
SRT_DEVMODE: This record contains the device settings that apply to the rest of the pages in the document (or until another DEVMODE record is encountered that overrides it). The DEVMODE structure holds details such as the number of copies, the page orientation (landscape versus portrait), the paper size and paper source, and so on.
SRT_EOF: This signifies the end of the spool file records.
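Retained .spl files are often examined when reconstructing what was printed, and their length fields are untrusted input. The sketch below is an added example, not code from the original article: it walks the record stream with bounds checks and reads the EMF header fields described above from a page record. It assumes each record is framed as a little-endian uint32 type followed by a uint32 payload size (the framing is not spelled out on this page), that the caller passes the offset of the first record after the job header, and that the function names and sample bytes are constructed for illustration.

```python
import struct

# Record type values taken from the article's SpoolerRecordTypes enum.
SRT_EOF, SRT_DEVMODE, SRT_PAGE = 0x0, 0x3, 0xC

def walk_records(buf, offset=0):
    """Return [(type, payload_offset, payload_size)] for the record stream.

    Assumed framing: uint32 type, uint32 payload size, then the payload.
    Raises ValueError when a length field points past the end of the data.
    """
    records = []
    while offset + 4 <= len(buf):
        (rtype,) = struct.unpack_from("<I", buf, offset)
        if rtype == SRT_EOF:          # article: EOF is a single int32 zero
            return records
        if offset + 8 > len(buf):
            raise ValueError(f"truncated record header at {offset:#x}")
        (size,) = struct.unpack_from("<I", buf, offset + 4)
        if size > len(buf) - (offset + 8):
            raise ValueError(f"record at {offset:#x} claims {size} bytes")
        records.append((rtype, offset + 8, size))
        offset += 8 + size
    raise ValueError("no SRT_EOF terminator found")

def page_summary(buf, payload_offset, payload_size):
    """Read bounds, record count and byte size from an SRT_PAGE EMF header."""
    if payload_size < 56:
        raise ValueError("payload too small for an EMF header")
    itype, _nsize, left, top, right, bottom = struct.unpack_from(
        "<II4i", buf, payload_offset)
    signature = buf[payload_offset + 40:payload_offset + 44]
    nbytes, nrecords = struct.unpack_from("<II", buf, payload_offset + 48)
    if itype != 1 or signature != b" EMF":
        raise ValueError("payload does not start with an EMF header")
    if nbytes > payload_size:
        raise ValueError("EMF byte count exceeds the record payload")
    return {"bounds": (left, top, right, bottom),
            "records": nrecords, "bytes": nbytes}

def sample_stream():
    """Constructed sample: a 4-byte DEVMODE-typed record, one page, EOF.
    The EMF header is cut down to the 56 bytes that page_summary reads."""
    emf = struct.pack("<II4i4i4sIII", 1, 56, 0, 0, 4799, 6799,
                      0, 0, 0, 0, b" EMF", 0x10000, 56, 1)
    return (struct.pack("<II", SRT_DEVMODE, 4) + b"\0" * 4
            + struct.pack("<II", SRT_PAGE, len(emf)) + emf
            + struct.pack("<I", SRT_EOF))
```
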