
The following are two example filenames from the %WINDIR%\WinSxS\Manifests directory:

wow64_microsoft-windows-ntdll_31bf3856ad364e35_6.2.9200.17584_none_bbf51cfcba52b7f7.manifest
amd64_microsoft-windows-ntdll_31bf3856ad364e35_6.2.9200.17584_none_b1a072aa85f1f5fc.manifest

The scheme is obvious except for the last element: processorArchitecture_AssemblyName_publicKeyToken_Version_Language_UNKNOWN.manifest

What is the meaning of the last 16 hexadecimal characters in the WinSxS\Manifests files' names?

Current research effort:

  • I can rule out that the characters represent the hexadecimal encoded low- and high-order parts of a FILETIME structure since the resulting time stamps are astronomically large.
  • These strings are not found in the registry.
  • It is not a CRC-64 checksum of the manifest file itself.
  • These strings are already present in the downloads from Microsoft (I've unpacked a .cab file embedded in a Windows Update .mum file).
gollum
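
Added example, not part of the original question: a parser for the file-name scheme given above, together with the FILETIME check from the first bullet applied to the trailing 16 hex characters. The regular expression, the function names and the four-part version pattern are assumptions of this example; the last field is captured but not interpreted.

```python
import re

# Field layout as stated in the question. The last field is the one whose
# meaning is unknown, so it is only captured here, never interpreted.
MANIFEST_RE = re.compile(
    r"^(?P<arch>[^_]+)_(?P<name>.+)_(?P<token>[0-9a-f]{16})_"
    r"(?P<version>\d+(?:\.\d+){3})_(?P<language>[^_]+)_"
    r"(?P<unknown>[0-9a-f]{16})\.manifest$",
    re.IGNORECASE,
)

# FILETIME counts 100 ns ticks since 1601-01-01; mean Gregorian year in seconds.
FILETIME_TICKS_PER_YEAR = 10_000_000 * 31_556_952


def parse_manifest_name(filename):
    """Split a WinSxS manifest file name into its six fields, or return None."""
    m = MANIFEST_RE.match(filename)
    return m.groupdict() if m else None


def filetime_years(hex16):
    """Approximate year if hex16 were a FILETIME, tried in both dword orders."""
    first, second = int(hex16[:8], 16), int(hex16[8:], 16)
    candidates = ((first << 32) | second, (second << 32) | first)
    return [1601 + ticks // FILETIME_TICKS_PER_YEAR for ticks in candidates]


def differing_fields(a, b):
    """Names of the fields in which two parsed manifest names differ."""
    return sorted(k for k in a if a[k].lower() != b[k].lower())


SAMPLES = [  # the two file names quoted in the question
    "wow64_microsoft-windows-ntdll_31bf3856ad364e35_6.2.9200.17584_none_bbf51cfcba52b7f7.manifest",
    "amd64_microsoft-windows-ntdll_31bf3856ad364e35_6.2.9200.17584_none_b1a072aa85f1f5fc.manifest",
]

if __name__ == "__main__":
    parsed = [parse_manifest_name(s) for s in SAMPLES]
    for p in parsed:
        print(p["arch"], p["version"], p["unknown"], filetime_years(p["unknown"]))
    print("fields that differ:", differing_fields(*parsed))
```

Parsing anchors on the fixed-width token and trailing field, so an assembly name that itself contains underscores still splits correctly.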

0 Answers