.cab

Windows Cabinet

A .cab file is a Microsoft Cabinet archive used for compressed software distribution and Windows system updates. FileDex provides reference information only.

Learn more ↓

Archive structure

Header magic bytes

Entries compressed files

Index directory

vnd.ms-cab-compressed1997Proprietary

By FileDex

Not convertible

Cabinet archive extraction requires Microsoft-specific decompression not available in browser WASM.

Common questions

How do I open or extract a .cab file?

On Windows, double-click the .cab file in Explorer to browse its contents, or use the built-in expand command in Command Prompt. On Linux, install the cabextract package from your distribution's repository. On macOS, The Unarchiver or 7-Zip (via Homebrew) can handle .cab extraction.

Why are .cab files inside Windows Update packages?

Microsoft uses .cab as the inner container within .msu update packages because Cabinet compression is natively supported by the Windows servicing stack. The servicing stack can extract, verify, and install cabinet contents without any third-party dependencies. This tight integration also allows delta compression between update versions.

What compression does CAB use and how does it compare to ZIP?

CAB supports three algorithms: MSZIP (similar to deflate used in ZIP), LZX (generally 10-20% better than deflate on typical Windows binaries), and Quantum (rarely used). LZX's ability to compress across file boundaries within a folder gives it an edge over ZIP, which compresses each file independently.

Can a single .cab file span multiple volumes?

Yes. The CAB header includes fields for previous and next cabinet filenames, allowing a logical archive to span multiple physical files. This feature was designed for floppy disk distribution. Modern tools like makecab on Windows and lcab on Linux can create spanning cabinet sets with configurable volume sizes.

What makes .CAB special

Cabinet files are Microsoft's native compressed archive format, integral to Windows software distribution since Windows 95. Microsoft's LZX compression algorithm used inside CAB files was originally developed by Jonathan Forbes and Tomi Poutanen at the University of Waterloo in 1995 and was later licensed by Microsoft.

Continue reading — full technical deep dive

Archive Structure

Each CAB file starts with the four-byte signature MSCF (0x4D 0x53 0x43 0x46) followed by a header containing the total cabinet size, file count, and compression method identifier. Inside, data is organized into folders (compression units) and files. A single folder can span multiple files, and a single file can span multiple folders — this flexibility allows the compressor to exploit redundancy across file boundaries. The supported compression methods are MSZIP (a deflate variant compatible with zlib), LZX (a sliding-window algorithm with tree-based Huffman coding), and Quantum (rarely used, optimized for small archives).

Role in Windows Infrastructure

CAB files are deeply embedded in Windows operations. MSI installers store their payload data inside embedded CAB streams — when you run a .msi package, the Windows Installer service extracts from these internal cabinets. Windows Update packages (.msu files) are themselves archives containing one or more .cab files, each holding the actual update binaries and manifests. The System File Checker (sfc /scannow) references a cabinet store in the WinSxS directory to restore corrupted system files.

Multi-Cabinet Spanning

Large distributions can span multiple .cab files using a chaining mechanism. Each cabinet header contains optional fields for the filename of the previous and next cabinet in the set. During extraction, the tool reads these chain pointers to request the next volume. This spanning capability predates ZIP's multi-part support and was essential in the floppy disk era when a single application might span dozens of 1.44 MB diskettes.

Compression Performance

LZX compression in CAB files operates at dictionary sizes from 32 KB to 2 MB. Larger dictionaries yield better compression ratios for repetitive content like DLL collections but require more memory during extraction. For Windows system packages, Microsoft typically uses LZX with a 2 MB dictionary — achieving compression ratios between 2:1 and 4:1 depending on content type.

Technical reference

Specs CLI Security

MIME Type: application/vnd.ms-cab-compressed
Magic Bytes: 4D 53 43 46 MSCF signature.
Developer: Microsoft
Year Introduced: 1997
Open Standard: No

000000004D534346 MSCF

MSCF signature.

Binary Structure

CAB files begin with magic bytes 4D 53 43 46 00 00 00 00 (MSCF followed by four reserved null bytes). The 36-byte header contains: cabinet size (4 bytes LE), file offset to first data block, version numbers (minor/major), folder count, file count, and flags indicating if this cabinet is part of a spanning set. Data blocks follow, each prefixed with a checksum, compressed size, and uncompressed size.

List and extract CAB archive contents on Windows other

expand -D archive.cab && expand archive.cab -F:* C:\output\

The expand command is built into every Windows version since XP. The -D flag lists all files inside the cabinet without extracting. The second invocation with -F:* extracts all files to the specified output directory.

Extract CAB files on Linux using cabextract other

cabextract -l archive.cab && cabextract -d ./output archive.cab

The cabextract utility handles MSZIP, LZX, and Quantum compression methods. The -l flag lists contents with sizes and timestamps, while -d specifies the extraction directory.

MEDIUM

Attack Vectors

Path traversal via crafted filenames inside the archive can write files outside the intended extraction directory
CAB files embedded in MSI packages can deliver malicious DLLs that execute during installation with elevated privileges
Oversized decompression ratios (zip bomb equivalent) can exhaust disk space or memory during extraction

Mitigation: FileDex does not open, execute, or parse these files. Reference page only.