Libguestfs - Sep 2013 - Re: Hivex - Trailing garbage at the end of hive file

[Forwarding to the proper list]

We use hivex for one of our projects and I see the following diff committed to
the hivex project (source link provided) that ignores trailing garbage.  But
this code has been reverted to no ignore this condition in later version of
hivex

-      /* This error is seemingly common in uncorrupt registry files. */
-      /*
-      fprintf (stderr, "hivex: %s: ignoring trailing garbage at end of
file (at %zu, after %zu pages)\n",
-               filename, off, h->pages);
-      */
+      /* NB: This error is seemingly common in uncorrupt registry files. */
+      if (h->msglvl >= 2)
+        fprintf (stderr, "hivex: %s: ignoring trailing garbage at end of
file (at %zu, after %zu pages)\n",
+                 filename, off, h->pages);
       Break;

http://git.annexia.org/?p=hivex.git;a=commitdiff;h=5439842dc591accbf620a5f76dd6f04ad4d5c971

In your experience, is this a common condition seen in some windows hive files
and is it safe to ignore when this condition is encountered?

Thanks
~ Hari


---------

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
libguestfs lets you edit virtual machines.  Supports shell scripting,
bindings from many languages.  http://libguestfs.org

On Tue, Sep 24, 2013 at 10:14:12PM +0100, Richard W.M. Jones
wrote:
> [Forwarding to the proper list]
>
> We use hivex for one of our projects and I see the following diff
> committed to the hivex project (source link provided) that ignores
> trailing garbage.  But this code has been reverted to no ignore this
> condition in later version of hivex
>
> -      /* This error is seemingly common in uncorrupt registry files. */
> -      /*
> -      fprintf (stderr, "hivex: %s: ignoring trailing garbage at end
of file (at %zu, after %zu pages)\n",
> -               filename, off, h->pages);
> -      */
> +      /* NB: This error is seemingly common in uncorrupt registry files.
*/
> +      if (h->msglvl >= 2)
> +        fprintf (stderr, "hivex: %s: ignoring trailing garbage at end
of file (at %zu, after %zu pages)\n",
> +                 filename, off, h->pages);
>        Break;
> 
>
http://git.annexia.org/?p=hivex.git;a=commitdiff;h=5439842dc591accbf620a5f76dd6f04ad4d5c971
> In your experience, is this a common condition seen in some windows
> hive files and is it safe to ignore when this condition is
> encountered?
I have seen this, rarely, in registry hives.  I don't understand at
all why it would happen, but would welcome known-good hives that
demonstrate the problem.  Remember that the registry format is
completely undocumented, so it's all guesswork :-(

The commit you mention just changes the message so it is printed when
debugging is enabled, but is otherwise the same, so I'm not sure what
precisely the problem is.  It should just print the message (if
debugging is enabled) and continue.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-top is 'top' for virtual machines.  Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://people.redhat.com/~rjones/virt-top

Is there a reason why a previous version of hivex ignored this condition
while more recent ones throw an error?

I do have some hive files that are failing (I'm yet to validate if they
are good or were corrupted some other way). I will do so and share my
findings


Thanks
~ Hari 

On 9/24/13 5:20 PM, "Richard W.M. Jones" <rjones@redhat.com>
wrote:
>On Tue, Sep 24, 2013 at 10:14:12PM +0100, Richard W.M. Jones wrote:
>> [Forwarding to the proper list]
>>
>> We use hivex for one of our projects and I see the following diff
>> committed to the hivex project (source link provided) that ignores
>> trailing garbage.  But this code has been reverted to no ignore this
>> condition in later version of hivex
>>
>> -      /* This error is seemingly common in uncorrupt registry files.
*/
>> -      /*
>> -      fprintf (stderr, "hivex: %s: ignoring trailing garbage at
end of
>>file (at %zu, after %zu pages)\n",
>> -               filename, off, h->pages);
>> -      */
>> +      /* NB: This error is seemingly common in uncorrupt registry
>>files. */
>> +      if (h->msglvl >= 2)
>> +        fprintf (stderr, "hivex: %s: ignoring trailing garbage at
end
>>of file (at %zu, after %zu pages)\n",
>> +                 filename, off, h->pages);
>>        Break;
>> 
>> 
>>http://git.annexia.org/?p=hivex.git;a=commitdiff;h=5439842dc591accbf620a5
>>f76dd6f04ad4d5c971
>
>> In your experience, is this a common condition seen in some windows
>> hive files and is it safe to ignore when this condition is
>> encountered?
>
>I have seen this, rarely, in registry hives.  I don't understand at
>all why it would happen, but would welcome known-good hives that
>demonstrate the problem.  Remember that the registry format is
>completely undocumented, so it's all guesswork :-(
>
>The commit you mention just changes the message so it is printed when
>debugging is enabled, but is otherwise the same, so I'm not sure what
>precisely the problem is.  It should just print the message (if
>debugging is enabled) and continue.
>
>Rich.
>
>-- 
>Richard Jones, Virtualization Group, Red Hat
>http://people.redhat.com/~rjones
>virt-top is 'top' for virtual machines.  Tiny program with many
>powerful monitoring features, net stats, disk stats, logging, etc.
>http://people.redhat.com/~rjones/virt-top