Hello, As we discussed briefly on IRC about a month ago, HKLM\SYSTEM\MountedDevices can contain greater than 55000 (HIVEX_MAX_VALUES) values if VMWare’s snapshot functionality is frequently used. This is due to an unintended interaction between Windows and VMWare’s snapshot functionality. VMware has a knowledge base article regarding this issue, although it does not directly mention MountedDevices: https://kb.vmware.com/s/article/2006849 The attached patch increases HIVEX_MAX_VALUES in order to enable access to those hives with hivex. -- Matt Coleman Senior Software Engineer Datto, Inc. www.datto.com
Richard W.M. Jones
2020-Aug-14 20:17 UTC
Re: [Libguestfs] [PATCH] Increase HIVEX_MAX_VALUES
On Thu, Aug 13, 2020 at 08:55:14PM -0400, Matt Coleman wrote:> Hello, > > As we discussed briefly on IRC about a month ago, HKLM\SYSTEM\MountedDevices can contain greater than 55000 (HIVEX_MAX_VALUES) values if VMWare’s snapshot functionality is frequently used. This is due to an unintended interaction between Windows and VMWare’s snapshot functionality. > > VMware has a knowledge base article regarding this issue, although it does not directly mention MountedDevices: https://kb.vmware.com/s/article/2006849 > > The attached patch increases HIVEX_MAX_VALUES in order to enable access to those hives with hivex.Applied, thanks! Rich. -- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones Read my programming and virtualization blog: http://rwmj.wordpress.com libguestfs lets you edit virtual machines. Supports shell scripting, bindings from many languages. http://libguestfs.org
Possibly Parallel Threads
- increasing HIVEX_MAX_SUBKEYS and HIVEX_MAX_VALUES
- Re: increasing HIVEX_MAX_SUBKEYS and HIVEX_MAX_VALUES
- [PATCH] inspect: get windows drive letters for GPT disks.
- [PATCHv2] inspect: get windows drive letters for GPT disks.
- Re: [PATCH 1/7] Add a minimal hive with "special" keys and values