similar to: hivex from python

On Fri, Oct 04, 2013 at 03:13:47PM +0000, Subramanian, Hari wrote: > Rich, > > Our workflow is something like this: > > 0. Start with a fresh copy of windows server 2k8 > 1. We read the system hive and then write to it a bunch of times > 2. Boot windows > 3. Read from the system hive > > Hivex reports the failure at step #3. I also noticed that the size of the >

Hi Rich, I'm still working on validating whether the trailing zeroes were introduced by hivex or by windows (though I highly doubt it's hivex). But since it's part of a more complex workflow which is not that easy to modify, it's still a work in progress In the meanwhile, I wanted to be sure that ignoring the condition when hivex saw these trailing zeroes was the right solution.

Good afternoon, I am working with the hivex python bindings and having trouble with an assertion failure. The code I run is based on the blog post from 11/28/10 and is: import hivex h = hivex.Hivex("ntuser.dat") r = h.root() key = h.node_get_child(r) The assert failure happens when I call any of the "node" functions, even "node_name()". The error message I get

I'm pleased to announce the next release of hivex, a library and some tools for reading and writing Windows Registry hive files. Man page: http://libguestfs.org/hivex.3.html Source: http://libguestfs.org/download/hivex/ Git repo: http://git.annexia.org/?p=hivex.git;a=summary Fedora pkg: http://koji.fedoraproject.org/koji/taskinfo?taskID=3267857 This release mainly contains bug fixes.

Hivex is a small, self-contained C library for reading and writing Windows Registry "hive" binary files. I'm pleased to announce version 1.3.15 which you can get from: http://download.libguestfs.org/hivex/ Highlights of this release: - Improved performance by using a cache of iconv handles, especially when dumping out large hives (Hilko Hengen). - Add the ‘hivexregedit

This patch adds hivex_node_struct_length and hivex_value_struct_length to the hivex ABI, to report the amount of hive space used for each stored structure. Signed-off-by: Alex Nelson <ajnelson at cs.ucsc.edu> --- generator/generator.ml | 12 ++++++++++++ lib/hivex.c | 33 +++++++++++++++++++++++++++++++++ 2 files changed, 45 insertions(+), 0 deletions(-) diff --git

Signed-off-by: Alex Nelson <ajnelson at cs.ucsc.edu> --- generator/generator.ml | 6 ++++++ lib/hivex.c | 6 ++++++ xml/hivexml.c | 9 +++++++++ 3 files changed, 21 insertions(+), 0 deletions(-) diff --git a/generator/generator.ml b/generator/generator.ml index fc7b483..9e53f4e 100755 --- a/generator/generator.ml +++ b/generator/generator.ml @@ -159,6 +159,12

On Tue, Sep 24, 2013 at 10:14:12PM +0100, Richard W.M. Jones wrote: > [Forwarding to the proper list] > > We use hivex for one of our projects and I see the following diff > committed to the hivex project (source link provided) that ignores > trailing garbage. But this code has been reverted to no ignore this > condition in later version of hivex > > - /* This error

Currently 'hivexget' is a very clumsy command line tool which only lets you display a single registry key in a hive file, for example: $ hivexget SOFTWARE '\Microsoft\Windows\TabletPC\TabSetup\' "TabletSetup"=dword:00000000" This is inflexible and got really annoying as I was trying to explore these hive files in preparation for adding write support to hivex.

[Forwarding to the proper list] We use hivex for one of our projects and I see the following diff committed to the hivex project (source link provided) that ignores trailing garbage. But this code has been reverted to no ignore this condition in later version of hivex - /* This error is seemingly common in uncorrupt registry files. */ - /* - fprintf (stderr, "hivex: %s:

This series of patches prepares the way for a later series which will add write support for Windows Registry 'hive' files to our 'hivex' mini library. About hivex: http://libguestfs.org/hivex.3.html About the Windows Registry: Forget it - there are no reliable references. However the Wikipedia page explains some of the top level concepts:

The infrastructure for modified-time reporting has been essentially unused. These changes report the registry time by treating the time fields as Windows filetime fields stored in little-Endian (which means they can be treated as a single 64-bit little-Endian integer). This patch adds the node_mtime function to the visitor API. Signed-off-by: Alex Nelson <ajnelson at cs.ucsc.edu> ---

Rich, Our workflow is something like this: 0. Start with a fresh copy of windows server 2k8 1. We read the system hive and then write to it a bunch of times 2. Boot windows 3. Read from the system hive Hivex reports the failure at step #3. I also noticed that the size of the registry hive observed in step #3 is the same as step #0. Is it possible that hivex issues write that cause a hive file

Is there a reason why a previous version of hivex ignored this condition while more recent ones throw an error? I do have some hive files that are failing (I'm yet to validate if they are good or were corrupted some other way). I will do so and share my findings Thanks ~ Hari On 9/24/13 5:20 PM, "Richard W.M. Jones" <rjones@redhat.com> wrote: >On Tue, Sep 24, 2013 at

[The bug which this fixes is: https://bugzilla.redhat.com/show_bug.cgi?id=717583 ] ----- Forwarded message from Peter Fokker <peter at berestijn.nl> ----- Date: Thu, 8 Mar 2012 11:37:06 +0100 (CET) From: Peter Fokker <peter at berestijn.nl> To: rjones at redhat.com Cc: Peter Fokker <peter at berestijn.nl> Subject: hivex: patch for read support of "li"-records from

Thanks for providing the SOFTWARE and SYSTEM hives. Firstly the SOFTWARE hive has an unusually large 'nk' node, which required me to increase one of the limits in hivex: https://github.com/libguestfs/hivex/commit/bec3f0bb632c4b84a1dfb73eb6333c2ba9834ffb The SYSTEM hive was even more interesting: $ hivexsh system Welcome to hivexsh, the hivex interactive shell for examining

(Resending since my message from 2 days ago didn't make it to the list. Perhaps because of the log file attachment) Hi Rich, Sorry about the delayed response. I understand that since hive formats are not open, the current tack of warning about the hive file is a better one To respond to you question about "whether it fails", hivexsh is unable to open the hive file and it prints

I tried both hivex-1.2.5 and hivex-1.2.7, same result. The same software hive can be loaded using Windows regedit tool, and had no problem to access the "Classes" key. The other keys under Software (like Microsoft, Wow6432Node, etc.) are OK. Here is the hivexsh output with HIVEX_DEBUG=1 enabled:

The infrastructure for modified-time reporting has been essentially unused. These changes report the registry time by treating the time fields as Windows filetime fields stored in little-Endian (which means they can be treated as a single 64-bit little-Endian integer). This patch adds to the hivex ABI: * int64_t hivex_last_modified (hive_h *) * int64_t hivex_node_timestamp (hive_h *,

On Fri, Oct 04, 2013 at 02:12:08PM +0000, Subramanian, Hari wrote: > To respond to you question about "whether it fails", hivexsh is unable to > open the hive file and it prints this message and exits. I've attached the > verbose logs as requested OK, I understand it now. It is in fact failing, setting errno = ENOSYS and returning an error. > This extract from the logs