#146 regdiff

open
Jarod
Windows (30)
9
2007-05-02
2007-05-02
belimar
No

Running ntfsdiff against HKLM on a Windows XP SP2 machine,
i.e. regdiff -C -c sha1 -o regbasehklm.T "HKEY_LOCAL_MACHINE"

Produces an application error around the time the file size of regbasehklm.T grows to 32 MB.

regbasehklm.T is incomplete.

Running ntfsdiff against a smaller key, i.e.
regdiff -C -c sha1 -o regbasehku.T "HKEY_USERS"

Does not produce an error and is complete.

Using radmind-pc-0.7.0.

Discussion

  • belimar

    belimar - 2007-05-02
    • summary: ntfsdiff --> regdiff
     
  • belimar

    belimar - 2007-05-02
    • priority: 5 --> 9
     
  • Jarod

    Jarod - 2007-05-08

    Running regdiff on HKLM produced a complete transcript for me (~15MB on a clean install of XP SP2).

    What is the application error? What are the last few (5-10) entries in your regbasehklm.T transcript?

    Potential things that come to mind are a buffer overflow or an undocumented registry type.

     
  • Dustin King

    Dustin King - 2009-02-26

    I've been able to generate problems for keys with extremely long security descriptors. The internal buffer only allowed security descriptor strings (and lines) up to 2k. I've found a security descriptor that was about 16k, and in theory the binary version can be up to 64k. I'm changing the code to allocate 128k for that buffer--that should provide room for a max size DACL to be written out as a string. I don't imagine that anybody will want a security descriptor that long in files that they actually manage, but we want to be able to handle files that need to be reverted back to something reasonable.

     
  • Dustin King

    Dustin King - 2009-02-27

    Fixed in cvs 02-26-2009.
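
The fixed-buffer limit discussed in this thread, as an added example in portable C that is not radmind's code and does not call the Windows registry API. The function names, the line layout, the key name and the sample descriptor are constructed for illustration; the first routine reports a line that exceeds a 2k buffer instead of truncating it, and the second measures the line and allocates for it up to the 128k ceiling.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define FIXED_LINE_MAX 2048      /* the 2k line limit from the comment */
#define LINE_CAP (128 * 1024)    /* the 128k ceiling chosen for the fix */

/* Hypothetical layout "<key> <descriptor>\n". Returns -1 if the line does not
 * fit: snprintf stays inside buflen and returns the length actually needed. */
int format_line_fixed(char *buf, size_t buflen, const char *key, const char *sd)
{
    int need = snprintf(buf, buflen, "%s %s\n", key, sd);
    return (need < 0 || (size_t)need >= buflen) ? -1 : 0;
}

/* Measure, refuse anything over LINE_CAP, allocate exactly; caller frees. */
char *format_line_sized(const char *key, const char *sd, size_t *out_len)
{
    int need = snprintf(NULL, 0, "%s %s\n", key, sd);
    if (need < 0 || (size_t)need >= LINE_CAP) return NULL;
    char *line = malloc((size_t)need + 1);
    if (line != NULL)
        *out_len = (size_t)snprintf(line, (size_t)need + 1, "%s %s\n", key, sd);
    return line;
}

/* Constructed sample, not from the report: "D:" plus `aces` copies of one ACE. */
char *make_sample_sd(size_t aces)
{
    static const char ace[] = "(A;;KA;;;BA)";
    size_t alen = sizeof ace - 1;
    char *sd = calloc(2 + aces * alen + 1, 1);   /* zeroed, so NUL-terminated */
    if (sd == NULL) return NULL;
    memcpy(sd, "D:", 2);
    for (size_t i = 0; i < aces; i++)
        memcpy(sd + 2 + i * alen, ace, alen);
    return sd;
}

int main(void)
{
    char fixed[FIXED_LINE_MAX], *sd = make_sample_sd(1365);   /* about 16k */
    size_t len = 0;
    if (sd == NULL) return 1;
    int rc = format_line_fixed(fixed, sizeof fixed, "HKLM\\Sample", sd);
    char *line = format_line_sized("HKLM\\Sample", sd, &len);
    printf("fixed rc=%d, sized len=%zu\n", rc, len);
    free(line); free(sd);
    return 0;
}
```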

     
