Running ntfsdiff against hklm on a Windows XP SP2 machine
i.e regdiff -C -c sha1 -o regbasehklm.T "HKEY_LOCAL_MACHINE"
Produces an application error around the time the file size of regbasehklm.T grows to 32mb
regbasehklm.T is incomplete
Running ntfsdiff against a smaller key i.e
regdiff -C -c sha1 -o regbasehku.T "HKEY_USERS"
Does not produce an error and is complete.
using radmind-pc-0.7.0
Logged In: YES
user_id=1300000
Originator: NO
Running regdiff on HKLM produced a complete transcript for me (~15MB on a clean install of XP SP2).
What is the application error? What are the last few (5-10) entries in your regbasehklm.T transcript?
Potential things that come to mind are a buffer overflow or an undocumented registry type.
I've been able to generate problems for keys with extremely long security descriptors. The internal buffer only allowed security descriptor strings (and lines) up to 2k. I've found a security descriptor that was about 16k, and in theory the binary version can be up to 64k. I'm changing the code to allocate 128k for that buffer--that should provide room for a max size dacl to be written out as a string. I don't imagine that anybody will want a security descriptor that long in files that they actually manage, but we want to be able to handle files that need to be reverted back to something reasonable.
Fixed in cvs 02-26-2009.