EricZimmerman / Issues

This is a repository for reporting any issues in any of my software
MIT License

RegistryExplorer: System.ArgumentException: Destination array is not long enough to copy all the items in the collection. #218

Closed Whatslp closed 1 week ago

Whatslp commented 1 month ago

Intro: When using Autoruns v14.x (https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns) from Microsoft Sysinternals within WinPE, the registry (SYSTEM + SOFTWARE) becomes unusable. Autoruns -> Files -> Analyse Offline System...

RegistryExplorer was able to reconstruct the deleted keys. This is not from a forensic point of view, more from a recovery perspective.

RegistryExplorer

I can load the registry successfully, but I have several problems. "Associated deleted records" -> right mouse button -> Export -> Key -> To .reg format (recursive) => ROOT_Recursive.reg

```
** Exception Text **
System.ArgumentException: Destination array is not long enough to copy all the items in the collection. Check array index and length. (Parameter 'value')
   at Registry.Abstractions.RegistryKey.GetRegFormat(HiveTypeEnum hiveType)
   at Registry.Other.Helpers.GetRegFormatData(RegistryKey key, HiveTypeEnum hiveType, Boolean recursive)
   at Registry.Other.Helpers.GetRegFormatData(RegistryKey key, HiveTypeEnum hiveType, Boolean recursive)
   at Registry.Other.Helpers.GetRegFormatData(RegistryKey key, HiveTypeEnum hiveType, Boolean recursive)
   at Registry.Other.Helpers.GetRegFormatData(RegistryKey key, HiveTypeEnum hiveType, Boolean recursive)
   at Registry.Other.Helpers.GetRegFormatData(RegistryKey key, HiveTypeEnum hiveType, Boolean recursive)
   at Registry.Other.Helpers.GetRegFormatData(RegistryKey key, HiveTypeEnum hiveType, Boolean recursive)
   at Registry.Other.Helpers.GetRegFormatData(RegistryKey key, HiveTypeEnum hiveType, Boolean recursive)
   at Registry.Other.Helpers.GetRegFormatData(RegistryKey key, HiveTypeEnum hiveType, Boolean recursive)
   at Registry.Other.Helpers.GetRegFormatData(RegistryKey key, HiveTypeEnum hiveType, Boolean recursive)
   at Registry.Other.Helpers.GetRegFormatData(RegistryKey key, HiveTypeEnum hiveType, Boolean recursive)
   at Registry.Other.Helpers.ExportToReg(String filename, RegistryKey key, HiveTypeEnum hiveType, Boolean recursive)
   at RegistryExplorer.Forms.Main.ExportRegistryKey(Boolean recursive) in D:\Code\RegistryViewerZ\RegistryViewerZ\Forms\Main.cs:line 449
   at RegistryExplorer.Forms.Main.b__65_16(Object ss, ItemClickEventArgs ee) in D:\Code\RegistryViewerZ\RegistryViewerZ\Forms\Main.cs:line 3121
   at DevExpress.XtraBars.BarItem.OnClick(BarItemLink link)
   at DevExpress.XtraBars.BarBaseButtonItem.OnClick(BarItemLink link)
   at DevExpress.XtraBars.BarButtonItem.OnClick(BarItemLink link)
   at DevExpress.XtraBars.BarItemLink.OnLinkClick()
   at DevExpress.XtraBars.BarButtonItemLink.OnLinkClick()
   at DevExpress.XtraBars.BarButtonItemLink.OnLinkAction(BarLinkAction action, Object actionArgs)
   at DevExpress.XtraBars.ViewInfo.BarSelectionInfo.ClickLink(BarItemLink link)
   at DevExpress.XtraBars.ViewInfo.BarSelectionInfo.UnPressLink(BarItemLink link)
   at DevExpress.XtraBars.Controls.CustomLinksControl.OnMouseUp(MouseEventArgs e)
   at DevExpress.XtraBars.Controls.CustomPopupBarControl.OnMouseUp(MouseEventArgs e)
   at System.Windows.Forms.Control.WmMouseUp(Message& m, MouseButtons button, Int32 clicks)
   at System.Windows.Forms.Control.WndProc(Message& m)
   at DevExpress.XtraEditors.XtraControl.WndProc(Message& m)
   at DevExpress.XtraBars.Controls.CustomControl.WndProc(Message& msg)
   at System.Windows.Forms.Control.ControlNativeWindow.WndProc(Message& m)
   at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, WM msg, IntPtr wparam, IntPtr lparam)
   ...
** JIT Debugging **
```

As a next step I tried to export a smaller amount. This is not possible. The tool remembers (internally) the last selected red-coloured entry and ignores black-coloured entries.

- Associated deleted records
- Associated deleted records -> ROOT
- Associated deleted records -> ROOT\ControlSet001
- Associated deleted records -> ROOT\ControlSet001\Control

On all entries: right mouse button -> Copy (always grey - not possible); Export -> Key -> To .reg format (recursive) => always ROOT_Recursive.reg

If I select a deleted (red) entry the first time, it remembers this entry and only changes its selection (internally) when I select another deleted entry. I cannot go back and export ROOT. I have to restart the program when I want to export ROOT again. The tool entirely ignores black-coloured entries:

- right mouse button -> Copy -> Key path
- Export -> Key -> To .reg format (recursive)

My main goal is to create/restore most of the registry including "Associated deleted records". At the moment I can only export one entry at a time.

Thank you for your great work and sharing! Ronny

EricZimmerman commented 1 month ago

sounds like something is corrupt. not much you can do. why do you think you even need to recover all the stuff from the registry in the first place, re "My main goal is to create/restore most of the registry including "Associated deleted records"?

Whatslp commented 1 month ago

I want to recover as many keys as possible and make the system bootable again. I just want to see what is possible. I can see all the deleted keys in RegistryExplorer, but I can't export them. I tried it with a working registry and could not select the "Associated deleted records" for export. Is this not yet implemented (just to export these records)? In my tests I was able to get the registry working again if I have enough keys. So for me it is very promising. It's "just" a case study. I want to export as much as possible and ignore any errors, even if the registry itself is corrupt. I can recreate them. I want to be as close to the original registry as possible.

EricZimmerman commented 1 month ago

It's a forensic tool and not a recovery tool. If you can make it work great but that is not the intent of the tool

Whatslp commented 1 month ago

I did more testing and found out that RegistryExplorer has trouble handling some registry keys. To find out the key I had to use an older version of RegistryExplorer.

[screenshot: error_example_02]

3 examples, created by the device "Speakers (High Definition Audio Device)", that cause an error when I use your program:

```
Windows Registry Editor Version 5.00

;; SYSTEM mounted as HIVE

[HKEY_LOCAL_MACHINE\HIVE\ControlSet001\Control\DeviceClasses\{e6327cad-dcec-4949-ae8a-991e976a79d2}\##?#SWD#MMDEVAPI#{0.0.0.00000000}.{b5cab90e-5d56-4582-99b9-0a64f6b80752}#{e6327cad-dcec-4949-ae8a-991e976a79d2}\#\Properties\{1e94c58f-3e40-4ddb-b10c-a86d8b870a31}\0002]
@=hex(ffff0004):00,00

[HKEY_LOCAL_MACHINE\HIVE\ControlSet001\Control\DeviceClasses\{e6327cad-dcec-4949-ae8a-991e976a79d2}\##?#SWD#MMDEVAPI#{0.0.0.00000000}.{b5cab90e-5d56-4582-99b9-0a64f6b80752}#{e6327cad-dcec-4949-ae8a-991e976a79d2}\#\Properties\{6737016f-5360-48ee-af05-e616c8ff27a7}\0002]
@=hex(ffff0004):00,00

[HKEY_LOCAL_MACHINE\HIVE\ControlSet001\Control\DeviceClasses\{e6327cad-dcec-4949-ae8a-991e976a79d2}\##?#SWD#MMDEVAPI#{0.0.0.00000000}.{b5cab90e-5d56-4582-99b9-0a64f6b80752}#{e6327cad-dcec-4949-ae8a-991e976a79d2}\#\Properties\{913bc9a7-624b-4a30-96ac-5064a9fc6589}\0002]
@=hex(ffff0004):05,00
```

If you are interested in my findings I will continue reporting here. I believe there is some error handling possible in the tool that could avoid the problem I encountered.
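An added example, not code from the issue or from Registry Explorer: a small Python reader for the hex(...) values in a .reg export that classifies the 0xffff0004 type these keys carry and reports a length problem instead of throwing. The sample input is the three keys above assembled into .reg layout (with the backslashes before `{` and `#` that the rendered key paths lost), and the 0xFFFF0000 | DEVPROP_TYPE encoding with its size table is my assumption.

```python
import re

# Constructed sample: the three values from this issue laid out as .reg syntax.
_PREFIX = (r"HKEY_LOCAL_MACHINE\HIVE\ControlSet001\Control\DeviceClasses"
           r"\{e6327cad-dcec-4949-ae8a-991e976a79d2}\##?#SWD#MMDEVAPI#{0.0.0.00000000}"
           r".{b5cab90e-5d56-4582-99b9-0a64f6b80752}#{e6327cad-dcec-4949-ae8a-991e976a79d2}"
           r"\#\Properties")
_PROPS = [("1e94c58f-3e40-4ddb-b10c-a86d8b870a31", "00,00"),
          ("6737016f-5360-48ee-af05-e616c8ff27a7", "00,00"),
          ("913bc9a7-624b-4a30-96ac-5064a9fc6589", "05,00")]
SAMPLE_REG = "Windows Registry Editor Version 5.00\n\n" + "".join(
    f"[{_PREFIX}\\{{{g}}}\\0002]\n@=hex(ffff0004):{d}\n\n" for g, d in _PROPS)

REG_TYPES = {0: "REG_NONE", 1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD",
             5: "REG_DWORD_BIG_ENDIAN", 6: "REG_LINK", 7: "REG_MULTI_SZ", 11: "REG_QWORD"}
# Assumption: PnP property values carry type 0xFFFF0000 | DEVPROP_TYPE; these are
# the fixed-size DEVPROP_TYPE codes (low 16 bits) with their byte lengths.
DEVPROP_FLAG = 0xFFFF0000
DEVPROP_SIZES = {0x02: 1, 0x03: 1, 0x04: 2, 0x05: 2, 0x06: 4, 0x07: 4,
                 0x08: 8, 0x09: 8, 0x0A: 4, 0x0B: 8, 0x0D: 16, 0x10: 8, 0x11: 1}
_KEY = re.compile(r"^\[(.+)\]$")
_HEX = re.compile(r'^(@|"[^"]*")=hex\(([0-9a-fA-F]{1,8})\):([0-9a-fA-F, ]*)$')

def parse_hex_values(text):
    """Return (key, name, type_code, data) for every hex(...) value in a .reg text."""
    out, key = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := _KEY.match(line):
            key = m.group(1)
        elif (m := _HEX.match(line)) and key is not None:
            name = "" if m.group(1) == "@" else m.group(1).strip('"')
            data = bytes(int(b, 16) for b in m.group(3).replace(",", " ").split())
            out.append((key, name, int(m.group(2), 16), data))
    return out

def classify(type_code, data):
    """Name the value type and flag a size mismatch instead of raising on it."""
    if type_code in REG_TYPES:
        return REG_TYPES[type_code], None
    if (type_code & DEVPROP_FLAG) == DEVPROP_FLAG:
        dp = type_code & 0xFFFF
        label, want = f"DEVPROP_TYPE 0x{dp:02x}", DEVPROP_SIZES.get(dp)
        if want is None:
            return label, "variable-size devprop; keep raw bytes"
        return label, None if len(data) == want else f"expected {want} bytes, got {len(data)}"
    return f"unknown 0x{type_code:08x}", "unhandled type; keep raw bytes"

def audit(text):
    """Classify every hex value of a .reg text without aborting on odd ones."""
    return [(key, name, *classify(t, d)) for key, name, t, d in parse_hex_values(text)]
```

Run `audit(SAMPLE_REG)` to see all three values come back as 2-byte DEVPROP_TYPE 0x04 with no issue, which is the case a .reg exporter has to accept rather than treat as a standard REG type.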

EricZimmerman commented 1 month ago

Exporting out as a reg is a convenience feature and not one that is core to its purpose. You could look at the registry project and see if anything can be tweaked

Whatslp commented 1 month ago

I am planning to. Still impressed with the inside of the registry I get out of this project. Thx for that.