search

EricZimmerman / Issues

This is a repository for reporting any issues in any of my software
MIT License
11 stars 3 forks source link

RegistryExplorer: Unable to load SYSTEM hive #96

Closed laurarondelezz closed 5 years ago

laurarondelezz commented 5 years ago

I am using v1.5.1.0. I am unable to load the SYSTEM hive and get the following error:

Sequence contains more than one matching element, Error message: Sequence contains more than one matching element, Stack trace:    at System.Linq.Enumerable.SingleOrDefault[TSource](IEnumerable`1 source, Func`2 predicate)
   at Registry.RegistryHive.ParseHive()
   at System.Threading.Tasks.Task.Execute()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at RegistryExplorer.Forms.Main.<LoadHive>d__46.MoveNext()
EricZimmerman commented 5 years ago

I'd need the hives and transaction logs to look at this. Did it tell you the hive was dirty or no?

How did you extract the hive and log files?

laurarondelezz commented 5 years ago

1) I sent you a mail with the hive and logs. 2) No. 3) I extracted them with X-WAYS.

EricZimmerman commented 5 years ago

Ok we'll just for kicks, mount the e01 with arsenal image mounter, and extract the hives with kape. I've seen xways mess up extraction recently. What version of xways is it?

laurarondelezz commented 5 years ago

I have mounted it with arsenal image mounter and then extracted the hives with kape but still get the same error. I use xways version 19.8 SR7

EricZimmerman commented 5 years ago

Ok. It's down to either a bug or a corruption issue. I'll look.