System.IndexOutOfRangeException when running rla.exe

[mischw]

RECmd version 2.0.0.0

rla version 2.0.0.0

Describe the bug I am trying to run rla.exe on the NTUSER.DAT of the Administrator account. While processing with rla.exe I get an error System.IndexOutOfRangeException. I also tried to run RECmd.exe which does not produce such message. Here are the logs:

.\rla.exe -f ..\Administrator_Profile\NTUSER.DAT --out ..\out\ --debug --trace

[13:27:01.013 INF] rla version 2.0.0.0

Author: Eric Zimmerman (saericzimmerman@gmail.com)
https://github.com/EricZimmerman/RECmd

Note: Enclose all strings containing spaces with double quotes

[13:27:01.024 INF] Command line: -f ..\Administrator_Profile\NTUSER.DAT --out ..\out\ --debug --trace

[13:27:01.025 INF] Processing hive ..\Administrator_Profile\NTUSER.DAT
[13:27:01.035 DBG] Got hive header. Embedded file name \Users\Administrator\ntuser.dat. Base Name ntuser.dat
[13:27:01.039 DBG] Got transaction log header. Embedded file name \Users\Administrator\ntuser.dat. Base Name ntuser.dat
[13:27:01.046 DBG] Got transaction log header. Embedded file name \Users\Administrator\ntuser.dat. Base Name ntuser.dat
[13:27:01.046 WRN] Dropping ..\Administrator_Profile\ntuser.dat.LOG2 because the log's header.PrimarySequenceNumber is less than the hive's header.SecondarySequenceNumber
[13:27:01.047 INF] Single log file available: ..\Administrator_Profile\ntuser.dat.LOG1
[13:27:01.048 INF] Replaying log file: ..\Administrator_Profile\ntuser.dat.LOG1
[13:27:01.050 INF] At least one transaction log was applied. Sequence numbers have been updated to 0x007E. New Checksum: 0xDF9139FB
[13:27:01.052 ERR] There was an error: Index was outside the bounds of the array.
System.IndexOutOfRangeException: Index was outside the bounds of the array.
   at rla.Program.DoWork(String f, String d, String out, Boolean ca, Boolean cn, Boolean nop, Boolean debug, Boolean trace)

[13:27:01.059 INF] Total processing time: 0.034 seconds

RECmd log:

.\RECmd.exe -f ..\Administrator_Profile\NTUSER.DAT --sk TEST123 --debug --trace

[2024-07-27 13:31:16.3148702 INF] RECmd version 2.0.0.0

Author: Eric Zimmerman (saericzimmerman@gmail.com)
https://github.com/EricZimmerman/RECmd

Note: Enclose all strings containing spaces (and all RegEx) with double quotes

[2024-07-27 13:31:16.3245568 INF] Command line: -f ..\Administrator_Profile\NTUSER.DAT --sk TEST123 --debug --trace

[2024-07-27 13:31:16.3265901 DBG] Loading plugin C:\Users\user\Desktop\RECmd\Plugins\RegistryPlugin.7-ZipHistory.dll
[...]

[2024-07-27 13:31:16.3502531 INF] Processing hive ..\Administrator_Profile\NTUSER.DAT
[2024-07-27 13:31:16.3603351 DBG] Got hive header. Embedded file name \Users\Administrator\ntuser.dat. Base Name ntuser.dat
[2024-07-27 13:31:16.3640695 DBG] Got transaction log header. Embedded file name \Users\Administrator\ntuser.dat. Base Name ntuser.dat
[2024-07-27 13:31:16.3694608 DBG] Got transaction log header. Embedded file name \Users\Administrator\ntuser.dat. Base Name ntuser.dat
[2024-07-27 13:31:16.3694747 WRN] Dropping ..\Administrator_Profile\ntuser.dat.LOG2 because the log's header.PrimarySequenceNumber is less than the hive's header.SecondarySequenceNumber
[2024-07-27 13:31:16.3696209 INF] Single log file available: ..\Administrator_Profile\ntuser.dat.LOG1
[2024-07-27 13:31:16.3696366 INF] Replaying log file: ..\Administrator_Profile\ntuser.dat.LOG1
[2024-07-27 13:31:16.3712693 INF] At least one transaction log was applied. Sequence numbers have been updated to 0x007E. New Checksum: 0xDF9139FB
[2024-07-27 13:31:16.3712913 DBG] Got hive header. Embedded file name \Users\Administrator\ntuser.dat. Base Name ntuser.dat
[2024-07-27 13:31:16.3759540 DBG] Header length is smaller than the size of the file.
[2024-07-27 13:31:16.3793292 VRB] Processing hbin at relative offset 0x0 (Absolute offset: 0x1000)

[...]

[2024-07-27 13:31:16.4953274 VRB] Processing hbin at relative offset 0x5E000 (Absolute offset: 0x5F000)
[2024-07-27 13:31:16.4955824 WRN] hbin header incorrect at absolute offset 0x60000!!! Percent done: 75,00 %
[2024-07-27 13:31:16.4956122 DBG] Initial processing complete. Building tree...
[2024-07-27 13:31:16.4962702 DBG] Found root node! Getting subkeys...
[2024-07-27 13:31:16.4964104 DBG] Created root node object. Getting subkeys.
[2024-07-27 13:31:16.5132608 DBG] Hive processing complete!
[2024-07-27 13:31:16.5134652 WRN] Extra, non-zero data found beyond hive length! Check for erroneous data starting at 0x60000!
[2024-07-27 13:31:16.5175140 DBG] Associating deleted keys and values...
[2024-07-27 13:31:16.5186046 DBG] Building tree of key/subkeys for deleted keys
[2024-07-27 13:31:16.5187849 DBG] Associating top level deleted keys to active Registry keys
[2024-07-27 13:31:16.5189370 DBG] Iterating unreferenced VK records
[2024-07-27 13:31:16.5190543 DBG] Flushing record lists...

[2024-07-27 13:31:16.5219721 INF]   Nothing found

To Reproduce I took the NTUSER.DAT from the DC01 Image from here if you want to reproduce.

Expected behavior I wanted rla.exe to write a clean NTUSER.DAT to ..\out\ for further processing.

[bmmojo]

@mischw

In rla.exe you need to include --ca and/or --cn in your command depending on your use case.

rla.exe -d [registry directory] --ca False --cn False --out [output directory] This will export only the ntuser/usrclass hives that need to be replayed (i.e., dirty) into the specified directory.

rla.exe -d [registry directory] --cn False --out [output directory] This will export all the ntuser/usrclass hives regardless of if they need to be replayed into the specified directory.

rla.exe -d [single registry directory] --cn False --nop True [output directory]

rla.exe -d E:\C\Users\johndoe --cn False --nop True C:\output"

This will export only the ntuser/usrclass hive specified but will not recreate the path where the hives were located.

You can also run rla.exe -d C:\Users --out C:\out to find out which user hives are dirty too.

I hope that helps you out!

[EricZimmerman]

Sometimes it just happens. Could be how you pulled the logs, could be a bug. I haven't seen a consistent problem for me to fix tho. Use the nologs switch on the tools and it generally can open things, without the logs of course

[mischw]

@bmmojo Thanks for the suggestion. Unfortunately even with the ca/cn flags I get the error message and the hives are not copied.

@EricZimmerman But how come RECmd is able to open and replay these log files? I assumed RECmd is based on / or shares code with rla. Is that not the case?

[EricZimmerman]

If recmd works so should rla

On Tue, Jul 30, 2024, 4:04 PM Michael @.***> wrote:

@bmmojo https://github.com/bmmojo Thanks for the suggestion. Unfortunately even with the ca/cn flags I get the error message and the hives are not copied.

@EricZimmerman https://github.com/EricZimmerman But how come RECmd is able to open an replay these log files? I assumed RECmd is based on / or shares code with rla. Is that not the case?

— Reply to this email directly, view it on GitHub https://github.com/EricZimmerman/RECmd/issues/59#issuecomment-2259115638, or unsubscribe https://github.com/notifications/unsubscribe-auth/ABARKJTA747OBRI4WVB2KFLZO7WTZAVCNFSM6AAAAABLR2E25KVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDENJZGEYTKNRTHA . You are receiving this because you were mentioned.Message ID: @.***>

[mischw]

Sorry, I expressed myself incorrectly. According to the logs both, rla and recmd, are actually able to replay the logs fine. The error with rla seems to be after that when the updated hive should be written to file, just before the Saving updated hive to ... which is never reached with rla.

[EricZimmerman]

Sharing the hive and corresponding logs goes a long way to fixing this stuff

[mischw]

In my initial post I provided

• Debug Log of rla
• Debug Log of recmd
• Link to the image containing the hive

For your convenience, here is the extracted hive too. I don't see what else I could possibly provide.

[EricZimmerman]

this should be fixed. was an issue finding the name of the profile, etc. please test rla again

[mischw]

I can confirm it does work now. Thanks!