Hello.
The bug is here: https://github.com/EricZimmerman/Registry/blob/1a301f3f237e81cbd2738e444c30e10c76214286/Registry/Other/HBinRecord.cs#L325
If the remainingData.Length - actualStart < size condition is met, the deleted item isn't processed. This condition can be true for a valid deleted key/value if its cell has been merged with a preceding one and then the resulting cell is split to hold a subkeys list, so the deleted key/value goes to the slack of this list (i.e., stored after its last item).

Here is an example (this is the SYSTEM hive file from the 2018 Lone Wolf Scenario, without transaction log files applied):

The remnant cell size field for the deleted key in question, whose value is 0x00000178, is too large for the cell containing the subkeys list (the actualStart value plus the size value point beyond the end of the cell).

Registry Explorer 2.0.0.0 doesn't recover that key:
The same key can be recovered using yarp: