Invoke-IR / PowerForensics

PowerForensics provides an all in one platform for live disk forensic analysis
MIT License

Get-ForensicRegistryKey: Source array was not long enough #103

Open nremezov opened 8 years ago

nremezov commented 8 years ago

While it works for some values like "IBM" and "Oracle", Get-ForensicRegistryKey for the "Microsoft" value gives the error below:

PS C:\Windows\system32> Get-ForensicRegistryKey -HivePath C:\Windows\system32\config\SOFTWARE -Key Microsoft
Get-ForensicRegistryKey : Source array was not long enough. Check srcIndex and length, and the array's lower bounds.
At line:1 char:1

jaredcatkinson commented 8 years ago

Would you mind posting the value of the $stacktrace variable after each error? Or even better share the reg keys with me at jared@invoke-ir.com (If you are not comfortable with this then $stacktrace will be helpful)

nremezov commented 8 years ago

Can you tell me how I can do that (get the value of $stacktrace)?

Nikita

On Tue, Dec 1, 2015 at 7:52 PM, Jared Atkinson notifications@github.com wrote:

Would you mind posting the value of the $stacktrace variable after each error? Or even better share the reg keys with me at jared@invoke-ir.com (If you are not comfortable with this then $stacktrace will be helpful)


jaredcatkinson commented 8 years ago

At the PowerShell prompt you should just be able to type "$stacktrace". If you could do this for all errors you have reported I'd appreciate it.

nremezov commented 8 years ago

PS C:\Windows\system32> $stacktrace
   at System.Array.Copy(Array sourceArray, Int32 sourceIndex, Array destinationArray, Int32 destinationIndex, Int32 length, Boolean reliable)
   at System.Array.Copy(Array sourceArray, Int32 sourceIndex, Array destinationArray, Int32 destinationIndex, Int32 length)
   at PowerForensics.Registry.NamedKey.GetSubKeys(Byte[] bytes, String key) in C:\Users\tester\Documents\GitHub\PowerForensics\PowerForensics\src\Windows\Registry\Cells\NamedKey.cs:line 264
   at PowerForensics.Cmdlets.GetRegistryKeyCommand.ProcessRecord() in C:\Users\tester\Documents\GitHub\PowerForensics\PowerForensics\src\Cmdlets\OperatingSystem\Windows\Get-RegistryKey.cs:line 72
   at System.Management.Automation.CommandProcessor.ProcessRecord()

jaredcatkinson commented 8 years ago

Just trying to narrow it down.

Is "Microsoft" listed as a subkey when you run the command "Get-ForensicRegistryKey -HivePath C:\Windows\system32\config\SOFTWARE"?

What language pack is being used on the system?

jaredcatkinson commented 8 years ago

Also are only commands involving the registry affected?
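One way to do the narrowing-down asked for above, as an added example that is not code from this thread or from the PowerForensics project: the script lists the subkeys of the hive root with Get-ForensicRegistryKey (using only the -HivePath and -Key parameters that appear in the report), then requests every one of those subkeys by name and records the exception message and .NET stack trace for each one that throws, so the failing key names and traces can be pasted into the issue in one go. It assumes the PowerForensics module imports, that the SOFTWARE hive is at the path from the report, and that the key objects returned by Get-ForensicRegistryKey expose a Name property; the $StackTrace automatic variable referred to above holds the trace of the most recent error, which is the same information the caught exception's StackTrace property carries.

```powershell
# Added triage script for this issue; not code from PowerForensics or from the thread.
# Assumptions: the PowerForensics module imports, the SOFTWARE hive is at the path
# below (as in the report), and the key objects returned by Get-ForensicRegistryKey
# expose a Name property.
Import-Module PowerForensics -ErrorAction Stop

$Hive = 'C:\Windows\System32\config\SOFTWARE'

# Step 1: list the top-level subkeys of the hive root. This is the call asked about
# above: if "Microsoft" is not in this list, the later failure is a different problem.
$RootKeys = Get-ForensicRegistryKey -HivePath $Hive
$Names    = @($RootKeys | ForEach-Object { $_.Name })   # Name is an assumed property
"Hive root has $($Names.Count) subkeys; 'Microsoft' present: $($Names -contains 'Microsoft')"

# Step 2: request every subkey by name and record which ones throw, together with
# the message and the .NET stack trace (what $StackTrace shows at the prompt).
$Results = foreach ($Name in $Names) {
    try {
        $Sub = Get-ForensicRegistryKey -HivePath $Hive -Key $Name -ErrorAction Stop
        [pscustomobject]@{
            Key        = $Name
            Status     = 'OK'
            SubKeys    = @($Sub).Count
            Message    = $null
            StackTrace = $null
        }
    }
    catch {
        [pscustomobject]@{
            Key        = $Name
            Status     = 'FAIL'
            SubKeys    = $null
            Message    = $_.Exception.Message
            StackTrace = $_.Exception.StackTrace
        }
    }
}

# Step 3: report. "Source array was not long enough" is the ArgumentException that
# .NET's Array.Copy raises when sourceIndex + length runs past the end of the source
# array, so the names of the failing keys are what the maintainer needs to reproduce.
$Results | Where-Object Status -eq 'FAIL' | Format-List Key, Message, StackTrace
$Results | Group-Object Status | Select-Object Name, Count
```

Running it against a copy of the hive exported from the affected machine (rather than the live file under \Windows\System32\config) avoids any sharing-violation noise and keeps the evidence file unchanged; the FAIL rows, with their StackTrace column, are what the thread asks the reporter to post.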

nremezov commented 8 years ago

Is "Microsoft" listed as a subkey when you run the command "Get-ForensicRegistryKey -HivePath C:\Windows\system32\config\SOFTWARE"?

Yes, I've tried it as a value to search for. Other test values I've tried

On Wed, Dec 2, 2015 at 12:51 AM, Jared Atkinson notifications@github.com wrote:

Just trying to narrow it down.

Is "Microsoft" listed as a subkey when you run the command "Get-ForensicRegistryKey -HivePath C:\Windows\system32\config\SOFTWARE"?

What language pack is being used on the system?


nremezov commented 8 years ago

Can you clarify the question, please?

On Wed, Dec 2, 2015 at 12:53 AM, Jared Atkinson notifications@github.com wrote:

Also are only commands involving the registry affected?
