MarkBaggett / srum-dump

A forensics tool to convert the data in the Windows srum (System Resource Usage Monitor) database to an xlsx spreadsheet.
GNU General Public License v3.0

Unable to retrieve number of records #27

Open nurajbihari opened 4 years ago

nurajbihari commented 4 years ago

Getting the following error when trying to run Srum dump from commandline. Got similar error when running it from the GUI as well. Running as Admin.

Traceback (most recent call last):
File "srum_dump2.py", line 581, in
File "srum_dump2.py", line 316, in process_srum
File "srum_dump2.py", line 316, in
OSError: pyesedb_table_get_number_of_records: unable to retrieve number of records.
libcdata_array_get_entry_by_index: invalid entry index value out of bounds.
libfdata_vector_get_element_index_at_offset: unable to retrieve entry: 2 from mapped ranges array.
libfdata_vector_get_element_value_at_offset: unable to retrieve element index at offset: 0x029de000.
libesedb_page_tree_read_page: unable to retrieve page: 10719 at offset: 0x029de000.
libesedb_page_tree_read_node: unable to read page: 10719 at offset: 0x029de000.
libfdata_btree_read_node: unable to read node at offset: 43900928.
libfdata_btree_read_sub_tree: unable to read node.
libfdata_btree_get_number_of_leaf_values: unable to read root node sub tree.
libesedb_table_get_number_of_records: unable to retrieve number of leaf values from table values tree.

MarkBaggett commented 4 years ago

I'd like to help. Based on the error it appears that the file is not a valid ESE database. It would be most helpful if you could record yourself running it and post the gif here.

Here is a screencap to gif package I like. https://www.cockos.com/licecap/

nurajbihari commented 4 years ago

[screenshots: cmdline, gui]

I ran them from the command line and from the gui. The drive mounted as F: is from a KAPE vhdx capture I did for testing. I've tried running them from different directories as well but they're currently both in kape's modules directory. I was able to get the kape module to work using srum_dump_csv.exe on the same mounted capture but it looked like there was more info available in srum_dump2.exe so I wanted to try to explore using that.

Let me know what else we can provide or test.

MarkBaggett commented 4 years ago

The error message indicates that the SOFTWARE registry key doesn't have any wireless data. Please try running it again without that argument. Just leave the software key blank.

Mark

MarkBaggett commented 4 years ago

Also, if you prefer the command line then you should really check out ese-analyst. I intended for this product to be a GUI based point and click (run as admin, click "live acquire"). If you want scalability and more control I'd suggest looking at https://github.com/MarkBaggett/ese-analyst. That isn't to say I won't fix this. I really would like to understand what is happening.

nurajbihari commented 4 years ago

I left out the Software registry from the command; it didn't fix the issue. The thing is, this worked at one point but then it stopped. Also, it's not working in Windows 10 VMware Workstation.

MarkBaggett commented 4 years ago

There are two distinct error messages being printed when you run the program. The first one, "Registry key not found" "Microsoft\WLanSvc\Interfaces",

is not a critical error; however, the program will not be able to pull the names of any wireless connections that you have recorded in the srum.

The second error, "pyesedb_table_get_number_of_records" "unable to retrieve number of records", is a critical error. The error indicates that the standard ESE library that I depend upon cannot retrieve the number of records. This is usually caused by file corruption or a dirty table. The dirty table issue is resolved if you let srum-dump extract the data for you using esentutl. If that isn't an option you may need to repair the database.

You could try running "esentutl /p /path/to/srudb.dat/not/locked/by/os /g" to repair the file. Can you confirm the ESE database opens properly with another tool such as: https://www.nirsoft.net/utils/ese_database_view.html
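The diagnosis above (libesedb failing in get_number_of_records because of a dirty or corrupt table) is easier to confirm if the check is done per table rather than letting the whole export die on the first failure. The helper below is an added example, not srum-dump's own code: it opens an ESE database with the pyesedb binding and records, for each table, either the record count or the libesedb error chain, and it parses that chain to pull out the page number and file offset that libesedb names, so the failure can be pinned to one table and one page. It assumes pyesedb (the libesedb Python binding) is installed for the open step; the parser itself has no dependencies and is exercised on the error text quoted earlier in this issue.

```python
"""Per-table health check for an ESE database (added example, not part of srum-dump).

Assumes the pyesedb binding for libesedb is importable for table_record_counts();
the error-chain parser below needs only the standard library.
"""
import re
from typing import Dict, List, Optional, Tuple, Union

# libesedb reports failures as a chain of "<lib>_<function>: message." entries
# joined on one line, outermost call first and innermost cause last. The
# top-level entry comes from the Python binding and is prefixed "pyesedb_".
_ENTRY_RE = re.compile(
    r"((?:lib|py)[a-z]+_[a-z0-9_]+):\s*(.*?)(?=\s+(?:lib|py)[a-z]+_[a-z0-9_]+:|\s*$)",
    re.S,
)
_PAGE_RE = re.compile(r"page:\s*(\d+)")
_OFFSET_RE = re.compile(r"offset:\s*(0x[0-9a-fA-F]+|\d+)")

# Error text copied from the first report in this issue, used as the sample input.
SAMPLE_ERROR = (
    "pyesedb_table_get_number_of_records: unable to retrieve number of records. "
    "libcdata_array_get_entry_by_index: invalid entry index value out of bounds. "
    "libfdata_vector_get_element_index_at_offset: unable to retrieve entry: 2 from mapped ranges array. "
    "libfdata_vector_get_element_value_at_offset: unable to retrieve element index at offset: 0x029de000. "
    "libesedb_page_tree_read_page: unable to retrieve page: 10719 at offset: 0x029de000. "
    "libesedb_page_tree_read_node: unable to read page: 10719 at offset: 0x029de000. "
    "libfdata_btree_read_node: unable to read node at offset: 43900928. "
    "libfdata_btree_read_sub_tree: unable to read node. "
    "libfdata_btree_get_number_of_leaf_values: unable to read root node sub tree. "
    "libesedb_table_get_number_of_records: unable to retrieve number of leaf values from table values tree."
)


def parse_esedb_error(message: str) -> List[Tuple[str, str]]:
    """Split a libesedb error string into (function, message) pairs, outermost first."""
    return [(m.group(1), m.group(2).strip().rstrip(".")) for m in _ENTRY_RE.finditer(message)]


def failing_page(message: str) -> Optional[int]:
    """Return the first ESE page number named in the error chain, if any."""
    m = _PAGE_RE.search(message)
    return int(m.group(1)) if m else None


def failing_offset(message: str) -> Optional[int]:
    """Return the first file offset named in the error chain (hex or decimal), if any."""
    m = _OFFSET_RE.search(message)
    return int(m.group(1), 0) if m else None


def table_record_counts(path: str) -> Dict[str, Union[int, str]]:
    """Open an ESE database and return {table_name: record_count or error text}.

    A table whose record count cannot be read is reported with the libesedb
    error string instead of aborting the whole run, so one bad page tree does
    not hide the tables that are still readable.
    """
    import pyesedb  # libesedb binding; imported lazily so the parser works without it

    esedb = pyesedb.file()
    esedb.open(path)
    try:
        results: Dict[str, Union[int, str]] = {}
        for table in esedb.tables:
            try:
                results[table.name] = table.get_number_of_records()
            except OSError as exc:
                results[table.name] = str(exc)
        return results
    finally:
        esedb.close()


def report(path: str) -> None:
    """Print one line per table; for failures, add the innermost cause and page."""
    for name, result in table_record_counts(path).items():
        if isinstance(result, int):
            print(f"{name}: {result} records")
        else:
            chain = parse_esedb_error(result)
            cause = chain[-1][1] if chain else result
            print(f"{name}: FAILED (page {failing_page(result)}, "
                  f"offset {failing_offset(result)}): {cause}")


if __name__ == "__main__":
    import sys
    # Run against a copy extracted with esentutl, never the live, locked file.
    report(sys.argv[1] if len(sys.argv) > 1 else "srudb.dat")
```

Run it against the copy that esentutl produced (or the repaired file) rather than the live srudb.dat; a single table reporting FAILED with a page number points at a dirty or damaged page tree, while every table returning a count indicates the file itself is fine and the problem lies in the tool or build.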

MarkBaggett commented 4 years ago

Hi @nurajbihari Did you try to repair the database and/or use ese_database to view the file to confirm the file is not corrupt? Thanks

MarkBaggett commented 4 years ago

Closing. No response.

MRandol commented 3 years ago

Apologies in advance if this is the wrong way to bring this up again.

I am getting a similar error running v2.2 on Win10 Home 2004. The .db file does open using the NirSoft tool and appears ok to my untrained eye. The SOFTWARE registry key file was not used. Here's a copy of the response from the cmd window. The .db file was Auto Extracted and copied to a folder "SRUM" on the desktop.

srum_dump2.2.exe
Traceback (most recent call last):
File "srum_dump2.py", line 584, in
File "srum_dump2.py", line 319, in process_srum
File "srum_dump2.py", line 319, in
OSError: pyesedb_table_get_number_of_records: unable to retrieve number of records.
libcdata_btree_insert_value: unable
libesedb_table_get_number_of_records: unable to retrieve number of leaf values from table page tree.. page: 5525.
[4412] Failed to execute script srum_dump2

The elevated cmd responses running in the default extracted directories is:
srum_dump2.2.exe
Extracting srum with esentutl.exe
C:\WINDOWS\system32\esentutl.exe /y c:\windows\system32\sru\srudb.dat /vss /d C:\Users\xxxxx\AppData\Local\Temp\tmp3bp_pz0w\srudb.dat
Extracting Registry with esentutl.exe
C:\WINDOWS\system32\esentutl.exe /y c:\windows\system32\config\SOFTWARE /vss /d C:\Users\xxxxx\AppData\Local\Temp\tmp3bp_pz0w\SOFTWARE
Traceback (most recent call last):
File "srum_dump2.py", line 584, in
File "srum_dump2.py", line 319, in process_srum
File "srum_dump2.py", line 319, in
OSError: pyesedb_table_get_number_of_records: unable to retrieve number of records.
libcdata_btree_insert_value: unable
libesedb_table_get_number_of_records: unable to retrieve number of leaf values from table page tree.. page: 5525.
[5184] Failed to execute script srum_dump2

I did not check this db file using the NirSoft tool.

I was getting similar errors on another Win10 Home <rev 19xx> machine. Either I'm consistently wrong, or it's repeatable across very different hardware.

srum_dump2.2.exe
Traceback (most recent call last):
File "srum_dump2.py", line 584, in
File "srum_dump2.py", line 319, in process_srum
File "srum_dump2.py", line 319, in
OSError: pyesedb_table_get_number_of_records: unable to retrieve number of records.
libcdata_btree_insert_value: unable
libesedb_table_get_number_of_records: unable to retrieve number of leaf values from table page tree.. page: 840..
[11544] Failed to execute script srum_dump2

Hope it helps.

MRandol commented 3 years ago

Just ran the source and it completes fine. The downloadable executable throws the errors.

MarkBaggett commented 3 years ago

Hi @MRandol I apologize for not seeing this until now. Would you mind if I rebuild the EXE and send you a new one to have you test it again?

MRandol commented 3 years ago

No worries. Holidays! Anyway, I got what I needed running the sources. I'd be happy to try the new build. I don't run exe's people send me in the mail, even if I might know them. 😁 No problem downloading from the repo tho'.

Mark


MarkBaggett commented 3 years ago

Again sorry for the delays. I published a new exe in the release. If you wouldn't mind running it to see if it fixes the issue I would appreciate the help.

https://github.com/MarkBaggett/srum-dump/releases/tag/1.2-test

MRandol commented 3 years ago

Looks like the same errors to me. Just running defaults from an elevated command prompt (Win10 Home 2004). Haven't tried just running the sources since they worked before.

srum_dump2_test.exe
Traceback (most recent call last):
File "srum_dump2.py", line 584, in
File "srum_dump2.py", line 319, in process_srum
File "srum_dump2.py", line 319, in
OSError: pyesedb_table_get_number_of_records: unable to retrieve number of records.
libcdata_btree_insert_value: unable to retrieve split sub node by value.
libesedb_page_tree_get_number_of_leaf_values: unable insert leaf page descriptor into tree.
libesedb_table_get_number_of_records: unable to retrieve number of leaf values from table page tree.
[7700] Failed to execute script srum_dump2

MarkBaggett commented 3 years ago

Darn it. I’m not sure why it breaks when we make it an EXE when you run it. I can’t reproduce it on my side. If you are willing I could try building the EXE with a couple of programs other than pyinstaller and see if we can fix it.

Mark


MRandol commented 3 years ago

You mean I get to learn something? Nice!

What are your suggestions?

MarkBaggett commented 3 years ago

I updated the 3rd party modules used by srum-dump and rebuilt the EXE. No real changes were made to the code other than bumping the version number and changing the color scheme so I can easily identify when someone is using an EXE that has this issue. Version TabBlue is in the release section. I've tested it on a SRUM that was provided to me that consistently caused the program to crash. This version doesn't crash on that file any more. I hope that fixed it for everyone else, but it is hard to say. The problem was in one of the modules I am using or in the pyinstaller build process. Since I am not changing my code it is hard to say for sure if this fixes it.

MarkBaggett commented 3 years ago

Please try version TanBlue from the releases section.

https://github.com/MarkBaggett/srum-dump/releases