Closed jstore closed 7 years ago
The message "Unable to find table Undocumented Windows 10 Table {97C2CE28-A37B-4920-B1E9-8B76CD341EC5}" is just a Warning and can be ignored. It means that that table doesn't exist in the SRUM file you are analyzing. If you would like you can just delete the Undocumented Windows 10 tab from the template file and it won't try to analyze that any more.
The message "I was unable to write the output file. Do you have an old version open? If not this is probably a path or permissions issue" occurs when the program is unable to write the output file you specified on the command line to disk. Make sure you have permissions to create the xlsx file that you specified with the output argument.
The small template isn't intended for production. It is just an example of how you can set other attributes up in the template file and change fonts.
Thanks, Mark Baggett
On Tue, Jan 24, 2017 at 12:00 PM, jstore notifications@github.com wrote:
Hmmm... I get the following when I use the default template:
Unable to find table Undocumented Windows 10 Table {97C2CE28-A37B-4920-B1E9-8B76CD341EC5}
I was unable to write the output file. Do you have an old version open? If not this is probably a path or permissions issue.
Error : Finished!
And I get this when I use the small template:
Traceback (most recent call last):
File "", line 347, in
AttributeError: 'NoneType' object has no attribute 'replace'
This is running on a Windows 10 Enterprise v1607 with a copy of the SRUDB.dat file from the same machine.
— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/MarkBaggett/srum-dump/issues/3, or mute the thread https://github.com/notifications/unsubscribe-auth/AAtZDabNMSeyKcdYIxIUeozs5_13d48Qks5rVi4ZgaJpZM4LshQw .
Hi Mark,
I'm running the exe as a local admin and an ouput.xlsx file is created (almost 2 MB), but when I go to open it in Excel 2016 it says, "The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt".
This happens using either template so I thought it was related to the error messages I was seeing.
-Justin
Justin Store Security Architect Michigan Tech University http://www.mtu.edu/ Information Technology http://www.it.mtu.edu/ 906.487.1477
Hi Mark,
I've done some more testing with a different SRUDB.dat file and the tool works as expected.
The original SRUDB.dat file I was using was taken from my Windows 10 machine while using the system. I didn't get any errors about the file being locked or open so I figured it would work.
The second SRUDB.dat file was taken from a Windows 8.1 machine while using the system. I had to disable a couple of services to release the hold on the file.
Assuming you've tested this on Windows 10 SRUDB.dat files, I believe the issue may be related to copying it while in use. Oddly, Windows didn't have any issue with me copying it as long as I was a local admin. I've re-copied the file from my live system and get the same result (corrupt output file).
-Justin
Justin, Thanks for taking my call yesterday and thanks for the feedback. It has been tested extensively on Windows 10.
There is some discussion in the comments on this post about how to grab the file on a system where it is locked. I use Volume Shadow copies but the Invoke-NinjaCopy utility is a good option also.
Mark
Thanks Mark,
I saw that, but didn't think it would be required if the OS didn't complain.
Thanks for following up,
-Justin
This and similar issues all appear to be related to corrupt srudb.dat files as a result of file system locks. I am closing the ticket. Please let me know if any further attention is required.
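An added example (not part of the thread and not srum-dump's own code): SRUDB.dat is an ESE database, and its file header records a shutdown state, so a copy can be checked for having been taken from a database still in use before it is parsed. The offsets follow the publicly documented ESE header layout; the function names and the sample headers are constructed for illustration.

```python
import struct
import sys

ESE_MAGIC = 0x89ABCDEF   # ESE signature, little-endian 32-bit value at offset 4
STATE_OFFSET = 52        # 32-bit database state field in the file header
DB_STATES = {
    1: "JustCreated",
    2: "DirtyShutdown",   # database was attached/in use when the bytes were copied
    3: "CleanShutdown",
    4: "BeingConverted",
    5: "ForceDetach",
}


def ese_state(header: bytes) -> str:
    """Return the database state name from the first bytes of an ESE file."""
    if len(header) < STATE_OFFSET + 4:
        raise ValueError("too short to hold an ESE header")
    (magic,) = struct.unpack_from("<I", header, 4)
    if magic != ESE_MAGIC:
        raise ValueError("not an ESE database (bad signature)")
    (state,) = struct.unpack_from("<I", header, STATE_OFFSET)
    return DB_STATES.get(state, f"Unknown({state})")


def check_srudb(path: str) -> str:
    """Read only the header of a SRUDB.dat copy and report its state."""
    with open(path, "rb") as fh:
        return ese_state(fh.read(STATE_OFFSET + 4))


def is_consistent(state: str) -> bool:
    """Only a cleanly shut down database is safe to treat as consistent."""
    return state == "CleanShutdown"


def make_header(state: int) -> bytes:
    """Constructed sample header: only the signature and state are filled in."""
    buf = bytearray(STATE_OFFSET + 4)
    struct.pack_into("<I", buf, 4, ESE_MAGIC)
    struct.pack_into("<I", buf, STATE_OFFSET, state)
    return bytes(buf)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        result = check_srudb(sys.argv[1])
        print(result, "- consistent" if is_consistent(result) else "- re-acquire the file")
    else:
        for sample in (2, 3):   # constructed headers, not real evidence
            print(sample, ese_state(make_header(sample)))
```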