Closed giomke closed 6 years ago
Thanks for reporting that. I need a little more information to fix it / reproduce the problem. That particular block of code is actually from Google's Rapid Response framework.
https://github.com/google/grr/blob/master/grr/parsers/wmi_parser.py
So I'm guessing the error is occurring because I'm not validating that you pulled valid user SIDs from SRUM. This could be because your copy of the SRUM database was corrupt or a few other possibilities. I assume you are passing a -o SOFTWARE registry key. Does it work when you don't?
I get the same error. I did pass it the SOFTWARE hive but get the same error without it. I am able to open the SRUM DB in ESEDatabaseview. I extracted it off a live system using robocopy /B. I was attempting to use FGET.exe originally but was seeing some weird issues where it wasn't successfully grabbing the entire file.
What if you try it without the software option?
Mark
Yep I get the same error without the software option.
Any chance that you can share a copy of your srum file with me?
Mark
Sure where should I send it?
Lo127001 at gmail dot com please
Mark
Thanks. That is extremely helpful. The issue is that sometimes SRUM records a SID of all 0s:
(Pdb) p rec_entry
OrderedDict([('IdType', 3), ('IdIndex', 38127), ('IdBlob', '0000000000000000')])
When I pass that data off to the Google Rapid Response function it raises that error. I'm putting the call to the GRR function in a try/except block. That will prevent the error, although I am not sure why SRUM is recording SIDs of all 0s.
Here is the new code to fix it, beginning on line 130. I'll post an update shortly.

```python
elif rec_entry['IdType'] == 3:
    # IdType 3 entries carry a binary SID as a hex string; convert it to S-1-... form
    try:
        user_blob = BinarySIDtoStrSID(rec_entry['IdBlob'].decode("hex"))  # Python 2 hex decode
    except:
        # the all-zero IdBlob makes the GRR routine raise; record 'None' instead of crashing
        user_blob = 'None'
    id_lookup[rec_entry['IdIndex']] = user_blob
```
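A Python 3 version of the IdMap lookup described above, added here as an example and not srum-dump's or GRR's own code: it decodes the binary SID itself and returns None for the all-zero or truncated blob, so the lookup falls back to 'None' without a bare except hiding unrelated errors. The sample rows, their IdIndex values and the SID blobs are constructed for the example.

```python
import struct
from typing import Optional

# Constructed sample IdMap rows shaped like the (Pdb) dump in the issue.
# IdType 3 rows hold a Windows SID as a hex string; the first is the
# all-zero blob that triggered the crash.
SAMPLE_ROWS = [
    {'IdType': 3, 'IdIndex': 38127, 'IdBlob': '0000000000000000'},
    {'IdType': 3, 'IdIndex': 38128, 'IdBlob': '010100000000000512000000'},          # S-1-5-18
    {'IdType': 3, 'IdIndex': 38129, 'IdBlob': '01020000000000052000000020020000'},  # S-1-5-32-544
    {'IdType': 3, 'IdIndex': 38130, 'IdBlob': '0102000000000005200000002002'},      # truncated
    {'IdType': 0, 'IdIndex': 38131, 'IdBlob': '4100700070002e006500780065000000'},  # not a SID
]


def binary_sid_to_str(sid: bytes) -> Optional[str]:
    """Decode a binary SID (revision, sub-authority count, 48-bit big-endian
    authority, then count x uint32 little-endian sub-authorities) into
    S-R-A-... form. Returns None for anything malformed instead of raising."""
    if len(sid) < 8:
        return None
    revision, count = sid[0], sid[1]
    # Real SIDs always have revision 1; the all-zero blob fails right here.
    if revision != 1 or count == 0 or count > 15:
        return None
    if len(sid) != 8 + 4 * count:
        return None  # truncated or padded blob
    authority = int.from_bytes(sid[2:8], 'big')
    subs = struct.unpack('<%dI' % count, sid[8:])
    return 'S-%d-%d-%s' % (revision, authority, '-'.join(str(s) for s in subs))


def build_id_lookup(rows) -> dict:
    """Mirror the issue's fix: map IdIndex -> SID string, 'None' on failure,
    catching only the hex-decoding error rather than everything."""
    id_lookup = {}
    for rec_entry in rows:
        if rec_entry['IdType'] != 3:
            continue
        try:
            blob = bytes.fromhex(rec_entry['IdBlob'])
        except ValueError:
            blob = b''
        sid = binary_sid_to_str(blob)
        id_lookup[rec_entry['IdIndex']] = sid if sid is not None else 'None'
    return id_lookup
```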
Great news. Thanks Mark!
I think the update I just pushed this morning will resolve this issue. Thank you for reporting it and sending me the files needed to troubleshoot it.
Mark Baggett
Posting here just to say thank you - this was extremely helpful and good timing to prompt an update of the srum-dump on the Windows SIFT workstation being used in the Sans.org class I'm taking right now online.
Was attempting to validate some of these steps against some of our known good enterprise system images and was getting this error.
After update:
"User SID not found : OrderedDict([(b'IdType', 3), (b'IdIndex', 670), (b'IdBlob', b'0000000000000000')]) local variable 'sid_str' referenced before assignment"
Informational message, did not stop the program from completing successfully - Thanks again!