libyal / winevt-kb

Windows Event Log Knowledge Base
Apache License 2.0

Traceback with McAfee DLLs mfeapfk.sys #2

Closed jahrome closed 9 years ago

jahrome commented 9 years ago

Seems like the issue is on McAfee side since it specifies a directory path instead of the full path:

C:\Program Files\Common Files\McAfee\SystemCore\\

Traceback (most recent call last):
  File "extract.py", line 1089, in <module>
    if not Main():
  File "extract.py", line 1070, in Main
    extractor.ExtractEventLogMessageStrings(output_writer)
  File "extract.py", line 475, in ExtractEventLogMessageStrings
    message_file = self._OpenMessageResourceFile(message_filename)
  File "extract.py", line 409, in _OpenMessageResourceFile
    file_object = resolver.Resolver.OpenFileObject(path_spec)
  File "/usr/lib/python2.7/site-packages/dfvfs/resolver/resolver.py", line 106, in OpenFileObject
    file_object = resolver_helper.OpenFileObject(path_spec, resolver_context)
  File "/usr/lib/python2.7/site-packages/dfvfs/resolver/os_resolver_helper.py", line 47, in OpenFileObject
    file_object.open(path_spec=path_spec)
  File "/usr/lib/python2.7/site-packages/dfvfs/file_io/os_file_io.py", line 113, in open
    self._file_object = open(location, mode=mode)
IOError: [Errno 21] Is a directory: u'/mnt/nbd2p2/Program Files/Common Files/McAfee/SystemCore'

$ regfmount /mnt/nbd2p2/Windows/System32/config/SYSTEM /mnt/tmp0
$ cat "/mnt/tmp0/ControlSet001/services/eventlog/System/mfeapfk.sys/(values)/EventMessageFile"
C:\Program Files\Common Files\McAfee\SystemCore\\

The same for mfeavfk.sys, mferkdet.sys.

joachimmetz commented 9 years ago

Thx, I'll have a look when time permits.

joachimmetz commented 9 years ago

The script should no longer throw a traceback when it encounters a directory, though it would be useful to determine what the behavior of Event Viewer is in these cases. Can you check if it shows the formatted strings in Event Viewer? Then I would suspect that it defaults to the service name in case of a directory.

jahrome commented 9 years ago

Unfortunately there are no such messages on my test machine, but I'll come back on this as soon as I encounter those messages.

joachimmetz commented 9 years ago

The extract script now tries to detect a directory and then tries to add the event log provider source.
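The fallback the maintainer describes above (detect that EventMessageFile points at a directory and retry with the provider source name appended), written out as an added example. This is not winevt-kb's own code and it does not use dfvfs: it resolves a registry value against a plain mounted image directory (as under /mnt/nbd2p2 in the report) with os.path. Function names, the environment-variable map and the directory tree it builds under a temporary directory are all constructed for the example.

```python
import os
import re
import tempfile

# Matches %VARIABLE% references such as %SystemRoot% in EventMessageFile values.
_ENV_PATTERN = re.compile(r'%([^%]+)%')


def ExpandEnvironment(windows_path, environment):
    """Expands %VAR% references using a case-insensitive environment map.

    Unknown variables are left in place so the caller can see what failed.
    """
    def _Replace(match):
        return environment.get(match.group(1).upper(), match.group(0))
    return _ENV_PATTERN.sub(_Replace, windows_path)


def WindowsPathToMounted(windows_path, mount_point, environment):
    """Maps a Windows drive-letter path onto a mounted image directory.

    The drive letter is replaced by mount_point; trailing backslashes (as in
    the McAfee value in this issue) are dropped. Only drive-letter paths are
    handled (assumption for this example).
    """
    path = ExpandEnvironment(windows_path.strip(), environment).rstrip('\\')
    if len(path) >= 2 and path[1] == ':':
        path = path[2:]
    parts = [part for part in path.split('\\') if part]
    return os.path.join(mount_point, *parts)


def ResolveMessageFiles(event_message_file, source_name, mount_point,
                        environment=None):
    """Returns the message files to open for one EventMessageFile value.

    The value may list several paths separated by ';'. A regular file is
    used as-is. A directory (the case reported here) is retried with the
    event log provider source name appended; anything else is skipped, so
    the caller never hands a directory to open() and hits Errno 21.
    """
    if environment is None:
        # Constructed default; a real extractor takes this from the image.
        environment = {'SYSTEMROOT': 'C:\\Windows'}
    resolved = []
    for entry in event_message_file.split(';'):
        if not entry.strip():
            continue
        location = WindowsPathToMounted(entry, mount_point, environment)
        if os.path.isfile(location):
            resolved.append(location)
        elif os.path.isdir(location):
            candidate = os.path.join(location, source_name)
            if os.path.isfile(candidate):
                resolved.append(candidate)
    return resolved


def Demo():
    """Builds a constructed mount tree and resolves three sample values."""
    mount_point = tempfile.mkdtemp(prefix='winevt-kb-example-')
    systemcore = os.path.join(mount_point, 'Program Files', 'Common Files',
                              'McAfee', 'SystemCore')
    os.makedirs(systemcore)
    with open(os.path.join(systemcore, 'mfeapfk.sys'), 'wb'):
        pass
    system32 = os.path.join(mount_point, 'Windows', 'System32')
    os.makedirs(system32)
    with open(os.path.join(system32, 'netevent.dll'), 'wb'):
        pass

    # The value from the issue: a directory with trailing backslashes.
    mcafee_value = 'C:\\Program Files\\Common Files\\McAfee\\SystemCore\\\\'
    # A conventional value using an environment variable.
    normal_value = '%SystemRoot%\\System32\\netevent.dll'
    return {
        'mcafee': ResolveMessageFiles(mcafee_value, 'mfeapfk.sys', mount_point),
        'normal': ResolveMessageFiles(normal_value, 'Tcpip', mount_point),
        'missing': ResolveMessageFiles('C:\\Program Files\\Nope\\\\', 'nope.sys',
                                       mount_point),
    }


if __name__ == '__main__':
    for name, files in sorted(Demo().items()):
        print('%s: %s' % (name, files))
```

One caveat when running this against a real image: Windows paths are case-insensitive, while the mounted Linux filesystem is not, so a production resolver should match path components case-insensitively rather than rely on os.path.isfile alone.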