orlikoski / CyLR

CyLR - Live Response Collection Tool
GNU General Public License v3.0

Error #50

Closed dnides closed 5 years ago

dnides commented 7 years ago

I tried running it and got an error. On x64 win10.

C:\Users\test\Downloads>CyLR.exe
Error occured while collecting files: System.ArgumentOutOfRangeException: Non-negative number required.
Parameter name: length
   at System.Array.Copy(Array sourceArray, Int32 sourceIndex, Array destinationArray, Int32 destinationIndex, Int32 length, Boolean reliable)
   at System.Array.Copy(Array sourceArray, Int64 sourceIndex, Array destinationArray, Int64 destinationIndex, Int64 length)
   at RawDiskLib.RawDiskStream.Read(Byte[] buffer, Int32 offset, Int32 count)
   at DiscUtils.Utilities.ReadFully(Stream stream, Byte[] buffer, Int32 offset, Int32 length)
   at DiscUtils.Utilities.ReadFully(Stream stream, Int32 count)
   at DiscUtils.Ntfs.NtfsFileSystem..ctor(Stream stream)
   at CyLR.read.RawFileSystem.GetSystem(String path)
   at CyLR.read.RawFileSystem.cIterator0.MoveNext()
   at System.Linq.Enumerable.d162.MoveNext()
   at System.Collections.Generic.List1..ctor(IEnumerable1 collection)
   at System.Linq.Enumerable.ToList[TSource](IEnumerable1 source)
   at CyLR.Program.CreateArchive(Arguments arguments, Stream archiveStream, IEnumerable`1 paths)
   at CyLR.Program.Main(String[] args)

orlikoski commented 7 years ago

Were you running it as administrator?

Lansatac commented 7 years ago

Interesting, Is there anything unusual about the drive you're trying to collect from?

dnides commented 7 years ago

Yes, admin.

dnides commented 7 years ago

Not really. Not sure it matters but I am on a MacBook, running Boot Camp, booted into x64 Win10. And yes, running as admin.

Lansatac commented 7 years ago

Does it work if you use --force-native?

dnides commented 7 years ago

C:\Users\test\Downloads>CyLR.exe --force-native
File or folder 'C:\Windows\SchedLgU.Txt' does not exist
Folder 'C:\Windows\System32\config\Journal' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Apps\2.0\RNAP69J0.YO1\XDJWDC0O.PAH\manifests' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Apps\2.0\RNAP69J0.YO1\XDJWDC0O.PAH' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Apps\2.0\RNAP69J0.YO1' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Apps\2.0' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Apps' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\DataSharing' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\IdentityCRL\production\temp' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\IdentityCRL' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Vault' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\0' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\1024' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\CloudAPCache\MicrosoftAccount' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\CloudAPCache' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History' exists but contains no files
Error occured while collecting files: System.UnauthorizedAccessException: Access to the path 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5' is denied.
   at System.IO.Error.WinIOError(Int32 errorCode, String maybeFullPath)
   at System.IO.FileSystemEnumerableIterator1.CommonInit()
   at System.IO.FileSystemEnumerableIterator1..ctor(String path, String originalUserPath, String searchPattern, SearchOption searchOption, SearchResultHandler`1 resultHandler, Boolean checkHost)
   at System.IO.DirectoryInfo.InternalGetDirectories(String searchPattern, SearchOption searchOption)
   at CyLR.read.NativeFileSystem.cIterator1.MoveNext()
   at CyLR.read.NativeFileSystem.cIterator1.MoveNext()
   at CyLR.read.NativeFileSystem.cIterator1.MoveNext()
   at CyLR.read.NativeFileSystem.cIterator1.MoveNext()
   at CyLR.read.NativeFileSystem.cIterator1.MoveNext()
   at CyLR.read.NativeFileSystem.cIterator1.MoveNext()
   at CyLR.read.NativeFileSystem.cIterator1.MoveNext()
   at CyLR.read.NativeFileSystem.cIterator1.MoveNext()
   at CyLR.read.NativeFileSystem.cIterator0.MoveNext()
   at System.Linq.Enumerable.d__162.MoveNext()
   at System.Collections.Generic.List1..ctor(IEnumerable1 collection)
   at System.Linq.Enumerable.ToList[TSource](IEnumerable1 source)
   at CyLR.Program.CreateArchive(Arguments arguments, Stream archiveStream, IEnumerable`1 paths)
   at CyLR.Program.Main(String[] args)

orlikoski commented 7 years ago

System.UnauthorizedAccessException: Access to the path 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5' is denied.

That is interesting as that shouldn't happen while running in an administrator command shell. Just to confirm, you did something like the following to open an administrator command shell:

[image]

orlikoski commented 7 years ago

My questions are not meant to be derogatory, we simply have to rule out all of these things. Lansatac will work with you on this going forward. If it's due to the macbook/bootcamp combo then we'd love your help and feedback in getting it sorted.

Thanks for letting us know!

dnides commented 7 years ago

No worries, yes, using admin :-)

[image: capture]

StephenHinck commented 7 years ago

I was able to run 1.3.1 from an admin CMD on my MBP in bootcamp with no issues, so likely not MBP/Bootcamp related. 2017-02-17

dnides commented 7 years ago

Win10 x64? Weird.

StephenHinck commented 7 years ago

Yes, running Win10x64.

orlikoski commented 7 years ago

Another person tested it and although it failed initially (wasn't running as admin), he did get it to work when running it as admin (not using --force-native).

Their setup is: Windows 10 V. 1511 Build 10586.753 MacBook Pro model number a1502, 13"

dnides commented 7 years ago

Any noticeable differences?

Apple APPLE SSD AP0512 SCSI Disk Device
Disk ID: {DB2D1234-CC91-1234-8553-7C5B23F7FE55}
Type   : SCSI
Status : Online
Path   : 0
Target : 0
LUN ID : 0
Location Path : PCIROOT(0)#PCI(1C04)#PCI(0000)#SCSI(P00T00L00)
Current Read-only State : No
Read-only  : No
Boot Disk  : Yes
Pagefile Disk  : Yes
Hibernation File Disk  : No
Crashdump Disk  : Yes
Clustered Disk  : No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
  Volume 0     C   BOOTCAMP     NTFS   Partition    421 GB  Healthy    Boot
  Volume 1         EFI          FAT32  Partition    300 MB  Healthy    System
  Volume 2                      NTFS   Partition    348 MB  Healthy    Hidden

DISKPART> detail volume

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---

Read-only              : No
Hidden                 : No
No Default Drive Letter: No
Shadow Copy            : No
Offline                : No
BitLocker Encrypted    : Yes
Installable            : Yes

Volume Capacity        :  421 GB
Volume Free Space      :   90 GB

DISKPART>

C:\Users\dnides\Downloads>fsutil fsinfo ntfsinfo c:
NTFS Volume Serial Number :       0x1a102736102717f1
NTFS Version   :                  3.1
LFS Version    :                  2.0
Number Sectors :                  0x00000000069605ef
Total Clusters :                  0x00000000069605ef
Free Clusters  :                  0x000000000169ed69
Total Reserved :                  0x0000000000001420
Bytes Per Sector  :               4096
Bytes Per Physical Sector :       4096
Bytes Per Cluster :               4096
Bytes Per FileRecord Segment    : 4096
Clusters Per FileRecord Segment : 1
Mft Valid Data Length :           0x0000000053300000
Mft Start Lcn  :                  0x00000000000c0000
Mft2 Start Lcn :                  0x0000000000000002
Mft Zone Start :                  0x000000000240bbc0
Mft Zone End   :                  0x00000000024183e0
Max Device Trim Extent Count :    256
Max Device Trim Byte Count :      0xffffffff
Max Volume Trim Extent Count :    62
Max Volume Trim Byte Count :      0x40000000
Resource Manager Identifier :     22AC220B-1234-11E5-B239-EAAA92FDD4FD

C:\Users\dnides\Downloads>

Lansatac commented 7 years ago

Curious. If you are willing, could you install mono and then download this program (on windows): https://gist.github.com/Lansatac/06c9be1526065315941cb0b617969b59

Then run: mcs Program.cs Program.exe

I'd be curious to see what that outputs.

Does it always fail on the same file?

dnides commented 7 years ago

C:\Program Files (x86)\Mono\bin>"c:\users\dnides\Downloads\Program.exe"
Drive C:\
Drive type: Fixed
Volume label: BOOTCAMP
File system: NTFS

C:\Program Files (x86)\Mono\bin>

Lansatac commented 7 years ago

Thanks for your help so far. I think I'll have some changes for this tomorrow. If they don't fix things, they'll hopefully tell me what the problem is.

dnides commented 7 years ago

Any luck?

Lansatac commented 7 years ago

If you could try 1.3.2 for me and let me know what results it gives both in the normal case and with --force-native on, I'd appreciate it.

dnides commented 7 years ago

c:\Users\dnides\Downloads>CyLR.exe
Failed to create a filesystem for drive 'C'
Error occured while collecting files: System.ArgumentOutOfRangeException: Non-negative number required.
Parameter name: length
   at System.Array.Copy(Array sourceArray, Int32 sourceIndex, Array destinationArray, Int32 destinationIndex, Int32 length, Boolean reliable)
   at System.Array.Copy(Array sourceArray, Int64 sourceIndex, Array destinationArray, Int64 destinationIndex, Int64 length)
   at RawDiskLib.RawDiskStream.Read(Byte[] buffer, Int32 offset, Int32 count)
   at DiscUtils.Utilities.ReadFully(Stream stream, Byte[] buffer, Int32 offset, Int32 length)
   at DiscUtils.Utilities.ReadFully(Stream stream, Int32 count)
   at DiscUtils.Ntfs.NtfsFileSystem..ctor(Stream stream)
   at CyLR.read.RawFileSystem.GetSystem(String path)
   at CyLR.read.RawFileSystem.cIterator0.MoveNext()
   at System.Linq.Enumerable.d162.MoveNext()
   at System.Collections.Generic.List1..ctor(IEnumerable1 collection)
   at System.Linq.Enumerable.ToList[TSource](IEnumerable1 source)
   at CyLR.Program.CreateArchive(Arguments arguments, Stream archiveStream, IEnumerable`1 paths)
   at CyLR.Program.Main(String[] args)

dnides commented 7 years ago

c:\Users\dnides\Downloads>CyLR.exe --force-native File or folder 'C:\Windows\SchedLgU.Txt' does not exist Folder 'C:\Windows\System32\config\Journal' exists but contains no files Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Apps\2.0\RNAP69J0.YO1\XDJWDC0O.PAH\manifests' exists but contains no files Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Apps\2.0\RNAP69J0.YO1\XDJWDC0O.PAH' exists but contains no files Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Apps\2.0\RNAP69J0.YO1' exists but contains no files Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Apps\2.0' exists but contains no files Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Apps' exists but contains no files Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\DataSharing' exists but contains no files Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0' exists but contains no files Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\IdentityCRL\production\temp' exists but contains no files Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\IdentityCRL' exists but contains no files Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Vault' exists but contains no files Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\0' exists but contains no files Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\1024' exists but contains no files Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\CloudAPCache\MicrosoftAccount' exists but contains no files Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\CloudAPCache' exists but contains no files Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5' exists but contains no files Folder 
'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History' exists but contains no files Failed to read files in 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5' due to insufficient privilages. Failed to read files in 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5' due to insufficient privilages. Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5' exists but contains no files Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\7KRI0PC9' exists but contains no files Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\CJP5RECR' exists but contains no files Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\U40NG8JF' exists but contains no files Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\YSNSVP27' exists but contains no files Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PRICache' exists but contains no files Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft' exists but contains no files Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Packages\microsoft.windows.fontdrvhost\AC\INetCache' exists but contains no files Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Packages\microsoft.windows.fontdrvhost\AC\INetCookies' exists but contains no files Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Packages\microsoft.windows.fontdrvhost\AC\INetHistory' exists but contains no files Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Packages\microsoft.windows.fontdrvhost\AC\Temp' exists but contains no files Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Packages\microsoft.windows.fontdrvhost\AC' exists 
but contains no files Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Packages\microsoft.windows.fontdrvhost' exists but contains no files Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Packages' exists but contains no files Folder 'C:\Windows\System32\config\systemprofile\AppData\Local' exists but contains no files Folder 'C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache' exists but contains no files Folder 'C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft' exists but contains no files Folder 'C:\Windows\System32\config\systemprofile\AppData\LocalLow' exists but contains no files Folder 'C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates' exists but contains no files Folder 'C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs' exists but contains no files Folder 'C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs' exists but contains no files Folder 'C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates' exists but contains no files Folder 'C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Vault' exists but contains no files Folder 'C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft' exists but contains no files Folder 'C:\Windows\System32\config\systemprofile\AppData\Roaming' exists but contains no files Folder 'C:\Windows\System32\config\systemprofile\AppData' exists but contains no files Folder 'C:\Windows\System32\config\systemprofile' exists but contains no files File or folder 'C:\Windows\System32\LogFiles\W3SVC1' does not exist Collecting File: C:\Windows\System32\drivers\etc\hosts Collecting File: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini Error: The process cannot access the file 'C:\Windows\System32\config\RegBack\DEFAULT' because it is being 
used by another process. Collecting File: C:\Windows\System32\config\RegBack\DEFAULT.LOG1 Collecting File: C:\Windows\System32\config\RegBack\DEFAULT.LOG2 Error: The process cannot access the file 'C:\Windows\System32\config\RegBack\SAM' because it is being used by another process. Collecting File: C:\Windows\System32\config\RegBack\SAM.LOG1 Collecting File: C:\Windows\System32\config\RegBack\SAM.LOG2 Error: The process cannot access the file 'C:\Windows\System32\config\RegBack\SECURITY' because it is being used by another process. Collecting File: C:\Windows\System32\config\RegBack\SECURITY.LOG1 Collecting File: C:\Windows\System32\config\RegBack\SECURITY.LOG2 Error: The process cannot access the file 'C:\Windows\System32\config\RegBack\SOFTWARE' because it is being used by another process. Collecting File: C:\Windows\System32\config\RegBack\SOFTWARE.LOG1 Collecting File: C:\Windows\System32\config\RegBack\SOFTWARE.LOG2 Error: The process cannot access the file 'C:\Windows\System32\config\RegBack\SYSTEM' because it is being used by another process. Collecting File: C:\Windows\System32\config\RegBack\SYSTEM.LOG1 Collecting File: C:\Windows\System32\config\RegBack\SYSTEM.LOG2 Collecting File: C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps\SearchIndexer.exe.3640.dmp Collecting File: C:\Windows\System32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk Error: The process cannot access the file 'C:\Windows\System32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log' because it is being used by another process. 
Collecting File: C:\Windows\System32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS0000C.log Collecting File: C:\Windows\System32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs Collecting File: C:\Windows\System32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs Error: The process cannot access the file 'C:\Windows\System32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log' because it is being used by another process. Error: The process cannot access the file 'C:\Windows\System32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat' because it is being used by another process. Collecting File: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\NGenTask.exe.log Collecting File: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\taskhostw.exe.log Error: The process cannot access the file 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\V01.log' because it is being used by another process. Collecting File: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\V0100010.log Collecting File: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\V01res00001.jrs Collecting File: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\V01res00002.jrs Error: The process cannot access the file 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\V01tmp.log' because it is being used by another process. Error: The process cannot access the file 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat' because it is being used by another process. Error: The process cannot access the file 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCacheLock.dat' because it is being used by another process. 
Collecting File: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0515FA6D4CD0403D38FE78556C2AFD2D Collecting File: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0EAC1979C5D21DF9C16B8EDD074B9474 Collecting File: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 Collecting File: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7336CDD19CCF55A1BEEA70FD753D6007 Collecting File: C:\Windows\System32\winevt\logs\Microsoft-Windows-GenericRoaming%4Admin.evtx Error: The process cannot access the file 'C:\Windows\System32\winevt\logs\Microsoft-Windows-GroupPolicy%4Operational.evtx' because it is being used by another process. Collecting File: C:\Windows\System32\winevt\logs\Microsoft-Windows-Help%4Operational.evtx Error: The process cannot access the file 'C:\Windows\System32\winevt\logs\Microsoft-Windows-HomeGroup Control Panel%4Operational.evtx' because it is being used by another process. Collecting File: C:\Windows\System32\winevt\logs\Microsoft-Windows-HomeGroup Listener Service%4Operational.evtx Collecting File: C:\Windows\System32\winevt\logs\Microsoft-Windows-HomeGroup Provider Service%4Operational.evtx Error: The process cannot access the file 'C:\Windows\System32\winevt\logs\Microsoft-Windows-HotspotAuth%4Operational.evtx' because it is being used by another process. Collecting File: C:\Windows\System32\winevt\logs\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx Collecting File: C:\Windows\System32\winevt\logs\Microsoft-Windows-IdCtrls%4Operational.evtx Error: The process cannot access the file 'C:\Windows\System32\winevt\logs\Microsoft-Windows-IKE%4Operational.evtx' because it is being used by another process. 
Collecting File: C:\Windows\System32\winevt\logs\Microsoft-Windows-International%4Operational.evtx Collecting File: C:\Windows\System32\winevt\logs\Microsoft-Windows-International-RegionalOptionsControlPanel%4Operational.evtx Collecting File: C:\Windows\System32\winevt\logs\Microsoft-Windows-Iphlpsvc%4Operational.evtx Collecting File: C:\Windows\System32\winevt\logs\Microsoft-Windows-KdsSvc%4Operational.evtx Collecting File: C:\Windows\System32\winevt\logs\Microsoft-Windows-Kernel-ApphelpCache%4Operational.evtx Error: The process cannot access the file 'C:\Windows\System32\winevt\logs\Microsoft-Windows-Kernel-Boot%4Operational.evtx' because it is being used by another process. Error: The process cannot access the file 'C:\Windows\System32\winevt\logs\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx' because it is being used by another process. Collecting File: C:\Windows\System32\winevt\logs\Microsoft-Windows-Kernel-IO%4Operational.evtx Error: The process cannot access the file 'C:\Windows\System32\winevt\logs\Microsoft-Windows-Kernel-PnP%4Configuration.evtx' because it is being used by another process. Error: The process cannot access the file 'C:\Windows\System32\winevt\logs\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx' because it is being used by another process. Error: The process cannot access the file 'C:\Windows\System32\winevt\logs\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx' because it is being used by another process. Error: The process cannot access the file 'C:\Windows\System32\winevt\logs\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx' because it is being used by another process. Collecting File: C:\Windows\System32\winevt\logs\Microsoft-Windows-Kernel-WDI%4Operational.evtx Error: The process cannot access the file 'C:\Windows\System32\winevt\logs\Microsoft-Windows-Kernel-WHEA%4Errors.evtx' because it is being used by another process. 
Error: The process cannot access the file 'C:\Windows\System32\winevt\logs\Microsoft-Windows-Kernel-WHEA%4Operational.evtx' because it is being used by another process. Error: The process cannot access the file 'C:\Windows\System32\winevt\logs\Microsoft-Windows-Known Folders API Service.evtx' because it is being used by another process. Error: The process cannot access the file 'C:\Windows\System32\winevt\logs\Microsoft-Windows-LanguagePackSetup%4Operational.evtx' because it is being used by another process. Error: The process cannot access the file 'C:\Windows\System32\winevt\logs\Microsoft-Windows-LiveId%4Operational.evtx' because it is being used by another process. Collecting File: C:\Windows\System32\winevt\logs\Microsoft-Windows-MemoryDiagnostics-Results%4Debug.evtx Collecting File: C:\Windows\System32\winevt\logs\Microsoft-Windows-Wired-AutoConfig%4Operational.evtx Error: The process cannot access the file 'C:\Windows\System32\winevt\logs\Microsoft-Windows-WLAN-AutoConfig%4Operational.evtx' because it is being used by another process. Error: The process cannot access the file 'C:\Windows\System32\winevt\logs\Microsoft-Windows-WMI-Activity%4Operational.evtx' because it is being used by another process. Collecting File: C:\Windows\System32\winevt\logs\Microsoft-Windows-WorkFolders%4Operational.evtx Error: The process cannot access the file 'C:\Windows\System32\winevt\logs\Microsoft-Windows-WorkFolders%4WHC.evtx' because it is being used by another process. 
Collecting File: C:\Windows\System32\winevt\logs\Microsoft-Windows-Workplace Join%4Admin.evtx Collecting File: C:\Windows\System32\winevt\logs\Microsoft-Windows-WPD-ClassInstaller%4Operational.evtx Collecting File: C:\Windows\System32\winevt\logs\Microsoft-Windows-WPD-CompositeClassDriver%4Operational.evtx Collecting File: C:\Windows\System32\winevt\logs\Microsoft-Windows-WPD-MTPClassDriver%4Operational.evtx Collecting File: C:\Windows\System32\winevt\logs\Microsoft-Windows-WWAN-SVC-Events%4Operational.evtx Error: The process cannot access the file 'C:\Windows\System32\winevt\logs\Microsoft-WindowsPhone-Connectivity-WiFiConnSvc-Channel.evtx' because it is being used by another process. Collecting File: C:\Windows\System32\winevt\logs\Microsoft-WS-Licensing%4Admin.evtx Error: The process cannot access the file 'C:\Windows\System32\winevt\logs\OAlerts.evtx' because it is being used by another process. Error: The process cannot access the file 'C:\Windows\System32\winevt\logs\Security.evtx' because it is being used by another process. Collecting File: C:\Windows\System32\winevt\logs\Setup.evtx Collecting File: C:\Windows\System32\winevt\logs\SMSApi.evtx Error: The process cannot access the file 'C:\Windows\System32\winevt\logs\System.evtx' because it is being used by another process. Error: The process cannot access the file 'C:\Windows\System32\winevt\logs\Windows PowerShell.evtx' because it is being used by another process. 
Collecting File: C:\Windows\Prefetch\ReadyBoot\ReadyBoot.etl Collecting File: C:\Windows\Prefetch\ACRORD32.EXE-41B0A0C7.pf Collecting File: C:\Windows\Prefetch\ACRORD32.EXE-41B0A0C8.pf Collecting File: C:\Windows\Prefetch\ADOBEARM.EXE-813E932C.pf Collecting File: C:\Windows\Prefetch\AM_DELTA_PATCH_1.235.2586.0.E-6ED8690D.pf Collecting File: C:\Windows\Prefetch\AM_DELTA_PATCH_1.235.2629.0.E-C1637103.pf Collecting File: C:\Windows\Prefetch\AM_DELTA_PATCH_1.235.2715.0.E-BE29AAA7.pf Collecting File: C:\Windows\Prefetch\AM_DELTA_PATCH_1.235.2855.0.E-F0263D40.pf Collecting File: C:\Windows\Prefetch\AM_DELTA_PATCH_1.235.3027.0.E-A4F36DD8.pf Collecting File: C:\Windows\Prefetch\AM_DELTA_PATCH_1.235.3101.0.E-C915B6A5.pf Collecting File: C:\Windows\Prefetch\NGENTASK.EXE-4DB88ADA.pf Collecting File: C:\Windows\Prefetch\NGENTASK.EXE-CD4E002C.pf Collecting File: C:\Windows\Prefetch\NOTEPAD++.EXE-E7DBD7BD.pf Collecting File: C:\Windows\Prefetch\NOTEPAD.EXE-B28CC291.pf Collecting File: C:\Windows\Prefetch\NOTEPAD.EXE-F0516D55.pf Collecting File: C:\Windows\Prefetch\WINLOGON.EXE-0D9AB72B.pf Collecting File: C:\Windows\Prefetch\WINRAR.EXE-E031DE56.pf Collecting File: C:\Windows\Prefetch\WINWORD.EXE-52205F6D.pf Collecting File: C:\Windows\Prefetch\WINWORD.EXE-AF921654.pf Collecting File: C:\Windows\Prefetch\WLANEXT.EXE-AD1A4F51.pf Collecting File: C:\Windows\Prefetch\WMIADAP.EXE-7D63BB4C.pf Collecting File: C:\Windows\Prefetch\WMIPRVSE.EXE-BB49B536.pf Collecting File: C:\Windows\Prefetch\WMPLAYER.EXE-B0AD61F0.pf Collecting File: C:\Windows\Prefetch\WORDPAD.EXE-505FE0CE.pf Collecting File: C:\Windows\Prefetch\WUAPIHOST.EXE-6D06E4D6.pf Collecting File: C:\Windows\Prefetch\WUAUCLT.EXE-4A7CF88B.pf Collecting File: C:\Windows\Prefetch\WUSA.EXE-883637F2.pf Collecting File: C:\Windows\Tasks\CreateExplorerShellUnelevatedTask.job Collecting File: C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-455609181-2581757210-169921877-1001.job Collecting File: 
C:\Windows\Tasks\G2MUploadTask-S-1-5-21-455609181-2581757210-169921877-1001.job Collecting File: C:\Windows\Tasks\SA.DAT Error: Access to the path 'C:\$MFT' is denied. Extraction complete. 0:00:01.3377992 elapsed

dnides commented 7 years ago

Not sure, I'll have to look into that. If I had to guess I would say yes. Looking at below, it is referenced in volume 2 but not zero, where Windows is installed. That said, I think I read somewhere that native EFI is default for Windows on this hardware. You have any suggestions on how to confirm?

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
  Volume 0     C   BOOTCAMP     NTFS   Partition    421 GB  Healthy    Boot
  Volume 1         EFI          FAT32  Partition    300 MB  Healthy    System
  Volume 2                      NTFS   Partition    348 MB  Healthy    Hidden

Sent from my iPhone

On Feb 21, 2017, at 9:31 PM, Jason Yegge notifications@github.com wrote:

Are you booting using EFI by any chance? If so, can you try it without?


Lansatac commented 7 years ago

Well, that's weird. Without a local repro I'm going to have difficulty doing much more. We might try contacting the author of RawDiskLib, as that's the library that is having the non-native error. I'm not sure why you would get errors like this one "Failed to read files in 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5' due to insufficient privilages." as an administrator. There may be something odd about the permissions on that folder.

dnides commented 7 years ago

What's the difference between the normal and native export options? Yes, we should ask the RawDiskLib author what's up.

Also curious, why did you ask about EFI?


Lansatac commented 7 years ago

The normal path uses RawDiskLib to do raw disk reads, bypassing the OS. Native utilizes the OS level calls to access the files. Using the OS calls results in all of the "it is being used by another process." errors because Windows has locked the files, but the Raw reads bypass those locks.

I asked about EFI because it's a FAT32 partition. The system currently only supports NTFS drives. I don't know enough about how bootcamp and EFI work under the hood to know if that's somehow related to the RawDiskLib error, but it's the only thing that stands out to me at the moment.
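Since the normal path reads the volume below the OS and, as noted, only NTFS is supported, an operator would want the volume facts that matter for raw reads before a run. The following is an added example, not code from CyLR or its authors: it parses the `fsutil fsinfo ntfsinfo` and diskpart `detail volume` text dnides posted earlier and flags the file system, logical sector size and BitLocker state. The 512-byte sector default and the warning texts are this example's own assumptions about what a raw reader needs, not a root cause established in this thread.

```python
"""Pre-flight volume check for a raw-disk collector (added example, not CyLR code).

Parses the text that `fsutil fsinfo ntfsinfo <drive>` and diskpart's
`detail volume` print and reports the properties a collector that reads the
disk below the OS depends on: file system, logical sector size, where $MFT
starts, and BitLocker state. The 512-byte default and the warnings are this
example's assumptions, not a finding from the issue thread.
"""
import re
from dataclasses import dataclass, field

# Constructed sample input: the values are the ones posted in the thread,
# with the one-item-per-line layout that fsutil actually prints restored.
FSUTIL_SAMPLE = """\
NTFS Volume Serial Number :       0x1a102736102717f1
NTFS Version   :                  3.1
LFS Version    :                  2.0
Number Sectors :                  0x00000000069605ef
Total Clusters :                  0x00000000069605ef
Free Clusters  :                  0x000000000169ed69
Bytes Per Sector  :               4096
Bytes Per Physical Sector :       4096
Bytes Per Cluster :               4096
Bytes Per FileRecord Segment    : 4096
Clusters Per FileRecord Segment : 1
Mft Start Lcn  :                  0x00000000000c0000
"""

# Constructed sample: the diskpart "detail volume" flags from the thread.
DISKPART_SAMPLE = """\
Read-only              : No
Hidden                 : No
No Default Drive Letter: No
Shadow Copy            : No
Offline                : No
BitLocker Encrypted    : Yes
Installable            : Yes

Volume Capacity        :  421 GB
Volume Free Space      :   90 GB
"""

_KV = re.compile(r"^\s*(.+?)\s*:\s*(.+?)\s*$")


def parse_kv(text: str) -> dict:
    """Turn 'Key : Value' lines into a dict; lines without a colon are skipped."""
    pairs = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if m:
            pairs[m.group(1)] = m.group(2)
    return pairs


def to_int(value: str) -> int:
    """fsutil prints sizes in decimal and LCNs/counts as 0x-prefixed hex."""
    value = value.strip()
    return int(value, 16) if value.lower().startswith("0x") else int(value)


@dataclass
class VolumeCheck:
    filesystem: str
    bytes_per_sector: int
    bytes_per_cluster: int
    mft_byte_offset: int          # where a raw NTFS reader will seek for $MFT
    bitlocker: bool
    warnings: list = field(default_factory=list)


def check_volume(fsutil_text: str, diskpart_text: str,
                 expected_sector: int = 512) -> VolumeCheck:
    fs = parse_kv(fsutil_text)
    dp = parse_kv(diskpart_text)

    # fsutil ntfsinfo only succeeds on NTFS; without the version line the
    # output came from something else (or the command failed).
    filesystem = "NTFS" if "NTFS Version" in fs else "unknown"
    bps = to_int(fs.get("Bytes Per Sector", "0"))
    bpc = to_int(fs.get("Bytes Per Cluster", "0"))
    mft_lcn = to_int(fs.get("Mft Start Lcn", "0"))
    bitlocker = dp.get("BitLocker Encrypted", "No").strip().lower() == "yes"

    result = VolumeCheck(filesystem, bps, bpc, mft_lcn * bpc, bitlocker)
    if filesystem != "NTFS":
        result.warnings.append("file system is not NTFS; raw NTFS parsing does not apply")
    if bps != expected_sector:
        result.warnings.append(
            f"logical sector size is {bps} bytes, not {expected_sector}; "
            "raw reads must be sized and aligned to the real sector size")
    if bitlocker:
        result.warnings.append(
            "BitLocker encrypted: raw reads taken below the volume's encryption "
            "filter (e.g. from the physical disk) return ciphertext; read the "
            "unlocked volume device instead")
    return result


if __name__ == "__main__":
    for line in check_volume(FSUTIL_SAMPLE, DISKPART_SAMPLE).warnings:
        print("WARNING:", line)
```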

dnides commented 7 years ago

Thanks, the native vs rawdisklib makes perfect sense. Hence for various reasons, like the one you mentioned, I would expect the native not to work on all files and see errors. Hopefully we can get to the bottom of the RawDiskLib issue.


Lansatac commented 7 years ago

Do you have any experience with C# development? We'd love to see exactly what those variables are when it fails, but we'd need it running in the IDE to see.

dnides commented 7 years ago

If you outline the steps at a high level, I can have one of my colleagues assist who is more familiar than me. I only know Python guy :-/

Sent from my iPhone


dnides commented 7 years ago

Did you ever make any progress on this? I am at the SANS summit.

Lansatac commented 7 years ago

I'd narrowed it down to a few possibilities and I was trying to find a repro case before life intervened. I'll see if I can't make progress on this soon.

Lansatac commented 7 years ago

OK, I've finally managed to get some time for digging into this further. I've created a branch at https://github.com/Lansatac/CyLR/tree/investigation/issue50 that will hopefully give us some more information. If you could run this version of the utility I've built, I hope it will fail with some more definitive information. CyLR.zip

Lansatac commented 7 years ago

@dnides, any chance you could spare some time to try this out for us? We'd love to get this solved for you!

dnides commented 6 years ago

Using latest version:

C:\Users\dnides\Documents\Release\Beta>CyLR.exe
Failed to create a filesystem for drive 'C'
Error occured while collecting files: System.ArgumentOutOfRangeException: Non-negative number required.
Parameter name: length
   at System.Array.Copy(Array sourceArray, Int32 sourceIndex, Array destinationArray, Int32 destinationIndex, Int32 length, Boolean reliable)
   at RawDiskLib.RawDiskStream.Read(Byte[] buffer, Int32 offset, Int32 count)
   at DiscUtils.Utilities.ReadFully(Stream stream, Byte[] buffer, Int32 offset, Int32 length)
   at DiscUtils.Utilities.ReadFully(Stream stream, Int32 count)
   at DiscUtils.Ntfs.NtfsFileSystem..ctor(Stream stream)
   at CyLR.read.RawFileSystem.GetSystem(String path)
   at CyLR.read.RawFileSystem.d1.MoveNext()
   at System.Linq.Enumerable.d162.MoveNext()
   at System.Collections.Generic.List1..ctor(IEnumerable1 collection)
   at System.Linq.Enumerable.ToList[TSource](IEnumerable1 source)
   at CyLR.Program.CreateArchive(Arguments arguments, Stream archiveStream, IEnumerable`1 paths)
   at CyLR.Program.Main(String[] args)

annabelsandford commented 2 years ago

This has never been fixed, right?