Missing registry values when using printkey

[GoogleCodeExporter]

I tried dumps from several Windows 7 (64 Bit) machines and got only the 
following output.

1. example:
E:\Viren_MalWare_usw\Debugging\Volatility-64Bit>vol.py -f 
..\Viren_Mem_Dumps\Dieter
soft\Windows NT\CurrentVersion\Winlogon"
Volatile Systems Volatility Framework 2.1_alpha
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: User Specified
Key name: Winlogon (S)
Last updated: 2012-05-12 20:56:47

Subkeys:
  (S) GPExtensions
  (V) AutoLogonChecked

Values:
REG_SZ        ReportBootOk    : (S) 1
REG_SZ        PreCreateKnownFolders : (S) {A520A1A4-1780-4FF6-BD18-167343C5AF16}
REG_SZ        VMApplet        : (S) SystemPropertiesPerformance.exe /pagefile
REG_SZ        Background      : (S) 0 0 0
REG_SZ        DebugServerCommand : (S) no
REG_SZ        LegalNoticeCaption : (S)
REG_DWORD     PasswordExpiryWarning : (S) 5
REG_SZ        ShutdownWithoutLogon : (S) 0
REG_DWORD     DisableCAD      : (S) 1
REG_DWORD     ShutdownFlags   : (S) 39
REG_SZ        DefaultUserName : (S) Dieter

2. example
E:\Viren_MalWare_usw\Debugging\Volatility-64Bit>vol.py -f 
..\Viren_Mem_Dumps\HUH-WIN7-1-2.img --pr
Windows NT\CurrentVersion\Winlogon"
Volatile Systems Volatility Framework 2.1_alpha
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: User Specified
Key name: Winlogon (S)
Last updated: 2012-05-17 11:03:00

Subkeys:
  (S) GPExtensions
  (S) Notify
  (V) AutoLogonChecked

Values:
REG_SZ        ReportBootOk    : (S) 1
REG_SZ        PreCreateKnownFolders : (S) {A520A1A4-1780-4FF6-BD18-167343C5AF16}
REG_SZ        VMApplet        : (S) SystemPropertiesPerformance.exe /pagefile
REG_SZ        Background      : (S) 0 0 0
REG_SZ        DebugServerCommand : (S) no
REG_SZ        LegalNoticeCaption : (S)
REG_DWORD     PasswordExpiryWarning : (S) 5
REG_SZ        ShutdownWithoutLogon : (S) 0
REG_DWORD     DisableCAD      : (S) 1
REG_DWORD     ShutdownFlags   : (S) 43
REG_SZ        DefaultUserName : (S) Asus

On both machines i'm missing the left values for "Userinit", "Shell" and so 
on.. 

I'm using Windows 7 SP1 X64 Ultimate (CPU Intel Core i7 2670QM)

Sincerely,
Holger

Original issue reported on code.google.com by Fa.DEM...@googlemail.com on 20 May 2012 at 5:35

[GoogleCodeExporter]

Sorry, here the complete command.
It was cutted 

E:\Viren_MalWare_usw\Debugging\Volatility-64Bit>vol.py -f 
..\Viren_Mem_Dumps\HUH-WIN7-1-2.img --profile=Win7SP1x64 printkey -o 
0xfffff8a000b8f010 -K "Microsoft\
Windows NT\CurrentVersion\Winlogon"

Original comment by Fa.DEM...@googlemail.com on 20 May 2012 at 5:41

[GoogleCodeExporter]

Hi there, 

So Windows 2000 was the only OS that reads and maintains full hives in memory. 
Everything starting with Windows XP only keeps keys that are read frequently or 
read recently. Since the Userinit value etc of the Winlogon key is only read 
once at boot time, its probably paged out by the time you sample memory. 

For more information see, BDG's blog post and DFRWS paper:

http://moyix.blogspot.com/2007/09/challenges-in-carving-registry-hives.html 
http://dfrws.org/2008/proceedings/p26-dolan-gavitt.pdf

Both of the resources explain that memory contains valuable registry data that 
is never on disk (i.e. the volatile hives), however don't expect to find 100% 
of hive data that *is* on disk in memory. It makes sense if you think about it, 
hive files can be hundreds of MBs, most of which is never accessed during 
normal computer use, so it's just a big waste to store everything in memory. 

I'm gonna mark this invalid, but feel free to reopen if you have reason to 
believe the Userinit and Shell values *do* exist in the memory dump and just 
aren't being shown by the plugins. 

Original comment by michael.hale@gmail.com on 22 May 2012 at 2:19

• Changed state: Invalid