strozfriedberg / sidr

Search Index Database Reporter

Crash on Windows Server 2025 Database file #7

Open reece394 opened 6 days ago

reece394 commented 6 days ago

When trying to parse the Windows.db file with sidr, it unfortunately produces an error and does not output files. When opening it with an SQLite database viewer, it doesn't appear to have any issues. This occurs if it is collected from a fully shut down system as well as a live system. Below is the debug trace. I suspect that the format has slightly changed somewhere, hence the errors.

C:\Users\TestUser\Documents\sidr\target\debug>sidr -f csv C:\\Server20253
Processing ESE db: C:\\Server20253\D\programdata\microsoft\search\data\applications\windows\Windows.db
sqlite_get_hostname() failed: Empty field System_ComputerName. Will use 'Unknown' as a hostname.
C:\Users\TestUser\Documents\sidr\target\debug\Unknown_File_Report_20241017_184557.844403300.csv
C:\Users\TestUser\Documents\sidr\target\debug\Unknown_Internet_History_Report_20241017_184557.844737300.csv
C:\Users\TestUser\Documents\sidr\target\debug\Unknown_Activity_History_Report_20241017_184557.844903900.csv

thread 'main' panicked at C:\Users\Administrator\.cargo\git\checkouts\ese_parser-b1822da59468068b\b007503\lib\src\ese_parser.rs:530:45:
called `Result::unwrap()` on an `Err` value: TryFromSliceError(())
stack backtrace:
   0:     0x7ff6ab4abd1d - std::backtrace_rs::backtrace::dbghelp64::trace
                               at /rustc/eeb90cda1969383f56a2637cbd3037bdf598841c/library\std\src\..\..\backtrace\src\backtrace\dbghelp64.rs:91
   1:     0x7ff6ab4abd1d - std::backtrace_rs::backtrace::trace_unsynchronized
                               at /rustc/eeb90cda1969383f56a2637cbd3037bdf598841c/library\std\src\..\..\backtrace\src\backtrace\mod.rs:66
   2:     0x7ff6ab4abd1d - std::sys::backtrace::_print_fmt
                               at /rustc/eeb90cda1969383f56a2637cbd3037bdf598841c/library\std\src\sys\backtrace.rs:65
   3:     0x7ff6ab4abd1d - std::sys::backtrace::impl$0::print::impl$0::fmt
                               at /rustc/eeb90cda1969383f56a2637cbd3037bdf598841c/library\std\src\sys\backtrace.rs:40
   4:     0x7ff6ab4bde29 - core::fmt::rt::Argument::fmt
                               at /rustc/eeb90cda1969383f56a2637cbd3037bdf598841c/library\core\src\fmt\rt.rs:173
   5:     0x7ff6ab4bde29 - core::fmt::write
                               at /rustc/eeb90cda1969383f56a2637cbd3037bdf598841c/library\core\src\fmt\mod.rs:1182
   6:     0x7ff6ab4a8f41 - std::io::Write::write_fmt<std::sys::pal::windows::stdio::Stderr>
                               at /rustc/eeb90cda1969383f56a2637cbd3037bdf598841c/library\std\src\io\mod.rs:1827
   7:     0x7ff6ab4adac7 - std::panicking::default_hook::closure$1
                               at /rustc/eeb90cda1969383f56a2637cbd3037bdf598841c/library\std\src\panicking.rs:269
   8:     0x7ff6ab4ad6b9 - std::panicking::default_hook
                               at /rustc/eeb90cda1969383f56a2637cbd3037bdf598841c/library\std\src\panicking.rs:296
   9:     0x7ff6ab4ae202 - std::panicking::rust_panic_with_hook
                               at /rustc/eeb90cda1969383f56a2637cbd3037bdf598841c/library\std\src\panicking.rs:800
  10:     0x7ff6ab4ae046 - std::panicking::begin_panic_handler::closure$0
                               at /rustc/eeb90cda1969383f56a2637cbd3037bdf598841c/library\std\src\panicking.rs:674
  11:     0x7ff6ab4ac40f - std::sys::backtrace::__rust_end_short_backtrace<std::panicking::begin_panic_handler::closure_env$0,never$>
                               at /rustc/eeb90cda1969383f56a2637cbd3037bdf598841c/library\std\src\sys\backtrace.rs:168
  12:     0x7ff6ab4adc26 - std::panicking::begin_panic_handler
                               at /rustc/eeb90cda1969383f56a2637cbd3037bdf598841c/library\std\src\panicking.rs:665
  13:     0x7ff6ab5b6444 - core::panicking::panic_fmt
                               at /rustc/eeb90cda1969383f56a2637cbd3037bdf598841c/library\core\src\panicking.rs:74
  14:     0x7ff6ab5b68a0 - core::result::unwrap_failed
                               at /rustc/eeb90cda1969383f56a2637cbd3037bdf598841c/library\core\src\result.rs:1679
  15:     0x7ff6ab346ee7 - enum2$<core::result::Result<array$<u8,8>,core::array::TryFromSliceError> >::unwrap
                               at /rustc/eeb90cda1969383f56a2637cbd3037bdf598841c\library\core\src\result.rs:1102
  16:     0x7ff6ab346ee7 - ese_parser_lib::ese_parser::impl$12::from_bytes
                               at C:\Users\Administrator\.cargo\git\checkouts\ese_parser-b1822da59468068b\b007503\lib\src\ese_parser.rs:530
  17:     0x7ff6ab2c0277 - sidr::sqlite::sqlite_dump_file_record
                               at C:\Users\TestUser\Documents\sidr\src\sqlite.rs:158
  18:     0x7ff6ab2b4ce8 - sidr::sqlite::sqlite_generate_report::closure$0
                               at C:\Users\TestUser\Documents\sidr\src\sqlite.rs:113
  19:     0x7ff6ab2bfaf9 - sidr::sqlite::sqlite_generate_report
                               at C:\Users\TestUser\Documents\sidr\src\sqlite.rs:124
  20:     0x7ff6ab2c9ba9 - sidr::dump
                               at C:\Users\TestUser\Documents\sidr\src\main.rs:46
  21:     0x7ff6ab2ca166 - sidr::dump
                               at C:\Users\TestUser\Documents\sidr\src\main.rs:32
  22:     0x7ff6ab2ca166 - sidr::dump
                               at C:\Users\TestUser\Documents\sidr\src\main.rs:32
  23:     0x7ff6ab2ca166 - sidr::dump
                               at C:\Users\TestUser\Documents\sidr\src\main.rs:32
  24:     0x7ff6ab2ca166 - sidr::dump
                               at C:\Users\TestUser\Documents\sidr\src\main.rs:32
  25:     0x7ff6ab2ca166 - sidr::dump
                               at C:\Users\TestUser\Documents\sidr\src\main.rs:32
  26:     0x7ff6ab2ca166 - sidr::dump
                               at C:\Users\TestUser\Documents\sidr\src\main.rs:32
  27:     0x7ff6ab2ca166 - sidr::dump
                               at C:\Users\TestUser\Documents\sidr\src\main.rs:32
  28:     0x7ff6ab2ca8c0 - sidr::main
                               at C:\Users\TestUser\Documents\sidr\src\main.rs:125
  29:     0x7ff6ab2cca73 - core::ops::function::FnOnce::call_once<enum2$<core::result::Result<tuple$<>,simple_error::SimpleError> > (*)(),tuple$<> >
                               at /rustc/eeb90cda1969383f56a2637cbd3037bdf598841c\library\core\src\ops\function.rs:250
  30:     0x7ff6ab2cf9e6 - std::sys::backtrace::__rust_begin_short_backtrace<enum2$<core::result::Result<tuple$<>,simple_error::SimpleError> > (*)(),enum2$<core::result::Result<tuple$<>,simple_error::SimpleError> > >
                               at /rustc/eeb90cda1969383f56a2637cbd3037bdf598841c\library\std\src\sys\backtrace.rs:152
  31:     0x7ff6ab2d3ff6 - std::rt::lang_start::closure$0<enum2$<core::result::Result<tuple$<>,simple_error::SimpleError> > >
                               at /rustc/eeb90cda1969383f56a2637cbd3037bdf598841c\library\std\src\rt.rs:162
  32:     0x7ff6ab4a38f9 - std::rt::lang_start_internal::closure$2
                               at /rustc/eeb90cda1969383f56a2637cbd3037bdf598841c/library\std\src\rt.rs:141
  33:     0x7ff6ab4a38f9 - std::panicking::try::do_call
                               at /rustc/eeb90cda1969383f56a2637cbd3037bdf598841c/library\std\src\panicking.rs:557
  34:     0x7ff6ab4a38f9 - std::panicking::try
                               at /rustc/eeb90cda1969383f56a2637cbd3037bdf598841c/library\std\src\panicking.rs:521
  35:     0x7ff6ab4a38f9 - std::panic::catch_unwind
                               at /rustc/eeb90cda1969383f56a2637cbd3037bdf598841c/library\std\src\panic.rs:350
  36:     0x7ff6ab4a38f9 - std::rt::lang_start_internal
                               at /rustc/eeb90cda1969383f56a2637cbd3037bdf598841c/library\std\src\rt.rs:141
  37:     0x7ff6ab2d3fca - std::rt::lang_start<enum2$<core::result::Result<tuple$<>,simple_error::SimpleError> > >
                               at /rustc/eeb90cda1969383f56a2637cbd3037bdf598841c\library\std\src\rt.rs:161
  38:     0x7ff6ab2cbd69 - main
  39:     0x7ff6ab5b3f20 - invoke_main
                               at D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:78
  40:     0x7ff6ab5b3f20 - __scrt_common_main_seh
                               at D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
  41:     0x7ffa8f3f4ed0 - BaseThreadInitThunk
  42:     0x7ffa9054e39b - RtlUserThreadStart

juliapaluch commented 2 days ago

Can you please email me a copy of the database that's causing the panic?

juliapaluch commented 1 day ago

Thanks for reporting! Looks like Microsoft changed up some of the Property IDs in Server 2025, which we probably shouldn't be hardcoding anyway. Will push up a fix soon.
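
The failure mode in this thread, as an added example that is not sidr's or ese_parser's code: a blob that is not exactly 8 bytes reaches a slice-to-`[u8; 8]` conversion, and `unwrap()` turns the `TryFromSliceError` into a panic. The sketch resolves property IDs by name from metadata read at runtime and returns an error instead of panicking. The property names, IDs, row layout and function names are constructed for illustration.

```rust
use std::collections::HashMap;
use std::convert::TryFrom;

/// Decode a little-endian u64 (e.g. a FILETIME) without panicking on blobs of the wrong size.
fn u64_from_bytes(bytes: &[u8]) -> Result<u64, String> {
    let arr = <[u8; 8]>::try_from(bytes)
        .map_err(|_| format!("expected 8 bytes, got {}", bytes.len()))?;
    Ok(u64::from_le_bytes(arr))
}

/// Resolve a property's column id by name from metadata loaded at runtime (hypothetical shape).
fn column_id(meta: &HashMap<String, i64>, name: &str) -> Result<i64, String> {
    meta.get(name).copied().ok_or_else(|| format!("property {} not in metadata", name))
}

/// Read one u64 property from a record given as (column id, raw blob) pairs.
fn read_u64(meta: &HashMap<String, i64>, row: &[(i64, Vec<u8>)], name: &str) -> Result<u64, String> {
    let id = column_id(meta, name)?;
    let (_, blob) = row.iter().find(|(c, _)| *c == id)
        .ok_or_else(|| format!("column {} missing for {}", id, name))?;
    u64_from_bytes(blob)
}

/// Constructed sample: metadata for one build, plus one record with a string and a timestamp.
fn sample() -> (HashMap<String, i64>, Vec<(i64, Vec<u8>)>) {
    let meta = HashMap::from([
        ("System_DateModified".to_string(), 21_i64),
        ("System_ItemName".to_string(), 15_i64),
    ]);
    let row = vec![
        (15, b"report.docx".to_vec()),
        (21, 0x01DB_20A1_0000_0000_u64.to_le_bytes().to_vec()),
    ];
    (meta, row)
}

fn main() {
    let (meta, row) = sample();
    // Id 15 stands in for a stale hardcoded id: in this build it points at a string.
    let stale = row.iter().find(|(c, _)| *c == 15).map(|(_, b)| u64_from_bytes(b));
    println!("stale hardcoded id 15 -> {:?}", stale);
    println!("lookup by name        -> {:?}", read_u64(&meta, &row, "System_DateModified"));
}
```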