williballenthin / python-registry

Pure Python parser for Windows Registry hives.
Apache License 2.0

Unknown Type Exception (Unknown VK Record type 0x12, 0x13, 0x19 ...) and Unicode Errors #84

Open bitranox opened 5 years ago

bitranox commented 5 years ago

python-registry is awesome!

I only have some errors when reading the values of some keys while trying to read out the complete registry.

Operating System is Windows 10, Version 1809 (Build 17763.55)

python-registry Version is 1.2.0

hives were saved with reg save .... as Administrator

when I try to access the values with regedit, I get "access denied"

the logfile with exception tracebacks, keys and value names is attached!

I get multiple errors (but all other values I can read from the hives) like:

Registry.RegistryParse.UnknownTypeException: Unknown Type Exception (Unknown VK Record type 0x12 at 0x585bc4)

Registry.RegistryParse.UnknownTypeException: Unknown Type Exception (Unknown VK Record type 0x13 at 0x881264)

Registry.RegistryParse.UnknownTypeException: Unknown Type Exception (Unknown VK Record type 0x19 at 0xd841a4)

UnicodeDecodeError: 'utf-16-le' codec can't decode byte 0x00 in position 244: truncated data

It is a very useful and great tool you created - it would be nice if you would be able to clean out those errors (or did I do something wrong?)

yours sincerely

Robert

Vienna, Austria

myapp.log

williballenthin commented 5 years ago

hey @bitranox thanks for the kind words.

Are you able to share the raw registry hive? This will help me determine if it's an issue of registry hive corruption, or an unsupported feature.

bitranox commented 5 years ago

sure, I will send you a download link for the hives

yours sincerely

Robert

Vienna, Austria

bitranox commented 5 years ago

Willi, did you receive my email? And here is my "fingerprint" software, using python-registry: https://github.com/bitranox/fingerprint

yours sincerely

Robert

msuhanov commented 5 years ago

  1. The UnknownTypeException exception is related to these issues: https://github.com/williballenthin/python-registry/issues/62 and https://github.com/williballenthin/python-registry/issues/14 (TL;DR: it's okay for values to have unusual value types, you can catch the exception and fetch the raw bytes).

  2. I was able to reproduce the UnicodeDecodeError exception using my own test data. It looks like the data isn't UTF-16LE in that case:

00000000  31 00 37 00 30 00 7B 0A-20 20 20 22 44 61 74 61  1.7.0.{.   "Data
00000010  62 61 73 65 49 6E 73 74-61 6E 63 65 49 64 22 20  baseInstanceId" 
00000020  3A 20 31 30 39 30 32 2C-0A 20 20 20 22 53 65 71  : 10902,.   "Seq
00000030  75 65 6E 63 65 22 20 3A-20 37 30 2C 0A 20 20 20  uence" : 70,.   
00000040  22 61 63 74 69 76 69 74-79 53 74 6F 72 65 49 64  "activityStoreId
00000050  22 20 3A 20 22 43 35 34-35 34 37 34 45 2D 43 31  " : "C545474E-C1
00000060  34 41 2D 41 31 39 36 2D-34 31 39 34 2D 43 46 35  4A-A196-4194-CF5
00000070  35 41 45 43 35 45 44 37-38 22 2C 0A 20 20 20 22  5AEC5ED78",.   "
00000080  66 69 6C 74 65 72 22 20-3A 20 7B 0A 20 20 20 20  filter" : {.    
00000090  20 20 22 65 78 63 6C 75-64 65 44 65 6C 65 74 65    "excludeDelete
000000A0  64 22 20 3A 20 66 61 6C-73 65 2C 0A 20 20 20 20  d" : false,.    
000000B0  20 20 22 69 73 52 65 61-64 46 69 6C 74 65 72 22    "isReadFilter"
000000C0  20 3A 20 30 2C 0A 20 20-20 20 20 20 22 75 73 65   : 0,.      "use
000000D0  72 41 63 74 69 6F 6E 53-74 61 74 65 46 69 6C 74  rActionStateFilt
000000E0  65 72 22 20 3A 20 30 0A-20 20 20 7D 0A 7D 0A 00  er" : 0.   }.}..
000000F0  00   

Thus, an attempt to decode it results in this exception: UnicodeDecodeError: 'utf-16-le' codec can't decode byte 0x00 in position 240: truncated data
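Added example, not part of the thread or of python-registry's own code: a tolerant reader for a whole-hive walk that follows the advice above by catching both exceptions and keeping the undecoded bytes. It assumes the value object exposes `value()` and `raw_data()`; `read_value`, `FakeValue` and the sample bytes are constructed for illustration.

```python
try:
    from Registry.RegistryParse import UnknownTypeException
except ImportError:
    # python-registry not installed: stand-in class so this runs offline.
    class UnknownTypeException(Exception):
        pass


def read_value(value):
    """Return (status, data) for one value without aborting the hive walk.

    `value` needs .value() and .raw_data() (assumed interface).
    """
    try:
        return "parsed", value.value()
    except UnknownTypeException:
        # Unusual value type: keep the undecoded bytes as evidence.
        return "unknown_type", value.raw_data()
    except UnicodeDecodeError:
        # Typed as a string but not valid UTF-16LE: keep the undecoded bytes.
        return "bad_string", value.raw_data()


class FakeValue:
    """Constructed stand-in (assumption) that mimics the two failures."""
    REG_SZ = 0x1

    def __init__(self, value_type, raw):
        self._type, self._raw = value_type, raw

    def raw_data(self):
        return self._raw

    def value(self):
        if self._type != self.REG_SZ:
            raise UnknownTypeException("Unknown VK Record type 0x%x" % self._type)
        return self._raw.decode("utf-16-le")  # strict decode, as for a string value


# Constructed sample data: UTF-16LE prefix followed by ASCII text, odd length.
MIXED = "1.7.0".encode("utf-16-le") + b'{\n "k" : 1\n}\n\x00\x00'
GOOD = "hello\x00".encode("utf-16-le")

if __name__ == "__main__":
    for v in (FakeValue(1, GOOD), FakeValue(1, MIXED), FakeValue(0x12, b"\x01\x02")):
        status, data = read_value(v)
        print(status, repr(data))
```

Values that come back as `unknown_type` or `bad_string` can be logged as hex alongside the key path, so the walk completes and nothing is silently dropped.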