Hello.
The bug is here (Registry/Registry/Other/HBinRecord.cs, line 325 in 1a301f3):

```csharp
if (Math.Abs(size) <= 3 || remainingData.Length - actualStart < size)
```
If the remainingData.Length - actualStart < size condition is met, the deleted item isn't processed. This condition can be true for a valid deleted key/value if its cell has been merged with a preceding one and then the resulting cell is split to hold a subkeys list, so the deleted key/value goes to the slack of this list (i.e., stored after its last item).
Here is an example (this is the SYSTEM hive file from the 2018 Lone Wolf Scenario, without transaction log files applied):

The remnant cell size field for the deleted key in question, whose value is 0x00000178, is too large for the cell containing the subkeys list (the actualStart value plus the size value point beyond the end of the cell).
Registry Explorer 2.0.0.0 doesn't recover that key:

The same key can be recovered using yarp:

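The failure mode described in the post, reproduced on constructed data as an added example (not code from Registry, Registry Explorer or yarp): a deleted `nk` remnant sits in the slack of a cell holding an `lf` subkeys list, and its stale size field (0x178) exceeds the bytes that remain. The buffer contents, the function names and the structure-based validation used when the size field is not trusted are assumptions made for illustration.

```python
import struct

NAME_LEN_OFF, NAME_OFF = 0x4C, 0x50  # relative to cell start (4-byte size + nk record)

def build_sample_cell():
    """Constructed data: an allocated 0x80-byte cell holding a one-item 'lf'
    subkeys list, with a deleted 'nk' remnant left in the slack after it."""
    lf = struct.pack("<i2sHII", -0x80, b"lf", 1, 0x1020, 0x74736554)
    name = b"DeletedKey"
    nk = bytearray(0x4C + len(name))
    nk[0:2] = b"nk"
    struct.pack_into("<H", nk, 0x02, 0x0020)      # flags: name stored as ASCII
    struct.pack_into("<H", nk, 0x48, len(name))   # key name length
    nk[0x4C:] = name
    remnant = struct.pack("<i", 0x178) + bytes(nk)  # stale size field, as in the post
    cell = lf + remnant
    return cell + b"\x00" * (0x80 - len(cell)), len(lf)

def find_remnant_keys(data, start, trust_size_field):
    """Return [(offset, key name)] for 'nk' remnants found from `start` onward."""
    found = []
    # Cells are 8-byte aligned, so a former cell start is too.
    for pos in range(start, len(data) - NAME_OFF + 1, 8):
        if data[pos + 4:pos + 6] != b"nk":
            continue
        size = struct.unpack_from("<i", data, pos)[0]
        if trust_size_field and (abs(size) <= 3 or len(data) - pos < size):
            continue  # the condition quoted in the post: remnant is not processed
        # Assumed alternative: ignore the stale size and check that the record
        # itself fits in the bytes that are actually available.
        flags = struct.unpack_from("<H", data, pos + 6)[0]
        name_len = struct.unpack_from("<H", data, pos + NAME_LEN_OFF)[0]
        end = pos + NAME_OFF + name_len
        if name_len == 0 or end > len(data):
            continue
        codec = "ascii" if flags & 0x0020 else "utf-16-le"
        name = data[pos + NAME_OFF:end].decode(codec, "replace")
        if name.isprintable():
            found.append((pos, name))
    return found

if __name__ == "__main__":
    cell, slack_start = build_sample_cell()
    print("size-trusting scan:", find_remnant_keys(cell, slack_start, True))
    print("structure-validating scan:", find_remnant_keys(cell, slack_start, False))
```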