[The bug which this fixes is:
https://bugzilla.redhat.com/show_bug.cgi?id=717583 ]
----- Forwarded message from Peter Fokker <peter(a)berestijn.nl> -----
Date: Thu, 8 Mar 2012 11:37:06 +0100 (CET)
From: Peter Fokker <peter(a)berestijn.nl>
To: rjones(a)redhat.com
Cc: Peter Fokker <peter(a)berestijn.nl>
Subject: hivex: patch for read support of "li"-records from "ri"
intermediate
User-Agent: SquirrelMail/1.4.9a
Richard,
Thank you for creating the hivex-library. Studying your source code helped
me a great deal to better understand the internals of the Windows Registry.
However, while I was browsing a real-world SOFTWARE-hive (XP, SP3) I
could not browse to the '\Classes' key. Instead I got this (debug)-message:
get_children: returning ENOTSUP because ri-record offset does not
point to lf/lh (0x49020)
I tracked this issue down and I discovered that the intermediate
"ri"-record may not only contain offsets to "lf" and "lh"
but to
"li"-records too.
Attached is a patch against hivex.c v1.3.3 that recognises
"li"-records referenced from "ri"-records. For me this fixed the
issue
with browsing the '\Classes' key.
Note that I have not fixed the related problem of rewriting
"li"-records when inserting a new subkey or deleting an
existing one. This sure would cause problems when I were to
add/delete a subkey to/from '\Classes'.
I would very much appreciate it if would be so kind to take a look at
my patch, allthough I cannot blame you if you immediately dump this
unsollicited message+patch from some random stranger from The Netherlands.
Kind regards,
--Peter Fokker
--
Peter Fokker <peter(a)berestijn.nl>
Ingenieursbureau PSD +31 35 695 29 99 / +31 644 238 568
Stargardlaan 7 1404 BC Bussum, The Netherlands
----- End forwarded message -----
--
Richard Jones, Virtualization Group, Red Hat
http://people.redhat.com/~rjones
libguestfs lets you edit virtual machines. Supports shell scripting,
bindings from many languages.
http://libguestfs.org