On Fri, Jun 21, 2013 at 06:28:14PM +0200, Hilko Bengen wrote:
> * Richard W.M. Jones:
>
> > ACK to this patch as it only affects the deprecated hivex_value_dword
> > and hivex_value_qword functions, making them a little bit more useful.
>
> I didn't see anything about those functions being "deprecated". What did
> I miss?

I notice it's not documented (except perhaps in my head!)

However, it's a good idea not to use those functions, but instead to
use 'hivex_value_value' and then convert the value yourself. Probably
you shouldn't pay any attention (except advisory) to the type field
from the registry.

hivex_value_string can also be a minefield for the same reason.
Although most strings in REG_SZ fields in the registry are strings and
are encoded as UCS-2 (or UTF-16 if the programmer was awake), nothing
enforces this in Windows and you'll find registries that contain
UTF-8, binary data, garbage, etc in what should be string fields (or
strings in fields which are not typed as strings).

There's not much that hivex can really do about this. The contents of
the registry are simply not well-specified.

Rich.
--
Richard Jones, Virtualization Group, Red Hat
http://people.redhat.com/~rjones
virt-df lists disk usage of guests without needing to install any
software inside the virtual machine. Supports Linux and Windows.
http://people.redhat.com/~rjones/virt-df/
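
The approach described in the message above (take the raw bytes from hivex_value_value and convert them yourself, treating the type as advisory), sketched as an added example that is not part of the original message or of hivex. The helper names `as_int` and `as_text`, the classification heuristics and the sample payloads are assumptions constructed for illustration.

```python
# Windows registry type numbers; used here only as advisory hints.
REG_SZ, REG_BINARY, REG_DWORD, REG_DWORD_BIG_ENDIAN, REG_QWORD = 1, 3, 4, 5, 11

def as_int(reg_type, data):
    """Decode a 4- or 8-byte payload; the type only selects the byte order."""
    if len(data) not in (4, 8):
        raise ValueError(f"expected 4 or 8 bytes, got {len(data)}")
    order = "big" if reg_type == REG_DWORD_BIG_ENDIAN else "little"
    return int.from_bytes(data, order)

def _try(data, encoding):
    """Strict decode; None if invalid or not printable after NUL trimming."""
    try:
        text = data.decode(encoding).rstrip("\0")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None

def as_text(data):
    """Classify a payload as (label, text) by content, ignoring the type."""
    if not data:
        return ("empty", "")
    # Heuristic: UTF-8 text has no interior NULs, ASCII-range UTF-16LE does.
    body = data[:-1] if data.endswith(b"\0") else data
    if b"\0" not in body:
        text = _try(body, "utf-8")
        if text is not None:
            return ("utf-8", text)
    if len(data) % 2 == 0:
        text = _try(data, "utf-16-le")  # strict: lone surrogates are rejected
        if text is not None:
            return ("utf-16-le", text)
    return ("binary", data.hex())

if __name__ == "__main__":
    # Constructed (type, payload) pairs, all typed REG_SZ on purpose.
    samples = [
        (REG_SZ, "Windows".encode("utf-16-le") + b"\0\0"),
        (REG_SZ, b"caf\xc3\xa9\x00"),
        (REG_SZ, b"\x00\xd8\x41\x00"),
    ]
    for reg_type, payload in samples:
        print(reg_type, as_text(payload))
```
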