On Wed, Jun 19, 2013 at 06:57:33PM +0200, Hilko Bengen wrote:
> I recently came across a Windows XP image, where one REG_QWORD value
> (HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Shutdown\0\0\ExecTime)
> would be displayed by hivexsh but hivex_value_qword() would return -1.
> It turned out that the data length of this value was 16 bytes instead
> of 8.
>
> There is no problem in simply interpreting the first 4 (DWORD) or
> 8 (QWORD) bytes -- if there are enough bytes to be interpreted.
Yeah .. turns out that the type field in hives is mostly useless and
occasionally harmful. It bears no relationship to what the field
might actually contain.
ACK to this patch as it only affects the deprecated hivex_value_dword
and hivex_value_qword functions, making them a little bit more useful.
Rich.
--
Richard Jones, Virtualization Group, Red Hat
http://people.redhat.com/~rjones
virt-p2v converts physical machines to virtual machines. Boot with a
live CD or over the network (PXE) and turn machines into KVM guests.
http://libguestfs.org/virt-v2v
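A stand-alone illustration of the length check discussed in the thread, added here and not part of the hivex patch or of either mail: it decodes DWORD/QWORD values from the bytes actually present rather than trusting the type tag, so a REG_QWORD with 16 bytes of data decodes while a 2-byte one is rejected. The `struct reg_value`, the function names and the 16-byte sample are assumptions for this example, not the hivex API.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Stand-in for a registry value cell (an assumption for this example, not
 * hivex's own data structure): type tag, recorded data length, raw bytes. */
struct reg_value {
    uint32_t type;          /* e.g. REG_DWORD = 4, REG_QWORD = 11 */
    size_t len;             /* data length as recorded in the hive */
    const uint8_t *data;
};

/* Decode the first 'width' bytes as a little-endian integer. The type tag
 * is deliberately not consulted; the only check is that enough bytes exist.
 * Returns 0 on success, -1 with errno = EINVAL if the data is too short. */
static int value_le_int(const struct reg_value *v, size_t width, uint64_t *out)
{
    if (v == NULL || v->data == NULL || v->len < width) {
        errno = EINVAL;
        return -1;
    }
    uint64_t acc = 0;
    for (size_t i = 0; i < width; i++)
        acc |= (uint64_t)v->data[i] << (8 * i);
    *out = acc;
    return 0;
}

/* Lenient readers in the spirit of the patch: an over-long value is fine,
 * an under-long one is an error rather than an out-of-bounds read. */
int value_dword(const struct reg_value *v, uint32_t *out)
{
    uint64_t tmp;
    if (value_le_int(v, 4, &tmp) == -1)
        return -1;
    *out = (uint32_t)tmp;
    return 0;
}

int value_qword(const struct reg_value *v, uint64_t *out)
{
    return value_le_int(v, 8, out);
}

/* Constructed sample: a REG_QWORD whose recorded length is 16, like the
 * ExecTime value in the report. Only the first 8 bytes carry the number. */
static const uint8_t sample16[16] = {
    0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11,
    0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x00, 0x11 };
const struct reg_value sample_qword16 = { 11, sizeof sample16, sample16 };
const struct reg_value sample_short   = { 11, 2, sample16 };
```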