[The bug which this fixes is: https://bugzilla.redhat.com/show_bug.cgi?id=717583 ] ----- Forwarded message from Peter Fokker <peter(a)berestijn.nl&gt; ----- Date: Thu, 8 Mar 2012 11:37:06 +0100 (CET) From: Peter Fokker <peter(a)berestijn.nl&gt; To: rjones(a)redhat.com Cc: Peter Fokker <peter(a)berestijn.nl&gt; Subject: hivex: patch for read support of "li"-records from "ri" intermediate User-Agent: SquirrelMail/1.4.9a Richard, Thank you for creating the hivex-library. Studying your source code helped me a great deal to better understand the internals of the Windows Registry. However, while I was browsing a real-world SOFTWARE-hive (XP, SP3) I could not browse to the '\Classes' key. Instead I got this (debug)-message: get_children: returning ENOTSUP because ri-record offset does not point to lf/lh (0x49020) I tracked this issue down and I discovered that the intermediate "ri"-record may not only contain offsets to "lf" and "lh" but to "li"-records too. Attached is a patch against hivex.c v1.3.3 that recognises "li"-records referenced from "ri"-records. For me this fixed the issue with browsing the '\Classes' key. Note that I have not fixed the related problem of rewriting "li"-records when inserting a new subkey or deleting an existing one. This sure would cause problems when I were to add/delete a subkey to/from '\Classes'. I would very much appreciate it if would be so kind to take a look at my patch, allthough I cannot blame you if you immediately dump this unsollicited message+patch from some random stranger from The Netherlands. Kind regards, --Peter Fokker -- Peter Fokker <peter(a)berestijn.nl&gt; Ingenieursbureau PSD +31 35 695 29 99 / +31 644 238 568 Stargardlaan 7 1404 BC Bussum, The Netherlands ----- End forwarded message ----- -- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones libguestfs lets you edit virtual machines. Supports shell scripting, bindings from many languages. http://libguestfs.org