
python-registry encounters an unknown type while parsing the SAM hive #14

Closed
williballenthin opened this issue Feb 17, 2012 · 1 comment

Comments

@williballenthin
Owner

When processing a Registry key in the SAM hive, python-registry may throw an exception:

"Registry.RegistryParse.UnknownTypeException: Unknown Type Exception(Unknown VK Record type 0x3e9 at 0x36dc)"

This exception will not be handled by python-registry, and should be caught by a user's program. Here is the reasoning:

The key is mentioned on page 4 of the following paper (the author did
some of the best original research in understanding the Registry):

http://sentinelchicken.com/data/TheWindowsNTRegistryFileFormat.pdf

Basically, Microsoft and some third parties hijack the TYPE field of one
of the Registry data structures and store data in specific instances,
instead. One such case is storing the user ID in the SAM. The
python-registry code is failing because it does not account for this
arbitrary data in the TYPE field. Fortunately, you can still access the
ID in the current version.

A RegistryValue is backed by the lower level VKRecord structure, which
you can access as RegistryValue._vkrecord. You can interpret the integer
result of the method VKRecord.data_type() as the data of the Registry
value. You should only do this in the few specific cases where the file
format is broken. I don't know if this is documented anywhere,
unfortunately.

Very explicitly, the user ID key stored in the SAM can be accessed as
follows:

from Registry import Registry
r = Registry.Registry("SAM")  # placeholder: path to a SAM hive file on disk
k = r.open(r"SAM\Domains\Account\Users\Names\Administrator")  # raw string: "\U" and "\N" are escape sequences otherwise; path is relative to the hive root
userid = k.value("(default)")._vkrecord.data_type()  # TYPE field overloaded with the user ID

This code snippet accesses the VKRecord that backs the RegistryValue for
the default value of the Administrator key. userid is an integer
read directly from the binary data, from the field that usually contains
the data type of the Registry value. Instead, the field is overloaded
with the alternate meaning.

@williballenthin
Owner Author

As mentioned, python-registry will continue to throw this exception when an unusual TYPE value is encountered. A user's script should account for the possibility that another developer has overloaded the TYPE field in the Registry. This bug report is submitted mainly for documentation.
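To make the overloading concrete, here is an added example (not part of this issue or of python-registry) that parses the fixed header of a VK record by hand, using the layout from the paper linked above, and applies the handling rule from both comments: decode known REG_* types normally, and treat an unknown TYPE value as the user ID only under a `...\Users\Names\...` key. The VK record bytes are constructed inline, and the path heuristic is an assumption for illustration.

```python
import struct

# REG_* type codes a registry parser knows how to decode (REG_NONE .. REG_QWORD).
KNOWN_TYPES = {
    0x0: "REG_NONE", 0x1: "REG_SZ", 0x2: "REG_EXPAND_SZ", 0x3: "REG_BINARY",
    0x4: "REG_DWORD", 0x5: "REG_DWORD_BIG_ENDIAN", 0x6: "REG_LINK",
    0x7: "REG_MULTI_SZ", 0x8: "REG_RESOURCE_LIST",
    0x9: "REG_FULL_RESOURCE_DESCRIPTOR", 0xA: "REG_RESOURCE_REQUIREMENTS_LIST",
    0xB: "REG_QWORD",
}

# VK record header (cell size dword already stripped):
# "vk", name length, data length, data offset, data TYPE, flags, spare -> name follows at 0x14
VK_HEADER = struct.Struct("<2sHIIIHH")


def parse_vk(record: bytes) -> dict:
    """Parse the fixed part of a VK record into its fields."""
    sig, name_len, data_len, data_off, data_type, flags, _spare = VK_HEADER.unpack_from(record, 0)
    if sig != b"vk":
        raise ValueError("not a VK record")
    name = record[VK_HEADER.size:VK_HEADER.size + name_len].decode("latin-1") if name_len else "(default)"
    inline = bool(data_len & 0x80000000)  # high bit set: the 4 data bytes live in the offset field
    return {
        "name": name,
        "data_type": data_type,
        "data_len": data_len & 0x7FFFFFFF,
        "inline_data": record[8:12] if inline else None,
    }


def interpret(vk: dict, key_path: str):
    """Return (kind, value); under SAM\\...\\Users\\Names an unknown TYPE is the user's RID."""
    t = vk["data_type"]
    if t in KNOWN_TYPES:
        return KNOWN_TYPES[t], vk["inline_data"]
    if "\\users\\names\\" in key_path.lower():          # assumed heuristic for the SAM special case
        return "RID", t                                 # TYPE field overloaded with the user ID
    raise ValueError("Unknown VK Record type 0x%x" % t)  # anything else is a real parse failure


# Constructed sample records (not from a real hive): a (default) value whose TYPE field
# carries RID 0x3e9 as in the reported exception, and an ordinary inline REG_DWORD "Flag" = 42.
RID_VK = VK_HEADER.pack(b"vk", 0, 0, 0, 0x3E9, 0, 0)
DWORD_VK = VK_HEADER.pack(b"vk", 4, 0x80000004, 0x2A, 0x4, 1, 0) + b"Flag"
```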
