As mentioned, python-registry will continue to throw this exception when an unusual TYPE value is encountered. A user's script should account for the possibility that another developer has overloaded the TYPE field in the Registry. This bug report is submitted mainly for documentation.
When processing a Registry key in the SAM hive, python-registry may throw an exception:
"Registry.RegistryParse.UnknownTypeException: Unknown Type Exception(Unknown VK Record type 0x3e9 at 0x36dc)"
This exception will not be handled by python-registry, and should be caught by a user's program. Here is the reasoning:
The key is mentioned on page 4 of the following paper (the author did
some of the best original research in understanding the Registry):
http://sentinelchicken.com/data/TheWindowsNTRegistryFileFormat.pdf
Basically, Microsoft and some third parties hijack the TYPE field of one
of the Registry data structures and store data in specific instances,
instead. One such case is storing the user ID in the SAM. The
python-registry code is failing because it does not account for this
arbitrary data in the TYPE field. Fortunately, you can still access the
ID in the current version.
A RegistryValue is backed by the lower level VKRecord structure, which
you can access as RegistryValue._vkrecord. You can interpret the integer
result of the method VKRecord.data_type() as the data of the Registry
value. You should only do this in the few specific cases where the file
format is broken. I don't know if this is documented anywhere,
unfortunately.
Very explicitly, the user ID key stored in the SAM can be accessed as
follows:
from Registry import Registry
r = Registry.Registry("SAM")  # path to the SAM hive file on disk
# raw string: "\N" in a normal Python 3 string literal is a malformed \N{...} escape
k = r.open(r"\SAM\Domains\Account\Users\Names\Administrator")
userid = k.value("(default)")._vkrecord.data_type()
This code snippet accesses the VKRecord that backs the RegistryValue for
the default value of the Administrator key. userid is an integer
read directly from the binary data, from the field that usually contains
the data type of the Registry value. Instead, the field is overloaded
with the alternate meaning.
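As an added example (not python-registry's own code), here is a small VK-cell parser run over a constructed record that shows the two paths a user's script needs: a documented REG_* type is named normally, while an undocumented TYPE on the default value under a SAM Users\Names\<user> key is returned as the user ID instead of failing. The cell builder, the type table, the key-path check and the UnknownTypeException stand-in are assumptions of this example, not the library's API.

```python
import struct

# Standard value types from winnt.h; anything else is "unknown" to python-registry.
REG_TYPES = {
    0: "REG_NONE", 1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
    4: "REG_DWORD", 5: "REG_DWORD_BIG_ENDIAN", 6: "REG_LINK", 7: "REG_MULTI_SZ",
    8: "REG_RESOURCE_LIST", 9: "REG_FULL_RESOURCE_DESCRIPTOR",
    10: "REG_RESOURCE_REQUIREMENTS_LIST", 11: "REG_QWORD",
}

# VK cell header: size, "vk", name length, data length, data offset, TYPE, flags, unused.
VK_HEADER = struct.Struct("<i2sHIIIHH")


class UnknownTypeException(Exception):
    """Stand-in for Registry.RegistryParse.UnknownTypeException (assumption)."""


def build_vk_cell(name: bytes, data_type: int, data_len: int = 0, data_off: int = 0xFFFFFFFF) -> bytes:
    """Construct a VK cell with an ASCII name (constructed sample, not from a real hive)."""
    header = VK_HEADER.pack(-(VK_HEADER.size + len(name)), b"vk", len(name),
                            data_len, data_off, data_type, 1, 0)
    return header + name


def parse_vk(cell: bytes) -> dict:
    """Read the VK fields without interpreting TYPE; the caller decides what it means."""
    _size, sig, name_len, data_len, _off, vtype, flags, _unused = VK_HEADER.unpack_from(cell, 0)
    if sig != b"vk":
        raise ValueError("not a VK cell")
    raw_name = cell[VK_HEADER.size:VK_HEADER.size + name_len]
    name = raw_name.decode("ascii") if flags & 1 else raw_name.decode("utf-16-le")
    return {"name": name or "(default)", "type": vtype, "data_len": data_len & 0x7FFFFFFF}


def value_type_name(vk: dict) -> str:
    """Behave like python-registry: refuse any TYPE that is not a documented REG_* constant."""
    if vk["type"] not in REG_TYPES:
        raise UnknownTypeException("Unknown VK Record type 0x%x" % vk["type"])
    return REG_TYPES[vk["type"]]


def describe_value(cell: bytes, key_path: str) -> tuple:
    """Classify a value; on the default value under SAM ...\\Users\\Names\\<user> an
    unknown TYPE is the overloaded user ID, so return it instead of failing."""
    vk = parse_vk(cell)
    try:
        return ("type", value_type_name(vk))
    except UnknownTypeException:
        if "\\Users\\Names\\" in key_path and vk["name"] == "(default)":
            return ("rid", vk["type"])
        return ("unknown", vk["type"])  # caller decides what to do elsewhere
```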