
Does not correctly parse Win8 FILETIME value types #31

Closed
williballenthin opened this issue Apr 16, 2014 · 5 comments

@williballenthin
Owner

As reported by @woanware.

data type: 4294901776 or 0xFFFF0010

WIN8\SYSTEM\CCS\Enum\USBStor\XXXXXX\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064

The value's byte data should be "OD936B116FCBCE01"

I know that the actual value is a FILETIME value stored as byte array. The path comes from this posting:

http://www.swiftforensics.com/2013/11/windows-8-new-registry-artifacts-part-1.html

My parser identifies the value at the offset 0x517E94 (5340820), whereas the python-registry library identifies the value at 0x517E7C (5340796).

@williballenthin
Owner Author

Interesting to note there are many other "new" value types:

testing/issue31 - [master●] » python test.py SYSTEM | sort | uniq -c | sort -nr
  36051 RegSZ
  14609 RegDWord
   8343 RegBin
   3010 Unknown type: 0xffff0012
   2125 RegExpandSZ
   2025 RegMultiSZ
   1260 RegQWord
   1173 Unknown type: 0xffff0007
   1122 Unknown type: 0xffff0011
   1022 Unknown type: 0xffff0010
    690 RegNone
    508 Unknown type: 0xffff2012
    225 Unknown type: 0xffff1003
    139 Unknown type: 0x20001
    136 Unknown type: 0xffff000d
     99 Unknown type: 0x20004
     72 Unknown type: 0xffff0019
     63 Unknown type: 0xffff0009
     45 Unknown type: 0xffff0013
     36 RegResourceRequirementsList
     31 Unknown type: 0xffff0005
     27 RegResourceList
     18 Unknown type: 0x40007
     17 Unknown type: 0x20003
     10 Unknown type: 0xffff0006
      9 Unknown type: 0xffff0003
      4 Unknown type: 0xffff000f
      4 Unknown type: 0x200000
      2 Unknown type: 0x100000
      1 Unknown type: 0xffff100d
      1 Unknown type: 0xffff0017

Perhaps the upper two bytes are used for something else, now. Lower two bytes may correspond to the DEVPROP fields described by ReactOS.

Regedit doesn't yet understand these value types.

@woanware
Contributor

woanware commented Jul 2, 2014

Looking on the MSDN page below shows that you can work out the DEV_PROP_TYPE by using a bitwise "AND" and the "DEVPROP_MASK_TYPE", which is 0x00000FFF. So my data type value was 0xFFFF0010 and after performing the bitwise "AND" results in 10, which is data type DEVPROP_TYPE_FILETIME, which is the data type I would expect in the data offset:

http://msdn.microsoft.com/en-us/library/windows/hardware/ff543550(v=vs.85).aspx

@woanware
Contributor

woanware commented Jul 3, 2014

The differences in the offsets were a red herring; further debugging revealed that the parsing needed is similar to that of the type BIN, with further processing to create the DateTime object. I have created a pull request which adds a RegFileTime type and parsing capability.
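
The two findings in the comments above (mask the raw value type with DEVPROP_MASK_TYPE to recover the DEVPROP_TYPE, then treat the value data like REG_BINARY and convert the 8 bytes to a date) put together as an added example; this is not python-registry's code nor the pull request mentioned. The sample FILETIME bytes are constructed for the demonstration, not taken from the hive discussed here.

```python
import struct
from datetime import datetime, timedelta, timezone

# Mask and type constant as given on the DEVPROP documentation page linked above.
DEVPROP_MASK_TYPE = 0x00000FFF
DEVPROP_TYPE_FILETIME = 0x00000010

# A FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def devprop_type(raw_value_type):
    """Return the DEVPROP_TYPE held in the low 12 bits of a raw registry value type.

    The thread's example: 0xFFFF0010 & 0x00000FFF == 0x10 == DEVPROP_TYPE_FILETIME.
    """
    return raw_value_type & DEVPROP_MASK_TYPE


def parse_filetime(data):
    """Decode an 8-byte little-endian FILETIME blob into a timezone-aware datetime.

    The hive stores the value as a raw byte array, so the length is checked
    before unpacking rather than trusted; a truncated or oversized blob is an error.
    """
    if len(data) != 8:
        raise ValueError("FILETIME blob must be 8 bytes, got %d" % len(data))
    (ticks,) = struct.unpack("<Q", data)
    # FILETIME has 100 ns resolution but datetime only carries microseconds,
    # so the last digit is truncated.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def decode_property_value(raw_value_type, data):
    """Dispatch on the masked DEVPROP_TYPE; types not handled here stay raw bytes."""
    if devprop_type(raw_value_type) == DEVPROP_TYPE_FILETIME:
        return parse_filetime(data)
    return data


# Constructed sample (not from the thread): the FILETIME for 1970-01-01 00:00:00 UTC,
# 116444736000000000 ticks, written little-endian as it would sit in a hive value.
SAMPLE_FILETIME_BLOB = bytes.fromhex("00803ed5deb19d01")

if __name__ == "__main__":
    print(hex(devprop_type(0xFFFF0010)))
    print(decode_property_value(0xFFFF0010, SAMPLE_FILETIME_BLOB))
```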

@williballenthin
Owner Author

Closed in 634fd42
