It was indeed a bug. Actually, the Win32 API function that writes a registry value (RegSetValueExW) is doing a bad thing: it changes the binary data to make it conformant to what is usually expected for some types of values.
This is not desirable in this program, so I replaced the call to that function with the system call NtSetValueKey directly.
This should be fixed in version 1.4.
Can you try and tell me if that version is OK?
RegSetValueEx sometimes has expectations about the format of the
registry values, and will change the binary data transparently.
This is unwanted in our scope so we use ntdll function directly.
Fixes #4
Hello,
I used HiveSwarming_x86 v1.3 to convert a whole Windows 10 SYSTEM hive (REG keys to hive), then I compared the result with the original SYSTEM hive, and I found that on a few value data entries it adds an extra ,00,00 at the end of the value data hex. I don't know if this is an issue, but you can check my test reg files and test it.
For example, I converted this registry key .reg to hive:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\afunix\Parameters\Winsock\0]
"szProtocol"=hex(2):41,00,46,00,5f,00,55,00,4e,00,49,00,58,00
Then the resulting hive file, if I add it to the registry or convert it back from hive to .reg, is:
Windows Registry Editor Version 5.00
[(HiveRoot)]
"szProtocol"=hex(2):41,00,46,00,5f,00,55,00,4e,00,49,00,58,00,00,00
So it added an extra ,00,00 at the end of the data value hex.
I attached an archive with 3 reg files, test.reg and the result.reg after the conversion, so you can test it.
testREG.zip
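The comparison described in this issue can be automated. The following is an added example, not HiveSwarming's code: it parses two .reg exports (already decoded to text) and flags string-typed values whose raw data came back with only NUL bytes appended. The function names and the `Flags` value are assumptions made for illustration.

```python
import re

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=hex\(([0-9a-fA-F]+)\):(.*)$')
STRING_TYPES = {1, 2, 7}  # REG_SZ, REG_EXPAND_SZ, REG_MULTI_SZ

def parse_reg(text, root):
    """Map (key path relative to root, value name) -> (type, raw bytes)."""
    text = re.sub(r'\\\r?\n\s*', '', text)  # join hex data wrapped with a trailing backslash
    values, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith('[') and line.endswith(']'):
            path = line[1:-1]
            rest = path[len(root):]
            # Registry paths are case-insensitive; keys outside root are skipped.
            inside = path.lower().startswith(root.lower()) and rest[:1] in ('', '\\')
            key = rest.strip('\\').lower() if inside else None
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            data = bytes(int(b, 16) for b in m[3].split(',') if b.strip())
            values[(key, m[1].lower())] = (int(m[2], 16), data)
    return values

def classify(vtype, before, after):
    """Describe how a value's raw data changed across the round trip."""
    if before == after:
        return 'identical'
    tail = after[len(before):]
    if vtype in STRING_TYPES and after.startswith(before) and tail and not any(tail):
        return 'nul-appended'  # the symptom reported in this issue: extra 00,00
    return 'changed'

def diff_exports(orig_text, orig_root, new_text, new_root):
    """Report, per value in the original export, how it came back."""
    new = parse_reg(new_text, new_root)
    return {ident: classify(vtype, data, new[ident][1]) if ident in new else 'missing'
            for ident, (vtype, data) in parse_reg(orig_text, orig_root).items()}

# szProtocol lines are the ones quoted in the issue; "Flags" is a constructed
# REG_BINARY value added to show data that comes back unchanged.
ORIG_ROOT = r'HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\afunix\Parameters\Winsock\0'
ORIGINAL = ('[' + ORIG_ROOT + ']\n'
            '"szProtocol"=hex(2):41,00,46,00,5f,00,55,00,4e,00,49,00,58,00\n'
            '"Flags"=hex(3):01,00\n')
CONVERTED = ('[(HiveRoot)]\n'
             '"szProtocol"=hex(2):41,00,46,00,5f,00,55,00,4e,00,49,00,58,00,00,00\n'
             '"Flags"=hex(3):01,00\n')

if __name__ == '__main__':
    for ident, verdict in diff_exports(ORIGINAL, ORIG_ROOT, CONVERTED, '(HiveRoot)').items():
        print(ident, verdict)
```

Any `nul-appended` verdict means the rebuilt hive is not byte-identical to the source for that value, which matters when the hive is used as forensic evidence or hashed for integrity checks.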