Skip to content
This repository has been archived by the owner on Jun 10, 2024. It is now read-only.

Unable to process SYSTEM hive for Windows 10 18003 Build 17134.1 #20

Open
mbevilacqua opened this issue Jan 11, 2019 · 5 comments
Open

Unable to process SYSTEM hive for Windows 10 18003 Build 17134.1 #20

mbevilacqua opened this issue Jan 11, 2019 · 5 comments

Comments

@mbevilacqua
Copy link

[+] Reading binary file: /SYSTEM...
[-] Got an unrecognized magic value of 0x66676572... bailing
[-] No Shim Cache entries found...
@AliPurdy
Copy link

I'm experiencing the a similar error:

[+] Reading registry hive: SYSTEM...
[-] Got an unrecognized magic value of 0x34... bailing
[-] No Shim Cache entries found...

A commercial tool has read the ShimCache so I know there are entries.

@mbevilacqua mbevilacqua mentioned this issue Jan 28, 2019
Open
@BirdHacks
Copy link

@AliPurdy

Update to the latest version. 0x34 is the magic value for Windows 10 after the Creators update.

@BirdHacks
Copy link

BirdHacks commented Mar 3, 2019
edited
Loading

@mbevilacqua It looks like you're trying to parse a hive file as a registry file. Try using -i instead of -r.

@mbevilacqua
Copy link
Author

mbevilacqua commented Mar 9, 2019
edited
Loading

definitely parsing a hive as I have no reg export but I retried just in case and it works. Not sure if there was an update in between or I thumbed it while testing but thanks!

@BirdHacks
Copy link

BirdHacks commented Mar 16, 2019
edited
Loading

@mbevilacqua yw. 0x66676572 are the first four bytes of a hive file (ascii 'regf' in little endian). That's why I think it isn't a registry file. The files from C:\Windows\System32\config* are hive files.

@adavism this can probably be closed.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@mbevilacqua @BirdHacks @AliPurdy