YARP issue #74
Comments
|
Hello. I'm the author of the yarp library. Based on the screenshot you posted, it seems there is an issue with an input file, not with the library. Can you upload a sample hive file (including transaction log files) to investigate the problem? |
|
hello @msuhanov , Thanks for the reply. I unfortunately cannot share the sample hive file. I used velociraptor to copy the file. yes it did come from a live system. is it perhaps how YARP was implemented? Not sure if it was clear in my second screenshot, but I was able to get regipy to parse out the same hive that YARP was unable to. I'm no expert when it comes to parsers, but since I was able to parse the hive with regipy and not YARP thats what make me think it was YARP. What do you think? Thanks |
There is a format violation within the file. A tool can refuse to parse the file, or report the violation and parse what it can, or silently ignore the violation and extract as much data as possible (this is also limited to the implementation, which can extract less data than expected by the user). The yarp-print tool can handle damaged and truncated primary files if no related transaction log files are available (or when the It is unclear what happened in your case. Velociraptor had at least one issue that could result in damaged files being produced.
Can you run the yarp-print tool manually against the file in question? (I recommend using the latest version.) (Under the Windows operating system, execute "set PYTHONIOENCODING=utf-8" in the same cmd session before running the tool.) |
Hello,
I've run into a few registry hives where kuiper will list a yarp issue, example for ntuser.dat
I manually run yarp on the same ntuser.dat and get this:
I ran regipy on it and it printed with no issues https://github.com/mkorman90/regipy
Not sure if a yarp setting needs to be change or maybe use regipy instead
The text was updated successfully, but these errors were encountered: