Bug 1230414

Summary: Windows inspection fails with hivex_close: do_hivex_close: you must call 'hivex-open' first to initialize the hivex handle
Product: Red Hat Enterprise Linux 7 Reporter: Richard W.M. Jones <rjones>
Component: libguestfsAssignee: Richard W.M. Jones <rjones>
Status: CLOSED DUPLICATE QA Contact: Virtualization Bugs <virt-bugs>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.1CC: leiwang, linl, ptoscano, wshi
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-07-06 10:28:26 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1288337, 1301891    

Description Richard W.M. Jones 2015-06-10 20:57:03 UTC
Description of problem:

If a Windows guest is running and writing to the hive, then
the hive may contain unflushed hbins which appear to be blank
(from the point of view of libguestfs).  This can cause virt-win-reg
to fail with this error:

# virt-win-reg guest 'HKLM\SYSTEM'
hivex_close: do_hivex_close: you must call 'hivex-open' first to initialize the
hivex handle at /usr/bin/virt-win-reg line 296.

In fact any tool which does inspection would fail in the same way.

We should add some kind of "ROBUST" open flag to hivex so it
ignores these errors (it would be mutually exclusive with
opening hives for writes).

Version-Release number of selected component (if applicable):

libguestfs 1.28.1

How reproducible:

100%

Steps to Reproduce:
1. Start with a Windows guest, and place an overlay on top:

$ qemu-img create -f qcow2 -b windows.img

2. Open the overlay for writing:

$ guestfish -a overlay.qcow2 -i

3. Get the size of the existing SYSTEM hive:

><fs> filesize /Windows/System32/config/SYSTEM
17252352

4. Write a blank page at the end of the hive.  This corrupts
the hive, but it gives the same effect as Windows extending
the hive:

><fs> emacs /Windows/System32/config/SYSTEM

At this point, very carefully search to the end of the file,
then backwards to the final string "hbin" in the file, and
overwrite that string with exactly 4 spaces.  The file size
should not be changed after doing this:

><fs> filesize /Windows/System32/config/SYSTEM
17252352

5. Exit guestfish and then run a tool such as virt-win-reg on
the file:

$ virt-win-reg overlay.qcow2 HKLM\\SYSTEM
hivex_close: do_hivex_close: you must call 'hivex-open' first to initialize the hivex handle at /usr/bin/virt-win-reg line 296.

Additional info:

This bug has been encountered before, and we thought it was
fixed.  See bug 888059 and discussion upstream here:
https://www.redhat.com/archives/libguestfs/2012-December/thread.html#00079

Comment 3 Richard W.M. Jones 2016-07-06 10:28:26 UTC

*** This bug has been marked as a duplicate of bug 1311890 ***