Red Hat Bugzilla – Bug 1296624
editing a large hive gives "Numerical result out of range"
Last modified: 2016-01-14 07:31:06 EST
Description of problem:
When using libhivex to traverse large registry hives (~ 83 MB), such as C:\Windows\System32\config\SOFTWARE, libhivex generates a "Numerical result out of range" error and aborts.
Version-Release number of selected component:
always with large hives (tested with 83 MB hive)
Steps to Reproduce:
1. Take a large hive from C:\Windows\System32\config from an actively used Windows system. Your best bet is probably SOFTWARE.
2. Run the following command:
hivexml SOFTWARE > SOFTWARE.xml
The program aborts with exit code 1 and output:
hivex_visit: SOFTWARE: Numerical result out of range
The XML file is incomplete (in my case it had reached a size of 102 MB).
The program should completely dump the hive into the XML file without aborting or giving an error message.
I tested traversing the same SOFTWARE hive using ntpasswd's reged -x (export feature). This was successful. I was also able to apply the changes I wanted to apply without any issues. For that reason, I have a hunch that the hive format has been extended again in Windows 7.
The ntpasswd project refers to a document written by a German that helped them achieve full support for hive files up to Windows 8.1. I thought it may be of help to libhivex as well. See http://pogostick.net/~pnh/ntpasswd/editor.html and http://pogostick.net/~pnh/ntpasswd/WinReg.txt .
Version 1.3.11 is over a year old. Please try a newer version.
"Numerical result out of range" is ERANGE, and the meaning (as
described in hivex(3)) is that a field in the registry is too
hivex has a number of compiled-in limits:
designed to stop malformed hives from exploiting the host. A valid
but unusual hive can hit these limits.
The only way to increase these is to recompile hivex. However I
don't know which particular limit you are hitting - you'll need to
run hivex with debugging enabled to determine that.
We have already increased these limits since 1.3.11, in response
to finding valid hives which used larger numbers of keys etc. so running
a newer version of hivex may not hit the limit at all.
BTW we already support hivex up to and including Windows 8.1 (and
beyond). You don't need to keep posting those links.
That was it. The new version handles the same large hive without a hitch.
Thanks for the info about the compiled-in limits and their purpose and the link to the code. That helps me understand the complexity of the possible issues better.
Thanks, too, for mentioning the hive versions supported. That was something I couldn't get from the documentation at http://libguestfs.org/. Sorry for the spam.
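Added example (not code from this bug report or from hivex): how a compiled-in limit of the kind described in the replies above turns a well-formed but large record into ERANGE, distinct from the error for a malformed one. The function parse_lf_list, the cap EXAMPLE_MAX_SUBKEYS and its value, the choice of EINVAL and the sample records are assumptions made for illustration; the record layout is the hive format's "lf" subkey list.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical compiled-in cap for this example; not hivex's constant. */
#define EXAMPLE_MAX_SUBKEYS 4

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse an "lf" subkey list body: 2-byte id, 2-byte count, then count
 * entries of (4-byte child offset, 4-byte name hint). Returns the number
 * of offsets stored in *out (caller frees), or -1 with errno set:
 *   EINVAL  wrong id or truncated record (malformed input)
 *   ERANGE  well-formed count above the compiled-in cap */
long parse_lf_list(const uint8_t *rec, size_t len, uint32_t **out) {
    *out = NULL;
    if (len < 4 || memcmp(rec, "lf", 2) != 0) { errno = EINVAL; return -1; }
    size_t count = (size_t)rec[2] | ((size_t)rec[3] << 8);
    /* Cap check runs before any allocation or loop sized by the input. */
    if (count > EXAMPLE_MAX_SUBKEYS) { errno = ERANGE; return -1; }
    /* The declared entries must actually fit inside the record. */
    if (count * 8 > len - 4) { errno = EINVAL; return -1; }
    uint32_t *offs = calloc(count ? count : 1, sizeof *offs);
    if (offs == NULL) return -1;  /* calloc failed */
    for (size_t i = 0; i < count; i++)
        offs[i] = le32(rec + 4 + i * 8);
    *out = offs;
    return (long)count;
}

int main(void) {
    /* Constructed records: a 2-entry list, and a complete 5-entry list. */
    uint8_t small[4 + 2 * 8] = {'l', 'f', 2, 0, 0x20, 0, 0, 0};
    uint8_t large[4 + 5 * 8] = {'l', 'f', 5, 0};
    uint32_t *offs;
    long n = parse_lf_list(small, sizeof small, &offs);
    printf("small: %ld subkeys\n", n);
    free(offs);
    if (parse_lf_list(large, sizeof large, &offs) == -1)
        printf("large: %s\n", strerror(errno));
    return 0;
}
```

The 5-entry record is complete and correctly formed, yet it is rejected with ERANGE because the cap is checked first; raising the cap requires recompiling, which is the trade-off the replies describe.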