Description of problem:
=======================
When using libhivex to traverse large registry hives (~83 MB), such as C:\Windows\System32\config\SOFTWARE, libhivex generates a "Numerical result out of range" error and aborts.

Version-Release number of selected component:
=============================================
libhivex-bin 1.3.11
libhivex0 1.3.11

How reproducible:
=================
always with large hives (tested with 83 MB hive)

Steps to Reproduce:
===================
1. Take a large hive from C:\Windows\System32\config from an actively used Windows system. Your best bet is probably SOFTWARE.
2. Run the following command:
   hivexml SOFTWARE > SOFTWARE.xml

Actual results:
===============
The program aborts with exit code 1 and output:
   hivex_visit: SOFTWARE: Numerical result out of range
The XML file is incomplete (in my case it had reached a size of 102 MB).

Expected results:
=================
The program should completely dump the hive into the XML file without aborting or giving an error message.

Additional info:
================
I tested traversing the same SOFTWARE hive using ntpasswd's reged -x (export feature). This was successful. I was also able to apply the changes I wanted to apply without any issues. For that reason, I have a hunch that the hive format has been extended again in Windows 7. The ntpasswd project refers to a document written by a German that helped them achieve full support for hive files up to Windows 8.1. I thought it may be of help to libhivex as well. See http://pogostick.net/~pnh/ntpasswd/editor.html and http://pogostick.net/~pnh/ntpasswd/WinReg.txt .
Version 1.3.11 is over a year old. Please try a newer version.

"Numerical result out of range" is ERANGE, and the meaning (as described in hivex(3)) is that a field in the registry is too large. hivex has a number of compiled-in limits:

https://github.com/libguestfs/hivex/blob/master/lib/hivex-internal.h#L325-L329

designed to stop malformed hives from exploiting the host. A valid but unusual hive can hit these limits. The only way to increase these is to recompile hivex. However, I don't know which particular limit you are hitting - you'll need to run hivex with debugging enabled to determine that.

We have already increased these limits since 1.3.11, in response to finding valid hives which used larger numbers of keys etc., so running a newer version of hivex may not hit the limit at all.

BTW we already support hivex up to and including Windows 8.1 (and beyond). You don't need to keep posting those links.
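The pattern described in the comment above, a compiled-in cap checked before a file-supplied count is used, with ERANGE reported when it is exceeded, shown as an added example (it is not hivex's code and is not part of the original thread). The record layout, `DEMO_MAX_SUBKEYS`, `read_subkey_list` and `demo` are hypothetical names and values chosen for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Hypothetical cap, standing in for the compiled-in limits discussed above. */
#define DEMO_MAX_SUBKEYS 4

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Constructed layout (not the real hive format): 4-byte little-endian subkey
 * count, then that many 4-byte little-endian offsets. Returns the count, or -1
 * with errno = ERANGE (count over the cap) or EINVAL (truncated / bad offset). */
int read_subkey_list(const uint8_t *rec, size_t rec_len, size_t file_len,
                     uint32_t out[DEMO_MAX_SUBKEYS])
{
    if (rec_len < 4) { errno = EINVAL; return -1; }
    uint32_t count = le32(rec);
    /* Cap first: the count comes from the file and drives every loop below. */
    if (count > DEMO_MAX_SUBKEYS) { errno = ERANGE; return -1; }
    /* Divide rather than multiply so the size check itself cannot overflow. */
    if ((rec_len - 4) / 4 < count) { errno = EINVAL; return -1; }
    for (uint32_t i = 0; i < count; i++) {
        uint32_t off = le32(rec + 4 + 4 * (size_t)i);
        if (off >= file_len) { errno = EINVAL; return -1; }
        out[i] = off;
    }
    return (int)count;
}

/* Constructed samples: small record; well-formed record larger than the cap;
 * malformed record claiming about 4 billion subkeys. */
static const uint8_t ok_rec[]  = { 2,0,0,0, 0x10,0,0,0, 0x20,0,0,0 };
static const uint8_t big_rec[] = { 5,0,0,0, 1,0,0,0, 2,0,0,0, 3,0,0,0, 4,0,0,0, 5,0,0,0 };
static const uint8_t bad_rec[] = { 0xff,0xff,0xff,0xff };

/* Returns the count on success or -errno on failure. */
int demo(const uint8_t *rec, size_t len)
{
    uint32_t out[DEMO_MAX_SUBKEYS];
    int n = read_subkey_list(rec, len, 0x1000, out);
    return n >= 0 ? n : -errno;
}

int main(void)
{
    printf("%d %d %d\n", demo(ok_rec, sizeof ok_rec), demo(big_rec, sizeof big_rec), demo(bad_rec, sizeof bad_rec));
    return 0;
}
```

The well-formed `big_rec` and the malformed `bad_rec` fail identically with ERANGE, which is why a valid but unusually large hive can trip the same check that guards against a hostile one.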
That was it. The new version handles the same large hive without a hitch. Thanks for the info about the compiled-in limits and their purpose and the link to the code. That helps me understand the complexity of the possible issues better. Thanks, too, for mentioning the hive versions supported. That was something I couldn't get from the documentation at http://libguestfs.org/. Sorry for the spam.