
Bug 1648523

Summary: Hivex key collation disagrees with Windows so sometimes keys are missing after import
Product: Red Hat Enterprise Linux 7
Component: hivex
Version: 7.7
Status: CLOSED WONTFIX
Severity: high
Priority: unspecified
Reporter: Richard W.M. Jones <rjones>
Assignee: Richard W.M. Jones <rjones>
QA Contact: YongkuiGuo <yoguo>
CC: 593749519, extras-qa, linl, ptoscano, rjones, yoguo
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Windows
Doc Type: If docs needed, set a value
Story Points: ---
Clone Of: 1648520
Last Closed: 2019-05-13 10:11:45 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1648520

Description Richard W.M. Jones 2018-11-10 10:19:13 UTC
+++ This bug was initially created as a clone of Bug #1648520 +++

Found one special case where two keys are created using the lib compiled with vc, and one of them (the shorter one) is missing when mounted with Windows regedit.exe. The attachment is the sample.

--- Additional comment from Richard W.M. Jones on 2018-11-10 04:30:40 EST ---

Hivex refuses to open this file:

$ hivexsh -d test1.reg 
hivex: hivex_open: created handle 0x55d64a255dd0
hivex: hivex_open: returning EINVAL because: test1.reg: file is too small to be a Windows NT Registry hive file
hivexsh: failed to open hive file: test1.reg: Invalid argument

How did you create it?

--- Additional comment from Richard W.M. Jones on 2018-11-10 04:52:31 EST ---

The registry is:

[HKEY_LOCAL_MACHINE\SYSTEM\1\CurrentControlSet\Services\VSS\Diag\Lovelace(__?GLOBALROOT_Device_HarddiskVolume3)]

[HKEY_LOCAL_MACHINE\SYSTEM\1\CurrentControlSet\Services\VSS\Diag\Lovelace(C:_)]

--- Additional comment from Richard W.M. Jones on 2018-11-10 05:15:59 EST ---

To test this I created a new hive called 'bz1648520' by this method:

(1) Copy hivex/images/minimal (from hivex source) to bz1648520

(2) Edit it using hivexsh:

$ hivexsh -w bz1648520
bz1648520\> add Lovelace(__?GLOBALROOT_Device_HarddiskVolume3)
bz1648520\> add Lovelace(C:_)
bz1648520\> ls
Lovelace(__?GLOBALROOT_Device_HarddiskVolume3)
Lovelace(C:_)
bz1648520\> commit

(3) Load the hive into a temporary Windows VM:

$ virt-builder windows-6.2-server --upload bz1648520:/bz1648520 

(4) Boot Windows VM and open the hive in regedit:

$ qemu-system-x86_64 -nodefconfig -nodefaults -display gtk -vga qxl -machine accel=kvm:tcg -cpu host -m 2048 -drive file=windows-6.2-server.img,format=raw,if=ide

C:\regedit

Create a new temporary registry key anywhere in the tree.

Select File -> Import -> File of type *.* -> C:\bz1648520

Only one key appears in Windows ("Lovelace(__?GLOBALROOT_Device_HarddiskVolume3)").
The other key is missing.

I'm pretty sure this is caused by our key collation order being wrong.

--- Additional comment from Richard W.M. Jones on 2018-11-10 05:17:58 EST ---

i.e. It's something to do with:

https://github.com/libguestfs/hivex/blob/be51757920b56a77e2e63247f9a8409ce994d33c/lib/write.c#L664

Our ordering probably doesn't match Windows's ordering.
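
The following is an added example, not part of the bug report and not hivex or Windows code. It shows how the two key names from this bug can sort in opposite orders under two case-insensitive collations, because `_` (0x5F) lies between `Z` and `a` in ASCII. That the writer folds to lower case and the reader folds to upper case is an assumption made for illustration; the report only says the orderings probably differ.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Byte-wise comparison of two ASCII key names after folding each
 * byte with fold (tolower or toupper). */
static int cmp_folded(const char *a, const char *b, int (*fold)(int))
{
    for (;; a++, b++) {
        int ca = fold((unsigned char)*a);
        int cb = fold((unsigned char)*b);
        if (ca != cb || ca == 0)
            return ca - cb;
    }
}

/* Assumed writer-side order: fold to lower case before comparing. */
int cmp_lower(const char *a, const char *b) { return cmp_folded(a, b, tolower); }
/* Assumed reader-side order: fold to upper case before comparing. */
int cmp_upper(const char *a, const char *b) { return cmp_folded(a, b, toupper); }

/* Return the index of the first entry that is out of order under cmp,
 * or -1 if the whole subkey list is sorted under that collation. */
int first_misordered(const char *const *names, size_t n,
                     int (*cmp)(const char *, const char *))
{
    for (size_t i = 1; i < n; i++)
        if (cmp(names[i - 1], names[i]) > 0)
            return (int)i;
    return -1;
}

/* The two key names from this bug, in the order the hivexsh "ls"
 * output on this page lists them. */
const char *const bug_keys[] = {
    "Lovelace(__?GLOBALROOT_Device_HarddiskVolume3)",
    "Lovelace(C:_)",
};

int main(void)
{
    /* After the common prefix "Lovelace(", '_' is compared with 'C'. */
    printf("lower-fold: %d, upper-fold: %d\n",
           first_misordered(bug_keys, 2, cmp_lower),
           first_misordered(bug_keys, 2, cmp_upper));
    return 0;
}
```

A subkey list that is sorted under one fold but not the other is exactly the kind of input where a reader relying on sorted order can fail to find a key that is present in the file.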

Comment 2 YongkuiGuo 2018-11-12 09:54:17 UTC
Reproduced with package:
hivex-1.3.10-6.9.el7

Steps:
1. Download the hivex source code, then copy hivex/images/minimal to hivex-test

2. Edit it using hivexsh:
$ hivexsh -w hivex-test
hivex-test\> add Lovelace(__?GLOBALROOT_Device_HarddiskVolume3)
hivex-test\> add Lovelace(C:_)
hivex-test\> ls
Lovelace(__?GLOBALROOT_Device_HarddiskVolume3)
Lovelace(C:_)
hivex-test\> commit

3. Load the hive into a Windows VM:
# virt-customize -a Win7-32-hvm.raw --upload hivex-test:/hivex-test

4. Boot Windows VM and open the hive in regedit:
Start the program 'regedit' at the bottom left corner, and create a new temporary registry key anywhere in the tree. Then select File -> Import -> File of type *.* -> C:\hivex-test. Only one key appears in Windows ("Lovelace(__?GLOBALROOT_Device_HarddiskVolume3)").

Comment 3 Richard W.M. Jones 2019-05-13 10:11:45 UTC
No more work is planned on hivex after RHEL 7.7.  There is already a bug filed
for this issue in RHEL 8 (bug 1648524).  Therefore I am closing this.