AppCompatCacheParser

Offset and length were out of bounds for the array error

Open: YamatoSecurity opened this issue 10 months ago • 1 comment

I get this error when running:

Replaying log file: xxxxx
There was an error: Offset and length were out of bounds for the array or count is greater than the number of elements from index to the end of the source collection.
System.ArgumentException: Offset and length were out of bounds for the array or count is greater than the number of elements from index to the end of the source collection.
   at System.Buffer.BlockCopy(Array src, Int32 srcOffset, Array dst, Int32 dstOffset, Int32 count)
   at Registry.TransactionLog.UpdateHiveBytes(Byte[] hiveBytes)
   at Registry.RegistryHive.ProcessTransactionLogs(List`1 logFileInfos, Boolean updateExistingData)
   at Registry.RegistryHive.ProcessTransactionLogs(List`1 logFiles, Boolean updateExistingData)
   at AppCompatCache.AppCompatCache..ctor(String filename, Int32 controlSet, Boolean noLogs) in D:\Code\AppCompatCacheParser\AppCompatCache\AppCompatCache.cs:line 277
   at AppCompatCacheParser.Program.DoWork(String f, String csv, String csvf, Int32 c, Boolean t, String dt, Boolean nl, Boolean debug, Boolean trace)

It does work when I specify --nl though:

[07:45:50.818 DBG] Got hive header. Embedded file name SYSTEM. Base Name system
[07:45:50.833 WRN] Registry hive is dirty and transaction logs were found in the same directory, but --nl was provided. Data may be missing! Continuing anyways...
[07:45:50.854 WRN] Sequence numbers do not match! Hive is dirty and the transaction logs should be reviewed for relevant data!
[07:45:51.123 DBG] Initial processing complete. Building tree...
[07:45:51.141 DBG] Found root node! Getting subkeys...
[07:45:51.154 DBG] Created root node object. Getting subkeys.
[07:45:51.625 DBG] Hive processing complete!
[07:45:51.648 DBG] Associating deleted keys and values...
[07:45:51.677 DBG] Building tree of key/subkeys for deleted keys
[07:45:51.691 DBG] Associating top level deleted keys to active Registry keys
[07:45:51.702 DBG] Iterating unreferenced VK records
[07:45:51.716 DBG] Flushing record lists...
[07:45:51.755 DBG] **** Found 1 ids to process
[07:45:51.770 DBG] **** Processing id 1
[07:45:51.780 DBG] **** Looking for AppCompatcache value
[07:45:51.790 DBG] **** Found AppCompatcache value
[07:45:51.852 DBG] **** Signature s , Sig num 0x34
[07:45:51.937 DBG] **** Found 1 caches
[07:45:51.948 INF] Found 321 cache entries for Windows10C_11 in ControlSet001

YamatoSecurity, Apr 12 '24 22:04

Not much you can do but run it with nl

I don't know why that happens sometimes with the offset error.

If you can share the hive and logs I can look

EricZimmerman, Apr 12 '24 22:04