RegistryPlugins icon indicating copy to clipboard operation
RegistryPlugins copied to clipboard
verified publisher icon EricZimmerman

LastVisitedPidlMRU and OpenSavePidlMRU Issue with FTP Share on Windows Store WordPad MSIX

Open reece394 opened this issue 5 months ago • 2 comments

When testing the Windows Store Project Centennial/ Desktop Bridge version of Windows WordPad I was trying surface more registry keys for the DFIRBatch file. Whilst doing this research I mounted an ftp share using ftp://cygwin.mirror.rafal.ca using the Open dialog box, and then proceeded to open the robots.txt file. When opening the resulting User.dat file in Registry Explorer the OpenSavePidlMRU produces the following error:

Errors: Key: *, Value name: 17, message: Index was out of range. Must be non-negative and less than the size of the collection. (Parameter 'startIndex'), Key: txt, Value name: 2, message: Index was out of range. Must be non-negative and less than the size of the collection. (Parameter 'startIndex')

LastVisitedPidlMRU also produces a similar error

Errors: Key: LastVisitedPidlMRU, Value name: 12, message: Index was out of range. Must be non-negative and less than the size of the collection. (Parameter 'startIndex')

Attached is the User.dat file to assist in troubleshooting. I would attempt to fix it myself but currently my knowledge isn't to the level of being able to manually parse these properly yet.

User.zip

reece394 avatar Jul 16 '25 18:07 reece394

Image

There is no issue with the data parsing logic in ShellBag0x61.cs.

The error occurs at the following line:

https://github.com/EricZimmerman/RegistryPlugins/blob/eba8a84a052796d9e70622c9ff2e5abf87b53d71/RegistryPlugin.LastVisitedPidlMRU/ShellItems/ShellBag0x61.cs#L96-L100

dataSize is not used, removing this line resolves the issue.

Image

Applying the same fix to OpenSavePidlMRU could resolve the issue, but the file name appear broken.

Image

https://github.com/EricZimmerman/RegistryPlugins/blob/eba8a84a052796d9e70622c9ff2e5abf87b53d71/RegistryPlugin.OpenSavePidlMRU/OpenSavePidlMRU.cs#L125-L140

Each data block is added to the shellItemsRaw list based on its size. However, it seems that the analysis is being performed with incorrect ShellItems.

hyuunnn avatar Jul 28 '25 08:07 hyuunnn

Thanks for tracing this issue! Interesting that there is a quirk with the ShellItems.

reece394 avatar Aug 09 '25 00:08 reece394