Unable to process SYSTEM hive for Windows 10 18003 Build 17134.1

[mbevilacqua]

[+] Reading binary file: /SYSTEM... [-] Got an unrecognized magic value of 0x66676572... bailing [-] No Shim Cache entries found...

[AliPurdy]

I'm experiencing the a similar error:

[+] Reading registry hive: SYSTEM... [-] Got an unrecognized magic value of 0x34... bailing [-] No Shim Cache entries found...

A commercial tool has read the ShimCache so I know there are entries.

[BirdHacks]

@AliPurdy

Update to the latest version. 0x34 is the magic value for Windows 10 after the Creators update.

[BirdHacks]

@mbevilacqua It looks like you're trying to parse a hive file as a registry file. Try using -i instead of -r.

[mbevilacqua]

definitely parsing a hive as I have no reg export but I retried just in case and it works. Not sure if there was an update in between or I thumbed it while testing but thanks!

[BirdHacks]

@mbevilacqua yw. 0x66676572 are the first four bytes of a hive file (ascii 'regf' in little endian). That's why I think it isn't a registry file. The files from C:\Windows\System32\config* are hive files.

@adavism this can probably be closed.