Shellbags Explorer ...

Shellbags Explorer question

tibbs66
(@tibbs66)
Junior Member

Hi, I've been doing some extensive testing of the Shellbags Explorer tool and have come across an issue, and was wondering if anyone can help. When I did testing with folders on the C drive of a computer I received no error messages; however, now that I've moved to testing folders on USB devices, I'm receiving error messages and not getting any results shown in the tool. What I've done so far in regards to prepping the USB device is wipe and format it. Then I copied a folder from the C drive of the computer to the root of the USB device (D:) using Windows Explorer and the copy/paste method. No shellbags are being created for this folder, at least they aren't showing up in the tool. I am also getting this error message:

'Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0' not found in '\Microsoft\Windows\UsrClass.dat': BagPath: Local Settings\Software\Microsoft\Windows\Shell\BagMRU, Slot #: 0, Raw bytes: 14-00-1F-58-0D-1A-2C-F0-21-BE-50-43-88-B0-73-67-FC-96-EF-3C-00-00, Error message: 'Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0' not found in '\Microsoft\Windows\UsrClass.dat', Stacktrace: at ShellBagsParser.RawRegistryData.LoadRawRegistryData(RegistryHive registry, String bagPath) in D:\Code\ShellBagsExplorer\ShellBags\RawRegistryData.cs:line 95
at ShellBagsParser.RawRegistryData.LoadRawRegistryData(RegistryHive registry, String bagPath) in D:\Code\ShellBagsExplorer\ShellBags\RawRegistryData.cs:line 438

 

Because the error message is showing D: in it, I'm assuming it has something to do with the D drive, but I don't know what it means or how I can fix it. Does anyone have any ideas or thoughts on what is going on and how I can resolve this so that shellbag entries show up for the USB device in the Shellbags Explorer tool?

Topic starter Posted : 24/02/2021 4:48 pm
EricZimmerman
(@ericzimmerman)
Active Member

Hello. I'm the author of that tool.

What version are you using, and can you send me the test hive?

It is much better for you to file an issue on my GitHub page, as I don't regularly check these forums. I only know about it because somebody passed it along to me.

Eric Zimmerman
Posted : 25/02/2021 2:43 am
tibbs66
(@tibbs66)
Junior Member

@ericzimmerman I am using version 1.4.0.0. I run as admin. I use the option Load Active Registry, as when I attempt to load the exported UsrClass.dat file with Load Offline Hive, nothing populates in the tool.
Topic starter Posted : 25/02/2021 1:22 pm
EricZimmerman
(@ericzimmerman)
Active Member

How did you extract the hives from the system? Did you include the logs?

Here is what the issue is:

In BagMRU, there are values 0, 1, 2, 3, 4, 5 and so on.

Under BagMRU, there are SUBKEYS also named the same (or there should be).

In your case, it sees the VALUE of 0, the 14-00-1F-58 stuff, but when it came time to look for the SUBKEY of 0, it was not there.

As to WHY this is the case, I do not know.

Now, with that in mind, if you send me the exported hives and logs I can add support for throwing a warning when this case happens vs. an error.

People will just need to be aware, and I'll make it clear, that ALL shell items under that particular path are also NOT going to be available.
Posted : 25/02/2021 1:26 pm
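The key/value layout Eric describes can be checked directly, which is useful when a hive loads but a branch of the tree is missing. The following is an added example, not code from Shellbags Explorer or from the original posts: it models each BagMRU key as a dictionary of its values and subkeys, walks the tree to report every numeric slot value that has no matching subkey (the condition behind the "not found" error), and decodes the raw slot bytes quoted in the first post as a shell item header (size, type 0x1F root-folder item, the embedded GUID, and the two-byte list terminator). The sample tree is constructed for the example; the optional live loader assumes the user's UsrClass.dat is mounted under HKCU\Software\Classes, which is where Windows maps that hive, and only works on Windows. The function and variable names are my own.

```python
"""Check a BagMRU tree for slot values that have no matching subkey.

Layout, as described in the thread: every BagMRU key carries numeric values
"0", "1", "2", ... whose data is a raw shell item, plus a subkey of the same
name for each value.  A value with no subkey is the failure mode reported
above; nothing beneath that slot can be walked.
"""
import struct
import uuid

# Raw value data quoted verbatim in the first post (22 bytes).
PAGE_RAW_BYTES = bytes.fromhex("14001F580D1A2CF021BE504388B07367FC96EF3C0000")

# Constructed sample tree (not real hive data): the root has values 0 and 1
# but only subkey 1, so slot 0 is orphaned; deeper down, BagMRU\1\0 has a
# value 0 with no subkey 0.  Non-numeric values such as MRUListEx are normal
# and are ignored by the check.
SAMPLE_TREE = {
    "values": {
        "MRUListEx": b"\x00\x00\x00\x00\x01\x00\x00\x00\xff\xff\xff\xff",
        "0": PAGE_RAW_BYTES,
        "1": PAGE_RAW_BYTES,
    },
    "subkeys": {
        "1": {
            "values": {"0": PAGE_RAW_BYTES},
            "subkeys": {
                "0": {"values": {"0": b"\x00\x00"}, "subkeys": {}},
            },
        },
    },
}


def find_orphan_slots(key, path="BagMRU"):
    """Return [(key_path, slot)] for numeric values lacking a same-named subkey."""
    orphans = []
    for name in key["values"]:
        if name.isdigit() and name not in key["subkeys"]:
            orphans.append((path, name))
    for name, sub in key["subkeys"].items():
        orphans.extend(find_orphan_slots(sub, path + "\\" + name))
    return orphans


def parse_root_item(raw):
    """Decode a type-0x1F (root folder) shell item: <size:u16><type><sort><GUID>."""
    size = struct.unpack_from("<H", raw, 0)[0]
    item_type = raw[2]
    if item_type != 0x1F:
        raise ValueError("not a root-folder shell item: type 0x%02X" % item_type)
    sort_index = raw[3]
    guid = uuid.UUID(bytes_le=raw[4:20])  # stored little-endian on disk
    terminator = struct.unpack_from("<H", raw, size)[0]  # 0 ends the item list
    return {"size": size, "type": item_type, "sort_index": sort_index,
            "guid": guid, "terminator": terminator}


def load_live_bagmru():
    """Windows only: snapshot the logged-on user's live BagMRU into the dict model."""
    import winreg  # assumption: running on Windows with HKCU available
    path = r"Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU"

    def walk(hkey):
        n_sub, n_val, _ = winreg.QueryInfoKey(hkey)
        node = {"values": {}, "subkeys": {}}
        for i in range(n_val):
            name, data, _ = winreg.EnumValue(hkey, i)
            node["values"][name] = data
        for i in range(n_sub):
            name = winreg.EnumKey(hkey, i)
            with winreg.OpenKey(hkey, name) as sub:
                node["subkeys"][name] = walk(sub)
        return node

    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as root:
        return walk(root)


if __name__ == "__main__":
    for key_path, slot in find_orphan_slots(SAMPLE_TREE):
        print("value %s under %s has no subkey %s" % (slot, key_path, slot))
    item = parse_root_item(PAGE_RAW_BYTES)
    print("slot 0: size=%d type=0x%02X guid={%s}" % (item["size"], item["type"], item["guid"]))
```

Run it as-is to see the two orphaned slots in the constructed tree; on the affected machine, replace `SAMPLE_TREE` with `load_live_bagmru()` to list every slot the tool would fail on before sending the hive and LOG files off. The GUID decoded from the posted bytes identifies the root folder the slot hangs off; the subkey that should sit under it is what the error says is missing.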
tibbs66
(@tibbs66)
Junior Member

@ericzimmerman OK, I will send you the exported .dat files if that is what you need. Is this correct? Regarding logs, what logs do you need and where can I find them?
Topic starter Posted : 25/02/2021 2:50 pm
EricZimmerman
(@ericzimmerman)
Active Member

I mean the Registry transaction logs.

You can email me the logs and hives at my usual address, or submit the issue here:

Issues · EricZimmerman/Issues (github.com)
Posted : 25/02/2021 2:54 pm
EricZimmerman
(@ericzimmerman)
Active Member

The Registry logs are in the same directory as the hives, with the same name, but ending in LOG1 and LOG2.
Posted : 26/02/2021 7:07 pm
tibbs66
(@tibbs66)
Junior Member

@ericzimmerman I will get those sent to you soon. I've had something come up that needs my full attention first. Sending you the files is on my "to do" list.
Topic starter Posted : 01/03/2021 3:51 pm