Hi, I've been doing some extensive testing of the Shellbags Explorer tool and have come across an issue, and I was wondering if anyone can help. When I did testing with folders on the C drive of a computer I received no error messages; however, now that I've moved to testing folders on USB devices, I'm receiving error messages and no results are shown in the tool. What I've done so far in regards to prepping the USB device is wipe and format it. Then I copied a folder from the C drive of the computer to the root of the USB device (D:) using Windows Explorer and the copy/paste method. No shellbags are being created for this folder, or at least they aren't showing up in the tool. I am also getting this error message:
'Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0' not found in '\Microsoft\Windows\UsrClass.dat': BagPath: Local Settings\Software\Microsoft\Windows\Shell\BagMRU, Slot #: 0, Raw bytes: 14-00-1F-58-0D-1A-2C-F0-21-BE-50-43-88-B0-73-67-FC-96-EF-3C-00-00, Error message: 'Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0' not found in '\Microsoft\Windows\UsrClass.dat', Stacktrace: at ShellBagsParser.RawRegistryData.LoadRawRegistryData(RegistryHive registry, String bagPath) in D:\Code\ShellBagsExplorer\ShellBags\RawRegistryData.cs:line 95
at ShellBagsParser.RawRegistryData.LoadRawRegistryData(RegistryHive registry, String bagPath) in D:\Code\ShellBagsExplorer\ShellBags\RawRegistryData.cs:line 438
Because the error message is showing D: in it, I'm assuming it has something to do with the D drive but I don't know what it means or how I can fix it. Does anyone have any ideas, thoughts on what is going on and how I can resolve this so that shellbag entries show up for the USB device in the Shellbags Explorer tool?
Hello. I'm the author of that tool.

What version are you using, and can you send me the test hive?

It is much better for you to file an issue on my GitHub page, as I don't regularly check these forums. I only know about it because somebody passed it along to me.

Eric Zimmerman
@ericzimmerman I am using version 1.4.0.0. I run as admin. I use the option Load Active Registry, as when I attempt to load the exported UsrClass.dat file with Load Offline Hive, nothing populates in the tool.
How did you extract the hives from the system? Did you include the logs?
Here is what the issue is:
In BagMRU, there are values 0, 1, 2, 3, 4, 5 and so on.
Under BagMRU, there are SUBKEYS also named the same (or there should be).

In your case, it sees the VALUE 0, the 14-00-1F-58 stuff, but when it came time to look for the SUBKEY 0, it was not there.

As to WHY this is the case, I do not know.

Now, with that in mind, if you send me the exported hives and logs I can add support for throwing a warning when this case happens vs. an error.

People will just need to be aware, and I'll make it clear, that ALL shell items under that particular path are also NOT going to be available.
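As an added illustration for readers of this thread (example code written for this page, not ShellBags Explorer's own source): a Python walker over an in-memory model of a BagMRU key that behaves the way Eric describes. For each numbered value it decodes the shell item header, and when the same-named subkey is missing it records a warning for that slot and carries on with the siblings, so only the items beneath that path are lost rather than the whole parse. The sample tree is constructed, not extracted from a real UsrClass.dat; slot 0 reuses the raw bytes quoted in the error message above, which decode to a root folder item (type 0x1F) carrying the CLSID {F02C1A0D-BE21-4350-88B0-7367FC96EF3C}. The small CLSID-to-name table and the `parse_shell_item`/`walk_bagmru` names are this example's own. One side note on the error text itself: the `D:\Code\ShellBagsExplorer\...` path in the stack trace is where the tool's source lived when it was compiled, not the USB drive, so it is unrelated to the D: device under test.

```python
"""Added example (not ShellBags Explorer's code): walk a BagMRU-style tree and
report a numbered value whose matching subkey is missing as a warning, instead
of aborting the whole parse."""
import struct
import uuid

# Well-known shell folder CLSIDs that appear in type 0x1F root items.
# Assumed small lookup for illustration; a real tool carries a much larger table.
KNOWN_CLSIDS = {
    "20D04FE0-3AEA-1069-A2D8-08002B30309D": "My Computer",
    "F02C1A0D-BE21-4350-88B0-7367FC96EF3C": "Network",
}


def parse_shell_item(raw: bytes) -> dict:
    """Decode the header of one shell item (ITEMIDLIST entry).

    Layout: uint16 size, uint8 type, then type-specific data. For a root
    folder item (type 0x1F) the data is a sort-index byte followed by a
    16-byte little-endian GUID. Other types are only summarised here.
    """
    if len(raw) < 3:
        raise ValueError("shell item too short")
    size, item_type = struct.unpack_from("<HB", raw, 0)
    if size > len(raw):
        raise ValueError(f"shell item size {size} exceeds buffer of {len(raw)} bytes")
    info = {"size": size, "type": item_type}
    if item_type == 0x1F and size >= 20:
        info["sort_index"] = raw[3]
        guid = str(uuid.UUID(bytes_le=raw[4:20])).upper()
        info["guid"] = guid
        info["name"] = KNOWN_CLSIDS.get(guid, "<unknown CLSID>")
    return info


def walk_bagmru(key: dict, path: str = "BagMRU", items=None, warnings=None):
    """Visit numbered values, descending into the subkey of the same name.

    `key` is an in-memory model: {"values": {name: bytes}, "subkeys": {name: key}}.
    A value with no matching subkey is recorded as a warning and skipped;
    everything below that slot is unrecoverable, but its siblings still parse.
    Returns (items, warnings) where items is a list of (path, parsed header).
    """
    items = [] if items is None else items
    warnings = [] if warnings is None else warnings
    for slot in sorted((n for n in key["values"] if n.isdigit()), key=int):
        slot_path = f"{path}\\{slot}"
        items.append((slot_path, parse_shell_item(key["values"][slot])))
        child = key["subkeys"].get(slot)
        if child is None:
            warnings.append(f"{slot_path}: value present but subkey missing; "
                            "shell items beneath this path will not be available")
            continue
        walk_bagmru(child, slot_path, items, warnings)
    return items, warnings


# Constructed sample tree (not from a real hive). Slot 0 reuses the raw bytes
# from the error message in this thread; slot 1 is a My Computer root item with
# one volume-style child (type 0x2F) beneath it. Subkey "0" is deliberately
# absent to reproduce the condition the error message reports.
NETWORK_ROOT = bytes.fromhex("14001F580D1A2CF021BE504388B07367FC96EF3C0000")
MYCOMPUTER_ROOT = bytes.fromhex("14001F50E04FD020EA3A6910A2D808002B30309D0000")
VOLUME_CHILD = b"\x0a\x00\x2f\x43" + b"\x00" * 6 + b"\x00\x00"

SAMPLE_BAGMRU = {
    "values": {
        "MRUListEx": b"\x00\x00\x00\x00\x01\x00\x00\x00\xff\xff\xff\xff",
        "0": NETWORK_ROOT,
        "1": MYCOMPUTER_ROOT,
    },
    "subkeys": {
        "1": {
            "values": {"0": VOLUME_CHILD},
            "subkeys": {"0": {"values": {}, "subkeys": {}}},
        },
    },
}

if __name__ == "__main__":
    found, warns = walk_bagmru(SAMPLE_BAGMRU)
    for item_path, header in found:
        print(item_path, header)
    for w in warns:
        print("WARNING:", w)
```

Running it lists BagMRU\0 (decoded as the Network root item), BagMRU\1 and BagMRU\1\0, and one warning for BagMRU\0, which is exactly the slot the error message above complains about. On a live system the same walk could be driven by `winreg` over `HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU`, but this version is kept offline so it runs anywhere.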
@ericzimmerman OK, I will send you exported .dat files if that is what you need. Is this correct? Regarding logs, what logs do you need and where can I find them?
I mean the Registry transaction logs.

You can email me the logs and hives at my usual address, or submit the issue here:

The Registry logs are in the same directory as the hives, with the same name, but ending in LOG1 and LOG2.
@ericzimmerman I will get those sent to you soon. I've had something come up that needs my full attention first. Sending you the files is on my "to do" list.