Exception errors
Closed this issue · 9 comments
- When opening the app, no analysis method is pre-selected
- Selecting an edb & clicking open you get Exception error:
Exception Text:
```
System.IO.IOException: An attempt was made to move the file pointer before the beginning of the file.
   at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
   at System.IO.FileStream.SeekCore(Int64 offset, SeekOrigin origin)
   at System.IO.FileStream.Seek(Int64 offset, SeekOrigin origin)
   at WinSearchDBAnalyzer.EDBParser.Table.parseBranchPage(Int32 pageNumber) in \WinSearchDBAnalyzer\EDBParser\Table.cs:line 190
   at WinSearchDBAnalyzer.EDBParser.Table.parseBranchPage(Int32 pageNumber) in \WinSearchDBAnalyzer\EDBParser\Table.cs:line 196
   at WinSearchDBAnalyzer.EDBParser.Table.init() in \WinSearchDBAnalyzer\EDBParser\Table.cs:line 231
   at WinSearchDBAnalyzer.EDBParser.MSysObjects.makeTables() in \WinSearchDBAnalyzer\EDBParser\MSysObjects.cs:line 68
   at WinSearchDBAnalyzer.EDBParser.EDBParserManager.makeTable() in WinSearchDBAnalyzer\EDBParser\EDBParserManager.cs:line 243
   at WinSearchDBAnalyzer.MainForm.openRecovery(String fileName) in \WinSearchDBAnalyzer\MainForm.cs:line 360
   at WinSearchDBAnalyzer.FormOpen.analyzeFile() in \WinSearchDBAnalyzer\FormOpen.cs:line 218
   at System.Windows.Forms.Control.OnClick(EventArgs e)
   at System.Windows.Forms.Button.OnClick(EventArgs e)
   at System.Windows.Forms.Button.OnMouseUp(MouseEventArgs mevent)
   at System.Windows.Forms.Control.WmMouseUp(Message& m, MouseButtons button, Int32 clicks)
   at System.Windows.Forms.Control.WndProc(Message& m)
   at System.Windows.Forms.ButtonBase.WndProc(Message& m)
   at System.Windows.Forms.Button.WndProc(Message& m)
   at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)
```
- Trying to load a 'live' windows.edb throws Exception error too:
Exception Text:
```
System.ArgumentNullException: Value cannot be null.
Parameter name: ptr
   at System.Runtime.InteropServices.Marshal.GetDelegateForFunctionPointer(IntPtr ptr, Type t)
   at WinSearchDBAnalyzer.FormOpen.extractFileDoWork(Object sender, DoWorkEventArgs e) in \WinSearchDBAnalyzer\FormOpen.cs:line 239
   at System.ComponentModel.BackgroundWorker.OnDoWork(DoWorkEventArgs e)
   at System.ComponentModel.BackgroundWorker.WorkerThreadStart(Object argument)
```
After running with administrator privileges, did you extract the windows.edb file, save it in a local folder, and proceed with analysis?
When looking at the log you sent, it seems that you specified the windows.edb file you are using.
Yes, tried both (live & already extracted). Source is Win10 v2004 if that helps.
@kacos2000 Is the size of the extracted edb file more than 2GB?
Yep (3,5Gb)
oops - closed by mistake
Any ideas what triggers the problem? I have the same issue, the DB is bigger than 2GB, does the size make any difference?
I suspect that the problem is the .NET API limitation on the file stream size > 2Gb.
Workaround in PowerShell was to read the file in chunks instead of in one go.
Nah, the code in the files Table.cs and HexReader.cs uses int values for the offset instead of long values, which is why the maximum allowed file size is 2,147,483,647 bytes. This can be easily fixed by converting the offsets from int to long. Make sure that when calculating the offset, one of the values on the right-hand side is cast to an integer. I have attached the adjusted files and I will try to create a fork of this project that fixes this.
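The 32-bit offset arithmetic described in the last comment, as an added example that is not part of the thread or of the project's code. The `(pageNumber + 1) * PageSize` layout, the 32 KiB page size, the file length and all names are assumptions chosen for illustration.

```csharp
using System;

static class PageOffsetDemo
{
    const int PageSize = 32768; // assumed page size, for illustration only

    // Assumed layout: page N starts at (N + 1) * PageSize (page 0 follows the header).
    // Defective pattern: the product is computed in 32 bits and wraps around
    // before it is widened to long, so large page numbers give a negative offset
    // (or a positive but wrong one that silently points at a different page).
    static long OffsetInt32(int pageNumber) => unchecked((pageNumber + 1) * PageSize);

    // Corrected pattern: widening one operand first makes the whole product 64-bit.
    static long OffsetInt64(int pageNumber) => ((long)pageNumber + 1) * PageSize;

    // Guard for a parser reading untrusted or damaged databases: reject any
    // page whose bytes would not lie entirely inside the file.
    static bool TryGetPageOffset(int pageNumber, long fileLength, out long offset)
    {
        offset = OffsetInt64(pageNumber);
        return pageNumber >= 0 && offset <= fileLength - PageSize;
    }

    static void Main()
    {
        long fileLength = 3_604_545_536; // constructed: a database of about 3.6 GB
        foreach (int page in new[] { 1000, 65534, 65535, 110000, 2_000_000 })
        {
            bool ok = TryGetPageOffset(page, fileLength, out long good);
            Console.WriteLine(
                $"page {page,9}: int={OffsetInt32(page),14} long={good,14} inFile={ok}");
        }
    }
}
```

A negative value from the 32-bit version is what `FileStream.Seek` rejects in the first stack trace; the bounds check also catches page numbers taken from a corrupted branch page.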