It appears that is the case. If you have the hive from disk you could
verify that the data is there, but wasn't accessible from the memory
sample. If it is missing in the registry from disk then that would be
a different story.
All the best,
-gleeda
On Wed, Jun 19, 2013 at 3:22 PM, Brian Keefer <chort(a)effu.se> wrote:
So in this case it comes back with:
Values:
REG_BINARY AppCompatCache : (S)
and that's it. That would indicate that portion of the hive is swapped out?
--
chort
On Jun 19, 2013, at 10:04 AM, Jamie Levy wrote:
The key/data is probably paged out, it happens sometimes. You can
verify if there is anything there by examining the keys manually.
First you should find the CurrentControlSet (or you can look at all of
them if you don't know) and then use printkey (assuming controlset is
ControlSet001):
$ python vol.py -f [sample] --profile=Win7SP1x64 printkey -K
"ControlSet001\Control\Session Manager\AppCompatCache"
Let me know if you find something.
All the best,
-gleeda
On Wed, Jun 19, 2013 at 12:30 PM, Brian Keefer <chort(a)effu.se> wrote:
I look at mostly Win7/64 systems and have always found shimcache data
in memory images before. In the last several weeks only about 50% of
the images I looked at had it. I'm running a 2.3 alpha build from a
month or two ago (have been all this time).
While not strictly a Volatility issue, could someone explain under what circumstances the
data wouldn't be available? I'm not a Windows internals expert (yet, I have part 1
and part 2 on my bookshelf, waiting...)
Thanks!
--
chort
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
--
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
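The thread suggests confirming against the on-disk hive when the AppCompatCache value is paged out of the memory sample. The following is an added example, not code from the thread or from Volatility: it parses the REG_BINARY AppCompatCache value in the Windows 7 / 2008 R2 x64 layout (0xBADC0FEE magic, 0x80-byte header, 0x30-byte entries) once you have pulled the bytes from the hive with any registry tool. The sample blob at the bottom is constructed for the demonstration, and the "executed" flag interpretation (insert-flag bit 0x2) is an assumption taken from common shimcache parsers.

```python
import struct
from datetime import datetime, timedelta, timezone

WIN7_MAGIC = 0xBADC0FEE        # header signature used by Windows 7 / 2008 R2
HEADER_SIZE = 0x80             # entries start right after the 128-byte header
# x64 entry: path length, max length, 4-byte pad, path offset, FILETIME,
# insert flags, shim flags, blob size, blob offset (48 bytes, no alignment)
ENTRY_FMT_X64 = "<HH4xQQIIQQ"
ENTRY_SIZE_X64 = struct.calcsize(ENTRY_FMT_X64)   # 0x30
EXECUTED_FLAG = 0x2            # assumption: bit set when the file was actually run

def filetime_to_utc(ft):
    """Convert a 64-bit Windows FILETIME (100ns ticks since 1601) to aware UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_win7_x64(blob):
    """Return a list of dicts for each cache entry; stops cleanly on a truncated value."""
    if len(blob) < HEADER_SIZE:
        raise ValueError("value too short for a Win7 AppCompatCache header")
    magic, count = struct.unpack_from("<II", blob, 0)
    if magic != WIN7_MAGIC:
        raise ValueError("unexpected magic 0x%08x (not the Win7/2008R2 layout)" % magic)
    entries = []
    for i in range(count):
        off = HEADER_SIZE + i * ENTRY_SIZE_X64
        if off + ENTRY_SIZE_X64 > len(blob):
            break                      # table cut short: do not read past the buffer
        length, _maxlen, path_off, ft, ins_flags, _shim, _bsz, _boff = \
            struct.unpack_from(ENTRY_FMT_X64, blob, off)
        if path_off + length > len(blob):
            break                      # string area missing: treat as truncated
        path = blob[path_off:path_off + length].decode("utf-16-le", "replace")
        entries.append({"path": path,
                        "last_modified": filetime_to_utc(ft),
                        "executed": bool(ins_flags & EXECUTED_FLAG)})
    return entries

def build_sample(items):
    """Construct a test value in the Win7 x64 layout from (path, FILETIME, flags) tuples."""
    header = struct.pack("<II", WIN7_MAGIC, len(items)) + b"\x00" * (HEADER_SIZE - 8)
    strings_start = HEADER_SIZE + len(items) * ENTRY_SIZE_X64
    table, strings = b"", b""
    for path, ft, flags in items:
        raw = path.encode("utf-16-le")
        table += struct.pack(ENTRY_FMT_X64, len(raw), len(raw) + 2,
                             strings_start + len(strings), ft, flags, 0, 0, 0)
        strings += raw + b"\x00\x00"
    return header + table + strings

UNIX_EPOCH_FT = 116444736000000000   # FILETIME for 1970-01-01 00:00:00 UTC
SAMPLE = build_sample([("C:\\Windows\\System32\\calc.exe", UNIX_EPOCH_FT, 0x2),
                       ("C:\\Temp\\tool.exe", UNIX_EPOCH_FT, 0x0)])   # constructed data
```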