Comments (34)
orlikoski
commented on August 25, 2024
Were you running it as administrator?
from cylr.
Lansatac
commented on August 25, 2024
Interesting, Is there anything unusual about the drive you're trying to collect from?
from cylr.
dnides
commented on August 25, 2024
Yes, admin.
from cylr.
dnides
commented on August 25, 2024
Not really. Not sure it matters but i am on a macbook, running bootcamp, booted into x64 win10. and yes running as admin.
from cylr.
Lansatac
commented on August 25, 2024
Does it work if you use --force-native?
from cylr.
dnides
commented on August 25, 2024
C:\Users\test\Downloads>CyLR.exe --force-native
File or folder 'C:\Windows\SchedLgU.Txt' does not exist
Folder 'C:\Windows\System32\config\Journal' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Apps\2.0\RNAP69J0.YO1\XDJWDC0O.PAH\manifests' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Apps\2.0\RNAP69J0.YO1\XDJWDC0O.PAH' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Apps\2.0\RNAP69J0.YO1' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Apps\2.0' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Apps' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\DataSharing' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\IdentityCRL\production\temp' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\IdentityCRL' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Vault' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\0' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\1024' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\CloudAPCache\MicrosoftAccount' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\CloudAPCache' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History' exists but contains no files
Error occured while collecting files:
System.UnauthorizedAccessException: Access to the path 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5' is denied.
at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
at System.IO.FileSystemEnumerableIterator1.CommonInit() at System.IO.FileSystemEnumerableIterator1..ctor(String path, String originalUserPath, String searchPattern, SearchOption searchOption, SearchResultHandler1 resultHandler, Boolean checkHost) at System.IO.DirectoryInfo.InternalGetDirectories(String searchPattern, SearchOption searchOption) at CyLR.read.NativeFileSystem.<GetFilesFromDir>c__Iterator1.MoveNext() at CyLR.read.NativeFileSystem.<GetFilesFromDir>c__Iterator1.MoveNext() at CyLR.read.NativeFileSystem.<GetFilesFromDir>c__Iterator1.MoveNext() at CyLR.read.NativeFileSystem.<GetFilesFromDir>c__Iterator1.MoveNext() at CyLR.read.NativeFileSystem.<GetFilesFromDir>c__Iterator1.MoveNext() at CyLR.read.NativeFileSystem.<GetFilesFromDir>c__Iterator1.MoveNext() at CyLR.read.NativeFileSystem.<GetFilesFromDir>c__Iterator1.MoveNext() at CyLR.read.NativeFileSystem.<GetFilesFromDir>c__Iterator1.MoveNext() at CyLR.read.NativeFileSystem.<GetFilesFromPath>c__Iterator0.MoveNext() at System.Linq.Enumerable.<SelectManyIterator>d__162.MoveNext()
at System.Collections.Generic.List1..ctor(IEnumerable1 collection)
at System.Linq.Enumerable.ToList[TSource](IEnumerable1 source) at CyLR.Program.CreateArchive(Arguments arguments, Stream archiveStream, IEnumerable1 paths)
at CyLR.Program.Main(String[] args)
from cylr.
orlikoski
commented on August 25, 2024
System.UnauthorizedAccessException: Access to the path 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5' is denied.
That is interesting as that shouldn't happen while running in an administrator command shell. Just to confirm, you did something like the following to open an administrator command shell:
from cylr.
orlikoski
commented on August 25, 2024
My questions are not meant to be derogatory, we simply have to rule out all of these things. Lansatac will work with you on this going forward. If it's due to the macbook/bootcamp combo then we'd love your help and feedback in getting it sorted.
Thanks for letting us know!
from cylr.
dnides
commented on August 25, 2024
no worries, yes using admin :-)
from cylr.
StephenHinck
commented on August 25, 2024
I was able to run 1.3.1 from an admin CMD on my MBP in bootcamp with no issues, so likely not MBP/Bootcamp related.
from cylr.
dnides
commented on August 25, 2024
win10 x64? weird
from cylr.
StephenHinck
commented on August 25, 2024
Yes, running Win10x64.
from cylr.
orlikoski
commented on August 25, 2024
Another person tested it and although it failed initially (wasn't running as admin), he did get it to work when running it as admin (not using --force-native).
Their setup is:
Windows 10 V. 1511 Build 10586.753
MacBook Pro model number a1502, 13"
from cylr.
dnides
commented on August 25, 2024
any noticeable differences?
Apple APPLE SSD AP0512 SCSI Disk Device
Disk ID: {DB2D1234-CC91-1234-8553-7C5B23F7FE55}
Type : SCSI
Status : Online
Path : 0
Target : 0
LUN ID : 0
Location Path : PCIROOT(0)#PCI(1C04)#PCI(0000)#SCSI(P00T00L00)
Current Read-only State : No
Read-only : No
Boot Disk : Yes
Pagefile Disk : Yes
Hibernation File Disk : No
Crashdump Disk : Yes
Clustered Disk : No
Volume ### Ltr Label Fs Type Size Status Info
Volume 0 C BOOTCAMP NTFS Partition 421 GB Healthy Boot
Volume 1 EFI FAT32 Partition 300 MB Healthy System
Volume 2 NTFS Partition 348 MB Healthy Hidden
DISKPART> detail volume
Disk ### Status Size Free Dyn Gpt
- Disk 0 Online 465 GB 0 B *
Read-only : No
Hidden : No
No Default Drive Letter: No
Shadow Copy : No
Offline : No
BitLocker Encrypted : Yes
Installable : Yes
Volume Capacity : 421 GB
Volume Free Space : 90 GB
DISKPART>
C:\Users\dnides\Downloads>fsutil fsinfo ntfsinfo c:
NTFS Volume Serial Number : 0x1a102736102717f1
NTFS Version : 3.1
LFS Version : 2.0
Number Sectors : 0x00000000069605ef
Total Clusters : 0x00000000069605ef
Free Clusters : 0x000000000169ed69
Total Reserved : 0x0000000000001420
Bytes Per Sector : 4096
Bytes Per Physical Sector : 4096
Bytes Per Cluster : 4096
Bytes Per FileRecord Segment : 4096
Clusters Per FileRecord Segment : 1
Mft Valid Data Length : 0x0000000053300000
Mft Start Lcn : 0x00000000000c0000
Mft2 Start Lcn : 0x0000000000000002
Mft Zone Start : 0x000000000240bbc0
Mft Zone End : 0x00000000024183e0
Max Device Trim Extent Count : 256
Max Device Trim Byte Count : 0xffffffff
Max Volume Trim Extent Count : 62
Max Volume Trim Byte Count : 0x40000000
Resource Manager Identifier : 22AC220B-1234-11E5-B239-EAAA92FDD4FD
C:\Users\dnides\Downloads>
from cylr.
Lansatac
commented on August 25, 2024
Curious. If you are willing, could you install mono and then download this program (on windows):
https://gist.github.com/Lansatac/06c9be1526065315941cb0b617969b59
Then run:
mcs Program.cs
Program.exe
I'd be curious to see what that outputs.
Does it always fail on the same file?
from cylr.
dnides
commented on August 25, 2024
C:\Program Files (x86)\Mono\bin>"c:\users\dnides\Downloads\Program.exe"
Drive C:
Drive type: Fixed
Volume label: BOOTCAMP
File system: NTFS
C:\Program Files (x86)\Mono\bin>
from cylr.
Lansatac
commented on August 25, 2024
Thanks for your help so far.
I think I'll have some changes for this tomorrow. If they don't fix things, they'll hopefully tell me what the problem is.
from cylr.
dnides
commented on August 25, 2024
any luck?
from cylr.
Lansatac
commented on August 25, 2024
If you could try 1.3.2 for me and let me know what results it gives both in the normal case and with --force-native on, I'd appreciate it.
from cylr.
dnides
commented on August 25, 2024
c:\Users\dnides\Downloads>CyLR.exe
Failed to create a filesystem for drive 'C'
Error occured while collecting files:
System.ArgumentOutOfRangeException: Non-negative number required.
Parameter name: length
at System.Array.Copy(Array sourceArray, Int32 sourceIndex, Array destinationArray, Int32 destinationIndex, Int32 length, Boolean reliable)
at System.Array.Copy(Array sourceArray, Int64 sourceIndex, Array destinationArray, Int64 destinationIndex, Int64 length)
at RawDiskLib.RawDiskStream.Read(Byte[] buffer, Int32 offset, Int32 count)
at DiscUtils.Utilities.ReadFully(Stream stream, Byte[] buffer, Int32 offset, Int32 length)
at DiscUtils.Utilities.ReadFully(Stream stream, Int32 count)
at DiscUtils.Ntfs.NtfsFileSystem..ctor(Stream stream)
at CyLR.read.RawFileSystem.GetSystem(String path)
at CyLR.read.RawFileSystem.c__Iterator0.MoveNext()
at System.Linq.Enumerable.d__162.MoveNext() at System.Collections.Generic.List1..ctor(IEnumerable1 collection) at System.Linq.Enumerable.ToList[TSource](IEnumerable1 source)
at CyLR.Program.CreateArchive(Arguments arguments, Stream archiveStream, IEnumerable`1 paths)
at CyLR.Program.Main(String[] args)
from cylr.
dnides
commented on August 25, 2024
c:\Users\dnides\Downloads>CyLR.exe --force-native
File or folder 'C:\Windows\SchedLgU.Txt' does not exist
Folder 'C:\Windows\System32\config\Journal' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Apps\2.0\RNAP69J0.YO1\XDJWDC0O.PAH\manifests' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Apps\2.0\RNAP69J0.YO1\XDJWDC0O.PAH' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Apps\2.0\RNAP69J0.YO1' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Apps\2.0' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Apps' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\DataSharing' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\IdentityCRL\production\temp' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\IdentityCRL' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Vault' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\0' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\1024' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\CloudAPCache\MicrosoftAccount' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\CloudAPCache' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History' exists but contains no files
Failed to read files in 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5' due to insufficient privilages.
Failed to read files in 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5' due to insufficient privilages.
Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\7KRI0PC9' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\CJP5RECR' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\U40NG8JF' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\YSNSVP27' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PRICache' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Packages\microsoft.windows.fontdrvhost\AC\INetCache' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Packages\microsoft.windows.fontdrvhost\AC\INetCookies' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Packages\microsoft.windows.fontdrvhost\AC\INetHistory' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Packages\microsoft.windows.fontdrvhost\AC\Temp' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Packages\microsoft.windows.fontdrvhost\AC' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Packages\microsoft.windows.fontdrvhost' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Local\Packages' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Local' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\LocalLow' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Vault' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData\Roaming' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile\AppData' exists but contains no files
Folder 'C:\Windows\System32\config\systemprofile' exists but contains no files
File or folder 'C:\Windows\System32\LogFiles\W3SVC1' does not exist
Collecting File: C:\Windows\System32\drivers\etc\hosts
Collecting File: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
Error: The process cannot access the file 'C:\Windows\System32\config\RegBack\DEFAULT' because it is being used by another process.
Collecting File: C:\Windows\System32\config\RegBack\DEFAULT.LOG1
Collecting File: C:\Windows\System32\config\RegBack\DEFAULT.LOG2
Error: The process cannot access the file 'C:\Windows\System32\config\RegBack\SAM' because it is being used by another process.
Collecting File: C:\Windows\System32\config\RegBack\SAM.LOG1
Collecting File: C:\Windows\System32\config\RegBack\SAM.LOG2
Error: The process cannot access the file 'C:\Windows\System32\config\RegBack\SECURITY' because it is being used by another process.
Collecting File: C:\Windows\System32\config\RegBack\SECURITY.LOG1
Collecting File: C:\Windows\System32\config\RegBack\SECURITY.LOG2
Error: The process cannot access the file 'C:\Windows\System32\config\RegBack\SOFTWARE' because it is being used by another process.
Collecting File: C:\Windows\System32\config\RegBack\SOFTWARE.LOG1
Collecting File: C:\Windows\System32\config\RegBack\SOFTWARE.LOG2
Error: The process cannot access the file 'C:\Windows\System32\config\RegBack\SYSTEM' because it is being used by another process.
Collecting File: C:\Windows\System32\config\RegBack\SYSTEM.LOG1
Collecting File: C:\Windows\System32\config\RegBack\SYSTEM.LOG2
Collecting File: C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps\SearchIndexer.exe.3640.dmp
Collecting File: C:\Windows\System32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk
Error: The process cannot access the file 'C:\Windows\System32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log' because it is being used by another process.
Collecting File: C:\Windows\System32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS0000C.log
Collecting File: C:\Windows\System32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs
Collecting File: C:\Windows\System32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs
Error: The process cannot access the file 'C:\Windows\System32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log' because it is being used by another process.
Error: The process cannot access the file 'C:\Windows\System32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat' because it is being used by another process.
Collecting File: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\NGenTask.exe.log
Collecting File: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\taskhostw.exe.log
Error: The process cannot access the file 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\V01.log' because it is being used by another process.
Collecting File: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\V0100010.log
Collecting File: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\V01res00001.jrs
Collecting File: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\V01res00002.jrs
Error: The process cannot access the file 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\V01tmp.log' because it is being used by another process.
Error: The process cannot access the file 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat' because it is being used by another process.
Error: The process cannot access the file 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCacheLock.dat' because it is being used by another process.
Collecting File: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0515FA6D4CD0403D38FE78556C2AFD2D
Collecting File: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0EAC1979C5D21DF9C16B8EDD074B9474
Collecting File: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Collecting File: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7336CDD19CCF55A1BEEA70FD753D6007
Collecting File: C:\Windows\System32\winevt\logs\Microsoft-Windows-GenericRoaming%4Admin.evtx
Error: The process cannot access the file 'C:\Windows\System32\winevt\logs\Microsoft-Windows-GroupPolicy%4Operational.evtx' because it is being used by another process.
Collecting File: C:\Windows\System32\winevt\logs\Microsoft-Windows-Help%4Operational.evtx
Error: The process cannot access the file 'C:\Windows\System32\winevt\logs\Microsoft-Windows-HomeGroup Control Panel%4Operational.evtx' because it is being used by another process.
Collecting File: C:\Windows\System32\winevt\logs\Microsoft-Windows-HomeGroup Listener Service%4Operational.evtx
Collecting File: C:\Windows\System32\winevt\logs\Microsoft-Windows-HomeGroup Provider Service%4Operational.evtx
Error: The process cannot access the file 'C:\Windows\System32\winevt\logs\Microsoft-Windows-HotspotAuth%4Operational.evtx' because it is being used by another process.
Collecting File: C:\Windows\System32\winevt\logs\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx
Collecting File: C:\Windows\System32\winevt\logs\Microsoft-Windows-IdCtrls%4Operational.evtx
Error: The process cannot access the file 'C:\Windows\System32\winevt\logs\Microsoft-Windows-IKE%4Operational.evtx' because it is being used by another process.
Collecting File: C:\Windows\System32\winevt\logs\Microsoft-Windows-International%4Operational.evtx
Collecting File: C:\Windows\System32\winevt\logs\Microsoft-Windows-International-RegionalOptionsControlPanel%4Operational.evtx
Collecting File: C:\Windows\System32\winevt\logs\Microsoft-Windows-Iphlpsvc%4Operational.evtx
Collecting File: C:\Windows\System32\winevt\logs\Microsoft-Windows-KdsSvc%4Operational.evtx
Collecting File: C:\Windows\System32\winevt\logs\Microsoft-Windows-Kernel-ApphelpCache%4Operational.evtx
Error: The process cannot access the file 'C:\Windows\System32\winevt\logs\Microsoft-Windows-Kernel-Boot%4Operational.evtx' because it is being used by another process.
Error: The process cannot access the file 'C:\Windows\System32\winevt\logs\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx' because it is being used by another process.
Collecting File: C:\Windows\System32\winevt\logs\Microsoft-Windows-Kernel-IO%4Operational.evtx
Error: The process cannot access the file 'C:\Windows\System32\winevt\logs\Microsoft-Windows-Kernel-PnP%4Configuration.evtx' because it is being used by another process.
Error: The process cannot access the file 'C:\Windows\System32\winevt\logs\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx' because it is being used by another process.
Error: The process cannot access the file 'C:\Windows\System32\winevt\logs\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx' because it is being used by another process.
Error: The process cannot access the file 'C:\Windows\System32\winevt\logs\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx' because it is being used by another process.
Collecting File: C:\Windows\System32\winevt\logs\Microsoft-Windows-Kernel-WDI%4Operational.evtx
Error: The process cannot access the file 'C:\Windows\System32\winevt\logs\Microsoft-Windows-Kernel-WHEA%4Errors.evtx' because it is being used by another process.
Error: The process cannot access the file 'C:\Windows\System32\winevt\logs\Microsoft-Windows-Kernel-WHEA%4Operational.evtx' because it is being used by another process.
Error: The process cannot access the file 'C:\Windows\System32\winevt\logs\Microsoft-Windows-Known Folders API Service.evtx' because it is being used by another process.
Error: The process cannot access the file 'C:\Windows\System32\winevt\logs\Microsoft-Windows-LanguagePackSetup%4Operational.evtx' because it is being used by another process.
Error: The process cannot access the file 'C:\Windows\System32\winevt\logs\Microsoft-Windows-LiveId%4Operational.evtx' because it is being used by another process.
Collecting File: C:\Windows\System32\winevt\logs\Microsoft-Windows-MemoryDiagnostics-Results%4Debug.evtx
Collecting File: C:\Windows\System32\winevt\logs\Microsoft-Windows-Wired-AutoConfig%4Operational.evtx
Error: The process cannot access the file 'C:\Windows\System32\winevt\logs\Microsoft-Windows-WLAN-AutoConfig%4Operational.evtx' because it is being used by another process.
Error: The process cannot access the file 'C:\Windows\System32\winevt\logs\Microsoft-Windows-WMI-Activity%4Operational.evtx' because it is being used by another process.
Collecting File: C:\Windows\System32\winevt\logs\Microsoft-Windows-WorkFolders%4Operational.evtx
Error: The process cannot access the file 'C:\Windows\System32\winevt\logs\Microsoft-Windows-WorkFolders%4WHC.evtx' because it is being used by another process.
Collecting File: C:\Windows\System32\winevt\logs\Microsoft-Windows-Workplace Join%4Admin.evtx
Collecting File: C:\Windows\System32\winevt\logs\Microsoft-Windows-WPD-ClassInstaller%4Operational.evtx
Collecting File: C:\Windows\System32\winevt\logs\Microsoft-Windows-WPD-CompositeClassDriver%4Operational.evtx
Collecting File: C:\Windows\System32\winevt\logs\Microsoft-Windows-WPD-MTPClassDriver%4Operational.evtx
Collecting File: C:\Windows\System32\winevt\logs\Microsoft-Windows-WWAN-SVC-Events%4Operational.evtx
Error: The process cannot access the file 'C:\Windows\System32\winevt\logs\Microsoft-WindowsPhone-Connectivity-WiFiConnSvc-Channel.evtx' because it is being used by another process.
Collecting File: C:\Windows\System32\winevt\logs\Microsoft-WS-Licensing%4Admin.evtx
Error: The process cannot access the file 'C:\Windows\System32\winevt\logs\OAlerts.evtx' because it is being used by another process.
Error: The process cannot access the file 'C:\Windows\System32\winevt\logs\Security.evtx' because it is being used by another process.
Collecting File: C:\Windows\System32\winevt\logs\Setup.evtx
Collecting File: C:\Windows\System32\winevt\logs\SMSApi.evtx
Error: The process cannot access the file 'C:\Windows\System32\winevt\logs\System.evtx' because it is being used by another process.
Error: The process cannot access the file 'C:\Windows\System32\winevt\logs\Windows PowerShell.evtx' because it is being used by another process.
Collecting File: C:\Windows\Prefetch\ReadyBoot\ReadyBoot.etl
Collecting File: C:\Windows\Prefetch\ACRORD32.EXE-41B0A0C7.pf
Collecting File: C:\Windows\Prefetch\ACRORD32.EXE-41B0A0C8.pf
Collecting File: C:\Windows\Prefetch\ADOBEARM.EXE-813E932C.pf
Collecting File: C:\Windows\Prefetch\AM_DELTA_PATCH_1.235.2586.0.E-6ED8690D.pf
Collecting File: C:\Windows\Prefetch\AM_DELTA_PATCH_1.235.2629.0.E-C1637103.pf
Collecting File: C:\Windows\Prefetch\AM_DELTA_PATCH_1.235.2715.0.E-BE29AAA7.pf
Collecting File: C:\Windows\Prefetch\AM_DELTA_PATCH_1.235.2855.0.E-F0263D40.pf
Collecting File: C:\Windows\Prefetch\AM_DELTA_PATCH_1.235.3027.0.E-A4F36DD8.pf
Collecting File: C:\Windows\Prefetch\AM_DELTA_PATCH_1.235.3101.0.E-C915B6A5.pf
Collecting File: C:\Windows\Prefetch\NGENTASK.EXE-4DB88ADA.pf
Collecting File: C:\Windows\Prefetch\NGENTASK.EXE-CD4E002C.pf
Collecting File: C:\Windows\Prefetch\NOTEPAD++.EXE-E7DBD7BD.pf
Collecting File: C:\Windows\Prefetch\NOTEPAD.EXE-B28CC291.pf
Collecting File: C:\Windows\Prefetch\NOTEPAD.EXE-F0516D55.pf
Collecting File: C:\Windows\Prefetch\WINLOGON.EXE-0D9AB72B.pf
Collecting File: C:\Windows\Prefetch\WINRAR.EXE-E031DE56.pf
Collecting File: C:\Windows\Prefetch\WINWORD.EXE-52205F6D.pf
Collecting File: C:\Windows\Prefetch\WINWORD.EXE-AF921654.pf
Collecting File: C:\Windows\Prefetch\WLANEXT.EXE-AD1A4F51.pf
Collecting File: C:\Windows\Prefetch\WMIADAP.EXE-7D63BB4C.pf
Collecting File: C:\Windows\Prefetch\WMIPRVSE.EXE-BB49B536.pf
Collecting File: C:\Windows\Prefetch\WMPLAYER.EXE-B0AD61F0.pf
Collecting File: C:\Windows\Prefetch\WORDPAD.EXE-505FE0CE.pf
Collecting File: C:\Windows\Prefetch\WUAPIHOST.EXE-6D06E4D6.pf
Collecting File: C:\Windows\Prefetch\WUAUCLT.EXE-4A7CF88B.pf
Collecting File: C:\Windows\Prefetch\WUSA.EXE-883637F2.pf
Collecting File: C:\Windows\Tasks\CreateExplorerShellUnelevatedTask.job
Collecting File: C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-455609181-2581757210-169921877-1001.job
Collecting File: C:\Windows\Tasks\G2MUploadTask-S-1-5-21-455609181-2581757210-169921877-1001.job
Collecting File: C:\Windows\Tasks\SA.DAT
Error: Access to the path 'C:$MFT' is denied.
Extraction complete. 0:00:01.3377992 elapsed
from cylr.
dnides
commented on August 25, 2024
Not sure, I'll have to look into that. If I had to guess I would say yes. Looking at below it is referenced in volume 2 but not zero where windows is installed. That said I think I read somewhere that native efi is default for windows on this hardware. You have any suggestions on ho to confirm?
Volume 0 C BOOTCAMP NTFS Partition 421 GB Healthy Boot
Volume 1 EFI FAT32 Partition 300 MB Healthy System
Volume 2 NTFS Partition 348 MB Healthy Hidden
…Sent from my iPhone
On Feb 21, 2017, at 9:31 PM, Jason Yegge ***@***.***> wrote:
Are you booting using EFI by any chance? If so, can you try it without?
—
You are receiving this because you modified the open/close state.
Reply to this email directly, view it on GitHub, or mute the thread.
from cylr.
Lansatac
commented on August 25, 2024
Well, that's weird. Without a local repro I'm going to have difficulty doing much more.
We might try contacting the author of RawDiskLib, as that's the library that is having the non-native error.
I'm not sure why you would get errors like this one "Failed to read files in 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5' due to insufficient privilages." as an administrator. There may be something odd about the permissions on that folder.
from cylr.
dnides
commented on August 25, 2024
whats the difference between the normal and native export options? yes we
should ask the RawDiskLib author whats up.
also curious why did you ask about EFI?
…On Wed, Feb 22, 2017 at 8:50 AM, Jason Yegge ***@***.***> wrote:
Well, that's weird. Without a local repro I'm going to have difficulty
doing much more.
We might try contacting the author of RawDiskLib, as that's the library
that is having the non-native error.
I'm not sure why you would get errors like this one "Failed to read files
in 'C:\Windows\System32\config\systemprofile\AppData\Local\
Microsoft\Windows\INetCache\Content.IE5' due to insufficient privilages."
as an administrator. There may be something odd about the permissions on
that folder.
—
You are receiving this because you modified the open/close state.
Reply to this email directly, view it on GitHub
<#50 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AB2aZ3dp6IVUM7QJMx757vsdthWasHkvks5rfEsigaJpZM4MEs3p>
.
from cylr.
Lansatac
commented on August 25, 2024
The normal path uses RawDiskLib to do raw disk reads, bypassing the OS. Native utilizes the OS level calls to access the files.
Using the OS calls results in all of the "it is being used by another process." errors because Windows has locked the files, but the Raw reads bypass those locks.
I asked about EFI because it's a FAT32 partition. The system currently only supports NTFS drives. I don't know enough about how bootcamp and EFI work under the hood to know if that's somehow related to the RawDiskLib error, but it's the only thing that stands out to me at the moment.
from cylr.
dnides
commented on August 25, 2024
Thanks, the native vs rawdisklib makes perfect sense. Hence for various
reasons, like the one you mentioned, I would expect the native not to work
on all files and see errors. Hopefully we can get to the bottom of the
RawDiskLib issue.
…On Wed, Feb 22, 2017 at 10:22 AM, Jason Yegge ***@***.***> wrote:
The normal path uses RawDiskLib to do raw disk reads, bypassing the OS.
Native utilizes the OS level calls to access the files.
Using the OS calls results in all of the "it is being used by another
process." errors because Windows has locked the files, but the Raw reads
bypass those locks.
I asked about EFI because it's a FAT32 partition. The system currently
only supports NTFS drives. I don't know enough about how bootcamp and EFI
work under the hood to know if that's somehow related to the RawDiskLib
error, but it's the only thing that stands out to me at the moment.
—
You are receiving this because you modified the open/close state.
Reply to this email directly, view it on GitHub
<#50 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AB2aZ3TOeCPr_CpxhX5sdShBmaYiOkSPks5rfGDOgaJpZM4MEs3p>
.
from cylr.
Lansatac
commented on August 25, 2024
Do you have any experience with C# development? We'd love to see exactly what those variables are when it fails, but we'd need it running in the IDE to see.
from cylr.
dnides
commented on August 25, 2024
If you outline the steps high level I can have one of my colleagues assist that is more familiar then me. I only know Python guy :-/
…Sent from my iPhone
On Feb 22, 2017, at 3:09 PM, Jason Yegge ***@***.***> wrote:
Do you have any experience with C# development? We'd love to see exactly what those variables are when it fails, but we'd need it running in the IDE to see.
—
You are receiving this because you modified the open/close state.
Reply to this email directly, view it on GitHub, or mute the thread.
from cylr.
dnides
commented on August 25, 2024
Did you ever make any progress on this? I am at the sans summit.
from cylr.
Lansatac
commented on August 25, 2024
I'd narrowed it down to a few possibilities and I was trying to find a repro case before life intervened. I'll see if I can't make progress on this soon.
from cylr.
Lansatac
commented on August 25, 2024
OK, I've finally managed to get some time for digging into this further. I've created a branch at https://github.com/Lansatac/CyLR/tree/investigation/issue50 that will hopefully give us some more information. If you could run this version of the utility I've built, I hope it will fail with some more definitive information.
CyLR.zip
from cylr.
Lansatac
commented on August 25, 2024
@dnides, any chance you could spare some time to try this out for us? We'd love to get this solved for you!
from cylr.
dnides
commented on August 25, 2024
Using latest version
C:\Users\dnides\Documents\Release\Beta>CyLR.exe
Failed to create a filesystem for drive 'C'
Error occured while collecting files:
System.ArgumentOutOfRangeException: Non-negative number required.
Parameter name: length
at System.Array.Copy(Array sourceArray, Int32 sourceIndex, Array destinationArray, Int32 destinationIndex, Int32 length, Boolean reliable)
at RawDiskLib.RawDiskStream.Read(Byte[] buffer, Int32 offset, Int32 count)
at DiscUtils.Utilities.ReadFully(Stream stream, Byte[] buffer, Int32 offset, Int32 length)
at DiscUtils.Utilities.ReadFully(Stream stream, Int32 count)
at DiscUtils.Ntfs.NtfsFileSystem..ctor(Stream stream)
at CyLR.read.RawFileSystem.GetSystem(String path)
at CyLR.read.RawFileSystem.d__1.MoveNext()
at System.Linq.Enumerable.d__162.MoveNext() at System.Collections.Generic.List1..ctor(IEnumerable1 collection) at System.Linq.Enumerable.ToList[TSource](IEnumerable1 source)
at CyLR.Program.CreateArchive(Arguments arguments, Stream archiveStream, IEnumerable`1 paths)
at CyLR.Program.Main(String[] args)
from cylr.
annabelsandford
commented on August 25, 2024
This has never been fixed, right?
from cylr.
Related Issues (20)
- Publishing the App for Mac and Linux HOT 3
- Cylr on Windows Server 2003 HOT 1
- Executing Cylr on Windows 2008 and Windows 8 HOT 1
- FR - Ability to run CyLR Remotely HOT 1
- No CyLR.exe upon download HOT 1
- Possibilities to include memory acquisition features? HOT 2
- Version 3.0.0.0??? HOT 2
- Problem of collecting some folders due to a permissions issue HOT 3
- Drive letter choices HOT 3
- Scanning of unwanted paths HOT 2
- SFTP transfer issues
- Collecting forensic evidence
- CyLR Collecting Issue
- Possibilities to output collection to bodyfile instead of zip HOT 1
- [Windows] Add support for "C:\Windows\Installer\" path
- Mac: Unable to enumerate and Access is denied error (despite enabling full disk access) HOT 6
- Mac acquisition: missing some key directories and information
- Exception in windows 10 if users left in ProfileList
- Sending Files via HTTP insted of SFTP
- Tar Extract
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from cylr.