From 1ad0e719b9ea4162b768129b055ffb1bc8595531 Mon Sep 17 00:00:00 2001
From: Matthieu Gras
Date: Fri, 13 Sep 2024 01:21:09 +0200
Subject: [PATCH] Support for multi-values and large pages
---
fixtures/WindowsEdb.golden | 40 +++---
fixtures/ntds.dit.golden | 6 +-
go.mod | 18 ++-
parser/catalog.go | 278 ++++++++++++++++++++++++++-----------
parser/compression.go | 74 +++++-----
parser/context.go | 26 ++++
parser/ese_gen.go | 57 ++++----
parser/ese_profile.json | 11 +-
parser/utils.go | 6 +
9 files changed, 329 insertions(+), 187 deletions(-)
diff --git a/fixtures/WindowsEdb.golden b/fixtures/WindowsEdb.golden
index 939715a..cc7bb81 100644
--- a/fixtures/WindowsEdb.golden
+++ b/fixtures/WindowsEdb.golden
@@ -1,13 +1,13 @@ -{"ScopeID":5,"DocumentID":2,"SDID":7,"LastModified":"Adg0nLMPLig=","TransactionFlags":-2143286922,"TransactionExtendedFlags":707406378,"CrawlNumberCrawled":6,"StartAddressIdentifier":1,"Priority":30,"FileName":"Users","CalculatedPropertyFlags":1245184} -{"ScopeID":8,"DocumentID":1,"SDID":63,"LastModified":"Adg0nLM6HXM=","TransactionFlags":-2143286922,"TransactionExtendedFlags":707406378,"CrawlNumberCrawled":6,"StartAddressIdentifier":0,"Priority":30,"FileName":"Start Menu","CalculatedPropertyFlags":1245184} -{"ScopeID":9,"DocumentID":3,"SDID":90,"LastModified":"Adg0nLM3uco=","TransactionFlags":-1879015067,"TransactionExtendedFlags":707406378,"CrawlNumberCrawled":6,"StartAddressIdentifier":0,"Priority":44,"FileName":"desktop.ini","CalculatedPropertyFlags":1245184} -{"ScopeID":9,"DocumentID":4,"SDID":1,"LastModified":"Adg0t/WR0Ts=","TransactionFlags":-2143286922,"TransactionExtendedFlags":707406378,"CrawlNumberCrawled":6,"StartAddressIdentifier":0,"Priority":30,"FileName":"Programs","CalculatedPropertyFlags":1245184} -{"ScopeID":10,"DocumentID":594,"SDID":817,"LastModified":"Adg0t/N1Nv0=","TransactionFlags":-2143286922,"TransactionExtendedFlags":707406378,"CrawlNumberCrawled":6,"StartAddressIdentifier":0,"Priority":30,"FileName":"7-Zip","CalculatedPropertyFlags":1245184} -{"ScopeID":10,"DocumentID":5,"SDID":1,"LastModified":"Adg0nLM3ub0=","TransactionFlags":-2143286922,"TransactionExtendedFlags":707406378,"CrawlNumberCrawled":6,"StartAddressIdentifier":0,"Priority":30,"FileName":"Accessibility","CalculatedPropertyFlags":1245184} -{"ScopeID":10,"DocumentID":6,"SDID":1,"LastModified":"Adg0nLM3ub0=","TransactionFlags":-2143286922,"TransactionExtendedFlags":707406378,"CrawlNumberCrawled":6,"StartAddressIdentifier":0,"Priority":30,"FileName":"Accessories","CalculatedPropertyFlags":1245184} 
-{"ScopeID":10,"DocumentID":7,"SDID":1,"LastModified":"Adg0nLM6HXM=","TransactionFlags":-2143286922,"TransactionExtendedFlags":707406378,"CrawlNumberCrawled":6,"StartAddressIdentifier":0,"Priority":30,"FileName":"Administrative Tools","CalculatedPropertyFlags":1245184} -{"ScopeID":10,"DocumentID":8,"SDID":90,"LastModified":"Adg0nLM6HYA=","TransactionFlags":-1878949531,"TransactionExtendedFlags":707406378,"CrawlNumberCrawled":6,"StartAddressIdentifier":0,"Priority":44,"FileName":"desktop.ini","CalculatedPropertyFlags":1245184} -{"ScopeID":10,"DocumentID":604,"SDID":828,"LastModified":"Adg0t/TI2Po=","TransactionFlags":-1878949531,"TransactionExtendedFlags":707406378,"CrawlNumberCrawled":6,"StartAddressIdentifier":0,"Priority":38,"FileName":"Everything.lnk","RunTime":1915904,"LastRequestedRunTime":692480,"CalculatedPropertyFlags":1114112} +{"ScopeID":5,"DocumentID":2,"SDID":7,"LastModified":"Adg0nLMPLig=","TransactionFlags":-2143286922,"TransactionExtendedFlags":707406378,"CrawlNumberCrawled":6,"StartAddressIdentifier":1,"Priority":30,"FileName":"Users","CalculatedPropertyFlags":4864} +{"ScopeID":8,"DocumentID":1,"SDID":63,"LastModified":"Adg0nLM6HXM=","TransactionFlags":-2143286922,"TransactionExtendedFlags":707406378,"CrawlNumberCrawled":6,"StartAddressIdentifier":0,"Priority":30,"FileName":"Start Menu","CalculatedPropertyFlags":4864} +{"ScopeID":9,"DocumentID":3,"SDID":90,"LastModified":"Adg0nLM3uco=","TransactionFlags":-1879015067,"TransactionExtendedFlags":707406378,"CrawlNumberCrawled":6,"StartAddressIdentifier":0,"Priority":44,"FileName":"desktop.ini","CalculatedPropertyFlags":4864} +{"ScopeID":9,"DocumentID":4,"SDID":1,"LastModified":"Adg0t/WR0Ts=","TransactionFlags":-2143286922,"TransactionExtendedFlags":707406378,"CrawlNumberCrawled":6,"StartAddressIdentifier":0,"Priority":30,"FileName":"Programs","CalculatedPropertyFlags":4864} 
+{"ScopeID":10,"DocumentID":594,"SDID":817,"LastModified":"Adg0t/N1Nv0=","TransactionFlags":-2143286922,"TransactionExtendedFlags":707406378,"CrawlNumberCrawled":6,"StartAddressIdentifier":0,"Priority":30,"FileName":"7-Zip","CalculatedPropertyFlags":4864} +{"ScopeID":10,"DocumentID":5,"SDID":1,"LastModified":"Adg0nLM3ub0=","TransactionFlags":-2143286922,"TransactionExtendedFlags":707406378,"CrawlNumberCrawled":6,"StartAddressIdentifier":0,"Priority":30,"FileName":"Accessibility","CalculatedPropertyFlags":4864} +{"ScopeID":10,"DocumentID":6,"SDID":1,"LastModified":"Adg0nLM3ub0=","TransactionFlags":-2143286922,"TransactionExtendedFlags":707406378,"CrawlNumberCrawled":6,"StartAddressIdentifier":0,"Priority":30,"FileName":"Accessories","CalculatedPropertyFlags":4864} +{"ScopeID":10,"DocumentID":7,"SDID":1,"LastModified":"Adg0nLM6HXM=","TransactionFlags":-2143286922,"TransactionExtendedFlags":707406378,"CrawlNumberCrawled":6,"StartAddressIdentifier":0,"Priority":30,"FileName":"Administrative Tools","CalculatedPropertyFlags":4864} +{"ScopeID":10,"DocumentID":8,"SDID":90,"LastModified":"Adg0nLM6HYA=","TransactionFlags":-1878949531,"TransactionExtendedFlags":707406378,"CrawlNumberCrawled":6,"StartAddressIdentifier":0,"Priority":44,"FileName":"desktop.ini","CalculatedPropertyFlags":4864} +{"ScopeID":10,"DocumentID":604,"SDID":828,"LastModified":"Adg0t/TI2Po=","TransactionFlags":-1878949531,"TransactionExtendedFlags":707406378,"CrawlNumberCrawled":6,"StartAddressIdentifier":0,"Priority":38,"FileName":"Everything.lnk","RunTime":7484,"LastRequestedRunTime":2705,"CalculatedPropertyFlags":4352} {"Scope":2,"Parent":1,"Name":"file:"} {"Scope":3,"Parent":2,"Name":"C:"} {"Scope":4,"Parent":3,"Name":"/"} 
@@ -18,13 +18,13 @@ {"Scope":9,"Parent":8,"Name":"Start Menu/"} {"Scope":10,"Parent":9,"Name":"Programs/"} {"Scope":11,"Parent":10,"Name":"Windows PowerShell/"} -{"WorkID":1,"27F-System_Search_Rank":707406378,"4631F-System_Search_GatherTime":"mf6Lg8M02AE=","13F-System_Size":"KioqKioqKio=","14F-System_FileAttributes":8209,"15F-System_DateModified":"qIqyyd6s1QE=","16F-System_DateCreated":"OwVnyN6s1QE=","17F-System_DateAccessed":"mf6Lg8M02AE=","0F-InvertedOnlyMD5":"FDSYOylCiDiD1Qq+R+1dGQ==","4434-System_IsFolder":false,"4397-System_FilePlaceholderStatus":1536,"4624-System_Search_AccessCount":0,"4440-System_ItemFolderPathDisplay":"C:\\ProgramData\\Microsoft\\Windows","4447-System_ItemPathDisplay":"C:\\ProgramData\\Microsoft\\Windows\\Start Menu","4633-System_Search_LastIndexedTotalTime":0,"33-System_ItemUrl":"file:C:/ProgramData/Microsoft/Windows/Start Menu","4365-System_DateImported":"00007b76c9deacd501","4429-System_IsAttachment":false,"4431-System_IsEncrypted":false,"4438-System_ItemDate":"00007b76c9deacd501","4456-System_Kind":"0166006f006c00640065007200","4678-System_ThumbnailCacheId":"005d50e0046f5791ae","4637-System_Search_Store":"file","3-System_ItemFolderNameDisplay":"Windows","5-System_ItemTypeText":"File folder","4443-System_ItemNameDisplay":"Start Menu","4371-System_Document_DateCreated":"00007b76c9deacd501","4373-System_Document_DateSaved":"00a88ab2c9deacd501","4442-System_ItemName":"Start Menu","4457-System_KindText":"Folder","4441-System_ItemFolderPathDisplayNarrow":"Windows (C:\\ProgramData\\Microsoft)","4444-System_ItemNameDisplayWithoutExtension":"Start Menu","4403-System_FolderNameDisplay":"Start Menu","4448-System_ItemPathDisplayNarrow":"Start Menu (C:\\ProgramData\\Microsoft\\Windows)","4450-System_ItemType":"Directory","11-System_FileName":"Start Menu","4565-System_ParsingName":"Start Menu","4623-System_SFGAOFlags":2147581696,"0-InvertedOnlyPids":"0128126512"} 
-{"WorkID":2,"27F-System_Search_Rank":707406378,"4631F-System_Search_GatherTime":"aMHDgsM02AE=","13F-System_Size":"KioqKioqKio=","14F-System_FileAttributes":17,"15F-System_DateModified":"Jy4Ps5w02AE=","16F-System_DateCreated":"NupuOt2s1QE=","17F-System_DateAccessed":"fBTfYMM02AE=","0F-InvertedOnlyMD5":"ypd+qi9AePG3aH7GAt4pOg==","4434-System_IsFolder":false,"4397-System_FilePlaceholderStatus":1536,"4624-System_Search_AccessCount":0,"4440-System_ItemFolderPathDisplay":"C:\\","4447-System_ItemPathDisplay":"C:\\Users","4633-System_Search_LastIndexedTotalTime":0,"33-System_ItemUrl":"file:C:/Users","4365-System_DateImported":"0000c54d3bddacd501","4429-System_IsAttachment":false,"4431-System_IsEncrypted":false,"4438-System_ItemDate":"0000c54d3bddacd501","4456-System_Kind":"0166006f006c00640065007200","4678-System_ThumbnailCacheId":"00127d8401f8de1365","4637-System_Search_Store":"file","5-System_ItemTypeText":"File folder","4443-System_ItemNameDisplay":"Users","4371-System_Document_DateCreated":"0000c54d3bddacd501","4373-System_Document_DateSaved":"00272e0fb39c34d801","4442-System_ItemName":"Users","4457-System_KindText":"Folder","4441-System_ItemFolderPathDisplayNarrow":"C:\\","4444-System_ItemNameDisplayWithoutExtension":"Users","4403-System_FolderNameDisplay":"Users","4448-System_ItemPathDisplayNarrow":"Users (C:)","4450-System_ItemType":"Directory","11-System_FileName":"Users","4565-System_ParsingName":"Users","4623-System_SFGAOFlags":2147577600,"0-InvertedOnlyPids":"0128126512"} 
-{"WorkID":3,"27F-System_Search_Rank":707406378,"4631F-System_Search_GatherTime":"QEtVtJw02AE=","13F-System_Size":"rgAAAAAAAAA=","14F-System_FileAttributes":38,"15F-System_DateModified":"hR42e96s1QE=","16F-System_DateCreated":"qIqyyd6s1QE=","17F-System_DateAccessed":"VC+qs5w02AE=","0F-InvertedOnlyMD5":"XMWOf3f2TkH5lHqZGUodMA==","4434-System_IsFolder":false,"4397-System_FilePlaceholderStatus":1536,"4624-System_Search_AccessCount":0,"4440-System_ItemFolderPathDisplay":"C:\\ProgramData\\Microsoft\\Windows\\Start Menu","4447-System_ItemPathDisplay":"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\desktop.ini","4633-System_Search_LastIndexedTotalTime":0,"33-System_ItemUrl":"file:C:/ProgramData/Microsoft/Windows/Start Menu/desktop.ini","4365-System_DateImported":"00851e367bdeacd501","4429-System_IsAttachment":false,"4431-System_IsEncrypted":false,"4438-System_ItemDate":"00851e367bdeacd501","4678-System_ThumbnailCacheId":"00acb038f43a56d02d","4637-System_Search_Store":"file","3-System_ItemFolderNameDisplay":"Start Menu","5-System_ItemTypeText":"Configuration settings","4443-System_ItemNameDisplay":"desktop.ini","4392-System_FileExtension":".ini","4371-System_Document_DateCreated":"00851e367bdeacd501","4373-System_Document_DateSaved":"00851e367bdeacd501","4442-System_ItemName":"desktop.ini","4441-System_ItemFolderPathDisplayNarrow":"Start Menu (C:\\ProgramData\\Microsoft\\Windows)","4444-System_ItemNameDisplayWithoutExtension":"desktop","4448-System_ItemPathDisplayNarrow":"desktop (C:\\ProgramData\\Microsoft\\Windows\\Start Menu)","4450-System_ItemType":".ini","11-System_FileName":"desktop.ini","4565-System_ParsingName":"desktop.ini","4623-System_SFGAOFlags":1485928192,"0-InvertedOnlyPids":"0128126512"} 
-{"WorkID":4,"27F-System_Search_Rank":707406378,"4631F-System_Search_GatherTime":"mf6Lg8M02AE=","13F-System_Size":"KioqKioqKio=","14F-System_FileAttributes":8209,"15F-System_DateModified":"OtGR9bc02AE=","16F-System_DateCreated":"OwVnyN6s1QE=","17F-System_DateAccessed":"mf6Lg8M02AE=","0F-InvertedOnlyMD5":"yxF0v7m0HrxDNMrCEdGpdw==","4434-System_IsFolder":false,"4397-System_FilePlaceholderStatus":1536,"4624-System_Search_AccessCount":0,"4440-System_ItemFolderPathDisplay":"C:\\ProgramData\\Microsoft\\Windows\\Start Menu","4447-System_ItemPathDisplay":"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs","4633-System_Search_LastIndexedTotalTime":0,"33-System_ItemUrl":"file:C:/ProgramData/Microsoft/Windows/Start Menu/Programs","4365-System_DateImported":"00007b76c9deacd501","4429-System_IsAttachment":false,"4431-System_IsEncrypted":false,"4438-System_ItemDate":"00007b76c9deacd501","4456-System_Kind":"0166006f006c00640065007200","4678-System_ThumbnailCacheId":"0054419e5fa362c41b","4637-System_Search_Store":"file","3-System_ItemFolderNameDisplay":"Start Menu","5-System_ItemTypeText":"File folder","4443-System_ItemNameDisplay":"Programs","4371-System_Document_DateCreated":"00007b76c9deacd501","4373-System_Document_DateSaved":"003ad191f5b734d801","4442-System_ItemName":"Programs","4457-System_KindText":"Folder","4441-System_ItemFolderPathDisplayNarrow":"Start Menu (C:\\ProgramData\\Microsoft\\Windows)","4444-System_ItemNameDisplayWithoutExtension":"Programs","4403-System_FolderNameDisplay":"Programs","4448-System_ItemPathDisplayNarrow":"Programs (C:\\ProgramData\\Microsoft\\Windows\\Start Menu)","4450-System_ItemType":"Directory","11-System_FileName":"Programs","4565-System_ParsingName":"Programs","4623-System_SFGAOFlags":2147581696,"0-InvertedOnlyPids":"0128126512"} 
-{"WorkID":5,"27F-System_Search_Rank":707406378,"4631F-System_Search_GatherTime":"mf6Lg8M02AE=","13F-System_Size":"KioqKioqKio=","14F-System_FileAttributes":17,"15F-System_DateModified":"wSd+fZYZ2AE=","16F-System_DateCreated":"OwVnyN6s1QE=","17F-System_DateAccessed":"6DwqYMM02AE=","0F-InvertedOnlyMD5":"H3selZLYBm1zEZC5QwELHQ==","4434-System_IsFolder":false,"4397-System_FilePlaceholderStatus":1536,"4624-System_Search_AccessCount":0,"4440-System_ItemFolderPathDisplay":"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs","4447-System_ItemPathDisplay":"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Windows Ease of Access","4633-System_Search_LastIndexedTotalTime":0,"33-System_ItemUrl":"file:C:/ProgramData/Microsoft/Windows/Start Menu/Programs/Accessibility","4365-System_DateImported":"00007b76c9deacd501","4429-System_IsAttachment":false,"4431-System_IsEncrypted":false,"4438-System_ItemDate":"00007b76c9deacd501","4456-System_Kind":"0166006f006c00640065007200","4678-System_ThumbnailCacheId":"00bc904acd85f6e765","4637-System_Search_Store":"file","3-System_ItemFolderNameDisplay":"Programs","5-System_ItemTypeText":"File folder","4443-System_ItemNameDisplay":"Windows Ease of Access","4371-System_Document_DateCreated":"00007b76c9deacd501","4373-System_Document_DateSaved":"00c1277e7d9619d801","4442-System_ItemName":"Windows Ease of Access","4457-System_KindText":"Folder","4441-System_ItemFolderPathDisplayNarrow":"Programs (C:\\ProgramData\\Microsoft\\Windows\\Start Menu)","4444-System_ItemNameDisplayWithoutExtension":"Windows Ease of Access","4403-System_FolderNameDisplay":"Windows Ease of Access","4448-System_ItemPathDisplayNarrow":"Windows Ease of Access (C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs)","4450-System_ItemType":"Directory","11-System_FileName":"Accessibility","4565-System_ParsingName":"Accessibility","4623-System_SFGAOFlags":2147581696,"0-InvertedOnlyPids":"0128126512"} 
-{"WorkID":6,"27F-System_Search_Rank":707406378,"4631F-System_Search_GatherTime":"mf6Lg8M02AE=","13F-System_Size":"KioqKioqKio=","14F-System_FileAttributes":17,"15F-System_DateModified":"wSd+fZYZ2AE=","16F-System_DateCreated":"OwVnyN6s1QE=","17F-System_DateAccessed":"uY2Jg8M02AE=","0F-InvertedOnlyMD5":"AD7FjIHjAaZX/H/BKimYbA==","4434-System_IsFolder":false,"4397-System_FilePlaceholderStatus":1536,"4624-System_Search_AccessCount":0,"4440-System_ItemFolderPathDisplay":"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs","4447-System_ItemPathDisplay":"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Windows Accessories","4633-System_Search_LastIndexedTotalTime":0,"33-System_ItemUrl":"file:C:/ProgramData/Microsoft/Windows/Start Menu/Programs/Accessories","4365-System_DateImported":"00007b76c9deacd501","4429-System_IsAttachment":false,"4431-System_IsEncrypted":false,"4438-System_ItemDate":"00007b76c9deacd501","4456-System_Kind":"0166006f006c00640065007200","4678-System_ThumbnailCacheId":"00b24761032a3aceed","4637-System_Search_Store":"file","3-System_ItemFolderNameDisplay":"Programs","5-System_ItemTypeText":"File folder","4443-System_ItemNameDisplay":"Windows Accessories","4371-System_Document_DateCreated":"00007b76c9deacd501","4373-System_Document_DateSaved":"00c1277e7d9619d801","4442-System_ItemName":"Windows Accessories","4457-System_KindText":"Folder","4441-System_ItemFolderPathDisplayNarrow":"Programs (C:\\ProgramData\\Microsoft\\Windows\\Start Menu)","4444-System_ItemNameDisplayWithoutExtension":"Windows Accessories","4403-System_FolderNameDisplay":"Windows Accessories","4448-System_ItemPathDisplayNarrow":"Windows Accessories (C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs)","4450-System_ItemType":"Directory","11-System_FileName":"Accessories","4565-System_ParsingName":"Accessories","4623-System_SFGAOFlags":2147581696,"0-InvertedOnlyPids":"0128126512"} 
-{"WorkID":7,"27F-System_Search_Rank":707406378,"4631F-System_Search_GatherTime":"mf6Lg8M02AE=","13F-System_Size":"KioqKioqKio=","14F-System_FileAttributes":8209,"15F-System_DateModified":"wSd+fZYZ2AE=","16F-System_DateCreated":"OwVnyN6s1QE=","17F-System_DateAccessed":"6DwqYMM02AE=","0F-InvertedOnlyMD5":"eGtgwBZlaRIhzGXUG0RuDA==","4434-System_IsFolder":false,"4397-System_FilePlaceholderStatus":1536,"4624-System_Search_AccessCount":0,"4440-System_ItemFolderPathDisplay":"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs","4447-System_ItemPathDisplay":"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Windows Administrative Tools","4633-System_Search_LastIndexedTotalTime":0,"33-System_ItemUrl":"file:C:/ProgramData/Microsoft/Windows/Start Menu/Programs/Administrative Tools","4365-System_DateImported":"00007b76c9deacd501","4429-System_IsAttachment":false,"4431-System_IsEncrypted":false,"4438-System_ItemDate":"00007b76c9deacd501","4456-System_Kind":"0166006f006c00640065007200","4678-System_ThumbnailCacheId":"0017ac7b179ee27c42","4637-System_Search_Store":"file","3-System_ItemFolderNameDisplay":"Programs","5-System_ItemTypeText":"File folder","4443-System_ItemNameDisplay":"Windows Administrative Tools","4371-System_Document_DateCreated":"00007b76c9deacd501","4373-System_Document_DateSaved":"00c1277e7d9619d801","4442-System_ItemName":"Windows Administrative Tools","4457-System_KindText":"Folder","4441-System_ItemFolderPathDisplayNarrow":"Programs (C:\\ProgramData\\Microsoft\\Windows\\Start Menu)","4444-System_ItemNameDisplayWithoutExtension":"Windows Administrative Tools","4403-System_FolderNameDisplay":"Windows Administrative Tools","4448-System_ItemPathDisplayNarrow":"Windows Administrative Tools (C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs)","4450-System_ItemType":"Directory","11-System_FileName":"Administrative Tools","4565-System_ParsingName":"Administrative Tools","4623-System_SFGAOFlags":2147581696,"0-InvertedOnlyPids":"0128126512"} 
-{"WorkID":8,"27F-System_Search_Rank":707406378,"4631F-System_Search_GatherTime":"QEtVtJw02AE=","13F-System_Size":"kAEAAAAAAAA=","14F-System_FileAttributes":38,"15F-System_DateModified":"4OV4WJYZ2AE=","16F-System_DateCreated":"qIqyyd6s1QE=","17F-System_DateAccessed":"VC+qs5w02AE=","0F-InvertedOnlyMD5":"XMWOf3f2TkH5lHqZGUodMA==","4434-System_IsFolder":false,"4397-System_FilePlaceholderStatus":1536,"4624-System_Search_AccessCount":0,"4440-System_ItemFolderPathDisplay":"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs","4447-System_ItemPathDisplay":"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\desktop.ini","4633-System_Search_LastIndexedTotalTime":0,"33-System_ItemUrl":"file:C:/ProgramData/Microsoft/Windows/Start Menu/Programs/desktop.ini","4365-System_DateImported":"0000a8a7cadeacd501","4429-System_IsAttachment":false,"4431-System_IsEncrypted":false,"4438-System_ItemDate":"0000a8a7cadeacd501","4678-System_ThumbnailCacheId":"00819de12d69c35c06","4637-System_Search_Store":"file","3-System_ItemFolderNameDisplay":"Programs","5-System_ItemTypeText":"Configuration settings","4443-System_ItemNameDisplay":"desktop.ini","4392-System_FileExtension":".ini","4371-System_Document_DateCreated":"0000a8a7cadeacd501","4373-System_Document_DateSaved":"00e0e578589619d801","4442-System_ItemName":"desktop.ini","4441-System_ItemFolderPathDisplayNarrow":"Programs (C:\\ProgramData\\Microsoft\\Windows\\Start Menu)","4444-System_ItemNameDisplayWithoutExtension":"desktop","4448-System_ItemPathDisplayNarrow":"desktop (C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs)","4450-System_ItemType":".ini","11-System_FileName":"desktop.ini","4565-System_ParsingName":"desktop.ini","4623-System_SFGAOFlags":1485928192,"0-InvertedOnlyPids":"0128126512"} 
-{"WorkID":9,"27F-System_Search_Rank":707406378,"4631F-System_Search_GatherTime":"cNqytpw02AE=","13F-System_Size":"LQkAAAAAAAA=","14F-System_FileAttributes":37,"15F-System_DateModified":"vI0BLd6s1QE=","16F-System_DateCreated":"vI0BLd6s1QE=","17F-System_DateAccessed":"CvKus5w02AE=","0F-InvertedOnlyMD5":"UvS/gkm1224IJypRZDhpBw==","4434-System_IsFolder":false,"4397-System_FilePlaceholderStatus":1536,"4624-System_Search_AccessCount":0,"4440-System_ItemFolderPathDisplay":"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs","4447-System_ItemPathDisplay":"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Settings.lnk","4633-System_Search_LastIndexedTotalTime":-1.2882297539194267e-231,"33-System_ItemUrl":"file:C:/ProgramData/Microsoft/Windows/Start Menu/Programs/Immersive Control Panel.lnk","4396-System_FileOwner":"NT AUTHORITY\\SYSTEM","4365-System_DateImported":"00bc8d012ddeacd501","4465-System_Link_TargetParsingPath":"C:\\Windows\\System32\\Control.exe","4466-System_Link_TargetSFGAOFlags":1073837824,"4681-System_Tile_SmallLogoPath":"Images\\Logo.png","4679-System_Tile_Background":2872267008,"4559-System_NotUserContent":false,"4429-System_IsAttachment":false,"4625-System_Search_AutoSummary":"Change settings and customize the functionality of your computer","4431-System_IsEncrypted":false,"4438-System_ItemDate":"00bc8d012ddeacd501","4456-System_Kind":"0313ecb47b0d80cbdf6779b80d","4678-System_ThumbnailCacheId":"00d517ef9af79d1395","4702-System_VolumeId":"{1d26cf00-5824-a464-4c90-4ba338227e6f}","4637-System_Search_Store":"file","3-System_ItemFolderNameDisplay":"Programs","5-System_ItemTypeText":"Shortcut","4173-System_Comment":"Change settings and customize the functionality of your computer","4443-System_ItemNameDisplay":"Settings.lnk","4392-System_FileExtension":".lnk","4371-System_Document_DateCreated":"00bc8d012ddeacd501","4373-System_Document_DateSaved":"00bc8d012ddeacd501","4442-System_ItemName":"Settings.lnk","4457-System_KindText":"Link; 
Program","4441-System_ItemFolderPathDisplayNarrow":"Programs (C:\\ProgramData\\Microsoft\\Windows\\Start Menu)","4444-System_ItemNameDisplayWithoutExtension":"Settings","4146-System_AppUserModel_PackageFamilyName":"windows.immersivecontrolpanel_cw5n1h2txyewy","4184-System_ComputerName":"DESKTOP-TMKU40H","4448-System_ItemPathDisplayNarrow":"Settings (C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs)","4450-System_ItemType":".lnk","11-System_FileName":"Immersive Control Panel.lnk","4565-System_ParsingName":"Immersive Control Panel.lnk","4623-System_SFGAOFlags":1091663616,"0-InvertedOnlyPids":"017011731128126512"} -{"WorkID":10,"27F-System_Search_Rank":707406378,"4631F-System_Search_GatherTime":"mf6Lg8M02AE=","13F-System_Size":"KioqKioqKio=","14F-System_FileAttributes":8208,"15F-System_DateModified":"qIqyyd6s1QE=","16F-System_DateCreated":"OwVnyN6s1QE=","17F-System_DateAccessed":"6DwqYMM02AE=","0F-InvertedOnlyMD5":"Cd3SVK2junbvG2lIvYqX+g==","4434-System_IsFolder":false,"4397-System_FilePlaceholderStatus":1536,"4624-System_Search_AccessCount":0,"4440-System_ItemFolderPathDisplay":"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs","4447-System_ItemPathDisplay":"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance","4633-System_Search_LastIndexedTotalTime":0,"33-System_ItemUrl":"file:C:/ProgramData/Microsoft/Windows/Start Menu/Programs/Maintenance","4365-System_DateImported":"00007b76c9deacd501","4429-System_IsAttachment":false,"4431-System_IsEncrypted":false,"4438-System_ItemDate":"00007b76c9deacd501","4456-System_Kind":"0166006f006c00640065007200","4678-System_ThumbnailCacheId":"00f2976f2cea073c89","4637-System_Search_Store":"file","3-System_ItemFolderNameDisplay":"Programs","5-System_ItemTypeText":"File 
folder","4443-System_ItemNameDisplay":"Maintenance","4371-System_Document_DateCreated":"00007b76c9deacd501","4373-System_Document_DateSaved":"00a88ab2c9deacd501","4442-System_ItemName":"Maintenance","4457-System_KindText":"Folder","4441-System_ItemFolderPathDisplayNarrow":"Programs (C:\\ProgramData\\Microsoft\\Windows\\Start Menu)","4444-System_ItemNameDisplayWithoutExtension":"Maintenance","4403-System_FolderNameDisplay":"Maintenance","4448-System_ItemPathDisplayNarrow":"Maintenance (C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs)","4450-System_ItemType":"Directory","11-System_FileName":"Maintenance","4565-System_ParsingName":"Maintenance","4623-System_SFGAOFlags":2147581696,"0-InvertedOnlyPids":"0128126512"} +{"WorkID":1,"27F-System_Search_Rank":707406378,"4631F-System_Search_GatherTime":"mf6Lg8M02AE=","13F-System_Size":"KioqKioqKio=","14F-System_FileAttributes":8209,"15F-System_DateModified":"qIqyyd6s1QE=","16F-System_DateCreated":"OwVnyN6s1QE=","17F-System_DateAccessed":"mf6Lg8M02AE=","0F-InvertedOnlyMD5":"FDSYOylCiDiD1Qq+R+1dGQ==","4434-System_IsFolder":true,"4397-System_FilePlaceholderStatus":6,"4624-System_Search_AccessCount":0,"4440-System_ItemFolderPathDisplay":"C:\\ProgramData\\Microsoft\\Windows","4447-System_ItemPathDisplay":"C:\\ProgramData\\Microsoft\\Windows\\Start Menu","4633-System_Search_LastIndexedTotalTime":0,"33-System_ItemUrl":"file:C:/ProgramData/Microsoft/Windows/Start Menu","4365-System_DateImported":"007b76c9deacd501","4429-System_IsAttachment":false,"4431-System_IsEncrypted":false,"4438-System_ItemDate":"007b76c9deacd501","4456-System_Kind":"66006f006c00640065007200","4678-System_ThumbnailCacheId":"5d50e0046f5791ae","4637-System_Search_Store":"file","3-System_ItemFolderNameDisplay":"Windows","5-System_ItemTypeText":"File folder","4443-System_ItemNameDisplay":"Start Menu","4371-System_Document_DateCreated":"007b76c9deacd501","4373-System_Document_DateSaved":"a88ab2c9deacd501","4442-System_ItemName":"Start 
Menu","4457-System_KindText":"Folder","4441-System_ItemFolderPathDisplayNarrow":"Windows (C:\\ProgramData\\Microsoft)","4444-System_ItemNameDisplayWithoutExtension":"Start Menu","4403-System_FolderNameDisplay":"Start Menu","4448-System_ItemPathDisplayNarrow":"Start Menu (C:\\ProgramData\\Microsoft\\Windows)","4450-System_ItemType":"Directory","11-System_FileName":"Start Menu","4565-System_ParsingName":"Start Menu","4623-System_SFGAOFlags":1887437183,"0-InvertedOnlyPids":"28126512"} +{"WorkID":2,"27F-System_Search_Rank":707406378,"4631F-System_Search_GatherTime":"aMHDgsM02AE=","13F-System_Size":"KioqKioqKio=","14F-System_FileAttributes":17,"15F-System_DateModified":"Jy4Ps5w02AE=","16F-System_DateCreated":"NupuOt2s1QE=","17F-System_DateAccessed":"fBTfYMM02AE=","0F-InvertedOnlyMD5":"ypd+qi9AePG3aH7GAt4pOg==","4434-System_IsFolder":true,"4397-System_FilePlaceholderStatus":6,"4624-System_Search_AccessCount":0,"4440-System_ItemFolderPathDisplay":"C:\\","4447-System_ItemPathDisplay":"C:\\Users","4633-System_Search_LastIndexedTotalTime":0,"33-System_ItemUrl":"file:C:/Users","4365-System_DateImported":"00c54d3bddacd501","4429-System_IsAttachment":false,"4431-System_IsEncrypted":false,"4438-System_ItemDate":"00c54d3bddacd501","4456-System_Kind":"66006f006c00640065007200","4678-System_ThumbnailCacheId":"127d8401f8de1365","4637-System_Search_Store":"file","5-System_ItemTypeText":"File folder","4443-System_ItemNameDisplay":"Users","4371-System_Document_DateCreated":"00c54d3bddacd501","4373-System_Document_DateSaved":"272e0fb39c34d801","4442-System_ItemName":"Users","4457-System_KindText":"Folder","4441-System_ItemFolderPathDisplayNarrow":"C:\\","4444-System_ItemNameDisplayWithoutExtension":"Users","4403-System_FolderNameDisplay":"Users","4448-System_ItemPathDisplayNarrow":"Users (C:)","4450-System_ItemType":"Directory","11-System_FileName":"Users","4565-System_ParsingName":"Users","4623-System_SFGAOFlags":1887437167,"0-InvertedOnlyPids":"28126512"} 
+{"WorkID":3,"27F-System_Search_Rank":707406378,"4631F-System_Search_GatherTime":"QEtVtJw02AE=","13F-System_Size":"rgAAAAAAAAA=","14F-System_FileAttributes":38,"15F-System_DateModified":"hR42e96s1QE=","16F-System_DateCreated":"qIqyyd6s1QE=","17F-System_DateAccessed":"VC+qs5w02AE=","0F-InvertedOnlyMD5":"XMWOf3f2TkH5lHqZGUodMA==","4434-System_IsFolder":false,"4397-System_FilePlaceholderStatus":6,"4624-System_Search_AccessCount":0,"4440-System_ItemFolderPathDisplay":"C:\\ProgramData\\Microsoft\\Windows\\Start Menu","4447-System_ItemPathDisplay":"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\desktop.ini","4633-System_Search_LastIndexedTotalTime":0,"33-System_ItemUrl":"file:C:/ProgramData/Microsoft/Windows/Start Menu/desktop.ini","4365-System_DateImported":"851e367bdeacd501","4429-System_IsAttachment":false,"4431-System_IsEncrypted":false,"4438-System_ItemDate":"851e367bdeacd501","4678-System_ThumbnailCacheId":"acb038f43a56d02d","4637-System_Search_Store":"file","3-System_ItemFolderNameDisplay":"Start Menu","5-System_ItemTypeText":"Configuration settings","4443-System_ItemNameDisplay":"desktop.ini","4392-System_FileExtension":".ini","4371-System_Document_DateCreated":"851e367bdeacd501","4373-System_Document_DateSaved":"851e367bdeacd501","4442-System_ItemName":"desktop.ini","4441-System_ItemFolderPathDisplayNarrow":"Start Menu (C:\\ProgramData\\Microsoft\\Windows)","4444-System_ItemNameDisplayWithoutExtension":"desktop","4448-System_ItemPathDisplayNarrow":"desktop (C:\\ProgramData\\Microsoft\\Windows\\Start Menu)","4450-System_ItemType":".ini","11-System_FileName":"desktop.ini","4565-System_ParsingName":"desktop.ini","4623-System_SFGAOFlags":1079546231,"0-InvertedOnlyPids":"28126512"} 
+{"WorkID":4,"27F-System_Search_Rank":707406378,"4631F-System_Search_GatherTime":"mf6Lg8M02AE=","13F-System_Size":"KioqKioqKio=","14F-System_FileAttributes":8209,"15F-System_DateModified":"OtGR9bc02AE=","16F-System_DateCreated":"OwVnyN6s1QE=","17F-System_DateAccessed":"mf6Lg8M02AE=","0F-InvertedOnlyMD5":"yxF0v7m0HrxDNMrCEdGpdw==","4434-System_IsFolder":true,"4397-System_FilePlaceholderStatus":6,"4624-System_Search_AccessCount":0,"4440-System_ItemFolderPathDisplay":"C:\\ProgramData\\Microsoft\\Windows\\Start Menu","4447-System_ItemPathDisplay":"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs","4633-System_Search_LastIndexedTotalTime":0,"33-System_ItemUrl":"file:C:/ProgramData/Microsoft/Windows/Start Menu/Programs","4365-System_DateImported":"007b76c9deacd501","4429-System_IsAttachment":false,"4431-System_IsEncrypted":false,"4438-System_ItemDate":"007b76c9deacd501","4456-System_Kind":"66006f006c00640065007200","4678-System_ThumbnailCacheId":"54419e5fa362c41b","4637-System_Search_Store":"file","3-System_ItemFolderNameDisplay":"Start Menu","5-System_ItemTypeText":"File folder","4443-System_ItemNameDisplay":"Programs","4371-System_Document_DateCreated":"007b76c9deacd501","4373-System_Document_DateSaved":"3ad191f5b734d801","4442-System_ItemName":"Programs","4457-System_KindText":"Folder","4441-System_ItemFolderPathDisplayNarrow":"Start Menu (C:\\ProgramData\\Microsoft\\Windows)","4444-System_ItemNameDisplayWithoutExtension":"Programs","4403-System_FolderNameDisplay":"Programs","4448-System_ItemPathDisplayNarrow":"Programs (C:\\ProgramData\\Microsoft\\Windows\\Start Menu)","4450-System_ItemType":"Directory","11-System_FileName":"Programs","4565-System_ParsingName":"Programs","4623-System_SFGAOFlags":1887437183,"0-InvertedOnlyPids":"28126512"} 
+{"WorkID":5,"27F-System_Search_Rank":707406378,"4631F-System_Search_GatherTime":"mf6Lg8M02AE=","13F-System_Size":"KioqKioqKio=","14F-System_FileAttributes":17,"15F-System_DateModified":"wSd+fZYZ2AE=","16F-System_DateCreated":"OwVnyN6s1QE=","17F-System_DateAccessed":"6DwqYMM02AE=","0F-InvertedOnlyMD5":"H3selZLYBm1zEZC5QwELHQ==","4434-System_IsFolder":true,"4397-System_FilePlaceholderStatus":6,"4624-System_Search_AccessCount":0,"4440-System_ItemFolderPathDisplay":"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs","4447-System_ItemPathDisplay":"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Windows Ease of Access","4633-System_Search_LastIndexedTotalTime":0,"33-System_ItemUrl":"file:C:/ProgramData/Microsoft/Windows/Start Menu/Programs/Accessibility","4365-System_DateImported":"007b76c9deacd501","4429-System_IsAttachment":false,"4431-System_IsEncrypted":false,"4438-System_ItemDate":"007b76c9deacd501","4456-System_Kind":"66006f006c00640065007200","4678-System_ThumbnailCacheId":"bc904acd85f6e765","4637-System_Search_Store":"file","3-System_ItemFolderNameDisplay":"Programs","5-System_ItemTypeText":"File folder","4443-System_ItemNameDisplay":"Windows Ease of Access","4371-System_Document_DateCreated":"007b76c9deacd501","4373-System_Document_DateSaved":"c1277e7d9619d801","4442-System_ItemName":"Windows Ease of Access","4457-System_KindText":"Folder","4441-System_ItemFolderPathDisplayNarrow":"Programs (C:\\ProgramData\\Microsoft\\Windows\\Start Menu)","4444-System_ItemNameDisplayWithoutExtension":"Windows Ease of Access","4403-System_FolderNameDisplay":"Windows Ease of Access","4448-System_ItemPathDisplayNarrow":"Windows Ease of Access (C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs)","4450-System_ItemType":"Directory","11-System_FileName":"Accessibility","4565-System_ParsingName":"Accessibility","4623-System_SFGAOFlags":1887437183,"0-InvertedOnlyPids":"28126512"} 
+{"WorkID":6,"27F-System_Search_Rank":707406378,"4631F-System_Search_GatherTime":"mf6Lg8M02AE=","13F-System_Size":"KioqKioqKio=","14F-System_FileAttributes":17,"15F-System_DateModified":"wSd+fZYZ2AE=","16F-System_DateCreated":"OwVnyN6s1QE=","17F-System_DateAccessed":"uY2Jg8M02AE=","0F-InvertedOnlyMD5":"AD7FjIHjAaZX/H/BKimYbA==","4434-System_IsFolder":true,"4397-System_FilePlaceholderStatus":6,"4624-System_Search_AccessCount":0,"4440-System_ItemFolderPathDisplay":"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs","4447-System_ItemPathDisplay":"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Windows Accessories","4633-System_Search_LastIndexedTotalTime":0,"33-System_ItemUrl":"file:C:/ProgramData/Microsoft/Windows/Start Menu/Programs/Accessories","4365-System_DateImported":"007b76c9deacd501","4429-System_IsAttachment":false,"4431-System_IsEncrypted":false,"4438-System_ItemDate":"007b76c9deacd501","4456-System_Kind":"66006f006c00640065007200","4678-System_ThumbnailCacheId":"b24761032a3aceed","4637-System_Search_Store":"file","3-System_ItemFolderNameDisplay":"Programs","5-System_ItemTypeText":"File folder","4443-System_ItemNameDisplay":"Windows Accessories","4371-System_Document_DateCreated":"007b76c9deacd501","4373-System_Document_DateSaved":"c1277e7d9619d801","4442-System_ItemName":"Windows Accessories","4457-System_KindText":"Folder","4441-System_ItemFolderPathDisplayNarrow":"Programs (C:\\ProgramData\\Microsoft\\Windows\\Start Menu)","4444-System_ItemNameDisplayWithoutExtension":"Windows Accessories","4403-System_FolderNameDisplay":"Windows Accessories","4448-System_ItemPathDisplayNarrow":"Windows Accessories (C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs)","4450-System_ItemType":"Directory","11-System_FileName":"Accessories","4565-System_ParsingName":"Accessories","4623-System_SFGAOFlags":1887437183,"0-InvertedOnlyPids":"28126512"} 
+{"WorkID":7,"27F-System_Search_Rank":707406378,"4631F-System_Search_GatherTime":"mf6Lg8M02AE=","13F-System_Size":"KioqKioqKio=","14F-System_FileAttributes":8209,"15F-System_DateModified":"wSd+fZYZ2AE=","16F-System_DateCreated":"OwVnyN6s1QE=","17F-System_DateAccessed":"6DwqYMM02AE=","0F-InvertedOnlyMD5":"eGtgwBZlaRIhzGXUG0RuDA==","4434-System_IsFolder":true,"4397-System_FilePlaceholderStatus":6,"4624-System_Search_AccessCount":0,"4440-System_ItemFolderPathDisplay":"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs","4447-System_ItemPathDisplay":"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Windows Administrative Tools","4633-System_Search_LastIndexedTotalTime":0,"33-System_ItemUrl":"file:C:/ProgramData/Microsoft/Windows/Start Menu/Programs/Administrative Tools","4365-System_DateImported":"007b76c9deacd501","4429-System_IsAttachment":false,"4431-System_IsEncrypted":false,"4438-System_ItemDate":"007b76c9deacd501","4456-System_Kind":"66006f006c00640065007200","4678-System_ThumbnailCacheId":"17ac7b179ee27c42","4637-System_Search_Store":"file","3-System_ItemFolderNameDisplay":"Programs","5-System_ItemTypeText":"File folder","4443-System_ItemNameDisplay":"Windows Administrative Tools","4371-System_Document_DateCreated":"007b76c9deacd501","4373-System_Document_DateSaved":"c1277e7d9619d801","4442-System_ItemName":"Windows Administrative Tools","4457-System_KindText":"Folder","4441-System_ItemFolderPathDisplayNarrow":"Programs (C:\\ProgramData\\Microsoft\\Windows\\Start Menu)","4444-System_ItemNameDisplayWithoutExtension":"Windows Administrative Tools","4403-System_FolderNameDisplay":"Windows Administrative Tools","4448-System_ItemPathDisplayNarrow":"Windows Administrative Tools (C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs)","4450-System_ItemType":"Directory","11-System_FileName":"Administrative Tools","4565-System_ParsingName":"Administrative Tools","4623-System_SFGAOFlags":1887437183,"0-InvertedOnlyPids":"28126512"} 
+{"WorkID":8,"27F-System_Search_Rank":707406378,"4631F-System_Search_GatherTime":"QEtVtJw02AE=","13F-System_Size":"kAEAAAAAAAA=","14F-System_FileAttributes":38,"15F-System_DateModified":"4OV4WJYZ2AE=","16F-System_DateCreated":"qIqyyd6s1QE=","17F-System_DateAccessed":"VC+qs5w02AE=","0F-InvertedOnlyMD5":"XMWOf3f2TkH5lHqZGUodMA==","4434-System_IsFolder":false,"4397-System_FilePlaceholderStatus":6,"4624-System_Search_AccessCount":0,"4440-System_ItemFolderPathDisplay":"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs","4447-System_ItemPathDisplay":"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\desktop.ini","4633-System_Search_LastIndexedTotalTime":0,"33-System_ItemUrl":"file:C:/ProgramData/Microsoft/Windows/Start Menu/Programs/desktop.ini","4365-System_DateImported":"00a8a7cadeacd501","4429-System_IsAttachment":false,"4431-System_IsEncrypted":false,"4438-System_ItemDate":"00a8a7cadeacd501","4678-System_ThumbnailCacheId":"819de12d69c35c06","4637-System_Search_Store":"file","3-System_ItemFolderNameDisplay":"Programs","5-System_ItemTypeText":"Configuration settings","4443-System_ItemNameDisplay":"desktop.ini","4392-System_FileExtension":".ini","4371-System_Document_DateCreated":"00a8a7cadeacd501","4373-System_Document_DateSaved":"e0e578589619d801","4442-System_ItemName":"desktop.ini","4441-System_ItemFolderPathDisplayNarrow":"Programs (C:\\ProgramData\\Microsoft\\Windows\\Start Menu)","4444-System_ItemNameDisplayWithoutExtension":"desktop","4448-System_ItemPathDisplayNarrow":"desktop (C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs)","4450-System_ItemType":".ini","11-System_FileName":"desktop.ini","4565-System_ParsingName":"desktop.ini","4623-System_SFGAOFlags":1079546231,"0-InvertedOnlyPids":"28126512"} 
+{"WorkID":9,"27F-System_Search_Rank":707406378,"4631F-System_Search_GatherTime":"cNqytpw02AE=","13F-System_Size":"LQkAAAAAAAA=","14F-System_FileAttributes":37,"15F-System_DateModified":"vI0BLd6s1QE=","16F-System_DateCreated":"vI0BLd6s1QE=","17F-System_DateAccessed":"CvKus5w02AE=","0F-InvertedOnlyMD5":"UvS/gkm1224IJypRZDhpBw==","4434-System_IsFolder":false,"4397-System_FilePlaceholderStatus":6,"4624-System_Search_AccessCount":0,"4440-System_ItemFolderPathDisplay":"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs","4447-System_ItemPathDisplay":"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Settings.lnk","4633-System_Search_LastIndexedTotalTime":0.015625,"33-System_ItemUrl":"file:C:/ProgramData/Microsoft/Windows/Start Menu/Programs/Immersive Control Panel.lnk","4396-System_FileOwner":"NT AUTHORITY\\SYSTEM","4365-System_DateImported":"bc8d012ddeacd501","4465-System_Link_TargetParsingPath":"C:\\Windows\\System32\\Control.exe","4466-System_Link_TargetSFGAOFlags":1077936503,"4681-System_Tile_SmallLogoPath":"Images\\Logo.png","4679-System_Tile_Background":4289409873,"4559-System_NotUserContent":true,"4429-System_IsAttachment":false,"4625-System_Search_AutoSummary":"Change settings and customize the functionality of your computer","4431-System_IsEncrypted":false,"4438-System_ItemDate":"bc8d012ddeacd501","4456-System_Kind":"6c0069006e006b000000700072006f006700720061006d00","4678-System_ThumbnailCacheId":"d517ef9af79d1395","4702-System_VolumeId":"{241d26cf-6458-4ca4-904b-a338227e6fb6}","4637-System_Search_Store":"file","3-System_ItemFolderNameDisplay":"Programs","5-System_ItemTypeText":"Shortcut","4173-System_Comment":"Change settings and customize the functionality of your computer","4443-System_ItemNameDisplay":"Settings.lnk","4392-System_FileExtension":".lnk","4371-System_Document_DateCreated":"bc8d012ddeacd501","4373-System_Document_DateSaved":"bc8d012ddeacd501","4442-System_ItemName":"Settings.lnk","4457-System_KindText":"Link; 
Program","4441-System_ItemFolderPathDisplayNarrow":"Programs (C:\\ProgramData\\Microsoft\\Windows\\Start Menu)","4444-System_ItemNameDisplayWithoutExtension":"Settings","4146-System_AppUserModel_PackageFamilyName":"windows.immersivecontrolpanel_cw5n1h2txyewy","4184-System_ComputerName":"DESKTOP-TMKU40H","4448-System_ItemPathDisplayNarrow":"Settings (C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs)","4450-System_ItemType":".lnk","11-System_FileName":"Immersive Control Panel.lnk","4565-System_ParsingName":"Immersive Control Panel.lnk","4623-System_SFGAOFlags":1078006135,"0-InvertedOnlyPids":"7011731128126512"} +{"WorkID":10,"27F-System_Search_Rank":707406378,"4631F-System_Search_GatherTime":"mf6Lg8M02AE=","13F-System_Size":"KioqKioqKio=","14F-System_FileAttributes":8208,"15F-System_DateModified":"qIqyyd6s1QE=","16F-System_DateCreated":"OwVnyN6s1QE=","17F-System_DateAccessed":"6DwqYMM02AE=","0F-InvertedOnlyMD5":"Cd3SVK2junbvG2lIvYqX+g==","4434-System_IsFolder":true,"4397-System_FilePlaceholderStatus":6,"4624-System_Search_AccessCount":0,"4440-System_ItemFolderPathDisplay":"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs","4447-System_ItemPathDisplay":"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance","4633-System_Search_LastIndexedTotalTime":0,"33-System_ItemUrl":"file:C:/ProgramData/Microsoft/Windows/Start Menu/Programs/Maintenance","4365-System_DateImported":"007b76c9deacd501","4429-System_IsAttachment":false,"4431-System_IsEncrypted":false,"4438-System_ItemDate":"007b76c9deacd501","4456-System_Kind":"66006f006c00640065007200","4678-System_ThumbnailCacheId":"f2976f2cea073c89","4637-System_Search_Store":"file","3-System_ItemFolderNameDisplay":"Programs","5-System_ItemTypeText":"File 
folder","4443-System_ItemNameDisplay":"Maintenance","4371-System_Document_DateCreated":"007b76c9deacd501","4373-System_Document_DateSaved":"a88ab2c9deacd501","4442-System_ItemName":"Maintenance","4457-System_KindText":"Folder","4441-System_ItemFolderPathDisplayNarrow":"Programs (C:\\ProgramData\\Microsoft\\Windows\\Start Menu)","4444-System_ItemNameDisplayWithoutExtension":"Maintenance","4403-System_FolderNameDisplay":"Maintenance","4448-System_ItemPathDisplayNarrow":"Maintenance (C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs)","4450-System_ItemType":"Directory","11-System_FileName":"Maintenance","4565-System_ParsingName":"Maintenance","4623-System_SFGAOFlags":1887437183,"0-InvertedOnlyPids":"28126512"} diff --git a/fixtures/ntds.dit.golden b/fixtures/ntds.dit.golden index ebbcf32..1949dd6 100644 --- a/fixtures/ntds.dit.golden +++ b/fixtures/ntds.dit.golden 
@@ -1,5 +1,5 @@ {"DNT_col":1,"PDNT_col":707406378,"OBJ_col":1,"RDNtyp_col":707406378,"cnt_col":1,"ab_cnt_col":0,"ATTm589825":"$NOT_AN_OBJECT1$","ATTk589826":"01000000000000000000000000000000"} {"DNT_col":2,"PDNT_col":0,"OBJ_col":1,"RDNtyp_col":707406378,"cnt_col":3,"ab_cnt_col":0,"time_col":3038287259199220266,"NCDNT_col":707406378,"IsVisibleInAB":0,"Ancestors_col":"02000000","ATTb49":2,"ATTb131108":3,"ATTc0":65536,"ATTm589825":"$ROOT_OBJECT$","ATTj131073":3,"ATTq131091":0,"ATTl131074":0,"ATTp131353":"0100000000000000","ATTk589826":"00000000000000000000000000000000"} -{"DNT_col":6,"PDNT_col":2030,"OBJ_col":1,"RDNtyp_col":3,"cnt_col":2,"ab_cnt_col":0,"time_col":13013628273,"NCDNT_col":2030,"IsVisibleInAB":42,"recycle_time_col":3038287259199220266,"Ancestors_col":"02000000d6070000d7070000d8070000ee07000006000000","ATTc590021":10,"ATTm131532":"organization","ATTm131298":"Organization","ATTl591181":0,"ATTc131098":10,"ATTi590342":0,"ATTi131241":1,"ATTc590020":2883624,"ATTm131266":"Organization","ATTb49":6,"ATTc0":50334980,"ATTk589827":"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","ATTc131094":65540,"ATTk589972":"a37a96bfe60dd011a28500aa003049e2","ATTc131093":65536,"ATTm590048":"D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)","ATTi589994":0,"ATTq131192":1778,"ATTl131075":13013628277,"ATTm589825":"Organization","ATTb590607":6,"ATTj131442":1,"ATTm3":"Organization","ATTj131073":4,"ATTq131091":1778,"ATTl131074":13013628277,"ATTp131353":"0700000000000000","ATTk589826":"2d5641aa2856e348be148245aef718a2","ATTc590019":655366,"ATTb590606":1486,"ATTj590199":16} 
-{"DNT_col":8,"PDNT_col":2030,"OBJ_col":1,"RDNtyp_col":3,"cnt_col":3,"ab_cnt_col":0,"time_col":13013628273,"NCDNT_col":2030,"IsVisibleInAB":42,"recycle_time_col":3038287259199220266,"Ancestors_col":"02000000d6070000d7070000d8070000ee07000008000000","ATTm131532":"nTDSDSA","ATTm131298":"NTDS-DSA","ATTl591181":0,"ATTc131098":3,"ATTi590342":1,"ATTi131241":1,"ATTc590020":3801142,"ATTm131266":"NTDS-DSA","ATTb49":8,"ATTc0":50334980,"ATTk589827":"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","ATTc131094":1507375,"ATTk589972":"abfff8f09111d011a06000aa006c33ed","ATTc131093":1507377,"ATTm590048":"D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)","ATTi589994":1,"ATTq131192":1761,"ATTl131075":13013628277,"ATTm589825":"NTDS-DSA","ATTb590607":8,"ATTj131442":1,"ATTm3":"NTDS-DSA","ATTj131073":4,"ATTq131091":1761,"ATTl131074":13013628277,"ATTp131353":"0700000000000000","ATTk589826":"6455d6804b5ca5448d2a4a97d2fd3080","ATTc590019":167776516,"ATTb590606":1486,"ATTj590199":16} 
-{"DNT_col":10,"PDNT_col":2030,"OBJ_col":1,"RDNtyp_col":3,"cnt_col":3,"ab_cnt_col":0,"time_col":13013628273,"NCDNT_col":2030,"IsVisibleInAB":42,"recycle_time_col":3038287259199220266,"Ancestors_col":"02000000d6070000d7070000d8070000ee0700000a000000","ATTc590021":3,"ATTm131532":"dMD","ATTm131298":"DMD","ATTl591181":0,"ATTc131098":3,"ATTi590342":1,"ATTi131241":1,"ATTc590020":1179662,"ATTm131266":"DMD","ATTb49":10,"ATTc0":50334980,"ATTk589827":"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","ATTc131094":196617,"ATTk589972":"8f7a96bfe60dd011a28500aa003049e2","ATTc131093":65536,"ATTm590048":"D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)","ATTi589994":1,"ATTq131192":1541,"ATTl131075":13013628276,"ATTm589825":"DMD","ATTb590607":10,"ATTj131442":1,"ATTm3":"DMD","ATTj131073":4,"ATTq131091":1541,"ATTl131074":13013628276,"ATTp131353":"0700000000000000","ATTk589826":"d31faf81b16f6742b8cc3a2c3f4aac41","ATTc590019":655372,"ATTb590606":1486,"ATTj590199":16} 
+{"DNT_col":6,"PDNT_col":2030,"OBJ_col":1,"RDNtyp_col":3,"cnt_col":2,"ab_cnt_col":0,"time_col":13013628273,"NCDNT_col":2030,"IsVisibleInAB":42,"recycle_time_col":3038287259199220266,"Ancestors_col":"02000000d6070000d7070000d8070000ee07000006000000","ATTc590021":10,"ATTm131532":"organization","ATTm131298":"Organization","ATTl591181":0,"ATTc131098":10,"ATTi590342":0,"ATTi131241":1,"ATTc590020":[15,27,23,25,7,19,18,16,17,28,26,14,34,8,9,20,22,21,35,24],"ATTm131266":"Organization","ATTb49":6,"ATTc0":[196621,65536],"ATTk589827":"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","ATTc131094":65540,"ATTk589972":"a37a96bfe60dd011a28500aa003049e2","ATTc131093":65536,"ATTm590048":"D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)","ATTi589994":0,"ATTq131192":1778,"ATTl131075":13013628277,"ATTm589825":"Organization","ATTb590607":6,"ATTj131442":1,"ATTm3":"Organization","ATTj131073":4,"ATTq131091":1778,"ATTl131074":13013628277,"ATTp131353":"0700000000000000","ATTk589826":"2d5641aa2856e348be148245aef718a2","ATTc590019":[655427,65538,65539],"ATTb590606":1486,"ATTj590199":16} 
+{"DNT_col":8,"PDNT_col":2030,"OBJ_col":1,"RDNtyp_col":3,"cnt_col":3,"ab_cnt_col":0,"time_col":13013628273,"NCDNT_col":2030,"IsVisibleInAB":42,"recycle_time_col":3038287259199220266,"Ancestors_col":"02000000d6070000d7070000d8070000ee07000008000000","ATTm131532":"nTDSDSA","ATTm131298":"NTDS-DSA","ATTl591181":0,"ATTc131098":3,"ATTi590342":1,"ATTi131241":1,"ATTc590020":[131108,590311,131086,131087,131187,590343,590477,591283,591644,591660,591533,591544,131531,590131,590431,590497,591650,590339,591749,591750,591752,591748,591783,591784,591785,591849,591885],"ATTm131266":"NTDS-DSA","ATTb49":8,"ATTc0":[196621,65536],"ATTk589827":"0100000000000000170000000000000000000000010000002a34741503000000f41b2d9efcb40c41af70a3eaad80a673e106000000000000e10600000000000003000000010000002a34741503000000f41b2d9efcb40c41af70a3eaad80a673e106000000000000e10600000000000001000200010000002a34741503000000f41b2d9efcb40c41af70a3eaad80a673e106000000000000e10600000000000002000200010000002a34741503000000f41b2d9efcb40c41af70a3eaad80a673e106000000000000e10600000000000015000200010000002a34741503000000f41b2d9efcb40c41af70a3eaad80a673e106000000000000e10600000000000016000200010000002a34741503000000f41b2d9efcb40c41af70a3eaad80a673e106000000000000e1060000000000001a000200010000002a34741503000000f41b2d9efcb40c41af70a3eaad80a673e106000000000000e106000000000000a9000200010000002a34741503000000f41b2d9efcb40c41af70a3eaad80a673e106000000000000e106000000000000c2000200010000002a34741503000000f41b2d9efcb40c41af70a3eaad80a673e106000000000000e106000000000000e2000200010000002a34741503000000f41b2d9efcb40c41af70a3eaad80a673e106000000000000e10600000000000019010200010000002a34741503000000f41b2d9efcb40c41af70a3eaad80a673e106000000000000e10600000000000072010200010000002a34741503000000f41b2d9efcb40c41af70a3eaad80a673e106000000000000e106000000000000cc010200010000002a34741503000000f41b2d9efcb40c41af70a3eaad80a673e106000000000000e10600000000000001000900010000002a34741503000000f41b2d9efcb40c41af70a3eaad80a673e106000000000000e1060000
0000000094000900010000002a34741503000000f41b2d9efcb40c41af70a3eaad80a673e106000000000000e106000000000000aa000900010000002a34741503000000f41b2d9efcb40c41af70a3eaad80a673e106000000000000e106000000000000c3000900010000002a34741503000000f41b2d9efcb40c41af70a3eaad80a673e106000000000000e106000000000000c4000900010000002a34741503000000f41b2d9efcb40c41af70a3eaad80a673e106000000000000e106000000000000e0000900010000002a34741503000000f41b2d9efcb40c41af70a3eaad80a673e106000000000000e10600000000000077010900010000002a34741503000000f41b2d9efcb40c41af70a3eaad80a673e106000000000000e10600000000000006020900010000002a34741503000000f41b2d9efcb40c41af70a3eaad80a673e106000000000000e1060000000000000e030900010000002a34741503000000f41b2d9efcb40c41af70a3eaad80a673e106000000000000e1060000000000000f030900010000002a34741503000000f41b2d9efcb40c41af70a3eaad80a673e106000000000000e106000000000000","ATTc131094":1507375,"ATTk589972":"abfff8f09111d011a06000aa006c33ed","ATTc131093":1507377,"ATTm590048":"D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)","ATTi589994":1,"ATTq131192":1761,"ATTl131075":13013628277,"ATTm589825":"NTDS-DSA","ATTb590607":8,"ATTj131442":1,"ATTm3":"NTDS-DSA","ATTj131073":4,"ATTq131091":1761,"ATTl131074":13013628277,"ATTp131353":"0700000000000000","ATTk589826":"6455d6804b5ca5448d2a4a97d2fd3080","ATTc590019":[655377,65540],"ATTb590606":1486,"ATTj590199":16} 
+{"DNT_col":10,"PDNT_col":2030,"OBJ_col":1,"RDNtyp_col":3,"cnt_col":3,"ab_cnt_col":0,"time_col":13013628273,"NCDNT_col":2030,"IsVisibleInAB":42,"recycle_time_col":3038287259199220266,"Ancestors_col":"02000000d6070000d7070000d8070000ee0700000a000000","ATTc590021":3,"ATTm131532":"dMD","ATTm131298":"DMD","ATTl591181":0,"ATTc131098":3,"ATTi590342":1,"ATTi131241":1,"ATTc590020":[131670,591540,591264,590362,591182,590305,591879],"ATTm131266":"DMD","ATTb49":10,"ATTc0":[196621,65536],"ATTk589827":"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","ATTc131094":196617,"ATTk589972":"8f7a96bfe60dd011a28500aa003049e2","ATTc131093":65536,"ATTm590048":"D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)","ATTi589994":1,"ATTq131192":1541,"ATTl131075":13013628276,"ATTm589825":"DMD","ATTb590607":10,"ATTj131442":1,"ATTm3":"DMD","ATTj131073":4,"ATTq131091":1541,"ATTl131074":13013628276,"ATTp131353":"0700000000000000","ATTk589826":"d31faf81b16f6742b8cc3a2c3f4aac41","ATTc590019":655372,"ATTb590606":1486,"ATTj590199":16} diff --git a/go.mod b/go.mod index c8041b9..c21e125 100644 --- a/go.mod +++ b/go.mod 
@@ -1,15 +1,25 @@ module www.velocidex.com/golang/go-ese -go 1.13 +go 1.18 require ( github.com/Velocidex/ordereddict v0.0.0-20220107075049-3dbe58412844 github.com/alecthomas/assert v1.0.0 - github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751 // indirect - github.com/alecthomas/units v0.0.0-20211218093645-b94a6e3cc137 // indirect github.com/davecgh/go-spew v1.1.1 github.com/sebdah/goldie v1.0.0 github.com/stretchr/testify v1.7.0 - golang.org/x/sys v0.1.0 // indirect gopkg.in/alecthomas/kingpin.v2 v2.2.6 ) + +require ( + github.com/Velocidex/yaml/v2 v2.2.8 // indirect + github.com/alecthomas/colour v0.1.0 // indirect + github.com/alecthomas/repr v0.0.0-20210801044451-80ca428c5142 // indirect + github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751 // indirect + github.com/alecthomas/units v0.0.0-20211218093645-b94a6e3cc137 // indirect + github.com/mattn/go-isatty v0.0.14 // indirect + github.com/pmezard/go-difflib v1.0.0 // indirect + github.com/sergi/go-diff v1.2.0 // indirect + golang.org/x/sys v0.1.0 // indirect + gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect +) diff --git a/parser/catalog.go b/parser/catalog.go index 597e35f..eae8bb5 100644 --- a/parser/catalog.go +++ b/parser/catalog.go @@ -3,6 +3,8 @@ package parser import ( + bytes2 "bytes" + "encoding/binary" "encoding/hex" "errors" "fmt" @@ -29,6 +31,7 @@ type ColumnSpec struct { Type string Flags uint32 SpaceUsage int64 + CodePage uint32 } type Table struct { @@ -92,7 +95,7 @@ func (self *Table) tagToRecord(value *Value, header *PageHeader) *ordereddict.Di result := ordereddict.NewDict() - var taggedItems map[uint32][]byte + var taggedItems map[uint32]TaggedValue reader := value.Reader() 
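Review bot: In the `parser/catalog.go` import hunk, `bytes2 "bytes"` aliases the standard package only because the new decoder closures further down name their parameter `bytes`. Naming that parameter `b` or `raw` would let the file import `"bytes"` unaliased and avoid shadowing a package name inside every closure. In the visible hunks the alias is used once, in the GUID case (`bytes2.NewReader(bytes)`).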
@@ -221,7 +224,7 @@ func (self *Table) tagToRecord(value *Value, header *PageHeader) *ordereddict.Di // Flags can be given as the first char or in the // column definition. - result.Set(column.Name, ParseLongText(data[:n], column.Flags)) + result.Set(column.Name, ParseLongText(data[:n], column.CodePage)) } } 
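Review bot: The context comment directly above the changed call still reads `Flags can be given as the first char or in the column definition`, but the call now passes `column.CodePage` instead of `column.Flags`. I would reword it to match the argument, e.g. `// Decode using the code page from the column definition.` ParseLongText is defined outside this hunk, so whether it still inspects a leading flag byte cannot be confirmed from here.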
@@ -315,115 +318,121 @@ func (self *Table) tagToRecord(value *Value, header *PageHeader) *ordereddict.Di buf, pres := taggedItems[column.Identifier] if pres { - reader := &BufferReaderAt{buf} switch column.Type { case "Binary": - result.Set(column.Name, hex.EncodeToString(buf)) + result.Set(column.Name, self.ParseTaggedValueWithPrimitiveDecoder(self.ctx, buf, func(bytes []byte) any { + return hex.EncodeToString(bytes) + })) case "Long Binary": - // If the buf is key size (4 or 8 bytes) then we - // can look it up in the LV cache. Otherwise it is - // stored literally. - if len(buf) == 4 || len(buf) == 8 { - data, pres := self.LongValueLookup.GetLid(buf) - if pres { - buf = data - } + parsedValue := self.ParseTaggedValueWithPrimitiveDecoder(self.ctx, buf, func(bytes []byte) any { + return hex.EncodeToString(bytes) + }) + if parsedValue != nil { + result.Set(column.Name, parsedValue) } - result.Set(column.Name, hex.EncodeToString(buf)) - case "Long Text": - // If the buf is key size (4 or 8 bytes) then we - // can look it up in the LV cache. Otherwise it is - // stored literally. - if len(buf) == 4 || len(buf) == 8 { - data, pres := self.LongValueLookup.GetLid(buf) - if pres { - buf = data - } + parsedValue := self.ParseTaggedValueWithPrimitiveDecoder(self.ctx, buf, func(bytes []byte) any { + return ParseLongText(bytes, column.CodePage) + }) + if parsedValue != nil { + result.Set(column.Name, parsedValue) } - // Flags can be given as the first char or in the - // column definition. 
- result.Set(column.Name, ParseLongText(buf, column.Flags)) - case "Boolean": if column.SpaceUsage == 1 { - result.Set(column.Name, ParseUint8(reader, 0) > 0) + result.Set(column.Name, self.ParseTaggedValueWithPrimitiveDecoder(self.ctx, buf, func(bytes []byte) any { + return bytes[0] > 0 + })) } case "Signed byte": if column.SpaceUsage == 1 { - result.Set(column.Name, ParseUint8(reader, 0)) + result.Set(column.Name, self.ParseTaggedValueWithPrimitiveDecoder(self.ctx, buf, func(bytes []byte) any { + return bytes[0] + })) } case "Signed short": if column.SpaceUsage == 2 { - result.Set(column.Name, ParseInt16(reader, 0)) + result.Set(column.Name, self.ParseTaggedValueWithPrimitiveDecoder(self.ctx, buf, func(bytes []byte) any { + return int16(binary.LittleEndian.Uint16(bytes)) + })) } case "Unsigned short": if column.SpaceUsage == 2 { - result.Set(column.Name, ParseUint16(reader, 0)) + result.Set(column.Name, self.ParseTaggedValueWithPrimitiveDecoder(self.ctx, buf, func(bytes []byte) any { + return binary.LittleEndian.Uint16(bytes) + })) } case "Signed long": if column.SpaceUsage == 4 { - result.Set(column.Name, ParseInt32(reader, 0)) + result.Set(column.Name, self.ParseTaggedValueWithPrimitiveDecoder(self.ctx, buf, func(bytes []byte) any { + return int32(binary.LittleEndian.Uint32(bytes)) + })) } case "Unsigned long": if column.SpaceUsage == 4 { - result.Set(column.Name, ParseUint32(reader, 0)) + result.Set(column.Name, self.ParseTaggedValueWithPrimitiveDecoder(self.ctx, buf, func(bytes []byte) any { + return binary.LittleEndian.Uint32(bytes) + })) } case "Single precision FP": if column.SpaceUsage == 4 { - result.Set(column.Name, math.Float32frombits( - ParseUint32(reader, 0))) + result.Set(column.Name, self.ParseTaggedValueWithPrimitiveDecoder(self.ctx, buf, func(bytes []byte) any { + return math.Float32frombits(binary.LittleEndian.Uint32(bytes)) + })) } case "Double precision FP": if column.SpaceUsage == 8 { - result.Set(column.Name, math.Float64frombits( - 
ParseUint64(reader, 0))) + result.Set(column.Name, self.ParseTaggedValueWithPrimitiveDecoder(self.ctx, buf, func(bytes []byte) any { + return math.Float64frombits(binary.LittleEndian.Uint64(bytes)) + })) } case "DateTime": if column.SpaceUsage == 8 { - switch column.Flags { - case 1: - // A more modern way of encoding - result.Set(column.Name, WinFileTime64(reader, 0)) - - case 0: - // Some hair brained time serialization method - // https://docs.microsoft.com/en-us/windows/win32/extensible-storage-engine/jet-coltyp - - value_int := ParseUint64(reader, 0) - days_since_1900 := math.Float64frombits(value_int) - - // In python time.mktime((1900,1,1,0,0,0,0,365,0)) - result.Set(column.Name, - time.Unix(int64(days_since_1900*24*60*60)+ - -2208988800, 0).UTC()) - - default: - // We have no idea - result.Set(column.Name, ParseUint64(reader, 0)) - } + result.Set(column.Name, self.ParseTaggedValueWithPrimitiveDecoder(self.ctx, buf, func(bytes []byte) any { + switch column.Flags { + case 1: + // A more modern way of encoding + return WinFileTime64Bin(bytes) + + case 0: + // Some hair brained time serialization method + // https://docs.microsoft.com/en-us/windows/win32/extensible-storage-engine/jet-coltyp + + value_int := binary.LittleEndian.Uint64(bytes) + days_since_1900 := math.Float64frombits(value_int) + + // In python time.mktime((1900,1,1,0,0,0,0,365,0)) + return time.Unix(int64(days_since_1900*24*60*60)+ + -2208988800, 0).UTC() + default: + // We have no idea + return binary.LittleEndian.Uint64(bytes) + } + })) } case "Long long", "Currency": if column.SpaceUsage == 8 { - result.Set(column.Name, ParseUint64(reader, 0)) + result.Set(column.Name, self.ParseTaggedValueWithPrimitiveDecoder(self.ctx, buf, func(bytes []byte) any { + return binary.LittleEndian.Uint64(bytes) + })) } case "GUID": if column.SpaceUsage == 16 { - result.Set(column.Name, - self.Header.Profile.GUID(reader, 0).AsString()) + result.Set(column.Name, self.ParseTaggedValueWithPrimitiveDecoder(self.ctx, 
buf, func(bytes []byte) any { + return self.Header.Profile.GUID(bytes2.NewReader(bytes), 0).AsString() + })) } default: 
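Review bot: The new decoder closures read the raw tagged bytes without checking their length: `bytes[0] > 0` in the Boolean and Signed byte cases, and `binary.LittleEndian.Uint16/Uint32/Uint64(bytes)` in the numeric, floating-point and DateTime cases. The surrounding `column.SpaceUsage == N` tests describe the column definition from the catalog, not the number of bytes actually present in the record, so a truncated or corrupted record in the database under examination would panic the parser. Each closure should return nil on a short slice, e.g. `if len(bytes) < 2 { return nil }` before the `Uint16` call, with the matching size in the other cases. For consistency, the fixed-size cases could also skip `result.Set` on a nil result, as `Long Binary` and `Long Text` already do. tagToRecord starts and ends outside this hunk.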
@@ -467,26 +476,128 @@ type tagBuffer struct { } /* - Tagged values are used to store sparse values. +Tagged values are used to store sparse values. - They consist of an array of RecordTag, each RecordTag has an - Identifier and an offset to the start of its data. The length of the - data in each record is determine by the start of the next record. +They consist of an array of RecordTag, each RecordTag has an +Identifier and an offset to the start of its data. The length of the +data in each record is determine by the start of the next record. - Example: +Example: - 00000050 00 01 0c 40 a4 01 21 00 a5 01 23 00 01 6c 00 61 |...@..!...#..l.a| - 00000060 00 62 00 5c 00 64 00 63 00 2d 00 31 00 24 00 00 |.b.\.d.c.-.1.$..| - 00000070 00 3d 00 f9 00 |.=...| +00000050 00 01 0c 40 a4 01 21 00 a5 01 23 00 01 6c 00 61 |...@..!...#..l.a| +00000060 00 62 00 5c 00 64 00 63 00 2d 00 31 00 24 00 00 |.b.\.d.c.-.1.$..| +00000070 00 3d 00 f9 00 |.=...| - Slice is 0x50-0x75 00010c40a4012100a5012300016c00610062005c00640063002d003100240000003d00f900 - Consumed 0x15 bytes of TAGGED space from 0xc to 0x21 for tag 0x100 - Consumed 0x2 bytes of TAGGED space from 0x21 to 0x23 for tag 0x1a4 - Consumed 0x2 bytes of TAGGED space from 0x23 to 0x25 for tag 0x1a5 +Slice is 0x50-0x75 00010c40a4012100a5012300016c00610062005c00640063002d003100240000003d00f900 +Consumed 0x15 bytes of TAGGED space from 0xc to 0x21 for tag 0x100 +Consumed 0x2 bytes of TAGGED space from 0x21 to 0x23 for tag 0x1a4 +Consumed 0x2 bytes of TAGGED space from 0x23 to 0x25 for tag 0x1a5 */ -func ParseTaggedValues(ctx *ESEContext, buffer []byte) map[uint32][]byte { - result := make(map[uint32][]byte) +type TaggedValue struct { + bHeader byte + data []byte +} + +func (self *Table) ParseMultiValue(buffer []byte, parseFn func([]byte) any, fLongValue bool, fCompressed bool) []any { + /* + 1. Only the first element of a multi-value can be compressed + 2. A long value in a multi-value can be compressed iff it is not separated + 3. 
If a long value in a multi-value is neither compressed nor separated it is considered an intrinsic multi-value + */ + var multiValues []any + var maskIb uint16 = 0x7fff + numberOfMvs := int(binary.LittleEndian.Uint16(buffer[0:2])&maskIb) / 2 + for imv := 0; imv < numberOfMvs; imv++ { + mv1 := binary.LittleEndian.Uint16(buffer[2*imv : 2*imv+2]) + ib1 := int(mv1 & maskIb) + var ib2 int + if imv == numberOfMvs-1 { + ib2 = len(buffer) + } else { + ib2 = int(binary.LittleEndian.Uint16(buffer[2*(imv+1):2*(imv+1)+2]) & maskIb) + } + data := buffer[ib1:ib2] + fSeparatedInstance := (mv1 & 0x8000) != 0 + if Debug && fCompressed && imv == 0 && fSeparatedInstance { + fmt.Printf("long value compressed AND separated, something has gone wrong\n") + } + var newData any + if fLongValue { + if fCompressed && imv == 0 { + d := DecompressLongValue(data) + if d != nil { + newData = parseFn(d) + } + } + if fSeparatedInstance { + d, pres := self.LongValueLookup.GetLid(data) + if pres && d != nil { + newData = parseFn(d) + } + } + } else { + newData = parseFn(data) + } + if newData != nil { + multiValues = append(multiValues, newData) + } + } + return multiValues +} +func ParseTwoValue(buffer []byte, parseFn func([]byte) any) []any { + var twoValues []any + lenFstValue := int(buffer[0]) + twoValues = append(twoValues, parseFn(buffer[1:1+lenFstValue])) + twoValues = append(twoValues, parseFn(buffer[1+lenFstValue:])) + return twoValues +} + +func (self *Table) ParseTaggedValueWithPrimitiveDecoder(ctx *ESEContext, value TaggedValue, parseFn func([]byte) any) any { + /* + 1. Multi-values have at least 3 values + 2. Two-values have exactly two values + 3. Two-values can not contain long values + 4. 
Only long values can be compressed or separated + */ + fLongValue := (value.bHeader & 0x1) != 0 + fSeparated := (value.bHeader & 0x4) != 0 + fCompressed := (value.bHeader & 0x2) != 0 + fMultiValues := (value.bHeader & 0x8) != 0 + fTwoValues := (value.bHeader & 0x10) != 0 + switch { + case fMultiValues && fTwoValues: + return ParseTwoValue(value.data, parseFn) + case fMultiValues: + return self.ParseMultiValue(value.data, parseFn, fLongValue, fCompressed) + case fSeparated: + newData, pres := self.LongValueLookup.GetLid(value.data) + if pres { + if fCompressed { + newData = DecompressLongValue(newData) + } + if newData != nil { + return parseFn(newData) + } else { + return nil + } + } + return nil + default: // optionally compressed intrinsic long value, or value without special flags + data := value.data + if fCompressed { + data = DecompressLongValue(data) + } + if data != nil { + return parseFn(data) + } else { + return nil + } + } +} + +func ParseTaggedValues(ctx *ESEContext, buffer []byte) map[uint32]TaggedValue { + result := make(map[uint32]TaggedValue) if len(buffer) < 2 { return result } 
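Review bot: ParseMultiValue and ParseTwoValue slice `buffer` with offsets and lengths read from the record itself and never compare them with `len(buffer)`. `buffer[0:2]`, `buffer[2*imv : 2*imv+2]`, `buffer[ib1:ib2]` and `buffer[1:1+lenFstValue]` all panic on an empty value, an offset table longer than the value, or descending offsets, all of which a damaged or malformed database can produce. The fence below adds the length checks and returns what was decoded so far instead of panicking. Separately, in the `fLongValue` branch an instance that is neither the compressed first element nor separated leaves `newData` nil and is dropped, although rule 3 in the comment calls that case an intrinsic value; that looks unintended and is worth confirming.

```go
func (self *Table) ParseMultiValue(buffer []byte, parseFn func([]byte) any, fLongValue bool, fCompressed bool) []any {
	// ... unchanged: rules comment ...
	var multiValues []any
	var maskIb uint16 = 0x7fff
	// The offset table needs at least one 2-byte entry.
	if len(buffer) < 2 {
		return multiValues
	}
	numberOfMvs := int(binary.LittleEndian.Uint16(buffer[0:2])&maskIb) / 2
	// The whole offset table must fit inside the value.
	if 2*numberOfMvs > len(buffer) {
		return multiValues
	}
	for imv := 0; imv < numberOfMvs; imv++ {
		// ... unchanged: mv1, ib1 and ib2 read from the offset table ...
		if ib1 > ib2 || ib2 > len(buffer) {
			break
		}
		data := buffer[ib1:ib2]
		// ... unchanged: separated/compressed handling, append, return ...

func ParseTwoValue(buffer []byte, parseFn func([]byte) any) []any {
	var twoValues []any
	if len(buffer) < 1 {
		return twoValues
	}
	lenFstValue := int(buffer[0])
	if 1+lenFstValue > len(buffer) {
		return twoValues
	}
	// ... unchanged: append both parsed values and return ...
```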
@@ -496,15 +607,17 @@ func ParseTaggedValues(ctx *ESEContext, buffer []byte) map[uint32][]byte { tags := []tagBuffer{} // Tags go from 0 to the start of the first tag's data - for offset := int64(0); offset < int64(first_record.DataOffset()); offset += 4 { + for offset := int64(0); offset < int64(ctx.GetTaggedValueOffset(first_record.TagData())); offset += 4 { record_tag := ctx.Profile.RecordTag(reader, offset) if Debug { fmt.Printf("RecordTag %v\n", record_tag.DebugString()) + fmt.Printf("Tag flags are %x\n", ctx.GetTaggedValueFlags(record_tag.TagData())) + fmt.Printf("Tag offset is %x\n", ctx.GetTaggedValueOffset(record_tag.TagData())) } tags = append(tags, tagBuffer{ identifier: uint32(record_tag.Identifier()), - start: record_tag.DataOffset(), - flags: record_tag.Flags(), + start: uint64(ctx.GetTaggedValueOffset(record_tag.TagData())), + flags: uint64(ctx.GetTaggedValueFlags(record_tag.TagData())), }) } @@ -517,7 +630,9 @@ func ParseTaggedValues(ctx *ESEContext, buffer []byte) map[uint32][]byte { end = tags[idx+1].start } - if tag.flags > 0 { + var headerByte byte + if (!ctx.IsSmallPage() && ctx.IsExtendedPageRevision()) || (tag.flags&0x4000) != 0 { + headerByte = buffer[start] start += 1 } @@ -533,7 +648,10 @@ func ParseTaggedValues(ctx *ESEContext, buffer []byte) map[uint32][]byte { end = start } - result[tag.identifier] = buffer[start:end] + result[tag.identifier] = TaggedValue{ + bHeader: headerByte, + data: buffer[start:end], + } if Debug { fmt.Printf("Consumed %#x bytes of TAGGED space from %#x to %#x for tag %#x\n", end-start, start, end, tag.identifier) @@ -632,6 +750,7 @@ func (self *Catalog) __addItem(header *PageHeader, id int64, value *Value) error Type: column.ColumnType().Name, Flags: column.ColumnFlags(), SpaceUsage: int64(column.SpaceUsage()), + CodePage: column.CodePage(), }) case "CATALOG_TYPE_INDEX": 
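Review bot: `headerByte = buffer[start]` in the `@@ -517,7 +630,9 @@` hunk indexes the record buffer with an offset taken straight from the tag array, and no range check is visible before it, so a tag whose offset lies at or past `len(buffer)` in a damaged or crafted database would panic the parser rather than being skipped. The removed code only incremented `start` at this point, and the clamping hinted at by the next hunk's context (`end = start`) appears to run after this read; the loop body is only partly inside the hunk, so that ordering is inferred. Assuming `start` carries the `uint64` from `tag.start`, a guard such as `if start >= uint64(len(buffer)) { continue }` ahead of the read keeps the failure local to one tag. The `0x4000` literal in the same condition would be easier to audit as a named constant with a comment saying which tag flag it tests.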
@@ -756,7 +875,6 @@ func (self *Catalog) Dump(options DumpOptions) string { func ReadCatalog(ctx *ESEContext) (*Catalog, error) { result := &Catalog{ctx: ctx, Tables: ordereddict.NewDict()} - err := WalkPages(ctx, CATALOG_PAGE_NUMBER, result.__addItem) if err != nil { return nil, err diff --git a/parser/compression.go b/parser/compression.go index 0606c7d..ae02a47 100644 --- a/parser/compression.go +++ b/parser/compression.go @@ -7,15 +7,7 @@ import ( "strings" ) -const ( - // Flags on the record header - COMPRESSION = 0x02 - INLINE_STRING = 0x01 - INLINE_STRING_2 = 0x08 - LZMA_COMPRESSION = 0x18 // Not supported -) - -func Decompress7BitCompression(buf []byte) string { +func Decompress7BitCompression(buf []byte) []byte { result := make([]byte, 0, (len(buf)+5)*8/7) value_16bit := uint16(0) 
@@ -43,46 +35,44 @@ func Decompress7BitCompression(buf []byte) string { bit_index = 0 } } - - return strings.Split(string(result), "\x00")[0] + return result } -func ParseLongText(buf []byte, flag uint32) string { - if len(buf) < 2 { - return "" - } - - // fmt.Printf("Column Flags %v\n", flag) - leading_byte := buf[0] - if leading_byte != 0 && leading_byte != 1 && leading_byte != 8 && - leading_byte != 3 && leading_byte != 0x18 { - return strings.Split( - UTF16BytesToUTF8(buf, binary.LittleEndian), "\x00")[0] - - } - // fmt.Printf("Inline Flags %v\n", flag) - - // Lzxpress compression - not supported right now. - if leading_byte == 0x18 { +func DecompressLongValue(buf []byte) []byte { + compression_flag := buf[0] >> 3 + switch { + case compression_flag == 0x1: + return Decompress7BitCompression(buf) + case compression_flag == 0x2: + decompressed := Decompress7BitCompression(buf) + decompressedUTF16 := make([]byte, len(decompressed)*2) + // Technically not needed but simplifies the calling code since the column codepage is Unicode + for i := range decompressed { + decompressedUTF16[2*i] = decompressed[i] + } + return decompressedUTF16 + case compression_flag == 0x3: fmt.Printf("LZXPRESS compression not supported currently\n") - return strings.Split(string(buf), "\x00")[0] + return nil + default: + fmt.Printf("Unknown compression flag: %d\n", compression_flag) + return nil } +} - // The following is either 7 bit compressed or utf16 encoded. Its - // hard to figure out which it is though because there is no - // consistency in the flags. We do our best to guess!! 
- var result string - if len(buf) >= 3 && buf[2] == 0 { - // Probably UTF16 encoded - result = UTF16BytesToUTF8(buf[1:], binary.LittleEndian) - +func ParseLongText(buf []byte, cp uint32) string { + //cp == 0 is interpreted as ASCII (see upstream) + if cp == 0 || cp == 1252 { + return strings.Split(string(buf), "\x00")[0] + } else if cp == 1200 { + new_buf := UTF16BytesToUTF8(buf, binary.LittleEndian) + return strings.Split(new_buf, "\x00")[0] } else { - // Probably 7bit compressed - result = Decompress7BitCompression(buf[1:]) + if Debug { + fmt.Printf("Unexpected code page: %d for value %x\n", cp, buf) + } + return "" } - - //fmt.Printf("returned %v\n", result) - return strings.Split(result, "\x00")[0] } func ParseText(reader io.ReaderAt, offset int64, len int64, flags uint32) string { diff --git a/parser/context.go b/parser/context.go index 6332869..15f3ed4 100644 --- a/parser/context.go +++ b/parser/context.go @@ -49,3 +49,29 @@ func (self *ESEContext) GetPage(id int64) *PageHeader { self.Reader, (id+1)*self.PageSize), } } + +func (self *ESEContext) IsSmallPage() bool { + return self.PageSize <= 8192 +} + +func (self *ESEContext) MaskIb() uint16 { + var offsetMask uint16 + if self.IsExtendedPageRevision() && !self.IsSmallPage() { + offsetMask = 0x7fff + } else { + offsetMask = 0x1fff + } + return offsetMask +} + +func (self *ESEContext) IsExtendedPageRevision() bool { + return self.Revision >= 0x11 +} + +func (self *ESEContext) GetTaggedValueOffset(tagData uint16) uint16 { + return tagData & self.MaskIb() +} + +func (self *ESEContext) GetTaggedValueFlags(tagData uint16) uint16 { + return tagData & (^self.MaskIb()) +} diff --git a/parser/ese_gen.go b/parser/ese_gen.go index 73906ad..f5986de 100644 --- a/parser/ese_gen.go +++ b/parser/ese_gen.go 
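Review bot: `compression_flag := buf[0] >> 3` at the top of `DecompressLongValue` reads the first byte without a length check, while the `len(buf) < 2` guard that the old `ParseLongText` had is removed by this hunk. The callers added in parser/catalog.go pass `value.data` and the result of `GetLid` directly, and `ParseTaggedValues` can clamp a tag to an empty slice, so an empty buffer looks reachable and would panic; `if len(buf) == 0 { return nil }` as the first statement fits the existing nil-means-unsupported convention. Both 7-bit branches also pass the whole `buf`, header byte included, where the removed code passed `buf[1:]`; the body of `Decompress7BitCompression` is outside the hunk, so confirm it skips that byte. The two `fmt.Printf` calls for LZXPRESS and unknown flags print unconditionally, unlike the `if Debug` pattern used in the new `ParseLongText`.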
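Review bot: The new `ESEContext` methods in parser/context.go carry no doc comments, although `MaskIb`, `GetTaggedValueOffset` and `GetTaggedValueFlags` now decide how every 16-bit tag word is split into offset and flags. A comment on `MaskIb` such as `// MaskIb returns the mask selecting the offset bits of a tag word: 0x7fff on large pages with an extended revision, 0x1fff otherwise.` would make the layout reviewable, and `0x11` in `IsExtendedPageRevision` deserves a named constant or a note on which format revision it denotes. `IsSmallPage` also repeats the 8 KiB threshold that `IsSmallPage(page_size)` in parser/utils.go already encodes; `return IsSmallPage(self.PageSize)` would keep the two from drifting apart.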
@@ -118,8 +118,7 @@ type ESEProfile struct { Off_PageHeader__AvailablePageTag int64 Off_PageHeader__Flags int64 Off_RecordTag_Identifier int64 - Off_RecordTag_DataOffset int64 - Off_RecordTag_Flags int64 + Off_RecordTag_TagData int64 Off_Tag__ValueSize int64 Off_Tag__ValueOffset int64 Off_Tag_Flags_ int64 @@ -128,7 +127,7 @@ type ESEProfile struct { func NewESEProfile() *ESEProfile { // Specific offsets can be tweaked to cater for slight version mismatches. - self := &ESEProfile{0,4,8,12,0,4,8,12,0,4,8,12,0,4,0,2,4,0,0,0,4,6,10,10,10,10,0,1,2,0,-2,0,0,0,4,8,12,0,0,0,4,8,232,12,16,24,236,0,4,6,8,0,1,2,3,4,5,4,12,0,4,0,8,0,2,4,0,0,0,0,0,8,16,20,24,28,32,34,36,0,2,2,0,2,2,2} + self := &ESEProfile{0,4,8,12,0,4,8,12,0,4,8,12,0,4,0,2,4,0,0,0,4,6,10,10,10,10,0,1,2,0,-2,0,0,0,4,8,12,0,0,0,4,8,232,12,16,24,236,0,4,6,8,0,1,2,3,4,5,4,12,0,4,0,8,0,2,4,0,0,0,0,0,8,16,20,24,28,32,34,36,0,2,0,2,2,2} return self } @@ -1064,6 +1063,10 @@ func (self *PageHeader_) Flags() *Flags { names := make(map[string]bool) + if value & 128 != 0 { + names["Long"] = true + } + if value & 1 != 0 { names["Root"] = true } @@ -1088,10 +1091,6 @@ func (self *PageHeader_) Flags() *Flags { names["Index"] = true } - if value & 128 != 0 { - names["Long"] = true - } - return &Flags{Value: uint64(value), Names: names} } 
@@ -1122,20 +1121,13 @@ func (self *RecordTag) Identifier() uint16 { return ParseUint16(self.Reader, self.Profile.Off_RecordTag_Identifier + self.Offset) } -func (self *RecordTag) DataOffset() uint64 { - value := ParseUint16(self.Reader, self.Profile.Off_RecordTag_DataOffset + self.Offset) - return (uint64(value) & 0x1fff) >> 0x0 -} - -func (self *RecordTag) Flags() uint64 { - value := ParseUint16(self.Reader, self.Profile.Off_RecordTag_Flags + self.Offset) - return (uint64(value) & 0xffff) >> 0xe +func (self *RecordTag) TagData() uint16 { + return ParseUint16(self.Reader, self.Profile.Off_RecordTag_TagData + self.Offset) } func (self *RecordTag) DebugString() string { result := fmt.Sprintf("struct RecordTag @ %#x:\n", self.Offset) result += fmt.Sprintf(" Identifier: %#0x\n", self.Identifier()) - result += fmt.Sprintf(" DataOffset: %#0x\n", self.DataOffset()) - result += fmt.Sprintf(" Flags: %#0x\n", self.Flags()) + result += fmt.Sprintf(" TagData: %#0x\n", self.TagData()) return result } @@ -1241,7 +1233,8 @@ func ParseArray_byte(profile *ESEProfile, reader io.ReaderAt, offset int64, coun } func ParseInt16(reader io.ReaderAt, offset int64) int16 { - data := make([]byte, 2) + var buf [2]byte + data := buf[:] _, err := reader.ReadAt(data, offset) if err != nil { return 0 @@ -1250,7 +1243,8 @@ func ParseInt16(reader io.ReaderAt, offset int64) int16 { } func ParseInt32(reader io.ReaderAt, offset int64) int32 { - data := make([]byte, 4) + var buf [4]byte + data := buf[:] _, err := reader.ReadAt(data, offset) if err != nil { return 0 @@ -1259,7 +1253,8 @@ func ParseInt32(reader io.ReaderAt, offset int64) int32 { } func ParseInt64(reader io.ReaderAt, offset int64) int64 { - data := make([]byte, 8) + var buf [8]byte + data := buf[:] _, err := reader.ReadAt(data, offset) if err != nil { return 0 
@@ -1268,7 +1263,8 @@ func ParseInt64(reader io.ReaderAt, offset int64) int64 { } func ParseUint16(reader io.ReaderAt, offset int64) uint16 { - data := make([]byte, 2) + var buf [2]byte + data := buf[:] _, err := reader.ReadAt(data, offset) if err != nil { return 0 @@ -1277,7 +1273,8 @@ func ParseUint16(reader io.ReaderAt, offset int64) uint16 { } func ParseUint32(reader io.ReaderAt, offset int64) uint32 { - data := make([]byte, 4) + var buf [4]byte + data := buf[:] _, err := reader.ReadAt(data, offset) if err != nil { return 0 @@ -1286,7 +1283,8 @@ func ParseUint32(reader io.ReaderAt, offset int64) uint32 { } func ParseUint64(reader io.ReaderAt, offset int64) uint64 { - data := make([]byte, 8) + var buf [8]byte + data := buf[:] _, err := reader.ReadAt(data, offset) if err != nil { return 0 @@ -1295,16 +1293,18 @@ func ParseUint64(reader io.ReaderAt, offset int64) uint64 { } func ParseUint8(reader io.ReaderAt, offset int64) byte { - result := make([]byte, 1) - _, err := reader.ReadAt(result, offset) + var buf [1]byte + data := buf[:] + _, err := reader.ReadAt(data, offset) if err != nil { return 0 } - return result[0] + return data[0] } func ParseTerminatedString(reader io.ReaderAt, offset int64) string { - data := make([]byte, 1024) + var buf [1024]byte + data := buf[:] n, err := reader.ReadAt(data, offset) if err != nil && err != io.EOF { return "" @@ -1327,7 +1327,8 @@ func ParseString(reader io.ReaderAt, offset int64, length int64) string { func ParseTerminatedUTF16String(reader io.ReaderAt, offset int64) string { - data := make([]byte, 1024) + var buf [1024]byte + data := buf[:] n, err := reader.ReadAt(data, offset) if err != nil && err != io.EOF { return "" diff --git a/parser/ese_profile.json b/parser/ese_profile.json index 319c04a..8156e09 100644 --- a/parser/ese_profile.json +++ b/parser/ese_profile.json 
@@ -194,16 +194,7 @@ "RecordTag": [4, { "Identifier": [0, ["unsigned short"]], - "DataOffset": [2, ["BitField", { - "target": "unsigned short", - "start_bit": 0, - "end_bit": 13 - }]], - "Flags": [2, ["BitField", { - "target": "unsigned short", - "start_bit": 14, - "end_bit": 16 - }]] + "TagData": [2, ["unsigned short"]] }], "Misc": [0, { diff --git a/parser/utils.go b/parser/utils.go index 5d820c7..2d98db1 100644 --- a/parser/utils.go +++ b/parser/utils.go @@ -1,6 +1,7 @@ package parser import ( + "encoding/binary" "io" "time" ) @@ -10,6 +11,11 @@ func WinFileTime64(reader io.ReaderAt, offset int64) time.Time { return time.Unix((value/10000000)-11644473600, 0).UTC() } +func WinFileTime64Bin(bytes []byte) time.Time { + value := int64(binary.LittleEndian.Uint64(bytes)) + return time.Unix((value/10000000)-11644473600, 0).UTC() +} + func IsSmallPage(page_size int64) bool { return page_size <= 1024*8 }
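Review bot: `binary.LittleEndian.Uint64(bytes)` in the new `WinFileTime64Bin` panics when the slice holds fewer than 8 bytes, and the function takes raw column data that comes from the database file being parsed. A length check before the decode, for example `if len(bytes) < 8 { return time.Time{} }`, or whatever value callers already treat as "no timestamp", avoids a crash on a truncated value. The parameter name `bytes` also shadows the standard-library package name; `buf` or `data` would match the rest of the parser.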