Error dumping Software hive

BenListening (Newbie, joined 09 January 2006, United States) posted 09 January 2006 at 4:27pm:
Hello folks.
I am trying to run RKR v1.6.
I am a full administrator on my machine.
I have fast user switching disabled.
Machine is a Dell with XP Home SP2.
I have tried from every account and
safe mode, but the RKR error is always:
"SOFTWARE   0 bytes    Error dumping hive: The system cannot find the file specified."

Can anybody tell me what file is missing?

Is there a manual way to move a copy of the reg hive to RKR?

Thanks.

hmmmm.....ain't never smelled THAT before.
namrehto (Senior Member, joined 23 June 2005, Scotland) posted 09 January 2006 at 5:46pm:
It's been reported that this may somehow be due to having insufficient rights to the directory containing the RKR exe. Try unzipping into a different directory, say C:\RKR, and running from there.
Gil
BenListening posted 10 January 2006 at 4:14pm:
Well, namrehto, I tried your suggestion (thank you), and "SOFTWARE   0 bytes    Error dumping hive: The system cannot find the file specified." is still displayed in the results. RKR will still do a software scan, but it's comparing to an incomplete hive dump, as far as I can tell.
Before my latest attempt I:
- turned off every conceivable process using procexp v9.25,
- physically disconnected from the internet,
- shut down ZoneAlarm Free,
- disabled AVG Free,
- made sure MS security was disabled,
- ran RKR from C://,
- sat quietly while RKR ran... still not right.

Is it possible RKR needs a process that I have turned off?
namrehto posted 11 January 2006 at 3:48am:
Quote: "ran RKR from C://"

From the root folder? Try creating a folder below, say C:\RKR, and run from that. Bit of a long shot, but worth a try.

If that doesn't work, try with v1.56, to be found on this thread.
Gil
BenListening posted 11 January 2006 at 4:21pm:
Well, not exactly from C://.
I ran RKR v1.6 from C:\RootkitRevealer 1.6\
I ran RKR v1.55 from C:\RKR 1.55\
and I ran RKR v1.56 from C:\RKR 1.56\ today.
All gave the error:
"SOFTWARE   0 bytes    Error dumping hive: The system cannot find the file specified."

Something is keeping RKR from seeing the whole software registry.
What could it be?
I also saw something about a possible missing MS DLL somewhere in the forums. Only I cannot find that thread now.
If it's a DLL, I can find DLLs at DLLDump and install it.
namrehto posted 12 January 2006 at 4:48am:
Frustrating. If you're willing, the next step would be to use Filemon and see if there is an obvious reason why the registry save is failing. In order to filter Filemon's output to something manageable it's suggested you:

1/ start Process Explorer
2/ start RKR but don't click Scan yet
3/ using PE locate the randomly named RKR service, double-click to open Properties, go to the Image tab and use ctrl-C to copy the process name
4/ start Filemon, open the filter dialog and paste the RKR service name into 'include', then begin capture
5/ click Scan in RKR
6/ when RKR moves on to the 'Enumerating' phase, stop Filemon capture and save its output to file

[edit] As an alternative to running PE you can locate the temp copy of the RKR service in ...\local settings\temp (you can get there easily via Start->Programs->Run->%TEMP%) and copy the exe's name from there. [/edit]

[edit 13 Jan] To further filter the Filemon trace, in addition to pasting the name of the RKR service exe into 'include', uncheck the 'log successes' box, leaving other boxes checked. [/edit]

Edited by namrehto
Gil
BenListening posted 18 January 2006 at 3:35pm:
Hello, I'm back.
I did a capture using Filemon while RKR was dumping the hive. I stopped the capture when RKR started enumerating. I do not know what all of the "NOT FOUND"s mean, but here it is:
6500    1:23:02 PM    RootkitRevealer:1380    QUERY INFORMATION    C:\DOCUME~1\Greg\LOCALS~1\Temp\DBUUBJW.exe    NOT FOUND    Attributes: Error
6694    1:23:02 PM    SERVICES.EXE:568    OPEN    C:\DOCUME~1\Greg\LOCALS~1\Temp\DBUUBJW.exe.Manifest    NOT FOUND    Options: Open  Access: All
6696    1:23:02 PM    SERVICES.EXE:568    OPEN    C:\DOCUME~1\Greg\LOCALS~1\Temp\DBUUBJW.exe.Config    NOT FOUND    Options: Open  Access: All
6742    1:23:02 PM    DBUUBJW.exe:1672    OPEN    C:\WINDOWS\Prefetch\DBUUBJW.EXE-0CB20A4F.pf    NOT FOUND    Options: Open  Access: All
6744    1:23:02 PM    DBUUBJW.exe:1672    QUERY INFORMATION    C:\DOCUME~1\Greg\LOCALS~1\Temp\DBUUBJW.exe.Local\    NOT FOUND    Attributes: Error
6749    1:23:02 PM    DBUUBJW.exe:1672    QUERY INFORMATION    C:\DOCUME~1\Greg\LOCALS~1\Temp\PSAPI.DLL    NOT FOUND    Attributes: Error
6766    1:23:02 PM    DBUUBJW.exe:1672    QUERY INFORMATION    C:\DOCUME~1\Greg\LOCALS~1\Temp\LPK.DLL    NOT FOUND    Attributes: Error
6770    1:23:02 PM    DBUUBJW.exe:1672    QUERY INFORMATION    C:\DOCUME~1\Greg\LOCALS~1\Temp\USP10.dll    NOT FOUND    Attributes: Error
6792    1:23:02 PM    DBUUBJW.exe:1672    OPEN    C:\WINDOWS\WindowsShell.Config    NOT FOUND    Options: Open  Access: All
6840    1:23:02 PM    DBUUBJW.exe:1672    OPEN    C:\WINDOWS\system32\SHELL32.dll.124.Manifest    NOT FOUND    Options: Open  Access: All
6841    1:23:02 PM    DBUUBJW.exe:1672    OPEN    C:\WINDOWS\system32\SHELL32.dll.124.Config    NOT FOUND    Options: Open  Access: All
6885    1:23:02 PM    DBUUBJW.exe:1672    QUERY INFORMATION    C:\DOCUME~1\Greg\LOCALS~1\Temp\DBUUBJW.exe.Local\    NOT FOUND    Attributes: Error
6888    1:23:02 PM    DBUUBJW.exe:1672    QUERY INFORMATION    C:\DOCUME~1\Greg\LOCALS~1\Temp\DBUUBJW.exe    BUFFER OVERFLOW    FileNameInformation
7424    1:23:12 PM    SVCHOST.EXE:832    OPEN    C:\WINDOWS\Prefetch\DBUUBJW.EXE-0CB20A4F.pf    NOT FOUND    Options: Open  Access: All
52408    1:26:13 PM    DBUUBJW.exe:1672    QUERY INFORMATION    C:\WINDOWS\SYSTEM32\OGJUMXN    NOT FOUND    Attributes: Error
52409    1:26:13 PM    DBUUBJW.exe:1672    OPEN    C:\WINDOWS\SYSTEM32\OGJUMXN    NOT FOUND    Options: Open  Access: All
52473    1:26:41 PM    DBUUBJW.exe:1672    QUERY INFORMATION    C:\WINDOWS\SYSTEM32\WUWCYCON    NOT FOUND    Attributes: Error
52474    1:26:41 PM    DBUUBJW.exe:1672    OPEN    C:\WINDOWS\SYSTEM32\WUWCYCON    NOT FOUND    Options: Open  Access: All
54107    1:26:53 PM    DBUUBJW.exe:1672    QUERY INFORMATION    C:\WINDOWS\system32\CJGJYCVY    NOT FOUND    Attributes: Error
54108    1:26:53 PM    DBUUBJW.exe:1672    QUERY INFORMATION    C:\DOCUME~1\Greg\LOCALS~1\Temp\cmd.exe    NOT FOUND    Attributes: Error
54126    1:26:53 PM    DBUUBJW.exe:1672    OPEN    C:\WINDOWS\AppPatch\systest.sdb    NOT FOUND    Options: Open  Access: All
54170    1:26:53 PM    DBUUBJW.exe:1672    OPEN    C:\WINDOWS\system32\cmd.exe.Manifest    NOT FOUND    Options: Open  Access: All

BenListening posted 18 January 2006 at 4:24pm:
I have just learned that the hives themselves are stored in the C:\Windows\system32\config and
C:\Documents and Settings\{username} files.
I am unable to surf to system32 from C:\Windows, but I can plug the directory "C:\Windows\system32" into the address bar of Windows Explorer and see system32 files.
Do you think this could be the result of some kind of security measures? Or from the removal of viruses?
Does this mean some programs cannot get to sys32?
Last month I had to remove Symantec AntiVirus Corporate Edition Server/Client Gold (mfg only) because it stopped updating. I do not
know why the corporate edition was on here, this is a home PC and not a server, but it was very difficult to remove.
I also just removed a whole host of adware/spyware, random-letter viruses and the TSPY_SMALL.SN (Rotue) virus.
Is system32 supposed to be capitalized? Or does it not matter? Usually I see it as "SYSTEM32".
namrehto posted 19 January 2006 at 3:28am:
When you tried to locate system32 from C:\Windows, did you make sure you had the options to view hidden files checked and "hide operating system files" unchecked? Obviously Windows can get to system32 or your system wouldn't boot. BTW it doesn't matter about system32 or SYSTEM32 (caps).

As for your Filemon log, firstly NOT FOUND is a common message as the operating system frequently looks in all locations in the %PATH% variable for files. Much of your log relates to creating and starting the random-named RKR service DBUUBJW.exe. The NOT FOUNDs in system32 starting with C:\WINDOWS\SYSTEM32\OGJUMXN look like the temp files for the hive dumps and the Enumerating C: stage, so nothing odd there. As far as I can see there's nothing obvious which explains your "Error dumping hive".
Gil
BenListening posted 19 January 2006 at 11:53am:
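Gil's reading of the trace (SxS .Manifest/.Config/.Local probes, prefetch lookups and search-path DLL lookups are routine NOT FOUNDs; the random uppercase names under SYSTEM32 are RKR's own temp files for the hive dumps) can be turned into a filter for the output of the six-step Filemon capture he described earlier. The following is an added example, not code from the thread and not a Sysinternals tool. It assumes a trace saved by Filemon is tab-separated (or, once pasted into a post, separated by runs of spaces) in the column order shown above: sequence, time, process:pid, operation, path, result, detail. The sample lines are constructed from the posted trace; the final ACCESS DENIED line on the SOFTWARE hive is hypothetical and was added only so the "review" bucket is exercised.

```python
"""Triage a saved Filemon trace: separate routine NOT FOUND noise from
results that could actually explain a failed registry hive dump.

Added example; not a Sysinternals tool. Assumes tab- or multi-space-separated
columns: seq, time, process:pid, operation, path, result, detail.
"""
import re
from collections import Counter

# Constructed from the trace posted above; last line is hypothetical.
SAMPLE_LOG = "\n".join([
    "6500\t1:23:02 PM\tRootkitRevealer:1380\tQUERY INFORMATION\tC:\\DOCUME~1\\Greg\\LOCALS~1\\Temp\\DBUUBJW.exe\tNOT FOUND\tAttributes: Error",
    "6694\t1:23:02 PM\tSERVICES.EXE:568\tOPEN\tC:\\DOCUME~1\\Greg\\LOCALS~1\\Temp\\DBUUBJW.exe.Manifest\tNOT FOUND\tOptions: Open  Access: All",
    "6742\t1:23:02 PM\tDBUUBJW.exe:1672\tOPEN\tC:\\WINDOWS\\Prefetch\\DBUUBJW.EXE-0CB20A4F.pf\tNOT FOUND\tOptions: Open  Access: All",
    "6749\t1:23:02 PM\tDBUUBJW.exe:1672\tQUERY INFORMATION\tC:\\DOCUME~1\\Greg\\LOCALS~1\\Temp\\PSAPI.DLL\tNOT FOUND\tAttributes: Error",
    "6888\t1:23:02 PM\tDBUUBJW.exe:1672\tQUERY INFORMATION\tC:\\DOCUME~1\\Greg\\LOCALS~1\\Temp\\DBUUBJW.exe\tBUFFER OVERFLOW\tFileNameInformation",
    "52408\t1:26:13 PM\tDBUUBJW.exe:1672\tQUERY INFORMATION\tC:\\WINDOWS\\SYSTEM32\\OGJUMXN\tNOT FOUND\tAttributes: Error",
    "54108\t1:26:53 PM\tDBUUBJW.exe:1672\tQUERY INFORMATION\tC:\\DOCUME~1\\Greg\\LOCALS~1\\Temp\\cmd.exe\tNOT FOUND\tAttributes: Error",
    # Hypothetical line, NOT from the post: the kind of result that would matter.
    "60000\t1:27:00 PM\tDBUUBJW.exe:1672\tOPEN\tC:\\WINDOWS\\system32\\config\\software\tACCESS DENIED\tOptions: Open  Access: Read",
])

FIELD_SPLIT = re.compile(r"\t|\s{2,}")                                # tabs, or 2+ spaces when pasted
LOADER_PROBE = re.compile(r"\.(manifest|config|local\\?)$", re.IGNORECASE)
RKR_TEMP = re.compile(r"\\system32\\[a-z]{6,8}$", re.IGNORECASE)    # random-named RKR temp files
HIVE_DIR = re.compile(r"\\system32\\config\\", re.IGNORECASE)


def parse_filemon(text):
    """Parse trace lines into dicts; lines with fewer than six columns are skipped."""
    records = []
    for line in text.splitlines():
        parts = FIELD_SPLIT.split(line.strip())
        if len(parts) < 6 or not parts[0].isdigit():
            continue
        proc, _, pid = parts[2].rpartition(":")
        records.append({
            "seq": int(parts[0]),
            "time": parts[1],
            "process": proc,
            "pid": int(pid) if pid.isdigit() else None,
            "op": parts[3],
            "path": parts[4],
            "result": parts[5],
            "detail": " ".join(parts[6:]),      # detail itself may contain double spaces
        })
    return records


def classify(rec):
    """Label one record with the reason its result is (or is not) routine."""
    path, result = rec["path"], rec["result"]
    directory, _, name = path.rpartition("\\")
    if HIVE_DIR.search(path) and result != "SUCCESS":
        return "review"                     # any failure inside the hive directory
    if result == "SUCCESS":
        return "ok"
    if result == "BUFFER OVERFLOW":
        return "noise"                      # caller's buffer too small; it retries
    if result != "NOT FOUND":
        return "review"                     # ACCESS DENIED, SHARING VIOLATION, ...
    if LOADER_PROBE.search(path):
        return "loader-probe"               # SxS .Manifest / .Config / .Local probes
    if "\\prefetch\\" in path.lower() and name.lower().endswith(".pf"):
        return "prefetch"                   # first run: no prefetch file yet
    if name.lower().endswith((".dll", ".exe")) and "\\system32" not in directory.lower():
        return "path-search"                # image or DLL looked up along the search path
    if RKR_TEMP.search(path):
        return "rkr-temp"                   # RKR's own hive-dump / enumeration temp files
    return "review"


def triage(text):
    """Count each bucket and return the records that deserve a human look."""
    records = parse_filemon(text)
    counts = Counter(classify(r) for r in records)
    review = [r for r in records if classify(r) == "review"]
    return {"counts": counts, "review": review}


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for bucket, n in sorted(summary["counts"].items()):
        print(f"{bucket:13} {n}")
    for r in summary["review"]:
        print(f"REVIEW {r['seq']} {r['process']}:{r['pid']} {r['op']} {r['path']} -> {r['result']}")
```

Run it against a trace saved with 'log successes' unchecked, as Gil suggests, and only the "review" bucket needs reading; on the posted trace every line lands in a routine bucket, which matches his conclusion that nothing in it explains the error.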
Yes, "hide operating system files" is unchecked and all other hidden folders and files are visible in system32.

Just as an experiment yesterday, I did just what you're not supposed to do, and opened a few files and folders while RKR was enumerating.
RKR saw every single change I made after the hive dump.
Which made me wonder, is it possible RKR is giving the "Error dumping hive"... in error?

And, is there a way to find out what exactly the file is that RKR cannot find?

Should I try running it from my sys32 folder?
(I think I will.)

Thank you.