From 8f4cb9970196d268edca38fe38d3c94685ae0c41 Mon Sep 17 00:00:00 2001
From: rabbitstack
Date: Tue, 19 Nov 2024 21:29:21 +0100
Subject: [PATCH] fix(processors): Skip hidden registry keys

If the registry value is found within the hidden key, skip reading the value as it would inevitably fail.
---
 internal/etw/processors/registry_windows.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/internal/etw/processors/registry_windows.go b/internal/etw/processors/registry_windows.go
index 671f91bba..4b9f3eb63 100644
--- a/internal/etw/processors/registry_windows.go
+++ b/internal/etw/processors/registry_windows.go
@@ -124,6 +124,11 @@ func (r *registryProcessor) processEvent(e *kevent.Kevent) (*kevent.Kevent, erro
 return e, nil
 }
 
+ // values within hidden keys cannot be read
+ if strings.HasSuffix(keyName, "\\") {
+ return e, nil
+ }
+
 rootkey, subkey := key.Format(keyName)
 if rootkey != key.Invalid {
 typ, val, err := rootkey.ReadValue(subkey)
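Review bot: The new guard in processEvent treats a key as hidden purely because `keyName` ends in a backslash, and the comment does not say why that suffix means hidden. If the suffix stands for a key name cut off at a leading NUL character (my inference, not shown in the hunk), a name with the NUL further in would not match and would still reach `rootkey.ReadValue(subkey)` and fail there. The early `return e, nil` also leaves the event looking like any other event without value data, although an unreadable hidden key is a signal a detection rule would want to see, so consider tagging the event before returning. I would spell out the heuristic in the comment, e.g. `// a key name ending in a backslash has an empty last component (hidden key); its values cannot be read, so skip the value lookup`. The function body starts and ends outside the hunk.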