
My goal is to read or copy in memory the following file:

C:\Windows\appcompat\Programs\Amcache.hve

With Rust code similar to this one:

use std::fs::File;

fn main() {
    // Raw string literal: no need to escape the backslashes in a Windows path.
    let path = r"C:\Windows\appcompat\Programs\Amcache.hve";
    let _test = match File::open(path) {
        Ok(file) => file,
        Err(err) => {
            // Report both the path and the OS error (e.g. "os error 32").
            eprintln!("An error occurred during the opening of '{}': {}", path, err);
            std::process::exit(1)
        }
    };
}

As expected, I get an error "The process cannot access the file because it is being used by another process. (os error 32)" because it's a protected file. My final goal is to read it and parse it with the crate nt_hive to get forensics information about program execution.

Is there a way to copy/read it properly with code that has admin privileges?

I have tried many crates and read some blogs, but I don't find any useful information. I wonder if using winapi changes something ...?

Update

I have found a way to reach my purpose. I will use a low-level crate for NTFS. Thanks all for your support.

Jerome
  • "being used by another process" means that another process has locked this file, you'll have to find out which process and stop it. – cafce25 Apr 01 '23 at 12:20
  • side notes: you might want to use raw string literals like this `r"C:\Windows\appcompat\Programs\Amcache.hve"` with Windows paths since they require less escaping, you also don't need to convert the string slice `to_string` because `File::open` works with string slices too. – cafce25 Apr 01 '23 at 12:22
  • I assume that the system uses it "permanently". I know that the tool Registry Explorer can read it when it's not possible with my code. For both we have admin rights. I'm just asking how it is possible to do this. Can we "force" access to the file, must we use a special crate, can we create a kind of snapshot of the file to read it? – Jerome Apr 01 '23 at 15:22
  • No, you cannot *"force"* access (unless you're willing to accept data corruption). A sharing violation is not an issue you can resolve with more privileges. You'll have to find out *which* access mode is in violation with the file's share mode. The code in question requests *all* accesses, clearly more than you'd need for copying a file. See [`OpenOptions::open`](https://doc.rust-lang.org/std/fs/struct.OpenOptions.html#method.open) instead (and possibly the OS-specific `OpenOptionsExt` structure). – IInspectable Apr 01 '23 at 15:51
  • `let _file = OpenOptions::new().read(true).open(filename).unwrap()` returns the same error unfortunately. – Jerome Apr 02 '23 at 05:32
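The route the update settles on (a low-level NTFS crate) works because a sharing violation is a property of the handle another process already holds on the *file*; a raw volume handle such as `\\.\C:` is a different object, and an elevated process can read it regardless of which files on it are locked. The parser then has to find the file itself, starting from the boot sector, which says where the $MFT lives. The following is an added example, not the asker's code and not the nt_hive or ntfs crate's own API: it opens the raw volume on Windows (assumed to be drive `C:`, run as administrator), parses the NTFS boot sector, and computes the $MFT byte offset. The byte layout is the standard NTFS boot sector; the 512-byte sample sector is constructed, not captured from a real disk, and is only used where no Windows volume is available. Function names (`open_raw_volume`, `parse_boot_sector`, `mft_byte_offset`, `sample_boot_sector`) are this example's own.

```rust
use std::convert::TryInto;
use std::io;

/// Fields of the NTFS boot sector an NTFS parser needs first.
#[derive(Debug, PartialEq, Eq)]
pub struct NtfsBootSector {
    pub bytes_per_sector: u16,
    pub sectors_per_cluster: u8,
    pub total_sectors: u64,
    pub mft_lcn: u64,
    pub mft_mirror_lcn: u64,
}

/// Parse the first 512 bytes of an NTFS volume. Offsets follow the NTFS
/// on-disk layout: OEM ID "NTFS    " at 0x03, bytes/sector at 0x0B,
/// sectors/cluster at 0x0D, total sectors at 0x28, $MFT LCN at 0x30,
/// $MFTMirr LCN at 0x38, boot signature 0x55AA at 0x1FE.
pub fn parse_boot_sector(buf: &[u8]) -> Result<NtfsBootSector, String> {
    if buf.len() < 512 {
        return Err(format!("need 512 bytes, got {}", buf.len()));
    }
    if &buf[3..11] != b"NTFS    " {
        return Err("not an NTFS boot sector (OEM ID mismatch)".to_string());
    }
    if buf[510] != 0x55 || buf[511] != 0xAA {
        return Err("missing 0x55AA boot signature".to_string());
    }
    let le64 = |r: std::ops::Range<usize>| u64::from_le_bytes(buf[r].try_into().unwrap());
    let bs = NtfsBootSector {
        bytes_per_sector: u16::from_le_bytes([buf[11], buf[12]]),
        sectors_per_cluster: buf[13],
        total_sectors: le64(40..48),
        mft_lcn: le64(48..56),
        mft_mirror_lcn: le64(56..64),
    };
    if bs.bytes_per_sector == 0 || bs.sectors_per_cluster == 0 {
        return Err("zero sector or cluster size".to_string());
    }
    Ok(bs)
}

/// Byte offset of $MFT on the volume: the next thing a parser reads after
/// the boot sector, and the starting point for locating any file by path.
pub fn mft_byte_offset(bs: &NtfsBootSector) -> u64 {
    bs.mft_lcn * u64::from(bs.sectors_per_cluster) * u64::from(bs.bytes_per_sector)
}

/// Open the raw volume read-only. Windows only, requires elevation.
/// `\\.\C:` is a device path, so per-file share modes do not apply;
/// reads on it must be whole sectors (512 bytes here; 4096 on 4Kn disks).
#[cfg(windows)]
pub fn open_raw_volume(drive_letter: char) -> io::Result<std::fs::File> {
    use std::os::windows::fs::OpenOptionsExt;
    const FILE_SHARE_READ: u32 = 0x0000_0001;
    const FILE_SHARE_WRITE: u32 = 0x0000_0002;
    std::fs::OpenOptions::new()
        .read(true)
        .share_mode(FILE_SHARE_READ | FILE_SHARE_WRITE)
        .open(format!(r"\\.\{}:", drive_letter))
}

/// Constructed sample (not from a real disk): 512-byte sectors,
/// 8 sectors per cluster, $MFT at LCN 0xC0000, $MFTMirr at LCN 2.
pub fn sample_boot_sector() -> [u8; 512] {
    let mut buf = [0u8; 512];
    buf[3..11].copy_from_slice(b"NTFS    ");
    buf[11..13].copy_from_slice(&512u16.to_le_bytes());
    buf[13] = 8;
    buf[40..48].copy_from_slice(&1_000_000u64.to_le_bytes());
    buf[48..56].copy_from_slice(&0xC0000u64.to_le_bytes());
    buf[56..64].copy_from_slice(&2u64.to_le_bytes());
    buf[510] = 0x55;
    buf[511] = 0xAA;
    buf
}

#[cfg(windows)]
fn read_first_sector() -> io::Result<[u8; 512]> {
    use std::io::Read;
    let mut volume = open_raw_volume('C')?;
    let mut buf = [0u8; 512];
    volume.read_exact(&mut buf)?;
    Ok(buf)
}

#[cfg(not(windows))]
fn read_first_sector() -> io::Result<[u8; 512]> {
    // No raw Windows volume to open here; use the constructed sample.
    Ok(sample_boot_sector())
}

fn main() -> io::Result<()> {
    let buf = read_first_sector()?;
    match parse_boot_sector(&buf) {
        Ok(bs) => println!("{:?}\n$MFT at byte offset {}", bs, mft_byte_offset(&bs)),
        Err(e) => eprintln!("boot sector rejected: {}", e),
    }
    Ok(())
}
```

From the $MFT offset an NTFS library (the `ntfs` crate, for instance) walks the directory tree to `Windows\appcompat\Programs\Amcache.hve` and returns its data runs, which can then be handed to nt_hive as a byte slice. The other common route for a locked file, the "snapshot" asked about in the comments, is a Volume Shadow Copy: the snapshot exposes a point-in-time copy of the volume under `\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN\`, where nothing holds the file open. Either way the bytes are read without closing the kernel's handle, so the copy can be slightly behind whatever the system has not yet flushed to disk.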

0 Answers