fix(processors): Skip hidden registry keys

If the registry value is found within the hidden key, skip reading the value as it would inevitably fail.
rabbitstack · Nov 21, 2024 · f7e8dc5 · f7e8dc5
1 parent e5e91ca
commit f7e8dc5
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/internal/etw/processors/registry_windows.go b/internal/etw/processors/registry_windows.go
@@ -124,6 +124,11 @@ func (r *registryProcessor) processEvent(e *kevent.Kevent) (*kevent.Kevent, erro
 			return e, nil
 		}
 
+		// values within hidden keys cannot be read
+		if strings.HasSuffix(keyName, "\\") {
+			return e, nil
+		}
+
 		rootkey, subkey := key.Format(keyName)
 		if rootkey != key.Invalid {
 			typ, val, err := rootkey.ReadValue(subkey)