
Bugfix: Fix incorrect tag-count/reserved-tag handling in GetPageValues #30

Open

Che4ter wants to merge 1 commit into Velocidex:master from baseVISION:fix/srum-ctag-reserved

Conversation


@Che4ter Che4ter commented Jul 3, 2026


On Windows 11 25H2 (OS Build 26200.8655), Velociraptor's SRUM collection started failing with:

    parse_ese: Unable to open file C:\Windows\System32\sru\SRUDB.dat:
    Page 2326537 exceeds max page 16913

The available page tag field (PGHDR.itagState) packs itagMicFree (low 12 bits, real tag count) and ctagReserved (next 3 bits, number of reserved tags at the start of the page) unconditionally, regardless of page size or format revision - not only on 32KiB pages as previously assumed. GetPageValues was reading the unmasked raw value as the tag count on this build, producing a garbage tag offset that decoded to an out-of-range child page number and surfaced as the error above.

This also fixes the tag-slot skip to scale with ctagReserved (which can be up to 7 per CPAGE) instead of always skipping exactly one slot, and guards against ctagReserved being larger than itagMicFree.

See https://github.com/microsoft/Extensible-Storage-Engine/blob/main/dev/ese/src/inc/cpage.hxx

Testing

Verified against:

  • The existing test suite (all golden fixtures pass except
    TestWindowsQmgr, which fails identically on unmodified master,
    pre-existing and unrelated to this change).
  • Three real-world SRUDB.dat samples from Windows 11 25H2 machines.
    Parsing now succeeds end-to-end with no "exceeds max page" errors.

Note on this fix

I ran into this bug during day-to-day DFIR work and traced it as far as the failing artefact/error message, but diagnosing the actual root cause in the ESE tag-packing format and writing the fix itself was done with AI assistance (Claude/Anthropic), as this went deeper into the ESE binary format internals than I could confidently do myself. I've reviewed and tested the change, but wanted to mention that this PR contains AI-generated code.
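To make the bitfield decode and the reserved-slot skip described above concrete, here is an added example in Go; it is not the PR's diff nor Velociraptor's own ESE parser code. The mask/shift constants follow the 12-bit/3-bit layout the PR states, the type and function names are assumptions, and the header value in main is constructed.

```go
package main

import "fmt"

// Layout of PGHDR.itagState as the PR describes it (see cpage.hxx):
// bits 0-11  itagMicFree  - tags actually in use on the page
// bits 12-14 ctagReserved - reserved tag slots at the start of the page
const (
	itagMicFreeMask   = 0x0FFF
	ctagReservedShift = 12
	ctagReservedMask  = 0x7
)

// TagState is the decoded form of itagState.
type TagState struct {
	TagCount int // itagMicFree
	Reserved int // ctagReserved (0..7)
}

// DecodeItagState masks the packed field instead of treating the raw value
// as the tag count, and rejects a header whose reserved count exceeds its
// tag count (the guard the PR adds).
func DecodeItagState(raw uint16) (TagState, error) {
	st := TagState{
		TagCount: int(raw & itagMicFreeMask),
		Reserved: int((raw >> ctagReservedShift) & ctagReservedMask),
	}
	if st.Reserved > st.TagCount {
		return st, fmt.Errorf("ctagReserved %d > itagMicFree %d", st.Reserved, st.TagCount)
	}
	return st, nil
}

// DataTagIndices lists the slots that hold page values: every slot after the
// reserved ones, rather than always skipping exactly one.
func DataTagIndices(st TagState) []int {
	idx := make([]int, 0, st.TagCount)
	for i := st.Reserved; i < st.TagCount; i++ {
		idx = append(idx, i)
	}
	return idx
}

func main() {
	raw := uint16(0x1005) // constructed header: ctagReserved=1, itagMicFree=5
	st, err := DecodeItagState(raw)
	// Unmasked, the same header would read as 4101 tags, the garbage the PR saw.
	fmt.Printf("raw=%d decoded=%+v err=%v slots=%v\n", raw, st, err, DataTagIndices(st))
}
```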

