@jgstew
I’ll be submitting an RFE for “unicode file” and “unicode string” inspectors.
This is partly related to my attempts at reading a Registry.pol file. The file contains a large amount of UNICODE text, and an attempt to read lines from it results in something like
q: lines of native file "c:\windows\system32\grouppolicy\machine\registry.pol"
A: PReg%01%00%00%00[%00S%00o%00f%00t%00w%00a%00r%00e%00\%00M%00i%00c%00r%00o%00s%00o%00f%00t%00\%00w%00c%00m%00s%00v%00c%00\%00w%00i%00f%00i%00n%00e%00t%00w%00o%00r%00k%00m%00a%00n%00a%00g%00e%00r%00\%00c%00o%00n%00f%00i%00g%00%00%00;%00A%00u%00t%00o%00C%00o%00n%00n%00e%00c%00t%00A%00l%00l%00o%00w%00e%00d%00O%00E%00M%00%00%00;%00%04%00%00%00;%00%04%00%00%00;%00%00%00%00%00]%00[%00S%00o%00f%00t%00w%00a%00r%00e%00\%00M%00i%00c%00r%00o%00s%00o%00f%00t%00\%00W%00i%00n%00d%00o%00w%00s%00\%00C%00u%00r%00r%00e%00n%00t%00V%00e%00r%00s%00i%00o%00n%00\%00P%00o%00l%00i%00c%00i%00e%00s%00\%00C%00r%00e%00d%00U%00I%00%00%00;%00E%00n%00u%00m%00e%00r%00a%00t%00e%00A%00d%00m%00i%00n%00i%00s%00t%00r%00a%00t%00o%00r%00s%00%00%00;%00%04%00%00%00;%00%04%00%00%00;%00%00%00%00%00]%00[%00S%00o%00f%00t%00w%00a%00r%00
That can be made slightly more intelligible by removing the NULL bytes - but there are also NULL bytes as part of the binary values, and this doesn’t account for them:
q: concatenation of substrings separated by "%00" of lines of native file "c:\windows\system32\grouppolicy\machine\registry.pol"
A: PReg%01[Software\Microsoft\wcmsvc\wifinetworkmanager\config;AutoConnectAllowedOEM;%04;%04;][Software\Microsoft\Windows\CurrentVersion\Policies\CredUI;EnumerateAdministrators;%04;%04;][Software\Microsoft\Windows\CurrentVersion\Policies\Explorer;NoDriveTypeAutoRun;%04;%04;ÿ]
But to search for a string within that content, we have to keep the NULL bytes in our string. We also have to keep the NULL characters when using the <file content> inspector.
I’d like to have an inspector for "unicode file of " and "unicode string ". Intent would be to allow operations like
q: exists native file "c:\windows\system32\grouppolicy\registry.pol" whose (content of (unicode file of it) contains unicode string "[Software\Microsoft\wcmsvc\wifinetworkmanager\config;AutoConnectAllowedOEM;%04;%04;]")
RFE submitted: http://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe&CR_ID=110558
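An added Python example, not part of the post and not BigFix relevance: it parses a Registry.pol file using the UTF-16LE layout visible in the output above ("PReg", version, then [key;value;type;size;data] entries), keeps the NUL bytes inside the DWORD data that a "%00" strip would destroy, and does the byte-level "unicode string" match the RFE asks for. The sample bytes, the REG_DWORD constant and every function name are constructed here.

```python
import struct
REG_DWORD = 4  # registry value type code for the DWORD entries below

# Constructed sample laid out like the post's output: "PReg", version 1, then UTF-16LE [key;value;type;size;data] entries.
def _entry(key, value, reg_type, data):
    sep = ";".encode("utf-16-le")
    return ("[".encode("utf-16-le")
            + key.encode("utf-16-le") + b"\x00\x00" + sep    # null-terminated key
            + value.encode("utf-16-le") + b"\x00\x00" + sep  # null-terminated value name
            + struct.pack("<I", reg_type) + sep              # type as little-endian DWORD
            + struct.pack("<I", len(data)) + sep             # data size in bytes
            + data + "]".encode("utf-16-le"))                # data keeps its NUL bytes

SAMPLE_POL = (b"PReg" + struct.pack("<I", 1)
    + _entry(r"Software\Microsoft\wcmsvc\wifinetworkmanager\config",
             "AutoConnectAllowedOEM", REG_DWORD, struct.pack("<I", 0))
    + _entry(r"Software\Microsoft\Windows\CurrentVersion\Policies\CredUI",
             "EnumerateAdministrators", REG_DWORD, struct.pack("<I", 0)))

def _read_wstr(blob, pos):
    end = pos
    while blob[end:end + 2] != b"\x00\x00":  # scan 2 bytes at a time to the terminator
        end += 2
    return blob[pos:end].decode("utf-16-le"), end + 2

def parse_registry_pol(blob):
    """Return [(key, value, type, data), ...] without stripping any NUL bytes."""
    if blob[:4] != b"PReg" or struct.unpack_from("<I", blob, 4)[0] != 1:
        raise ValueError("not a version-1 Registry.pol file")
    pos, entries = 8, []
    while pos < len(blob):
        if blob[pos:pos + 2] != "[".encode("utf-16-le"):
            raise ValueError("expected '[' at offset %d" % pos)
        key, pos = _read_wstr(blob, pos + 2)
        value, pos = _read_wstr(blob, pos + 2)                 # skip ';'
        reg_type = struct.unpack_from("<I", blob, pos + 2)[0]  # ';' then DWORD
        size = struct.unpack_from("<I", blob, pos + 8)[0]      # ';' then DWORD
        data = blob[pos + 14:pos + 14 + size]                  # ';' then data
        pos += 14 + size + 2                                   # ... then ']'
        entries.append((key, value, reg_type, data))
    return entries

def policy_dword(blob, key, value):
    """DWORD of one policy entry, or None when that policy is not set."""
    for k, v, t, d in parse_registry_pol(blob):
        if t == REG_DWORD and (k.lower(), v.lower()) == (key.lower(), value.lower()):
            return struct.unpack("<I", d)[0]
    return None

def contains_unicode_string(blob, text):
    return text.encode("utf-16-le") in blob  # the 'unicode string' match the post asks for
```

Reading the real file is just `open(path, "rb").read()` in place of SAMPLE_POL; the parser never decodes the whole blob as text, so binary data that happens to contain NUL bytes stays intact.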