
Commit 33d4a67

committed
fix(processors): Overwrite KCB handle
1 parent ae6e263 commit 33d4a67


1 file changed

+1
-3
lines changed

1 file changed

+1
-3
lines changed

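--- a/internal/etw/processors/registry_windows.go
+++ b/internal/etw/processors/registry_windows.go
@@ -87,9 +87,7 @@ func (r *registryProcessor) processEvent(e *kevent.Kevent) (*kevent.Kevent, erro
 switch e.Type {
 case ktypes.RegKCBRundown, ktypes.RegCreateKCB:
 khandle := e.Kparams.MustGetUint64(kparams.RegKeyHandle)
-if _, ok := r.keys[khandle]; !ok {
-r.keys[khandle], _ = e.Kparams.GetString(kparams.RegPath)
-}
+r.keys[khandle] = e.Kparams.MustGetString(kparams.RegPath)
 kcbCount.Add(1)
 case ktypes.RegDeleteKCB:
 khandle := e.Kparams.MustGetUint64(kparams.RegKeyHandle)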
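Review bot: The new assignment in the `RegKCBRundown`/`RegCreateKCB` case reads the path with `MustGetString`, where the replaced code used `GetString` and discarded the error. If the `Must` variant panics on a missing parameter, as its name suggests, an event without `RegPath` would now abort event processing instead of being tolerated. Overwriting is the right behaviour for a reused KCB handle, because a stale entry would attribute later registry activity to the wrong key path, and it can be kept without the panic: `if path, err := e.Kparams.GetString(kparams.RegPath); err == nil { r.keys[khandle] = path }`. On the error path the old entry should be removed with `delete(r.keys, khandle)` rather than left in place. `processEvent` starts and ends outside this hunk, so how it reports errors to its caller is not visible here.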
