fix(event): Correct registry string value parsing

rabbitstack · rabbitstack · commit 7a6d0c115702 · 2025-12-29T20:44:49.000+01:00
diff --git a/pkg/event/param_windows.go b/pkg/event/param_windows.go
@@ -29,6 +29,8 @@ import (
 	"time"
 	"unsafe"
 
+	"github.com/rabbitstack/fibratus/pkg/util/utf16"
+
 	"github.com/rabbitstack/fibratus/pkg/event/params"
 	"github.com/rabbitstack/fibratus/pkg/fs"
 	htypes "github.com/rabbitstack/fibratus/pkg/handle/types"
@@ -531,10 +533,10 @@ func (e *Event) produceParams(evt *etw.EventRecord) {
 		e.AppendParam(params.RegPath, params.Key, filepath.Join(keyName, valueName))
 		e.AppendEnum(params.RegValueType, valueType, key.RegistryValueTypes)
 
-		if len(capturedData) > 0 {
+		if len(b) > 0 {
 			switch valueType {
 			case registry.SZ, registry.MULTI_SZ, registry.EXPAND_SZ:
-				e.AppendParam(params.RegData, params.UnicodeString, string(capturedData))
+				e.AppendParam(params.RegData, params.UnicodeString, utf16.BytesToString(b, binary.LittleEndian))
 			case registry.BINARY:
 				e.AppendParam(params.RegData, params.Binary, b)
 			case registry.DWORD:
diff --git a/pkg/util/utf16/utf16.go b/pkg/util/utf16/utf16.go
@@ -22,6 +22,7 @@
 package utf16
 
 import (
+	"encoding/binary"
 	"unicode/utf8"
 )
 
@@ -58,3 +59,16 @@ func Decode(p []uint16) string {
 	}
 	return string(s)
 }
+
+// BytesToString converts the UTF16-encoded byte buffer to string.
+func BytesToString(b []byte, o binary.ByteOrder) string {
+	utf := make([]uint16, 0, len(b)/2)
+	for i := 0; i+1 < len(b); i += 2 {
+		u := o.Uint16(b[i:])
+		if u == 0 {
+			break // stop at null terminator
+		}
+		utf = append(utf, u)
+	}
+	return Decode(utf)
+}
