The minor version of a hive isn't used when parsing values

[msuhanov]

This issue is related to #7.

Windows doesn't support big data records when the minor version of the hive format is equal to or less than 3. For example, if a hive has the minor version set to 3, and there is a large value stored in this hive, and the value begins with the db string, then python-registry will treat such a value like the big data structure, but Windows will treat the value literally.

Example:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "Registry/Registry.py", line 160, in value
    return self._vkrecord.data()
  File "Registry/RegistryParse.py", line 1024, in data
    d = self.raw_data()
  File "Registry/RegistryParse.py", line 923, in raw_data
    ret = d.child().large_data(data_length)
  File "Registry/RegistryParse.py", line 713, in large_data
    cell = HBINCell(self._buf, off, self)
  File "Registry/RegistryParse.py", line 501, in __init__
    self._size = self.unpack_int(0x0)
  File "Registry/RegistryParse.py", line 212, in unpack_int
    return struct.unpack_from(str("<i"), self._buf, self._offset + offset)[0]

The hive is attached.
test-db.zip

[EricZimmerman]

this is a case where you have to take the version # into account as well as the value's size before following down the big data path (i.e. the db list structure that acts as a data run of sorts)

[msuhanov]

I guess that we need to implement a named tuple to track (using boolean fields) what features are supported in the hive, and pass this tuple to the constructor of a class used to parse a specific registry structure. Or implement another way of passing information from the REGFBlock to subsequent classes.