Hello. Get-ForensicFileRecord seems to fail on many paths under C:\Windows on Windows 11. So far in my testing, it works on files elsewhere (such as in C:\Program Files), and on the C:\Windows directory itself.
Those same commands succeed on Windows 10 (scroll down). Do you know what might be wrong? I'd be happy to provide more information to help debug this.
PS C:\Windows\System32> cmd /c ver
Microsoft Windows [Version 10.0.22000.918]
PS C:\Windows\System32> Get-Item C:\Windows
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 9/4/2022 5:36 PM Windows
PS C:\Windows\System32> Get-ForensicFileRecord -path "C:\Windows"
FullName : C:\\Windows
Name : Windows
SequenceNumber : 1
RecordNumber : 1492
ParentSequenceNumber : 5
ParentRecordNumber : 5
Directory : True
Deleted : False
ModifiedTime : 9/4/2022 9:36:44 PM
AccessedTime : 9/12/2022 10:19:42 PM
ChangedTime : 9/4/2022 9:36:44 PM
BornTime : 6/5/2021 12:01:25 PM
FNModifiedTime : 6/30/2021 9:47:02 PM
FNAccessedTime : 6/30/2021 9:47:02 PM
FNChangedTime : 6/30/2021 9:47:02 PM
FNBornTime : 6/30/2021 9:47:02 PM
PS C:\Windows\System32> Get-Item C:\Windows\System32
Directory: C:\Windows
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 9/12/2022 3:18 PM System32
PS C:\Windows\System32> Get-ForensicFileRecord -path "C:\Windows\System32"
Get-ForensicFileRecord : Path C:\Windows\System32 not found.
At line:1 char:1
+ Get-ForensicFileRecord -path "C:\Windows\System32"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-ForensicFileRecord], Exception
+ FullyQualifiedErrorId : System.Exception,PowerForensics.Cmdlets.GetFileRecordCommand
PS C:\Windows\System32> Get-Item C:\Windows\System32\kernel32.dll
Directory: C:\Windows\System32
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/4/2022 5:27 PM 786520 kernel32.dll
PS C:\Windows\System32> Get-ForensicFileRecord -path "C:\Windows\System32\kernel32.dll"
Get-ForensicFileRecord : Path C:\Windows\System32\kernel32.dll not found.
At line:1 char:1
+ Get-ForensicFileRecord -path "C:\Windows\System32\kernel32.dll"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-ForensicFileRecord], Exception
+ FullyQualifiedErrorId : System.Exception,PowerForensics.Cmdlets.GetFileRecordCommand

Here are those same commands on Windows 10:
PS C:\WINDOWS\system32> cmd /c ver
Microsoft Windows [Version 10.0.19043.1889]
PS C:\WINDOWS\system32> Get-Item C:\Windows
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 8/26/2022 1:01 PM Windows
PS C:\WINDOWS\system32> Get-ForensicFileRecord -path "C:\Windows"
FullName : C:\\Windows
Name : Windows
SequenceNumber : 2
RecordNumber : 308097
ParentSequenceNumber : 5
ParentRecordNumber : 5
Directory : True
Deleted : False
ModifiedTime : 8/26/2022 8:01:04 PM
AccessedTime : 9/12/2022 10:21:47 PM
ChangedTime : 8/26/2022 8:01:04 PM
BornTime : 12/7/2019 9:03:44 AM
FNModifiedTime : 3/16/2021 11:20:55 PM
FNAccessedTime : 3/17/2021 1:11:58 PM
FNChangedTime : 3/16/2021 11:20:55 PM
FNBornTime : 12/7/2019 9:03:44 AM
PS C:\WINDOWS\system32> Get-Item C:\Windows\System32
Directory: C:\Windows
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 9/12/2022 3:19 PM System32
PS C:\WINDOWS\system32> Get-ForensicFileRecord -path "C:\Windows\System32"
FullName : C:\\Windows\System32
Name : System32
SequenceNumber : 2
RecordNumber : 309833
ParentSequenceNumber : 2
ParentRecordNumber : 308097
Directory : True
Deleted : False
ModifiedTime : 9/12/2022 10:19:50 PM
AccessedTime : 9/12/2022 10:21:47 PM
ChangedTime : 9/12/2022 10:19:50 PM
BornTime : 12/7/2019 9:03:44 AM
FNModifiedTime : 3/16/2021 10:56:02 PM
FNAccessedTime : 3/16/2021 10:56:02 PM
FNChangedTime : 3/16/2021 10:56:02 PM
FNBornTime : 3/16/2021 10:56:02 PM
PS C:\WINDOWS\system32> Get-Item C:\Windows\System32\kernel32.dll
Directory: C:\Windows\System32
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 8/18/2022 9:20 AM 766000 kernel32.dll
PS C:\WINDOWS\system32> Get-ForensicFileRecord -path "C:\Windows\System32\kernel32.dll"
FullName : C:\\Windows\WinSxS\amd64_microsoft-windows-kernel32_31bf3856ad364e35_10.0.19041.1889_none_0844957b0bac060e\kernel32.dll
Name : kernel32.dll
SequenceNumber : 1
RecordNumber : 651723
ParentSequenceNumber : 1
ParentRecordNumber : 651865
Directory : False
Deleted : False
ModifiedTime : 8/18/2022 4:20:53 PM
AccessedTime : 9/12/2022 10:21:19 PM
ChangedTime : 8/26/2022 8:01:16 PM
BornTime : 8/18/2022 4:20:53 PM
FNModifiedTime : 8/18/2022 4:20:53 PM
FNAccessedTime : 8/18/2022 4:20:53 PM
FNChangedTime : 8/18/2022 4:20:53 PM
FNBornTime : 8/18/2022 4:20:53 PM