!reg extension on 64bit VM (MS hyper-v), dumping registry key values

boobooba

Hi community!

I have a feeling that !reg extension works strange on my vm. So what I want is to get an immediate address of a key value. So I go through all the chores of !reg from getting KCB for the reg key, through dumping the kye hive etc, and eventually I get to the point where I have kvalue at hand:

` !reg valuelist 0xffff9782f04f6000 00000000028cf9ac

Dumping ValueList of Key <AeDebug> :

[Idx]   [ValAddr]       [ValueName]                   
[   0]  00000000028cfa04     UserDebuggerHotKey 
[   1]  00000000028cfa44     Debugger   
[   2]  00000000028cfad4     Auto   

 Use '!reg kvalue <ValAddr>' to dump the value

!reg kvalue 00000000028cfa44

Signature: CM_KEY_VALUE_SIGNATURE (kv)
Name      : Debugger {compressed}
DataLength: 6c
Data      : 28aea60  [cell index]
Type      : 1

!reg cellindex 0xffff9782f04f6000 28aea60

Map = ffff9782f0ff7000 Type = 0 Table = 14 Block = ae Offset = a60
MapTable     = ffff9782f108b000 
MapEntry     = ffff9782f108c050 
BinAddress = 00000000028cf001, BlockOffset = 0000000000000000
BlockAddress = 00000000028cf000 

pcell:  00000000028cfa64

`

Now, that pcell doesn't look like a legitimate address does it? Needless to say when I try dumping it i get question marks of uncommitted memory.

Has anybody been there too? What do I do wrong?

Thank you!