Rdump crashes on field type `command` with the JSON adapter

[respondersGY]

uv pip install dissect==3.19
wget https://files.dissect.tools/images/MSEDGEWIN10_20220708124036.tar
uv run target-query -t MSEDGEWIN10_20220708124036.tar -f runkeys | uv run rdump -w runkeys.json

head -n 2 runkeys.json
{"_type": "recorddescriptor", "_data": ["windows/registry/run", [["string", "hostname"], ["string", "domain"], ["datetime", "ts"], ["wstring", "name"], ["command", "command"], ["string", "key"], ["string", "regf_hive_path"], ["string", "regf_key_path"], ["string", "username"], ["string", "user_id"], ["string", "user_group"], ["string", "user_home"]]]}
{"hostname": "MSEDGEWIN10", "domain": null, "ts": "2019-03-19T13:25:12.164986+00:00", "name": "SecurityHealth", "command": {"executable": "%windir%\\system32\\SecurityHealthSystray.exe", "args": []}, "key": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "regf_hive_path": "sysvol/windows/system32/config/SOFTWARE", "regf_key_path": "Microsoft\\Windows\\CurrentVersion\\Run", "username": null, "user_id": null, "user_group": null, "user_home": null, "_source": "MSEDGEWIN10_20220708124036.tar", "_classification": null, "_generated": "2025-07-07T10:36:02.723781+00:00", "_version": 1, "_type": "record", "_recorddescriptor": ["windows/registry/run", 3070007400]}


uv run rdump runkeys.json  -vv
2025-07-07T10:37:39.698750Z [debug    ] Creating <class 'flow.record.adapter.text.TextWriter'> for 'text://?' with args {'clobber': True} [flow.record.base]
2025-07-07T10:37:39.698950Z [debug    ] Record stream with selector: None [flow.record.stream]
2025-07-07T10:37:39.699104Z [debug    ] Creating <class 'flow.record.adapter.jsonfile.JsonfileReader'> for 'jsonfile://runkeys.json' with args {} [flow.record.base]
2025-07-07T10:37:39.699698Z [error    ] rdump encountered a fatal error: Expected a value of type 'str' not <class 'dict'> [flow.record.tools.rdump]

The function expects a string as the full command but with JSON adapter the value is a dict whereby the command is splitted into executable and args

flow.record/flow/record/fieldtypes/__init__.py

Lines 746 to 747 in c67f778

	if not isinstance(value, str):
	raise TypeError(f"Expected a value of type 'str' not {type(value)}")

In [1]: value
Out[1]: {'executable': '%windir%\\system32\\SecurityHealthSystray.exe', 'args': []}

In [2]: type(value)
Out[2]: dict

[Schamper]

The command type was accidentally turned into a dictionary when it was added, #130 aims to resolve this but has been on the backburner for a while already.

@Miauwkeru pinging.

[respondersGY]

@Miauwkeru note that the PR #130 does not fix this issue.

uv run --with "git+https://github.com/JSCU-CNI/flow.record.git@fix/flatten-command-type" rdump runkeys.json -vv    
2025-07-07 16:22:30,939 DEBUG Creating <class 'flow.record.adapter.text.TextWriter'> for 'text://?' with args {'clobber': True}
2025-07-07 16:22:30,939 DEBUG Record stream with selector: None
2025-07-07 16:22:30,939 DEBUG Creating <class 'flow.record.adapter.jsonfile.JsonfileReader'> for 'jsonfile://runkeys.json' with args {}
2025-07-07 16:22:30,940 WARNING Exception in <flow.record.adapter.jsonfile.JsonfileReader object at 0x1056bc050> for 'runkeys.json': ValueError("Expected a value of type 'str' not <class 'dict'>") -- skipping to next reader

[Miauwkeru]

I am working on a fix for this!

[respondersGY]

@Miauwkeru are you working on this?

[JSCU-CNI]

note that the PR #130 does not fix this issue.

It does, however you'd have to re-run your target-query ... | rdump -w command (in a venv with #130) to make sure the command fields are not serialized as dictionaries.

[respondersGY]

Thanks my bad, it fixes the issue.

[respondersGY]

Duplicate of #132

[respondersGY]

@Miauwkeru can you take a look at #130?