When launch NTFSinfo with this config (below) and compare with sigcheck result (command "sigcheck -h -e -a -c c:\windows\system32"), the "OriginalFileName" dont display on ORC NTFS info result.
<?xml version="1.0"?>
<ntfsinfo walker="MFT" resurrect="yes">
<location>*</location>
<columns>
<default>ComputerName,VolumeID,Default,ExtendedAttribute,RecordInUse,SecDescrID,ADS,FirstBytes,OriginalFileName,ProductName,FullName,File,FileNameCreationDate,FileNameLastAccessDate,FileNameLastAttrModificationDate,FileNameLastModificationDate,LastAccessDate,LastAttrChangeDate,LastModificationDate,Owner,OwnerId,OwnerSid,SizeInBytes</default>
<add SizeLT="10M" Ext=".docx,.zip,.7z,.ace,.cmd,.bat,.ps1,.chm,.application,.appref-ms,.pdf,.jar,.js,.jse,.rtf,.doc,.xls,.xslx,.ini,.inf,.hta,.hlp,.reg,.tmp,.lnk,.scf,.sdb,.url,vba,.vbs,.vbe,.jnlp,.ppt,.pptx,.swf">MD5,SHA1,SHA256</add>
<omit SizeGT="10M">MD5,SHA1,SHA256,PeMD5,PeSHA1,PeSHA256,Authenticode,TimeStamp,AuthenticodeStatus,AuthenticodeCA</omit>
<add HasPE="">AuthenticodeCA,AuthenticodeStatus,MD5,SHA1,SHA256,PeMD5,PeSHA1,PeSHA256,Authenticode,TimeStamp</add>
</columns>
</ntfsinfo>
NTFSInfo v10.0.16
NTFS File system enumeration
ERROR (Paramètre incorrec, hr=0x80070057): Ignored criteria SizeLT, critera already defined
Start time : 12/01/2020 19:15:46.384 (UTC)
Computer : MSEDGEWIN10
Operating System : Microsoft Windows 10 (build 17763), 64-bit
Walker used : MFT
FileInfo archive : C:\Users\IEUser\AppData\Local\Temp\WorkingTemp\NTFSInfo.7z (encoding=UTF8)
AttrInfo : Empty
I30Info archive : C:\Users\IEUser\AppData\Local\Temp\WorkingTemp\NTFSInfo_i30Info.7z (encoding=UTF8)
Timeline : Empty
SecDescr archive : C:\Users\IEUser\AppData\Local\Temp\WorkingTemp\NTFSInfo_SecDesc.7z (encoding=UTF8)
CSV Columns :
ComputerName VolumeID File
ParentName FullName Extension
SizeInBytes Attributes CreationDate
LastModificationDate LastAccessDate LastAttrChangeDate
FileNameCreationDate FileNameLastModificationDate FileNameLastAccessDate
FileNameLastAttrModificationDate USN FRN
ParentFRN ExtendedAttribute ADS
FilenameID DataID RecordInUse
MD5 SHA1 FirstBytes
OwnerId ProductName OriginalFileName
TimeStamp FilenameFlags SHA256
PeSHA1 PeSHA256 SecDescrID
AuthenticodeStatus AuthenticodeSigner AuthenticodeSignerThumbprint
AuthenticodeCA AuthenticodeCAThumbprint PeMD5
FilenameIndex DataIndex SnapshotID
SignedHash
Default columns :
ComputerName VolumeID File
ParentName FullName Extension
SizeInBytes Attributes CreationDate
LastModificationDate LastAccessDate LastAttrChangeDate
FileNameCreationDate FileNameLastModificationDate FileNameLastAccessDate
FileNameLastAttrModificationDate USN FRN
ParentFRN ExtendedAttribute ADS
FilenameID DataID RecordInUse
FirstBytes OwnerId ProductName
OriginalFileName FilenameFlags SecDescrID
FilenameIndex DataIndex SnapshotID
Filters:
if file is smaller than 10485760 bytes include columns:
MD5 SHA1 SHA256
if file has valid PE header include columns:
MD5 SHA1 TimeStamp
SHA256 PeSHA1 PeSHA256
AuthenticodeStatus AuthenticodeSigner AuthenticodeSignerThumbprint
AuthenticodeCA AuthenticodeCAThumbprint PeMD5
SignedHash
if file is bigger than 10485760 bytes exclude columns:
MD5 SHA1 TimeStamp
SHA256 PeSHA1 PeSHA256
AuthenticodeStatus AuthenticodeSigner AuthenticodeSignerThumbprint
AuthenticodeCA AuthenticodeCAThumbprint PeMD5
SignedHash
Volumes, Folders to parse:
DiskInterfaceVolume : \\.\SCSI#Disk&Ven_QEMU&Prod_HARDDISK#4&2749002f&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b},offset=1048576,size=42947575808,sector=512 - NTFS - Valid (serial : 0xa8b4a72fb4a6fec6) *
"C:\"
"\windows\system32"
Parsing \\.\SCSI#Disk&Ven_QEMU&Prod_HARDDISK#4&2749002f&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b},offset=1048576,size=42947575808,sector=512: "C:\"
Archive: C:\Users\IEUser\AppData\Local\Temp\WorkingTemp\NTFSInfo_i30Info.7z started
Archive: C:\Users\IEUser\AppData\Local\Temp\WorkingTemp\NTFSInfo_SecDesc.7z started
Archive: C:\Users\IEUser\AppData\Local\Temp\WorkingTemp\NTFSInfo.7z started
ERROR (hr=0x90090006): Failed to fixup $INDEX_ALLOCATION header
ERROR (hr=0x90090006): Failed to read from $INDEX_ALLOCATION
.................................................
.............................................. Done!
WARNING: Heap still maintains 78 entries
Archive: File NTFSInfo_00000000_DiskInterface_0xa8b4a72fb4a6fec6_.csv added
Archive: File I30Info_00000000_DiskInterface_0xa8b4a72fb4a6fec6_.csv added
Archive: File SecDescr_00000000_DiskInterface_0xa8b4a72fb4a6fec6_.csv added
Archive: File volstats.csv added
Archive: C:\Users\IEUser\AppData\Local\Temp\WorkingTemp\NTFSInfo.7z is complete
Archive: C:\Users\IEUser\AppData\Local\Temp\WorkingTemp\NTFSInfo_i30Info.7z is complete
Archive: C:\Users\IEUser\AppData\Local\Temp\WorkingTemp\NTFSInfo_SecDesc.7z is complete
Lines processed : 26341
Finish time : 12/01/2020 19:21:47.767 (UTC)
Elapsed time : 6 min(s), 1 sec(s), 391 msecs
Information : 3 errors occurred during program execution
I copy result on sethc.exe file (below).
"c:\windows\system32\sethc.exe","Signed","23:22 14/09/2018","Microsoft Windows","Microsoft Corporation","Accessibility shortcut keys","Microsoft� Windows� Operating System","10.0.17763.1","10.0.17763.1 (WinBuild.160101.0800)","64-bit","10.0.17763.1","sethc.exe","sethc.exe","� Microsoft Corporation. All rights reserved.","n/a","6.858","F00FAB17E7FE21D930AA4A6CABD2381F","F8DF7CD7482FCF621924C97BBB44DF380CC612BB","1B79622D2009F259A2197E4B66DDF43121F8DB3F","A9BBDBB6038AB7CDB3E52BE9477526818AA9E2183C22C8CB2201548717E222F1","746D48A2FC0198E20C6ABCB301ED5C0FFEBDE33D0C0C890044EC98C9EE5E21EC","3C1A53A9971C1924A1A24E822BFFC8E3"
"MSEDGEWIN10",0xA8B4A72FB4A6FEC6,"sethc.exe","\Windows\System32\","\Windows\System32\sethc.exe",".exe",299520,"A....N.......",2018-09-15 07:28:43.201,2018-09-15 07:28:43.201,2020-12-01 17:17:01.549,2019-03-19 19:41:55.255,2019-03-19 19:41:55.238,2019-03-19 19:41:55.255,2019-03-19 19:41:55.238,2019-03-19 19:41:55.255,0x0000000000000000,0x0001000000009DDA,0x0001000000000DC3,"$CI.CATALOGHINT;",,5,4,Y,,F00FAB17E7FE21D930AA4A6CABD2381F,F8DF7CD7482FCF621924C97BBB44DF380CC612BB,4D5A90000300000004000000FFFF0000,0,,,,,,,,2100-06-05 01:47:25.000,,,,0,746D48A2FC0198E20C6ABCB301ED5C0FFEBDE33D0C0C890044EC98C9EE5E21EC,1B79622D2009F259A2197E4B66DDF43121F8DB3F,A9BBDBB6038AB7CDB3E52BE9477526818AA9E2183C22C8CB2201548717E222F1,456,,,CatalogSignedVerified,"Microsoft Windows","ae9c1ae54763822eec42474983d8b635116c8452","Microsoft Root Certificate Authority 2010","3b1efd3a66ea28b16697394703a72ca340a05bd5",89ADFB6E88C52B80F42DB3780ADAF259,1,0,{00000000-0000-0000-0000-000000000000},,,,,
Please, can you fix this problem.
Thanks.