Description
I recently used the Windows.Collectors.Remapping artifact to generate a remapping for a collection that I earlier made using KapeTargets, i.e.:
velociraptor artifacts collect -v Windows.Collectors.Remapping --args "ZipPath=$(pwd)/my_collection.zip" --args "WriteRemappingPath=$(pwd)/remapping.yaml"
I then attempted to parse the resident SRUM files using the Windows.Forensics.SRUM artifact and the generated remapping file like:
VELOCIRAPTOR_CONFIG=$(pwd)/remapping.yaml velociraptor artifacts collect -v Windows.Forensics.SRUM
However, the result did not yield any output:
[INFO] 2026-01-06T09:11:46Z _ __ __ _ __
[INFO] 2026-01-06T09:11:46Z | | / /__ / /___ _____(_)________ _____ / /_____ _____
[INFO] 2026-01-06T09:11:46Z | | / / _ \/ / __ \/ ___/ / ___/ __ `/ __ \/ __/ __ \/ ___/
[INFO] 2026-01-06T09:11:46Z | |/ / __/ / /_/ / /__/ / / / /_/ / /_/ / /_/ /_/ / /
[INFO] 2026-01-06T09:11:46Z |___/\___/_/\____/\___/_/_/ \__,_/ .___/\__/\____/_/
[INFO] 2026-01-06T09:11:46Z /_/
[INFO] 2026-01-06T09:11:46Z Digging deeper! https://www.velocidex.com
[INFO] 2026-01-06T09:11:46Z This is Velociraptor 0.75.5 built on 2025-12-04T06:52:56Z (e2729d3)
[INFO] 2026-01-06T09:11:46Z No embedded config - you can pack one with the `config repack` command
[INFO] 2026-01-06T09:11:46Z Loading config from env VELOCIRAPTOR_CONFIG (__REDACTED__)
[INFO] 2026-01-06T09:11:46Z Starting Org Manager service.
[INFO] 2026-01-06T09:11:46Z Starting services for Org <root> (root)
[INFO] 2026-01-06T09:11:46Z Starting Journal service for Org <root> (root).
[INFO] 2026-01-06T09:11:46Z Starting the notification service for Org <root> (root).
[INFO] 2026-01-06T09:11:46Z Installing Dummy inventory_service. Will download tools to temp directory.
[INFO] 2026-01-06T09:11:46Z Starting repository manager for Org <root> (root)
[INFO] 2026-01-06T09:11:46Z Loaded 421 built in artifacts in 109.347542ms
[INFO] 2026-01-06T09:11:46Z Starting collection of Windows.Forensics.SRUM/Upload
[INFO] 2026-01-06T09:11:46Z Query skipped due to precondition
[DEBUG] 2026-01-06T09:11:46Z Query Stats: {"RowsScanned":2,"PluginsCalled":3,"FunctionsCalled":4,"ProtocolSearch":6,"ScopeCopy":11}
[INFO] 2026-01-06T09:11:46Z Starting collection of Windows.Forensics.SRUM/Network Usage
[INFO] 2026-01-06T09:11:46Z Starting collection of Windows.Forensics.SRUM/Execution Stats
[INFO] 2026-01-06T09:11:46Z Starting collection of Windows.Forensics.SRUM/Application Resource Usage
[INFO] 2026-01-06T09:11:46Z Starting collection of Windows.Forensics.SRUM/Network Connections
[INFO] 2026-01-06T09:11:46Z parse_ese: Unable to open file C:\Windows\System32\sru\SRUDB.dat\C:\Windows\System32\sru\SRUDB.dat\C:\Windows\System32\sru\SRUDB.dat\C:\Windows\System32\sru\SRUDB.dat: Unsupported ESE file: Magic is 0 should be 0x89abcdef
[INFO] 2026-01-06T09:11:46Z parse_ese: Unable to open file C:\Windows\System32\sru\SRUDB.dat\C:\Windows\System32\sru\SRUDB.dat\C:\Windows\System32\sru\SRUDB.dat\C:\Windows\System32\sru\SRUDB.dat: Unsupported ESE file: Magic is 0 should be 0x89abcdef
[INFO] 2026-01-06T09:11:46Z parse_ese: Unable to open file C:\Windows\System32\sru\SRUDB.dat\C:\Windows\System32\sru\SRUDB.dat\C:\Windows\System32\sru\SRUDB.dat\C:\Windows\System32\sru\SRUDB.dat: Unsupported ESE file: Magic is 0 should be 0x89abcdef
[INFO] 2026-01-06T09:11:46Z parse_ese: Unable to open file C:\Windows\System32\sru\SRUDB.dat\C:\Windows\System32\sru\SRUDB.dat\C:\Windows\System32\sru\SRUDB.dat\C:\Windows\System32\sru\SRUDB.dat: Unsupported ESE file: Magic is 0 should be 0x89abcdef
[DEBUG] 2026-01-06T09:11:46Z Query Stats: {"RowsScanned":4,"PluginsCalled":2,"FunctionsCalled":3,"ProtocolSearch":72,"ScopeCopy":12}
[DEBUG] 2026-01-06T09:11:46Z Query Stats: {"RowsScanned":4,"PluginsCalled":2,"FunctionsCalled":3,"ProtocolSearch":72,"ScopeCopy":12}
[DEBUG] 2026-01-06T09:11:46Z Query Stats: {"RowsScanned":4,"PluginsCalled":2,"FunctionsCalled":3,"ProtocolSearch":72,"ScopeCopy":12}
[DEBUG] 2026-01-06T09:11:46Z Query Stats: {"RowsScanned":4,"PluginsCalled":2,"FunctionsCalled":3,"ProtocolSearch":72,"ScopeCopy":12}
[INFO] 2026-01-06T09:11:46Z Collection completed in 97.905416ms Seconds
[DEBUG] 2026-01-06T09:11:46Z Query Stats: {"RowsScanned":0,"PluginsCalled":1,"FunctionsCalled":1,"ProtocolSearch":0,"ScopeCopy":4}
[INFO] 2026-01-06T09:11:46Z Exiting notification service for Org <root> (root)!
I noted the following remapping snippet in my remapping.yaml file for the auto accessor (which is used in the SRUM artifact):
- type: mount
  scope: |2
    LET OVERLAY_ACCESSOR_DELEGATES <= dict(
      accessor="collector",
      paths=[
        "{\"DelegateAccessor\":\"file\",\"DelegatePath\":\"__REDACTED__/my_collection.zip\",\"Path\":\"/uploads/auto/C%3A\"}",
        "{\"DelegateAccessor\":\"file\",\"DelegatePath\":\"__REDACTED__/my_collection.zip\",\"Path\":\"/uploads/ntfs/%5C%5C.%5CC%3A\"}",
        "{\"DelegateAccessor\":\"file\",\"DelegatePath\":\"__REDACTED__/my_collection.zip\",\"Path\":\"/uploads/auto/%5C%5C.%5CC%3A\"}"
      ])
  from:
    path_type: zip
    accessor: overlay
  "on":
    accessor: auto
    prefix: 'C:'
    path_type: windows

I manually replaced the remapping for the auto accessor with the following:
- type: mount
  description: 'Mount the directory C/* on the C: drive (NTFS)'
  from:
    accessor: collector
    prefix: |
      {
        "DelegateAccessor": "file",
        "DelegatePath": "__REDACTED__/my_collection.zip",
        "Path": "/uploads/auto/C%3A"
      }
    path_type: zip
  "on":
    accessor: auto
    prefix: 'C:'
    path_type: windows

After this change, the SRUM artifact yielded results correctly.
This made me think there might be something wrong with the overlay remapping? Or am I missing something?
EDIT: below are the velo version details
version: 0.75.5
commit: e2729d3
build_time: "2025-12-04T06:52:56Z"
ci_build_url: https://github.com/Velocidex/velociraptor/actions/runs/19920293745
compiler: go1.25.4
system: darwin
architecture: amd64
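The manual edit described in the report (replacing the generated `overlay` mount with a direct `collector` mount whose `prefix` is the delegate JSON for `/uploads/auto/C%3A`) can be automated. The script below is an added example, not Velociraptor's own code and not code from the issue author. It assumes the generated entry has exactly the shape quoted above: the delegate list lives in the VQL `scope` string as escaped JSON string literals inside `OVERLAY_ACCESSOR_DELEGATES`, and the right delegate for a mount is the one whose URL-decoded `Path` is `<uploads>/<on.accessor>/<on.prefix>`. The zip path `/tmp/my_collection.zip` and the sample entry are constructed for illustration. The selection rule is written generally, so it also picks the `ntfs` delegate (`/uploads/ntfs/%5C%5C.%5CC%3A`) for a mount with `on.accessor: ntfs` and `on.prefix: '\\.\C:'`, which goes beyond the single `auto` case in the report.

```python
"""
Rewrite an 'overlay'-style mount entry from a Velociraptor remapping file
into an explicit 'collector' mount (the manual workaround from the issue).

Added example. Assumptions, not Velociraptor behaviour:
  * the overlay entry carries the delegates in a VQL `scope` string as
    JSON string literals inside OVERLAY_ACCESSOR_DELEGATES;
  * the delegate to use is the one whose URL-decoded Path ends in
    <on.accessor>/<on.prefix>.
"""
import json
import re
from urllib.parse import unquote

# One VQL string literal holding a JSON object: "{\"k\":\"v\", ...}"
_VQL_JSON_LITERAL = re.compile(r'"(\{(?:\\.|[^"\\])*\})"')


def delegates_from_scope(scope: str) -> list[dict]:
    """Pull every JSON delegate object out of the VQL scope text."""
    out = []
    for m in _VQL_JSON_LITERAL.finditer(scope):
        # Undo the VQL escaping of the embedded quotes, then parse the JSON.
        out.append(json.loads(m.group(1).replace('\\"', '"')))
    return out


def pick_delegate(delegates: list[dict], wanted_prefix: str, accessor: str = "auto") -> dict:
    """
    Choose the delegate whose Path is <uploads>/<accessor>/<prefix>.
    The leaf is URL-encoded inside the zip, e.g. /uploads/auto/C%3A for 'C:'.
    """
    for d in delegates:
        parent, _, leaf = unquote(d["Path"]).rpartition("/")
        if leaf == wanted_prefix and parent.endswith("/" + accessor):
            return d
    raise LookupError(f"no delegate for {accessor}:{wanted_prefix!r}")


def overlay_to_collector(entry: dict) -> dict:
    """
    Convert one overlay mount entry into the equivalent collector mount.
    Entries that are not overlay mounts are returned unchanged.
    """
    if entry.get("type") != "mount" or entry.get("from", {}).get("accessor") != "overlay":
        return entry
    on = entry["on"]
    delegate = pick_delegate(delegates_from_scope(entry["scope"]), on["prefix"], on["accessor"])
    return {
        "type": "mount",
        "description": f"Mount the collected {on['prefix']} tree on {on['prefix']} ({on['accessor']})",
        "from": {
            "accessor": "collector",
            # The collector accessor takes the delegate spec as a JSON prefix,
            # exactly as in the hand-written entry from the issue.
            "prefix": json.dumps(delegate),
            "path_type": "zip",
        },
        "on": dict(on),
    }


# Constructed sample mirroring the generated entry quoted in the issue
# (zip path replaced with an assumed /tmp/my_collection.zip).
SAMPLE_OVERLAY_ENTRY = {
    "type": "mount",
    "scope": (
        'LET OVERLAY_ACCESSOR_DELEGATES <= dict(\n'
        '  accessor="collector",\n'
        '  paths=[\n'
        '    "{\\"DelegateAccessor\\":\\"file\\",\\"DelegatePath\\":\\"/tmp/my_collection.zip\\",\\"Path\\":\\"/uploads/auto/C%3A\\"}",\n'
        '    "{\\"DelegateAccessor\\":\\"file\\",\\"DelegatePath\\":\\"/tmp/my_collection.zip\\",\\"Path\\":\\"/uploads/ntfs/%5C%5C.%5CC%3A\\"}",\n'
        '    "{\\"DelegateAccessor\\":\\"file\\",\\"DelegatePath\\":\\"/tmp/my_collection.zip\\",\\"Path\\":\\"/uploads/auto/%5C%5C.%5CC%3A\\"}"\n'
        '  ])\n'
    ),
    "from": {"path_type": "zip", "accessor": "overlay"},
    "on": {"accessor": "auto", "prefix": "C:", "path_type": "windows"},
}

if __name__ == "__main__":
    print(json.dumps(overlay_to_collector(SAMPLE_OVERLAY_ENTRY), indent=2))
```

The converted entry is returned as a plain dict so it can be dumped with whatever YAML library is at hand and pasted back into `remapping.yaml`. Before re-running the SRUM artifact it is worth confirming that the remapped accessor actually resolves the path the artifact opens, for example with `VELOCIRAPTOR_CONFIG=remapping.yaml velociraptor query "SELECT OSPath, Size FROM glob(globs='C:/Windows/System32/sru/*', accessor='auto')"` (the glob pattern is an assumption for illustration); a `Size` of 0 or no rows at all is the same symptom the `Magic is 0` error above points to.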