registry...

Thomas Wolff Mon, 07 Sep 2020 00:54:14 -0700

Am 07.09.2020 um 09:05 schrieb Brian Inglis:

On 2020-09-06 23:34, L A Walsh wrote:

In directory
/proc/registry/HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/services/eventlog
I wanted to list all the ".dll"s that handled various types of
events.


I tried
/bin/grep -Pr '\.dll'

but got a load of bogus error messages:

/bin/grep: Group: Is a directory
/bin/grep: ImagePath: Is a directory
/bin/grep: Description: Is a directory
/bin/grep: ObjectName: Is a directory
....

---
looking at ImagePath:

ll ImagePath

-r--r----- 1 65 Sep  6 22:06 ImagePath

read -r x <ImagePath
echo $x

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

---
Doesn't look like a directory.
So, bug in 'grep'?

I'm hoping this isn't limited to my machine...

You remember that the /proc/registry.../ entries are only the keys, subkeys, and
values names, not the data contained in them.

You are doing the equivalent of:

$ fgrep -r .dll
/proc/registry/HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/services/eventlog/Application/
2> /dev/null

producing nothing but error messages.

I reproduced Lindas observation (although not in the folder shementioned which does not exist here) and in fact there is aninconsistency between `grep -r` reporting "Is a directory" for entriesthat are not marked as directory by `ls`:

.pwd
/proc/registry/HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/Appinfo/Parameters
.ls -l
insgesamt 0
-r--r----- 1 SYSTEM SYSTEM 34 27. Nov 2019  ServiceDll
-r--r----- 1 SYSTEM SYSTEM  4 27. Nov 2019  ServiceDllUnloadOnStop
.grep -r .
grep: ServiceDll: Is a directory
grep: ServiceDllUnloadOnStop: Is a directory

I checked whether `opendir` marks the d_type fields wrong in the /procfilesystem but that's not it.

Thomas


What you probably want to do is check for the keys, subkeys, and values data
containing .dll names, which is best performed with find and regtool:

$ find
/proc/registry/HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/services/eventlog/Application/
-type d -print0 | xargs -0 -l1 regtool list -v | fgrep .dll
DisplayNameFile (REG_EXPAND_SZ) = "%SystemRoot%\system32\wevtapi.dll"
EventMessageFile (REG_SZ) = "C:\Windows\System32\mscoree.dll"
EventMessageFile (REG_SZ) = "C:\Windows\System32\mscoree.dll"
CategoryMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\system32\wevtapi.dll"
CategoryMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\wer.dll"
EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\wer.dll"
EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\wersvc.dll"
EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\system32\ieframe.dll"
CategoryMessageFile (REG_EXPAND_SZ) = 
"%SystemRoot%\System32\drivers\ati2erec.dll"
EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\drivers\ati2erec.dll"
...[90]...
EventMessageFile (REG_SZ) = "C:\Windows\SysWOW64\msvbvm60.dll"
EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\wersvc.dll"
EventMessageFile (REG_EXPAND_SZ) = "%systemroot%\system32\sdengin2.dll"
EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\wer.dll"
CategoryMessageFile (REG_EXPAND_SZ) = "%systemroot%\system32\tquery.dll"
EventMessageFile (REG_EXPAND_SZ) = "%systemroot%\system32\tquery.dll"
EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\system32\wsepno.dll"
EventMessageFile (REG_SZ) =
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EventLogMessages.dll"
EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\ntvdm64.dll"
EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\wshext.dll"

or you could use the Windows reg command directly for more verbose results:

$ reg query
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\eventlog\\Application
/s /d /f "*.dll"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application
     DisplayNameFile    REG_EXPAND_SZ    %SystemRoot%\system32\wevtapi.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\.NET
Runtime
     EventMessageFile    REG_SZ    C:\Windows\System32\mscoree.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\.NET
Runtime Optimization Service
     EventMessageFile    REG_SZ    C:\Windows\System32\mscoree.dll

...[104]...

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\WMI.NET
 Provider
Extension
     EventMessageFile    REG_SZ
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EventLogMessages.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\Wow64
Emulation Layer
     EventMessageFile    REG_EXPAND_SZ    %SystemRoot%\System32\ntvdm64.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\WSH
     EventMessageFile    REG_EXPAND_SZ    %SystemRoot%\System32\wshext.dll

End of search: 110 match(es) found.


--
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple

Re: Weird behavior in 'grep'ing for string in /proc/registry...

Reply via email to