public inbox for cygwin@cygwin.com
From: Thomas Wolff <towo@towo.net>
To: cygwin@cygwin.com
Subject: Re: Weird behavior in 'grep'ing for string in /proc/registry...
Date: Mon, 7 Sep 2020 09:53:58 +0200
Message-ID: <ddc33d3b-3caf-447e-fbd1-e53192eb55bc@towo.net>
In-Reply-To: <758d674d-7501-56ea-7246-894e5c877778@SystematicSw.ab.ca>

On 07.09.2020 at 09:05, Brian Inglis wrote:
> On 2020-09-06 23:34, L A Walsh wrote:
>> In directory
>> /proc/registry/HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/services/eventlog
>> I wanted to list all the ".dll"s that handled various types of
>> events.
>>
>> I tried
>> /bin/grep -Pr '\.dll'
>>
>> but got a load of bogus error messages:
>>
>> /bin/grep: Group: Is a directory
>> /bin/grep: ImagePath: Is a directory
>> /bin/grep: Description: Is a directory
>> /bin/grep: ObjectName: Is a directory
>> ....
>>
>> ---
>> looking at ImagePath:
>>> ll ImagePath
>> -r--r----- 1 65 Sep  6 22:06 ImagePath
>>> read -r x <ImagePath
>>> echo $x
>> C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
>>
>> ---
>> Doesn't look like a directory.
>> So, bug in 'grep'?
>>
>> I'm hoping this isn't limited to my machine...
> You remember that the /proc/registry.../ entries are only the keys, subkeys, and
> values names, not the data contained in them.
>
> You are doing the equivalent of:
>
> $ fgrep -r .dll /proc/registry/HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/services/eventlog/Application/ 2> /dev/null
>
> producing nothing but error messages.
I reproduced Linda's observation (although not in the folder she 
mentioned, which does not exist here) and in fact there is an 
inconsistency between `grep -r` reporting "Is a directory" for entries 
that are not marked as directory by `ls`:
.pwd
/proc/registry/HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/Appinfo/Parameters
.ls -l
insgesamt 0
-r--r----- 1 SYSTEM SYSTEM 34 27. Nov 2019  ServiceDll
-r--r----- 1 SYSTEM SYSTEM  4 27. Nov 2019  ServiceDllUnloadOnStop
.grep -r .
grep: ServiceDll: Is a directory
grep: ServiceDllUnloadOnStop: Is a directory

I checked whether `opendir` marks the d_type fields wrong in the /proc 
filesystem but that's not it.
Thomas

>
> What you probably want to do is check for the keys, subkeys, and values data
> containing .dll names, which is best performed with find and regtool:
>
> $ find /proc/registry/HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/services/eventlog/Application/ -type d -print0 | xargs -0 -l1 regtool list -v | fgrep .dll
> DisplayNameFile (REG_EXPAND_SZ) = "%SystemRoot%\system32\wevtapi.dll"
> EventMessageFile (REG_SZ) = "C:\Windows\System32\mscoree.dll"
> EventMessageFile (REG_SZ) = "C:\Windows\System32\mscoree.dll"
> CategoryMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\system32\wevtapi.dll"
> CategoryMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\wer.dll"
> EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\wer.dll"
> EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\wersvc.dll"
> EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\system32\ieframe.dll"
> CategoryMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\drivers\ati2erec.dll"
> EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\drivers\ati2erec.dll"
> ...[90]...
> EventMessageFile (REG_SZ) = "C:\Windows\SysWOW64\msvbvm60.dll"
> EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\wersvc.dll"
> EventMessageFile (REG_EXPAND_SZ) = "%systemroot%\system32\sdengin2.dll"
> EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\wer.dll"
> CategoryMessageFile (REG_EXPAND_SZ) = "%systemroot%\system32\tquery.dll"
> EventMessageFile (REG_EXPAND_SZ) = "%systemroot%\system32\tquery.dll"
> EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\system32\wsepno.dll"
> EventMessageFile (REG_SZ) =
> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EventLogMessages.dll"
> EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\ntvdm64.dll"
> EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\wshext.dll"
>
> or you could use the Windows reg command directly for more verbose results:
>
> $ reg query HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\eventlog\\Application /s /d /f "*.dll"
>
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application
>      DisplayNameFile    REG_EXPAND_SZ    %SystemRoot%\system32\wevtapi.dll
>
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\.NET
> Runtime
>      EventMessageFile    REG_SZ    C:\Windows\System32\mscoree.dll
>
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\.NET
> Runtime Optimization Service
>      EventMessageFile    REG_SZ    C:\Windows\System32\mscoree.dll
>
> ...[104]...
>
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\WMI.NET Provider
> Extension
>      EventMessageFile    REG_SZ
> C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EventLogMessages.dll
>
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\Wow64
> Emulation Layer
>      EventMessageFile    REG_EXPAND_SZ    %SystemRoot%\System32\ntvdm64.dll
>
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\WSH
>      EventMessageFile    REG_EXPAND_SZ    %SystemRoot%\System32\wshext.dll
>
> End of search: 110 match(es) found.
>
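
A diagnostic for the inconsistency discussed in this message, as an added example that is not part of the original mail or of Cygwin or grep: for each entry it compares what readdir() d_type, lstat(), fstat() on an open descriptor and read() each say about "is this a directory?". The function name is hypothetical and only POSIX calls plus d_type are assumed.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE /* exposes d_type and DT_* on glibc */
#endif
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Count entries of `dir` where readdir() d_type, lstat(), fstat() and read()
 * disagree on "is this a directory?". Returns -1 if `dir` cannot be opened. */
int count_type_mismatches(const char *dir)
{
    DIR *d = opendir(dir);
    if (!d) return -1;
    int mismatches = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        struct stat ls, fs;
        char byte;
        if (fstatat(dirfd(d), e->d_name, &ls, AT_SYMLINK_NOFOLLOW) != 0) continue;
        if (!S_ISREG(ls.st_mode) && !S_ISDIR(ls.st_mode)) continue; /* skip devices, FIFOs, links */
        int by_lstat = S_ISDIR(ls.st_mode);
        int by_dtype = e->d_type == DT_UNKNOWN ? by_lstat : e->d_type == DT_DIR;
        int by_fstat = by_lstat, by_read = by_lstat; /* kept if open fails */
        int fd = openat(dirfd(d), e->d_name, O_RDONLY);
        if (fd >= 0) {
            if (fstat(fd, &fs) == 0) by_fstat = S_ISDIR(fs.st_mode);
            /* EISDIR is the errno whose message is "Is a directory". */
            by_read = read(fd, &byte, 1) < 0 && errno == EISDIR;
            close(fd);
        }
        if (by_dtype != by_lstat || by_fstat != by_lstat || by_read != by_lstat) {
            printf("%s: d_type=%d lstat=%d fstat=%d read=%d\n",
                   e->d_name, by_dtype, by_lstat, by_fstat, by_read);
            mismatches++;
        }
    }
    closedir(d);
    return mismatches;
}

int main(int argc, char **argv)
{
    int n = count_type_mismatches(argc > 1 ? argv[1] : ".");
    if (n < 0) perror("opendir");
    return n != 0;
}
```

On a consistent filesystem every entry agrees and nothing is printed; a printed line names the API whose answer differs from lstat().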

