Subject: Re: Weird behavior in 'grep'ing for string in /proc/registry...
To: cygwin@cygwin.com
References: <5F55C670.7030004@tlinx.org> <758d674d-7501-56ea-7246-894e5c877778@SystematicSw.ab.ca>
From: Thomas Wolff
Date: Mon, 7 Sep 2020 09:53:58 +0200
In-Reply-To: <758d674d-7501-56ea-7246-894e5c877778@SystematicSw.ab.ca>

On 07.09.2020 at 09:05, Brian Inglis wrote:
> On 2020-09-06 23:34, L A Walsh wrote:
>> In directory
>> /proc/registry/HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/services/eventlog
>> I wanted to list all the ".dll"s that handled various types of
>> events.
>>
>> I tried
>> /bin/grep -Pr '\.dll'
>>
>> but got a load of bogus error messages:
>>
>> /bin/grep: Group: Is a directory
>> /bin/grep: ImagePath: Is a directory
>> /bin/grep: Description: Is a directory
>> /bin/grep: ObjectName: Is a directory
>> ....
>>
>> ---
>> looking at ImagePath:
>>> ll ImagePath
>> -r--r----- 1 65 Sep 6 22:06 ImagePath
>>> read -r x
>> echo $x
>> C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
>>
>> ---
>> Doesn't look like a directory.
>> So, bug in 'grep'?
>>
>> I'm hoping this isn't limited to my machine...
> You remember that the /proc/registry.../ entries are only the keys, subkeys, and
> values names, not the data contained in them.
>
> You are doing the equivalent of:
>
> $ fgrep -r .dll
> /proc/registry/HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/services/eventlog/Application/
> 2> /dev/null
>
> producing nothing but error messages.
I reproduced Linda's observation (although not in the folder she mentioned
which does not exist here) and in fact there is an inconsistency between
`grep -r` reporting "Is a directory" for entries that are not marked as
directory by `ls`:
.pwd
/proc/registry/HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/Appinfo/Parameters
.ls -l
insgesamt 0
-r--r----- 1 SYSTEM SYSTEM 34 27. Nov 2019  ServiceDll
-r--r----- 1 SYSTEM SYSTEM  4 27. Nov 2019  ServiceDllUnloadOnStop
.grep -r .
grep: ServiceDll: Is a directory
grep: ServiceDllUnloadOnStop: Is a directory

I checked whether `opendir` marks the d_type fields wrong in the /proc
filesystem but that's not it.
Thomas
>
> What you probably want to do is check for the keys, subkeys, and values data
> containing .dll names, which is best performed with find and regtool:
>
> $ find
> /proc/registry/HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/services/eventlog/Application/
> -type d -print0 | xargs -0 -l1 regtool list -v | fgrep .dll
> DisplayNameFile (REG_EXPAND_SZ) = "%SystemRoot%\system32\wevtapi.dll"
> EventMessageFile (REG_SZ) = "C:\Windows\System32\mscoree.dll"
> EventMessageFile (REG_SZ) = "C:\Windows\System32\mscoree.dll"
> CategoryMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\system32\wevtapi.dll"
> CategoryMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\wer.dll"
> EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\wer.dll"
> EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\wersvc.dll"
> EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\system32\ieframe.dll"
> CategoryMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\drivers\ati2erec.dll"
> EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\drivers\ati2erec.dll"
> ...[90]...
> EventMessageFile (REG_SZ) = "C:\Windows\SysWOW64\msvbvm60.dll"
> EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\wersvc.dll"
> EventMessageFile (REG_EXPAND_SZ) = "%systemroot%\system32\sdengin2.dll"
> EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\wer.dll"
> CategoryMessageFile (REG_EXPAND_SZ) = "%systemroot%\system32\tquery.dll"
> EventMessageFile (REG_EXPAND_SZ) = "%systemroot%\system32\tquery.dll"
> EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\system32\wsepno.dll"
> EventMessageFile (REG_SZ) =
> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EventLogMessages.dll"
> EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\ntvdm64.dll"
> EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\wshext.dll"
>
> or you could use the Windows reg command directly for more verbose results:
>
> $ reg query
> HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\eventlog\\Application
> /s /d /f "*.dll"
>
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application
> DisplayNameFile REG_EXPAND_SZ %SystemRoot%\system32\wevtapi.dll
>
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\.NET
> Runtime
> EventMessageFile REG_SZ C:\Windows\System32\mscoree.dll
>
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\.NET
> Runtime Optimization Service
> EventMessageFile REG_SZ C:\Windows\System32\mscoree.dll
>
> ...[104]...
>
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\WMI.NET Provider
> Extension
> EventMessageFile REG_SZ
> C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EventLogMessages.dll
>
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\Wow64
> Emulation Layer
> EventMessageFile REG_EXPAND_SZ %SystemRoot%\System32\ntvdm64.dll
>
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\WSH
> EventMessageFile REG_EXPAND_SZ %SystemRoot%\System32\wshext.dll
>
> End of search: 110 match(es) found.
>
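
Added example, not part of the mail thread: a filter for the `regtool list -v` output shown in the quoted reply that groups the DLL-valued string entries case-insensitively, counts how often each library is registered, and rejoins a value wrapped onto the next line. The names `dll_values` and `sample_regtool_output` and the last two sample lines are assumptions made for this example.

```shell
#!/bin/sh
# Added example: summarise DLL paths found in `regtool list -v` style output.
# Each input line looks like:  ValueName (REG_TYPE) = "data"

dll_values() {
    awk '
    { sub(/[ \t\r]+$/, "") }                       # strip trailing blanks / CR
    pending != "" { $0 = pending " " $0; pending = "" }
    /\) =$/ { pending = $0; next }                 # data wrapped onto next line
    match($0, / \(REG_(EXPAND_)?SZ\) = "/) {       # string-typed values only
        name = substr($0, 1, RSTART - 1)
        data = substr($0, RSTART + RLENGTH)
        sub(/"$/, "", data)
        key = tolower(data)                        # Windows paths ignore case
        if (key !~ /\.dll$/) next
        if (!(key in count)) { order[++n] = key; shown[key] = data }
        count[key]++
        if (!((key, name) in seen)) {              # list each value name once
            seen[key, name] = 1
            names[key] = (names[key] == "" ? name : names[key] "," name)
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            k = order[i]                           # keep first-seen order
            printf "%d\t%s\t%s\n", count[k], shown[k], names[k]
        }
    }'
}

# Constructed sample: the first seven lines are taken from the output quoted
# in the thread (one value wrapped); the last two are made up for the example.
sample_regtool_output() {
    cat <<'EOF'
DisplayNameFile (REG_EXPAND_SZ) = "%SystemRoot%\system32\wevtapi.dll"
EventMessageFile (REG_SZ) = "C:\Windows\System32\mscoree.dll"
EventMessageFile (REG_SZ) = "C:\Windows\System32\mscoree.dll"
CategoryMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\system32\wevtapi.dll"
EventMessageFile (REG_SZ) =
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EventLogMessages.dll"
EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\wer.dll"
EventMessageFile (REG_EXPAND_SZ) = "%systemroot%\system32\WER.DLL"
Comment (REG_SZ) = "not a library"
EOF
}

sample_regtool_output | dll_values
```

On Cygwin, the `find ... | xargs -0 -l1 regtool list -v` pipeline from the quoted reply can be piped into `dll_values` in place of `fgrep .dll`; the output columns are count, path as first seen, and the value names that reference it.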