Questions about unsupported registry hive (perfmon data)

dunham at captech.com
Thu Feb 3 19:32:05 GMT 2000


According to MSDN, NT exports perfmon data via a HKEY_PERFORMANCE_DATA
registry hive.  I'd like to be able to access this data from Linux, so
I looked into the source of samba - it looks like it would be a matter
of copying the HKLM code and filling in some magic numbers.  (The RPC
for opening the PERFORMANCE_DATA tree, and the other "magic number" in
the open command packet.)

I've captured an enumeration of this registry tree with tcpdump.  The
relevant part of the open packet is:

HKEY_PERFORMANCE_DATA

Data: (4 bytes)
[000] 26 00 04 40                                       &..@ 
Name=
Data: (16 bytes)
[000] 5C 00 50 00 49 00 50 00  45 00 5C 00 00 00 8C FB  \.P.I.P. E.\.....
Data Data: (36 bytes)
[000] 05 00 00 03 10 00 00 00  24 00 00 00 01 00 00 00  ........ $.......
[010] 0C 00 00 00 00 00 03 00  F8 F6 12 00 A0 87 01 00  ........ ........
[020] 00 00 00 02                                       .... 

HKEY_LOCAL_MACHINE

Data: (4 bytes)
[000] 26 00 05 08                                       &... 
Name=\PIPE\
Data: (2 bytes)
[000] 00 00                                             .. 
Data Data: (36 bytes)
[000] 05 00 00 03 10 00 00 00  24 00 00 00 02 00 00 00  ........ $.......
[010] 0C 00 00 00 00 00 02 00  01 00 00 00 E0 84 00 00  ........ ........
[020] 00 00 00 02                                       .... 


So, the RPC command is 0x03 and the magic number is A0 87 (network
byte order).  But I don't know if the other differences are
significant. If I change the HKLM code to use these numbers, I get:

  REG_ENUM_VALUE: NT_STATUS_UNEXPECTED_MM_CREATE_ERR

on an enum of HKLM.  


So, I guess my questions are: is anybody working on this, and does
anyone have any ideas on how to make this work?

(BTW, to get a good packet dump of an enum, run perfmon.exe, do
"Edit/Add to Chart", type a different machine name in and press
return.)


Please CC me on any responses.

Thanks,

Steve Dunham
dunham at debian.org
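
As an added example (not part of the original post and not Samba code), the two 36-byte dumps above can be split into the standard connection-oriented DCE/RPC request header fields to show which fields differ between the captures. The stub bytes after the header are left undecoded, and the names `parse_request` and `diff_fields` are hypothetical.

```python
import struct

# The two 36-byte "Data Data" dumps from the post, re-typed as hex.
HKPD = bytes.fromhex("05000003100000002400000001000000"
                     "0C00000000000300F8F61200A0870100" "00000002")
HKLM = bytes.fromhex("05000003100000002400000002000000"
                     "0C0000000000020001000000E0840000" "00000002")

PTYPE_REQUEST = 0x00
PFC_OBJECT_UUID = 0x80  # header would carry an extra 16-byte object UUID


def parse_request(pdu):
    """Decode the header of a connection-oriented DCE/RPC request PDU."""
    if len(pdu) < 24:
        raise ValueError("too short for a request header")
    ver, _minor, ptype, flags = struct.unpack_from("4B", pdu, 0)
    if (ver, ptype) != (5, PTYPE_REQUEST):
        raise ValueError("not a DCE/RPC v5 request")
    # First data-representation byte: high nibble 1 means little-endian integers.
    end = "<" if pdu[4] >> 4 == 1 else ">"
    frag_len, auth_len, call_id = struct.unpack_from(end + "HHI", pdu, 8)
    alloc_hint, ctx_id, opnum = struct.unpack_from(end + "IHH", pdu, 16)
    if frag_len != len(pdu):
        raise ValueError("frag_length does not match capture length")
    if auth_len or flags & PFC_OBJECT_UUID:
        raise ValueError("auth trailer / object UUID not handled in this sketch")
    return {
        "version": ver, "flags": flags, "frag_len": frag_len,
        "call_id": call_id, "alloc_hint": alloc_hint,
        "ctx_id": ctx_id, "opnum": opnum,
        "stub": pdu[24:frag_len],  # marshalled arguments, left as raw bytes
    }


def diff_fields(a, b):
    """Return the names of header fields whose values differ between two PDUs."""
    fa, fb = parse_request(a), parse_request(b)
    return [name for name in fa if fa[name] != fb[name]]


if __name__ == "__main__":
    for label, pdu in (("HKEY_PERFORMANCE_DATA", HKPD), ("HKEY_LOCAL_MACHINE", HKLM)):
        fields = parse_request(pdu)
        print(label, {k: (v.hex() if k == "stub" else v) for k, v in fields.items()})
    print("differing fields:", diff_fields(HKPD, HKLM))
```

Only `call_id`, `opnum` and the 12-byte stub differ between the two captures; the opnum field holds the 0x03 the post calls the RPC command.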

