Questions about unsupported registry hive (perfmon data)

Luke Kenneth Casson Leighton lkcl at samba.org
Thu Feb 3 19:53:08 GMT 2000


On Fri, 4 Feb 2000 dunham at captech.com wrote:

> 
> According to MSDN, NT exports perfmon data via a HKEY_PERFORMANCE_DATA
> registry hive.  I'd like to be able to access this data from Linux, so
> I looked into the source of samba - it looks like it would be a matter
> of copying the HKLM code and filling in some magic numbers.  (The RPC
> for opening the PERFORMANCE_DATA tree, and the other "magic number" in
> the open command packet.)
> 
> I've captured an enumeration of this registry tree with tcpdump.  The
> relevant part of the open packet is:
> 
> HKEY_PERFORMANCE_DATA
> 
> Data: (4 bytes)
> [000] 26 00 04 40                                       &..@ 
> Name=
> Data: (16 bytes)
> [000] 5C 00 50 00 49 00 50 00  45 00 5C 00 00 00 8C FB  \.P.I.P. E.\.....
> Data Data: (36 bytes)

dce/rpc pdu - opcode 0x3.

> [000] 05 00 00 03 10 00 00 00  24 00 00 00 01 00 00 00  ........ $.......
> [010] 0C 00 00 00 00 00 03 00  

pointer. pointer.

>                                  F8 F6 12 00 A0 87 01 00  ........

sec_access rights - requested SEC_ACCESS_MAXIMUM_ALLOWED

> [020] 00 00 00 02                                       .... 

> So, the RPC command is 0x03 and the magic number is A0 87 (network
> byte order).  But I don't know if the other differences are
> significant. If I change the HKLM code to use these numbers, I get:

it's intel byte order, not network byte order.

you're opening a previously unknown registry hive, and you've identified
the opcode to do it (0x03).


send me a patch that cut/pastes REG_OPEN_Q_HKCR to oh, i dunno...
REG_OPEN_Q_HKPD (for performance data) and create all associated functions
in parse_prs.c, right through to rpcclient's cmd_reg.c.
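As an added example (not code from this thread or from Samba), a small Python decoder for the 36-byte request PDU quoted above. It follows the annotations in the reply: the DCE/RPC header declares its own byte order, opnum 3 sits in the request header, and the last stub dword is the access mask 0x02000000 (SEC_ACCESS_MAXIMUM_ALLOWED). The stub field names (ptr, unknown_0, unknown_1) are borrowed from Samba's REG_OPEN_Q_* naming as an assumption.

```python
import struct

# Constructed from the hex dump quoted in this thread: the 36-byte DCE/RPC
# request PDU that opens HKEY_PERFORMANCE_DATA over the winreg pipe.
CAPTURED_OPEN_HKPD = bytes.fromhex(
    "05 00 00 03 10 00 00 00 24 00 00 00 01 00 00 00"
    "0C 00 00 00 00 00 03 00 F8 F6 12 00 A0 87 01 00"
    "00 00 00 02"
)

SEC_ACCESS_MAXIMUM_ALLOWED = 0x02000000  # access mask identified in the reply
PTYPE_REQUEST = 0


def parse_winreg_open_request(pdu: bytes) -> dict:
    """Decode a connection-oriented DCE/RPC request PDU carrying a winreg
    OpenHK* call; integers are read in the byte order the PDU declares."""
    if len(pdu) < 24:
        raise ValueError("PDU shorter than the 16-byte header plus request fields")
    ver_major, _ver_minor, ptype, pfc_flags, drep0 = pdu[0:5]
    if (ver_major, ptype) != (5, PTYPE_REQUEST):
        raise ValueError(f"not a v5 request PDU (version={ver_major}, ptype={ptype})")
    # drep byte 0, high nibble: 1 = little-endian ("intel") integers, 0 = big-endian.
    little_endian = (drep0 >> 4) == 1
    e = "<" if little_endian else ">"
    frag_len, auth_len, call_id = struct.unpack(e + "HHI", pdu[8:16])
    if frag_len != len(pdu):
        raise ValueError(f"frag_len {frag_len} does not match captured {len(pdu)} bytes")
    alloc_hint, context_id, opnum = struct.unpack(e + "IHH", pdu[16:24])
    stub = pdu[24:24 + alloc_hint]
    if len(stub) < 12 or len(stub) != alloc_hint:
        raise ValueError("stub data does not match alloc_hint")
    # Stub fields named after Samba's REG_OPEN_Q_* parsers (assumption, not from
    # the thread): a pointer, two 16-bit unknowns, then the access mask.
    ptr, unknown_0, unknown_1, access_mask = struct.unpack(e + "IHHI", stub[:12])
    return {
        "little_endian": little_endian, "pfc_flags": pfc_flags,
        "frag_len": frag_len, "auth_len": auth_len, "call_id": call_id,
        "alloc_hint": alloc_hint, "context_id": context_id, "opnum": opnum,
        "ptr": ptr, "unknown_0": unknown_0, "unknown_1": unknown_1,
        # What the same two bytes read as if mistaken for network byte order.
        "unknown_0_if_network_order": struct.unpack(">H", stub[4:6])[0],
        "access_mask": access_mask,
        "maximum_allowed": access_mask == SEC_ACCESS_MAXIMUM_ALLOWED,
    }


if __name__ == "__main__":
    for key, value in parse_winreg_open_request(CAPTURED_OPEN_HKPD).items():
        print(f"{key:28s} {value:#x}" if type(value) is int else f"{key:28s} {value}")
```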
More information about the samba-technical mailing list