Questions about unsupported registry hive (perfmon data)
Luke Kenneth Casson Leighton
lkcl at samba.org
Thu Feb 3 19:53:08 GMT 2000
On Fri, 4 Feb 2000 dunham at captech.com wrote:
>
> According to MSDN, NT exports perfmon data via a HKEY_PERFORMANCE_DATA
> registry hive. I'd like to be able to access this data from Linux, so
> I looked into the source of samba - it looks like it would be a matter
> of copying the HKLM code and filling in some magic numbers. (The RPC
> for opening the PERFORMANCE_DATA tree, and the other "magic number" in
> the open command packet.)
>
> I've captured an enumeration of this registry tree with tcpdump. The
> relevent part of the open packet is:
>
> HKEY_PERFORMANCE_DATA
>
> Data: (4 bytes)
> [000] 26 00 04 40 &..@
> Name=
> Data: (16 bytes)
> [000] 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 8C FB \.P.I.P. E.\.....
> Data: (36 bytes)
dce/rpc pdu - opcode 0x3.
> [000] 05 00 00 03 10 00 00 00 24 00 00 00 01 00 00 00 ........ $.......
> [010] 0C 00 00 00 00 00 03 00
pointer. pointer.
>       F8 F6 12 00 A0 87 01 00 ........ ........
sec_access rights - requested SEC_ACCESS_MAXIMUM_ALLOWED
> [020] 00 00 00 02 ....
> So, the RPC command is 0x03 and the magic number is A0 87 (network
> byte order). But I don't know if the other differences are
> significant. If I change the HKLM code to use these numbers, I get:
it's intel byte order, not network byte order.
you're opening a previously unknown registry hive, and you've identified
the opcode to do it (0x03).
send me a patch that cut/pastes REG_OPEN_Q_HKCR to oh, i dunno...
REG_OPEN_Q_HKPD (for performance data) and create all associated functions
in parse_prs.c, right through to rpcclient's cmd_reg.c.
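The byte-order point above is easy to get wrong by eye, so here is an added example (not code from this thread and not Samba's own parsing code) that decodes the 36-byte request dumped in the quoted message with Python's struct module. It splits the DCE/RPC common header, the request-specific header (where the opnum 0x03 lives) and the 12-byte stub, reads the stub's three dwords little-endian as the reply says, and shows what the "magic number" would wrongly become if the bytes were taken in network order. The interpretation of the stub as pointer / magic number / access mask follows the thread; the constant names (SEC_ACCESS_MAXIMUM_ALLOWED, DCERPC_PTYPE_REQUEST and the flag names) are assumptions for this example.

```python
"""Decode the captured winreg open-request PDU quoted in the thread.

Added example (not from the thread or from Samba): it parses the 36-byte
DCE/RPC request shown in the quoted dump so that the field layout and the
byte-order question (intel/little-endian vs. network order) can be checked
mechanically instead of by eye.
"""
import struct

# The 36 bytes dumped in the quoted message ([000]..[020] rows), copied verbatim.
CAPTURED_PDU = bytes.fromhex(
    "05 00 00 03 10 00 00 00 24 00 00 00 01 00 00 00"
    "0C 00 00 00 00 00 03 00 F8 F6 12 00 A0 87 01 00"
    "00 00 00 02"
)

# Windows access-mask bit for "maximum allowed"; the reply calls it
# SEC_ACCESS_MAXIMUM_ALLOWED. Constant names below are assumed for this example.
SEC_ACCESS_MAXIMUM_ALLOWED = 0x02000000
DCERPC_PTYPE_REQUEST = 0
DCERPC_PFC_FIRST_FRAG = 0x01
DCERPC_PFC_LAST_FRAG = 0x02


def parse_dcerpc_request(pdu: bytes) -> dict:
    """Parse a connection-oriented DCE/RPC request PDU: 16-byte common header,
    8-byte request header, then the stub data.

    Only little-endian data representation (drep byte 0 == 0x10) is handled;
    that is what the capture uses and what the reply means by "intel byte order".
    """
    if len(pdu) < 24:
        raise ValueError("PDU shorter than a DCE/RPC request header")
    # Common header: version, minor, packet type, flags, 4-byte drep,
    # frag length, auth length, call id (all little-endian here).
    (vers, vers_minor, ptype, pfc_flags,
     drep, frag_len, auth_len, call_id) = struct.unpack_from("<BBBB4sHHI", pdu, 0)
    if vers != 5 or vers_minor != 0:
        raise ValueError(f"unexpected DCE/RPC version {vers}.{vers_minor}")
    if drep[0] & 0xF0 != 0x10:
        raise ValueError("only little-endian data representation is supported")
    if frag_len != len(pdu):
        # A frag_length that disagrees with the bytes on the wire is the first
        # thing a parser should refuse; it is how truncated/oversized PDUs show up.
        raise ValueError(f"frag_length {frag_len} does not match PDU length {len(pdu)}")
    if ptype != DCERPC_PTYPE_REQUEST:
        raise ValueError(f"not a request PDU (ptype {ptype})")
    # Request header: alloc_hint, presentation context id, operation number.
    alloc_hint, context_id, opnum = struct.unpack_from("<IHH", pdu, 16)
    stub = pdu[24:frag_len - auth_len]
    return {
        "call_id": call_id,
        "first_frag": bool(pfc_flags & DCERPC_PFC_FIRST_FRAG),
        "last_frag": bool(pfc_flags & DCERPC_PFC_LAST_FRAG),
        "alloc_hint": alloc_hint,
        "context_id": context_id,
        "opnum": opnum,
        "stub": stub,
    }


def parse_open_hive_stub(stub: bytes) -> dict:
    """Decode the 12-byte stub of the open-hive request the way the thread reads it:
    a referent pointer, the hive-specific "magic number", and the access mask."""
    if len(stub) != 12:
        raise ValueError(f"expected a 12-byte stub, got {len(stub)}")
    ptr, magic, access_mask = struct.unpack("<III", stub)
    return {"ptr": ptr, "magic": magic, "access_mask": access_mask}


def magic_both_orders(stub: bytes) -> tuple:
    """Return the second dword read little-endian (correct) and big-endian (the
    'network byte order' misreading), to make the reply's correction concrete."""
    return (struct.unpack_from("<I", stub, 4)[0], struct.unpack_from(">I", stub, 4)[0])


if __name__ == "__main__":
    req = parse_dcerpc_request(CAPTURED_PDU)
    fields = parse_open_hive_stub(req["stub"])
    le, be = magic_both_orders(req["stub"])
    print(f"opnum=0x{req['opnum']:02x} call_id={req['call_id']} alloc_hint={req['alloc_hint']}")
    print(f"ptr=0x{fields['ptr']:08x} magic=0x{fields['magic']:08x} access=0x{fields['access_mask']:08x}")
    print(f"magic little-endian=0x{le:08x}  misread as network order=0x{be:08x}")
    print("MAXIMUM_ALLOWED requested:", bool(fields["access_mask"] & SEC_ACCESS_MAXIMUM_ALLOWED))
```

Run as a script it prints opnum 0x03, the magic number as 0x000187a0 (not 0xa0870100), and the access mask 0x02000000, i.e. the request asked for maximum allowed access, as the reply annotates. The frag_length check is the part worth keeping in any real parser: the length in the header must agree with the bytes actually received before anything after it is trusted.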
More information about the samba-technical mailing list