Questions about unsupported registry hive (perfmon data)

dunham at cse.msu.edu
Thu Feb 3 23:42:02 GMT 2000


dunham at captech.com writes:

> According to MSDN, NT exports perfmon data via a HKEY_PERFORMANCE_DATA
> registry hive.  I'd like to be able to access this data from Linux, so
> I looked into the source of samba - it looks like it would be a matter
> of copying the HKLM code and filling in some magic numbers.  (The RPC
> for opening the PERFORMANCE_DATA tree, and the other "magic number" in
> the open command packet.)

> [...]

> So, the RPC command is 0x03 and the magic number is A0 87 (network
> byte order).  But I don't know if the other differences are
> significant. If I change the HKLM code to use these numbers, I get:

>   REG_ENUM_VALUE: NT_STATUS_UNEXPECTED_MM_CREATE_ERR

> on an enum of HKLM.  

> So, I guess my questions are: is anybody working on this, and does
> anyone have any ideas on how to make this work?

> (BTW, to get a good packet dump of an enum, run perfmon.exe, do
> "Edit/Add to Chart", type a different machine name in and press
> return.)

A quick followup.  The Perfmon stuff uses strings in:

   HKLM\Software\Microsoft\Windows NT\Perflib\...

to do some object number -> string conversion, there is code in MSDN
to decode the packets returned from the PERFORMANCE_DATA hive using
this information. So I can write code to decode this stuff if I can
get it.

The way to access the info proper is to connect to "Global" in
HKEY_PERFORMANCE_DATA.  (Or you can connect to a space separated list
of Object #'s, e.g. "HKPD\2 3", for a subset of the data.)

The big sticking point for me right now is:

 I've changed the HKLM code to use opcode 0x03 instead of 0x02 and
 pass 0x87A0 to reg_open_hklm.  

 The windows client does a REG_INFO (opcode 0x11) "Global" in the
 PERFORMANCE_DATA tree, gets a sizable response with
 "STATUS_BUFFER_OVERFLOW" (Hint is set to 0x93ec, if that means
 anything), and reads a bunch of info from the same fileid in SMB
 packets until it stops getting STATUS_BUFFER_OVERFLOW packets.

 The Samba client sends a similar request, but gets a short response,
 which rpcclient reports as:

   REG_INFO: NT_STATUS_UNEXPECTED_MM_CREATE_ERR

 (it does report session setup ok right before this..)


Please CC me on any responses.

Thanks,
Steve Dunham
dunham at debian.org
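The object number -> string conversion mentioned above is done with the Perflib "Counter" value, a REG_MULTI_SZ that alternates a decimal index with the name it denotes. The following is an added example, not code from this post or from Samba, showing how a client would decode that value and use it to resolve an "HKPD\2 3" style object list. The counter table embedded here is a constructed subset with a handful of well-known indices; a real table is read from the Perflib key on the target machine and is much larger.

```python
from typing import Dict, List, Tuple


def encode_reg_multi_sz(strings: List[str]) -> bytes:
    """Build a REG_MULTI_SZ blob: UTF-16LE strings, each NUL-terminated,
    with an extra NUL closing the list. Used here only to construct
    sample input; a real client receives this blob from the registry."""
    return "".join(s + "\x00" for s in strings).encode("utf-16-le") + b"\x00\x00"


def decode_reg_multi_sz(blob: bytes) -> List[str]:
    """Split a REG_MULTI_SZ blob back into its component strings."""
    text = blob.decode("utf-16-le")
    parts = text.split("\x00")
    # The terminating double NUL yields trailing empty strings; drop them.
    while parts and parts[-1] == "":
        parts.pop()
    return parts


def build_counter_table(blob: bytes) -> Dict[int, str]:
    """Turn Perflib's 'Counter' value (index, name, index, name, ...) into
    a mapping from numeric index to name. Malformed tables are rejected
    rather than silently producing a shifted mapping."""
    parts = decode_reg_multi_sz(blob)
    if len(parts) % 2:
        raise ValueError("Counter table has an unpaired entry")
    table: Dict[int, str] = {}
    for idx_str, name in zip(parts[0::2], parts[1::2]):
        if not idx_str.isdigit():
            raise ValueError(f"non-numeric counter index {idx_str!r}")
        table[int(idx_str)] = name
    return table


def resolve_object_list(spec: str, table: Dict[int, str]) -> List[Tuple[int, str]]:
    """Map a HKEY_PERFORMANCE_DATA query string such as "2 3" (a space
    separated list of object numbers) to (index, name) pairs. "Global"
    means every object, so it resolves to the whole table. Unknown
    indices are reported rather than dropped so the caller can see them."""
    if spec.strip() == "Global":
        return sorted(table.items())
    out: List[Tuple[int, str]] = []
    for tok in spec.split():
        if not tok.isdigit():
            raise ValueError(f"bad object number {tok!r} in query {spec!r}")
        idx = int(tok)
        out.append((idx, table.get(idx, "<unknown>")))
    return out


# Constructed sample: a small subset of the kind of entries found in the
# Perflib Counter value (indices and names assumed for illustration).
SAMPLE_COUNTER_BLOB = encode_reg_multi_sz([
    "2", "System",
    "4", "Memory",
    "6", "% Processor Time",
    "230", "Process",
    "238", "Processor",
])


if __name__ == "__main__":
    table = build_counter_table(SAMPLE_COUNTER_BLOB)
    for idx, name in resolve_object_list("2 3", table):
        print(f"object {idx}: {name}")
```

Note that the table maps both object names and counter names (index 6 here is a counter, not an object), so a lookup succeeding does not by itself prove the index names an object; a client decoding the returned performance data still has to check which kind of record it is reading.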
