Questions about unsupported registry hive (perfmon data)

dunham at cse.msu.edu dunham at cse.msu.edu
Fri Feb 4 01:01:10 GMT 2000


Luke Kenneth Casson Leighton <lkcl at samba.org> writes:

> >  The windows client does a REG_INFO (opcode 0x11) "Global" in the
> >  PERFORMANCE_DATA tree, gets a sizable response with
> >  "STATUS_BUFFER_OVERFLOW" (Hint is set to 0x93ec, if that means
> >  anything), and reads a bunch of info from the same fileid in SMB
> >  packets until it stops getting STATUS_BUFFER_OVERFLOW packets.
> > 
> >  The Samba client sends a similar request, but gets a short response,
> >  which rpcclient reports as:
> > 
> >    REG_INFO: NT_STATUS_UNEXPECTED_MM_CREATE_ERR

> hi steve, check samba tech archives, your previous address failed to send.

> can you send me a #define for STATUS_BUFFER_OVERFLOW, and also look up the
> Win32 error code 234 (decimal)?

> the rpc client code is incorrectly interpreting the error as an NT STATUS
> code, see include/nterr.h for the decimal op codes.

I may not have worded that clearly.  When an NT client makes that
query to an NT server, it gets these packets which "netmon.exe" says
are "status buffer overflow" which I assume means read data from the
SMB filehandle.  (Judging from the following exchange of packets.)
The exact description of the SMB packet by netmon.exe is:

SMB: R transact - NT error, System, Warning, Code = (5) STATUS_BUFFER_OVERFLOW
MSRPC: c/o RPC Response: call 0xC context 0x0 hint 0x97EC cancels 0x0


When a samba client makes a similar query to an NT machine, it gets a
different smaller response, which rpcclient (most likely correctly)
interprets as an NT_STATUS_UNEXPECTED_MM_CREATE_ERR.

I can do a "regquerykey HKLM" (remember I changed the source to point
HKLM at this performance data key) and get a response saying it has 0
subkeys and 2 values.


Here is the MSRPC part of the various packets, as provided by netmon.


Query by WinNT:

00000080                                            05 00               ..
00000090  00 03 10 00 00 00 78 00 00 00 0C 00 00 00 60 00 ......x.......`.
000000A0  00 00 00 00 11 00 00 00 00 00 ED AB BC 28 24 D5 .............($.
000000B0  D3 11 82 2E 00 50 08 00 24 A6 0E 00 0E 00 A8 7C .....P..$......|
000000C0  1A 00 07 00 00 00 00 00 00 00 07 00 00 00 47 00 ..............G.
000000D0  6C 00 6F 00 62 00 61 00 6C 00 00 00 20 00 58 F8 l.o.b.a.l.....X.
000000E0  12 00 04 FC 12 00 98 5F 1D 00 00 90 01 00 00 00 ......._........
000000F0  00 00 00 00 00 00 5C F8 12 00 00 90 01 00 54 F8 ......\.......T.
00000100  12 00 00 00 00 00                               ......          

Response to NT client:

00000070                    05 00 02 00 10 00 00 00 30 16       ........0.
00000080  00 00 0C 00 00 00 8C 3F 00 00 00 00 00 00 8C 52 .......?.......R
00000090  F0 77 05 00 00 00 00 00 00 00 82 00 00 00 81 00 .w..............
000000A0  00 00 1C 00 00 00 E6 00 00 00 0C 00 00 00 FF FF ................
000000B0  FF FF 18 00 00 00 04 00 00 00 31 00 00 00 44 00 ..........1...D.
000000C0  00 00 20 9E 21 00 00 00 00 00 80 39 0C 00 00 00 ....!......9....
    ...
000005B0  00 00 00 00 00 00 00 00 00 00 60 0E 03 00 00 00 ..........`.....
000005C0  00 00 48 00 00 00 60 53 56 A8 E0 61 BF 01 09 00 ..H...`SV..a....
000005D0  00 00 08 00 00 00 80 52 F0 77 05 00 00 00 07 00 .......R.w......
000005E0  00 00 89 00 00 00 C6 00 00 00                   ..........      


Query by Samba:

00000080                    05 00 00 03 10 00 00 00 78 00       ........x.
00000090  00 00 0B 00 00 00 60 00 00 00 00 00 11 00 00 00 ......`.........
000000A0  00 00 05 AA 35 80 34 DA D3 11 83 29 00 90 27 4F ....5.4....)..'O
000000B0  A8 05 0E 00 0E 00 01 00 00 00 07 00 00 00 00 00 ................
000000C0  00 00 07 00 00 00 47 00 6C 00 6F 00 62 00 61 00 ......G.l.o.b.a.
000000D0  6C 00 00 00 00 00 01 00 00 00 14 23 87 77 01 00 l..........#.w..
000000E0  00 00 04 01 00 00 00 00 00 00 00 00 00 00 01 00 ................
000000F0  00 00 04 01 00 00 01 00 00 00 00 00 00 00       ..............  

Response to Samba client:

00000070        05 00 02 03 10 00 00 00 44 00 00 00 0B 00   ........D.....
00000080  00 00 2C 00 00 00 00 00 00 00 BC 80 14 00 14 23 ..,............#
00000090  87 77 E8 B8 13 00 04 01 00 00 00 00 00 00 00 00 .w..............
000000A0  00 00 D4 80 14 00 04 01 00 00 DC 80 14 00 00 00 ................
000000B0  00 00 EA 00 00 00                               ......          



Steve
dunham at debian.org
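
Added example, not part of the original message or of Samba's code: a Python decoder for the DCE/RPC response headers in the dumps above. It reads the trailing 32-bit return value of the complete "Response to Samba client" PDU (0xEA, decimal 234) and shows that OR-ing it with 0xC0000000 gives the NTSTATUS value whose name rpcclient printed. The constant names and the value 0xC00000EA are taken from the Windows headers rather than from this thread, and the Win32/NTSTATUS split in describe() is a heuristic.

```python
import struct

# Bytes copied from the "Response to Samba client" dump in the message.
SAMBA_RESPONSE = bytes.fromhex("""
    05 00 02 03 10 00 00 00 44 00 00 00 0B 00
    00 00 2C 00 00 00 00 00 00 00 BC 80 14 00 14 23
    87 77 E8 B8 13 00 04 01 00 00 00 00 00 00 00 00
    00 00 D4 80 14 00 04 01 00 00 DC 80 14 00 00 00
    00 00 EA 00 00 00
""")
# First 24 bytes of the "Response to NT client" dump (the rest is elided there).
NT_RESPONSE_HEADER = bytes.fromhex(
    "05 00 02 00 10 00 00 00 30 16 00 00 0C 00 00 00 8C 3F 00 00 00 00 00 00")

PFC_FIRST_FRAG, PFC_LAST_FRAG = 0x01, 0x02
# Well-known values from the Windows headers, not taken from the page.
ERROR_MORE_DATA = 234                         # winerror.h
STATUS_UNEXPECTED_MM_CREATE_ERR = 0xC00000EA  # ntstatus.h

def parse_response(pdu):
    """Decode a connection-oriented DCE/RPC response PDU (ptype 2)."""
    ver, minor, ptype, flags, drep, frag_len, auth_len, call_id = \
        struct.unpack_from("<BBBB4sHHI", pdu, 0)
    if (ver, ptype) != (5, 2) or drep[0] >> 4 != 1:
        raise ValueError("not a little-endian DCE/RPC v5 response")
    alloc_hint, context_id, cancels, _ = struct.unpack_from("<IHBB", pdu, 16)
    complete = len(pdu) == frag_len and auth_len == 0
    return {
        "call_id": call_id, "frag_len": frag_len, "alloc_hint": alloc_hint,
        "first": bool(flags & PFC_FIRST_FRAG), "last": bool(flags & PFC_LAST_FRAG),
        # The call's return value is the last 4 bytes of the stub, and is only
        # readable when the whole final fragment was captured.
        "status": struct.unpack_from("<I", pdu, frag_len - 4)[0]
                  if complete and flags & PFC_LAST_FRAG else None,
    }

def describe(status):
    """Heuristic: NTSTATUS errors/warnings set the top severity bits."""
    kind = "NTSTATUS" if status >> 30 else "Win32 error"
    return f"{kind} 0x{status:08X} ({status})"

if __name__ == "__main__":
    for name, pdu in (("samba", SAMBA_RESPONSE), ("nt", NT_RESPONSE_HEADER)):
        print(name, parse_response(pdu))
    s = parse_response(SAMBA_RESPONSE)["status"]
    print(describe(s), "| OR 0xC0000000 ->", describe(0xC0000000 | s))
```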