Questions about unsupported registry hive (perfmon data)
Luke Kenneth Casson Leighton
lkcl at samba.org
Fri Feb 4 01:46:20 GMT 2000
On 3 Feb 2000 dunham at cse.msu.edu wrote:
> Luke Kenneth Casson Leighton <lkcl at samba.org> writes:
> > > The windows client does a REG_INFO (opcode 0x11) "Global" in the
> > > PERFORMANCE_DATA tree, gets a sizable response with
> > > "STATUS_BUFFER_OVERFLOW" (Hint is set to 0x93ec, if that means
> > > anything), and reads a bunch of info from the same fileid in SMB
> > > packets until it stops getting STATUS_BUFFER_OVERFLOW packets.
> > >
> > > The Samba client sends a similar request, but gets a short response,
> > > which rpcclient reports as:
> > >
> > > REG_INFO: NT_STATUS_UNEXPECTED_MM_CREATE_ERR
> > hi steve, check samba tech archives, your previous address failed to send.
> > can you send me a #define for STATUS_BUFFER_OVERFLOW, and also look up the
> > Win32 error code 234 (decimal)?
> > the rpc client code is incorrectly interpreting the error as an NT STATUS
> > code, see include/nterr.h for the decimal op codes.
> I may not have worded that clearly. When an NT client makes that
> query to an NT server, it gets these packets which "netmon.exe" says
> are "status buffer overflow" which I assume means read data from the
> SMB filehandle. (Judging from the following exchange of packets.)
> The exact description of the SMB packet by netmon.exe is:
> SMB: R transact - NT error, System, Warning, Code = (5) STATUS_BUFFER_OVERFLOW
> MSRPC: c/o RPC Response: call 0xC context 0x0 hint 0x97EC cancels 0x0
oh... _that_. buy my book, it's got all the details in it :-) it's a
partial PDU fragment. SMB is saying "here's the first bit of the PDU,
it's too big to go in an SMB response".
> When a samba client makes a similar query to an NT machine, it gets a
> different smaller response, which rpcclient (most likely correctly)
> interprets as a NT_STATUS_UNEXPECTED_MM_CREATE_ERR.
which version of rpcclient are you using? you should be using
> I can do a "regquerykey HKLM" (remember I changed the source to point
> HKLM at this performance data key) and get a response saying it has 0
> subkeys and 2 values.
ok, then try regenum HKLM, it should enumerate the 2 values for you.
you should really generate log 100s, it's much clearer what's going on
rpcclient -l log op-d 100.
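
The partial-PDU behaviour discussed in this message, as an added example that is not part of the original post and is not Samba's code: a client keeps reading the same pipe while the status is STATUS_BUFFER_OVERFLOW, then checks the total against the frag_length field of the DCE/RPC header. The names fake_pipe, pipe_read, read_pdu and demo are hypothetical, and pipe_read stands in for both the SMB transact response and the follow-up reads on the same file id.

```c
#include <stdint.h>
#include <string.h>

#define STATUS_SUCCESS         0x00000000u
#define STATUS_BUFFER_OVERFLOW 0x80000005u /* warning: more of the PDU is still queued */
#define RPC_HDR_LEN 16                     /* DCE/RPC connection-oriented common header */

/* Constructed stand-in for the server end of the pipe, holding one queued PDU. */
struct fake_pipe { const uint8_t *pdu; size_t len, off; };

/* Hypothetical transport call: hands back up to max bytes of the queued PDU. */
static uint32_t pipe_read(struct fake_pipe *p, uint8_t *out, size_t max, size_t *got)
{
    size_t left = p->len - p->off;
    *got = left < max ? left : max;
    memcpy(out, p->pdu + p->off, *got);
    p->off += *got;
    return p->off < p->len ? STATUS_BUFFER_OVERFLOW : STATUS_SUCCESS;
}

/* Reassemble one PDU; returns its length, or -1 if the pieces do not add up.
 * frag_length is at offset 8; drep[0] (offset 4) bit 0x10 means little-endian. */
long read_pdu(struct fake_pipe *p, uint8_t *buf, size_t cap, size_t chunk)
{
    size_t have = 0, got = 0, want = 0;
    uint32_t st;
    do {
        size_t ask = cap - have < chunk ? cap - have : chunk;
        if (ask == 0) return -1;              /* our buffer is full, server has more */
        st = pipe_read(p, buf + have, ask, &got);
        if (st != STATUS_SUCCESS && st != STATUS_BUFFER_OVERFLOW) return -1;
        have += got;
        if (want == 0 && have >= RPC_HDR_LEN) {
            want = (buf[4] & 0x10) ? (size_t)(buf[8] | (buf[9] << 8))
                                   : (size_t)((buf[8] << 8) | buf[9]);
            if (want < RPC_HDR_LEN || want > cap) return -1; /* untrusted length */
        }
    } while (st == STATUS_BUFFER_OVERFLOW);
    return have == want ? (long)have : -1;
}

/* Constructed sample: a response PDU of real length len whose header claims `claimed`. */
long demo(size_t len, uint16_t claimed, size_t chunk)
{
    uint8_t pdu[256] = {5, 0, 2, 3, 0x10, 0, 0, 0}, buf[128];
    struct fake_pipe p = { pdu, len, 0 };
    if (len > sizeof pdu) return -1;
    pdu[8] = claimed & 0xff; pdu[9] = (uint8_t)(claimed >> 8);
    return read_pdu(&p, buf, sizeof buf, chunk);
}
int main(void) { return demo(100, 100, 32) == 100 ? 0 : 1; }
```
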