Questions about unsupported registry hive (perfmon data)

Luke Kenneth Casson Leighton lkcl at samba.org
Fri Feb 4 01:46:20 GMT 2000 

On 3 Feb 2000 dunham at cse.msu.edu wrote:

> Luke Kenneth Casson Leighton <lkcl at samba.org> writes:
> 
> > >  The windows client does a REG_INFO (opcode 0x11) "Global" in the
> > >  PERFORMANCE_DATA tree, gets a sizable response with
> > >  "STATUS_BUFFER_OVERFLOW" (Hint is set to 0x93ec, if that means
> > >  anything), and reads a bunch of info from the same fileid in SMB
> > >  packets until it stops getting STATUS_BUFFER_OVERFLOW packets.
> > > 
> > >  The Samba client sends a similar request, but gets a short response,
> > >  which rpcclient reports as:
> > > 
> > >    REG_INFO: NT_STATUS_UNEXPECTED_MM_CREATE_ERR
> 
> > hi steve, check samba tech archives, your previos address failed to send.
> 
> > can you send me a #define for STATUS_BUFFER_OVERFLOW, and also look up the
> > Win32 error code 234 (decimal)?
> 
> > the rpc client code is incorrectly interpreting the error as an NT STATUS
> > code, see include/nterr.h for the decimal op codes.
> 
> I may not have worded that clearly.  When an NT client makes that
> query to an NT server, it gets these packets which "netmon.exe" says
> are "status buffer overflow" which I assumes means read data from the
> SMB filehandle.  (Judging from the following exchange of packets.)
> The exact description of the SMB packet by netmon.exe is:
> 
> SMB: R transact - NT error, System, Warning, Code = (5) STATUS_BUFFER_OVERFLOW
> MSRPC: c/o RPC Response: call 0xC context 0x0 hint 0x97EC cancels 0x0
> 

oh. . _that_.  buy my book, it's got all the details in it :-)  it's a
partial PDU fragment.  SMB is saying "here's the first bit of the PDU,
it's boo big to go in an SMB response).

> When a samba client makes a similar query to an NT machine, it gets a
> different smaller response, which rpcclient (most likely correctly)
> interprets as a NT_STATUS_UNEXPECTED_MM_CREATE_ERR.

which version of rpcclient are you using?  you shoulld be useing
samba-tng's rpcclient.

> I can do a "regquerykey HKLM" (remember I changed the source to point
> HKLM at this performance data key) and get a response saying it has 0
> subkeys and 2 values.

ok, then try regenum HKLM, it should enumerate the 2 values for you.

you should really generate log 100s, it's much clearer what's going on
rpcclient -l log op-d 100.

More information about the samba-technical mailing list