Questions about unsupported registry hive (perfmon data)
dunham at captech.com
Thu Feb 3 19:32:05 GMT 2000
According to MSDN, NT exports perfmon data via a HKEY_PERFORMANCE_DATA
registry hive. I'd like to be able to access this data from Linux, so
I looked into the source of samba - it looks like it would be a matter
of copying the HKLM code and filling in some magic numbers. (The RPC
for opening the PERFORMANCE_DATA tree, and the other "magic number" in
the open command packet.)
I've captured an enumeration of this registry tree with tcpdump. The
relevant part of the open packet is:
HKEY_PERFORMANCE_DATA
Data: (4 bytes)
[000] 26 00 04 40 &..@
Name=
Data: (16 bytes)
[000] 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 8C FB \.P.I.P. E.\.....
Data Data: (36 bytes)
[000] 05 00 00 03 10 00 00 00 24 00 00 00 01 00 00 00 ........ $.......
[010] 0C 00 00 00 00 00 03 00 F8 F6 12 00 A0 87 01 00 ........ ........
[020] 00 00 00 02 ....
HKEY_LOCAL_MACHINE
Data: (4 bytes)
[000] 26 00 05 08 &...
Name=\PIPE\
Data: (2 bytes)
[000] 00 00 ..
Data Data: (36 bytes)
[000] 05 00 00 03 10 00 00 00 24 00 00 00 02 00 00 00 ........ $.......
[010] 0C 00 00 00 00 00 02 00 01 00 00 00 E0 84 00 00 ........ ........
[020] 00 00 00 02 ....
So, the RPC command is 0x03 and the magic number is A0 87 (network
byte order). But I don't know if the other differences are
significant. If I change the HKLM code to use these numbers, I get:
REG_ENUM_VALUE: NT_STATUS_UNEXPECTED_MM_CREATE_ERR
on an enum of HKLM.
So, I guess my questions are: is anybody working on this, and does
anyone have any ideas on how to make this work?
(BTW, to get a good packet dump of an enum, run perfmon.exe, do
"Edit/Add to Chart", type a different machine name in and press
return.)
Please CC me on any responses.
Thanks,
Steve Dunham
dunham at debian.org
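An added example, not code from the post or from Samba: a small Python decoder for the two 36-byte request PDUs quoted above, so the header fields and the opnum can be compared instead of eyeballed. The header layout is the standard DCE/RPC request header; reading the 12-byte stub as a unique pointer to a 16-bit server-name value followed by a 32-bit access mask is my interpretation of the winreg Open* call signature, and the opnum names come from the winreg (MS-RRP) interface.

```python
import struct

# Request PDUs copied from the two captures quoted in the post (hex exactly as dumped).
PERF_OPEN = bytes.fromhex("05000003100000002400000001000000"
                          "0C00000000000300F8F61200A0870100"
                          "00000002")
HKLM_OPEN = bytes.fromhex("05000003100000002400000002000000"
                          "0C0000000000020001000000E0840000"
                          "00000002")

HEADER = struct.Struct("<BBBBIHHI")   # DCE/RPC common header: vers, minor, ptype, flags, drep, frag_len, auth_len, call_id
REQUEST = struct.Struct("<IHH")       # request header: alloc_hint, p_cont_id, opnum
OPEN_STUB = struct.Struct("<IHHI")    # assumed stub layout: referent id, server-name value, pad, access mask

# winreg (MS-RRP) opnums relevant to this post.
WINREG_OPNUMS = {0: "OpenClassesRoot", 1: "OpenCurrentUser", 2: "OpenLocalMachine",
                 3: "OpenPerformanceData", 4: "OpenUsers"}


def parse_open_request(pdu: bytes) -> dict:
    """Decode one winreg Open* request PDU into its named fields."""
    vers, _minor, ptype, flags, drep, frag_len, auth_len, call_id = HEADER.unpack_from(pdu, 0)
    if vers != 5 or ptype != 0:                 # ptype 0 = request
        raise ValueError("not a DCE/RPC v5 request PDU")
    if frag_len != len(pdu):
        raise ValueError(f"frag_length {frag_len} != captured length {len(pdu)}")
    if drep & 0xF0 != 0x10:                     # first drep byte 0x10 = little-endian integers
        raise ValueError("unexpected data representation")
    alloc_hint, ctx_id, opnum = REQUEST.unpack_from(pdu, HEADER.size)
    stub = pdu[HEADER.size + REQUEST.size: frag_len - auth_len]
    if len(stub) != OPEN_STUB.size:
        raise ValueError(f"unexpected stub length {len(stub)}")
    referent, name_val, _pad, access = OPEN_STUB.unpack(stub)
    return {"call_id": call_id, "first_and_last_frag": flags & 0x03 == 0x03,
            "alloc_hint": alloc_hint, "context_id": ctx_id, "opnum": opnum,
            "operation": WINREG_OPNUMS.get(opnum, f"opnum {opnum}"),
            "server_name_ptr": referent, "server_name_value": name_val,
            "access_mask": access}


def differing_fields(a: dict, b: dict) -> dict:
    """Return {field: (a_value, b_value)} for every field whose value differs."""
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}
```

Running `differing_fields(parse_open_request(PERF_OPEN), parse_open_request(HKLM_OPEN))` shows that, besides the call id, only the opnum and the two server-name words differ between the captures; the access mask (0x02000000, MAXIMUM_ALLOWED) is the same in both.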