Questions about unsupported registry hive (perfmon data)
dunham at cse.msu.edu
Thu Feb 3 23:42:02 GMT 2000
dunham at captech.com writes:
> According to MSDN, NT exports perfmon data via a HKEY_PERFORMANCE_DATA
> registry hive. I'd like to be able to access this data from Linux, so
> I looked into the source of samba - it looks like it would be a matter
> of copying the HKLM code and filling in some magic numbers. (The RPC
> for opening the PERFORMANCE_DATA tree, and the other "magic number" in
> the open command packet.)
> [...]
> So, the RPC command is 0x03 and the magic number is A0 87 (network
> byte order). But I don't know if the other differences are
> significant. If I change the HKLM code to use these numbers, I get:
> REG_ENUM_VALUE: NT_STATUS_UNEXPECTED_MM_CREATE_ERR
> on an enum of HKLM.
> So, I guess my questions are: is anybody working on this, and does
> anyone have any ideas on how to make this work?
> (BTW, to get a good packet dump of an enum, run perfmon.exe, do
> "Edit/Add to Chart", type a different machine name in and press
> return.)
A quick followup. The Perfmon stuff uses strings in:
HKLM\Software\Microsoft\Windows NT\Perflib\...
to do some object number -> string conversion, there is code in MSDN
to decode the packets returned from the PERFORMANCE_DATA hive using
this information. So I can write code to decode this stuff if I can
get it.
The way to access the info proper is to connect to "Global" in
HKEY_PERFORMANCE_DATA. (Or you can connect to a space-separated list
of Object #'s, e.g. "HKPD\2 3", for a subset of the data.)
The big sticking point for me right now is:
I've changed the HKLM code to use opcode 0x03 instead of 0x02 and
pass 0x87A0 to reg_open_hklm.
The Windows client does a REG_INFO (opcode 0x11) "Global" in the
PERFORMANCE_DATA tree, gets a sizable response with
"STATUS_BUFFER_OVERFLOW" (Hint is set to 0x93ec, if that means
anything), and reads a bunch of info from the same fileid in SMB
packets until it stops getting STATUS_BUFFER_OVERFLOW packets.
The Samba client sends a similar request, but gets a short response,
which rpcclient reports as:
REG_INFO: NT_STATUS_UNEXPECTED_MM_CREATE_ERR
(It does report session setup OK right before this.)
Please CC me on any responses.
Thanks,
Steve Dunham
dunham at debian.org
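
Added example (not part of the original post, and not Samba or MSDN code): a sketch of the decode step the message describes, mapping object numbers in a reassembled HKEY_PERFORMANCE_DATA blob to names from the Perflib "Counter" strings. It assumes the Win32 PERF_DATA_BLOCK / PERF_OBJECT_TYPE leading fields and a REG_MULTI_SZ of alternating index/name strings; the function names and the sample bytes are constructed for illustration.

```python
import struct

# Leading fields of PERF_DATA_BLOCK (little-endian): Signature WCHAR[4],
# LittleEndian, Version, Revision, TotalByteLength, HeaderLength, NumObjectTypes.
HDR = struct.Struct("<8s6I")
# Leading fields of PERF_OBJECT_TYPE: TotalByteLength, DefinitionLength,
# HeaderLength, ObjectNameTitleIndex.
OBJ = struct.Struct("<4I")
SIG = "PERF".encode("utf-16-le")

def parse_counter_names(raw):
    """Decode a Perflib 'Counter' REG_MULTI_SZ (alternating index, name)."""
    items = [s for s in raw.decode("utf-16-le").split("\0") if s]
    if len(items) % 2:
        raise ValueError("odd number of strings in Counter value")
    return {int(i): n for i, n in zip(items[::2], items[1::2])}

def list_objects(blob, names):
    """Walk the object chain of a fully reassembled blob; return (index, name)."""
    if len(blob) < HDR.size:
        raise ValueError("short PERF_DATA_BLOCK")
    sig, _le, _ver, _rev, total, hdr_len, nobj = HDR.unpack_from(blob)
    if sig != SIG:
        raise ValueError("bad signature")
    # A single STATUS_BUFFER_OVERFLOW fragment fails here: the header claims
    # more bytes than were read, so the caller must finish reassembly first.
    if total > len(blob) or hdr_len < HDR.size:
        raise ValueError("truncated or inconsistent block")
    out, off = [], hdr_len
    for _ in range(nobj):
        if off + OBJ.size > total:
            raise ValueError("object header outside block")
        obj_total, _dl, _hl, idx = OBJ.unpack_from(blob, off)
        if obj_total < OBJ.size:
            raise ValueError("object length would not advance")
        out.append((idx, names.get(idx, "<unknown>")))
        off += obj_total
    return out

def sample():
    """Constructed test data: a tiny Counter value and a two-object blob."""
    strings = ["1", "1847", "2", "System", "4", "Memory"]
    counter = "\0".join(strings).encode("utf-16-le") + b"\0\0\0\0"
    objs = b"".join(OBJ.pack(32, 32, 32, i) + bytes(16) for i in (2, 4))
    head = HDR.pack(SIG, 1, 1, 1, 40 + len(objs), 40, 2) + bytes(8)
    return counter, head + objs

if __name__ == "__main__":
    counter, blob = sample()
    print(list_objects(blob, parse_counter_names(counter)))
```

The length checks matter because every offset in the blob comes from the remote server; a parser that trusts TotalByteLength without comparing it to the bytes actually received will read past the buffer or loop on a zero-length object.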