| Subject: | Re: Weird behavior in 'grep'ing for string in /proc/registry... |
| To: | cygwin AT cygwin DOT com |
| References: | <5F55C670 DOT 7030004 AT tlinx DOT org> |
| From: | Brian Inglis <Brian DOT Inglis AT SystematicSw DOT ab DOT ca> |
| Organization: | Systematic Software |
| Message-ID: | <758d674d-7501-56ea-7246-894e5c877778@SystematicSw.ab.ca> |
| Date: | Mon, 7 Sep 2020 01:05:08 -0600 |
On 2020-09-06 23:34, L A Walsh wrote:
> In directory
> /proc/registry/HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/services/eventlog
> I wanted to list all the ".dll"s that handled various types of
> events.
>
> I tried
> /bin/grep -Pr '\.dll'
>
> but got a load of bogus error messages:
>
> /bin/grep: Group: Is a directory
> /bin/grep: ImagePath: Is a directory
> /bin/grep: Description: Is a directory
> /bin/grep: ObjectName: Is a directory
> ....
>
> ---
> looking at ImagePath:
>> ll ImagePath
> -r--r----- 1 65 Sep 6 22:06 ImagePath
>> read -r x <ImagePath
>> echo $x
> C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
>
> ---
> Doesn't look like a directory.
> So, bug in 'grep'?
>
> I'm hoping this isn't limited to my machine...
You remember that the /proc/registry.../ entries are only the keys, subkeys, and
values names, not the data contained in them.
You are doing the equivalent of:
$ fgrep -r .dll /proc/registry/HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/services/eventlog/Application/ 2> /dev/null
producing nothing but error messages.
What you probably want to do is check for the keys, subkeys, and values data
containing .dll names, which is best performed with find and regtool:
$ find /proc/registry/HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/services/eventlog/Application/ -type d -print0 | xargs -0 -l1 regtool list -v | fgrep .dll
DisplayNameFile (REG_EXPAND_SZ) = "%SystemRoot%\system32\wevtapi.dll"
EventMessageFile (REG_SZ) = "C:\Windows\System32\mscoree.dll"
EventMessageFile (REG_SZ) = "C:\Windows\System32\mscoree.dll"
CategoryMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\system32\wevtapi.dll"
CategoryMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\wer.dll"
EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\wer.dll"
EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\wersvc.dll"
EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\system32\ieframe.dll"
CategoryMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\drivers\ati2erec.dll"
EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\drivers\ati2erec.dll"
...[90]...
EventMessageFile (REG_SZ) = "C:\Windows\SysWOW64\msvbvm60.dll"
EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\wersvc.dll"
EventMessageFile (REG_EXPAND_SZ) = "%systemroot%\system32\sdengin2.dll"
EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\wer.dll"
CategoryMessageFile (REG_EXPAND_SZ) = "%systemroot%\system32\tquery.dll"
EventMessageFile (REG_EXPAND_SZ) = "%systemroot%\system32\tquery.dll"
EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\system32\wsepno.dll"
EventMessageFile (REG_SZ) = "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EventLogMessages.dll"
EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\ntvdm64.dll"
EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\wshext.dll"
or you could use the Windows reg command directly for more verbose results:
$ reg query HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\eventlog\\Application /s /d /f "*.dll"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application
DisplayNameFile REG_EXPAND_SZ %SystemRoot%\system32\wevtapi.dll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\.NET Runtime
EventMessageFile REG_SZ C:\Windows\System32\mscoree.dll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\.NET Runtime Optimization Service
EventMessageFile REG_SZ C:\Windows\System32\mscoree.dll
...[104]...
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\WMI.NET Provider Extension
EventMessageFile REG_SZ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EventLogMessages.dll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\Wow64 Emulation Layer
EventMessageFile REG_EXPAND_SZ %SystemRoot%\System32\ntvdm64.dll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\WSH
EventMessageFile REG_EXPAND_SZ %SystemRoot%\System32\wshext.dll
End of search: 110 match(es) found.
--
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada
This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
[Data in IEC units and prefixes, physical quantities in SI.]
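
Added example, not part of the original message: the regtool output above repeats the same DLLs many times, so this sketch reduces lines in that `name (TYPE) = "value"` format to one row per DLL with a count, and marks paths outside the Windows directory for a closer look. The function names, the windir/other labels and the C:\Windows value for %SystemRoot% are assumptions made for this example.

```shell
#!/bin/sh
# Added example: inventory the message DLLs named in `regtool list -v` output.
# Assumption: %SystemRoot% is C:\Windows, matching the literal paths in the post.
WINROOT='c:\windows'

summarize_message_dlls() {
    ROOT="$WINROOT" awk '
    {
        sub(/\r$/, "")                           # tolerate CRLF input
        if (!match($0, /= ".*"$/)) next          # only: name (TYPE) = "value"
        val = tolower(substr($0, RSTART + 3, RLENGTH - 4))
        n = split(val, part, ";")                # one value may list several files
        for (i = 1; i <= n; i++) {
            p = part[i]
            gsub(/^ +| +$/, "", p)
            if (p !~ /\.dll$/) continue
            if (index(p, "%systemroot%") == 1)   # expand the REG_EXPAND_SZ prefix
                p = ENVIRON["ROOT"] substr(p, 13)
            count[p]++
        }
    }
    END {
        for (p in count) {
            where = (index(p, ENVIRON["ROOT"] "\\") == 1) ? "windir" : "other"
            printf "%s\t%d\t%s\n", where, count[p], p
        }
    }' | LC_ALL=C sort
}

# Constructed sample: the first four lines are copied from the output above,
# the last two are made up for this example.
sample_lines() {
    cat <<'EOF'
EventMessageFile (REG_SZ) = "C:\Windows\System32\mscoree.dll"
CategoryMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\wer.dll"
EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\wer.dll"
EventMessageFile (REG_EXPAND_SZ) = "%systemroot%\system32\tquery.dll"
EventMessageFile (REG_SZ) = "D:\Apps\Example\msgs.dll;C:\Windows\System32\mscoree.dll"
TypesSupported (REG_DWORD) = 0x00000007 (7)
EOF
}

sample_lines | summarize_message_dlls
```

On a live system, replace sample_lines with the find | xargs regtool pipeline from the message, without its trailing fgrep.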