Mail Archives: cygwin/2020/09/07/15:16:46

Subject: Re: Weird behavior in 'grep'ing for string in /proc/registry...
To: cygwin AT cygwin DOT com
References: <5F55C670 DOT 7030004 AT tlinx DOT org>
<758d674d-7501-56ea-7246-894e5c877778 AT SystematicSw DOT ab DOT ca>
<ddc33d3b-3caf-447e-fbd1-e53192eb55bc AT towo DOT net>
From: Brian Inglis <Brian DOT Inglis AT SystematicSw DOT ab DOT ca>
Organization: Systematic Software
Message-ID: <8d6eeade-52e8-2247-2f8d-2cc468aeebf2@SystematicSw.ab.ca>
Date: Mon, 7 Sep 2020 13:15:57 -0600
In-Reply-To: <ddc33d3b-3caf-447e-fbd1-e53192eb55bc@towo.net>
List-Id: General Cygwin discussions and problem reports <cygwin.cygwin.com>
List-Archive: <https://cygwin.com/pipermail/cygwin/>

On 2020-09-07 01:53, Thomas Wolff wrote:
> Am 07.09.2020 um 09:05 schrieb Brian Inglis:
>> On 2020-09-06 23:34, L A Walsh wrote:
>>> In directory
>>> /proc/registry/HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/services/eventlog
>>> I wanted to list all the ".dll"s that handled various types of
>>> events.
>>>
>>> I tried
>>> /bin/grep -Pr '\.dll'
>>>
>>> but got a load of bogus error messages:
>>>
>>> /bin/grep: Group: Is a directory
>>> /bin/grep: ImagePath: Is a directory
>>> /bin/grep: Description: Is a directory
>>> /bin/grep: ObjectName: Is a directory
>>> ....
>>>
>>> ---
>>> looking at ImagePath:
>>>> ll ImagePath
>>> -r--r----- 1 65 Sep  6 22:06 ImagePath
>>>> read -r x <ImagePath
>>>> echo $x
>>> C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
>>>
>>> ---
>>> Doesn't look like a directory.
>>> So, bug in 'grep'?
>>>
>>> I'm hoping this isn't limited to my machine...
>> You remember that the /proc/registry.../ entries are only the keys, subkeys, and
>> values names, not the data contained in them.
>>
>> You are doing the equivalent of:
>>
>> $ fgrep -r .dll \
>>     /proc/registry/HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/services/eventlog/Application/ \
>>     2> /dev/null
>>
>> producing nothing but error messages.

> I reproduced Linda's observation (although not in the folder she mentioned which
> does not exist here) and in fact there is an inconsistency between `grep -r`
> reporting "Is a directory" for entries that are not marked as directory by `ls`:
> .pwd
> /proc/registry/HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/Appinfo/Parameters
> 
> .ls -l
> total 0
> -r--r----- 1 SYSTEM SYSTEM 34 27. Nov 2019  ServiceDll
> -r--r----- 1 SYSTEM SYSTEM  4 27. Nov 2019  ServiceDllUnloadOnStop
> .grep -r .
> grep: ServiceDll: Is a directory
> grep: ServiceDllUnloadOnStop: Is a directory
> 
> I checked whether `opendir` marks the d_type fields wrong in the /proc
> filesystem but that's not it.

I believe we are seeing that the registry fs virtualization is insufficient for
grep and some other utilities to differentiate, so they are complaining, not
descending and searching.

So you can do what you want using:

$ find /proc/registry/HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/services/eventlog/Application/ \
    -type f -print0 | xargs -0 fgrep -a .dll

but you need the -a as the file contents appear as binary strings with NUL char
terminators (and these appear in the output), not text files with \n terminators.

My alternatives convert the values and data to text on lines which you can
search with clean results.

You could strace your problematic searches and post along with cygcheck.out and
hope someone has time to dig in and debug the issue.

>> What you probably want to do is check for the keys, subkeys, and values data
>> containing .dll names, which is best performed with find and regtool:
>>
>> $ find /proc/registry/HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/services/eventlog/Application/ \
>>     -type d -print0 | xargs -0 -l1 regtool list -v | fgrep .dll
>> DisplayNameFile (REG_EXPAND_SZ) = "%SystemRoot%\system32\wevtapi.dll"
>> EventMessageFile (REG_SZ) = "C:\Windows\System32\mscoree.dll"
>> EventMessageFile (REG_SZ) = "C:\Windows\System32\mscoree.dll"
>> CategoryMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\system32\wevtapi.dll"
>> CategoryMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\wer.dll"
>> EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\wer.dll"
>> EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\wersvc.dll"
>> EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\system32\ieframe.dll"
>> CategoryMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\drivers\ati2erec.dll"
>> EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\drivers\ati2erec.dll"
>> ...[90]...
>> EventMessageFile (REG_SZ) = "C:\Windows\SysWOW64\msvbvm60.dll"
>> EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\wersvc.dll"
>> EventMessageFile (REG_EXPAND_SZ) = "%systemroot%\system32\sdengin2.dll"
>> EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\wer.dll"
>> CategoryMessageFile (REG_EXPAND_SZ) = "%systemroot%\system32\tquery.dll"
>> EventMessageFile (REG_EXPAND_SZ) = "%systemroot%\system32\tquery.dll"
>> EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\system32\wsepno.dll"
>> EventMessageFile (REG_SZ) = "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EventLogMessages.dll"
>> EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\ntvdm64.dll"
>> EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\wshext.dll"
>>
>> or you could use the Windows reg command directly for more verbose results:
>>
>> $ reg query HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\eventlog\\Application \
>>     /s /d /f "*.dll"
>>
>> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application
>>      DisplayNameFile    REG_EXPAND_SZ    %SystemRoot%\system32\wevtapi.dll
>>
>> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\.NET Runtime
>>      EventMessageFile    REG_SZ    C:\Windows\System32\mscoree.dll
>>
>> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\.NET Runtime Optimization Service
>>      EventMessageFile    REG_SZ    C:\Windows\System32\mscoree.dll
>>
>> ...[104]...
>>
>> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\WMI.NET Provider Extension
>>      EventMessageFile    REG_SZ    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EventLogMessages.dll
>>
>> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\Wow64 Emulation Layer
>>      EventMessageFile    REG_EXPAND_SZ    %SystemRoot%\System32\ntvdm64.dll
>>
>> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\WSH
>>      EventMessageFile    REG_EXPAND_SZ    %SystemRoot%\System32\wshext.dll
>>
>> End of search: 110 match(es) found.

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
[Data in IEC units and prefixes, physical quantities in SI.]
--
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple
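The workaround described in the message above (hand grep only regular files via find -print0 | xargs -0, pass -a because the value data is NUL-terminated rather than newline-terminated, and convert the data to text lines for clean searching), as an added example that is not part of the original thread and is not Cygwin's, regtool's or reg's code. Because the verifier has no /proc/registry, the script builds a constructed stand-in tree modelled on the Application sources and values quoted in the thread, with the same on-disk shape Cygwin presents (each value is a regular file holding the raw registry data); on Cygwin the same functions can be pointed at the real /proc/registry/.../eventlog/Application path. The function names make_mock_registry, list_dll_values, values_as_text and demo are this example's own.

```shell
#!/bin/sh
# Added example for this thread, not code from Cygwin, regtool or the
# original posters. It mimics the find/xargs/grep -a search Brian
# suggests on a constructed stand-in for a /proc/registry subtree, where
# each value is a regular file holding the raw registry data (REG_SZ and
# REG_EXPAND_SZ data keep their terminating NUL; REG_DWORD is 4 raw bytes).
set -eu

# make_mock_registry DIR: build DIR/Application/<Source>/<ValueName>.
# Sources, value names and data are modelled on the reg query output in
# the thread; the tree itself is constructed here for the example.
make_mock_registry() {
    root=$1
    mkdir -p "$root/Application/.NET Runtime" \
             "$root/Application/WSH" \
             "$root/Application/Service"
    # %s keeps the backslashes literal; \000 appends the NUL terminator.
    printf '%s\000' '%SystemRoot%\system32\wevtapi.dll' \
        > "$root/Application/DisplayNameFile"
    printf '%s\000' 'C:\Windows\System32\mscoree.dll' \
        > "$root/Application/.NET Runtime/EventMessageFile"
    printf '%s\000' '%SystemRoot%\System32\wshext.dll' \
        > "$root/Application/WSH/EventMessageFile"
    printf '%s\000' 'C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted' \
        > "$root/Application/Service/ImagePath"
    # REG_DWORD 7 as stored: four little-endian bytes, not text.
    printf '\007\000\000\000' > "$root/Application/WSH/TypesSupported"
}

# list_dll_values DIR: print the value files whose data mentions .dll.
# find -type f hands grep only the value files (the step grep -r could
# not manage on Cygwin's registry fs), -print0/-0 survive spaces in
# source names such as ".NET Runtime", and -a stops grep from dismissing
# the NUL-terminated data as a binary file.
list_dll_values() {
    find "$1" -type f -print0 | xargs -0 grep -a -l -i '\.dll' | sort
}

# values_as_text DIR: one "Source/ValueName<TAB>data" line per value.
# The NUL terminator is dropped and any other non-printable byte (the raw
# DWORD, for instance) is shown as '.', so the output is clean text that
# grep, awk or sort handle without stray NULs. A rough stand-in for
# "regtool list -v" when only the /proc/registry view is available.
values_as_text() {
    find "$1" -type f -print0 |
        ROOT="$1" xargs -0 -n1 sh -c '
            f=$1
            printf "%s\t" "${f#"$ROOT"/}"
            tr -d "\000" < "$f" | LC_ALL=C tr -c "[:print:]" "."
            printf "\n"
        ' sh |
        sort
}

# Demonstration on a throw-away tree.
demo() {
    tmp=$(mktemp -d)
    make_mock_registry "$tmp"
    echo "== value files whose data mentions .dll =="
    list_dll_values "$tmp" | sed "s|^$tmp/||"
    echo "== text view, .dll lines only =="
    values_as_text "$tmp" | grep -i '\.dll'
    rm -rf "$tmp"
}

demo
```

The text view is the cleaner one to build further checks on (for example piping it into sort -u of the DLL paths to review which message-file DLLs each event source loads); the raw grep -a view is quicker but leaves the NUL terminators in its output, exactly as the message warns.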
