X-Recipient: archive-cygwin@delorie.com X-Original-To: cygwin@cygwin.com Delivered-To: cygwin@cygwin.com DMARC-Filter: OpenDMARC Filter v1.3.2 sourceware.org 8FE2538708BB Authentication-Results: sourceware.org; dmarc=none (p=none dis=none) header.from=SystematicSw.ab.ca Authentication-Results: sourceware.org; spf=none smtp.mailfrom=brian.inglis@systematicsw.ab.ca X-Authority-Analysis: v=2.3 cv=LKf9vKe9 c=1 sm=1 tr=0 a=kiZT5GMN3KAWqtYcXc+/4Q==:117 a=kiZT5GMN3KAWqtYcXc+/4Q==:17 a=IkcTkHD0fZMA:10 a=V8_Nyr92AAAA:8 a=FEJjjUpSAAAA:8 a=RZ24vCjvlsqmbDxLIRQA:9 a=QEXdDO2ut3YA:10 a=nxFJi58FgSUA:10 a=m4zak9p9Mz3SGnrsU8m_:22 Subject: Re: Weird behavior in 'grep'ing for string in /proc/registry... To: cygwin@cygwin.com References: <5F55C670.7030004@tlinx.org> From: Brian Inglis Autocrypt: addr=Brian.Inglis@SystematicSw.ab.ca; prefer-encrypt=mutual; keydata= mDMEXopx8xYJKwYBBAHaRw8BAQdAnCK0qv/xwUCCZQoA9BHRYpstERrspfT0NkUWQVuoePa0 LkJyaWFuIEluZ2xpcyA8QnJpYW4uSW5nbGlzQFN5c3RlbWF0aWNTdy5hYi5jYT6IlgQTFggA PhYhBMM5/lbU970GBS2bZB62lxu92I8YBQJeinHzAhsDBQkJZgGABQsJCAcCBhUKCQgLAgQW AgMBAh4BAheAAAoJEB62lxu92I8Y0ioBAI8xrggNxziAVmr+Xm6nnyjoujMqWcq3oEhlYGAO WacZAQDFtdDx2koSVSoOmfaOyRTbIWSf9/Cjai29060fsmdsDLg4BF6KcfMSCisGAQQBl1UB BQEBB0Awv8kHI2PaEgViDqzbnoe8B9KMHoBZLS92HdC7ZPh8HQMBCAeIfgQYFggAJhYhBMM5 /lbU970GBS2bZB62lxu92I8YBQJeinHzAhsMBQkJZgGAAAoJEB62lxu92I8YZwUBAJw/74rF IyaSsGI7ewCdCy88Lce/kdwX7zGwid+f8NZ3AQC/ezTFFi5obXnyMxZJN464nPXiggtT9gN5 RSyTY8X+AQ== Organization: Systematic Software Message-ID: <758d674d-7501-56ea-7246-894e5c877778@SystematicSw.ab.ca> Date: Mon, 7 Sep 2020 01:05:08 -0600 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.12.0 MIME-Version: 1.0 In-Reply-To: <5F55C670.7030004@tlinx.org> Content-Language: en-CA X-CMAE-Envelope: MS4wfImzQWQYKIEodJhr6FQ8OlzLnj4zHu/XfSR1iz6mkAtL/PG9uSShU6EnnINZtMNhfClHu7+hI6zNtj84thPZ0hU0N1rkZ9e5n96eNFuDi8rQcX2UGlLh CXhpb/sNz88AxCIS2QVSH+eZif9D3tJFnZxPdw7ApAvTCe/iM65jI4WWmZSNBBb/UuI2CJ+Iuxal0A== X-Spam-Status: No, score=-7.9 required=5.0 tests=BAYES_00, KAM_DMARC_STATUS, KAM_LAZY_DOMAIN_SECURITY, NICE_REPLY_A, RCVD_IN_DNSWL_LOW, RCVD_IN_MSPIKE_H3, RCVD_IN_MSPIKE_WL, SPF_HELO_NONE, SPF_NONE, TXREP autolearn=ham autolearn_force=no version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on server2.sourceware.org X-BeenThere: cygwin@cygwin.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: General Cygwin discussions and problem reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: cygwin@cygwin.com Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: cygwin-bounces@cygwin.com Sender: "Cygwin" On 2020-09-06 23:34, L A Walsh wrote: > In directory > /proc/registry/HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/services/eventlog > I wanted to list all the ".dll"s that handled various types of > events. > > I tried > /bin/grep -Pr '\.dll' > > but got a load of bogus error messages: > > /bin/grep: Group: Is a directory > /bin/grep: ImagePath: Is a directory > /bin/grep: Description: Is a directory > /bin/grep: ObjectName: Is a directory > .... > > --- > looking at ImagePath: >> ll ImagePath > -r--r----- 1 65 Sep 6 22:06 ImagePath >> read -r x > echo $x > C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted > > --- > Doesn't look like a directory. > So, bug in 'grep'? > > I'm hoping this isn't limited to my machine... You remember that the /proc/registry.../ entries are only the keys, subkeys, and values names, not the data contained in them. You are doing the equivalent of: $ fgrep -r .dll /proc/registry/HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/services/eventlog/Application/ 2> /dev/null producing nothing but error messages. What you probably want to do is check for the keys, subkeys, and values data containing .dll names, which is best performed with find and regtool: $ find /proc/registry/HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/services/eventlog/Application/ -type d -print0 | xargs -0 -l1 regtool list -v | fgrep .dll DisplayNameFile (REG_EXPAND_SZ) = "%SystemRoot%\system32\wevtapi.dll" EventMessageFile (REG_SZ) = "C:\Windows\System32\mscoree.dll" EventMessageFile (REG_SZ) = "C:\Windows\System32\mscoree.dll" CategoryMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\system32\wevtapi.dll" CategoryMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\wer.dll" EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\wer.dll" EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\wersvc.dll" EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\system32\ieframe.dll" CategoryMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\drivers\ati2erec.dll" EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\drivers\ati2erec.dll" ...[90]... EventMessageFile (REG_SZ) = "C:\Windows\SysWOW64\msvbvm60.dll" EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\wersvc.dll" EventMessageFile (REG_EXPAND_SZ) = "%systemroot%\system32\sdengin2.dll" EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\wer.dll" CategoryMessageFile (REG_EXPAND_SZ) = "%systemroot%\system32\tquery.dll" EventMessageFile (REG_EXPAND_SZ) = "%systemroot%\system32\tquery.dll" EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\system32\wsepno.dll" EventMessageFile (REG_SZ) = "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EventLogMessages.dll" EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\ntvdm64.dll" EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\wshext.dll" or you could use the Windows reg command directly for more verbose results: $ reg query HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\eventlog\\Application /s /d /f "*.dll" HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application DisplayNameFile REG_EXPAND_SZ %SystemRoot%\system32\wevtapi.dll HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\.NET Runtime EventMessageFile REG_SZ C:\Windows\System32\mscoree.dll HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\.NET Runtime Optimization Service EventMessageFile REG_SZ C:\Windows\System32\mscoree.dll ...[104]... HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\WMI.NET Provider Extension EventMessageFile REG_SZ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EventLogMessages.dll HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\Wow64 Emulation Layer EventMessageFile REG_EXPAND_SZ %SystemRoot%\System32\ntvdm64.dll HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\WSH EventMessageFile REG_EXPAND_SZ %SystemRoot%\System32\wshext.dll End of search: 110 match(es) found. -- Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada This email may be disturbing to some readers as it contains too much technical detail. Reader discretion is advised. [Data in IEC units and prefixes, physical quantities in SI.] -- Problem reports: https://cygwin.com/problems.html FAQ: https://cygwin.com/faq/ Documentation: https://cygwin.com/docs.html Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple