Weird behavior in 'grep'ing for string in /proc/registry...

Brian Inglis Brian.Inglis@SystematicSw.ab.ca
Mon Sep 7 07:05:08 GMT 2020 

On 2020-09-06 23:34, L A Walsh wrote:
> In directory
> /proc/registry/HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/services/eventlog
> I wanted to list all the ".dll"s that handled various types of
> events.
> 
> I tried
> /bin/grep -Pr '\.dll'
> 
> but got a load of bogus error messages:
> 
> /bin/grep: Group: Is a directory
> /bin/grep: ImagePath: Is a directory
> /bin/grep: Description: Is a directory
> /bin/grep: ObjectName: Is a directory
> ....
> 
> ---
> looking at ImagePath:
>> ll ImagePath
> -r--r----- 1 65 Sep  6 22:06 ImagePath
>> read -r x <ImagePath
>> echo $x
> C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
> 
> ---
> Doesn't look like a directory.
> So, bug in 'grep'?
> 
> I'm hoping this isn't limited to my machine...

You remember that the /proc/registry.../ entries are only the keys, subkeys, and
values names, not the data contained in them.

You are doing the equivalent of:

$ fgrep -r .dll
/proc/registry/HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/services/eventlog/Application/
2> /dev/null

producing nothing but error messages.

What you probably want to do is check for the keys, subkeys, and values data
containing .dll names, which is best performed with find and regtool:

$ find
/proc/registry/HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/services/eventlog/Application/
-type d -print0 | xargs -0 -l1 regtool list -v | fgrep .dll
DisplayNameFile (REG_EXPAND_SZ) = "%SystemRoot%\system32\wevtapi.dll"
EventMessageFile (REG_SZ) = "C:\Windows\System32\mscoree.dll"
EventMessageFile (REG_SZ) = "C:\Windows\System32\mscoree.dll"
CategoryMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\system32\wevtapi.dll"
CategoryMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\wer.dll"
EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\wer.dll"
EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\wersvc.dll"
EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\system32\ieframe.dll"
CategoryMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\drivers\ati2erec.dll"
EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\drivers\ati2erec.dll"
...[90]...
EventMessageFile (REG_SZ) = "C:\Windows\SysWOW64\msvbvm60.dll"
EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\wersvc.dll"
EventMessageFile (REG_EXPAND_SZ) = "%systemroot%\system32\sdengin2.dll"
EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\wer.dll"
CategoryMessageFile (REG_EXPAND_SZ) = "%systemroot%\system32\tquery.dll"
EventMessageFile (REG_EXPAND_SZ) = "%systemroot%\system32\tquery.dll"
EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\system32\wsepno.dll"
EventMessageFile (REG_SZ) =
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EventLogMessages.dll"
EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\ntvdm64.dll"
EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\wshext.dll"

or you could use the Windows reg command directly for more verbose results:

$ reg query
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\eventlog\\Application
/s /d /f "*.dll"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application
    DisplayNameFile    REG_EXPAND_SZ    %SystemRoot%\system32\wevtapi.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\.NET
Runtime
    EventMessageFile    REG_SZ    C:\Windows\System32\mscoree.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\.NET
Runtime Optimization Service
    EventMessageFile    REG_SZ    C:\Windows\System32\mscoree.dll

...[104]...

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\WMI.NET Provider
Extension
    EventMessageFile    REG_SZ
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EventLogMessages.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\Wow64
Emulation Layer
    EventMessageFile    REG_EXPAND_SZ    %SystemRoot%\System32\ntvdm64.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\WSH
    EventMessageFile    REG_EXPAND_SZ    %SystemRoot%\System32\wshext.dll

End of search: 110 match(es) found.

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
[Data in IEC units and prefixes, physical quantities in SI.]

More information about the Cygwin mailing list