Weird behavior in 'grep'ing for string in /proc/registry...
Brian Inglis
Brian.Inglis@SystematicSw.ab.ca
Mon Sep 7 07:05:08 GMT 2020
On 2020-09-06 23:34, L A Walsh wrote:
> In directory
> /proc/registry/HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/services/eventlog
> I wanted to list all the ".dll"s that handled various types of
> events.
>
> I tried
> /bin/grep -Pr '\.dll'
>
> but got a load of bogus error messages:
>
> /bin/grep: Group: Is a directory
> /bin/grep: ImagePath: Is a directory
> /bin/grep: Description: Is a directory
> /bin/grep: ObjectName: Is a directory
> ....
>
> ---
> looking at ImagePath:
>> ll ImagePath
> -r--r----- 1 65 Sep 6 22:06 ImagePath
>> read -r x <ImagePath
>> echo $x
> C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
>
> ---
> Doesn't look like a directory.
> So, bug in 'grep'?
>
> I'm hoping this isn't limited to my machine...
You remember that the /proc/registry.../ entries are only the keys, subkeys, and
values names, not the data contained in them.
You are doing the equivalent of:
$ fgrep -r .dll
/proc/registry/HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/services/eventlog/Application/
2> /dev/null
producing nothing but error messages.
What you probably want to do is check for the keys, subkeys, and values data
containing .dll names, which is best performed with find and regtool:
$ find
/proc/registry/HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/services/eventlog/Application/
-type d -print0 | xargs -0 -l1 regtool list -v | fgrep .dll
DisplayNameFile (REG_EXPAND_SZ) = "%SystemRoot%\system32\wevtapi.dll"
EventMessageFile (REG_SZ) = "C:\Windows\System32\mscoree.dll"
EventMessageFile (REG_SZ) = "C:\Windows\System32\mscoree.dll"
CategoryMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\system32\wevtapi.dll"
CategoryMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\wer.dll"
EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\wer.dll"
EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\wersvc.dll"
EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\system32\ieframe.dll"
CategoryMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\drivers\ati2erec.dll"
EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\drivers\ati2erec.dll"
...[90]...
EventMessageFile (REG_SZ) = "C:\Windows\SysWOW64\msvbvm60.dll"
EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\wersvc.dll"
EventMessageFile (REG_EXPAND_SZ) = "%systemroot%\system32\sdengin2.dll"
EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\wer.dll"
CategoryMessageFile (REG_EXPAND_SZ) = "%systemroot%\system32\tquery.dll"
EventMessageFile (REG_EXPAND_SZ) = "%systemroot%\system32\tquery.dll"
EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\system32\wsepno.dll"
EventMessageFile (REG_SZ) =
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EventLogMessages.dll"
EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\ntvdm64.dll"
EventMessageFile (REG_EXPAND_SZ) = "%SystemRoot%\System32\wshext.dll"
or you could use the Windows reg command directly for more verbose results:
$ reg query
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\eventlog\\Application
/s /d /f "*.dll"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application
DisplayNameFile REG_EXPAND_SZ %SystemRoot%\system32\wevtapi.dll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\.NET
Runtime
EventMessageFile REG_SZ C:\Windows\System32\mscoree.dll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\.NET
Runtime Optimization Service
EventMessageFile REG_SZ C:\Windows\System32\mscoree.dll
...[104]...
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\WMI.NET Provider
Extension
EventMessageFile REG_SZ
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EventLogMessages.dll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\Wow64
Emulation Layer
EventMessageFile REG_EXPAND_SZ %SystemRoot%\System32\ntvdm64.dll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\WSH
EventMessageFile REG_EXPAND_SZ %SystemRoot%\System32\wshext.dll
End of search: 110 match(es) found.
--
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada
This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
[Data in IEC units and prefixes, physical quantities in SI.]
More information about the Cygwin
mailing list