[cifs-protocol] Re: Question on Case SRX081002601173 [MS-GPEF]
ronnie sahlberg
ronniesahlberg at gmail.com
Wed Oct 8 04:32:47 GMT 2008
Hi,
Sorry I missed that Reserved2 was an 8 byte field and assumed it was
a 4 byte field.
Maybe the illustration in section 2.2.1.2.2 can be enhanced to show
Reserved2 spanning 8 bytes.
It currently looks like reserved2 is only spanning 4 bytes.
Please close this case.
regards
ronnie sahlberg
On Wed, Oct 8, 2008 at 2:59 PM, Edgar Olougouna <edgaro at microsoft.com> wrote:
> Hi Ronnie,
>
> Please note the change in the Byte numbers in my question, for clarity's sake.
>
> Looking at the trace I have a clarification question of this portion of the
> case.
>
> Section 2.2.1.2.2
> -------------------------
> In one trace I have of this blob there is a 4 byte integer with the value
> 0x00000001 between the Reserved2 field and the first byte of the SID.
> Is this a field that is missing in the documentation?
>
> Clarification question:
> -----------------------
> I am trying to identify the 0x00000001 you referred to. According to the raw
> packet, did you mean that SID is starting from Byte 04 or Byte 07 on line
> 00c0?
>
> The SID offset is 28 (0x1c, starting from Length2 00 00 73 02) and the
> Reserved2 is defined as an 8 bytes field.
>
> Is there something I am missing here?
>
> Byte 0 1 2 3 4 5 6 7 8 9 . . .
> 00a0 00 00 01 00 01 00 01 00 00 00 77 02 00 00 73 02 ..........w...s.
> 00b0 00 00 1c 00 00 00 02 00 00 00 3b 02 00 00 38 00 ..........;...8.
> 00c0 00 00 20 00 00 00 01 00 00 00 01 05 00 00 00 00 .. .............
> 00d0 00 05 15 00 00 00 3f 5c 2b 03 a8 39 f3 d7 17 be ......?\+..9....
>
> Length1: 631
> Length2: 627
> SID Offset: 28
> Cert Length: 571
> Cert Offset: 56
> sid: S-1-5-21-53173311-3623041448-2049097239-500
> Revision: 1
> Num Auth: 5
> Authority: 5
> Sub-authorities:
>
> Best regards,
>
> Edgar A. Olougouna
> Sr. SEE, Microsoft DSC Protocol Team | Email: edgaro at microsoft.com | Tel:
> +1.469.775.7189 x 57189
>
> -----Original Message-----
> From: ronnie sahlberg [mailto:ronniesahlberg at gmail.com]
> Sent: Friday, October 03, 2008 12:59 PM
> To: Edgar Olougouna
> Cc: pfif at tridgell.net; cifs-protocol at samba.org
> Subject: Re: Email for Case SRX081002601173
>
>
>
> Sure,
>
>
>
>
>
> Find the capture attached.
>
> Frame 2420
>
>
>
>
>
>
>
> No. Time Source Destination Protocol
> Info
>
> 2420 182.851604 192.168.115.5 192.168.115.105 LSARPC
>
> lsa_QueryDomainInformationPolicy response
>
>
>
> Frame 2420 (806 bytes on wire, 806 bytes captured)
>
> Arrival Time: Sep 27, 2007 11:50:58.095991000
>
> [Time delta from previous captured frame: 0.091102000 seconds]
>
> [Time delta from previous displayed frame: 0.091102000 seconds]
>
> [Time since reference or first frame: 182.851604000 seconds]
>
> Frame Number: 2420
>
> Frame Length: 806 bytes
>
> Capture Length: 806 bytes
>
> [Frame is marked: False]
>
> [Protocols in frame:
>
> eth:ip:tcp:nbss:smb:dcerpc:gpef:x509af:x509sat:x509sat:x509sat:x509sat:x509sat:x509sat:pkcs-1:x509ce:x509af]
>
> Ethernet II, Src: 00:0c:29:44:4a:1f (00:0c:29:44:4a:1f), Dst:
>
> 00:0c:29:2a:62:61 (00:0c:29:2a:62:61)
>
> Destination: 00:0c:29:2a:62:61 (00:0c:29:2a:62:61)
>
> Address: 00:0c:29:2a:62:61 (00:0c:29:2a:62:61)
>
> .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
>
> .... ..0. .... .... .... .... = LG bit: Globally unique address
> (factory default)
>
> Source: 00:0c:29:44:4a:1f (00:0c:29:44:4a:1f)
>
> Address: 00:0c:29:44:4a:1f (00:0c:29:44:4a:1f)
>
> .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
>
> .... ..0. .... .... .... .... = LG bit: Globally unique address
> (factory default)
>
> Type: IP (0x0800)
>
> Internet Protocol, Src: 192.168.115.5 (192.168.115.5), Dst:
>
> 192.168.115.105 (192.168.115.105)
>
> Version: 4
>
> Header length: 20 bytes
>
> Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
>
> 0000 00.. = Differentiated Services Codepoint: Default (0x00)
>
> .... ..0. = ECN-Capable Transport (ECT): 0
>
> .... ...0 = ECN-CE: 0
>
> Total Length: 792
>
> Identification: 0xe0b9 (57529)
>
> Flags: 0x04 (Don't Fragment)
>
> 0... = Reserved bit: Not set
>
> .1.. = Don't fragment: Set
>
> ..0. = More fragments: Not set
>
> Fragment offset: 0
>
> Time to live: 128
>
> Protocol: TCP (0x06)
>
> Header checksum: 0xaf66 [correct]
>
> [Good: True]
>
> [Bad : False]
>
> Source: 192.168.115.5 (192.168.115.5)
>
> Destination: 192.168.115.105 (192.168.115.105) Transmission Control
> Protocol, Src Port: 445 (445), Dst Port: 1103 (1103), Seq: 1489, Ack: 4056,
> Len: 752
>
> Source port: 445 (445)
>
> Destination port: 1103 (1103)
>
> [Stream index: 53]
>
> Sequence number: 1489 (relative sequence number)
>
> [Next sequence number: 2241 (relative sequence number)]
>
> Acknowledgement number: 4056 (relative ack number)
>
> Header length: 20 bytes
>
> Flags: 0x18 (PSH, ACK)
>
> 0... .... = Congestion Window Reduced (CWR): Not set
>
> .0.. .... = ECN-Echo: Not set
>
> ..0. .... = Urgent: Not set
>
> ...1 .... = Acknowledgement: Set
>
> .... 1... = Push: Set
>
> .... .0.. = Reset: Not set
>
> .... ..0. = Syn: Not set
>
> .... ...0 = Fin: Not set
>
> Window size: 63154
>
> Checksum: 0x73a6 [validation disabled]
>
> [Good Checksum: False]
>
> [Bad Checksum: False]
>
> [SEQ/ACK analysis]
>
> [This is an ACK to the segment in frame: 2419]
>
> [The RTT to ACK the segment was: 0.091102000 seconds]
>
> [Number of bytes in flight: 752]
>
> [Timestamps]
>
> [Time since first frame in this TCP stream: 104.826266000 seconds]
>
> [Time since previous frame in this TCP stream: 0.091102000 seconds]
> NetBIOS Session Service
>
> Message Type: Session message
>
> Length: 748
>
> SMB (Server Message Block Protocol)
>
> SMB Header
>
> Server Component: SMB
>
> [Response to: 2419]
>
> [Time from request: 0.091102000 seconds]
>
> SMB Command: Read AndX (0x2e)
>
> NT Status: STATUS_SUCCESS (0x00000000)
>
> Flags: 0x98
>
> 1... .... = Request/Response: Message is a response to the
> client/redirector
>
> .0.. .... = Notify: Notify client only on open
>
> ..0. .... = Oplocks: OpLock not requested/granted
>
> ...1 .... = Canonicalized Pathnames: Pathnames are canonicalized
>
> .... 1... = Case Sensitivity: Path names are caseless
>
> .... ..0. = Receive Buffer Posted: Receive buffer has not been
> posted
>
> .... ...0 = Lock and Read: Lock&Read, Write&Unlock are not
> supported
>
> Flags2: 0xc807
>
> 1... .... .... .... = Unicode Strings: Strings are Unicode
>
> .1.. .... .... .... = Error Code Type: Error codes are NT error
> codes
>
> ..0. .... .... .... = Execute-only Reads: Don't permit reads if
> execute-only
>
> ...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
>
> .... 1... .... .... = Extended Security Negotiation:
>
> Extended security negotiation is supported
>
> .... .... .0.. .... = Long Names Used: Path names in request are
> not long file names
>
> .... .... .... .1.. = Security Signatures: Security signatures
> are supported
>
> .... .... .... ..1. = Extended Attributes: Extended attributes
> are supported
>
> .... .... .... ...1 = Long Names Allowed: Long file names are
> allowed in the response
>
> Process ID High: 0
>
> Signature: 0000000000000000
>
> Reserved: 0000
>
> Tree ID: 8194 (\\WIN2003.VNET3.TRIDGELL.NET\IPC$)
>
> [Path: \\WIN2003.VNET3.TRIDGELL.NET\IPC$]
>
> [Mapped in: 854]
>
> Process ID: 65279
>
> User ID: 14336
>
> Multiplex ID: 704
>
> Read AndX Response (0x2e)
>
> [FID: 0x8005 (\lsarpc)]
>
> [Opened in: 2404]
>
> [File Name: \lsarpc]
>
> Create Flags: 0x00000016
>
> .... .... .... .... .... .... ...1 .... = Extended
>
> Response: Extended responses required
>
> .... .... .... .... .... .... .... 0... = Create
>
> Directory: Target of open can be a file
>
> .... .... .... .... .... .... .... .1.. = Batch
>
> Oplock: Requesting BATCH OPLOCK
>
> .... .... .... .... .... .... .... ..1. = Exclusive
>
> Oplock: Requesting OPLOCK
>
> Access Mask: 0x0002019f
>
> 0... .... .... .... .... .... .... .... = Generic
>
> Read: Generic read is NOT set
>
> .0.. .... .... .... .... .... .... .... = Generic
>
> Write: Generic write is NOT set
>
> ..0. .... .... .... .... .... .... .... = Generic
>
> Execute: Generic execute is NOT set
>
> ...0 .... .... .... .... .... .... .... = Generic All:
>
> Generic all is NOT set
>
> .... ..0. .... .... .... .... .... .... = Maximum
>
> Allowed: Maximum allowed is NOT set
>
> .... ...0 .... .... .... .... .... .... = System
>
> Security: System security is NOT set
>
> .... .... ...0 .... .... .... .... .... = Synchronize:
>
> Can NOT wait on handle to synchronize on completion of I/O
>
> .... .... .... 0... .... .... .... .... = Write Owner:
>
> Can NOT write owner (take ownership)
>
> .... .... .... .0.. .... .... .... .... = Write DAC:
>
> Owner may NOT write to the DAC
>
> .... .... .... ..1. .... .... .... .... = Read
>
> Control: READ ACCESS to owner, group and ACL of the SID
>
> .... .... .... ...0 .... .... .... .... = Delete: NO delete
> access
>
> .... .... .... .... .... ...1 .... .... = Write
>
> Attributes: WRITE ATTRIBUTES access
>
> .... .... .... .... .... .... 1... .... = Read
>
> Attributes: READ ATTRIBUTES access
>
> .... .... .... .... .... .... .0.. .... = Delete
>
> Child: NO delete child access
>
> .... .... .... .... .... .... ..0. .... = Execute: NO
> execute access
>
> .... .... .... .... .... .... ...1 .... = Write EA:
>
> WRITE EXTENDED ATTRIBUTES access
>
> .... .... .... .... .... .... .... 1... = Read EA:
>
> READ EXTENDED ATTRIBUTES access
>
> .... .... .... .... .... .... .... .1.. = Append: APPEND
> access
>
> .... .... .... .... .... .... .... ..1. = Write: WRITE
> access
>
> .... .... .... .... .... .... .... ...1 = Read: READ access
>
> File Attributes: 0x00000000
>
> .... .... .... .... .0.. .... .... .... = Encrypted:
>
> This is NOT an encrypted file
>
> .... .... .... .... ..0. .... .... .... = Content
>
> Indexed: This file MAY be indexed by the content indexing service
>
> .... .... .... .... ...0 .... .... .... = Offline:
>
> This file is NOT offline
>
> .... .... .... .... .... 0... .... .... = Compressed:
>
> This is NOT a compressed file
>
> .... .... .... .... .... .0.. .... .... = Reparse
>
> Point: This file does NOT have an associated reparse point
>
> .... .... .... .... .... ..0. .... .... = Sparse: This is
> NOT a sparse file
>
> .... .... .... .... .... ...0 .... .... = Temporary:
>
> This is NOT a temporary file
>
> .... .... .... .... .... .... 0... .... = Normal: This file
> has some attribute set
>
> .... .... .... .... .... .... .0.. .... = Device: This is
> NOT a device
>
> .... .... .... .... .... .... ..0. .... = Archive:
>
> This file has NOT been modified since last archive
>
> .... .... .... .... .... .... ...0 .... = Directory:
>
> This is NOT a directory
>
> .... .... .... .... .... .... .... 0... = Volume ID:
>
> This is NOT a volume ID
>
> .... .... .... .... .... .... .... .0.. = System: This is
> NOT a system file
>
> .... .... .... .... .... .... .... ..0. = Hidden: This is
> NOT a hidden file
>
> .... .... .... .... .... .... .... ...0 = Read Only:
>
> This file is NOT read only
>
> Share Access: 0x00000003 SHARE_WRITE SHARE_READ
>
> .... .... .... .... .... .... .... .0.. = Delete:
>
> Object can NOT be shared for delete
>
> .... .... .... .... .... .... .... ..1. = Write:
>
> Object can be shared for WRITE
>
> .... .... .... .... .... .... .... ...1 = Read: Object can
> be shared for READ
>
> Create Options: 0x00000040
>
> .... .... .... .... .... .... .... ...0 = Directory:
>
> File being created/opened must not be a directory
>
> .... .... .... .... .... .... .... ..0. = Write
>
> Through: Writes need not flush buffered data before completing
>
> .... .... .... .... .... .... .... .0.. = Sequential
>
> Only: The file might not only be accessed sequentially
>
> .... .... .... .... .... .... .... 0... = Intermediate
>
> Buffering: Intermediate buffering is allowed
>
> .... .... .... .... .... .... ...0 .... = Sync I/O
>
> Alert: Operations NOT necessarily synchronous
>
> .... .... .... .... .... .... ..0. .... = Sync I/O
>
> Nonalert: Operations NOT necessarily synchronous
>
> .... .... .... .... .... .... .1.. .... =
>
> Non-Directory: File being created/opened must not be a directory
>
> .... .... .... .... .... .... 0... .... = Create Tree
>
> Connection: Create Tree Connections is NOT set
>
> .... .... .... .... .... ...0 .... .... = Complete If
>
> Oplocked: Complete if oplocked is NOT set
>
> .... .... .... .... .... ..0. .... .... = No EA
>
> Knowledge: The client understands extended attributes
>
> .... .... .... .... .... .0.. .... .... = 8.3 Only:
>
> The client understands long file names
>
> .... .... .... .... .... 0... .... .... = Random
>
> Access: The file will not be accessed randomly
>
> .... .... .... .... ...0 .... .... .... = Delete On
>
> Close: The file should not be deleted when it is closed
>
> .... .... .... .... ..0. .... .... .... = Open By
>
> FileID: OpenByFileID is NOT set
>
> .... .... .... .... .0.. .... .... .... = Backup
>
> Intent: This is a normal create
>
> .... .... .... .... 0... .... .... .... = No
>
> Compression: Compression is allowed for Open/Create
>
> .... .... ...0 .... .... .... .... .... = Reserve
>
> Opfilter: Reserve Opfilter is NOT set
>
> .... .... ..0. .... .... .... .... .... = Open Reparse
>
> Point: Normal open
>
> .... .... .0.. .... .... .... .... .... = Open No
>
> Recall: Open no recall is NOT set
>
> .... .... 0... .... .... .... .... .... = Open For Free
> Space query: This is NOT an open for free space query
>
> [Disposition: Open (if file exists open it, else fail) (1)]
>
> Word Count (WCT): 12
>
> AndXCommand: No further commands (0xff)
>
> Reserved: 00
>
> AndXOffset: 0
>
> [File Offset: 0]
>
> [File RW Length: 1024]
>
> Remaining: 0
>
> Data Compaction Mode: 0
>
> Reserved: 0000
>
> Data Length Low: 688
>
> Data Offset: 60
>
> Data Length High (multiply with 64K): 0
>
> Reserved: 000000000000
>
> Byte Count (BCC): 689
>
> Padding: 00
>
> DCE RPC Response, Fragment: Single, FragLen: 688, Call: 3 Ctx: 0, [Req:
> #2417]
>
> Version: 5
>
> Version (minor): 0
>
> Packet type: Response (2)
>
> Packet Flags: 0x03
>
> 0... .... = Object: Not set
>
> .0.. .... = Maybe: Not set
>
> ..0. .... = Did Not Execute: Not set
>
> ...0 .... = Multiplex: Not set
>
> .... 0... = Reserved: Not set
>
> .... .0.. = Cancel Pending: Not set
>
> .... ..1. = Last Frag: Set
>
> .... ...1 = First Frag: Set
>
> Data Representation: 10000000
>
> Byte order: Little-endian (1)
>
> Character: ASCII (0)
>
> Floating-point: IEEE (0)
>
> Frag Length: 688
>
> Auth Length: 0
>
> Call ID: 3
>
> Alloc hint: 664
>
> Context ID: 0
>
> Cancel count: 0
>
> Opnum: 53
>
> [Request in frame: 2417]
>
> [Time from request: 0.094193000 seconds] Local Security Authority,
> lsa_QueryDomainInformationPolicy
>
> Operation: lsa_QueryDomainInformationPolicy (53)
>
> [Request in frame: 2417]
>
> Pointer to Info (lsa_DomainInformationPolicy)
>
> Referent ID: 0x00020000
>
> lsa_DomainInformationPolicy
>
> Info
>
> Efs Info
>
> Blob Size: 639
>
> Pointer to Efs Blob (uint8)
>
> Referent ID: 0x00020004
>
> EFS blob size: 639
>
> GPEF
>
> Key Count: 1
>
> EfsKey
>
> Length1: 631
>
> Length2: 627
>
> SID Offset: 28
>
> Cert Length: 571
>
> Cert Offset: 56
>
> sid: S-1-5-21-53173311-3623041448-2049097239-500
>
> Revision: 1
>
> Num Auth: 5
>
> Authority: 5
>
> Sub-authorities:
>
> 21-53173311-3623041448-2049097239
>
> RID: 500 (Administrator)
>
> Certificate ()
>
> signedCertificate
>
> version: v3 (2)
>
> serialNumber :
>
> 0xba9dd46d546a2e9c4a9f658021c734bf
>
> signature (sha-1WithRSAEncryption)
>
> Algorithm Id: 1.3.14.3.2.29
>
> (sha-1WithRSAEncryption)
>
> issuer: rdnSequence (0)
>
> rdnSequence: 3 items ()
>
> Item: 1 item ()
>
> Item
>
> Id: 2.5.4.3
>
> (id-at-commonName)
>
> DirectoryString:
>
> printableString (1)
>
>
>
> printableString: administrator
>
> Item: 1 item ()
>
> Item
>
> Id: 2.5.4.7
>
> (id-at-localityName)
>
> DirectoryString:
>
> printableString (1)
>
> printableString: EFS
>
> Item: 1 item ()
>
> Item
>
> Id: 2.5.4.11
>
> (id-at-organizationalUnitName)
>
> DirectoryString:
>
> printableString (1)
>
>
>
> printableString: EFS File Encryption Certificate
>
> validity
>
> notBefore: utcTime (0)
>
> utcTime: 04-04-08 07:27:01 (UTC)
>
> notAfter: utcTime (0)
>
> utcTime: 07-04-08 07:27:01 (UTC)
>
> subject: rdnSequence (0)
>
> rdnSequence: 3 items ()
>
> Item: 1 item ()
>
> Item
>
> Id: 2.5.4.3
>
> (id-at-commonName)
>
> DirectoryString:
>
> printableString (1)
>
>
>
> printableString: administrator
>
> Item: 1 item ()
>
> Item
>
> Id: 2.5.4.7
>
> (id-at-localityName)
>
> DirectoryString:
>
> printableString (1)
>
> printableString: EFS
>
> Item: 1 item ()
>
> Item
>
> Id: 2.5.4.11
>
> (id-at-organizationalUnitName)
>
> DirectoryString:
>
> printableString (1)
>
>
>
> printableString: EFS File Encryption Certificate
>
> subjectPublicKeyInfo
>
> algorithm (rsaEncryption)
>
> Algorithm Id:
>
> 1.2.840.113549.1.1.1 (rsaEncryption)
>
> Padding: 0
>
> subjectPublicKey:
>
> 30818902818100BED9195BC7D21DCD13CEECEE24697B6A09...
>
> extensions: 1 item
>
> Item (id-ce-extKeyUsage)
>
> Extension Id: 2.5.29.37
>
> (id-ce-extKeyUsage)
>
> KeyPurposeIDs: 1 item
>
> Item:
>
> 1.3.6.1.4.1.311.10.3.4.1 (id-ms-efs-recovery)
>
> algorithmIdentifier (sha-1WithRSAEncryption)
>
> Algorithm Id: 1.3.14.3.2.29
>
> (sha-1WithRSAEncryption)
>
> Padding: 0
>
> encrypted:
>
> A7E6C169E205D3EEF730D9AE1A86379A8AF9BD9CD4FE70C1...
>
> NT Error: STATUS_SUCCESS (0x00000000)
>
>
>
>
>
>
>
> On Sat, Oct 4, 2008 at 3:29 AM, Edgar Olougouna <edgaro at microsoft.com>
> wrote:
>
>> ******* The following is an email for a support case from Microsoft Corp.
>
>> ******* DO NOT REPLY TO THIS MESSAGE--your email will not be added to
>
>> ******* the case if you do. Instead, FORWARD your response to the
>
>> ******* email address COMPMAIL at MICROSOFT.COM and place your text after
>
>> ******* the keyword 'MESSAGE:'. Also, delete all other text above
>
>> ******* and below the keywords 'CASE_ID_NUM: SRnnn' and 'MESSAGE:'
>
>> ******* to ensure proper delivery of your email. Thank you.
>
>>
>
>> CASE_ID_NUM: SRX081002601173
>
>> MESSAGE:
>
>> ********************** The message for you follows
>
>> ************************ Hi Ronnie,
>
>>
>
>> I will be working with you to solve this case.
>
>>
>
>> In the [MS-GPEF] 2.2.1.2.2 EfsKey packet, you mentioned you are seeing a 4
>> byte integer with the value 0x00000001 between the Reserved2 field and the
>> first byte of the SID.
>
>> Could you send us the trace?
>
>>
>
>> Best regards,
>
>>
>
>> Edgar A. Olougouna
>
>> Sr. SEE, Microsoft DSC Protocol Team | Email: edgaro at microsoft.com |
>
>> Tel: +1.469.775.7189 x 57189
>
>>
>
>>
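The layout this thread settles on, as an added example (not code from the thread, Samba or Microsoft): a bounds-checked Python parse of the EfsKey header run twice, once with Reserved2 read as 4 bytes and once as 8, to show where the stray 0x00000001 comes from. The function names, the `_unnamed` dword and the zero-filled certificate body are assumptions of this example, and the rule that the SID precedes the certificate is taken from this one trace only.

```python
import struct

# Constructed sample: header and SID follow the hex rows and decoded values quoted
# in the thread; the certificate body after its 4-byte DER header is zero filler,
# so only the lengths and offsets are realistic.
EFSKEY = bytes.fromhex(
    "77020000" "73020000"      # Length1 = 631, Length2 = 627
    "1c000000" "02000000"      # SID offset = 28, then a dword the thread never names
    "3b020000" "38000000"      # certificate length = 571, certificate offset = 56
    "2000000001000000"         # Reserved2 (8 bytes)
    "010500000000000515000000" "3f5c2b03a839f3d717be227af4010000"  # SID
    "30820237"                 # start of the DER certificate
) + bytes(567)

BASE = 4  # offsets are counted from Length2, which follows the 4-byte Length1


def parse_sid(buf, pos):
    """Decode a binary SID at pos; return (string form, size in bytes)."""
    if pos + 8 > len(buf):
        raise ValueError("SID header runs past the buffer")
    revision, count = buf[pos], buf[pos + 1]
    size = 8 + 4 * count
    if revision != 1 or count > 15 or pos + size > len(buf):
        raise ValueError("malformed SID")
    authority = int.from_bytes(buf[pos + 2:pos + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, pos + 8)
    return "-".join(["S", str(revision), str(authority), *map(str, subs)]), size


def parse_efskey(buf, reserved2_size=8):
    """Parse one EfsKey, treating Reserved2 as reserved2_size bytes wide."""
    fixed_end = 20 + reserved2_size  # five dwords from Length2 on, then Reserved2
    if len(buf) < BASE + fixed_end:
        raise ValueError("truncated EfsKey header")
    length1, length2, sid_off, _unnamed, cert_len, cert_off = struct.unpack_from("<6I", buf)
    if BASE + length2 > len(buf):
        raise ValueError("Length2 exceeds the data received")
    if sid_off < fixed_end or sid_off > length2:
        raise ValueError("SID offset outside the variable part")
    sid, sid_size = parse_sid(buf[:BASE + length2], BASE + sid_off)
    if cert_off < sid_off + sid_size or cert_off + cert_len > length2:
        raise ValueError("certificate overlaps the SID or overruns Length2")
    return {
        "length1": length1, "length2": length2, "sid": sid,
        "sid_offset": sid_off, "cert_offset": cert_off, "cert_length": cert_len,
        # Bytes between the end of the assumed fixed header and the SID.
        "unexplained": buf[BASE + fixed_end:BASE + sid_off],
        "cert_head": buf[BASE + cert_off:BASE + cert_off + 4],
    }


if __name__ == "__main__":
    for width in (4, 8):
        key = parse_efskey(EFSKEY, reserved2_size=width)
        print(width, key["sid"], key["unexplained"].hex() or "-")
```

Read as 4 bytes, Reserved2 leaves `01 00 00 00` unaccounted for in front of the SID; read as 8 bytes, the fixed header ends exactly at the SID offset of 28.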