[cifs-protocol] [EXTERNAL] DELETE_PENDING behaviour change between Windows 2016 and Windows 2022? - TrackingID#2204070040007396

Kristian Smith Kristian.Smith at microsoft.com
Fri Apr 15 23:16:10 UTC 2022


Hi Volker,

It looks like the upload worked. I will have a look at the traces and get back to you when I have more information.

Thanks,
Kristian

-----Original Message-----
From: Volker Lendecke <Volker.Lendecke at sernet.de> 
Sent: Thursday, April 14, 2022 4:17 AM
To: Kristian Smith <Kristian.Smith at microsoft.com>
Cc: cifs-protocol at lists.samba.org
Subject: Re: [EXTERNAL] DELETE_PENDING behaviour change between Windows 2016 and Windows 2022? - TrackingID#2204070040007396

[You don't often get email from volker.lendecke at sernet.de. Learn why this is important at http://aka.ms/LearnAboutSenderIdentification.]

Hi Kristian,

did the upload. Hopefully everything worked correctly.

Thanks for taking a look,

Volker Lendecke

Am Mon, Apr 11, 2022 at 07:40:56PM +0000 schrieb Kristian Smith:
> Hi Volker,
>
> I'll be the engineer helping you with this issue you posed last week.
>
> I looked through the network traces you provided and noticed that the file paths were complete on most requests on the 2016 trace, but just 'x' was used on the 2022 requests. I've included a screenshot for reference.
>
> Can you please help me by gathering traces from your Server 2016 and 2022 machines with our t.cmd tool as well (instructions follow)? I'm hoping that you will be able to setup the file paths the same way on both requests so that I can compare apples-to-apples.
>
> Collecting traces with t.cmd
>
>       1.      Rename t.txt to t.cmd (file is attached)
>       2.      Open Command Prompt as Administrator (PowerShell works too, you just need to run cmd when it opens)
>       3.      Navigate to directory of t.cmd
>       4.      Run t.cmd srvon
>       5.      Reproduce the error
>       6.      Run t.cmd off
>       7.      Drop the .cab file in the repo via link provided
>               a.      https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsupport.microsoft.com%2Ffiles%3Fworkspace%3DeyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJ3c2lkIjoiN2EzZWEzYTItZTU5Mi00NDUzLTkyZWUtODQ4ZmU0NzcyY2UzIiwic3IiOiIyMjA0MDcwMDQwMDA3Mzk2IiwiYXBwaWQiOiI0ZTc2ODkxZC04NDUwLTRlNWUtYmUzOC1lYTNiZDZlZjIxZTUiLCJzdiI6InYxIiwicnMiOiJFeHRlcm5hbCIsInd0aWQiOiIzMGVkZDJmYS1mY2VlLTQzMDktOWI3Ni0yNTg3YzNkMWFlNjciLCJpc3MiOiJodHRwczovL2FwaS5kdG1uZWJ1bGEubWljcm9zb2Z0LmNvbSIsImF1ZCI6Imh0dHA6Ly9zbWMiLCJleHAiOjE2NTc0ODE4MTMsIm5iZiI6MTY0OTcwNTgxM30.pvUXrQAAePKz-rZYmoDlV5N-2sbh_UrWRwGvavt5MReeDRoLZLWJDkIroj84LMH3fkYeXCS20pR-uSj-TTkp9gaE8Iym1bYGHCr7agQxsDYnXh1bwtpOX5v6DCnlOx-uvzd735X-zA5jgqoLewyugxCN0PNskTHkfK0CO58t3GgbZr1vcQrh2aCzK8VpddSxXok2yhDSc3-d1xWdip54lLIuSk98r7ElRxS8bU0ngkd3ZVw_S_ioUBejY1PNubSBsqPd0_TSJwxy7XlbPUwK6i7GDuGHwyh4vI1AYpUYobh1JDJed4ArHiasC6XUNP1DiF6h-K_FiOUpZpQxDuUeVw%26wid%3D7a3ea3a2-e592-4453-92ee-848fe4772ce3&data=05%7C01%7CKristian.Smith%40microsoft.com%7C240e0bb6d8b14f8b14be08da1e085b9f%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637855318505624407%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=IA%2F07H2EsnnOcg56bX4IvHorX2Rx2do4U6OrrZl5gHM%3D&reserved=0
>       8.      Repeat for other machine
>
> Let me know if you have any issues with the trace collection. Hopefully we can get to the bottom of this quickly.
>
> Thanks,
> Kristian
>
>
> Kristian Smith
> Support Escalation Engineer
> Windows Open Spec Protocols
> Office: (425) 421-4442
> kristian.smith at microsoft.com
>
>
>
> -----Original Message-----
> From: Jeff McCashland (He/him) <jeffm at microsoft.com>
> Sent: Thursday, April 7, 2022 11:04 AM
> To: Volker.Lendecke at sernet.de
> Cc: cifs-protocol at lists.samba.org; Jeff McCashland 
> <jeffm at microsoftsupport.com>
> Subject: RE: [EXTERNAL] DELETE_PENDING behaviour change between 
> Windows 2016 and Windows 2022? - TrackingID#2204070040007396
>
> [DocHelp to BCC, support on CC, SR ID on Subject]
>
> Hi Volker,
>
> Thank you for submitting your question. We have created SR 2204070040007396 to track this issue. One of our engineer will respond soon.
>
> Best regards,
> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft 
> Protocol Open Specifications Team
> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: 
> (UTC-08:00) Pacific Time (US and Canada) Local country phone number 
> found here: 
> https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsuppo
> rt.microsoft.com%2Fglobalenglish&data=05%7C01%7CKristian.Smith%40m
> icrosoft.com%7C240e0bb6d8b14f8b14be08da1e085b9f%7C72f988bf86f141af91ab
> 2d7cd011db47%7C1%7C0%7C637855318505624407%7CUnknown%7CTWFpbGZsb3d8eyJW
> IjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%
> 7C%7C%7C&sdata=0PlOwmUx0DgficwU1ck%2FATz3KGoyfopQq6mJ%2FOmbVew%3D&
> amp;reserved=0 | Extension 1138300 We value your feedback.  My manager 
> is Stacy Gray (stacygr), +1 (469) 775-4055
>
> -----Original Message-----
> From: Volker Lendecke <Volker.Lendecke at sernet.de>
> Sent: Thursday, April 7, 2022 7:52 AM
> To: Interoperability Documentation Help <dochelp at microsoft.com>
> Cc: cifs-protocol at lists.samba.org
> Subject: [EXTERNAL] DELETE_PENDING behaviour change between Windows 2016 and Windows 2022?
>
> Hello dochelp,
>
> attached find two network traces that show different delete_on_close behaviour between Windows 2016 and Windows 2022.
>
> The Win2016 trace can open a directory "x" that is held open but already deleted. The directory was created with frame 32/33, it was then opened (and held open) in 47/48. It was then "removed" or rather marked for deletoin with frames 56-62. With frame 64/65 you can see that an open with just FILE_READ_ATTRIBUTES access mask success fine.
>
> The Win2022 trace does pretty much the same, however in frames 58/59 we get a DELETE_PENDING.
>
> I'm asking because right now Samba behaves like Win2022 and some customer application fails with this behaviour.
>
> We could not find an explanation for either behaviour in neither [MS-SMB2] nor [MS-FSA].
>
> Can you explain where in the docs we could find which of the two behaviours is the correct one?
>
> Thanks,
>
> Volker Lendecke


> ::
> ::  Copyright (C) Microsoft. All rights reserved.
> ::
> ::  THIS CODE IS PROVIDED *AS IS* WITHOUT WARRANTY OF
> ::  ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING ANY
> ::  IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR
> ::  PURPOSE, MERCHANTABILITY, OR NON-INFRINGEMENT.
> ::
>
> @echo off
> setlocal enabledelayedexpansion
>
> @rem vars
> set disp=
> set exe=
> set mode=
> set tool=
> set etl=
> set evtx=
> set bins=
>
> @rem directories and files
> set statedir=
> set servicefile=
> set taskfile=
>
> @rem cli-srv shared logs
> set rpcxdr=0
> set sec=0
> set tcp=0
>
> @rem parsed args - on
> set single=0
> set capture=0
> set cli=0
> set srv=0
> set brief=
> set verbose=
> set ca=
> set csv=0
> set hyperv=0
> set cluster=0
> set circ=
> set circbuf=
> set circargs=
> set level=2
> set rdbss=
> set rdbssflags=
> set rdbsslevel=
> set mrxsmb=
> set mrxsmbflags=
> set mrxsmblevel=
> set smb20=
> set smb20flags=
> set smb20level=
>
> @rem parsed args - off
> set nobin=
> set nocab=
>
> @rem bin groups for the defined streams set dfsn_bins=dfssvc.exe 
> dfs.sys set dns_bins=dnsapi.dll dnsrslvr.dll set fr_bins=fde.dll 
> fdeploy.dll shell32.dll set fskm_bins=cscobj.dll cscsvc.dll csc.sys 
> dfsc.sys mup.sys mrxsmb10.sys mrxsmb20.sys mrxsmb.sys mrxdav.sys 
> nfsrdr.sys rdbss.sys ccffilter.sys resumekeyfilter.sys peerdist.dll 
> peerdistsvc.dll peerdistsh.dll wkssvc.dll wvrf.sys set 
> fsum_bins=cscapi.dll cscui.dll davclnt.dll davhlpr.dll webclnt.dll set 
> nbt_bins=netbt.sys smb.sys set nfs_bins=msnfsflt.sys nfssvr.sys 
> portmap.sys set rpcxdr_bins=rpcxdr.sys set sec_bins=kerberos.dll 
> msv1_0.dll negoexts.dll pku2u.dll set smbhash_bins=hashgen.exe 
> smbgproxy.dll smbhash.exe peerdisthash.dll peerdistsh.dll set 
> srv_bins=srv.sys srv2.sys srvnet.sys srvsvc.dll witness.exe set 
> tcp_bins=tcpip.sys set csvfs_bins=csvfs.sys set csvflt_bins=csvflt.sys 
> set csvvbus_bins=csvvbus.sys vbus.sys set csvnflt_bins=csvnflt.sys 
> nflt.sys set sr_bins=wvrf.sys
>
> call :persistGet statedir statedir
> call :detectMode %*
> if errorlevel 1 (
>     echo.ERROR: operation mode must be specified
>     echo.
>     call :usage
>     exit /b 1
> )
>
> call :getCoreOnly %*
> if errorlevel 1 set level=1
>
> if /i "%mode%" equ "on" goto :nextonarg if /i "%mode%" equ "snapshot" 
> goto :nextsnapshotarg @rem if /i "%mode%" equ "off" goto :nextoffarg
>
> :nextoffarg
> if           "%~1" equ ""        ( goto :offargfini
> ) else if /i "%~1" equ "off"     ( echo.>NUL
> ) else if /i "%~1" equ "clioff"  ( echo.>NUL
> ) else if /i "%~1" equ "srvoff"  ( echo.>NUL
> ) else if /i "%~1" equ "nocab"   ( set nocab=1
> ) else if /i "%~1" equ "nobin"   ( set nobin=1
> ) else (
>         call :invalid %1
>         @rem tracing still running; don't clear persistant state
>         exit /b 1
> )
> shift /1
> goto :nextoffarg
>
> :nextsnapshotarg
> if           "%~1" equ ""           ( goto :offargfini
> ) else if /i "%~1" equ "snapshot"   ( echo.>NUL
> ) else if /i "%~1" equ "nocab"      ( set nocab=1
> ) else if /i "%~1" equ "nobin"      ( set nobin=1
> ) else (
>         call :invalid %1
>         @rem tracing still running; don't clear persistant state
>         exit /b 1
> )
> shift /1
> goto :nextsnapshotarg
>
> :nextonarg
> if           "%~1" equ ""        ( goto :onargfini
> ) else if /i "%~1" equ "capture" ( set capture=1
> ) else if /i "%~1" equ "clion"   ( set cli=%level%
> ) else if /i "%~1" equ "srvon"   ( set srv=%level%
> ) else if /i "%~1" equ "brief"   ( set brief=1
> ) else if /i "%~1" equ "verbose" ( set verbose=1
> ) else if /i "%~1" equ "ca"      ( set ca=1
> ) else if /i "%~1" equ "core"    ( @rem no-op
> ) else if /i "%~1" equ "csv"     ( set csv=1
> ) else if /i "%~1" equ "single"  ( set single=1
> ) else if /i "%~1" equ "hyperv"  ( set hyperv=1
> ) else if /i "%~1" equ "cluster" ( set cluster=1
> ) else (
>         call :checkcirc %1
>         if errorlevel 1 (
>             call :checkdriver %1
>             if errorlevel 1 (
>                     call :invalid %1
>                     @rem clear state
>                     goto :off_final
>             )
>        )
> )
> shift /1
> goto :nextonarg
>
> :offargfini
> if "%statedir%" equ "" (
>     echo.ERROR: no tracing session in progress
>     echo.
>     call :usage
>     exit /b 1
> )
> goto :argsfini
>
> :onargfini
> if "%statedir%" neq "" (
>     echo.ERROR: tracing session already in progress.
>     echo. Stop the existing tracing session before starting another.
>     call :usage
>     exit /b 1
> )
> if %cluster% equ 0 set cluster=%csv%
>
> call :mkstatedir "%TEMP%\t"
> call :dopersist statedir
> goto :argsfini
>
> :argsfini
> :: #########################
> :: Store/Recover persisted state for binary inclusion at stop time
> :: #########################
> call :dopersist single
> call :dopersist capture
> call :dopersist cli
> call :dopersist srv
> call :dopersist csv
> call :dopersist circ
> call :dopersist circbuf
> call :dopersist hyperv
> call :dopersist cluster
> call :dopersist verbose
> call :dopersist rdbss
> call :dopersist rdbssflags
> call :dopersist rdbsslevel
> call :dopersist mrxsmb
> call :dopersist mrxsmbflags
> call :dopersist mrxsmblevel
> call :dopersist smb20
> call :dopersist smb20flags
> call :dopersist smb20level
>
> @rem common components enabled by both cli and srv options if %cli% 
> gtr 0 set rpcxdr=1 if %srv% gtr 0 set rpcxdr=1 if %cli% gtr 1 set 
> sec=1 if %srv% gtr 1 set sec=1 if %cli% gtr 1 set tcp=1
>
> @rem enable sec, wfp-tcp traces for Hyper-V servers even with 'core' 
> specified if %cli% gtr 0 if %csv% equ 0 (
>         set sec=1
>         set tcp=1
> )
>
> :: #########################
> :: OS-specific checks...
> :: #########################
>
> for /f "tokens=2 delims=[]" %%i in ('ver')    do @set OSVERTEMP=%%i
> for /f "tokens=2" %%i in ('echo %OSVERTEMP%') do @set OSVER=%%i for /f 
> "tokens=1 delims=." %%i in ('echo %OSVER%') do @set OSVER1=%%i for /f 
> "tokens=2 delims=." %%i in ('echo %OSVER%') do @set OSVER2=%%i for /f 
> "tokens=3 delims=." %%i in ('echo %OSVER%') do @set OSVER3=%%i
>
> :: #########################
> ::Detect Vista/LH OS Versions
> :: #########################
> set HasNDISCap=
>
> if %OSVER1% equ 5 (
>         goto :knownos
> ) else if %OSVER1% equ 6 (
>         if %OSVER2% geq 1 set HasNDISCap=1
>         if %OSVER2% geq 2 set nobin=1
>
>         if %OSVER2% leq 3 goto :knownos
>         goto :unknownos
> ) else if %OSVER1% equ 10 (
>         set HasNDISCap=1
>         set nobin=1
>         if %OSVER3% equ 10240 goto :knownos
>         if %OSVER3% equ 10586 goto :knownos
>         if %OSVER3% equ 14393 goto :knownos
>         goto :unknownos
> ) else (
>         @rem Win9x, Win ME, NT 3-4
>         echo. ERROR: Unsupported OS version [%OSVER%]
>         exit /b 1
> )
>
> :unknownos
> echo. WARNING : Unknown OS version [%OSVER%] echo.
>
> :knownos
>
> ::
> :: Check if NetSH has the trace context installed,
> :: which signifies ndiscap support.
> :: (Win7 build of WinPE does not)
> ::
> netsh trace >NUL 2>&1
> if errorlevel 1 (
>        set HasNDISCap=
> )
>
> if %capture% gtr 0 (
>         if not defined HasNDISCap (
>             set capture=0
>             echo. Packet capture is only supported on Windows 7 / 2008 R2
>             echo. or newer operating systems.
>             echo.
>             call :invalid capture
>             exit /b 1
>         )
>         for %%i in (sc.exe) do (set exe=%%~$PATH:i)
>         if "!exe!" equ "" (
>             set capture=0
>             echo. Packet capture requires sc.exe to be present in order
>             echo. to start the filter driver.
>             call :invalid capture
>             exit /b 1
>         )
> )
>
> :: ###################################
> :: Check for local Admin rights, and prompt for elevation as needed
> :: ###################################
>
> call :mktemp _lua_filename %systemdrive%\lua dat set 
> _lua_running=false @rem redirect 'Access Denied' error from cmd (not 
> echo) to NUL (echo 1>%_lua_filename%) >NUL 2>&1 if exist 
> %_lua_filename% (
>         set _lua_running=true
>         del /q %_lua_filename%
> )
> if '%_lua_running%' equ 'false' (
>         echo. ERROR: This script requires administrator access.
>         echo.
>         echo. Please relaunch the command prompt with administrator privileges.
>         call :persistDelete
>         exit /b 1
> )
>
> if /i "%mode%" neq "on" goto :skiponchecks set /a optionsum=cli+srv if 
> %optionsum% equ 0 (
>         echo.ERROR: At least one of the clion or srvon options must
>         echo. be specified in order to enable tracing.
>         call :persistDelete
>         call :usage
>         exit /b 1
> )
>
> :skiponchecks
> set tool=
> call :toolsearch logman.exe
> if "!tool!" equ "" (
>         call :toolsearch tracelog.exe
> )
> if "!tool!" equ "" (
>         echo. No available programs available to enable tracing.
>         echo. One of the following must be located in a directory in the PATH:
>         echo.     logman.exe
>         echo.     tracelog.exe
>         call :persistDelete
>         exit /b 1
> )
>
> if defined USERDOMAIN (
>         set NdisCapTraceSession=NetTrace-%USERDOMAIN%-%USERNAME%
> ) else (
>         set NdisCapTraceSession=NetTrace-%USERNAME%
> )
>
> set SingleTraceFile=trace
> set NdisCapTraceFile=packetcapture
> if %single% geq 1 set NdisCapTraceFile=%SingleTraceFile%
>
> :snapshot-restart
> set servicefile=%statedir%\services.txt
> set taskfile=%statedir%\tasklist.txt
>
> if /i "%mode%" neq "on" goto :core
> @rem initialization prior to enabling traces (includes packet capture)
>
> @rem grab the current process list before turning on tracing @rem and 
> be resilient to the absence of tasklist.exe for %%i in (tasklist.exe) 
> do (set exe=%%~$PATH:i) if "!exe!" equ "" (
>         echo tasklist.exe is not present > !taskfile!
> ) else (
>         !exe! /FO csv /svc > !taskfile!
> )
>
> @rem grab the current service list as well for %%i in (sc.exe) do (set 
> exe=%%~$PATH:i) if "!exe!" equ "" (
>         echo sc.exe is not present > !servicefile!
> ) else (
>         !exe! query type= all state= all > !servicefile!
> )
>
> if %capture% geq 1 goto :captureon
> if %single% geq 1 goto :singleon
> goto :core
>
> :captureon
> set netshmode=fileMode=single
> if defined circ set circargs=maxSize=%circbuf% fileMode=circular call 
> :doit netsh trace start capture=yes 
> traceFile="%statedir%\%NdisCapTraceFile%.etl" %circargs% 
> correlation=no set circargs= if not errorlevel 1 ( set disp=started 
> %NdisCapTraceFile% ^<- ndiscap ) if %single% equ 0 call :disp goto 
> :core
>
> :singleon
> call :traceon-%tool% %NdisCapTraceSession% %SingleTraceFile% if not 
> errorlevel 1 ( set disp=started trace ^<- ) goto :core
>
> :core
> if %cli% gtr 0 (
>         call :doetl fskm
>         call :doetl fsum
>
>         if %cli% gtr 1 (
>                 call :doetl dns
>                 call :doetl fr
>                 call :doetl nbt
>         )
> )
>
> if %srv% gtr 0 (
>         call :doetl dfsn
>         call :doetl srv
>         call :doetl smbhash
>         call :doetl nfs
>         call :doetl sr
> )
>
> if %rpcxdr% gtr 0 (
>         call :doetl rpcxdr
> )
>
> if %sec% gtr 0 (
>         @rem enabled by either cli or srv
>         call :doetl sec
> )
>
> if %tcp% gtr 0 (
>         call :doetl tcp
> )
>
> if %csv% gtr 0 (
>         call :doetl csvfs
>         call :doetl csvflt
>         call :doetl csvvbus
>         call :doetl csvnflt
> )
>
> call :doevtlog
>
> if /i "%mode%" equ "on" goto :on_final
>
> @rem packet capture must be the last to stop
>
> if %capture% geq 1 goto :captureoff
> if %single% geq 1 goto :singleoff
> goto :off
>
> :captureoff
> echo.Please be patient as NetSH retrieves the packet captures...
> echo.This will take a few minutes.
> call :doit netsh trace stop
> set etl=!etl! %NdisCapTraceFile%.etl
> @rem remove netsh report that can't be turned off call :doit del 
> %statedir%\%NdisCapTraceFile%.cab goto :off
>
> :singleoff
> call :traceoff-%tool% %NdisCapTraceSession% set 
> etl=%SingleTraceFile%.etl call :disp goto :off
>
> :invalid
> echo.
> echo. invalid parameter: %1
> echo.
> @rem fall through to usage
>
> :usage
> echo. Enabling Tracing:
> echo.     usage: %~n0 [clion] [srvon] [core] [verbose] [capture] [csv] [cluster] [hyperv] [circ:N] [driver:flags:level]
> echo.     clion   - generate client component traces
> echo.     srvon   - generate server component traces
> echo.     capture - enable packet capture ^(Windows 7 / Windows 2008 R2 or newer^)
> echo.
> echo.         At least one of cli, srv, and capture must
> echo.         be specified.
> echo.
> echo.     csv     - generate CSV component traces
> echo.     cluster - collect Cluster event logs
> echo.     hyperv  - collect Hyper-V event logs
> echo.     verbose - verbose mode tracing flags (defined for fskm/mup)
> echo.     circ:N  - generate circular logs of size N megabytes
> echo.               (default circular buffer size is 50 MB per log)
> echo.     driver:flags:level - specify trace flags and level for this driver (support rdbss, mrxsmb, smb20 only)
> echo.                          flags and level must be in hex
> echo.         rdbss:  0x0001 error     0x0002 misc     0x0004 io        0x0008 openclose
> echo.                 0x0010 readwrite 0x0020 fileinfo 0x0040 oplock    0x0080 connectionobject
> echo.                 0x0100 fcb       0x0200 caching  0x0400 migration 0x0800 namecache
> echo.                 0x1000 security
> echo.         mrxsmb: 0x0001 error     0x0002 misc        0x0004 network          0x0008 security
> echo.                 0x0010 exchange  0x0020 compounding 0x0040 connectionobject 0x0080 midwindow
> echo.                 0x0100 multichannel
> echo.         smb20:  0x0001 error    0x0002 misc   0x0004 network 0x0008 security
> echo.                 0x0010 exchange 0x0020 io     0x0040 handle  0x0080 infocache
> echo.                 0x0100 dircache 0x0200 oplock
> echo.         level:  0x1 error 0x2 brief 0x4 verbose
> echo. Disabling Tracing:
> echo. usage: %~n0 off [nocab] [nobin]
> echo.     off     - turn off tracing
> echo.     nocab   - do not compress traces
> echo.     nobin   - do not gather system binaries matching the captured traces
> echo.               (please do not use if external to FSF/without direction)
> echo.
> echo. Disabling/Enabling Tracing:
> echo. usage: %~n0 snapshot [nocab] [nobin] goto :eof
>
> @@@@@@@@@
> @
> @ tracing steps:
> @
> @ 1. tracepre: setup required prior to listing streams @ 2. traceadd: 
> add a stream to the session @ 3. tracepost: final setup after 
> mentioning all streams @ 4. disp: dump rendering of what trace* did @
>
> :doetl
> if %mode% equ on (
>         call :traceon %1
>         call :%1on
>         if %single% equ 0 call :disp
> ) else (
>         if %single% equ 0 (
>             call :traceoff %1
>             set etl=!etl! %1.etl
>         )
>         @rem roll up the binaries associated with this trace, if specified
>         if not defined nobin set bins=!bins! !%1_bins!
> )
> goto :eof
>
> :doevtlog
> if %mode% equ on  goto :doevtlogon
> if %mode% neq on goto :doevtlogoff
> :goto :eof
>
> :doevtlogon
> goto :eof
>
> :doevtlogoff
> if %cli% gtr 0 (
>         @rem SMB Client
>         call :export-evtx Microsoft-Windows-SMBClient/Connectivity
>         call :export-evtx Microsoft-Windows-SMBClient/Operational
>         if %OSVER1% lss 10 call :export-evtx WitnessClientAdmin Witness-Admin.evtx
>         if %OSVER1% geq 10 call :export-evtx 
> Microsoft-Windows-SMBWitnessClient/Admin Witness-Admin.evtx
> )
>
> if %cluster% gtr 0 (
>         @rem Cluster Nodes (Admin, Diagnostic, Operational channels)
>         call :export-evtx System
>         call :export-evtx Microsoft-Windows-FailoverClustering/Diagnostic
>         call :export-evtx 
> Microsoft-Windows-FailoverClustering/Operational
> )
>
> if %hyperv% gtr 0 (
>         @rem Hyper-V Events
>         call :export-evtx Microsoft-Windows-Hyper-V-VMMS-Admin
> )
> if defined evtx echo.evtlog -^> %evtx% goto :eof
>
> :export-evtx
> set "channel=%~1"
> set "file=%~2"
> if "%file%" equ "" set "file=%channel:/=-%.evtx"
> if /i "%file:~0,18%" equ "Microsoft-Windows-" set "file=%file:~18%"
> wevtutil epl "%channel%" "%statedir%\%file%" 
> "/q:*[System[TimeCreated[timediff(@SystemTime) <= 86400000]]]" >NUL 2>NUL if %ERRORLEVEL% equ 0 set "evtx=!evtx! %file%"
> exit /b
>
> @@@@@@@@
> :fskmon
>
> if %OSVER1% lss 10 (
>     if defined verbose (
>         set flags=0xfffffff
>     ) else (
>         set flags=0x3333333
>     )
>     set level=7
>
>     call :traceadd fskm     20c46239-d059-4214-a11e-7d6769cbe020 csckm/dav/dfsc/mup/rdbss/smb !level! !flags!
> ) else (
>
>     if not defined ca (
>         if defined verbose (
>             set flags=0xffff0f0
>             set level=7
>         ) else (
>             set flags=0x3333030
>             set level=0
>         )
>
>         call :traceadd fskm     20c46239-d059-4214-a11e-7d6769cbe020 csckm/dav/dfsc/mup !level! !flags!
>     )
>
>     if defined verbose (
>         set level=4
>     ) else (
>         set level=2
>     )
>
>     set flags=0xffffffff
>
>     if defined ca (
>         set flags=0x5
>     )
>
>     if defined rdbss (
>         call :traceadd fskm     0086eae4-652e-4dc7-b58f-11fa44f927b4 rdbss !rdbsslevel! !rdbssflags!
>     ) else (
>         call :traceadd fskm     0086eae4-652e-4dc7-b58f-11fa44f927b4 rdbss !level! !flags!
>     )
>
>     if defined ca (
>         set flags=0x75
>     )
>
>     if defined mrxsmb (
>         call :traceadd fskm     f818ebb3-fbc4-4191-96d6-4e5c37c8a237 mrxsmb !mrxsmblevel! !mrxsmbflags!
>     ) else (
>         call :traceadd fskm     f818ebb3-fbc4-4191-96d6-4e5c37c8a237 mrxsmb !level! !flags!
>     )
>
>     if defined smb20 (
>         call :traceadd fskm     e4ad554c-63b2-441b-9f86-fe66d8084963 smb20 !smb20level! !smb20flags!
>     ) else (
>         call :traceadd fskm     e4ad554c-63b2-441b-9f86-fe66d8084963 smb20 !level! !flags!
>     )
> )
>
> if not defined ca (
>     @rem witness / ccf
>     call :traceadd fskm 47eba62c-87e6-4564-9946-0dd4e361ed9b witnesscli
>     call :traceadd fskm 17efb9ce-8cab-4f19-8b96-0d021d9c76f1 ccffilter
>
>     @rem csc
>     call :traceadd fskm 89d89015-c0df-414c-bc48-f50e114832bc cscservice
>     call :traceadd fskm 791cd79c-65b5-48a3-804c-786048994f47 fastsync
>     call :traceadd fskm d5418619-c167-44d9-bc36-765beb5d55f3 dcluser
>     call :traceadd fskm 1f8b121d-45b3-4022-a9fb-3857177a65c1 peerdist
>
>     @rem nfs
>     call :traceadd fskm 355c2284-61cb-47bb-8407-4be72b5577b0 nfsrdr
> )
>
> goto :eof
>
> @@@@@@@@@
> :rpcxdron
> call :traceadd rpcxdr   94b45058-6f59-4696-b6bc-b23b7768343d rpcxdr
> call :traceadd rpcxdr   53c16bac-175c-440b-a266-1e5d5f38313b rpcxdr
> goto :eof
>
> @@@@@@@@@
> :secon
> call :traceadd sec      6b510852-3583-4e2d-affe-a67f9f223438 kerberos 7 0x43
> call :traceadd sec      5bbb6c18-aa45-49b1-a15f-085f7ed0aa90 ntlm 7 0x15003
> call :traceadd sec      5af52b0d-e633-4ead-828a-4b85b8daac2b negoexts 7 0x73
> call :traceadd sec      2a6faf47-5449-4805-89a3-a504f3e221a6 pku2u 7 0x1f3
> goto :eof
>
> @@@@@@@@@
> :fsumon
> @rem csc
> call :traceadd fsum     361f227c-aa14-4d19-9007-0c8d1a8a541b cscnet
> call :traceadd fsum     0999b701-3e5d-4998-bc58-a775590a55d9 cscdll
> call :traceadd fsum     19ee4cf9-5322-4843-b0d8-bab81be4e81e cscapi
> call :traceadd fsum     66418a2a-72af-4c1a-9c84-42f6865563bd cscui
> call :traceadd fsum     5e23b838-5b71-47e6-b123-6fe02ef573ef cscum
> @rem dav
> call :traceadd fsum     91efb5a1-642d-42a4-9821-f15c73064fb5 WebClnt
> goto :eof
>
> @@@@@@@@@
> :srvon
> call :traceadd srv      3121cf5d-c5e6-4f37-be86-57083590c333 srvdl
>
> if defined brief (
>     set level=0
> ) else (
>     set level=7
> )
>
> call :traceadd srv      2744f0b7-8455-44f8-9b64-5f589f9d163a srv2 !level!
> call :traceadd srv      c0183094-fdc6-493f-a3e8-697224f83f6f srvnet !level!
> call :traceadd srv      d8e0c67b-7d87-48b6-9290-42126e66faee srvsvc !level!
>
> if defined brief (
>     set level=3
> ) else (
>     set level=7
> )
>
> call :traceadd srv      c5a38574-9827-4c24-b8fb-d6635475566f resumekeyfilter !level!
>
> if defined brief (
>     set level=2
> ) else (
>     set level=7
> )
>
> call :traceadd srv      c73e561f-c5b4-4a82-9b63-34bde5718e61 witnesssvc !level!
> goto :eof
>
> @@@@@@@@@
> :smbhashon
> call :traceadd smbhash  48be2803-12c0-4932-aa80-93372d5a9114 smbhash 
> goto:eof
>
> @@@@@@@@@
> :nfson
> call :traceadd nfs      cc9a5284-cc3e-4567-b3f6-3eb24e7cfec5 msnfsfltguid
> call :traceadd nfs      3c33d8b3-66fa-4427-a31b-f7dfa429d78f nfssvrguid
> call :traceadd nfs      fc33d8b3-66fa-4427-a31b-f7dfa429d78f nfssvrguid2
> call :traceadd nfs      57294efd-c387-4e08-9144-2028e8a5cb1a nfssvrnlmguid
> call :traceadd nfs      f3bb9731-1d9f-4b8e-a42e-203bf1a32300 nfs4svrguid
> call :traceadd nfs      e18a05dc-cce3-4093-b5ad-211e4c798a0d portmapguid
> goto :eof
>
> @@@@@@@@@
> :fron
> call :traceadd fr       2955e23c-4e0b-45ca-a181-6ee442ca1fc0 fr 4 0x1f
> call :traceadd fr       6b6c257f-5643-43e8-8e5a-c66343dbc650 UstCommon 7 0x0fffffff
> goto :eof
>
> @@@@@@@@@
> :dfsnon
> call :traceadd dfsn     27246e9d-b4df-4f20-b969-736fa49ff6ff dfsn
> goto :eof
>
> @@@@@@@@@
> :nbton
> call :traceadd nbt      bca7bd7f-b0bf-4051-99f4-03cfe79664c1 nbtsmb
> goto :eof
>
> @@@@@@@@@
> :tcpon
> if %cli% gtr 1 (
>     rem - tcp-only == flags 0x80 from the original script
>     set flags=0x1080
>     set level=7
> ) else (
>     set flags=0x1000
>     set level=2
> )
>
> call :traceadd tcp      eb004a05-9b1a-11d4-9123-0050047759bc tcp !level! !flags!
> goto :eof
>
> @@@@@@@@@
> :dnson
> call :traceadd dns      609151dd-04f5-4da7-974c-fc6947eaa323 dnsapi 7 0x00797fc0
> call :traceadd dns      f230b1d5-7dfd-4da7-a3a3-7e87b4b00ebf dns
> goto :eof
>
> @@@@@@@@@
> :csvfson
> call :traceadd csvfs    d82dba12-8b70-49ee-b844-44d0885951d2 csvfs 5 0xffff
> goto :eof
>
> @@@@@@@@@
> :csvflton
> call :traceadd csvflt   b421540c-1fc8-4c24-90cc-c5166e1de302 csvflt 5 0xffff
> goto :eof
>
> @@@@@@@@@
> :csvvbuson
> call :traceadd csvvbus  4e6177a5-c0a7-4d9b-a686-56ed5435a904 csvvbus 5 
> 0xffff goto :eof
>
> @@@@@@@@@
> :csvnflton
> call :traceadd csvnflt  4e6177a5-c0a7-4d9b-a686-56ed5435a908 csvnflt 5 
> 0xffc3 goto :eof
>
> @@@@@@@@@
> :sron
> call :traceadd sr      8e37fc9c-8656-46da-b40d-34d97a532d09 wvrfguid
> call :traceadd sr      634af965-fe67-49cf-8268-af99f62d1a3e wvrsvcguid
> call :traceadd sr      fadca505-ad5e-47a8-9047-b3888ba4a8fc wvrcimprov
> goto :eof
>
> ::
> ::::::::::::::::::::::::::::::::::::::::
> :: Parameter Validation and Parsing
> ::::::::::::::::::::::::::::::::::::::::
> ::
> :: :detectMode
> :: detects operation mode
> :: @return %mode%: 'on', 'off', or 'snapshot'
> :detectMode
> set mode=
> :detectModeInnner
> for %%i in (clion srvon) do (
>     if /i "%~1" equ "%%i" (
>         if "!mode!" neq "" exit /b 1
>         set mode=on
>         exit /b 0
>     )
> )
> for %%i in (off clioff srvoff) do (
>     if /i "%~1" equ "%%i" (
>         if "!mode!" neq "" exit /b 1
>         set mode=off
>         exit /b
>     )
> )
> if /i "%~1" equ "snapshot" (
>     if "!mode!" neq "" exit /b 1
>     set mode=snapshot
>     exit /b
> )
> shift
> if "%~1" neq "" goto :detectModeInnner if "%mode%" equ "" exit /b 1 
> exit /b 0
> ::
> :: :getCoreOnly
> :: @return 1 iff 'core' is in arugments :getCoreOnly if /i "%~1" equ 
> "core" (
>     exit /b 1
> )
> shift
> if "%~1" neq "" goto :getCoreOnly
> exit /b 0
> ::
> ::::::::::::::::::::::::::::::::::::::::
> :: Persistance Utilities
> ::::::::::::::::::::::::::::::::::::::::
> :: :persistSet
> :: Sets a value to persist in the registry
> :: @param 1 registry value name
> :: @param 2 registry value data
> :persistSet
> reg.exe add "HKCU\SOFTWARE\Microsoft\t.cmd-state" /v %1 /d %2 /f > NUL 
> exit /b
> ::
> :: :persistGet
> :: Creates key in registry to store settings
> :: @param 1 name of environment variable to set
> :: @param 2 registry value name
> :: @param 3 default value (optional)
> :persistGet
> set %1=%3
> (for /F "tokens=2*" %%a in ('reg query 
> "HKCU\SOFTWARE\Microsoft\t.cmd-state" /v %2') do set %1=%%b) 2>NUL 
> exit /b
> ::
> :: :persistClear
> :: Clear a value from the registry
> :: @param 1 registry value name
> :persistClear
> reg.exe delete "HKCU\SOFTWARE\Microsoft\t.cmd-state" /v %1 /f >NUL 
> 2>NUL exit /b
> ::
> :: :persistDelete
> :: Deletes all persistent registry values related to this script 
> :persistDelete reg delete "HKCU\SOFTWARE\Microsoft\t.cmd-state" /f 
> >NUL 2>NUL exit /b
> ::
> :: :dopersist
> :: @param 1 environment variable to persist in the registry
> :: @param %mode%: "on", "off", or "snapshot"
> :: Stores settings in registry when %mode% is "on"; loads them 
> otherwise :dopersist if /i "%mode%" equ "on" (
>     if defined %1 (
>         call :persistSet %1 !%1!
>     ) else (
>         call :persistClear %1
>     )
> ) else (
>     call :persistGet %1 %1
> )
> exit /b
> ::
> ::::::::::::::::::::::::::::::::::::::::
> :: File Utitlities
> ::::::::::::::::::::::::::::::::::::::::
> ::
> :: :toolsearch
> :: Search for a tool in %PATH% and sets the variable exe to point to its full path.
> :: @param 1 Name of the tool EXE
> :: @return Sets %tool% to %1 if tool is found in path; %exe% set to 
> expanded path or
> :: cleared if not found.
> :toolsearch
> if exist "%CD%\%1" (
>     set tool=%1
>     goto :eof
> )
> for %%i in (%1) do (set exe=%%~$PATH:i) if "!exe!" neq "" (
>     set tool=%1
> )
> goto :eof
> ::
> :: :mktemp
> :: Find a non-existing temporary file with a specified prefix and 
> extension
> :: @param 1 variable to set
> :: @param 2 path prefix
> :: @param 3 file extension
> :mktemp
> set %1=%~2-!random!.%~3
> if exist "!%1!" goto :mktemp
> goto :eof
> ::
> :: :mkstatedir
> :: Create a temporary directory to store state files
> :: Does not require delayed expansion.
> :: @param 1 path prefix
> :: @return %statedir%
> :mkstatedir
> set statedir=%~1-%random%
> if exist "%statedir%" goto :mkstatedir mkdir "%statedir%" >NUL 2>&1 if 
> errorlevel 1 goto :mkstatedir goto :eof
> ::
> ::::::::::::::::::::::::::::::::::::::::
> :: Base interface to abstract between differences in NetSH, LogMan, 
> and TraceLog
> ::
> :: :traceon
> :: Create a tracing session with the given name prior to adding trace providers.
> :: @param 1 etl session name
> ::
> :: :traceadd
> :: Add a provider to the tracing session.
> :: @param 1 etl session name
> :: @param 2 guid
> :: @param 3 display name
> :: @param 4 optional level
> :: @param 5 optional flags
> ::
> :: :traceoff
> :: Disable tracing for a given session.
> :: @param 1 etl session name
> ::::::::::::::::::::::::::::::::::::::::
> ::
> :traceon
> if %single% equ 0 (
>     call :traceon-%tool% %1
>     if not errorlevel 1 ( set disp=started %1 ^<- )
> )
> goto :eof
>
> :traceadd
> setlocal
> if "%~4" equ "" (
>         set level=7
> ) else (
>         set level=%4
> )
>
> if "%5" equ "" (
>         set flags=0x7fffffff
> ) else (
>         set flags=%5
> )
> if %single% equ 0 call :traceadd-%tool% %1 %2 %3 %level% %flags% if 
> %single% geq 1 call :traceadd-%tool% %NdisCapTraceSession% %2 %3 
> %level% %flags% endlocal if not errorlevel 1 ( if "%~3" neq "" set 
> disp=!disp!%~3 ) goto :eof
>
> :traceoff
> call :traceoff-%tool% %1
> if not errorlevel 1 ( echo %1 -^> %1.etl ) goto :eof
>
> ::
> :: LogMan Tracing Implementation
> ::
> :traceon-logman.exe
> if defined circ set circargs=-f bincirc -max !circbuf!
> set file=%~1
> if "%~2" neq "" set file=%~2
> call :doit logman create trace -n %1 -o "%statedir%\%file%.etl" -mode 
> localsequence -nb 16 16 -bs 2048 -ets %circargs% goto :eof
>
> :traceadd-logman.exe
> call :doit logman update -n %1 -p {%2} %5 %4 -ets goto :eof
>
> :traceoff-logman.exe
> call :doit logman stop -n %1 -ets
> goto :eof
>
> ::
> :: TraceLog Tracing Implementation
> ::
> :traceon-tracelog.exe
> if defined circ set circargs=-cir !circbuf!
> set file=%~1
> if "%~2" neq "" set file=%~2
> call :doit tracelog -start %1 -f "%statedir%\%file%.etl" -ls -min 16 
> -max 16 -b 2048 -gs %circargs% goto :eof
>
> :traceadd-tracelog.exe
> call :doit tracelog -enable %1 -guid #%2 -level %4 -flags %5 goto :eof
>
> :traceoff-tracelog.exe
> call :doit tracelog -stop %1
> goto :eof
>
>
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @rem finalization / cab generator
> @rem
> @rem two phase, second (*_final) is termination :off
>
> @rem timestamp
> set timestampfile=%statedir%\timestamp.txt
> echo %DATE% %TIME%> "!timestampfile!"
>
> @rem os version data
> set verfile=%statedir%\version.txt
> reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /t REG_SZ > "!verfile!"
>
> if defined nocab goto :off_nocab
>
> @rem check for makecab.exe
> for %%i in (makecab.exe) do (set exe=%%~$PATH:i) if "!exe!" equ "" (
>     echo.
>     echo.WARNING: makecab.exe not found. Proceeding as if 'nocab' was specified.
>     goto :off_nocab
> )
>
> @rem construct cab directive file
> set dirfile=%statedir%\tracecab.ddf
> set cabname=t %computername% %date:/=-% %time::=-%.cab
>
> echo .set CabinetName1="!cabname!"       >  !dirfile!
> echo .set CompressionType=LZX            >> !dirfile!
> echo .set DiskDirectory=.                >> !dirfile!
> echo .set DiskDirectory1=.               >> !dirfile!
> echo .set InfFileName=nul                >> !dirfile!
> echo .set RptFileName=nul                >> !dirfile!
> echo .set maxdisksize=0                  >> !dirfile!
> call :addfile "!timestampfile!"
> call :addfile "!verfile!"
> call :addfile "!servicefile!"
> call :addfile "!taskfile!"
> for %%i in (!etl! !evtx!) do call :addfile "%statedir%\%%i"
> for %%i in (!bins!) do (
>         if exist "%systemroot%\system32\%%i" (
>                 call :addfile "%systemroot%\system32\%%i" bin\
>         ) else if exist "%systemroot%\system32\drivers\%%i" (
>                 call :addfile "%systemroot%\system32\drivers\%%i" bin\
>         )
> )
>
> echo ---
> makecab /f "!dirfile!"
> if !errorlevel! neq 0 (
>     echo.ERROR: failed to compress trace files
>     goto :off_nocab
> )
>
> echo ---
> if defined bins echo compressed: matching system binaries
> echo.compressed: version info +!etl!
> echo.
> echo.Traces are in:
> echo.%CD%\!cabname!
> echo.
> echo.done.
>
> @rem cleanup
> call :doit del "!servicefile!"
> call :doit del "!taskfile!"
> call :doit del "!dirfile!"
> call :doit del "!verfile!"
> call :doit del "!timestampfile!"
> for %%i in (!etl! !evtx!) do call :doit del "%statedir%\%%i"
> goto :off_final
>
> @rem nocab or cab failure: print location of etl files.
> :off_nocab
> echo.
> echo.
> echo. Trace files were not compressed. They are located in:
> echo. %statedir%
>
> @rem finalization for off state
> :off_final
> if "%mode%" equ "snapshot" (
>         set mode=on
>         if defined nocab (
>                 @rem create new statedir
>                 call :mkstatedir "%TEMP%\t"
>                 call :persistSet statedir "!statedir!"
>         )
>         goto :snapshot-restart
> )
> if not defined nocab call :doit rmdir "!statedir!"
> call :persistDelete
> endlocal
> goto :eof
>
> @rem finalization for on state
> :on_final
> if %single% geq 1 call :disp
> endlocal
> goto :eof
>
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@
> ::
> :: :addfile
> :: Adds a file to the CAB manifest
> :: Note: Files may be located in directories containing spaces,
> :: but the files themselves must not have spaces in their names
> :: @param 1 file to add
> :: @param 2 subdirectory to place in cab file
> :: (must be followed by '\' and not contain spaces) :addfile if exist 
> %1 (
> echo.%~s1        %~2%~nx1 >> !dirfile!
> )
> goto :eof
>
> :doit
> %* >nul
> if errorlevel 1 ( echo failed: %* )
> goto :eof
>
> :disp
> echo.!disp!
> goto :eof
>
> @rem Check for circular buffer option and buffer size.
> :checkcirc
> for /f "tokens=1,2 delims=:" %%i in ("%1") do (
>     if %%i equ circ (
>
>         set circ=1
>         set circbuf=%%j
>         if "%%j" equ "" set circbuf=50
>         echo Enabling circular buffer of size !circbuf! MB
>         exit /b 0
>     )
> )
> exit /b 1
>
> @rem Check for specific driver, flags and level.
> :checkdriver
>
> for /f "tokens=1,2,3 delims=:" %%i in ("%1") do (
>     if %%i equ rdbss (
>
>         set rdbss=1
>         set rdbssflags=%%j
>         set rdbsslevel=%%k
>         exit /b 0
>     ) else if %%i equ mrxsmb (
>
>         set mrxsmb=1
>         set mrxsmbflags=%%j
>         set mrxsmblevel=%%k
>         exit /b 0
>     ) else if %%i equ smb20 (
>
>         set smb20=1
>         set smb20flags=%%j
>         set smb20level=%%k
>         exit /b 0
>     )
> )
> exit /b 1
>




More information about the cifs-protocol mailing list