[cifs-protocol] [EXTERNAL] Re: [MS-ADTS] SID as DN alternative for querying groups by member - TrackingID#2209290040008412

Jeff McCashland (He/him) jeffm at microsoft.com
Tue Oct 4 21:38:39 UTC 2022 

Hi Christof,

Try these 2 steps instead of the previous step 1: 

	1. From an elevated command prompt, run "tasklist /FI "IMAGENAME eq lsass.exe" and note the PID number
	2. Run the command (using the PID from step 1): "C:\TTD\TTTracer.exe -attach [PID]"

Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team 

-----Original Message-----
From: Christof Schmitt <cs at samba.org> 
Sent: Tuesday, October 4, 2022 2:12 PM
To: Jeff McCashland (He/him) <jeffm at microsoft.com>
Cc: Andrew Bartlett <abartlet at samba.org>; cifs-protocol at lists.samba.org; Microsoft Support <supportmail at microsoft.com>
Subject: Re: [EXTERNAL] Re: [cifs-protocol] [MS-ADTS] SID as DN alternative for querying groups by member - TrackingID#2209290040008412

On Fri, Sep 30, 2022 at 10:48:35PM +0000, Jeff McCashland (He/him) wrote:
> Hello Cristof,
> 
> Have you tried issuing the LDAP commands from a Windows client as well as a Samba client? If so, what tool/command line did you use, and what were the results? 
> 
> I would like to collect an LSASS TTT trace with a concurrent network capture of the scenario where no results are returned. 
> 
> The LSASS traces can be quite large, but are highly compressible, so please add them to a .zip archive before uploading (file transfer workspace credentials are below). Please log into the workspace and find PartnerTTDRecorder_x86_x64.zip available for download. The x64 tool can be staged onto the Windows server in any location (instructions below assume C:\TTD). 
> 
> To collect the needed traces:
> 	1. From a PowerShell prompt, execute: 
> 		C:\TTD\tttracer.exe -Attach ([int](Get-Process -NAME lsass | Format-Wide -Property ID).formatEntryInfo.formatPropertyField.propertyValue)
> 	2. Wait for a little window to pop up in top left corner of your screen, titled "lsass01.run"

When trying to run these traces on the DC, this window does not appear. The Powershell window just shows:

PS C:\Users\Administrator> tttrace.exe -Attach 572 Microsoft (R) TTTrace 1.01.03
Release: 10.0.17763.1
Copyright (C) Microsoft Corporation. All rights reserved.

Is there anything that can be done?

Regards,

Christof

More information about the cifs-protocol mailing list