Hi, Sorry I missed that Reserved2 was an 8 byte field and assumed it was a 4 byte field. Maybe the illustration in section 2.2.1.2.2 can be enhanced to show Reserved2 spanning 8 bytes. It currently looks like reserved2 is only spanning 4 bytes.
Please close this case. regards ronnie sahlberg On Wed, Oct 8, 2008 at 2:59 PM, Edgar Olougouna <[EMAIL PROTECTED]> wrote: > Hi Ronnie, > > Please note the change in the Byte numbers in my question, for clarity sake. > > > > Looking at the trace I have a clarification question of this portion of the > case. > > > > Section 2.2.1.2.2 > > ------------------------- > > In one trace I have of this blob there is a 4 byte integer with the value > 0x00000001 between the Reserved2 field and the first byte of the SID. > > Is this a field that is missing in the documentation? > > > > Clarification question: > > ----------------------- > > I am trying to identify the 0x00000001 you referred to. According to the raw > packet, did you mean that SID is starting from Byte 04 or Byte 07 on line > 00c0? > > The SID offset is 28 (0x1c, starting from Length2 00 00 73 02) and the > Reserved2 is defined as an 8 bytes field. > > > > Is there something I am missing here? > > > > Byte 0 1 2 3 4 5 6 7 8 9 . . . > > > > 00a0 00 00 01 00 01 00 01 00 00 00 77 02 00 00 73 02 ..........w...s. > > 00b0 00 00 1c 00 00 00 02 00 00 00 3b 02 00 00 38 00 ..........;...8. > > 00c0 00 00 20 00 00 00 01 00 00 00 01 05 00 00 00 00 .. ............. > > 00d0 00 05 15 00 00 00 3f 5c 2b 03 a8 39 f3 d7 17 be ......?\+..9.... > > > > Length1: 631 > > Length2: 627 > > SID Offset: 28 > > Cert Length: 571 > > Cert Offset: 56 > > sid: S-1-5-21-53173311-3623041448-2049097239-500 > > Revision: 1 > > Num Auth: 5 > > Authority: 5 > > Sub-authorities: > > > > Best regards, > > > > Edgar A. Olougouna > > Sr. SEE, Microsoft DSC Protocol Team | Email: [EMAIL PROTECTED] | Tel: > +1.469.775.7189 x 57189 > > > > > > -----Original Message----- > From: ronnie sahlberg [mailto:[EMAIL PROTECTED] > Sent: Friday, October 03, 2008 12:59 PM > To: Edgar Olougouna > Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] > Subject: Re: Email for Case SRX081002601173 > > > > Sure, > > > > > > Find the capture attached. > > Frame 2420 > > > > > > > > No. Time Source Destination Protocol > Info > > 2420 182.851604 192.168.115.5 192.168.115.105 LSARPC > > lsa_QueryDomainInformationPolicy response > > > > Frame 2420 (806 bytes on wire, 806 bytes captured) > > Arrival Time: Sep 27, 2007 11:50:58.095991000 > > [Time delta from previous captured frame: 0.091102000 seconds] > > [Time delta from previous displayed frame: 0.091102000 seconds] > > [Time since reference or first frame: 182.851604000 seconds] > > Frame Number: 2420 > > Frame Length: 806 bytes > > Capture Length: 806 bytes > > [Frame is marked: False] > > [Protocols in frame: > > eth:ip:tcp:nbss:smb:dcerpc:gpef:x509af:x509sat:x509sat:x509sat:x509sat:x509sat:x509sat:pkcs-1:x509ce:x509af] > > Ethernet II, Src: 00:0c:29:44:4a:1f (00:0c:29:44:4a:1f), Dst: > > 00:0c:29:2a:62:61 (00:0c:29:2a:62:61) > > Destination: 00:0c:29:2a:62:61 (00:0c:29:2a:62:61) > > Address: 00:0c:29:2a:62:61 (00:0c:29:2a:62:61) > > .... ...0 .... .... .... .... = IG bit: Individual address (unicast) > > .... ..0. .... .... .... .... = LG bit: Globally unique address > (factory default) > > Source: 00:0c:29:44:4a:1f (00:0c:29:44:4a:1f) > > Address: 00:0c:29:44:4a:1f (00:0c:29:44:4a:1f) > > .... ...0 .... .... .... .... = IG bit: Individual address (unicast) > > .... ..0. .... .... .... .... = LG bit: Globally unique address > (factory default) > > Type: IP (0x0800) > > Internet Protocol, Src: 192.168.115.5 (192.168.115.5), Dst: > > 192.168.115.105 (192.168.115.105) > > Version: 4 > > Header length: 20 bytes > > Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00) > > 0000 00.. = Differentiated Services Codepoint: Default (0x00) > > .... ..0. = ECN-Capable Transport (ECT): 0 > > .... ...0 = ECN-CE: 0 > > Total Length: 792 > > Identification: 0xe0b9 (57529) > > Flags: 0x04 (Don't Fragment) > > 0... = Reserved bit: Not set > > .1.. = Don't fragment: Set > > ..0. = More fragments: Not set > > Fragment offset: 0 > > Time to live: 128 > > Protocol: TCP (0x06) > > Header checksum: 0xaf66 [correct] > > [Good: True] > > [Bad : False] > > Source: 192.168.115.5 (192.168.115.5) > > Destination: 192.168.115.105 (192.168.115.105) Transmission Control > Protocol, Src Port: 445 (445), Dst Port: 1103 (1103), Seq: 1489, Ack: 4056, > Len: 752 > > Source port: 445 (445) > > Destination port: 1103 (1103) > > [Stream index: 53] > > Sequence number: 1489 (relative sequence number) > > [Next sequence number: 2241 (relative sequence number)] > > Acknowledgement number: 4056 (relative ack number) > > Header length: 20 bytes > > Flags: 0x18 (PSH, ACK) > > 0... .... = Congestion Window Reduced (CWR): Not set > > .0.. .... = ECN-Echo: Not set > > ..0. .... = Urgent: Not set > > ...1 .... = Acknowledgement: Set > > .... 1... = Push: Set > > .... .0.. = Reset: Not set > > .... ..0. = Syn: Not set > > .... ...0 = Fin: Not set > > Window size: 63154 > > Checksum: 0x73a6 [validation disabled] > > [Good Checksum: False] > > [Bad Checksum: False] > > [SEQ/ACK analysis] > > [This is an ACK to the segment in frame: 2419] > > [The RTT to ACK the segment was: 0.091102000 seconds] > > [Number of bytes in flight: 752] > > [Timestamps] > > [Time since first frame in this TCP stream: 104.826266000 seconds] > > [Time since previous frame in this TCP stream: 0.091102000 seconds] > NetBIOS Session Service > > Message Type: Session message > > Length: 748 > > SMB (Server Message Block Protocol) > > SMB Header > > Server Component: SMB > > [Response to: 2419] > > [Time from request: 0.091102000 seconds] > > SMB Command: Read AndX (0x2e) > > NT Status: STATUS_SUCCESS (0x00000000) > > Flags: 0x98 > > 1... .... = Request/Response: Message is a response to the > client/redirector > > .0.. .... = Notify: Notify client only on open > > ..0. .... = Oplocks: OpLock not requested/granted > > ...1 .... = Canonicalized Pathnames: Pathnames are canonicalized > > .... 1... = Case Sensitivity: Path names are caseless > > .... ..0. = Receive Buffer Posted: Receive buffer has not been > posted > > .... ...0 = Lock and Read: Lock&Read, Write&Unlock are not > supported > > Flags2: 0xc807 > > 1... .... .... .... = Unicode Strings: Strings are Unicode > > .1.. .... .... .... = Error Code Type: Error codes are NT error > codes > > ..0. .... .... .... = Execute-only Reads: Don't permit reads if > execute-only > > ...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs > > .... 1... .... .... = Extended Security Negotiation: > > Extended security negotiation is supported > > .... .... .0.. .... = Long Names Used: Path names in request are > not long file names > > .... .... .... .1.. = Security Signatures: Security signatures > are supported > > .... .... .... ..1. = Extended Attributes: Extended attributes > are supported > > .... .... .... ...1 = Long Names Allowed: Long file names are > allowed in the response > > Process ID High: 0 > > Signature: 0000000000000000 > > Reserved: 0000 > > Tree ID: 8194 (\\WIN2003.VNET3.TRIDGELL.NET\IPC$) > > [Path: \\WIN2003.VNET3.TRIDGELL.NET\IPC$] > > [Mapped in: 854] > > Process ID: 65279 > > User ID: 14336 > > Multiplex ID: 704 > > Read AndX Response (0x2e) > > [FID: 0x8005 (\lsarpc)] > > [Opened in: 2404] > > [File Name: \lsarpc] > > Create Flags: 0x00000016 > > .... .... .... .... .... .... ...1 .... = Extended > > Response: Extended responses required > > .... .... .... .... .... .... .... 0... = Create > > Directory: Target of open can be a file > > .... .... .... .... .... .... .... .1.. = Batch > > Oplock: Requesting BATCH OPLOCK > > .... .... .... .... .... .... .... ..1. = Exclusive > > Oplock: Requesting OPLOCK > > Access Mask: 0x0002019f > > 0... .... .... .... .... .... .... .... = Generic > > Read: Generic read is NOT set > > .0.. .... .... .... .... .... .... .... = Generic > > Write: Generic write is NOT set > > ..0. .... .... .... .... .... .... .... = Generic > > Execute: Generic execute is NOT set > > ...0 .... .... .... .... .... .... .... = Generic All: > > Generic all is NOT set > > .... ..0. .... .... .... .... .... .... = Maximum > > Allowed: Maximum allowed is NOT set > > .... ...0 .... .... .... .... .... .... = System > > Security: System security is NOT set > > .... .... ...0 .... .... .... .... .... = Synchronize: > > Can NOT wait on handle to synchronize on completion of I/O > > .... .... .... 0... .... .... .... .... = Write Owner: > > Can NOT write owner (take ownership) > > .... .... .... .0.. .... .... .... .... = Write DAC: > > Owner may NOT write to the DAC > > .... .... .... ..1. .... .... .... .... = Read > > Control: READ ACCESS to owner, group and ACL of the SID > > .... .... .... ...0 .... .... .... .... = Delete: NO delete > access > > .... .... .... .... .... ...1 .... .... = Write > > Attributes: WRITE ATTRIBUTES access > > .... .... .... .... .... .... 1... .... = Read > > Attributes: READ ATTRIBUTES access > > .... .... .... .... .... .... .0.. .... = Delete > > Child: NO delete child access > > .... .... .... .... .... .... ..0. .... = Execute: NO > execute access > > .... .... .... .... .... .... ...1 .... = Write EA: > > WRITE EXTENDED ATTRIBUTES access > > .... .... .... .... .... .... .... 1... = Read EA: > > READ EXTENDED ATTRIBUTES access > > .... .... .... .... .... .... .... .1.. = Append: APPEND > access > > .... .... .... .... .... .... .... ..1. = Write: WRITE > access > > .... .... .... .... .... .... .... ...1 = Read: READ access > > File Attributes: 0x00000000 > > .... .... .... .... .0.. .... .... .... = Encrypted: > > This is NOT an encrypted file > > .... .... .... .... ..0. .... .... .... = Content > > Indexed: This file MAY be indexed by the content indexing service > > .... .... .... .... ...0 .... .... .... = Offline: > > This file is NOT offline > > .... .... .... .... .... 0... .... .... = Compressed: > > This is NOT a compressed file > > .... .... .... .... .... .0.. .... .... = Reparse > > Point: This file does NOT have an associated reparse point > > .... .... .... .... .... ..0. .... .... = Sparse: This is > NOT a sparse file > > .... .... .... .... .... ...0 .... .... = Temporary: > > This is NOT a temporary file > > .... .... .... .... .... .... 0... .... = Normal: This file > has some attribute set > > .... .... .... .... .... .... .0.. .... = Device: This is > NOT a device > > .... .... .... .... .... .... ..0. .... = Archive: > > This file has NOT been modified since last archive > > .... .... .... .... .... .... ...0 .... = Directory: > > This is NOT a directory > > .... .... .... .... .... .... .... 0... = Volume ID: > > This is NOT a volume ID > > .... .... .... .... .... .... .... .0.. = System: This is > NOT a system file > > .... .... .... .... .... .... .... ..0. = Hidden: This is > NOT a hidden file > > .... .... .... .... .... .... .... ...0 = Read Only: > > This file is NOT read only > > Share Access: 0x00000003 SHARE_WRITE SHARE_READ > > .... .... .... .... .... .... .... .0.. = Delete: > > Object can NOT be shared for delete > > .... .... .... .... .... .... .... ..1. = Write: > > Object can be shared for WRITE > > .... .... .... .... .... .... .... ...1 = Read: Object can > be shared for READ > > Create Options: 0x00000040 > > .... .... .... .... .... .... .... ...0 = Directory: > > File being created/opened must not be a directory > > .... .... .... .... .... .... .... ..0. = Write > > Through: Writes need not flush buffered data before completing > > .... .... .... .... .... .... .... .0.. = Sequential > > Only: The file might not only be accessed sequentially > > .... .... .... .... .... .... .... 0... = Intermediate > > Buffering: Intermediate buffering is allowed > > .... .... .... .... .... .... ...0 .... = Sync I/O > > Alert: Operations NOT necessarily synchronous > > .... .... .... .... .... .... ..0. .... = Sync I/O > > Nonalert: Operations NOT necessarily synchronous > > .... .... .... .... .... .... .1.. .... = > > Non-Directory: File being created/opened must not be a directory > > .... .... .... .... .... .... 0... .... = Create Tree > > Connection: Create Tree Connections is NOT set > > .... .... .... .... .... ...0 .... .... = Complete If > > Oplocked: Complete if oplocked is NOT set > > .... .... .... .... .... ..0. .... .... = No EA > > Knowledge: The client understands extended attributes > > .... .... .... .... .... .0.. .... .... = 8.3 Only: > > The client understands long file names > > .... .... .... .... .... 0... .... .... = Random > > Access: The file will not be accessed randomly > > .... .... .... .... ...0 .... .... .... = Delete On > > Close: The file should not be deleted when it is closed > > .... .... .... .... ..0. .... .... .... = Open By > > FileID: OpenByFileID is NOT set > > .... .... .... .... .0.. .... .... .... = Backup > > Intent: This is a normal create > > .... .... .... .... 0... .... .... .... = No > > Compression: Compression is allowed for Open/Create > > .... .... ...0 .... .... .... .... .... = Reserve > > Opfilter: Reserve Opfilter is NOT set > > .... .... ..0. .... .... .... .... .... = Open Reparse > > Point: Normal open > > .... .... .0.. .... .... .... .... .... = Open No > > Recall: Open no recall is NOT set > > .... .... 0... .... .... .... .... .... = Open For Free > Space query: This is NOT an open for free space query > > [Disposition: Open (if file exists open it, else fail) (1)] > > Word Count (WCT): 12 > > AndXCommand: No further commands (0xff) > > Reserved: 00 > > AndXOffset: 0 > > [File Offset: 0] > > [File RW Length: 1024] > > Remaining: 0 > > Data Compaction Mode: 0 > > Reserved: 0000 > > Data Length Low: 688 > > Data Offset: 60 > > Data Length High (multiply with 64K): 0 > > Reserved: 000000000000 > > Byte Count (BCC): 689 > > Padding: 00 > > DCE RPC Response, Fragment: Single, FragLen: 688, Call: 3 Ctx: 0, [Req: > #2417] > > Version: 5 > > Version (minor): 0 > > Packet type: Response (2) > > Packet Flags: 0x03 > > 0... .... = Object: Not set > > .0.. .... = Maybe: Not set > > ..0. .... = Did Not Execute: Not set > > ...0 .... = Multiplex: Not set > > .... 0... = Reserved: Not set > > .... .0.. = Cancel Pending: Not set > > .... ..1. = Last Frag: Set > > .... ...1 = First Frag: Set > > Data Representation: 10000000 > > Byte order: Little-endian (1) > > Character: ASCII (0) > > Floating-point: IEEE (0) > > Frag Length: 688 > > Auth Length: 0 > > Call ID: 3 > > Alloc hint: 664 > > Context ID: 0 > > Cancel count: 0 > > Opnum: 53 > > [Request in frame: 2417] > > [Time from request: 0.094193000 seconds] Local Security Authority, > lsa_QueryDomainInformationPolicy > > Operation: lsa_QueryDomainInformationPolicy (53) > > [Request in frame: 2417] > > Pointer to Info (lsa_DomainInformationPolicy) > > Referent ID: 0x00020000 > > lsa_DomainInformationPolicy > > Info > > Efs Info > > Blob Size: 639 > > Pointer to Efs Blob (uint8) > > Referent ID: 0x00020004 > > EFS blob size: 639 > > GPEF > > Key Count: 1 > > EfsKey > > Length1: 631 > > Length2: 627 > > SID Offset: 28 > > Cert Length: 571 > > Cert Offset: 56 > > sid: S-1-5-21-53173311-3623041448-2049097239-500 > > Revision: 1 > > Num Auth: 5 > > Authority: 5 > > Sub-authorities: > > 21-53173311-3623041448-2049097239 > > RID: 500 (Administrator) > > Certificate () > > signedCertificate > > version: v3 (2) > > serialNumber : > > 0xba9dd46d546a2e9c4a9f658021c734bf > > signature (sha-1WithRSAEncryption) > > Algorithm Id: 1.3.14.3.2.29 > > (sha-1WithRSAEncryption) > > issuer: rdnSequence (0) > > rdnSequence: 3 items () > > Item: 1 item () > > Item > > Id: 2.5.4.3 > > (id-at-commonName) > > DirectoryString: > > printableString (1) > > > > printableString: administrator > > Item: 1 item () > > Item > > Id: 2.5.4.7 > > (id-at-localityName) > > DirectoryString: > > printableString (1) > > printableString: EFS > > Item: 1 item () > > Item > > Id: 2.5.4.11 > > (id-at-organizationalUnitName) > > DirectoryString: > > printableString (1) > > > > printableString: EFS File Encryption Certificate > > validity > > notBefore: utcTime (0) > > utcTime: 04-04-08 07:27:01 (UTC) > > notAfter: utcTime (0) > > utcTime: 07-04-08 07:27:01 (UTC) > > subject: rdnSequence (0) > > rdnSequence: 3 items () > > Item: 1 item () > > Item > > Id: 2.5.4.3 > > (id-at-commonName) > > DirectoryString: > > printableString (1) > > > > printableString: administrator > > Item: 1 item () > > Item > > Id: 2.5.4.7 > > (id-at-localityName) > > DirectoryString: > > printableString (1) > > printableString: EFS > > Item: 1 item () > > Item > > Id: 2.5.4.11 > > (id-at-organizationalUnitName) > > DirectoryString: > > printableString (1) > > > > printableString: EFS File Encryption Certificate > > subjectPublicKeyInfo > > algorithm (rsaEncryption) > > Algorithm Id: > > 1.2.840.113549.1.1.1 (rsaEncryption) > > Padding: 0 > > subjectPublicKey: > > 30818902818100BED9195BC7D21DCD13CEECEE24697B6A09... > > extensions: 1 item > > Item (id-ce-extKeyUsage) > > Extension Id: 2.5.29.37 > > (id-ce-extKeyUsage) > > KeyPurposeIDs: 1 item > > Item: > > 1.3.6.1.4.1.311.10.3.4.1 (id-ms-efs-recovery) > > algorithmIdentifier (sha-1WithRSAEncryption) > > Algorithm Id: 1.3.14.3.2.29 > > (sha-1WithRSAEncryption) > > Padding: 0 > > encrypted: > > A7E6C169E205D3EEF730D9AE1A86379A8AF9BD9CD4FE70C1... > > NT Error: STATUS_SUCCESS (0x00000000) > > > > 0000 00 0c 29 2a 62 61 00 0c 29 44 4a 1f 08 00 45 00 ..)*ba..)DJ...E. > > 0010 03 18 e0 b9 40 00 80 06 af 66 c0 a8 73 05 c0 a8 [EMAIL PROTECTED] > > 0020 73 69 01 bd 04 4f cf b4 72 73 37 8f 5e 36 50 18 si...O..rs7.^6P. > > 0030 f6 b2 73 a6 00 00 00 00 02 ec ff 53 4d 42 2e 00 ..s........SMB.. > > 0040 00 00 00 98 07 c8 00 00 00 00 00 00 00 00 00 00 ................ > > 0050 00 00 02 20 ff fe 00 38 c0 02 0c ff 00 00 00 00 ... ...8........ > > 0060 00 00 00 00 00 b0 02 3c 00 00 00 00 00 00 00 00 .......<........ > > 0070 00 00 00 b1 02 00 05 00 02 03 10 00 00 00 b0 02 ................ > > 0080 00 00 03 00 00 00 98 02 00 00 00 00 00 00 00 00 ................ > > 0090 02 00 02 00 00 00 7f 02 00 00 04 00 02 00 7f 02 ................ > > 00a0 00 00 01 00 01 00 01 00 00 00 77 02 00 00 73 02 ..........w...s. > > 00b0 00 00 1c 00 00 00 02 00 00 00 3b 02 00 00 38 00 ..........;...8. > > 00c0 00 00 20 00 00 00 01 00 00 00 01 05 00 00 00 00 .. ............. > > 00d0 00 05 15 00 00 00 3f 5c 2b 03 a8 39 f3 d7 17 be ......?\+..9.... > > 00e0 22 7a f4 01 00 00 30 82 02 37 30 82 01 a4 a0 03 "z....0..70..... > > 00f0 02 01 02 02 10 ba 9d d4 6d 54 6a 2e 9c 4a 9f 65 ........mTj..J.e > > 0100 80 21 c7 34 bf 30 09 06 05 2b 0e 03 02 1d 05 00 .!.4.0...+...... > > 0110 30 50 31 16 30 14 06 03 55 04 03 13 0d 61 64 6d 0P1.0...U....adm > > 0120 69 6e 69 73 74 72 61 74 6f 72 31 0c 30 0a 06 03 inistrator1.0... > > 0130 55 04 07 13 03 45 46 53 31 28 30 26 06 03 55 04 U....EFS1(0&..U. > > 0140 0b 13 1f 45 46 53 20 46 69 6c 65 20 45 6e 63 72 ...EFS File Encr > > 0150 79 70 74 69 6f 6e 20 43 65 72 74 69 66 69 63 61 yption Certifica > > 0160 74 65 30 1e 17 0d 30 34 30 34 30 38 30 37 32 37 te0...0404080727 > > 0170 30 31 5a 17 0d 30 37 30 34 30 38 30 37 32 37 30 01Z..07040807270 > > 0180 31 5a 30 50 31 16 30 14 06 03 55 04 03 13 0d 61 1Z0P1.0...U....a > > 0190 64 6d 69 6e 69 73 74 72 61 74 6f 72 31 0c 30 0a dministrator1.0. > > 01a0 06 03 55 04 07 13 03 45 46 53 31 28 30 26 06 03 ..U....EFS1(0&.. > > 01b0 55 04 0b 13 1f 45 46 53 20 46 69 6c 65 20 45 6e U....EFS File En > > 01c0 63 72 79 70 74 69 6f 6e 20 43 65 72 74 69 66 69 cryption Certifi > > 01d0 63 61 74 65 30 81 9f 30 0d 06 09 2a 86 48 86 f7 cate0..0...*.H.. > > 01e0 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 81 ..........0..... > > 01f0 00 be d9 19 5b c7 d2 1d cd 13 ce ec ee 24 69 7b ....[........$i{ > > 0200 6a 09 c8 64 06 cd 90 0f a2 8f 8f 09 44 c5 0c e7 j..d........D... > > 0210 dd df 7d 25 96 85 41 05 19 14 35 0c ec 73 11 5a ..}%..A...5..s.Z > > 0220 3e e9 8c 7b d1 fa 7d dc 81 79 39 41 d7 be 0a aa >..{..}..y9A.... > > 0230 d7 74 5b 5f 9b a1 13 76 af a6 9f 93 6b df c3 1b .t[_...v....k... > > 0240 ee fe 3b c8 93 33 6f 30 5b cf 67 e6 b1 d8 41 de ..;..3o0[.g...A. > > 0250 3e 4f 7b 4e fc 0a 9c e1 a5 b2 fc b1 db 0b 67 13 >O{N..........g. > > 0260 0f 5d 6d b0 0c 6d 68 29 23 70 cc 45 df 13 2d c3 .]m..mh)#p.E..-. > > 0270 8d 02 03 01 00 01 a3 1a 30 18 30 16 06 03 55 1d ........0.0...U. > > 0280 25 04 0f 30 0d 06 0b 2b 06 01 04 01 82 37 0a 03 %..0...+.....7.. > > 0290 04 01 30 09 06 05 2b 0e 03 02 1d 05 00 03 81 81 ..0...+......... > > 02a0 00 a7 e6 c1 69 e2 05 d3 ee f7 30 d9 ae 1a 86 37 ....i.....0....7 > > 02b0 9a 8a f9 bd 9c d4 fe 70 c1 fe 06 65 b9 9a 3d a7 .......p...e..=. > > 02c0 b8 a6 cf 58 60 fc f5 34 8e 59 70 e4 aa 7e 4e 63 ...X`..4.Yp..~Nc > > 02d0 6c 22 77 a6 df 89 bc 98 7c a2 7b 0d 14 7c 95 77 l"w.....|.{..|.w > > 02e0 fb 1a e8 71 6b a9 f2 93 fc e1 8f ed 7d 40 c2 cf [EMAIL PROTECTED] > > 02f0 b4 9a 32 ea 14 cd e1 43 f1 21 3d 4b 0c 97 47 e3 ..2....C.!=K..G. > > 0300 8e 1c 85 8d f5 82 ee 1c 86 bb 55 07 85 51 42 f6 ..........U..QB. > > 0310 a6 e6 45 54 c5 4a e7 82 cd b5 6a 4a cf c3 65 f5 ..ET.J....jJ..e. > > 0320 4d 83 00 00 00 00 M..... > > > > > > On Sat, Oct 4, 2008 at 3:29 AM, Edgar Olougouna <[EMAIL PROTECTED]> > wrote: > >> ******* The following is an email for a support case from Microsoft Corp. > >> ******* DO NOT REPLY TO THIS MESSAGE--your email will not be added to > >> ******* the case if you do. Instead, FORWARD your response to the > >> ******* email address [EMAIL PROTECTED] and place your text after > >> ******* the keyword 'MESSAGE:'. Also, delete all other text above > >> ******* and below the keywords 'CASE_ID_NUM: SRnnn' and 'MESSAGE:' > >> ******* to ensure proper delivery of your email. Thank you. > >> > >> CASE_ID_NUM: SRX081002601173 > >> MESSAGE: > >> ********************** The message for you follows > >> ************************ Hi Ronnie, > >> > >> I will be working with you to solve this case. > >> > >> In the [MS-GPEF] 2.2.1.2.2 EfsKey packet, you mentioned you are seeing a 4 >> byte integer with the value 0x00000001 between the Reserved2 field and the >> first byte of the SID. > >> Could you send us the trace? > >> > >> Best regards, > >> > >> Edgar A. Olougouna > >> Sr. SEE, Microsoft DSC Protocol Team | Email: [EMAIL PROTECTED] | > >> Tel: +1.469.775.7189 x 57189 > >> > >> _______________________________________________ cifs-protocol mailing list [email protected] https://lists.samba.org/mailman/listinfo/cifs-protocol
