[MS-DRSR] DRS_EXTENSIONS_INT returned by the server contains the Pid of the server process

Clément Notin 6 Reputation points
2022-04-05T09:39:00.853+00:00

Hello,

The documentation for DRS_EXTENSIONS_INT https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/3ee529b1-23db-4996-948a-042f04998e91 says that:

Pid (4 bytes): A 32-bit, signed integer value that specifies the process identifier of the client. This is for informational and debugging purposes only. The assignment of this field is implementation-specific.<42>

And <42> says that:

<42> Section 5.39: This field contains the process ID of the client.

Actually what I have observed is that when this structure is used in the server response for IDL_DRSBind (https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f7a71596-3ec0-4772-8aa1-eac73780b28f), then it contains the process ID of the server. I confirmed it by checking that the value was the LSASS PID in the domain controller, not the one on my client workstation.

It's more a remark than a question.


1 answer

  1. Obaid Farooqi MSFT 591 Reputation points Microsoft Employee
    2022-04-20T02:50:52.94+00:00

    Hi @Clément Notin
    Your observation is correct. In the IDL_DRSBind response, the server copies the local server properties/capabilities, and the pid that it copies is its own. This is actually mentioned in the document implicitly in section “4.1.3.2 Server Behavior of the IDL_DRSBind Method”, as follows:

    “The server sets ppextServer to a DRS_EXTENSIONS_INT structure whose dwReplEpoch and ConfigObjGUID fields are initialized as described in the previous section (Client Behavior When Sending the IDL_DRSBind Request (section 4.1.3.1)), and whose other fields describe the server.”

    I have filed a bug against the MS-DRSR document to correct the definition of Pid in section “5.39 DRS_EXTENSIONS_INT”.

    Regards,
    Obaid Farooqi - MSFT

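The following is an added example, not part of the thread and not Microsoft's code: a small decoder for the DRS_EXTENSIONS_INT blob returned in ppextServer, so the Pid field discussed above can be read from a captured IDL_DRSBind response and compared with the local process ID. The field order and sizes are assumed from MS-DRSR section 5.39 (they are not quoted in this thread), and the sample bytes, including the Pid value 684, are constructed.

```python
import struct
import uuid

# Field order after the 4-byte cb length (assumed from MS-DRSR 5.39, little-endian).
_FIELDS = [
    ("dwFlags", "<I"), ("SiteObjGuid", "16s"), ("Pid", "<i"),
    ("dwReplEpoch", "<I"), ("dwFlagsExt", "<I"),
    ("ConfigObjGUID", "16s"), ("dwExtCaps", "<I"),
]

def parse_drs_extensions_int(blob: bytes) -> dict:
    """Decode a DRS_EXTENSIONS_INT blob.

    cb counts the bytes that follow it, and peers may send a shorter
    structure, so any field that does not fit inside cb is returned as None.
    """
    if len(blob) < 4:
        raise ValueError("blob shorter than the cb field")
    (cb,) = struct.unpack_from("<I", blob, 0)
    body = blob[4:4 + cb]
    if len(body) < cb:
        raise ValueError(f"cb={cb} but only {len(body)} payload bytes present")
    out, off = {"cb": cb}, 0
    for name, fmt in _FIELDS:
        size = struct.calcsize(fmt)
        if off + size > len(body):
            out[name] = None          # field not sent by this peer
        else:
            (val,) = struct.unpack_from(fmt, body, off)
            out[name] = uuid.UUID(bytes_le=val) if fmt == "16s" else val
        off += size
    return out

# Constructed sample of a server reply: all fields present, Pid = 684 (made up).
SAMPLE_REPLY = struct.pack("<II16siII16sI",
                           52, 0, bytes(16), 684, 0, 0, bytes(16), 0)

if __name__ == "__main__":
    ext = parse_drs_extensions_int(SAMPLE_REPLY)
    # In a server reply this is the server's process ID, as confirmed in the answer.
    print("Pid in server reply:", ext["Pid"])
```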