2.2.4.64.1 Request

Article
10/01/2020

 SMB_Parameters
   {
   UCHAR WordCount;
   Words
     {
     UCHAR     AndXCommand;
     UCHAR     AndXReserved;
     USHORT    AndXOffset;
     UCHAR     Reserved;
     USHORT    NameLength;
     ULONG     Flags;
     ULONG     RootDirectoryFID;
     ULONG     DesiredAccess;
     LARGE_INTEGER AllocationSize;
     SMB_EXT_FILE_ATTR ExtFileAttributes;
     ULONG     ShareAccess;
     ULONG     CreateDisposition;
     ULONG     CreateOptions;
     ULONG     ImpersonationLevel;
     UCHAR  SecurityFlags;
     }
   }
 SMB_Data
   {
   USHORT ByteCount;
   Bytes
     {
     SMB_STRING FileName;
     }
   }

0	1	2	3	4	5	6	7	8	9	1 0	1	2	3	4	5	6	7	8	9	2 0	1	2	3	4	5	6	7	8	9	3 0	1
SMB_Parameters (49 bytes)
...
...
...

SMB_Parameters (49 bytes):

0	1	2	3	4	5	6	7	8	9	1 0	1	2	3	4	5	6	7	8	9	2 0	1	2	3	4	5	6	7	8	9	3 0	1
WordCount								Words (48 bytes)
...
...
...								SMB_Data (variable)
...

WordCount (1 byte): This field MUST be 0x18.

Words (48 bytes):

0	8	6	4
AndXCommand	AndXReserved	AndXOffset
Reserved	NameLength		Flags
...			RootDirectoryFID
...			DesiredAccess
...			AllocationSize
...
...			ExtFileAttributes
...			ShareAccess
...			CreateDisposition
...			CreateOptions
...			ImpersonationLevel
...			SecurityFlags

AndXCommand (1 byte): The command code for the next SMB command in the packet. This value MUST be set to 0xFF if there are no additional SMB commands in the client request packet.

AndXReserved (1 byte): A reserved field. This MUST be set to 0x00 when this request is sent, and the server MUST ignore this value when the message is received.

AndXOffset (2 bytes): This field MUST be set to the offset in bytes from the start of the SMB Header (section 2.2.3.1) to the start of the WordCount field in the next SMB command in this packet. This field is valid only if the AndXCommand field is not set to 0xFF. If AndXCommand is 0xFF, this field MUST be ignored by the server.

Reserved (1 byte): An unused value that SHOULD be set to 0x00 when sent and MUST be ignored on receipt.

NameLength (2 bytes): This field MUST be the length of the FileName field (see following) in bytes.

Flags (4 bytes): A 32-bit field containing a set of flags that modify the client request. Unused bit fields SHOULD be set to 0 when sent and MUST be ignored on receipt.

Name and bitmask	Meaning
NT_CREATE_REQUEST_OPLOCK 0x00000002	If set, the client requests an exclusive OpLock.
NT_CREATE_REQUEST_OPBATCH 0x00000004	If set, the client requests an exclusive batch OpLock.
NT_CREATE_OPEN_TARGET_DIR 0x00000008	If set, the client indicates that the parent directory of the target is to be opened.

Name and bitmask

Meaning

NT_CREATE_REQUEST_OPLOCK

0x00000002

If set, the client requests an exclusive OpLock.

NT_CREATE_REQUEST_OPBATCH

0x00000004

If set, the client requests an exclusive batch OpLock.

NT_CREATE_OPEN_TARGET_DIR

0x00000008

If set, the client indicates that the parent directory of the target is to be opened.

RootDirectoryFID (4 bytes): If nonzero, this value is the File ID of an opened root directory, and the FileName field MUST be handled as relative to the directory specified by this RootDirectoryFID. If this value is 0x00000000, the FileName field MUST be handled as relative to the root of the share (the TID). The RootDirectoryFID MUST have been acquired in a previous message exchange.

DesiredAccess (4 bytes): A 32-bit field of flags that indicate standard, specific, and generic access rights. These rights are used in access-control entries (ACEs) and are the primary means of specifying the requested or granted access to an object. If this value is 0x00000000, it represents a request to query the attributes without accessing the file.

Name and bitmask	Meaning
FILE_READ_DATA 0x00000001	Indicates the right to read data from the file.
FILE_WRITE_DATA 0x00000002	Indicates the right to write data into the file beyond the end of the file.
FILE_APPEND_DATA 0x00000004	Indicates the right to append data to the file beyond the end of the file only.
FILE_READ_EA 0x00000008	Indicates the right to read the extended attributes (EAs) of the file.
FILE_WRITE_EA 0x00000010	Indicates the right to write or change the extended attributes (EAs) of the file.
FILE_EXECUTE 0x00000020	Indicates the right to execute the file.
FILE_READ_ATTRIBUTES 0x00000080	Indicates the right to read the attributes of the file.
FILE_WRITE_ATTRIBUTES 0x00000100	Indicates the right to change the attributes of the file.
DELETE 0x00010000	Indicates the right to delete or to rename the file.
READ_CONTROL 0x00020000	Indicates the right to read the security descriptor of the file.
WRITE_DAC 0x00040000	Indicates the right to change the discretionary access control list (DACL) in the security descriptor of the file.
WRITE_OWNER 0x00080000	Indicates the right to change the owner in the security descriptor of the file.
SYNCHRONIZE 0x00100000	SHOULD NOT be used by the sender and MUST be ignored by the receiver.
ACCESS_SYSTEM_SECURITY 0x01000000	Indicates the right to read or change the system access control list (SACL) in the security descriptor for the file. If the SE_SECURITY_NAME privilege is not set in the access token, the server MUST fail the open request and return STATUS_PRIVILEGE_NOT_HELD.
MAXIMUM_ALLOWED 0x02000000	Indicates that the client requests an open to the file with the highest level of access that the client has on this file. If no access is granted for the client on this file, the server MUST fail the open and return a STATUS_ACCESS_DENIED.
GENERIC_ALL 0x10000000	Indicates a request for all of the access flags that are previously listed except MAXIMUM_ALLOWED and ACCESS_SYSTEM_SECURITY.
GENERIC_EXECUTE 0x20000000	Indicates a request for the following combination of access flags listed previously in this table: FILE_READ_ATTRIBUTES, FILE_EXECUTE, SYNCHRONIZE, and READ_CONTROL.
GENERIC_WRITE 0x40000000	Indicates a request for the following combination of access flags listed previously in this table: FILE_WRITE_DATA, FILE_APPEND_DATA, SYNCHRONIZE, FILE_WRITE_ATTRIBUTES, and FILE_WRITE_EA.
GENERIC_READ 0x80000000	Indicates a request for the following combination of access flags listed previously in this table: FILE_READ_DATA, FILE_READ_ATTRIBUTES, FILE_READ_EA, and SYNCHRONIZE.

AllocationSize (8 bytes): The client MUST set this value to the initial allocation size of the file in bytes. The server MUST ignore this field if this request is to open an existing file. This field MUST be used only if the file is created or overwritten. The value MUST be set to 0x0000000000000000 in all other cases. This does not apply to directory-related requests. This is the number of bytes to be allocated, represented as a 64-bit integer value.

ExtFileAttributes (4 bytes): This field contains the extended file attributes of the file being requested, encoded as an SMB_EXT_FILE_ATTR (section 2.2.1.2.3) data type.

ShareAccess (4 bytes): A 32-bit field that specifies how the file SHOULD be shared with other processes. The names in the table below are provided for reference use only. If ShareAccess values of FILE_SHARE_READ, FILE_SHARE_WRITE, or FILE_SHARE_DELETE are set for a printer file or a named pipe, the server SHOULD ignore these values. The value MUST be FILE_SHARE_NONE or some combination of the other values:

Name and bitmask	Meaning
FILE_SHARE_NONE 0x00000000	(No bits set.)Prevents the file from being shared.
FILE_SHARE_READ 0x00000001	Other open operations can be performed on the file for read access.
FILE_SHARE_WRITE 0x00000002	Other open operations can be performed on the file for write access.
FILE_SHARE_DELETE 0x00000004	Other open operations can be performed on the file for delete access.

CreateDisposition (4 bytes): A 32-bit value that represents the action to take if the file already exists or if the file is a new file and does not already exist.<119>

Name and value	Meaning
FILE_SUPERSEDE 0x00000000	(No bits set.)If the file already exists, it SHOULD be superseded (overwritten). If it does not already exist, then it SHOULD be created.
FILE_OPEN 0x00000001	If the file already exists, it SHOULD be opened rather than created. If the file does not already exist, the operation MUST fail.
FILE_CREATE 0x00000002	If the file already exists, the operation MUST fail. If the file does not already exist, it SHOULD be created.
FILE_OPEN_IF 0x00000003	If the file already exists, it SHOULD be opened. If the file does not already exist, then it SHOULD be created. This value is equivalent to (FILE_OPEN \| FILE_CREATE).
FILE_OVERWRITE 0x00000004	If the file already exists, it SHOULD be opened and truncated. If the file does not already exist, the operation MUST fail.
FILE_OVERWRITE_IF 0x00000005	If the file already exists, it SHOULD be opened and truncated. If the file does not already exist, it SHOULD be created.

CreateOptions (4 bytes): A 32-bit field containing flag options to use if creating the file or directory. This field MUST be set to 0x00000000 or a combination of the following possible values. Unused bit fields SHOULD be set to 0 when sent and MUST be ignored on receipt. The following is a list of the valid values and their associated behaviors. Server implementations SHOULD reserve all bits not specified in the following definitions.

Name and bitmask	Meaning
FILE_DIRECTORY_FILE 0x00000001	The file being created or opened is a directory file. With this option, the CreateDisposition field MUST be set to FILE_CREATE, FILE_OPEN, or FILE_OPEN_IF. When this bit field is set, other compatible CreateOptions include only the following: FILE_WRITE_THROUGH, FILE_OPEN_FOR_BACKUP_INTENT, and FILE_OPEN_BY_FILE_ID.
FILE_WRITE_THROUGH 0x00000002	Applications that write data to the file MUST actually transfer the data into the file before any write request is considered complete. If FILE_NO_INTERMEDIATE_BUFFERING is set, the server MUST perform as if FILE_WRITE_THROUGH is set in the create request.
FILE_SEQUENTIAL_ONLY 0x00000004	This option indicates that access to the file can be sequential. The server can use this information to influence its caching and read-ahead strategy for this file. The file MAY in fact be accessed randomly, but the server can optimize its caching and read-ahead policy for sequential access.
FILE_NO_INTERMEDIATE_BUFFERING 0x00000008	The file SHOULD NOT be cached or buffered in an internal buffer by the server. This option is incompatible when the FILE_APPEND_DATA bit field is set in the DesiredAccess field.
FILE_SYNCHRONOUS_IO_ALERT 0x00000010	This flag MUST be ignored by the server, and clients SHOULD set this to 0.
FILE_SYNCHRONOUS_IO_NONALERT 0x00000020	This flag MUST be ignored by the server, and clients SHOULD set this to 0.
FILE_NON_DIRECTORY_FILE 0x00000040	If the file being opened is a directory, the server MUST fail the request with STATUS_FILE_IS_A_DIRECTORY in the Status field of the SMB Header in the server response.
FILE_CREATE_TREE_CONNECTION 0x00000080	This option SHOULD NOT be sent by the clients, and this option MUST be ignored by the server.
FILE_COMPLETE_IF_OPLOCKED 0x00000100	This option SHOULD NOT be sent by the clients, and this option MUST be ignored by the server.
FILE_NO_EA_KNOWLEDGE 0x00000200	The application that initiated the client's request does not support extended attributes (EAs). If the EAs on an existing file being opened indicate that the caller SHOULD support EAs to correctly interpret the file, the server SHOULD fail this request with STATUS_ACCESS_DENIED (ERRDOS/ERRnoaccess) in the Status field of the SMB Header in the server response.
FILE_OPEN_FOR_RECOVERY 0x00000400	This option SHOULD NOT be sent by the clients, and this option MUST be ignored if received by the server.
FILE_RANDOM_ACCESS 0x00000800	Indicates that access to the file can be random. The server MAY use this information to influence its caching and read-ahead strategy for this file. This is a hint to the server that sequential read-ahead operations might not be appropriate on the file.
FILE_DELETE_ON_CLOSE 0x00001000	The file SHOULD be automatically deleted when the last open request on this file is closed. When this option is set, the DesiredAccess field MUST include the DELETE flag. This option is often used for temporary files.
FILE_OPEN_BY_FILE_ID 0x00002000	Opens a file based on the FID. If this option is set, the server MUST fail the request with STATUS_NOT_SUPPORTED in the Status field of the SMB Header in the server response.
FILE_OPEN_FOR_BACKUP_INTENT 0x00004000	The file is being opened or created for the purposes of either a backup or a restore operation. Thus, the server can make appropriate checks to ensure that the caller is capable of overriding whatever security checks have been placed on the file to allow a backup or restore operation to occur. The server can check for certain access rights to the file before checking the DesiredAccess field.
FILE_NO_COMPRESSION 0x00008000	When a new file is created, the file MUST NOT be compressed, even if it is on a compressed volume. The flag MUST be ignored when opening an existing file.
FILE_RESERVE_OPFILTER 0x00100000	This option SHOULD NOT be sent by the clients, and this option MUST be ignored if received by the server.
FILE_OPEN_NO_RECALL 0x00400000	In a hierarchical storage management environment, this option requests that the file SHOULD NOT be recalled from tertiary storage such as tape. A file recall can take up to several minutes in a hierarchical storage management environment. The clients can specify this option to avoid such delays.
FILE_OPEN_FOR_FREE_SPACE_QUERY 0x00800000	This option SHOULD NOT be sent by the clients, and this option MUST be ignored if received by the server.

ImpersonationLevel (4 bytes): This field specifies the impersonation level requested by the application that is issuing the create request, and MUST contain one of the following values.

Impersonation is described in [MS-WPO] section 8.5.1; for more information about impersonation, see [MSDN-IMPERS].

Name and value	Meaning
SEC_ANONYMOUS 0x00000000	The application-requested impersonation level is Anonymous.
SEC_IDENTIFY 0x00000001	The application-requested impersonation level is Identification.
SEC_IMPERSONATE 0x00000002	The application-requested impersonation level is Impersonation.

Name and value

Meaning

SEC_ANONYMOUS

0x00000000

The application-requested impersonation level is Anonymous.

SEC_IDENTIFY

0x00000001

The application-requested impersonation level is Identification.

SEC_IMPERSONATE

0x00000002

The application-requested impersonation level is Impersonation.

SecurityFlags (1 byte): An 8-bit field containing a set of options that specify the security tracking mode. These options specify whether the server is to be given a snapshot of the client's security context (called static tracking) or is to be continually updated to track changes to the client's security context (called dynamic tracking). When bit 0 of the SecurityFlags field is clear, static tracking is requested. When bit 0 of the SecurityFlags field is set, dynamic tracking is requested. Unused bit fields SHOULD be set to 0 when sent and MUST be ignored on receipt. This field MUST be set to 0x00 or a combination of the following possible values. Value names are provided for convenience only. Supported values are:

Name and value	Meaning
SMB_SECURITY_CONTEXT_TRACKING 0x01	When set, dynamic tracking is requested. When this bit field is not set, static tracking is requested.
SMB_SECURITY_EFFECTIVE_ONLY 0x02	Specifies that only the enabled aspects of the client's security context are available to the server. If this flag is not specified, all aspects of the client's security context are available. This flag allows the client to limit the groups and privileges that a server can use while impersonating the client.

Name and value

Meaning

SMB_SECURITY_CONTEXT_TRACKING

0x01

When set, dynamic tracking is requested. When this bit field is not set, static tracking is requested.

SMB_SECURITY_EFFECTIVE_ONLY

0x02

Specifies that only the enabled aspects of the client's security context are available to the server. If this flag is not specified, all aspects of the client's security context are available. This flag allows the client to limit the groups and privileges that a server can use while impersonating the client.

SMB_Data (variable):

0	1	2	3	4	5	6	7	8	9	1 0	1	2	3	4	5	6	7	8	9	2 0	1	2	3	4	5	6	7	8	9	3 0	1
ByteCount																Bytes (variable)
...

ByteCount (2 bytes): The length in bytes of the remaining SMB_Data. If SMB_FLAGS2_UNICODE is set in the Flags2 field of the SMB Header of the request, this field has a minimum value of 0x0003. If SMB_FLAGS2_UNICODE is not set, this field has a minimum value of 0x0002. This field MUST be the total length of the Name field, plus any padding added for alignment.

Bytes (variable):

0	1	2	3	4	5	6	7	8	9	1 0	1	2	3	4	5	6	7	8	9	2 0	1	2	3	4	5	6	7	8	9	3 0	1
FileName (variable)
...

FileName (variable): A string that represents the fully qualified name of the file relative to the supplied TID to create or truncate on the server. If SMB_FLAGS2_UNICODE is set in the Flags2 field of the SMB Header of the request, the FileName string MUST be a null-terminated array of 16-bit Unicode characters. Otherwise, the FileName string MUST be a null-terminated array of extended ASCII (OEM) characters. If the FileName string consists of Unicode characters, this field MUST be aligned to start on a 2-byte boundary from the start of the SMB Header. When opening a named pipe, the FileName field MUST contain only the relative name of the pipe, that is, the "\PIPE\" prefix MUST NOT be present. This is in contrast with other commands, such as SMB_COM_OPEN_ANDX and TRANS2_OPEN2, which require that the "\PIPE" prefix be present in the pathname.

2.2.4.64.1 Request

Additional resources