MS SMB2
MS SMB2
MS SMB2
No Trade Secrets. Microsoft does not claim any trade secret rights in this documentation.
Patents. Microsoft has patents that may cover your implementations of the technologies
described in the Open Specifications. Neither this notice nor Microsoft's delivery of the
documentation grants any licenses under those or any other Microsoft patents. However, a given
Open Specification may be covered by Microsoft's Open Specification Promise (available here:
http://www.microsoft.com/interop/osp) or the Community Promise (available here:
http://www.microsoft.com/interop/cp/default.mspx). If you would prefer a written license, or if
the technologies described in the Open Specifications are not covered by the Open Specifications
Promise or Community Promise, as applicable, patent licenses are available by contacting
[email protected].
Trademarks. The names of companies and products contained in this documentation may be
covered by trademarks or similar intellectual property rights. This notice does not grant any
licenses under those rights.
Fictitious Names. The example companies, organizations, products, domain names, e-mail
addresses, logos, people, places, and events depicted in this documentation are fictitious. No
association with any real company, organization, product, domain name, email address, logo,
person, place, or event is intended or should be inferred.
Reservation of Rights. All other rights are reserved, and this notice does not grant any rights
other than specifically described above, whether by implication, estoppel, or otherwise.
Tools. The Open Specifications do not require the use of Microsoft programming tools or
programming environments in order for you to develop an implementation. If you have access to
Microsoft programming tools and environments you are free to take advantage of them. Certain
Open Specifications are intended for use in conjunction with publicly available standard
specifications and network programming art, and assumes that the reader either is familiar with the
aforementioned material or has immediate access to it.
1 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
2 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
3 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
2 Messages................................................................................................................ 22
2.1 Transport............................................................................................................ 22
2.2 Message Syntax .................................................................................................. 22
2.2.1 SMB2 Packet Header....................................................................................... 23
2.2.1.1 SMB2 Packet Header - ASYNC .................................................................... 23
2.2.1.2 SMB2 Packet Header - SYNC ...................................................................... 27
2.2.2 SMB2 ERROR Response Packet......................................................................... 30
2.2.2.1 Symbolic Link Error Response .................................................................... 31
2.2.2.1.1 Handling the Symbolic Link Error Response ............................................ 33
2.2.3 SMB2 NEGOTIATE Request .............................................................................. 34
2.2.4 SMB2 NEGOTIATE Response ............................................................................ 35
2.2.5 SMB2 SESSION_SETUP Request ....................................................................... 38
2.2.6 SMB2 SESSION_SETUP Response ..................................................................... 40
2.2.7 SMB2 LOGOFF Request ................................................................................... 41
2.2.8 SMB2 LOGOFF Response ................................................................................. 41
2.2.9 SMB2 TREE_CONNECT Request ........................................................................ 41
2.2.10 SMB2 TREE_CONNECT Response .................................................................... 42
2.2.11 SMB2 TREE_DISCONNECT Request ................................................................. 44
2.2.12 SMB2 TREE_DISCONNECT Response ............................................................... 45
2.2.13 SMB2 CREATE Request .................................................................................. 45
2.2.13.1 SMB2 Access Mask Encoding .................................................................... 51
2.2.13.1.1 File_Pipe_Printer_Access_Mask ........................................................... 51
2.2.13.1.2 Directory_Access_Mask ...................................................................... 52
2.2.13.2 SMB2_CREATE_CONTEXT Request Values .................................................. 54
2.2.13.2.1 SMB2_CREATE_EA_BUFFER ................................................................ 55
2.2.13.2.2 SMB2_CREATE_SD_BUFFER ................................................................ 56
2.2.13.2.3 SMB2_CREATE_DURABLE_HANDLE_REQUEST ....................................... 56
2.2.13.2.4 SMB2_CREATE_DURABLE_HANDLE_RECONNECT ................................... 56
2.2.13.2.5 SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQUEST ............................ 57
2.2.13.2.6 SMB2_CREATE_ALLOCATION_SIZE ...................................................... 57
2.2.13.2.7 SMB2_CREATE_TIMEWARP_TOKEN ...................................................... 57
2.2.13.2.8 SMB2_CREATE_REQUEST_LEASE ........................................................ 58
2.2.14 SMB2 CREATE Response ................................................................................ 59
2.2.14.1 SMB2_FILEID ......................................................................................... 62
2.2.14.2 SMB2_CREATE_CONTEXT Response Values ................................................ 62
2.2.14.2.1 SMB2_CREATE_EA_BUFFER ................................................................ 62
2.2.14.2.2 SMB2_CREATE_SD_BUFFER ................................................................ 62
4 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
5 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
6 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
7 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
8 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
9 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
10 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
11 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
1.1 Glossary
@GMT token
discretionary access control list (DACL)
Distributed File System (DFS)
Distributed File System (DFS) link
file system
file system control (FSCTL)
fully qualified domain name (FQDN)(1)
globally unique identifier (GUID)
main stream
named pipe
named stream
NetBIOS
NT file system (NTFS)
print job
reparse point
security context (1)
security descriptor
security identifier (SID)
security principal
snapshot
symbolic link
system access control list (SACL)
Transmission Control Protocol (TCP)
Unicode
Authenticated Context: The runtime state that is associated with the successful authentication
of a security principal between the client and the server, such as the security principal itself,
the cryptographic key that was generated during authentication, and the rights and privileges
of this security principal.
12 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
Content: A file that is accessed by an application. Examples of content include Web pages and
documents stored on either Web Servers or SMB file servers.
Content Information: An opaque blob of data containing a set of hashes for a specific file that
can be used by the application to retrieve the contents of the file using the branch cache. The
details of Content Information are discussed in [MS-PCCRC].
Create Context: A variable-length attribute that is sent with an SMB2 CREATE Request (section
2.2.13) or SMB2 CREATE Response that either gives extra information about how the create
shall be processed, or returns extra information about how the create was processed. See
sections 2.2.13.2 and 2.2.14.2.
Credit: A value that is granted to an SMB 2 Protocol client by an SMB 2 Protocol server that
limits the number of outstanding requests that a client can send to a server.
Durable Open: An open to a file that allows the client to attempt to preserve and reestablish
the open after a network disconnect. It cannot be permissible to a directory, named pipe, or
printer.
I/O Control (IOCTL): A command that is issued to a target file system or target device in order
to query or alter the behavior of the target; or to query or alter the data and attributes that
are associated with the target or the objects that are exposed by the target.
Lease: A lease is a mechanism that is designed to allow clients to dynamically alter their
buffering strategy in a consistent manner in order to increase performance and reduce
network use. The network performance for remote file operations may be increased if a client
can locally buffer file data, which reduces or eliminates the need to send and receive network
packets. For example, a client may not have to write information into a file on a remote server
if the client confirms that no other client is accessing the data. Likewise, the client may buffer
read-ahead data from the remote file if the client confirms that no other client is writing data
to the remote file.
A read-caching lease allows a client to cache reads and can be granted to multiple clients.
A write-caching lease allows a client to cache writes and byte range locks and can only be
granted to a single client.
A handle-caching lease allows a client to cache open handles and can be granted to
multiple clients.
A lease can be a combination of one or more of the lease types listed above. When a client
opens a file, it requests that the server grant it a lease on the file. The response from the
server indicates the lease that is granted to the client. The client uses the granted lease to
adjust its buffering policy.
A lease can span multiple opens as well as multiple connections from the same client.
Lease Break: An unsolicited request that is sent by an SMB 2 Protocol server to an SMB 2
Protocol client to inform the client to change the lease state for a file.
13 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
Open: A runtime object that corresponds to a currently established access to a specific file or
named pipe from a specific client to a specific server, using a specific user security context.
Both clients and servers maintain opens that represent active accesses.
An exclusive oplock allows a client to open a file for exclusive access and allows the client
to perform arbitrary buffering.
A batch oplock allows a client to keep a file open on the server even though the local
accessor on the client machine has closed the file.
A Level II oplock indicates that there are multiple readers of a file and no writers.
When a client opens a file, it requests that the server grant it a particular type of oplock on
the file. The response from the server indicates the type of oplock that is granted to the
client. The client uses the granted oplock type to adjust its buffering policy.
Oplock Break: An unsolicited request that is sent by an SMB 2 Protocol server to an SMB 2
Protocol client to inform the client to change the oplock level for a file.
Sequence Number: A number that uniquely identifies a request and response that is sent on an
SMB 2 Protocol connection. For a description of how sequence numbers are allocated, see
sections 3.2.4.1.6 and 3.3.1.1.
Session: An authenticated context that is established between an SMB 2 Protocol client and
an SMB 2 Protocol server over an SMB 2 Protocol connection for a specific security principal.
There could be multiple active sessions over a single SMB 2 Protocol connection. The
SessionId field in the SMB2 packet header (section 2.2.1) distinguishes the various
sessions.
Share: A local resource that is offered by an SMB 2 Protocol server for access by SMB 2 Protocol
clients over the network. The SMB 2 Protocol defines three types of shares: file (or disk)
shares, which represent a directory tree and its included files; pipe shares, which expose
access to named pipes; and print shares, which provide access to print resources on the
server. A pipe share as defined by the SMB 2 Protocol must always have the name "IPC$". A
pipe share must only allow named pipe operations and DFS referral requests to itself.
14 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
1.2 References
We conduct frequent surveys of the normative references to assure their continued availability. If
you have any issue with finding a normative reference, please contact [email protected]. We
will assist you in finding the relevant information. Please check the archive site,
http://msdn2.microsoft.com/en-us/library/E4BD6494-06AD-4aed-9823-445E921C9624, as an
additional source.
[FIPS180-2] Federal Information Processing Standards Publication, "Secure Hash Standard", FIPS
PUB 180-2, August 2002, http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
[MS-CIFS] Microsoft Corporation, "Common Internet File System (CIFS) Protocol Specification",
September 2009.
[MS-DFSC] Microsoft Corporation, "Distributed File System (DFS): Referral Protocol Specification",
July 2006.
[MS-NLMP] Microsoft Corporation, "NT LAN Manager (NTLM) Authentication Protocol Specification",
July 2006.
[MS-PCCRC] Microsoft Corporation, "Peer Content Caching and Retrieval: Content Identification",
December 2008.
[MS-RPCE] Microsoft Corporation, "Remote Procedure Call Protocol Extensions", July 2006.
[MS-SMB] Microsoft Corporation, "Server Message Block (SMB) Protocol Specification", July 2006.
[MS-SPNG] Microsoft Corporation, "Simple and Protected Generic Security Service Application
Program Interface Negotiation Mechanism (SPNEGO) Protocol Extensions", July 2006.
[MS-SRVS] Microsoft Corporation, "Server Service Remote Protocol Specification", July 2006.
[RFC1002] Network Working Group, "Protocol Standard for a NetBIOS Service on a TCP/UDP
Transport: Detailed Specifications", STD 19, RFC 1002, March 1987,
http://www.ietf.org/rfc/rfc1002.txt
[RFC2104] Krawczyk, H., Bellare, M., and Canetti, R., "HMAC: Keyed-Hashing for Message
Authentication", RFC 2104, February 1997, http://www.ietf.org/rfc/rfc2104.txt
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC
2119, March 1997, http://www.ietf.org/rfc/rfc2119.txt
15 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
[RFC4178] Zhu, L., Leach, P., Jaganathan, K., and Ingersoll, W., "The Simple and Protected Generic
Security Service Application Program Interface (GSS-API) Negotiation Mechanism", RFC 4178,
October 2005, http://www.ietf.org/rfc/rfc4178.txt
[FSBO] Microsoft Corporation, "File System Behavior in the Microsoft Windows Environment", June
2008, http://download.microsoft.com/download/4/3/8/43889780-8d45-4b2e-9d3a-
c696a890309f/File%20System%20Behavior%20Overview.pdf
[MS-PCCRR] Microsoft Corporation, "Peer Content Caching and Retrieval: Retrieval Protocol
Specification", December 2008.
1.3 Overview
The Server Message Block (SMB) Version 2 Protocol is an extension of the original Server Message
Block (SMB) Protocol (as specified in [MS-SMB] and [MS-CIFS]). Both protocols are used by clients
to request file and print services from a server system over the network. Both are stateful protocols
in which clients establish a connection to a server, establish an authenticated context on that
connection, and then issue a variety of requests to access files, printers, and named pipes for
interprocess communication.
The SMB 2 Protocol is a major revision of the existing SMB Protocol, as specified in [MS-SMB]. The
packet formats are completely different from those of the SMB Protocol; however, many of the
underlying concepts are carried over. The underlying transports that are used to initiate and accept
connections are either Direct TCP or NetBIOS over TCP transports as specified in [MS-SMB] section
2.1.
16 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
Like its predecessor, which was the original SMB Protocol (as specified in [MS-SMB]), the SMB 2
Protocol supports the following features:
Establishing one or more authenticated contexts for different security principals on a connection.
Opening, reading, modifying, or closing multiple files or named pipes on the target server.
Using the opportunistic locking of files to allow clients to cache data for better performance.
Passing through IO control code operations to the underlying object store on the server machine.
The SMB 2 Protocol provides several enhancements in addition to the preceding features:
Allowing the server to balance the number of simultaneous operations that a client can have
outstanding at any time.
Providing scalability in terms of the number of shares, users, and simultaneously open files.
Allowing a client to indicate support for multiple SMB 2 dialects in a multi-protocol negotiate
request.
Allowing a client to obtain and preserve client caching state across multiple opens from the same
client.
Allowing a client to retrieve hashes of a file for use in branch cache retrieval, as specified in [MS-
PCCRC].
The Server Message Block (SMB) Version 2 Protocol may be negotiated by using an SMB negotiate,
as specified in [MS-SMB] section 1.7. After a dialect of the SMB 2 Protocol is selected during
negotiation, all messages that are sent on the connection (including the negotiate response) will be
SMB 2 Protocol messages, as specified in this document, and no further SMB traffic will be
exchanged on the connection.
17 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The SMB 2 Protocol uses either TCP or NetBIOS over TCP as underlying transports.
Machines using the SMB 2 Protocol can use the Distributed File System (DFS): Referral Protocol as
specified in [MS-DFSC] to resolve names from a namespace distributed across many servers and
geographies into local names on specific file servers.
DFS clients communicate with DFS servers via referral requests/responses conveyed in SMB2 IOCTL
messages, analogous to a file system client performing control operations on a remote object store
via requests/responses conveyed in SMB2 IOCTL messages. The communication between the SMB2
server and the DFS server (or SMB2 server and object store), for the purpose of performing the
specified IOCTL operations, is local to the server machine, and takes place via implementation-
dependent means.
The Remote Procedure Call Protocol Extensions, as specified in [MS-RPCE], define an RPC over SMB
Protocol or SMB 2 Protocol sequence that can use SMB 2 Protocol named pipes as its underlying
transport. The selection of protocol is based on client behavior during negotiation, as specified in
section 1.7.
Peer Content Caching and Retrieval framework, or Branch Cache, is designed to reduce bandwidth
consumption on branch-office wide area network (WAN) links by having clients request Content
from distributed caches. Content is uniquely identified by Content Information retrieved from the
server through SMB 2 IOCTL messages, as specified in sections 3.2.4.20.7 and 3.3.5.15.7. This
capability is only supported for the SMB 2.1 dialect.
18 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
1.5 Prerequisites/Preconditions
The Server Message Block (SMB) Version 2 Protocol assumes the availability of the following
resources:
Either TCP or NetBIOS over TCP to support reliable, in-order message delivery.
An underlying local resource, such as a file system on the server side, exposing file, named pipe,
or printer objects.
Infrastructure that supports Simple and Protected GSS-API Negotiation (SPNEGO), as specified in
[RFC4178] and [MS-SPNG], on both the client and the server.
The Server Message Block (SMB) Version 2 Protocol<1> is applicable for all scenarios that involve
transferring files between client and server. The SMB 2 Protocol is also applicable for inter-process
communication between client and server using named pipes.
The SMB 2 Protocol may be more applicable than the SMB Protocol in scenarios that require the
following features:
Higher scalability of the number of files that a client may open simultaneously, as well as the
number of shares and user sessions that servers may maintain.
Quality of Service guarantees from the server for the number of requests that can be outstanding
against a server at any specified time.
Stronger end-to-end data integrity protection, using the HMAC-SHA256 hash algorithm. The
HMAC-SHA256 hash is specified in [FIPS180-2] and [RFC2104].
Supported Transports: This protocol can be implemented on top of NetBIOS or TCP, as defined in
section 2.1.
Protocol Versions: This protocol supports several capability bits. These are defined in section
2.2.5.
19 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
Capability Negotiation: Though the semantics and the command set for the SMB 2 Protocol
closely match the SMB Protocol, as specified in [MS-SMB], the wire format for SMB 2 Protocol
packets is different from that of the SMB Protocol. For maintaining interoperability between
clients and servers in a mixed SMB 2/SMB Protocol environment, the SMB 2 Protocol can be
negotiated in one of two ways:
By using an SMB negotiate message (as specified in [MS-SMB] sections 2.2.4.5.1 and
3.2.4.2.2) with one of the new dialect strings: "SMB 2.002" or "SMB 2.???".
If a client uses an SMB negotiate message to indicate to an SMB 2 Protocol–capable server that it
requests to use SMB 2, the server must respond with an SMB2 NEGOTIATE Response as specified in
section 2.2.4.
A client that maintains a runtime cache for each server with which it communicates, including
whether the server is SMB 2 Protocol–capable, would then use an SMB2 NEGOTIATE Request (as
specified in section 2.2.3) in future attempts to connect to any server whose cached entry indicates
support for the SMB 2 Protocol.
Servers capable of only the SMB 2 Protocol would reject communication with traditional SMB
Protocol clients that do not offer "SMB 2.002" or "SMB 2.???" as a negotiate dialect, and accept
communication only from SMB 2 Protocol clients.
There are currently two dialects of the SMB 2 Protocol. Negotiating the SMB 2.1 dialect implies
support for the requests and responses as specified in this document, unless specifically noted
otherwise. Negotiating the SMB 2.002 dialect implies support for the requests and responses as
specified in this document, except those explicitly marked for the SMB 2.1 dialect. Certain
functionalities are negotiated through the exchange of capabilities as specified in sections 2.2.4 and
2.2.5.
The following state diagram illustrates dialect negotiation in the SMB 2.1 server. In this diagram,
state transitions occur as the SMB_COM_NEGOTIATE, SMB2 NEGOTIATE, and other requests are
received from the client. The server uses a per-connection variable, Connection.NegotiateDialect,
to represent the current state of dialect negotiation between client and server on each transport
connection.
20 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
There are no vendor-extensible fields for the Server Message Block (SMB) Version 2 Protocol.
This protocol shares the standards assignments of TCP port and NetBIOS-over-TCP port, as specified
in [MS-SMB] section 1.9 and [RFC1002], respectively.
21 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
2.1 Transport
The Server Message Block (SMB) Version 2 Protocol shares only direct TCP and NetBIOS over TCP
transports and endpoints specified in the original Server Message Block (SMB) Protocol (as specified
in [MS-SMB] section 2.1).
When the SMB 2 Protocol is negotiated on the connection, there is no inheritance of the base SMB
Protocol state. The SMB 2 Protocol takes over the transport connection that is initially used for
negotiation, and thereafter, all protocol flow on that connection MUST be SMB 2 Protocol.
The SMB 2 Protocol is composed of, and driven by, message exchanges between the client and the
server in the following categories:
File access (SMB2 CREATE, SMB2 CLOSE, SMB2 READ, SMB2 WRITE, SMB2 LOCK, SMB2 IOCTL,
SMB2 QUERY_INFO, SMB2 SET_INFO, SMB2 FLUSH, SMB2 CANCEL)
The SMB 2.1 dialect in the SMB 2 Protocol enhances the following categories of messages in the
SMB 2 Protocol:
All SMB 2 Protocol messages begin with a fixed-length SMB2 header that is described in section
2.2.1. The SMB2 header contains a Command field indicating the operation code that is requested
by the client or responded to by the server. An SMB 2 Protocol message is of variable length,
22 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
Unless otherwise specified, multiple-byte fields (16-bit, 32-bit, and 64-bit fields) in an SMB 2
Protocol message MUST be transmitted in little-endian order (least-significant byte first).
Unless otherwise indicated, numeric fields are integers of the specified byte length.
Unless otherwise specified, all textual strings MUST be in Unicode version 5.0 format, as specified
in [UNICODE], using the 16-bit Unicode Transformation Format (UTF-16) form of the encoding.
Textual strings with separate fields identifying the length of the string MUST NOT be null-terminated
unless otherwise specified.
Unless otherwise noted, fields marked as "unused" MUST be set to 0 when being sent and MUST be
ignored when received. These fields are reserved for future protocol expansion and MUST NOT be
used for implementation-specific functionality.
When it is necessary to insert unused padding bytes into a buffer for data alignment purposes, such
bytes MUST be set to 0 when being sent and MUST be ignored when received.
When an error occurs, a server MUST send back an SMB 2 Protocol error response as specified in
section 2.2.2, unless otherwise noted in section 3.3.
All constants in section 2 and 3 that begin with STATUS_ have their values defined in [MS-ERREF]
section 2.3.
Operations executed on a printer share are handled on the server by creating a file, and printing the
contents of the file when it is closed. Unless otherwise specified, descriptions in this document
concerning protocol behavior for files also apply to printers. More information about processing
specific to printers is specified in section 2.2.13.
The SMB2 Packet Header (also called the SMB2 header) is the header of all SMB 2 Protocol packets.
ASYNC
SYNC
If the SMB2_FLAGS_ASYNC_COMMAND bit is set in Flags, the header takes the form: SMB2
Protocol Header – ASYNC (section 2.2.1.1). This header format is used for responses to requests
processed asynchronously by SMB2 server. For more details refer to sections 3.3.4.2, 3.2.5.1.4 and
3.2.4.24. The SMB2 CANCEL Request uses this format for canceling requests that are being
processed asynchronously.
If the SMB2_FLAGS_ASYNC_COMMAND bit is not set in Flags, the header takes the form: SMB2
Protocol Header – SYNC (section 2.2.1.2). This format is used for all requests with the exception of
the SMB2 CANCEL Request to cancel a previously sent request being processed asynchronously.
If the SMB2_FLAGS_ASYNC_COMMAND bit is set in Flags, the header takes the following form.
23 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
ProtocolId
StructureSize CreditCharge
Status
Command CreditRequest/CreditResponse
Flags
NextCommand
MessageId
...
AsyncId
...
SessionId
...
Signature
...
...
...
ProtocolId (4 bytes): The protocol identifier. The value MUST be (in network order) 0xFE, 'S',
'M', and 'B'.
StructureSize (2 bytes): MUST be set to 64, which is the size, in bytes, of the SMB2 header
structure.
24 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
Status (4 bytes): The status code for a response. For a request, the client MUST set this field
to 0 and the server MUST ignore it on receipt. For a response, this field can be set to any
value. For a list of valid status codes, see [MS-ERREF] section 2.3.
Command (2 bytes): The command code of this packet. This field MUST contain one of the
following valid commands:
Name Value
Flags (4 bytes): A flags field, which indicates how to process the operation. This field MUST be
constructed using the following values:
25 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
SMB2_FLAGS_SIGNED When set, indicates that this packet has been signed. The
0x00000008 use of this flag is as specified in 3.1.5.1.
NextCommand (4 bytes): For a compounded request, this field MUST be set to the offset, in
bytes, from the beginning of this SMB2 header to the start of the subsequent 8-byte aligned
SMB2 header. If this is not a compounded request, or this is the last header in a compounded
request, this value MUST be 0.
MessageId (8 bytes): A value that identifies a message request and response uniquely across
all messages that are sent on the same SMB 2 Protocol transport connection.
AsyncId (8 bytes): A unique identification number that is created by the server to handle
operations asynchronously, as specified in section 3.3.4.2.
SessionId (8 bytes): Uniquely identifies the established session for the command. This MUST
be 0 for requests that do not have a user context that is associated with them. This MUST be
0 for the first SMB2 SESSION_SETUP Request for a specified security principal. The following
SMB 2 Protocol commands do not require the SessionId to be set to a nonzero value received
from a previous SMB2 SESSION_SETUP Response. SessionId SHOULD<2> be set to 0 for the
following commands:
Signature (16 bytes): The 16-byte signature of the message, if SMB2_FLAGS_SIGNED is set in
the Flags field of the SMB2 header. If the message is not signed, this field MUST be 0.
26 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
If the SMB2_FLAGS_ASYNC_COMMAND bit is not set in Flags, the header takes the following form.
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
ProtocolId
StructureSize CreditCharge
Status
Command CreditRequest/CreditResponse
Flags
NextCommand
MessageId
...
ProcessId
TreeId
SessionId
...
Signature
...
...
...
ProtocolId (4 bytes): The protocol identifier. The value MUST be (in network order) 0xFE, 'S',
'M', and 'B'.
StructureSize (2 bytes): This MUST be set to 64, which is the size, in bytes, of the SMB2
header structure.
27 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
Status (4 bytes): The status code for a response. For a request, the client MUST set this field
to 0 and the server MUST ignore it on receipt. For a response, this field can be set to any
value. For a list of valid status codes, see [MS-ERREF] section 2.3.
Command (2 bytes): The command code of this packet. This field MUST contain one of the
following valid commands.
Name Value
Flags (4 bytes): A Flags field indicates how to process the operation. This field MUST be
constructed using the following values:
28 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
SMB2_FLAGS_SIGNED When set, indicates that this packet has been signed. The
0x00000008 use of this flag is as specified in 3.1.5.1.
NextCommand (4 bytes): For a compounded request, this field MUST be set to the offset, in
bytes, from the beginning of this SMB2 header to the start of the subsequent 8-byte aligned
SMB2 header. If this is not a compounded request, or this is the last header in a compounded
request, this value MUST be 0.
MessageId (8 bytes): A value that identifies a message request and response uniquely across
all messages that are sent on the same SMB 2 Protocol transport connection.
ProcessId (4 bytes): The identification of the process that is issuing the request. For a
request, the client MUST set this field to 0xFEFF. For a response, the server SHOULD set this
field to 0xFEFF. The client MUST ignore it on receipt.
TreeId (4 bytes): Uniquely identifies the tree connect for the command. This MUST be 0 for
the SMB2 TREE_CONNECT Request. The TreeId MAY be any unsigned 32-bit integer that is
received from a previous SMB2 TREE_CONNECT Response. The following SMB 2 Protocol
commands do not require the TreeId to be set to a nonzero value received from a previous
SMB2 TREE_CONNECT Response. TreeId SHOULD be set to 0 for the following commands:
29 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
SessionId (8 bytes): Uniquely identifies the established session for the command. This MUST
be 0 for requests that do not have a user context that is associated with them. This MUST be
0 for the first SMB2 SESSION_SETUP Request for a specified security principal. The following
SMB 2 Protocol commands do not require the SessionId to be set to a nonzero value received
from a previous SMB2 SESSION_SETUP Response. SessionId SHOULD be set to 0 for the
following commands:
Signature (16 bytes): The 16-byte signature of the message, if SMB2_FLAGS_SIGNED is set in
the Flags field of the SMB2 header. If the message is not signed, this field MUST be 0.
The SMB2 ERROR Response packet is sent by the server to respond to a request that has failed or
encountered an error. This response is composed of an SMB2 Packet Header (section 2.2.1) followed
by this response structure.
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
StructureSize Reserved
ByteCount
ErrorData (variable)
...
StructureSize (2 bytes): The server MUST set this field to 9, indicating the size of the
response structure, not including the header. The server MUST set it to this value regardless
of how long ErrorData[] actually is in the response being sent.
Reserved (2 bytes): This field MUST NOT be used and MUST be reserved. The server MUST set
this to 0, and the client MUST ignore it on receipt.
ErrorData (variable): A variable-length data field that contains extended error information. If
the Status code in the header of the response is set to STATUS_STOPPED_ON_SYMLINK, this
field MUST contain a Symbolic Link Error Response as specified in section 2.2.2.1. If the
30 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The Symbolic Link Error Response is used to indicate that a symbolic link was encountered on
create; it describes the target path that the client must use if it requires to follow the symbolic link.
This structure is contained in the ErrorData section of the SMB2 ERROR Response (section 2.2.2).
This structure MUST NOT be returned in an SMB2 ERROR Response unless the Status code in the
header of that response is set to STATUS_STOPPED_ON_SYMLINK.<4> The structure has the
following format.
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
SymLinkLength
SymLinkErrorTag
ReparseTag
ReparseDataLength UnparsedPathLength
SubstituteNameOffset SubstituteNameLength
PrintNameOffset PrintNameLength
Flags
PathBuffer (variable)
...
SymLinkLength (4 bytes): The length, in bytes, of the response including the variable-length
portion and excluding SymLinkLength.
ReparseTag (4 bytes): The type of link encountered. The server MUST set this field to
0xA000000C.
31 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
SubstituteNameOffset (2 bytes): The offset, in bytes, from the beginning of the PathBuffer
field, at which the substitute name is located. The substitute name is the name the client
MUST use to access this file if it requires to follow the symbolic link.
PrintNameOffset (2 bytes): The offset, in bytes, from the beginning of the PathBuffer field,
at which the print name is located. The print name is the user-friendly name the client MUST
return to the application if it requests the name of the symbolic link target.
PrintNameLength (2 bytes): The length, in bytes, of the print name string. If there is a
terminating null character at the end of the string, it is not included in the PrintNameLength
count. This value MUST be greater than or equal to 0.
Flags (4 bytes): A 32-bit bit field that specifies whether the substitute is an absolute target
path name or a path name relative to the directory containing the symbolic link.
Value Meaning
SYMLINK_FLAG_RELATIVE When this Flags value is set, the substitute name is a path name
0x00000001 relative to the directory containing the symbolic link.
PathBuffer (variable): A buffer that contains the Unicode strings for the substitute name and
the print name, as described by SubstituteNameOffset, SubstituteNameLength,
PrintNameOffset, and PrintNameLength. The substitute name string MUST be a Unicode
path to the target of the symbolic link. The print name string MUST be a Unicode string,
suitable for display to a user, that also identifies the target of the symbolic link.
For an absolute target that is on a remote machine, the server MUST return the path in the
format "\??\UNC\server\share\..." where server is replaced by the target server name,
share is replaced by the target share name, and ... is replaced by the remainder of the
path to the target.
The server SHOULD NOT return symbolic link information with an absolute target that is a
local resource, because local evaluation will vary based on client operating system
(OS).<5>
For a relative target, the server MUST return a path that does not start with "\". The path
MUST be evaluated, by the calling application, relative to the directory containing the
symbolic link. The path can contain either "." to refer to the current directory or ".." to
refer to the parent directory, and could contain multiple elements.
For more information on absolute and relative targets, see Handling the Symbolic Link Error
Response (section 2.2.2.1.1).
32 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
If a symbolic link error response is received, it MUST be processed by the calling application as
follows:
1. The unparsed portion of the original path name that is located at the end of the path-name string
MUST be extracted.
The size, in bytes, of the unparsed portion is specified in the UnparsedPathLength field. The
byte count MUST be used from the end of the path-name string and walked backward to find the
starting location of the unparsed bytes.
2. If the SYMLINK_FLAG_RELATIVE flag is not set in the Flags field of the symbolic link error
response, the unparsed portion of the file name MUST be appended to the substitute name to
create the new target path name.
3. If the SYMLINK_FLAG_RELATIVE flag is set in the Flags field of the symbolic link error response,
the symbolic link name MUST be identified by backing up one path name element from the
unparsed portion of the path name. The symbolic link MUST be replaced with the substitute name
to create the new target path name.
2. The server returns a symbolic link error response with the following data:
PathBuffer containing the Unicode string substitute name and print name
"\??\D:\DonHall\MiscDocuments\PDocsD:\DonHall\MiscDocuments\PDocs"
SubstituteNameoffset 0x00
SubstituteNamelength 0x44
The unparsed portion of the path name will be "\DailyDocs\[MS-SMB].doc". Appending the
substitute name with the unparsed portion of the file name gives the new target path name of
"\??\D:\DonHall\MiscDocuments\PDocs\DailyDocs\[MS-SMB].doc".
2. The server returns a symbolic link error response with the following data:
PathBuffer containing the Unicode string substitute name and print name
"..\DonHall\Documents\PDocs..\DonHall\Documents\PDocs"
SubstituteNameoffset 0x00
33 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
Replacing the symbolic link name "ProtocolDocs" in the original open request (path name
"\\MachX\ShareY\Public\ProtocolDocs\DailyDocs\[MS-SMB].doc") with the substitute name
"..\DonHall\Documents\PDocs" gives the new target path name
"\\MachX\ShareY\Public\..\DonHall\Documents\PDocs\DailyDocs\[MS-SMB].doc". Because "."
and ".." are not permitted as components of a path name to be sent over the wire, before
reissuing the SMB2 CREATE request the client MUST first eliminate the ".." by normalizing the
new target path name to "\\MachX\ShareY\DonHall\Documents\PDocs\DailyDocs\[MS-
SMB].doc".
The SMB2 NEGOTIATE Request packet is used by the client to notify the server what dialects of the
SMB 2 Protocol the client understands. This request is composed of an SMB2 header, as specified in
section 2.2.1, followed by this request structure.
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
StructureSize DialectCount
SecurityMode Reserved
Capabilities
ClientGuid
...
...
...
ClientStartTime
...
Dialects (variable)
...
StructureSize (2 bytes): The client MUST set this field to 36, indicating the size of a
NEGOTIATE request. This is not the size of the structure with a single dialect in the Dialects[]
array. This value MUST be set regardless of the number of dialects sent.
34 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
SecurityMode (2 bytes): The security mode field specifies whether SMB signing is enabled,
required at the server, or both. This field MUST be constructed using the following values.
Value Meaning
Reserved (2 bytes): This field MUST NOT be used and MUST be reserved. The client MUST set
this to 0, and the server MUST ignore it on receipt.
Capabilities (4 bytes): This field MUST be set to 0 and the server MUST ignore it on receipt.
ClientGuid (16 bytes): It MUST be a GUID (as specified in [MS-DTYP] section 2.3.2.2)
generated by the client, if the client implements SMB 2.1 dialect. Otherwise, the client MUST
set this to 0.
ClientStartTime (8 bytes): This field MUST NOT be used and MUST be reserved. The client
MUST set this to 0, and the server MUST ignore it on receipt.
Dialects (variable): An array of one or more 16-bit integers specifying the supported dialect
revision numbers. The array MUST contain at least one of the following values.<7>
Value Meaning
The SMB2 NEGOTIATE Response packet is sent by the server to notify the client of the preferred
common dialect. This response is composed of an SMB2 header, as specified in section 2.2.1,
followed by this response structure.
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
StructureSize SecurityMode
DialectRevision Reserved
35 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
...
...
...
Capabilities
MaxTransactSize
MaxReadSize
MaxWriteSize
SystemTime
...
ServerStartTime
...
SecurityBufferOffset SecurityBufferLength
Reserved2
Buffer (variable)
...
StructureSize (2 bytes): The server MUST set this field to 65, indicating the size of the
response structure, not including the header. The server MUST set it to this value, regardless
of how long Buffer[] actually is in the response being sent.
SecurityMode (2 bytes): The security mode field specifies whether SMB signing is enabled,
required at the server, or both. This field MUST be constructed using the following values.
Value Meaning
36 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
DialectRevision (2 bytes): The preferred common SMB 2 Protocol dialect number from the
Dialects array that is sent in the SMB2 NEGOTIATE Request (SECTION 2.2.3) or the SMB2
wildcard revision number. The server SHOULD set this field to one of the following
values.<10>
Value Meaning
0x02FF SMB2 wildcard revision number; indicates that the server supports SMB 2.1 or future
dialect revisions and expects the client to send a subsequent SMB2 Negotiate request to
negotiate the actual SMB 2 Protocol revision to be used. The wildcard revision number is
sent only in response to a multi-protocol negotiate request with the "SMB 2.???" dialect
string.<13>
Reserved (2 bytes): This field MUST NOT be used and MUST be reserved. The server SHOULD
set this to 0, and the client MUST ignore it on receipt.<14>
ServerGuid (16 bytes): A globally unique identifier that is generated by the server to uniquely
identify this server. This field MUST NOT be used by a client as a secure method of identifying
a server.<15>
Capabilities (4 bytes): The Capabilities field specifies protocol capabilities for the server. This
field MUST be constructed using the following values.
Value Meaning
SMB2_GLOBAL_CAP_DFS When set, indicates that the server supports the Distributed
0x00000001 File System (DFS).
SMB2_GLOBAL_CAP_LEASING When set, indicates that the server supports leasing. This flag
0x00000002 MUST only be valid for the SMB 2.1 dialect.
MaxTransactSize (4 bytes): The maximum size, in bytes, of the buffer that can be used for
QUERY_INFO, QUERY_DIRECTORY, SET_INFO and CHANGE_NOTIFY operations. This field is
applicable only for buffers sent by the client in SET_INFO requests, or returned from the
server in QUERY_INFO, QUERY_DIRECTORY, and CHANGE_NOTIFY responses.<16>
MaxReadSize (4 bytes): The maximum size, in bytes, of the Length in an SMB2 READ
Request (section 2.2.19) that the server will accept.
37 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
SystemTime (8 bytes): The system time of the SMB2 server when the SMB2 NEGOTIATE
Request was processed; in FILETIME format as specified in [MS-DTYP] section 2.3.1.
ServerStartTime (8 bytes): The SMB2 server start time, in FILETIME format as specified in
[MS-DTYP] section 2.3.1.
SecurityBufferOffset (2 bytes): The offset, in bytes, from the beginning of the SMB2 header
to the security buffer.
Reserved2 (4 bytes): This field MUST NOT be used and MUST be reserved. The server may set
this to any value, and the client MUST ignore it on receipt.
Buffer (variable): The variable-length buffer that contains the security buffer for the response,
as specified by SecurityBufferOffset and SecurityBufferLength. The buffer SHOULD
contain a token as produced by the GSS protocol as specified in section 3.3.5.3. If
SecurityBufferLength is 0, then client-initiated authentication, with an authentication
protocol of the client's choice, will be used instead of server-initiated SPNEGO authentication
as described in [MS-AUTHSO] section 3.2.2.
The SMB2 SESSION_SETUP Request packet is sent by the client to request a new authenticated
session within a new or existing SMB 2 Protocol transport connection to the server. This request is
composed of an SMB2 header as specified in section 2.2.1 followed by this request structure.
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
Capabilities
Channel
SecurityBufferOffset SecurityBufferLength
PreviousSessionId
...
Buffer (variable)
...
38 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
VcNumber (1 byte): The number of other transport connections that are already established.
The client MUST set this field to 0 regardless of the number of outstanding connections.
SecurityMode (1 byte): The security mode field specifies whether SMB signing is enabled,
required at the server, or both. This field MUST be constructed using the following values.
Value Meaning
Capabilities (4 bytes): Specifies protocol capabilities for the client. This field MUST be
constructed using the following values.
Value Meaning
SMB2_GLOBAL_CAP_DFS When set, indicates that the client supports the Distributed File
0x00000001 System (DFS).
Values other than those that are defined in the previous table are unused at present and
SHOULD<17> be treated as reserved.
Channel (4 bytes): This field MUST NOT be used and MUST be reserved. The client MUST set
this to 0, and the server MUST ignore it on receipt.
SecurityBufferOffset (2 bytes): The offset, in bytes, from the beginning of the SMB 2 Protocol
header to the security buffer.
Buffer (variable): A variable-length buffer that contains the security buffer for the request, as
specified by SecurityBufferOffset and SecurityBufferLength. The buffer SHOULD contain a
token as produced by the GSS protocol as specified in section 3.3.5.5. If
39 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The SMB2 SESSION_SETUP Response packet is sent by the server in response to an SMB2
SESSION_SETUP Request packet. This response is composed of an SMB2 header, as specified in
section 2.2.1, that is followed by this response structure:
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
StructureSize SessionFlags
SecurityBufferOffset SecurityBufferLength
Buffer (variable)
...
StructureSize (2 bytes): The server MUST set this to 9, indicating the size of the fixed part of
the response structure not including the header. The server MUST set it to this value
regardless of how long Buffer[] actually is in the response.
SessionFlags (2 bytes): A flags field that indicates additional information about the session.
This field MUST contain either 0 or one of the following values:
Value Meaning
SecurityBufferOffset (2 bytes): The offset, in bytes, from the beginning of the SMB2 header
to the security buffer.
Buffer (variable): A variable-length buffer that contains the security buffer for the response, as
specified by SecurityBufferOffset and SecurityBufferLength. The buffer SHOULD contain a
token as produced by the GSS protocol as specified in section 3.2.5.3. If
SecurityBufferLength is 0, then client-initiated authentication, with an authentication
protocol of the client's choice, will be used instead of server-initiated SPNEGO authentication
as described in [MS-AUTHSO] section 3.2.2.
40 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The SMB2 LOGOFF Request packet is sent by the client to request termination of a particular
session. This request is composed of an SMB2 header as specified in section 2.2.1 followed by this
request structure.
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
StructureSize Reserved
StructureSize (2 bytes): The client MUST set this field to 4, indicating the size of the request
structure not including the header.
Reserved (2 bytes): This field MUST NOT be used and MUST be reserved. The client MUST set
this to 0, and the server MUST ignore it on receipt.
The SMB2 LOGOFF Response packet is sent by the server to confirm that an SMB2 LOGOFF Request
(section 2.2.7) was completed successfully. This response is composed of an SMB2 header, as
specified in section 2.2.1, followed by this request structure:
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
StructureSize Reserved
StructureSize (2 bytes): The server MUST set this field to 4, indicating the size of the
response structure, not including the header.
Reserved (2 bytes): This field MUST NOT be used and MUST be reserved. The server MUST set
this to 0, and the client MUST ignore it on receipt.
The SMB2 TREE_CONNECT Request packet is sent by a client to request access to a particular share
on the server. This request is composed of an SMB2 Packet Header (section 2.2.1) that is followed
by this request structure.
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
StructureSize Reserved
PathOffset PathLength
Buffer (variable)
41 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
StructureSize (2 bytes): The client MUST set this field to 9, indicating the size of the request
structure, not including the header. The client MUST set it to this value regardless of how long
Buffer[] actually is in the request being sent.
Reserved (2 bytes): This field MUST NOT be used and MUST be reserved. The client MUST set
this to 0, and the server MUST ignore it on receipt.
PathOffset (2 bytes): The offset, in bytes, of the full share path name from the beginning of
the packet header.
Buffer (variable): A variable-length buffer that contains the path name of the share in Unicode
in the form "\\server\share" for the request, as described by PathOffset and PathLength.
The server component of the path MUST be a NetBIOS name, a fully qualified domain
name (FQDN), a textual IPv4 or IPv6 address, or the alias of an existing server name, and it
MUST be fewer than 256 characters in length. The share component of the path MUST be less
than or equal to 80 characters in length. The share name MUST NOT contain any invalid
characters, as specified in [MS-FSCC] section 2.1.6.<18>
The SMB2 TREE_CONNECT Response packet is sent by the server when an SMB2 TREE_CONNECT
request is processed successfully by the server. The server MUST set the TreeId of the newly
created tree connect in the SMB 2 Protocol header of the response. This response is composed of an
SMB2 Packet Header (section 2.2.1) that is followed by this response structure.
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
ShareFlags
Capabilities
MaximalAccess
StructureSize (2 bytes): The server MUST set this field to 16, indicating the size of the
response structure, not including the header.
ShareType (1 byte): The type of share being accessed. This field MUST contain one of the
following values.
Value Meaning
42 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
Reserved (1 byte): This field MUST NOT be used and MUST be reserved. The server MUST set
this to 0, and the client MUST ignore it on receipt.
This field MUST contain one of the following offline caching properties:
SMB2_SHAREFLAG_MANUAL_CACHING, SMB2_SHAREFLAG_AUTO_CACHING,
SMB2_SHAREFLAG_VDO_CACHING and SMB2_SHAREFLAG_NO_CACHING.
This field MUST contain zero or more of the following values: SHI1005_FLAGS_DFS,
SHI1005_FLAGS_DFS_ROOT, SHI1005_FLAGS_RESTRICT_EXCLUSIVE_OPENS,
SHI1005_FLAGS_FORCE_SHARED_DELETE, SHI1005_FLAGS_ALLOW_NAMESPACE_CACHING,
SHI1005_FLAGS_ACCESS_BASED_DIRECTORY_ENUM,
SHI1005_FLAGS_FORCE_LEVELII_OPLOCK and SHI1005_FLAGS_ENABLE_HASH.
Value Meaning
43 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
Capabilities (4 bytes): Indicates various capabilities for this share. This field MUST be
constructed using the following value.
Value Meaning
SMB2_SHARE_CAP_DFS The specified share is present in a Distributed File System (DFS) tree
0x00000008 structure. The server MUST set the SMB2_SHARE_CAP_DFS bit in the
Capabilities field if the per-share property Share.IsDfs is TRUE.
MaximalAccess (4 bytes): Contains the maximal access for the user that establishes the tree
connect on the share based on the share's permissions. This value takes the form as specified
in section 2.2.13.1.
The SMB2 TREE_DISCONNECT Request packet is sent by the client to request that the tree connect
that is specified in the TreeId within the SMB2 header be disconnected. This request is composed of
an SMB2 header, as specified in section 2.2.1, that is followed by this variable-length request
structure.
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
StructureSize Reserved
StructureSize (2 bytes): The client MUST set this field to 4, indicating the size of the request
structure, not including the header.
Reserved (2 bytes): This field MUST NOT be used and MUST be reserved. The client MUST set
this to 0, and the server MUST ignore it on receipt.
44 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The SMB2 TREE_DISCONNECT Response packet is sent by the server to confirm that an SMB2
TREE_DISCONNECT Request (section 2.2.11) was successfully processed. This response is
composed of an SMB2 header, as specified in section 2.2.1, that is followed by this request
structure.
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
StructureSize Reserved
StructureSize (2 bytes): The server MUST set this field to 4, indicating the size of the
response structure, not including the header.
Reserved (2 bytes): This field MUST NOT be used and MUST be reserved. The server MUST set
this to 0, and the client MUST ignore it on receipt.
The SMB2 CREATE Request packet is sent by a client to request either creation of or access to a file.
In case of a named pipe or printer, the server MUST create a new file.
This request is composed of an SMB2 Packet Header, as specified in section 2.2.1, that is followed
by this request structure.
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
ImpersonationLevel
SmbCreateFlags
...
Reserved
...
DesiredAccess
FileAttributes
ShareAccess
45 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
CreateOptions
NameOffset NameLength
CreateContextsOffset
CreateContextsLength
Buffer (variable)
...
StructureSize (2 bytes): The client MUST set this field to 57, indicating the size of the request
structure, not including the header. The client MUST set it to this value regardless of how long
Buffer[] actually is in the request being sent.
SecurityFlags (1 byte): This field MUST NOT be used and MUST be reserved. The client MUST
set this to 0, and the server MUST ignore it.
RequestedOplockLevel (1 byte): The requested oplock level. This field MUST contain one of
the following values.<20> For named pipes, the server MUST always revert to
SMB2_OPLOCK_LEVEL_NONE irrespective of the value of this field.
Value Meaning
ImpersonationLevel (4 bytes): This field specifies the impersonation level of the application
that is issuing the create request. Unless otherwise specified, the security context is that of
the authenticated user that established the session. This field MUST contain one of the
following values.
46 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
Anonymous The client application is anonymous to the server. The server process
0x00000000 SHOULD<21> impersonate the client.
Identification The server SHOULD use information from the client's security context to perform
0x00000001 access control list (ACL) checks.
Impersonation The server SHOULD impersonate the client's security context while acting on
0x00000002 behalf of the client. The server MAY access local resources as the client.
Delegate The server SHOULD impersonate the client's security context while acting on
0x00000003 behalf of the client. During impersonation, the client's credentials (both local and
network) MAY be passed to any number of machines.
SmbCreateFlags (8 bytes): This field MUST NOT be used and MUST be reserved. The client
sets this to any value, and the server MUST ignore it on receipt.
Reserved (8 bytes): This field MUST NOT be used and MUST be reserved. The client sets this
to any value, and the server MUST ignore it on receipt.
DesiredAccess (4 bytes): The level of access that is required, as specified in section 2.2.13.1.
FileAttributes (4 bytes): This field MUST be a combination of the values specified in [MS-
FSCC] section 2.6, and MUST NOT include any values other than those specified in that
section. This field is only valid when a file is created.
When a client requests that a file be created or opened, if any bits other than those
documented in [MS-FSCC] section 2.6 are set, the server MUST fail the request with
STATUS_INVALID_PARAMETER.
The server MUST ignore the FileAttributes field when opening an existing file, and the client
SHOULD<22> set the FileAttributes field to 0.
For print files, if FileAttributes includes FILE_ATTRIBUTE_DIRECTORY the server MUST fail
the open with the error code STATUS_NOT_SUPPORTED. All other attributes MUST be ignored
by the server.
ShareAccess (4 bytes): Specifies the sharing mode for the open. If ShareAccess values of
FILE_SHARE_READ, FILE_SHARE_WRITE and FILE_SHARE_DELETE are set for a printer file or
a named pipe, the server SHOULD<23> ignore these values. The field MUST be constructed
using a combination of zero or more of the following bit values.
Value Meaning
FILE_SHARE_READ When set, indicates that other opens are allowed to read this file while this
0x00000001 open is present. This bit MUST NOT be set for a named pipe or a printer
file. Each open creates a new instance of a named pipe. Likewise, opening
a printer file always creates a new file.
FILE_SHARE_WRITE When set, indicates that other opens are allowed to write this file while this
0x00000002 open is present. This bit MUST NOT be set for a named pipe or a printer
47 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
file. Each open creates a new instance of a named pipe. Likewise, opening
a printer file always creates a new file.
FILE_SHARE_DELETE When set, indicates that other opens are allowed to delete or rename this
0x00000004 file while this open is present. This bit MUST NOT be set for a named pipe
or a printer file. Each open creates a new instance of a named pipe.
Likewise, opening a printer file always creates a new file.
CreateDisposition (4 bytes): Defines the action the server MUST take if the file that is
specified in the name field already exists. For opening named pipes, this field may be set to
any value by the client and MUST be ignored by the server. For other files, this field MUST
contain one of the following values.
Value Meaning
FILE_SUPERSEDE If the file already exists, supersede it. Otherwise, create the file. This value
0x00000000 SHOULD NOT be used for a printer object.<24>
FILE_OPEN If the file already exists, return success; otherwise, fail the operation.
0x00000001 MUST NOT be used for a printer object.
FILE_CREATE If the file already exists, fail the operation; otherwise, create the file.
0x00000002
FILE_OPEN_IF Open the file if it already exists; otherwise, create the file. This value
0x00000003 SHOULD NOT be used for a printer object.<25>
FILE_OVERWRITE Overwrite the file if it already exists; otherwise, fail the operation. MUST
0x00000004 NOT be used for a printer object.
FILE_OVERWRITE_IF Overwrite the file if it already exists; otherwise, create the file. This value
0x00000005 SHOULD NOT be used for a printer object.<26>
CreateOptions (4 bytes): Specifies the options to be applied when creating or opening the file.
Combinations of the bit positions listed below are valid, unless otherwise noted. This field
MUST be constructed using the following values.<27>
Value Meaning
48 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
STATUS_INVALID_PARAMETER.
FILE_NON_DIRECTORY_FILE The file being opened MUST NOT be a directory file or the
0x00000040 server MUST fail the request with
STATUS_FILE_IS_A_DIRECTORY. This flag MUST NOT be
used with FILE_DIRECTORY_FILE or the server MUST fail
the request with STATUS_INVALID_PARAMETER.
FILE_OPEN_BY_FILE_ID This bit SHOULD be set to 0 and the server MUST fail the
0x00002000 request with a STATUS_NOT_SUPPORTED error if this bit
is set.<31>
49 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
FILE_OPEN_FOR_BACKUP_INTENT The file is being opened for backup intent. That is, it is
0x00004000 being opened or created for the purposes of either a
backup or a restore operation. The server MAY check to
ensure that the caller is capable of overriding whatever
security checks have been placed on the file to allow a
backup or restore operation to occur. The server MAY
check for access rights to the file before checking the
DesiredAccess field.
FILE_RESERVE_OPFILTER This bit SHOULD be set to 0 and the server MUST fail the
0x00100000 request with a STATUS_NOT_SUPPORTED error if this bit
is set.<32>
FILE_OPEN_FOR_FREE_SPACE_QUERY Open file to query for free space. The client SHOULD set
0x00800000 this to 0 and the server MUST ignore it.<33>
NameOffset (2 bytes): The offset, in bytes, from the beginning of the SMB2 header to the 8-
byte aligned file name. If SMB2_FLAGS_DFS_OPERATIONS is set in the Flags field of the SMB2
header, the file name can be prefixed with DFS link information that will be removed during
DFS name normalization as specified in section 3.3.5.9. Otherwise, the file name is relative to
the share that is identified by the TreeId in the SMB2 header. The NameOffset field SHOULD
be set to the offset of the Buffer field from the beginning of the SMB2 header. The file name
(after DFS normalization if needed) MUST conform to the specification of a relative pathname
in [MS-FSCC] section 2.1.5. A zero length file name indicates a request to open the root of the
share.
NameLength (2 bytes): The length of the file name, in bytes. If no file name is provided, this
field MUST be set to 0.
CreateContextsOffset (4 bytes): The offset, in bytes, from the beginning of the SMB2 header
to the first 8-byte aligned SMB2_CREATE_CONTEXT structure in the request. If no
SMB2_CREATE_CONTEXTs are being sent, this value MUST be 0.
Buffer (variable): A variable-length buffer that contains the Unicode file name and create
context list, as defined by NameOffset, NameLength, CreateContextsOffset, and
CreateContextsLength. In the request, the Buffer field MUST be at least one byte in length.
The file name (after DFS normalization if needed) MUST conform to the specification of a
relative pathname in [MS-FSCC] section 2.1.5.
50 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The SMB2 Access Mask Encoding in SMB2 is a 4-byte bit field value that contains an array of flags.
An access mask can specify access for one of two basic groups: either for a file, pipe, or printer
(specified in section 2.2.13.1.1) or for a directory (specified in section 2.2.13.1.2). Each access
mask MUST be a combination of zero or more of the bit positions that are shown below.
2.2.13.1.1 File_Pipe_Printer_Access_Mask
The following SMB2 Access Mask flag values can be used when accessing a file, pipe or printer.
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
File_Pipe_Printer_Access_Mask
Value Meaning
FILE_READ_DATA This value indicates the right to read data from the file or named
0x00000001 pipe.
FILE_WRITE_DATA This value indicates the right to write data into the file or named
0x00000002 pipe beyond the end of the file.
FILE_APPEND_DATA This value indicates the right to append data into the file or named
0x00000004 pipe.
FILE_READ_EA This value indicates the right to read the extended attributes of the
0x00000008 file or named pipe.
FILE_WRITE_EA This value indicates the right to write or change the extended
0x00000010 attributes to the file or named pipe.
FILE_READ_ATTRIBUTES This value indicates the right to read the attributes of the file.
0x00000080
FILE_WRITE_ATTRIBUTES This value indicates the right to change the attributes of the file.
0x00000100
READ_CONTROL This value indicates the right to read the security descriptor for the
0x00020000 file or named pipe.
WRITE_DAC This value indicates the right to change the discretionary access
0x00040000 control list (DACL) in the security descriptor for the file or named
pipe. For the DACL data structure, see ACL in [MS-DTYP].
51 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
WRITE_OWNER This value indicates the right to change the owner in the security
0x00080000 descriptor for the file or named pipe.
ACCESS_SYSTEM_SECURITY This value indicates the right to read or change the system access
0x01000000 control list (SACL) in the security descriptor for the file or named
pipe. For the SACL data structure, see ACL in [MS-DTYP].<36>
MAXIMUM_ALLOWED This value indicates that the client is requesting an open to the file
0x02000000 with the highest level of access the client has on this file. If no
access is granted for the client on this file, the server MUST fail the
open with STATUS_ACCESS_DENIED.
GENERIC_ALL This value indicates a request for all the access flags that are
0x10000000 previously listed except MAXIMUM_ALLOWED and
ACCESS_SYSTEM_SECURITY.
2.2.13.1.2 Directory_Access_Mask
The following SMB2 Access Mask flag values can be used when accessing a directory.
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
Directory_Access_Mask
Directory_Access_Mask (4 bytes): For a directory, the value MUST be constructed using the
following values:
Value Meaning
FILE_LIST_DIRECTORY This value indicates the right to enumerate the contents of the
0x00000001 directory.
FILE_ADD_FILE This value indicates the right to create a file under the directory.
0x00000002
52 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
FILE_ADD_SUBDIRECTORY This value indicates the right to add a sub-directory under the
0x00000004 directory.
FILE_READ_EA This value indicates the right to read the extended attributes of the
0x00000008 directory.
FILE_WRITE_EA This value indicates the right to write or change the extended
0x00000010 attributes of the directory.
FILE_TRAVERSE This value indicates the right to traverse this directory if the server
0x00000020 enforces traversal checking.
FILE_DELETE_CHILD This value indicates the right to delete the files and directories
0x00000040 within this directory.
FILE_READ_ATTRIBUTES This value indicates the right to read the attributes of the directory.
0x00000080
FILE_WRITE_ATTRIBUTES This value indicates the right to change the attributes of the
0x00000100 directory.
READ_CONTROL This value indicates the right to read the security descriptor for the
0x00020000 directory.
WRITE_DAC This value indicates the right to change the DACL in the security
0x00040000 descriptor for the directory. For the DACL data structure, see ACL
in [MS-DTYP].
WRITE_OWNER This value indicates the right to change the owner in the security
0x00080000 descriptor for the directory.
SYNCHRONIZE SMB2 clients set this flag to any value.<37> SMB2 servers MUST
0x00100000 ignore this flag.
ACCESS_SYSTEM_SECURITY This value indicates the right to read or change the SACL in the
0x01000000 security descriptor for the directory. For the SACL data structure,
see ACL in [MS-DTYP].
MAXIMUM_ALLOWED This value indicates that the client is requesting an open to the
0x02000000 directory with the highest level of access the client has on this
directory. If no access is granted for the client on this directory, the
server MUST fail the open with STATUS_ACCESS_DENIED.
GENERIC_ALL This value indicates a request for all the access flags that are listed
0x10000000 above except MAXIMUM_ALLOWED and
ACCESS_SYSTEM_SECURITY.
GENERIC_EXECUTE This value indicates a request for the following access flags listed
0x20000000 above: FILE_READ_ATTRIBUTES| FILE_TRAVERSE| SYNCHRONIZE|
READ_CONTROL.
GENERIC_WRITE This value indicates a request for the following access flags listed
0x40000000 above: FILE_ADD_FILE| FILE_ADD_SUBDIRECTORY|
FILE_WRITE_ATTRIBUTES| FILE_WRITE_EA| SYNCHRONIZE|
53 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
READ_CONTROL.
GENERIC_READ This value indicates a request for the following access flags listed
0x80000000 above: FILE_LIST_DIRECTORY| FILE_READ_ATTRIBUTES|
FILE_READ_EA| SYNCHRONIZE| READ_CONTROL.
The SMB2_CREATE_CONTEXT structure is used by the SMB2 CREATE Request and the SMB2
CREATE Response to encode additional flags and attributes: in requests to specify how the CREATE
request MUST be processed, and in responses to specify how the CREATE request was in fact
processed.
There is no required ordering when multiple create context structures are used. The server MUST
support receiving the contexts in any order.
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
Next
NameOffset NameLength
Reserved DataOffset
DataLength
Buffer (variable)
...
Next (4 bytes): The offset from the beginning of this create context to the beginning of a
subsequent 8-byte aligned create context. This field MUST be set to 0 if there are no
subsequent contexts.
NameOffset (2 bytes): The offset from the beginning of this structure to its 8-byte aligned
name value. The name is represented as four or more ASCII characters and MUST be one of
the values provided in the following table. The structure name indicates what information is
encoded by the data payload. The following values are the valid create context values. The
names are case-sensitive. More details are provided for each of these values in the following
subsections.
Value Meaning
54 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
Reserved (2 bytes): This field MUST NOT be used and MUST be reserved. This value MUST be
set to 0 by the client, and ignored by the server.
DataOffset (2 bytes): The offset, in bytes, from the beginning of this structure to the 8-byte
aligned data payload. If DataLength is 0, the client SHOULD set this value to 0 and the server
MUST ignore it on receipt.<38>
DataLength (4 bytes): The length, in bytes, of the data. The format of the data is determined
by the type of SMB2_CREATE_CONTEXT request, as outlined in the following sections. The
type is indicated in the NameOffset field in the message.
Buffer (variable): A variable-length buffer that contains the name and data fields, as defined
by NameOffset, NameLength, DataOffset, and DataLength.
2.2.13.2.1 SMB2_CREATE_EA_BUFFER
55 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
2.2.13.2.2 SMB2_CREATE_SD_BUFFER
The SMB2_CREATE_SD_BUFFER context is specified on an SMB2 CREATE Request when the client is
applying a security descriptor to a newly created file. The server MUST ignore this Create Context
for requests to open an existing file, a pipe, or a printer. The Data in the Buffer field of the
SMB2_CREATE_CONTEXT MUST contain a security descriptor that MUST be a self-relative
SECURITY_DESCRIPTOR in the format as specified in [MS-DTYP] section 2.4.6.
2.2.13.2.3 SMB2_CREATE_DURABLE_HANDLE_REQUEST
When requesting a durable open, the client SHOULD also request a batch oplock (by setting
RequestedOplockLevel to SMB2_OPLOCK_LEVEL_BATCH) or a handle caching lease (by using an
SMB2_CREATE_REQUEST_LEASE Create Context with a LeaseState that includes
SMB2_LEASE_HANDLE_CACHING). The server MUST ignore this Create Context if neither a batch
oplock nor a handle caching lease is requested and granted. The format of the Data in the Buffer
field of this SMB2_CREATE_CONTEXT MUST be as follows.
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
DurableRequest
...
...
...
DurableRequest (16 bytes): A 16-byte field that MUST NOT be used and MUST be reserved.
This value MUST be set to 0 by the client and ignored by the server.
2.2.13.2.4 SMB2_CREATE_DURABLE_HANDLE_RECONNECT
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
Data
...
...
56 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
Data (16 bytes): An SMB2_FILEID structure, as specified in section 2.2.14.1, for the open that
is being reestablished.
2.2.13.2.5 SMB2_CREATE_QUERY_MAXIMAL_ACCESS_REQUEST
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
Timestamp
...
This time stamp MUST be compared (as specified in section 3.3.5.9.5) with the
LastModifiedTime of the file being opened in the underlying object store.
2.2.13.2.6 SMB2_CREATE_ALLOCATION_SIZE
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
AllocationSize
...
AllocationSize (8 bytes): The size, in bytes, that the newly created file MUST have reserved
on disk.
2.2.13.2.7 SMB2_CREATE_TIMEWARP_TOKEN
57 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
Timestamp
...
Timestamp (8 bytes): The time stamp of the version of the file to be opened, in FILETIME
format as specified in [MS-DTYP] section 2.3.1. If no version of this file exists at this time
stamp, the operation MUST be failed.
2.2.13.2.8 SMB2_CREATE_REQUEST_LEASE
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
LeaseKey
...
...
...
LeaseState
LeaseFlags
LeaseDuration
...
LeaseKey (16 bytes): A unique key that identifies the owner of the lease.
LeaseState (4 bytes): The requested lease state. This field MUST be constructed as a
combination of the following values.<39>
Value Meaning
58 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
LeaseFlags (4 bytes): This field MUST NOT be used and MUST be reserved. The client MUST
set this to 0, and the server MUST ignore it on receipt.
LeaseDuration (8 bytes): This field MUST NOT be used and MUST be reserved. The client
MUST set this to 0, and the server MUST ignore it on receipt.
The SMB2 CREATE Response packet is sent by the server to notify the client of the status of its
SMB2 CREATE Request. This response is composed of an SMB2 header, as specified in section 2.2.1,
followed by this response structure.
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
CreateAction
CreationTime
...
LastAccessTime
...
LastWriteTime
...
ChangeTime
...
AllocationSize
59 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
EndofFile
...
FileAttributes
Reserved2
FileId
...
...
...
CreateContextsOffset
CreateContextsLength
Buffer (variable)
...
StructureSize (2 bytes): The server MUST set this field to 89, indicating the size of the
request structure, not including the header. The server MUST set this field to this value
regardless of how long Buffer[] actually is in the request being sent.
OplockLevel (1 byte): The oplock level that is granted to the client for this open. This field
MUST contain one of the following values.<40>
Value Meaning
60 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
Reserved (1 byte): This field MUST NOT be used and MUST be reserved. The server sets this
to any value, and the client MUST ignore it on receipt.
CreateAction (4 bytes): The action taken in establishing the open. This field MUST contain one
of the following values.<41>
Value Meaning
FILE_SUPERSEDED An existing file was deleted and a new file was created in its place.
0x00000000
CreationTime (8 bytes): The time when the file was created; in FILETIME format as specified
in [MS-DTYP] section 2.3.1.
LastAccessTime (8 bytes): The time the file was last accessed; in FILETIME format as
specified in [MS-DTYP] section 2.3.1.
LastWriteTime (8 bytes): The time when data was last written to the file; in FILETIME
format as specified in [MS-DTYP] section 2.3.1.
ChangeTime (8 bytes): The time when the file was last modified; in FILETIME format as
specified in [MS-DTYP] section 2.3.1.
AllocationSize (8 bytes): The size, in bytes, of the data that is allocated to the file.
FileAttributes (4 bytes): The attributes of the file. The valid flags are as specified in [MS-
FSCC] section 2.6.
Reserved2 (4 bytes): This field MUST NOT be used and MUST be reserved. The server
SHOULD set this to 0, and the client MUST ignore it on receipt.<42>
CreateContextsOffset (4 bytes): The offset, in bytes, from the beginning of the SMB2 header
to the first 8-byte aligned SMB2_CREATE_CONTEXT response that is contained in this
response. If none are being returned in the response, this value MUST be 0. These values are
specified in section 2.2.14.2.
61 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
Buffer (variable): A variable-length buffer that contains the list of create contexts that are
contained in this response, as described by CreateContextsOffset and
CreateContextsLength. This takes the form of a list of SMB2 CREATE_CONTEXT Response
Values, as specified in section 2.2.14.2.
2.2.14.1 SMB2_FILEID
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
Persistent
...
Volatile
...
Persistent (8 bytes): A file handle that remains persistent when an open is reconnected after
being lost on a disconnect, as specified in section 3.3.5.9.7. The server MUST return this file
handle as part of an SMB2 CREATE Response (section 2.2.14). If the open is a durable open,
this value MUST be globally unique. If the open is not a durable open, this value MUST be
unique for all persistent handles on that SMB2 transport connection.
Volatile (8 bytes): A file handle that MAY be changed when an open is reconnected after being
lost on a disconnect, as specified in section 3.3.5.9.7. The server MUST return this file handle
as part of an SMB2 CREATE Response (section 2.2.14). This value MUST NOT change unless a
reconnection is performed. This value MUST be unique for all volatile handles on the SMB2
transport connection.
The SMB2_CREATE_CONTEXT Response Values MUST take the same form as specified in section
2.2.13.2. The individual values that are contained in the data buffer of the create context responses
varies, based on the name of the create context in the request. For each well-known name that is
specified in the definition of the NameOffset field in section 2.2.13, representing a type of
SMB2_CREATE_CONTEXT Request Values, the format of the response is provided below.
2.2.14.2.1 SMB2_CREATE_EA_BUFFER
2.2.14.2.2 SMB2_CREATE_SD_BUFFER
62 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
If the server succeeds in opening a durable handle to a file as requested by the client via the
SMB2_CREATE_DURABLE_HANDLE_REQUEST (section 2.2.13.2.3), it MUST send an SMB2
CREATE_DURABLE_HANDLE_RESPONSE back to the client to inform the client that the handle is
durable.
If the server does not mark it for durable operation or the server does not implement durable
handles, it MUST ignore this request.
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
Reserved
...
Reserved (8 bytes): This field MUST NOT be used and MUST be reserved. The server MUST set
this to 0, and the client MUST ignore the value on receipt.
2.2.14.2.4 SMB2_CREATE_DURABLE_HANDLE_RECONNECT
2.2.14.2.5 SMB2_CREATE_QUERY_MAXIMAL_ACCESS_RESPONSE
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
QueryStatus
MaximalAccess
QueryStatus (4 bytes): The resulting status code of the attempt to query maximal access. The
MaximalAccess field is valid only if QueryStatus is STATUS_SUCCESS. The status code
MUST be one of those defined in [MS-ERREF] section 2.3.
MaximalAccess (4 bytes): The maximal access that the user who is described by SessionId
has on the file or named pipe that was opened. This is an access mask value, as specified in
section 2.2.13.1.
63 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
2.2.14.2.7 SMB2_CREATE_TIMEWARP_TOKEN
2.2.14.2.8 SMB2_CREATE_QUERY_ON_DISK_ID
The server responds with an opaque 32-byte BLOB that uniquely identifies the opened file on disk.
This value cannot change for the lifetime of the file.
2.2.14.2.9 SMB2_CREATE_RESPONSE_LEASE
The server responds with a lease that is granted for this open. The data in the Buffer field of the
SMB2_CREATE_CONTEXT structure MUST contain the following structure.
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
LeaseKey
...
...
...
LeaseState
LeaseFlags
LeaseDuration
...
LeaseKey (16 bytes): A unique key that identifies the owner of the lease.
LeaseState (4 bytes): The granted lease state. This field MUST be constructed using the
following values.
Value Meaning
64 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
LeaseFlags (4 bytes): If the server implements SMB 2.1, this field MUST be set to 0 or the
following value. Otherwise, it is unused and MUST be reserved; the server MUST set this to 0,
and the client MUST ignore it on receipt.
Value Meaning
LeaseDuration (8 bytes): This field MUST NOT be used and MUST be reserved. The server
MUST set this to 0, and the client MUST ignore it on receipt.
The SMB2 CLOSE Request packet is used by the client to close an instance of a file that was opened
previously with a successful SMB2 CREATE Request. This request is composed of an SMB2 header,
as specified in section 2.2.1, followed by this request structure:
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
StructureSize Flags
Reserved
FileId
...
...
...
StructureSize (2 bytes): The client MUST set this field to 24, indicating the size of the request
structure, not including the header.
Flags (2 bytes): A Flags field indicates how to process the operation. This field MUST be
constructed using the following value:
65 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
SMB2_CLOSE_FLAG_POSTQUERY_ATTRIB If set, the server MUST set the attribute fields in the
0x0001 response, as specified in section 2.2.16, to valid
values. If not set, the client MUST NOT use the values
that are returned in the response.
Reserved (4 bytes): This field MUST NOT be used and MUST be reserved. The client MUST set
this to 0, and the server MUST ignore it on receipt.
The identifier of the open to a file or named pipe that is being closed.
The SMB2 CLOSE Response packet is sent by the server to indicate that an SMB2 CLOSE Request
was processed successfully. This response is composed of an SMB2 header, as specified in section
2.2.1, followed by this response structure:
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
StructureSize Flags
Reserved
CreationTime
...
LastAccessTime
...
LastWriteTime
...
ChangeTime
...
AllocationSize
...
66 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
...
FileAttributes
StructureSize (2 bytes): The server MUST set this field to 60, indicating the size of the
response structure, not including the header.
Flags (2 bytes): A Flags field indicates how to process the operation. This field MUST be the
logical OR of the following value, or zero if none are selected:
Value Meaning
SMB2_CLOSE_FLAG_POSTQUERY_ATTRIB If set, the client MUST use the attribute fields in the
0x0001 response. If not set, the client MUST NOT use the
attribute fields that are returned in the response.
Reserved (4 bytes): This field MUST NOT be used and MUST be reserved. The server MUST set
this to 0, and the client MUST ignore it on receipt.
CreationTime (8 bytes): The time when the file was created; in FILETIME format as specified
in [MS-DTYP] section 2.3.1. If the SMB2_CLOSE_FLAG_POSTQUERY_ATTRIB flag in the SMB2
CLOSE Request was set, this field MUST be set to the value that is returned by the attribute
query. If the flag is not set, the field SHOULD be set to zero and MUST NOT be checked on
receipt.
LastAccessTime (8 bytes): The time when the file was last accessed; in FILETIME format as
specified in [MS-DTYP] section 2.3.1. If the SMB2_CLOSE_FLAG_POSTQUERY_ATTRIB flag in
the SMB2 CLOSE Request was set, this field MUST be set to the value that is returned by the
attribute query. If the flag is not set, this field MUST be set to zero.
LastWriteTime (8 bytes): The time when data was last written to the file; in FILETIME
format as specified in [MS-DTYP] section 2.3.1. If the
SMB2_CLOSE_FLAG_POSTQUERY_ATTRIB flag in the SMB2 CLOSE Request was set, this field
MUST be set to the value that is returned by the attribute query. If the flag is not set, this
field MUST be set to zero.
ChangeTime (8 bytes): The time when the file was last modified; in FILETIME format as
specified in [MS-DTYP] section 2.3.1. If the SMB2_CLOSE_FLAG_POSTQUERY_ATTRIB flag in
the SMB2 CLOSE Request was set, this field MUST be set to the value that is returned by the
attribute query. If the flag is not set, this field MUST be set to zero.
AllocationSize (8 bytes): The size, in bytes, of the data that is allocated to the file. If the
SMB2_CLOSE_FLAG_POSTQUERY_ATTRIB flag in the SMB2 CLOSE Request was set, this field
MUST be set to the value that is returned by the attribute query. If the flag is not set, this
field MUST be set to zero.
67 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The SMB2 FLUSH Request packet is sent by a client to request that a server flush all cached file
information for a specified open of a file to the persistent store that backs the file. If the open refers
to a named pipe, the operation will complete once all data written to the pipe has been consumed
by a reader. This request is composed of an SMB2 header, as specified in section 2.2.1, followed by
this request structure:
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
StructureSize Reserved1
Reserved2
FileId
...
...
...
StructureSize (2 bytes): The client MUST set this field to 24, indicating the size of the request
structure, not including the header.
Reserved1 (2 bytes): This field MUST NOT be used and MUST be reserved. The client MUST
set this to 0, and the server MUST ignore it on receipt.
Reserved2 (4 bytes): This field MUST NOT be used and MUST be reserved. The client MUST
set this to 0, and the server MUST ignore it on receipt.
The client MUST set this field to the identifier of the open to a file or named pipe that is being
flushed.
The SMB2 FLUSH Response packet is sent by the server to confirm that an SMB2 FLUSH Request
(section 2.2.17) was successfully processed. This response is composed of an SMB2 header, as
specified in section 2.2.1, followed by this request structure:
68 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
StructureSize Reserved
StructureSize (2 bytes): The server MUST set this field to 4, indicating the size of the
response structure, not including the header.
Reserved (2 bytes): This field MUST NOT be used and MUST be reserved. The server MUST set
this field to 0, and the client MUST ignore it on receipt.
The SMB2 READ Request packet is sent by the client to request a read operation on the file that is
specified by the FileId. This request is composed of an SMB2 header, as specified in section 2.2.1,
followed by this request structure:
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
Length
Offset
...
FileId
...
...
...
MinimumCount
Channel
RemainingBytes
ReadChannelInfoOffset ReadChannelInfoLength
69 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
...
StructureSize (2 bytes): The client MUST set this field to 49, indicating the size of the request
structure, not including the header. The client MUST set it to this value regardless of how long
Buffer[] actually is in the request being sent.
Padding (1 byte): The requested offset from the start of the SMB2 header, in bytes, at which
to place the data read in the SMB2 READ Response (section 2.2.20). This value is provided to
optimize data placement on the client and is not binding on the server.
Reserved (1 byte): This field MUST NOT be used and MUST be reserved. The client MUST set
this field to 0, and the server MUST ignore it on receipt.
Length (4 bytes): The length, in bytes, of the data to read from the specified file or pipe. The
length of the data being read may be zero bytes.
Offset (8 bytes): The offset, in bytes, into the file from which the data MUST be read. If the
read is being executed on a pipe, the Offset MUST be set to 0 by the client and MUST be
ignored by the server.
MinimumCount (4 bytes): The minimum number of bytes to be read for this operation to be
successful. If fewer than the minimum number of bytes are read by the server, the server
MUST return an error rather than the bytes read.
Channel (4 bytes): This field MUST NOT be used and MUST be reserved. The client MUST set
this field to 0, and the server MUST ignore it on receipt.
RemainingBytes (4 bytes): The number of subsequent bytes that the client intends to read
from the file after this operation completes. This value is provided to facilitate read-ahead
caching, and is not binding on the server.
ReadChannelInfoOffset (2 bytes): This field MUST NOT be used and MUST be reserved. The
client MUST set this field to 0, and the server MUST ignore it on receipt.
ReadChannelInfoLength (2 bytes): This field MUST NOT be used and MUST be reserved. The
client MUST set this field to 0, and the server MUST ignore it on receipt.
Buffer (variable): A variable-length buffer that contains the read channel information, as
described by ReadChannelInfoOffset and ReadChannelInfoLength. Unused at present.
The client MUST set one byte of this field to 0, and the server MUST ignore it on receipt.
The SMB2 READ Response packet is sent in response to an SMB2 READ Request (section 2.2.19)
packet. This response is composed of an SMB2 header, as specified in section 2.2.1, followed by this
response structure:
70 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
DataLength
DataRemaining
Reserved2
Buffer (variable)
...
StructureSize (2 bytes): The server MUST set this field to 17, indicating the size of the
response structure, not including the header. This value MUST be used regardless of how large
Buffer[] is in the actual response.
DataOffset (1 byte): The offset, in bytes, from the beginning of the header to the data read
being returned in this response.
Reserved (1 byte): This field MUST NOT be used and MUST be reserved. The server MUST set
this to 0, and the client MUST ignore it on receipt.
DataLength (4 bytes): The length, in bytes, of the data read being returned in this response.
The minimum size is 1 byte.
DataRemaining (4 bytes): This field MUST NOT be used and MUST be reserved. The server
MUST set this field to 0, and the client MUST ignore it on receipt.
Reserved2 (4 bytes): This field MUST NOT be used and MUST be reserved. The server MUST
set this to 0, and the client MUST ignore it on receipt.
Buffer (variable): A variable-length buffer that contains the data read for the response, as
described by DataOffset and DataLength. The minimum length is 1 byte. If 0 bytes are
returned from the underlying object store, the server MUST send a failure response with
status == STATUS_END_OF_FILE.
The SMB2 WRITE Request packet is sent by the client to write data to the file or named pipe on the
server. This request is composed of an SMB2 header, as specified in section 2.2.1, followed by this
request structure:
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
StructureSize DataOffset
71 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
Offset
...
FileId
...
...
...
Channel
RemainingBytes
WriteChannelInfoOffset WriteChannelInfoLength
Flags
Buffer (variable)
...
StructureSize (2 bytes): The client MUST set this field to 49, indicating the size of the request
structure, not including the header. The client MUST set it to this value regardless of how long
Buffer[] actually is in the request being sent.
DataOffset (2 bytes): The offset, in bytes, from the beginning of the SMB2 header to the data
being written.
Length (4 bytes): The length of the data being written, in bytes. The length of the data being
written may be zero bytes.
Offset (8 bytes): The offset, in bytes, of where to write the data in the destination file. If the
write is being executed on a pipe, the Offset MUST be set to 0 by the client and MUST be
ignored by the server.
Channel (4 bytes): This field MUST NOT be used and MUST be reserved. The client MUST set
this field to 0, and the server MUST ignore it on receipt.
72 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
WriteChannelInfoOffset (2 bytes): This field MUST NOT be used and MUST be reserved. The
client MUST set this field to 0, and the server MUST ignore it on receipt.
WriteChannelInfoLength (2 bytes): This field MUST NOT be used and MUST be reserved. The
client MUST set this field to 0, and the server MUST ignore it on receipt.
Flags (4 bytes): A Flags field indicates how to process the operation. This field MUST be
constructed using the following value:
Value Meaning
Buffer (variable): A variable-length buffer that contains the data to write and the write channel
information, as described by DataOffset, Length, WriteChannelInfoOffset, and
WriteChannelInfoLength.
The SMB2 WRITE Response packet is sent in response to an SMB2 WRITE Request (section 2.2.21)
packet. This response is composed of an SMB2 header, as specified in section 2.2.1, followed by this
response structure:
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
StructureSize Reserved
Count
Remaining
WriteChannelInfoOffset WriteChannelInfoLength
StructureSize (2 bytes): The server MUST set this field to 17, the actual size of the response
structure notwithstanding.
Reserved (2 bytes): This field MUST NOT be used and MUST be reserved. The server MUST set
this to 0, and the client MUST ignore it on receipt.
Remaining (4 bytes): This field MUST NOT be used and MUST be reserved. The server MUST
set this to 0, and the client MUST ignore it on receipt.
73 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
WriteChannelInfoLength (2 bytes): This field MUST NOT be used and MUST be reserved. The
server MUST set this to 0, and the client MUST ignore it on receipt.
The SMB2 Oplock Break Notification packet is sent by the server when the underlying object store
indicates that an opportunistic lock (oplock) is being broken, representing a change in the oplock
level. This response is composed of an SMB2 header, as specified in section 2.2.1, followed by this
notification structure:
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
Reserved2
FileId
...
...
...
StructureSize (2 bytes): The server MUST set this to 24, indicating the size of the response
structure, not including the header.
OplockLevel (1 byte): The server MUST set this to the maximum value of the OplockLevel
that the server will accept for an acknowledgment from the client. Because
SMB2_OPLOCK_LEVEL_BATCH is the highest oplock level, and it is being broken to a lower
level, the server will never send a break from SMB2_OPLOCK_LEVEL_BATCH to
SMB2_OPLOCK_LEVEL_BATCH. Thus this field MUST contain one of the following values.<43>
Value Meaning
Reserved (1 byte): This field MUST NOT be used and MUST be reserved. The server MUST set
this to 0, and the client MUST ignore it on receipt.
74 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The identifier of the file or pipe on which the oplock break occurred.
The SMB2 Lease Break Notification packet is sent by the server when the underlying object store
indicates that a lease is being broken, representing a change in the lease state. This is only valid on
the SMB 2.1 dialect. This response is composed of an SMB2 header, as specified in section 2.2.1,
followed by this notification structure:
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
StructureSize Reserved
Flags
LeaseKey
...
...
...
CurrentLeaseState
NewLeaseState
BreakReason
AccessMaskHint
ShareMaskHint
StructureSize (2 bytes): The server MUST set this to 44, indicating the size of the response
structure, not including the header.
Reserved (2 bytes): This field MUST NOT be used and MUST be reserved. The server MUST set
this to 0, and the client MUST ignore it on receipt.
Flags (4 bytes): The field MUST be constructed using the following value.
75 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
LeaseKey (16 bytes): A unique key which identifies the owner of the lease.
CurrentLeaseState (4 bytes): The current lease state of the open. This field MUST be
constructed using the following values.
Value Meaning
NewLeaseState (4 bytes): The new lease state for the open. This field MUST be constructed
using the SMB2_LEASE_NONE or above values.
BreakReason (4 bytes): This field MUST NOT be used and MUST be reserved. The server
MUST set this to 0, and the client MUST ignore it on receipt.
AccessMaskHint (4 bytes): This field MUST NOT be used and MUST be reserved. The server
MUST set this to 0, and the client MUST ignore it on receipt.
ShareMaskHint (4 bytes): This field MUST NOT be used and MUST be reserved. The server
MUST set this to 0, and the client MUST ignore it on receipt.
The Oplock Break Acknowledgment packet is sent by the client in response to an SMB2 Oplock Break
Notification packet sent by the server. The server responds to an oplock break acknowledgment with
an SMB2 Oplock Break response. The client MUST NOT send an oplock break acknowledgment for an
oplock break from level II to none. A break from level II MUST transition to none. Thus, the client
does not send a request to the server because there is no question how the transition was made.
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
Reserved2
FileId
76 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
...
...
StructureSize (2 bytes): The client MUST set this to 24, indicating the size of the request
structure, not including the header.
OplockLevel (1 byte): The resulting oplock level. This MUST be at least as permissive as the
level that is specified by the server in its initial oplock break notification packet. For example,
if the server specifies an SMB2_OPLOCK_LEVEL_II, the client can respond with an
SMB2_OPLOCK_LEVEL_II or an SMB2_OPLOCK_LEVEL_NONE. Because
SMB2_OPLOCK_LEVEL_BATCH is the highest oplock level, the server will never send a break
from SMB2_OPLOCK_LEVEL_BATCH to SMB2_OPLOCK_LEVEL_BATCH. Thus this field MUST
contain one of the following values.<44>
Value Meaning
SMB2_OPLOCK_LEVEL_NONE The client has lowered its oplock level for this file to none.
0x00
SMB2_OPLOCK_LEVEL_II The client has lowered its oplock level for this file to level II.
0x01
Reserved (1 byte): This field MUST NOT be used and MUST be reserved. The client MUST set
this to 0, and the server MUST ignore it on receipt.
Reserved2 (4 bytes): This field MUST NOT be used and MUST be reserved. The client MUST
set this to 0, and the server MUST ignore it on receipt.
The identifier of the file or pipe on which the oplock break occurred.
The SMB2 Lease Break Acknowledgment packet is sent by the client in response to an SMB2 Lease
Break Notification packet sent by the server. This request is valid only in the SMB 2.1 dialect. The
server responds to a lease break acknowledgment with an SMB2 Lease Break Response.
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
StructureSize Reserved
Flags
LeaseKey
77 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
...
...
LeaseState
LeaseDuration
...
StructureSize (2 bytes): The client MUST set this to 36, indicating the size of the request
structure, not including the header.
Reserved (2 bytes): This field MUST NOT be used and MUST be reserved. The client MUST set
this to 0, and the server MUST ignore it on receipt.
Flags (4 bytes): This field MUST NOT be used and MUST be reserved. The client MUST set this
to 0, and the server MUST ignore it on receipt.
LeaseKey (16 bytes): A unique key which identifies the owner of the lease.
LeaseState (4 bytes): The lease state in the Lease Break Acknowledgment message MUST be
a subset of the lease state granted by the server via the preceding Lease Break Notification
message.<45> This field MUST be constructed using the following values:
Value Meaning
LeaseDuration (8 bytes): This field MUST NOT be used and MUST be reserved. The client
MUST set this to 0, and the server MUST ignore it on receipt.
The Oplock Break Response packet is sent by the server in response to an Oplock Break
Acknowledgment from the client. This response is composed of an SMB2 header, as specified in
section 2.2.1, followed by this response structure:
78 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
Reserved2
FileId
...
...
...
StructureSize (2 bytes): The server MUST set this to 24, indicating the size of the response
structure, not including the header.
OplockLevel (1 byte): The resulting oplock level. This MUST be the same as the level that is
specified by the client in its oplock break acknowledgment packet. This field MUST contain
one of the following values.
Value Meaning
SMB2_OPLOCK_LEVEL_NONE The server has lowered oplock level for this file to none.
0x00
SMB2_OPLOCK_LEVEL_II The server has lowered oplock level for this file to level II.
0x01
Reserved (1 byte): This field MUST NOT be used and MUST be reserved. The server MUST set
this to 0, and the client MUST ignore it on receipt.
Reserved2 (4 bytes): This field MUST NOT be used and MUST be reserved. The server MUST
set this to 0, and the client MUST ignore it on receipt.
The identifier of the file or pipe on which the oplock break occurred.
The SMB2 Lease Break Response packet is sent by the server in response to a Lease Break
Acknowledgment from the client. This request is valid only in the SMB 2.1 dialect.
79 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
StructureSize Reserved
Flags
LeaseKey
...
...
...
LeaseState
LeaseDuration
...
StructureSize (2 bytes): The server MUST set this to 36, indicating the size of the response
structure, not including the header.
Reserved (2 bytes): This field MUST NOT be used and MUST be reserved. The server MUST set
this to 0, and the client MUST ignore it on receipt.
Flags (4 bytes): This field MUST NOT be used and MUST be reserved. The server MUST set this
to 0, and the client MUST ignore it on receipt.
LeaseKey (16 bytes): A unique key which identifies the owner of the lease.
LeaseState (4 bytes): The requested lease state. This field MUST be constructed using the
following values:
Value Meaning
80 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The SMB2 LOCK Request packet is sent by the client to either lock or unlock portions of a file.
Several different segments of the file can be affected with a single SMB2 LOCK Request packet, but
they all MUST be within the same file.
Byte range locks in SMB2 are associated with the handle (SMB2 FileID) on which the lock is taken.
Read/write/lock requests using the same SMB2 FileID will not conflict. However, I/O on a different
handle (a different SMB2 FileID) will conflict. It is the client's responsibility to locally resolve lock
conflicts across multiple processes on the same client, if any such conflicts exist.
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
StructureSize LockCount
LockSequence
FileId
...
...
...
Locks (variable)
...
StructureSize (2 bytes): The client MUST set this to 48, indicating the size of an SMB2 LOCK
Request with a single SMB2_LOCK_ELEMENT structure. This value is set regardless of the
number of locks that are sent.
LockCount (2 bytes): MUST be set to the number of SMB2_LOCK_ELEMENT structures that are
contained in the Locks[] array. The lock count MUST be greater than or equal to 1.
LockSequence (4 bytes): In the SMB 2.002 dialect, this field is unused and MUST be reserved.
The client MUST set this to 0, and the server MUST ignore it on receipt. In the SMB 2.1
dialect, this field indicates a value that identifies a lock or unlock request uniquely across all
lock or unlock requests that are sent on the same file.
FileId (16 bytes): An SMB2_FILEID that identifies the file on which to perform the byte range
locks or unlocks.
81 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The SMB2 LOCK_ELEMENT Structure packet is used by the SMB2 LOCK Request packet to indicate
segments of files that should be locked or unlocked.
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
Offset
...
Length
...
Flags
Reserved
Offset (8 bytes): The starting offset, in bytes, in the destination file from where the range
being locked or unlocked starts.
Length (8 bytes): The length, in bytes, of the range being locked or unlocked.
Flags (4 bytes): The description of how the range is being locked or unlocked and how to
process the operation. This field takes the following format:
Value Meaning
The following are the only valid combinations for the flags field:
82 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
SMB2_LOCKFLAG_EXCLUSIVE_LOCK
SMB2_LOCKFLAG_SHARED_LOCK | SMB2_LOCKFLAG_FAIL_IMMEDIATELY
SMB2_LOCKFLAG_EXCLUSIVE_LOCK | SMB2_LOCKFLAG_FAIL_IMMEDIATELY
SMB2_LOCKFLAG_UNLOCK
Reserved (4 bytes): This field MUST NOT be used and MUST be reserved. The client MUST set
this to 0, and the server MUST ignore it on receipt.
The SMB2 LOCK Response packet is sent by a server in response to an SMB2 LOCK Request (section
2.2.26) packet. This response is composed of an SMB2 header, as specified in section 2.2.1,
followed by this request structure:
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
StructureSize Reserved
StructureSize (2 bytes): The server MUST set this to 4, indicating the size of the response
structure, not including the header.
Reserved (2 bytes): This field MUST NOT be used and MUST be reserved. The server MUST set
this to 0, and the client MUST ignore it on receipt.
The SMB2 ECHO Request packet is sent by a client to determine whether a server is processing
requests. This request is composed of an SMB2 header, as specified in section 2.2.1, followed by
this request structure:
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
StructureSize Reserved
StructureSize (2 bytes): The client MUST set this to 4, indicating the size of the request
structure, not including the header.
Reserved (2 bytes): This field MUST NOT be used and MUST be reserved. The client MUST set
this to 0, and the server MUST ignore it on receipt.
The SMB2 ECHO Response packet is sent by the server to confirm that an SMB2 ECHO Request
(section 2.2.28) was successfully processed. This response is composed of an SMB2 header, as
specified in section 2.2.1, followed by the following response structure.
83 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
StructureSize Reserved
StructureSize (2 bytes): The server MUST set this to 4, indicating the size of the response
structure, not including the header.
Reserved (2 bytes): This field MUST NOT be used and MUST be reserved. The server MUST set
this to 0, and the client MUST ignore it on receipt.
The SMB2 CANCEL Request packet is sent by the client to cancel a previously sent message on the
same SMB2 transport connection. The MessageId of the request to be canceled MUST be set in the
SMB2 header of the request. This request is composed of an SMB2 header, as specified in section
2.2.1, followed by this request structure:
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
StructureSize Reserved
StructureSize (2 bytes): The client MUST set this field to 4, indicating the size of the request
structure, not including the header.
Reserved (2 bytes): This field MUST NOT be used and MUST be reserved. The client MUST set
this field to 0, and the server MUST ignore it on receipt.
The SMB2 IOCTL Request packet is sent by a client to issue an implementation-specific file system
control or device control (FSCTL/IOCTL) command across the network. For a list of IOCTL
operations, see section 3.2.4.20 and [MS-FSCC] section 2.3. This request is composed of an SMB2
header, as specified in section 2.2.1, followed by this request structure.
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
StructureSize Reserved
CtlCode
FileId
...
84 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
...
InputOffset
InputCount
MaxInputResponse
OutputOffset
OutputCount
MaxOutputResponse
Flags
Reserved2
Buffer (variable)
...
StructureSize (2 bytes): The client MUST set this field to 57, indicating the size of the request
structure, not including the header. The client MUST set this field to this value regardless of
how long Buffer[] actually is in the request being sent.
Reserved (2 bytes): This field MUST NOT be used and MUST be reserved. The client MUST set
this field to 0, and the server MUST ignore it on receipt.
CtlCode (4 bytes): The control code of the FSCTL/IOCTL method. The values are listed in
subsequent sections, and in [MS-FSCC] section 2.3. The following values indicate SMB2-
specific processing as specified in sections 3.2.4.20 and 3.3.5.15.
Name Value
FSCTL_DFS_GET_REFERRALS 0x00060194
FSCTL_PIPE_PEEK 0x0011400C
FSCTL_PIPE_WAIT 0x00110018
FSCTL_PIPE_TRANSCEIVE 0x0011C017
FSCTL_SRV_COPYCHUNK 0x001440F2
85 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
FSCTL_SRV_ENUMERATE_SNAPSHOTS 0x00144064
FSCTL_SRV_REQUEST_RESUME_KEY 0x00140078
FSCTL_SRV_READ_HASH 0x001441bb
FSCTL_SRV_COPYCHUNK_WRITE 0x001480F2
FSCTL_LMR_REQUEST_RESILIENCY 0x001401D4
FileId (16 bytes): An SMB2_FILEID identifier of the file on which to perform the command. For
FSCTL_DFS_GET_REFERRALS and FSCTL_PIPE_WAIT CtlCode values, this parameter MUST
be set to -1.
InputOffset (4 bytes): The offset, in bytes, from the beginning of the SMB2 header to the
input data buffer. If no input data is required for the FSCTL/IOCTL command being issued, the
client SHOULD set this value to 0 and the server MUST ignore it on receipt.<46>
MaxInputResponse (4 bytes): The maximum number of bytes that the server can return for
the input data in the SMB2 IOCTL Response.
OutputOffset (4 bytes): This field MUST NOT be used and MUST be reserved. The client
SHOULD set this to 0, and the server MUST ignore it.<47>
OutputCount (4 bytes): This field MUST NOT be used and MUST be reserved. The client MUST
set this to 0, and the server MUST ignore it.
MaxOutputResponse (4 bytes): The maximum number of bytes that the server can return for
the output data in the SMB2 IOCTL Response.
Flags (4 bytes): A Flags field indicating how to process the operation. This field MUST be
constructed using one of the following values.
Value Meaning
Reserved2 (4 bytes): This field MUST NOT be used and MUST be reserved. The client MUST
set this field to 0, and the server MUST ignore it on receipt.
86 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
2.2.31.1 SRV_COPYCHUNK_COPY
The SRV_COPYCHUNK_COPY packet is sent in an SMB2 IOCTL Request by the client to initiate a
server-side copy of data. It is set as the contents of the input data buffer. This packet consists of
the following:
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
SourceKey
...
...
...
...
...
ChunkCount
Reserved
Chunks (variable)
...
Reserved (4 bytes): This field MUST NOT be used and MUST be reserved. This field MUST be
set to 0 by the client, and ignored by the server.
Chunks (variable): An array of packets describing the ranges to be copied. This array MUST be
of a length equal to ChunkCount * size of SRV_COPYCHUNK.
87 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
SourceOffset
...
TargetOffset
...
Length
Reserved
SourceOffset (8 bytes): The offset, in bytes, from the beginning of the source file to the
location from which the data will be copied.
TargetOffset (8 bytes): The offset, in bytes, from the beginning of the destination file to
where the data will be copied.
Reserved (4 bytes): this field MUST NOT be used and MUST be reserved. SHOULD be set to
zero and MUST be ignored.<48>
The SRV_READ_HASH request is sent to the server by the client in an SMB2 IOCTL Request
FSCTL_SRV_READ_HASH to retrieve the hash blob for a specified file. The request is valid only for
the SMB 2.1 dialect. It is set as the contents of the input data buffer. This packet consists of the
following:
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
HashType
HashVersion
HashRetrievalType
88 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
Offset
HashType (4 bytes): The hash type of the request indicates what the hash is used for. This
field MUST be set to the following value:
Value Meaning
HashVersion (4 bytes): The version number of the algorithm used to create the Content
Information. This field MUST be set to the following value:
Value Meaning
HashRetrievalType (4 bytes): Defines the Offset field relative to the Content Information.
This field MUST be set to the following value:
Value Meaning
Length (4 bytes): The maximum length, in bytes, of the Content Information to be returned in
the SRV_READ_HASH response to the client.
Offset (4 bytes): The starting offset of the Content Information to be retrieved. If the
HashRetrievalType is SRV_HASH_RETRIEVE_HASH_BASED, this value is an offset, in bytes,
from the beginning of the Content Information data structure.
2.2.31.2.1 HASH_HEADER
All hash files storing a hash BLOB MUST start from a valid format HASH_HEADER as follows. The
format is valid only for the SMB 2.1 dialect.
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
HashType
HashVersion
SourceFileChangeTime
89 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
SourceFileSize
...
HashBlobLength
HashBlobOffset
Dirty SourceFileNameLength
SourceFileName (variable)
...
HashType (4 bytes): The hash type of the request indicates what the hash is used for. This
field MUST be constructed using the following value.
Value Meaning
HashVersion (4 bytes): The version number of the algorithm that is used to create the
Content Information algorithm. This field MUST be constructed using the following value.
Value Meaning
SourceFileChangeTime (8 bytes): The last update time for the source file from which the
hash BLOB is generated, in FILETIME format as specified in [MS-DTYP] section 2.3.1.
SourceFileSize (8 bytes): The length, in bytes, of the source file from which the hash BLOB is
generated.
HashBlobOffset (4 bytes): The offset of the hash BLOB, in bytes, from the beginning of the
hash file.
Dirty (2 bytes): The flag that indicates whether the hash file is currently being updated. A
nonzero value indicates TRUE.
SourceFileNameLength (2 bytes): The length, in bytes, of the source file full name.
90 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The NETWORK_RESILIENCY_REQUEST request packet is sent to the server by the client in an SMB2
IOCTL Request (section 2.2.31) FSCTL_LMR_REQUEST_RESILIENCY to request resiliency for a
specified open file. The request is valid only for the SMB 2.1 dialect. It is set as the contents of the
input data buffer. This packet consists of the following:
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
Timeout
Reserved
Timeout (4 bytes): The requested time the server should hold the file open after a disconnect
before releasing it. This time is in milliseconds.
Reserved (4 bytes): This field MUST NOT be used and MUST be reserved. The client MUST set
this to 0, and the server MUST ignore it on receipt.
The SMB2 IOCTL Response packet is sent by the server to transmit the results of a client SMB2
IOCTL Request. This response consists of an SMB2 header, as specified in section 2.2.1, followed by
this response structure:
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
StructureSize Reserved
CtlCode
FileId
...
...
...
InputOffset
91 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
OutputOffset
OutputCount
Flags
Reserved2
Buffer (variable)
...
StructureSize (2 bytes): The server MUST set this field to 49, indicating the size of the
response structure, not including the header. This value MUST be used regardless of how large
Buffer[] is in the actual response.
Reserved (2 bytes): This field MUST NOT be used and MUST be reserved. The server MUST set
this field to 0, and the client MUST ignore it on receipt.
CtlCode (4 bytes): The control code of the FSCTL/IOCTL method that was executed. SMB2-
specific values are listed in section 2.2.31.
FileId (16 bytes): An SMB2_FILEID identifier of the file on which the command was performed.
OutputOffset (4 bytes): The offset, in bytes, from the beginning of the SMB2 header to the
output data buffer. If output data is returned, the output offset MUST be set to InputOffset
+ InputCount rounded up to a multiple of 8. If no output data is returned for the
FSCTL/IOCTL command that was issued, then this value SHOULD<52> be set to 0.
Flags (4 bytes): This field MUST NOT be used and MUST be reserved. The server MUST set this
field to 0, and the client MUST ignore it on receipt.
Reserved2 (4 bytes): This field MUST NOT be used and MUST be reserved. The server MUST
set this field to 0, and the client MUST ignore it on receipt.
Buffer (variable): A variable-length buffer that contains the input and output data buffer for
the response, as described by InputOffset, InputCount, OutputOffset, and OutputCount.
For more details, refer to section 3.3.5.15.
92 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
ChunksWritten
ChunkBytesWritten
TotalBytesWritten
ChunksWritten (4 bytes): If the Status field in the SMB2 header of the response is not
STATUS_INVALID_PARAMETER, as specified in [MS-ERREF] section 2.3, this value indicates
the number of chunks that were successfully written. If the Status field in the SMB2 header of
the response is STATUS_INVALID_PARAMETER, this value indicates the maximum number of
chunks that the server will accept in a single request. This would allow the client to correctly
reissue the request.
ChunkBytesWritten (4 bytes): If the Status field in the SMB2 header of the response is not
STATUS_INVALID_PARAMETER, as specified in [MS-ERREF] section 2.3, this value indicates
the number of bytes written in the last chunk that did not successfully process (if a partial
write occurred). If the Status field in the SMB2 header of the response is
STATUS_INVALID_PARAMETER, this value indicates the maximum number of bytes the server
will allow to be written in a single chunk.
TotalBytesWritten (4 bytes): If the Status field in the SMB2 header of the response is not
STATUS_INVALID_PARAMETER, as specified in [MS-ERREF] section 2.3, this value indicates
the total number of bytes written in the server-side copy operation. If the Status field in the
SMB2 header of the response is STATUS_INVALID_PARAMETER, this value indicates the
maximum number of bytes the server will accept to copy in a single request.
2.2.32.2 SRV_SNAPSHOT_ARRAY
The SRV_SNAPSHOT_ARRAY packet is returned to the client by the server in an SMB2 IOCTL
Response for the FSCTL_SRV_ENUMERATE_SNAPSHOTS request, as specified in section 3.3.5.15.1.
This packet MUST contain all the revision time-stamps that are associated with the Tree Connect
share in which the open resides, provided that the buffer size required is less than or equal to the
maximum output buffer size received in the SMB2 IOCTL request. This SRV_SNAPSHOT_ARRAY is
placed in the Buffer field in the SMB2 IOCTL Response,<53> and the OutputOffset and
OutputCount fields MUST be updated to describe the buffer as specified in section 2.2.32. This
packet consists of the following:
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
NumberOfSnapShots
93 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
SnapShotArraySize
SnapShots (variable)
...
NumberOfSnapShots (4 bytes): The number of previous versions associated with the volume
that backs this file.
SnapShotArraySize (4 bytes): The length, in bytes, of the SnapShots[ ] array. If the output
buffer is too small to accommodate the entire array, SnapShotArraySize will be the amount of
space that the array would have occupied.
The SRV_REQUEST_RESUME_KEY packet is returned to the client by the server in an SMB2 IOCTL
Response for the FSCTL_SRV_REQUEST_RESUME_KEY request. This
SRV_REQUEST_RESUME_KEY is placed in the Buffer field in the SMB2 IOCTL Response, and the
OutputOffset and OutputCount fields MUST be updated to describe the buffer as specified in
section 2.2.32. This packet consists of the following:
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
ResumeKey
...
...
...
...
...
94 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
Context (variable)
...
ResumeKey (24 bytes): A 24-byte resume key generated by the server that can be
subsequently used by the client to uniquely identify the source file in an
FSCTL_SRV_COPYCHUNK or FSCTL_SRV_COPYCHUNK_WRITE request. The resume key
MUST be treated as a 24-byte opaque structure. The client that receives the 24-byte resume
key MUST NOT attach any interpretation to this key and MUST treat it as an opaque value.
ContextLength (4 bytes): The length, in bytes, of the context information. This field is
unused. The server MUST set this field to 0, and the client MUST ignore it on receipt.
The SRV_READ_HASH response is returned to the client by the server in an SMB2 IOCTL Response
for the FSCTL_SRV_READ_HASH request. This structure is placed in the Buffer field in the SMB2
IOCTL Response, and the OutputOffset and OutputCount fields MUST be updated to describe the
buffer as specified in section 2.2.32. The SRV_READ_HASH response MUST be formatted as follows:
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
NextOffset
...
BufferLength
Reserved
Buffer (variable)
...
NextOffset (8 bytes): If the hash retrieval type specified in the SRV_READ_HASH request is
SRV_HASH_RETRIEVE_HASH_BASED, this field is the offset, in bytes, to the next portion of
the Content Information data structure, as specified in [MS-PCCRC] section 2.3, retrieved
from the server. This is equal to the sum of the value of the Offset field in the
SRV_READ_HASH request and the value of the BufferLength field in this response.
BufferLength (4 bytes): The length, in bytes, of the retrieved portion of the Content
Information data structure.
95 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
Buffer (variable): A variable-length buffer that contains the retrieved portion of the Content
Information data structure as specified in [MS-PCCRC] section 2.3.
The SMB2 QUERY_DIRECTORY Request packet is sent by the client to obtain a directory
enumeration on a directory open. This request consists of an SMB2 header, as specified in section
2.2.1, followed by this request structure:
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
FileIndex
FileId
...
...
...
FileNameOffset FileNameLength
OutputBufferLength
Buffer (variable)
...
StructureSize (2 bytes): The client MUST set this field to 33, indicating the size of the request
structure, not including the header. The client MUST set this field to this value regardless of
how long Buffer[] actually is in the request being sent.
FileInformationClass (1 byte): The file information class describing the format that data
MUST be returned in. Possible values are as specified in [MS-FSCC] section 2.4. This field
MUST contain one of the following values:
Value Meaning
96 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
FileBothDirectoryInformation Basic information plus extended attribute size and short name
0x03 about a file or directory.
Flags (1 byte): Flags indicating how the query directory operation MUST be processed. This
field MUST be a logical OR of the following values, or zero if none are selected:
Value Meaning
SMB2_RESTART_SCANS The server MUST restart the enumeration from the beginning,
0x01 but the search pattern is not changed.
SMB2_RETURN_SINGLE_ENTRY The server MUST only return the first entry of the search results.
0x02
SMB2_REOPEN The server MUST restart the enumeration from the beginning,
0x10 and the search pattern MUST be changed to the provided value.
This often involves silently closing and reopening the directory
on the server side.
FileIndex (4 bytes): The byte offset within the directory, indicating the position at which to
resume the enumeration. If SMB2_INDEX_SPECIFIED is set in Flags, this value MUST be
supplied, and should be based on the FileIndex value received in a previous enumeration
response. Otherwise, it MUST be set to zero and the server MUST ignore it.
FileId (16 bytes): An SMB2_FILEID identifier of the directory on which to perform the
enumeration. This is returned from an SMB2 Create Request to open a directory on the server.
FileNameOffset (2 bytes): The offset, in bytes, from the beginning of the SMB2 header to the
search pattern to be used for the enumeration. This field MUST be 0 if no search pattern is
provided.
FileNameLength (2 bytes): The length, in bytes, of the search pattern. This field MUST be 0 if
no search pattern is provided.
97 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
Buffer (variable): A variable-length buffer containing the Unicode search pattern for the
request, as described by the FileNameOffset and FileNameLength fields. The format,
including wildcards and other conventions for this pattern, is specified in [MS-CIFS] section
2.2.1.1.3.
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
StructureSize OutputBufferOffset
OutputBufferLength
Buffer (variable)
...
StructureSize (2 bytes): The server MUST set this field to 9, indicating the size of the request
structure, not including the header. The server MUST set this field to this value regardless of
how long Buffer[] actually is in the request.
OutputBufferOffset (2 bytes): The offset, in bytes, from the beginning of the SMB2 header to
the directory enumeration data being returned.
Buffer (variable): A variable-length buffer containing the directory enumeration being returned
in the response, as described by the OutputBufferOffset and OutputBufferLength. The
format of this content is as specified in [MS-FSCC] section 2.4, within the topic for the specific
file information class referenced in the SMB2 QUERY_DIRECTORY Request.
The SMB2 CHANGE_NOTIFY Request packet is sent by the client to request change notifications on a
directory. This request consists of an SMB2 header, as specified in section 2.2.1, followed by this
request structure:
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
StructureSize Flags
98 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
FileId
...
...
...
CompletionFilter
Reserved
StructureSize (2 bytes): The client MUST set this field to 32, indicating the size of the request
structure, not including the header.
Flags (2 bytes): Flags indicating how the operation MUST be processed. This field MUST be the
logical OR of the following value, or zero if none is selected:
Value Meaning
SMB2_WATCH_TREE The request MUST monitor changes on any file or directory contained
0x0001 beneath the directory specified by FileId.
OutputBufferLength (4 bytes): The maximum number of bytes the server is allowed to return
in the SMB2 CHANGE_NOTIFY Response (section 2.2.36).
FileId (16 bytes): An SMB2_FILEID identifier of the directory to monitor for changes.
Value Meaning
99 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
0x00000010 changes.
Reserved (4 bytes): This field MUST NOT be used and MUST be reserved. The client MUST set
this field to 0, and the server MUST ignore it on receipt.
The SMB2 CHANGE_NOTIFY Response packet is sent by the server to transmit the results of a
client's SMB2 CHANGE_NOTIFY Request (section 2.2.35). The server MUST send this packet only if a
change occurs and MUST NOT send this packet otherwise. An SMB2 CHANGE_NOTIFY Request
(section 2.2.35) will result in, at most, one response from the server. A server may choose to
aggregate multiple changes into the same change notify response. The server MUST include at least
one FILE_NOTIFY_INFORMATION structure if it detects a notification. This response consists of an
SMB2 header, as specified in section 2.2.1, followed by this response structure:
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
StructureSize OutputBufferOffset
OutputBufferLength
Buffer (variable)
...
StructureSize (2 bytes): The server MUST set this field to 9, indicating the size of the request
structure, not including the header. The server MUST set the field to this value regardless of
how long Buffer[] actually is in the request being sent.
100 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
Buffer (variable): A variable-length buffer containing the change information being returned in
the response, as described by the OutputBufferOffset and OutputBufferLength fields. This
field is an array of FILE_NOTIFY_INFORMATION.
2.2.36.1 FILE_NOTIFY_INFORMATION
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
NextEntryOffset
Action
FileNameLength
FileName (variable)
...
NextEntryOffset (4 bytes): The offset, in bytes, from the beginning of this structure to the
subsequent FILE_NOTIFY_INFORMATION structure. If there are no subsequent structures, the
NextEntryOffset field MUST be 0. NextEntryOffset MUST always be an integral multiple of
4. The FileName array MUST be padded to the next 4-byte boundary counted from the
beginning of the structure.
Action (4 bytes): The changes that occurred on the file. This field MUST contain one of the
following values.
Value Meaning
FILE_ACTION_MODIFIED The file was modified. This may be a change to the data or
0x00000003 attributes of the file.
FILE_ACTION_RENAMED_OLD_NAME The file was renamed, and this is the old name. If the new
0x00000004 name resides within the directory being monitored, the
client will also receive the
101 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
FILE_ACTION_RENAMED_NEW_NAME The file was renamed, and this is the new name. If the old
0x00000005 name resides within the directory being monitored, the
client will also receive the
FILE_ACTION_RENAME_OLD_NAME. If the old name
resides outside of the directory being monitored, the client
will not receive the FILE_ACTION_RENAME_OLD_NAME.
If two or more files have been renamed, then the corresponding FILE_NOTIFY_INFORMATION
entries for each file rename MUST be consecutive in this response, in order for the client to
make the correct correspondence between old and new names.
FileNameLength (4 bytes): The length, in bytes, of the file name in the FileName[] field.
FileName (variable): A Unicode string with the name of the file that changed.
The SMB2 QUERY_INFO Request (section 2.2.37) packet is sent by a client to request information on
a file, named pipe, or underlying volume. This request consists of an SMB2 header, as specified in
section 2.2.1, followed by this request structure:
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
OutputBufferLength
InputBufferOffset Reserved
InputBufferLength
AdditionalInformation
Flags
FileId
...
...
102 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
Buffer (variable)
...
StructureSize (2 bytes): The client MUST set this field to 41, indicating the size of the request
structure, not including the header. The client MUST set this field to this value regardless of
how long Buffer[] actually is in the request being sent.
InfoType (1 byte): The type of information queried. This field MUST contain one of the
following values:
Value Meaning
FileInfoClass (1 byte): For file information queries, this field MUST contain one of the
following FILE_INFORMATION_CLASS values, as specified in section 3.3.5.20.1 and in [MS-
FSCC] section 2.4:
FileAccessInformation
FileAlignmentInformation
FileAllInformation
FileAlternateNameInformation
FileAttributeTagInformation
FileBasicInformation
FileCompressionInformation
FileEaInformation
FileFullEaInformation
FileInternalInformation
FileModeInformation
FileNetworkOpenInformation
103 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
FilePipeLocalInformation
FilePipeRemoteInformation
FilePositionInformation
FileStandardInformation
FileStreamInformation
For underlying object store information queries, this field MUST contain one of the following
FS_INFORMATION_CLASS values, as specified in section 3.3.5.20.2 and in [MS-FSCC] section
2.5:
FileFsAttributeInformation
FileFsControlInformation
FileFsDeviceInformation
FileFsFullSizeInformation
FileFsObjectIdInformation
FileFsSizeInformation
FileFsVolumeInformation
OutputBufferLength (4 bytes): The maximum number of bytes of information the server can
send in the response.
InputBufferOffset (2 bytes): The offset, in bytes, from the beginning of the SMB2 header to
the input buffer. For quota requests, the input buffer MUST contain an
SMB2_QUERY_QUOTA_INFO, as specified in section 2.2.37.1. For FileFullEaInformation
requests, the input buffer MUST contain the user supplied EA list with zero or more
FILE_GET_EA_INFORMATION structures, specified in [MS-FSCC] section 2.4.15.1. For other
information queries, this field SHOULD<56> be set to 0.
Reserved (2 bytes): This field MUST NOT be used and MUST be reserved. The client MUST set
this field to 0, and the server MUST ignore it on receipt.
InputBufferLength (4 bytes): The length of the input buffer. For quota requests, this MUST
be the length of the contained SMB2_QUERY_QUOTA_INFO embedded in the request. For
FileFullEaInformation requests, this MUST be set to the length of the user supplied EA list
specified in [MS-FSCC] section 2.4.15.1. For other information queries, this field MUST be set
to 0.
If security information is being queried, this value contains a 4-byte bit field of flags indicating
what security attributes MUST be returned. For more information about security descriptors,
see SECURITY_DESCRIPTOR in [MS-DTYP].
104 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
OWNER_SECURITY_INFORMATION The client is querying the owner from the security descriptor
0x00000001 of the file or named pipe.
GROUP_SECURITY_INFORMATION The client is querying the group from the security descriptor
0x00000002 of the file or named pipe.
SACL_SECURITY_INFORMATION The client is querying the system access control list from the
0x00000008 security descriptor of the file or named pipe.
LABEL_SECURITY_INFORMATION The client is querying the integrity label from the security
0x00000010 descriptor of the file or named pipe.
If FileFullEaInformation is being queried and the application has not provided a list of EAs
to query, but has provided an index into the object's full extended attribute information array
at which to start the query, this field MUST contain a ULONG representation of that index. For
all other queries, this field MUST be set to 0 and the server MUST ignore it.
Flags (4 bytes): The flags MUST be set to a combination of zero or more of these bit values for
a FileFullEaInformation query.
Value Meaning
For all other queries, the client MUST set this field to 0, and the server MUST ignore it on
receipt.
FileId (16 bytes): An SMB2_FILEID identifier of the file or named pipe on which to perform the
query. Queries for underlying object store or quota information are directed to the volume on
which the file resides.
Buffer (variable): A variable-length buffer containing the input buffer for the request, as
described by the InputBufferOffset and InputBufferLength fields.<57>
105 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
SidListLength
StartSidLength
StartSidOffset
SidBuffer (variable)
...
ReturnSingle (1 byte): A Boolean value, where zero represents FALSE and nonzero represents
TRUE.<58> If the ReturnSingle field is TRUE, the server MUST return a single value.
Otherwise, the server SHOULD return the maximum number of entries that will fit in the
maximum output size that is indicated in the request.
RestartScan (1 byte): A Boolean value, where zero represents FALSE and nonzero represents
TRUE.<59> If RestartScan is TRUE, the quota information MUST be read from the beginning.
Otherwise, the quota information MUST be continued from the previous enumeration that was
executed on this open.
Reserved (2 bytes): This field MUST NOT be used and MUST be reserved. The client MUST set
this field to 0, and the server MUST ignore it on receipt.
SidListLength (4 bytes): The length, in bytes, of the SidBuffer when sent in format 1 as
defined in the SidBuffer field or zero in all other cases.
StartSidLength (4 bytes): The length, in bytes, of the SID, as specified in [MS-DTYP] section
2.4.2, when sent in format 2 as defined in the SidBuffer field, or zero in all other cases.
StartSidOffset (4 bytes): The offset, in bytes, from the start of the SidBuffer field to the SID
when sent in format 2 as defined in the SidBuffer field, or zero in all other cases.<60>
2. A SID.<61>
106 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The SMB2 QUERY_INFO Response packet is sent by the server in response to an SMB2 QUERY_INFO
Request packet. This response consists of an SMB2 header, as specified in section 2.2.1, followed by
this response structure.
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
StructureSize OutputBufferOffset
OutputBufferLength
Buffer (variable)
...
StructureSize (2 bytes): The server MUST set this field to 9, indicating the size of the request
structure, not including the header. The server MUST set this field to this value regardless of
how long Buffer[] actually is in the request being sent.
OutputBufferOffset (2 bytes): The offset, in bytes, from the beginning of the SMB2 header to
the information being returned.
Buffer (variable): A variable-length buffer that contains the information that is returned in the
response, as described by the OutputBufferOffset and OutputBufferLength fields. Buffer
format depends on InfoType and AdditionalInformation, as follows.
107 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
SACL_SECURITY_INFORMATION
The SMB2 SET_INFO Request packet is sent by a client to set information on a file or underlying
object store. This request consists of an SMB2 header, as specified in section 2.2.1, followed by this
request structure.
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
BufferLength
BufferOffset Reserved
AdditionalInformation
FileId
...
...
...
Buffer (variable)
...
StructureSize (2 bytes): The client MUST set this field to 33, indicating the size of the request
structure, not including the header. The client MUST set this field to this value regardless of
how long Buffer[] actually is in the request being sent.
InfoType (1 byte): The type of information being set. The valid values are as follows.
Value Meaning
108 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
FileInfoClass (1 byte): For setting file information, this field MUST contain one of the following
FILE_INFORMATION_CLASS values, as specified in section 3.3.5.21.1 and [MS-FSCC] section
2.4:
FileAllocationInformation
FileBasicInformation
FileDispositionInformation
FileEndOfFileInformation
FileFullEaInformation
FileLinkInformation
FileModeInformation
FilePipeInformation
FilePositionInformation
FileRenameInformation
FileShortNameInformation
FileValidDataLengthInformation
For setting underlying object store information, this field MUST contain one of the following
FS_INFORMATION_CLASS values, as specified in [MS-FSCC] section 2.5:
FileFsControlInformation
FileFsObjectIdInformation
BufferOffset (2 bytes): The offset, in bytes, from the beginning of the SMB2 header to the
information to be set.
Reserved (2 bytes): This field MUST NOT be used and MUST be reserved. The client MUST set
this field to 0, and the server MUST ignore it on receipt.
109 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
Value Meaning
OWNER_SECURITY_INFORMATION The client is setting the owner in the security descriptor of the
0x00000001 file or named pipe.
GROUP_SECURITY_INFORMATION The client is setting the group in the security descriptor of the
0x00000002 file or named pipe.
DACL_SECURITY_INFORMATION The client is setting the discretionary access control list in the
0x00000004 security descriptor of the file or named pipe.
SACL_SECURITY_INFORMATION The client is setting the system access control list in the
0x00000008 security descriptor of the file or named pipe.
FileId (16 bytes): An SMB2_FILEID identifier of the file or named pipe on which to perform the
set. Set operations for underlying object store and quota information are directed to the
volume on which the file resides.
Buffer (variable): A variable-length buffer that contains the information being set for the
request, as described by the BufferOffset and BufferLength fields. Buffer format depends
on InfoType and the AdditionalInformation, as follows.
The SMB2 SET_INFO Response packet is sent by the server in response to an SMB2 SET_INFO
Request (section 2.2.39) to notify the client that its request has been successfully processed. This
response consists of an SMB2 header, as specified in section 2.2.1, followed by this response
structure:
110 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
StructureSize
StructureSize (2 bytes): The server MUST set this field to 2, indicating the size of the request
structure, not including the header.
111 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
This section describes a conceptual model of possible data organization that an implementation
maintains to participate in this protocol. The described organization is provided to facilitate the
explanation of how the protocol behaves. This document does not mandate that implementations
adhere to this model as long as their external behavior is consistent with what is described in this
document.
3.1.1.1 Global
The following global data is required by both the client and server:
RequireMessageSigning: A Boolean that, if set, indicates that this node requires that messages
MUST be signed if the message is sent with a user security context that is neither anonymous nor
guest. If not set, this node does not require that any messages be signed, but MAY still choose to do
so if the other node requires it.
3.1.2 Timers
3.1.3 Initialization
If the client or server sending the message requires that the message be signed, it provides the
message length, the buffer containing the message, and the session key to use for signing. The
following steps describe the signing process:
1. The sender MUST zero out the 16-byte signature field in the SMB2 Header of the message to be
sent prior to generating the signature.
2. The sender MUST compute a 32-byte hash using HMAC-SHA256 over the entire message,
beginning with the SMB2 Header from step 1, and using the session key as the signing key. The
HMAC-SHA256 hash is specified in [FIPS180-2] and [RFC2104]. If the message is part of a
compounded chain, any padding at the end of the message MUST be used in the hash
computation.
3. The first 16 bytes (the high-order portion) of the hash created in step 2 MUST be copied
(beginning with the first, most significant, byte) into the 16-byte signature field of the SMB2
Header.
Determining when a client will sign an outgoing message is specified in 3.2.4.1.1, and determining
when a server will sign an outgoing message is specified in 3.3.4.1.1.
112 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
None.
If a client or server requires verification of a signed message, it provides the message length, the
buffer containing the message, and the session key. The following steps describe how the signature
MUST be verified:
1. The receiver MUST save the 16-byte signature from the Signature field in the SMB2 Header for
use in step 4.
2. The receiver MUST zero out the 16-byte signature field in the SMB2 Header of the incoming
message.
3. The receiver MUST compute a 32-byte hash using HMAC-SHA256 over the entire message,
beginning with the SMB2 Header from step 2, and using the session key as the signing key. The
HMAC-SHA256 hash is specified in [FIPS180-2] and [RFC2104]. If the message is part of a
compounded chain, any padding at the end of the message MUST be used in the hash
computation.
4. If the first 16 bytes (the high-order portion) of the computed signature from step 3 matches the
saved signature from step 1, the message is signed correctly.
Determining when a client will verify a signature and the action taken on the result of verification is
specified in section 3.2.5.1.2. Determining when a server will verify a signature and the action taken
on the result of verification is specified in section 3.3.5.2.3.
This document specifies a conceptual model of possible data organization that an implementation
maintains to participate in this protocol. The described organization is provided to explain how the
protocol behaves. This document does not mandate that implementations adhere to this model as
long as their external behavior is consistent with what is described in this document.
3.2.1.1 Global
If a client implements the SMB 2.100 dialect, it MUST also implement the following:
113 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
Connection.OpenTable: A table of opens, as specified in section 3.2.1.6. The table MUST allow
lookup by either file name or by Open.FileId.
Connection.MaxTransactSize: The maximum buffer size, in bytes, that the server will accept
on this connection for QUERY_INFO, QUERY_DIRECTORY, SET_INFO and CHANGE_NOTIFY
operations. This field is applicable only for buffers sent by the client in SET_INFO requests, or
returned from the server in QUERY_INFO, QUERY_DIRECTORY, and CHANGE_NOTIFY
responses.<63>
Connection.MaxReadSize: The maximum read size, in bytes, that the server will accept in an
SMB2 READ Request on this connection.
Connection.MaxWriteSize: The maximum write size, in bytes, that the server will accept in an
SMB2 WRITE Request on this connection.
If a client implements the SMB 2.1 dialect, it MUST also implement the following:
Connection.Dialect: The dialect of SMB2 negotiated with the server. This value MUST be
either "2.002", "2.100", or "Unknown".
114 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
Session.SessionId: An 8-byte identifier returned by the server to identify this session on this
SMB2 transport connection.
Session.SessionKey: The first 16 bytes of the cryptographic key for this authenticated context.
If the cryptographic key is less than 16 bytes, it is right-padded with zero bytes.
Session.ShouldSign: A Boolean that indicates whether this session MUST sign communication if
signing is enabled on this connection.
TreeConnect.MaximalAccess: The maximal rights that the security principal that is described
by TreeConnect.Session has on the target share. This MUST be an access mask value, as
specified in section 2.2.13.1.
TreeConnect.Session: A reference to the session on which this tree connect was established.
TreeConnect.IsDFSShare: A Boolean that, if set, indicates that the tree connect was
established to a DFS share.
If a client implements the SMB 2.1 dialect, then for each unique file opened by this client, the client
MUST create the items in the following list.
The uniqueness is based on the name of the file being opened and is defined by the concatenation of
the server name, the share name and the share relative-path name.
File.LeaseState: The lease level state granted for this file by the server as described in
2.2.13.2.8.
A lease state containing SMB2_LEASE_WRITE_CACHING implies that the client has exclusive
access to the file and it MAY choose to cache writes to the file. The client MAY also choose to
cache byte-range-locks.
115 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
A lease state containing SMB2_LEASE_HANDLE_CACHING implies that the client MAY choose to
keep open handles to the file even after the application that opened the file has closed its
handles or has ended.
Open.File: A reference to an SMB2 File (described in section 3.2.1.5) uniquely describing the
open file.
Open.FileId: The SMB2_FILEID, as specified in section 2.2.14.1, returned by the server for this
open.
Open.TreeConnect: A reference to the tree connect on which this Open was established.
Open.Connection: A reference to the SMB2 transport connection on which this open was
established.
Open.Durable: A Boolean that indicates whether this open is setup for reestablishment after a
disconnect.
Open.ResilientHandle: A Boolean that indicates whether resiliency was granted for this open by
the server.
Open.ResilientTimeout: The minimum time (in milliseconds) for which the server will hold this
open, while waiting for the client to reestablish the open after a network disconnect.
SequenceNumber: A rolling 4-bit sequence number which counts from 0 through 15.
Free: A value of FALSE indicates that there is an outstanding lock or unlock request using
this BucketNumber and SequenceNumber combination.
3.2.2 Timers
This timer optionally regulates the amount of time the client waits for a response from the server
before failing the request and disconnecting the connection. The client MAY<64> choose to
implement this timer.
116 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The client SHOULD scan existing connections on a periodic basis, and disconnect connections on
which no opens exist and no operations have been issued within an implementation-specific<65>
time-out.
A client that implements the idle connection timer MUST scan through the global ConnectionTable
(defined in section 3.2.1.1). For each connection, if Connection.OpenTable is empty and the idle
time-out has expired, the client MUST tear down the Connection and all associated sessions from
Connection.SessionTable. The client is not required to explicitly send SMB2 LOGOFF and SMB2
TREE_DISCONNECT requests to the server because the teardown of the connection will implicitly
result in the teardown of all Sessions and Tree Connects on the connection, as specified in section
3.3.7.1.
3.2.3 Initialization
The SMB2 client protocol is initiated and subsequently driven by a series of higher-layer triggered
events in the following categories:
Accessing a file, named pipe, or directory on a remote share (reading, writing, locking, unlocking,
handling IOCTL requests, querying or applying attributes, and so on)
Unless specifically noted in a subsequent section, the following logic MUST be applied to any request
message being sent from the client to the server.
If the request message being sent contains a nonzero SessionId in the SMB2 header field, and the
session identified by that identifier has Session.ShouldSign equal to TRUE, the client MUST sign
the request as specified below. If Session.ShouldSign is FALSE, the client MAY<66> sign the
request.
117 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The client MAY request more credits if it requires to have more outstanding simultaneous requests.
If the client is requesting more credits, it MUST set CreditRequest equal to the number of credits it
is requesting from the server. To request that its number of credits be maintained, a client
SHOULD<67> set the number of credits it is requesting to 1. To decrease the number of credits, the
client SHOULD set the number of credits it is requesting to 0.
Any message sent from the client to the server MUST have a valid MessageId placed in the SMB2
header. The client MUST take an available identifier from Connection.SequenceWindow. If there
are no available identifiers, the request MUST wait for an available identifier before it can be sent to
the server. For a description of how the available credit window is changed, see sections 3.2.4.1.6
and 3.3.1.1. The request MUST be inserted into Connection.OutstandingRequests. If the client
chooses to implement the Request Expiration Timer, the client MUST then set the Request Expiration
Timer to signal at the configured time-out interval for this command.
A nonzero value for the NextCommand field in the SMB2 header indicates a compound request.
NextCommand in the SMB2 header of a request specifies an offset, in bytes, from the beginning of
the SMB2 header under consideration to the start of the 8-byte aligned SMB2 header of the
subsequent request. Such compounding MAY be used to append multiple requests up to the
maximum size that is supported by the transport. The client MUST choose one of two possible styles
of message compounding specified in subsequent sections. These two styles MUST NOT be
intermixed in the same transport send and, in such a case, the server SHOULD<68> fail the
requests with STATUS_INVALID_PARAMETER. Compounded requests MUST be aligned on 8-byte
boundaries; the last request of the compounded requests does not need to be padded to an 8-byte
boundary. If a client or server receives a message that is not aligned on such a boundary, the
machine SHOULD<69> disconnect the connection.
SMB2_FLAGS_RELATED_OPERATIONS MUST NOT be set in the Flags field of all SMB2 headers in
the chain. The client MUST NOT expect the responses of unrelated requests to arrive in the same
transport receive from the server, or even in the same order they were sent.<70>
1. The client MUST construct the initial request as it would if sending the requests separately.
2. It MUST set the NextCommand field in the SMB2 header of the initial request to the offset, in
bytes, from the beginning of the SMB2 header to the beginning of the 8-byte aligned SMB2
118 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
3. The client MUST construct the subsequent request as it would do normally. For any subsequent
requests the client MUST set SMB2_FLAGS_RELATED_OPERATIONS in the Flags field of the
SMB2 header to indicate that it is using the SessionID, TreeID, and FileID supplied in the
previous request (or generated by the server in processing that request). The client SHOULD set
the SessionID, TreeID, and FileID fields of the request to 0xFFFFFFFFFFFFFFFF, 0xFFFFFFFF,
and { 0xFFFFFFFFFFFFFFFF, 0xFFFFFFFFFFFFFFFF }.
The client MAY<72> send multi-credit requests if the server supports multi-credit operations.
CreditCharge in the SMB2 header MUST base on the payload size of the request or the anticipated
payload size of the response.
If the server does not support multi-credit operations, CreditCharge SHOULD be set to 0 and the
payload size of a request or an anticipated response MUST be a maximum of 64 kilobytes.
Before sending a multi-credit request, the client MUST consume 1 or more consecutive MessageIds
from Connection.SequenceWindow.
The client MUST implement an algorithm to manage message sequence numbers. Sequence
numbers are used to associate requests with responses and to determine what requests are allowed
for processing. The algorithm MUST meet the following conditions:
When the connection is first established, the allowable sequence numbers for sending a request
MUST be set to the set { 0 }.
The client MUST never send a request on a given connection with a sequence number that has
already been used unless it is a request to cancel a previously sent request.
The client MUST grow the set in a monotonically increasing manner based on the credits granted.
If the set is { 0 }, and 2 credits are granted, the set MUST grow to { 0, 1, 2 }.
The client SHOULD use the lowest available sequence number in its allowable set for each
request.
If a cancel request is sent, a client MUST NOT consume a sequence number. Otherwise, the client
MUST consume a sequence number when it sends out an SMB2 request.
119 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
Upon successful completion, the client MUST return an existing or newly constructed Session
(section 3.2.1.3) and an existing or newly constructed TreeConnect (section 3.2.1.4) to the caller.
The request to connect to a server could be either explicit (the application requests the connection
directly) or implicit (the application requests opening a file with a network path including server and
share). In either case, the client MUST follow the steps described in the following flow chart.<73>
For the implicit case, any error returned from the connection attempt MUST be returned as the error
code for the operation that initiated the implicit connection attempt. For the explicit case, any error
returned from the connection attempt MUST be returned to the calling application.
The client SHOULD search the ConnectionTable and attempt to find an SMB connection where
Connection.ServerName matches the application-supplied ServerName. If a connection is found,
the client MAY choose to use the existing connection or establish a new one. For each existing
connection to the target server, the client MUST search through Connection.SessionTable for a
Session that satisfies the client implementation requirements for session reuse. <74><75>
If UserCredentials, the credentials to be used for the application request, do not match
Session.UserCredentials, those used in establishing the existing session, the session MUST
NOT be reused.
For operations on an existing Open, the client MUST select the same session that was used to
establish the Open.
The client SHOULD attempt to minimize redundant sessions to the same server.
The client MAY establish multiple sessions to the same server by the same security context.
If a new session is being established, the client MAY reuse an existing connection such that
multiple sessions are multiplexed on the same connection. If not reusing an existing connection,
the client can establish a new connection for the new session.
If a matching session is found, the client MUST search through Session.TreeConnectTable to find
a matching tree connection to the share. If a tree connection is found, the client MUST use the
existing tree connection, and no additional steps are required to be performed. If a matching tree
connection is not found, the client MUST proceed with establishing a tree connection to the share as
described in section 3.2.4.2.4.
If a matching session is not found, but a compatible connection is found, the client MAY<76> either
attempt to establish the session on the existing connection, or establish a new connection. If the
client is reusing an existing connection, the client MUST perform the following steps:
2. Establish a new tree connection to the target share as described in section 3.2.4.2.4.
120 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
4. Establish a new tree connection to the target share as described in section 3.2.4.2.4.
Figure 3: The client MUST follow the steps outlined in this chart.
The client MUST attempt to connect to the target server over the registered transports specified in
section 2.1 and [MS-SMB] section 2.1. The ServerName and the optional TransportIdentifier
121 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
This connection MUST be inserted into ConnectionTable, and processing MUST continue, as
specified in section 3.2.4.2.2.
If the connection attempt fails, the client returns the error code to the calling application.
When a new connection is established, the client MUST negotiate capabilities with the server. The
client MAY<77> use either of two possible methods for negotiation.
The first is a multi-protocol negotiation that involves sending an SMB message to negotiate the use
of SMB2. If the server does not support the SMB 2 Protocol, this method allows the negotiation to
fall back to older SMB dialects, as specified in [MS-SMB].
The second method is to send an SMB2-only negotiate message. This method will result in
successful negotiation only for servers that support the SMB 2 Protocol.
To negotiate either the SMB 2 Protocol or the SMB Protocol, the client MUST allocate sequence
number 0 from Connection.SequenceWindow. It MUST construct an SMB_COM_NEGOTIATE
message following the syntax as specified in [MS-SMB] sections 2.2.4.5.1 and 3.2.4.2 and in [MS-
CIFS] sections 2.2.4.52 and 3.2.4.2.2.
If a client does not implement the SMB 2.1 dialect, it MUST perform the following:
The client MUST include the dialect string "SMB 2.002"<78>in the list of dialects, along with any
other SMB dialects that it supports. The remaining field in the request MUST be set up as
specified in [MS-SMB] section 3.2.4.2.
If a client implements the SMB 2.1 dialect, it MUST perform the following:
122 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
To issue an SMB2-only negotiate, the client MUST construct an SMB2 NEGOTIATE Request following
the syntax as specified in section 2.2.3:
Set DialectCount to 0.
If the client implements the SMB 2.002 dialect, it MUST do the following:
If the client implements the SMB 2.1 dialect, it MUST do the following:
If the client implements the SMB 2.1 dialect, ClientGuid MUST be set to the global ClientGuid
value; otherwise it MUST be set to 0.
OR
Choose to ignore the Connection.GSSNegotiateToken that is received from the server, and
initiate a normal GSS sequence, as specified in [MS-SPNG] section 3.3.4 and [RFC4178] section
3.2.
In either case, it MUST call the GSS authentication protocol with the MutualAuth and Delegate
options. In addition the client MUST also set the GSS_C_FRAGMENT_TO_FIT parameter as specified
in [MS-SPNG] section 3.3.1. The GSS-API output token is up to a size limit determined by local
policy <80> when GSS_C_FRAGMENT_TO_FIT is set.
123 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
If the GSS authentication succeeds, the client MUST construct an SMB2 SESSION_SETUP Request,
as specified in section 2.2.5. The SMB2 header MUST be initialized as follows:
If the client supports the Distributed File System (DFS), as specified in [MS-DFSC], the
SMB2_GLOBAL_CAP_DFS bit in the Capabilities field MUST be set.
The GSS output token is copied into the Buffer field in the request. The client MUST set
SecurityBufferOffset and SecurityBufferLength to describe the location and length of the
GSS output token in the request.
It is possible that the server indicates that authentication has expired, as specified in sections
3.3.5.7 and 3.3.5.9, and the application or the client itself requests that an existing session be
reauthenticated. To do so, the client MUST issue a subsequent session setup request for the
SessionId of the session being reauthenticated.
or
Choose to ignore the Connection.GSSNegotiateToken received from the server, and initiate a
normal GSS sequence as specified in [MS-SPNG] section 3.3.4 and [RFC4178] section 3.2.
In either case, it initializes the GSS authentication protocol with the MutualAuth and Delegate
options. In addition the client MUST also set the GSS_C_FRAGMENT_TO_FIT parameter as specified
in [MS-SPNG] section 3.3.1. The GSS-API output token is up to a size limit determined by local
policy <82> when GSS_C_FRAGMENT_TO_FIT is set.
If the GSS authentication protocol returns an error, the reauthentication attempt MUST be aborted,
and the error MUST be returned to the higher-level application.
124 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The SessionId field MUST be set to the Session.SessionId for the session being
reauthenticated.
If the client supports the Distributed File System (DFS), as specified in [MS-DFSC], the
SMB2_GLOBAL_CAP_DFS bit in the Capabilities field MUST be set.
The GSS output token is copied into the Buffer field in the request. The client MUST set
SecurityBufferOffset and SecurityBufferLength to describe the location and length of the
GSS output token in the request.
To connect to a share, the client MUST follow the steps outlined below.
The client MUST construct an SMB2 TREE_CONNECT Request using the syntax specified in section
2.2.9. The SMB2 header MUST be initialized as follows:
The SessionId field is set to Session.SessionId of the session identified or established as part
of processing section 3.2.4.2.3.
The target share path, including server name, in the format "\\server\share", is copied into the
Buffer field of the request. PathOffset and PathLength MUST be set to describe the location
and length of the target share path in the request.
125 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The path name of the file being opened, relative to the TreeConnect.
The Session representing the security context of the user opening the file.
The create options to be applied for the open, as specified in section 2.2.13.
The impersonation level for the open, as specified in section 2.2.13 (optional).
The security flags for the open, as specified in section 2.2.13 (optional).
The requested oplock level or lease state for the open, as specified in section 2.2.13 (optional).
As outlined in subsequent sections, the application may also provide a series of create contexts,
as specified in section 2.2.13.2.
Upon successful completion, the newly constructed Open MUST be returned to the calling
application.
The caller MUST ensure that the supplied TreeConnect is valid within the Session.
TreeConnect.Session MUST match the caller supplied Session.
The client MUST use the Connection referenced by Session.Connection to send the request to the
server.
If the client supports leasing and the server supports leasing as identified by
Connection.SupportsLeasing, the client MUST look up the GlobalFileTable for an entry matching
the concatenation of ServerName, ShareName, and share-relative PathName. If an entry is not
found, a new File entry MUST be created and added to the GlobalFileTable and a unique
File.LeaseKey MUST be assigned to the entry. File.OpenTable MUST be initialized to an empty
table and File.LeaseState MUST be initialized to SMB2_LEASE_NONE.
The client MUST construct an SMB2 CREATE Request using the syntax specified in section 2.2.13.
The SMB2 header MUST be initialized as follows:
126 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The RequestedOplockLevel field is set to the oplock level that is requested by the application.
If the application does not provide a requested oplock level, the client MUST choose an
implementation-specific oplock level.<83>
The client sets the DesiredAccess field to the value that is provided by the application.
The client sets the FileAttributes field to the attributes that are provided by the application.
The client sets the ShareAccess field to the sharing mode that is provided by the application.
The client sets the CreateDisposition field to the create disposition that is provided by the
application.
The client sets the CreateOptions field to the create options that are provided by the
application.
The client copies the relative path into the Buffer, and sets the NameLength to the length, in
bytes, of the relative path and the NameOffset to the offset, in bytes, to the relative path from
the beginning of the SMB2 header.
The client copies any provided create contexts into the Buffer after the file name, and sets the
CreateContextOffset to the offset, in bytes, to the create contexts from the beginning of the
SMB2 header and sets the CreateContextLength to the length, in bytes, of the array of create
contexts. If there are no provided create contexts, CreateContextLength and
CreateContextOffset MUST be set to 0.
This request MUST be sent to the server. The response from the server MUST be processed as
described in section 3.2.5.7.
For opening a named pipe, the application provides the same parameters that are specified in
section 3.2.4.3, except the name of the share MUST be "IPC$". This share name indicates that the
open targets a named pipe.
For sending a file to a printer, the application opens the root of a print share, writes data, and closes
the file. The semantics and parameters are the same as specified in section 3.2.4.3, except that the
name of the share MUST be the name of a printer share, and the share relative path MUST be NULL.
To create a file with extended attributes, in addition to the parameters that are specified in section
3.2.4.3, the application MUST provide a buffer of extended attributes in the format that is specified
in [MS-FSCC] section 2.4.15. The client MUST construct a create context, as specified in section
2.2.13.2.1, and append it to any other create contexts being issued and pass it in for create
processing.
127 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
To create a file with a security descriptor, in addition to the parameters that are specified in section
3.2.4.3, the application MUST provide a buffer with a SECURITY_DESCRIPTOR in the format as
specified in [MS-DTYP] section 2.4.6. The client MUST construct a create context using the syntax
specified for SMB2_CREATE_SD_BUFFER in section 2.2.13.2.2, and append it to any other create
contexts being issued and pass it in for create processing.
To request durable operation on a file being opened or created, in addition to the parameters that
are specified in section 3.2.4.3, the application MUST provide a Boolean indicating whether durability
is requested. If the application is requesting durability, the client MUST construct a create context
using the syntax specified in section 2.2.13.2.3. The client MUST append it to any other create
contexts being issued and pass it in for create processing. If the application is not requesting
durability, the client MUST follow the normal processing, as specified in section 3.2.4.3.
To open a previous version of a file, in addition to the parameters that are specified in section
3.2.4.3, the application MUST provide a time stamp for the version to be opened, in FILETIME
format as specified in [MS-DTYP] section 2.3.1. The client MUST construct a create context following
the syntax as specified in section 2.2.13.2.7 using this time stamp. The client MUST append it to
any other create contexts being issued and pass it in for create processing.
To create a file with a specific allocation size, in addition to the parameters specified in section
3.2.4.3, the application MUST provide an allocation size in LARGE_INTEGER format. The client MUST
construct a create context following the syntax that is specified in section 2.2.13.2.6 and using this
allocation size. The client MUST append it to any other create contexts being issued and pass it in
for create processing.
To request a lease, in addition to the parameters that are specified in 3.2.4.3, the application MUST
provide a Boolean value indicating that a lease requires to be taken and a LeaseState value (as
defined in section 2.2.13.2.8) that indicates the type of lease to be requested.<84>
If the client does not support the SMB 2.1 dialect, the client MUST fail this request with
STATUS_NOT_SUPPORTED.
The client MUST construct an SMB2 CREATE request as described in 3.2.4.3, with a
RequestedOplockLevel of SMB2_OPLOCK_LEVEL_LEASE. The client MUST attach an
SMB2_CREATE_REQUEST_LEASE create context to the request. The create context MUST be
formatted as described in section 2.2.13.2.8, with the LeaseState value provided by the
application.
128 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The client MUST attempt to connect to the target share, as specified in section 3.2.4.2, by obtaining
the name of the server and the name of the share to connect to from the Open.FileName. If this
attempt fails, the client MUST fail the re-establishment attempt. If this attempt succeeds, the client
MUST construct an SMB2 CREATE Request according to the syntax specified in section 2.2.13. The
SMB2 header MUST be initialized as follows:
The client copies the relative path into Buffer and sets NameLength to the length, in bytes, of
the relative path, and NameOffset to the offset, in bytes, to the relative path from the
beginning of the SMB2 header.
If a client implements the SMB 2.1 dialect, and the original open was performed using a lease as
described in section 3.2.4.3.8, it MUST also implement the following:
129 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
A Boolean that, if set, specifies that it requires the attributes of the file after the close is
executed.
If Open.Connection is NULL, and Open.Durable is TRUE, the client SHOULD attempt to reconnect
to this open, as specified in section 3.2.4.4. If the reconnect succeeds, the close MUST be retried. If
it fails, the error code MUST be returned to the application.
If Open.Connection is NULL, and Open.Durable is FALSE, the client MUST fail the close operation.
If Open.Connection is not NULL, the client MUST initialize an SMB2 CLOSE Request by following
the syntax specified in section 2.2.15. The SMB2 header MUST be initialized as follows:
If the application requires to have the attributes of the file returned after close, the client sets
SMB2_CLOSE_FLAG_POSTQUERY_ATTRIB to TRUE in the Flags field.
If Open.Connection is NULL, and Open.Durable is TRUE, the client SHOULD attempt to reconnect
to this Open, as specified in section 3.2.4.4. If the reconnect succeeds, the read MUST be retried. If
it fails, the error code MUST be returned to the application.
If Open.Connection is NULL, and Open.Durable is FALSE, the client MUST fail the read operation.
If Open.Connection is not NULL, the client initializes an SMB2 READ Request following the syntax
specified in section 2.2.19. The SMB2 header MUST be initialized as follows:
130 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The Length field is set to the number of bytes the application requested to read.
The Offset field is set to the offset within the file, in bytes, at which the application requested
the read to start.
The MinimumCount field is set to the value that is provided by the application. If no value is
provided by the application, the client MUST set this field to 0.
The Padding field SHOULD be set to 0x50, which is the default padding of an SMB2 READ
Response.
If the number of bytes to read exceeds Connection.MaxReadSize, the client MUST split the read
up into separate read operations no larger than Connection.MaxReadSize. The client MAY send
these separate reads in any order.<85>
If the client requests reading from a file and the server supports multi-credit operations, the
CreditCharge field in the SMB2 header MUST be set to ( 1 + (Length – 1) / 65536 ).
If Open.Connection is NULL, and Open.Durable is TRUE, the client SHOULD attempt to reconnect
to this open as specified in section 3.2.4.4. If the reconnect succeeds, the write MUST be retried. If
it fails, the error code MUST be returned to the application.
If Open.Connection is NULL and Open.Durable is FALSE, the client MUST fail the write operation.
If Open.Connection is not NULL, the client initializes an SMB2 WRITE Request, following the syntax
specified in section 2.2.21. The SMB2 header MUST be initialized as follows:
131 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The Length field is set to the number of bytes the application requested to write.
The Offset field is set to the offset within the file, in bytes, at which the application requested
the write to start.
The DataOffset field is set to the offset from the beginning of the SMB2 header to the data
being written. This value SHOULD be 0x70, which is the default offset for write requests.
The data being written is copied into the request at DataOffset bytes from the beginning of the
SMB2 header.
The client MUST fill the bytes, if any, between the beginning of the Buffer field and the
beginning of the data (at DataOffset) with zeros.<86>
If the number of bytes to write exceeds the Connection.MaxWriteSize, the client MUST split the
write into separate write operations no larger than the Connection.MaxWriteSize. The client
MAY<87> send these separate writes in any order.
If the client requests writing to a file and the server supports multi-credit operations, the
CreditCharge field in the SMB2 header MUST be set to ( 1 + (Length – 1) / 65536 ).
The InformationClass of the attributes being queried, as specified in [MS-FSCC] section 2.4.
If the information being queried is FileFullEaInformation, the application also MUST provide
the following:
The index of the first EA entry to return from the array of extended attributes that are
associated with the file or named pipe. An index value of 1 corresponds to the first extended
attribute.
132 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
If Open.Connection is NULL, and Open.Durable is FALSE, the client MUST fail the query
operation.
If Open.Connection is not NULL, the client initializes an SMB2 QUERY_INFO Request following the
syntax specified in section 2.2.37. The SMB2 header MUST be initialized as follows:
The FileInfoClass field is set to the InformationLevel received from the application.
The OutputBufferLength field is set to the maximum output buffer the calling application will
accept.
If the query is for FileFullEaInformation and the application has provided a list of EAs to query,
the InputBufferOffset field MUST be set to the offset of the Buffer field from the start of the
SMB2 header. Otherwise, the InputBufferOffset field SHOULD be set to 0.<88>
If the query is for FileFullEaInformation and the application has provided a list of EAs to query,
the InputBufferLength field MUST be set to the length of the FILE_GET_EA_INFORMATION
buffer provided by the application, as specified in [MS-FSCC] section 2.4.15.1. Otherwise, the
InputBufferLength field MUST be set to 0.
If the query is for FileFullEaInformation, and the application has not provided a list of EAs to
query, but has provided an extended attribute index, the AdditionalInformation field MUST be
set to the extended attribute index provided by the calling application. Otherwise, the
AdditionalInformation field MUST be set to 0.
If the query is for FileFullEaInformation, the Flags field in the SMB2 QUERY_INFO request
MUST be set to zero or more of the following bit flags. Otherwise, it MUST be set to 0.
133 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The InformationClass of the information being applied to the file or pipe, as specified in [MS-
FSCC] section 2.4.
If Open.Connection is NULL, and Open.Durable is TRUE, the client SHOULD attempt to reconnect
to this open, as specified in section 3.2.4.4. If the reconnect succeeds, the set MUST be retried. If it
fails, the error code MUST be returned to the application.
If Open.Connection is NULL, and Open.Durable is FALSE, the client MUST fail the set operation.
If Open.Connection is not NULL, the client initializes an SMB2 SET_INFO Request following the
syntax specified in section 2.2.37. The SMB2 header MUST be initialized as follows:
The BufferOffset field is set to the offset, in bytes, from the beginning of the SMB2 header to
Buffer[].
The BufferLength field is set to the length, in bytes, of the buffer that is provided by the
application.
134 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
If Open.Connection is NULL, and Open.Durable is TRUE, the client SHOULD attempt to reconnect
to this open, as specified in section 3.2.4.4. If the reconnect succeeds, the query MUST be retried. If
it fails, the error code MUST be returned to the application.
If Open.Connection is NULL, and Open.Durable is FALSE, the client MUST fail the query
operation.
If Open.Connection is not NULL, the client initializes an SMB2 QUERY_INFO Request following the
syntax specified in section 2.2.37. The SMB2 header MUST be initialized as follows:
The FileInfoClass field is set to the InformationLevel that is received from the application.
The OutputBufferLength field is set to the maximum output buffer that the calling application
will accept.
The InformationClass of the file system attributes being queried, as specified in [MS-FSCC]
section 2.5.
If Open.Connection is NULL, and Open.Durable is TRUE, the client SHOULD attempt to reconnect
to this open, as specified in section 3.2.4.4. If the reconnect succeeds, the set MUST be retried. If it
fails, the error code MUST be returned to the application.
If Open.Connection is NULL, and Open.Durable is FALSE, the client MUST fail the set operation.
135 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The FileInfoClass field is set to the InformationClass that is provided by the application.
The BufferOffset field is set to the offset, in bytes, from the beginning of the SMB2 header to
Buffer[].
The BufferLength field is set to the length, in bytes, of the buffer that is provided by the
application.
The security attributes it is querying for the file, as specified in the AdditionalInformation
description of section 2.2.37.
If Open.Connection is NULL, and Open.Durable is TRUE, the client SHOULD attempt to reconnect
to this open, as specified in section 3.2.4.4. If the reconnect succeeds, the query MUST be retried. If
it fails, the error code MUST be returned to the application.
If Open.Connection is NULL, and Open.Durable is FALSE, the client MUST fail the query
operation.
If Open.Connection is not NULL, the client initializes an SMB2 QUERY_INFO Request following the
syntax specified in section 2.2.37. The SMB2 header MUST be initialized as follows:
136 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The OutputBufferLength field is set to the maximum output buffer that the calling application
will accept.
The AdditionalInformation is set to the security attributes that are provided by the calling
application.
The security information being applied in security descriptor format, as specified in [MS-DTYP]
section 2.4.6.
The security attributes it requires to set for the file, as specified in section 2.2.37.
If Open.Connection is NULL, and Open.Durable is TRUE, the client SHOULD attempt to reconnect
to this open, as specified in section 3.2.4.4. If the reconnect succeeds, the set MUST be retried. If it
fails, the error code MUST be returned to the application.
If Open.Connection is NULL, and Open.Durable is FALSE, the client MUST fail the set operation.
If Open.Connection is not NULL, the client initializes an SMB2 SET_INFO Request following the
syntax specified in section 2.2.37. The SMB2 header MUST be initialized as follows:
137 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The security descriptor that is provided by the client is copied into Buffer[].
The BufferOffset field is set to the offset, in bytes, from the beginning of the SMB2 header to
Buffer[].
The BufferLength field is set to the length, in bytes, of the security descriptor that is provided
by the application.
The AdditionalInformation is set to the security attributes that are provided by the calling
application.
It also optionally can provide either a StartSid to determine where the enumeration should begin,
or a SidList via FILE_GET_QUOTA_INFORMATION structures linked via the NextOffset field.
If Open.Connection is NULL, and Open.Durable is TRUE, the client SHOULD attempt to reconnect
to this open, as specified in section 3.2.4.4. If the reconnect succeeds, the query MUST be retried. If
it fails, the error code MUST be returned to the application.
If Open.Connection is NULL, and Open.Durable is FALSE, the client MUST fail the query
operation.
If Open.Connection is not NULL, the client initializes an SMB2 QUERY_INFO Request following the
syntax specified in section 2.2.37. The SMB2 header MUST be initialized as follows:
138 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The OutputBufferLength field is set to the maximum output buffer that the calling application
will accept.
An SMB2_QUERY_QUOTA_INFO structure is constructed and copied into the SidBuffer of the
SMB2 QUERY_INFO structure field, and initialized as follows:
If only a single entry is to be returned, the client sets ReturnSingle to TRUE. Otherwise, it is
set to FALSE.
If the application requires to restart the scan, the client sets RestartScan to TRUE.
Otherwise, it is set to FALSE.
If the application provides a StartSid,<92> it is copied into the SidBuffer, the
StartSidLength MUST be set to the length of the SID, the StartSidOffset MUST be set to
the offset, in bytes, to the start SID from the beginning of the SidBuffer, and
SidListLength SHOULD<93> be set to 0.<94>
If neither a StartSid nor a SidList is provided by the application, then SidListLength MUST
be set to 0, StartSidLength MUST be set to 0, and StartSidOffset MUST be set to 0.
The InputBufferOffset field is set to describe the length and offset from the beginning of the
SMB2 header to the SMB2_QUERY_QUOTA_INFO structure.
The quota information being applied in the format specified in [MS-SMB] section 2.2.7.3.2.
If Open.Connection is NULL, and Open.Durable is TRUE, the client SHOULD attempt to reconnect
to this open, as specified in section 3.2.4.4. If the reconnect succeeds, the set MUST be retried. If it
fails, the error code MUST be returned to the application.
If Open.Connection is NULL, and Open.Durable is FALSE, the client MUST fail the set operation.
139 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The quota information that is provided by the client is copied into the Buffer[].
The BufferOffset field is set to the offset, in bytes, from the beginning of the SMB2 header to
the Buffer[].
The BufferLength field is set to the length, in bytes, of the quota information that is provided by
the application.
The Open identifying a file or named pipe for which it requires to flush cached data.
If Open.Connection is NULL, and Open.Durable is TRUE, the client SHOULD attempt to reconnect
to this open, as specified in section 3.2.4.4. If the reconnect succeeds, the flush MUST be retried. If
it fails, the error code MUST be returned to the application.
If Open.Connection is NULL, and Open.Durable is FALSE, the client MUST fail the flush
operation.
If Open.Connection is not NULL, the client initializes an SMB2 FLUSH Request by following the
syntax specified in section 2.2.17. The SMB2 header MUST be initialized as follows:
140 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The InformationClass of the file information being queried, as specified in [MS-FSCC] section
2.4.
A Boolean indicating whether the file specifier has been changed if the enumeration is being
restarted.
A 4-byte index number to resume the enumeration from if the destination file system supports it
(optional).
If Open.Connection is NULL, and Open.Durable is TRUE, the client SHOULD attempt to reconnect
to this open, as specified in section 3.2.4.4. If the reconnect succeeds, the enumeration MUST be
retried. If it fails, the error code MUST be returned to the application.
If Open.Connection is NULL, and Open.Durable is FALSE, the client MUST fail the enumeration
operation.
The FileInformationClass field is set to the InformationClass that is received from the
application.
The OutputBufferLength field is set to the maximum output buffer that the calling application
will accept. The number of bytes MUST NOT exceed Connection.MaxTransactSize.
141 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
If a file index was provided by the application, the client sets the value in the FileIndex field and
sets SMB2_INDEX_SPECIFIED to TRUE in the Flags field.
If the application requested that the enumeration be restarted, the client sets
SMB2_RESTART_SCANS to TRUE in the Flags field.
If the application requested that the enumeration be restarted and indicated that the file specifier
has changed, the client sets SMB2_REOPEN to TRUE in the Flags field.<95>
If the application requested that only a single entry be returned, the client sets
SMB2_RETURN_SINGLE_ENTRY to TRUE in the Flags field.
If the server supports multi-credit operations, the CreditCharge field in the SMB2 header MUST be
set to ( 1 + (OutputBufferLength – 1) / 65536 ).
If an application requires to continue an enumeration for which only partial results were previously
returned, it does so by executing a request, as specified in section 3.2.4.17, but makes sure it does
not request restarting the enumeration. Doing so allows it to continue a previous enumeration.
The completion filter following the syntax specified in section 2.2.35, denoting which changes the
application would like to be notified of.
If the application requires to be notified when changes occur and does not require to see the actual
changes, the maximum output buffer MUST be set to 0.
If Open.Connection is NULL, and Open.Durable is TRUE, the client SHOULD attempt to reconnect
to this open, as specified in section 3.2.4.4. If the reconnect succeeds, the change notify MUST be
retried. If it fails, the error code MUST be returned to the application.
If Open.Connection is NULL, and Open.Durable is FALSE, the client MUST fail the change notify
operation.
If Open.Connection is not NULL, the client initializes an SMB2 CHANGE_NOTIFY Request, following
the syntax specified in section 2.2.37. The SMB2 header MUST be initialized as follows:
142 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The CompletionFilter field is set to the completion filter that is provided by the calling
application.
The OutputBufferLength field is set to the maximum output buffer that the calling application
will accept.
If the application requested that the directory be monitored recursively, the client sets
SMB2_WATCH_TREE to TRUE in the Flags field.
An array of byte ranges to lock. For each range, the application provides:
Whether the lock request is to wait until the lock can be acquired to return, or whether it is to
fail immediately if the range is locked by another open.
If Open.Connection is NULL, and Open.Durable is TRUE, the client SHOULD attempt to reconnect
to this open as specified in section 3.2.4.4. If the reconnect succeeds, the lock MUST be retried. If it
fails, the error code MUST be returned to the application.
If Open.Connection is NULL, and Open.Durable is FALSE, the client MUST fail the lock operation.
If Open.Connection is not NULL, the client initializes an SMB2 LOCK Request following the syntax
specified in section 2.2.26. The SMB2 header MUST be initialized as follows:
143 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The LockCount field is set to the number of byte ranges being locked.
For each range being locked, the client creates an SMB2_LOCK_ELEMENT structure and places it
in the Locks[] array of the request, setting the following values:
If the lock is to be acquired shared, the client sets SMB2_LOCKFLAG_SHARED_LOCK to TRUE
in the Flags field.
If the lock is to fail immediately if the range is already locked, the client sets
SMB2_LOCKFLAG_FAIL_IMMEDIATELY to TRUE in the Flags field. If the Locks[] array has
more than one element, the client MUST set SMB2_LOCKFLAG_FAIL_IMMEDIATELY.
The client MUST scan through Open.OperationBuckets and find an element with its Free field
set to TRUE. If no such element could be found, an implementation-specific error MUST be
returned to the application.
Let the zero-based array index of the element chosen above be referred to as BucketIndex, and
let BucketNumber = BucketIndex +1.
The LockSequence field of the SMB2 lock request MUST be set to (BucketNumber<< 4) +
BucketSequence.
Increment the SequenceNumber of the element chosen above using MOD 16 arithmetic.
The Open identifying a file on a volume for which the application requires the previous version
time stamps.
If Open.Connection is NULL, and Open.Durable is TRUE, the client SHOULD attempt to reconnect
to this open, as specified in section 3.2.4.4. If the reconnect succeeds, this FSCTL MUST be retried.
If it fails, the error code MUST be returned to the application.
144 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
If Open.Connection is not NULL, the client initializes an SMB2 IOCTL Request following the syntax
specified in section 2.2.31. The SMB2 header MUST be initialized as follows:
The MaxOutputResponse field is set to the maximum output buffer size that the application will
accept.
Requesting a server-side data copy occurs in several steps. These are outlined in the following
diagram:
145 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The method for requesting the key to the source file and for requesting the server-side copy of data
ranges is outlined in the following sections.
The Open identifying a file for which the application requires a key to use in server-side data
operations.
If Open.Connection is NULL, and Open.Durable is TRUE, the client SHOULD attempt to reconnect
to this open, as specified in section 3.2.4.4. If the reconnect succeeds, this FSCTL MUST be retried.
If it fails, the error code MUST be returned to the application.
146 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
If Open.Connection is not NULL, the client initializes an SMB2 IOCTL Request following the syntax
specified in section 2.2.31. The SMB2 header MUST be initialized as follows:
The FSCTL code for the server side copy, either FSCTL_SRV_COPYCHUNK or
FSCTL_SRV_COPYCHUNK_WRITE.<100>
The key for the source file queried, as specified in the previous section "Application Requests a
Source File Key."
An array of ranges to copy. Each item in the array MUST contain the source offset, the
destination offset, and the number of bytes to copy.
If Open.Connection is NULL, and Open.Durable is TRUE, the client SHOULD attempt to reconnect
to this open, as specified in section 3.2.4.4. If the reconnect succeeds, this FSCTL MUST be retried.
If it fails, the error code MUST be returned to the application.
147 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
If Open.Connection is not NULL, the client initializes an SMB2 IOCTL Request following the syntax
specified in section 2.2.31. The SMB2 header MUST be initialized as follows:
The CtlCode field MUST be set to the FSCTL code supplied by the application.
The InputOffset field is set to the offset to the Buffer[], in bytes, from the beginning of the
SMB2 header.
The InputCount is set to the size, in bytes, of the SRV_COPYCHUNK_COPY structure that is
constructed following the syntax specified in section 2.2.31.1.1 with the client input parameters
as follows:
The client sets the SourceKey field to the key of the source file.
For each range to be copied, the client initializes a SRV_COPYCHUNK structure following the
syntax specified in section 2.2.31.1.1 using the provided source offset, destination offset, and
length, in bytes.
The SRV_COPYCHUNK_COPY structure is copied into the request at InputOffset bytes from the
beginning of the SMB2 header.
148 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The maximum DFS referral level that the application will accept.
The client MUST connect to the IPC$ share on the target server as described in section 3.2.4.2 using
the supplied ServerName and UserCredentials.
The client initializes an SMB2 IOCTL Request following the syntax specified in section 2.2.31. The
SMB2 header MUST be initialized as follows:
The InputOffset field is set to the offset to the Buffer[], in bytes, from the beginning of the
SMB2 header.
The MaxReferralLevel is set to the maximum referral level that the calling application will
accept.
The RequestFileName is set to the path for which the referral information is being queried.
The InputCount field is set to the size of the constructed REQ_GET_DFS_REFERRAL structure.
The MaxOutputResponse field is set to the maximum response buffer size that the calling
application will accept.
The request MUST be sent to the server using the Session and TreeConnect obtained as a result
of connecting to the IPC$ share on the server.
149 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The Open identifying the named pipe on which to issue the operation.
If Open.Connection is NULL, and Open.Durable is TRUE, the client SHOULD attempt to reconnect
to this open, as specified in section 3.2.4.4. If the reconnect succeeds, this FSCTL MUST be retried.
If it fails, the error code MUST be returned to the application.
If Open.Connection is NULL, and Open.Durable is FALSE, the client MUST fail this FSCTL
operation.
If Open.Connection is not NULL, the client initializes an SMB2 IOCTL Request following the syntax
specified in section 2.2.31. The SMB2 header MUST be initialized as follows:
The InputOffset field is set to the offset to the Buffer[], in bytes, from the beginning of the
SMB2 header.
The InputCount field is set to the size, in bytes, of the application-provided input buffer.
The input buffer that is received from the application is copied into the request at InputOffset
bytes from the beginning of the SMB2 header.
The MaxOutputResponse field is set to the maximum output buffer size that the application will
accept.
150 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The Open identifying the named pipe on which to issue the operation.
If Open.Connection is NULL, and Open.Durable is TRUE, the client SHOULD attempt to reconnect
to this open, as specified in section 3.2.4.4. If the reconnect succeeds, this FSCTL MUST be retried.
If it fails, the error code MUST be returned to the application.
If Open.Connection is NULL, and Open.Durable is FALSE, the client MUST fail this FSCTL
operation.
If Open.Connection is not NULL, the client initializes an SMB2 IOCTL Request following the syntax
specified in section 2.2.31. The SMB2 header MUST be initialized as follows:
The MaxOutputResponse field is set to the number of bytes that the client requires to peek at.
The Open identifying a file or named pipe on which to issue the operation.
151 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
If Open.Connection is NULL, and Open.Durable is TRUE, the client SHOULD attempt to reconnect
to this open, as specified in section 3.2.4.4. If the reconnect succeeds, the FSCTL or IOCTL MUST be
retried. If it fails, the error code MUST be returned to the application.
If Open.Connection is NULL, and Open.Durable is FALSE, the client MUST fail the FSCTL or IOCTL
operation.
If Open.Connection is not NULL, the client initializes an SMB2 IOCTL Request following the syntax
specified in section 2.2.31. The SMB2 header MUST be initialized as follows:
The CtlCode field is set to the operation code that is received from the application.
The InputOffset field is set to the offset to the Buffer[], in bytes, from the beginning of the
SMB2 header.
The InputCount field is set to the size, in bytes, of the application-provided input buffer.
The input buffer received from the application is copied into the request at InputOffset bytes
from the beginning of the SMB2 header.
The MaxInputResponse field is set to the maximum input buffer response size, in bytes, that
the application will accept.
The MaxOutputResponse field is set to the maximum output buffer response size, in bytes,
that the application will accept.
If the operation is an FSCTL, SMB2_0_IOCTL_IS_FSCTL in the Flags field is set to TRUE.
Otherwise, it is set to FALSE.
152 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
An application can request Content Information from the server that contains a set of hashes that
can be used by the application to retrieve the contents of a specific file using the branch cache, as
specified in [MS-PCCRC]. This request is only valid for the SMB 2.1 dialect. To retrieve the Content
Information, the application MUST provide the following:
The Open identifying the remote file with which the Content Information is associated.
The maximum number of bytes to get from the associated Content Information data structure.
The offset into the Content Information data structure, if the structure is being retrieved across
multiple requests, in bytes.
If Open.Connection.Dialect is not equal to "2.100", the client MUST fail the application request
with STATUS_NOT_SUPPORTED.
If Open.Connection is NULL, and Open.Durable is TRUE, the client SHOULD attempt to reconnect
to this open, as specified in section 3.2.4.4. If the reconnect succeeds, this FSCTL MUST be retried.
If it fails, the error code MUST be returned to the application.
If Open.Connection is NULL, and Open.Durable is FALSE, the client MUST fail this FSCTL
operation.
If Open.Connection is not NULL, the client MUST format a SMB2 IOCTL Request following the
syntax specified in section 2.2.31. The SMB2 header MUST be initialized as follows:
The InputOffset field is set to the offset to the Buffer[], in bytes, from the beginning of the
SMB2 header.
The InputCount is set to the size, in bytes, of the SRV_READ_HASH request structure that is
constructed following the syntax specified in section 2.2.31.2 with the client input parameters as
follows:
153 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The SRV_READ_HASH request structure is copied into the request at InputOffset bytes from the
beginning of the SMB2 header.
The MaxOutputResponse field is set to the maximum number of bytes that the application
expects to retrieve.
The request MUST be sent to the server, and the response from the server MUST be handled as
described in section 3.2.5.14.7.
The time-out for which the server must hold the handle open on behalf of the client after a
network disconnection, in milliseconds.
If Open.Connection is NULL, and Open.Durable is TRUE, the client SHOULD attempt to reconnect
to this open, as specified in section 3.2.4.4. If it fails, the error code MUST be returned to the
application.
If the negotiated dialect (as given by Open.Connection.Dialect) is not 2.10 or higher, an error
MUST be returned to the application.
If Open.Connection is not NULL, the client initializes an SMB2 IOCTL Request following the syntax
specified in section 2.2.31. The SMB2 header MUST be initialized as follows:
154 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The InputOffset field MUST be set to the offset to the Buffer[], in bytes, from the beginning of
the SMB2 header.
The InputCount field MUST be set to the size, in bytes, of the NETWORK_RESILIENCY_REQUEST
structure specified in section 2.2.31.3
The request MUST be sent to the server, and the response from the server MUST be handled as
described in section 3.2.5.14.9.
An array of byte ranges to unlock. For each range, the application provides:
If Open.Connection is NULL, and Open.Durable is TRUE, the client SHOULD attempt to reconnect
to this open as specified in section 3.2.4.4. If the reconnect succeeds, the unlock MUST be retried. If
it fails, the error code MUST be returned to the application.
If Open.Connection is NULL, and Open.Durable is FALSE, the client MUST fail the unlock
operation.
If Open.Connection is not NULL, the client initializes an SMB2 LOCK Request following the syntax
specified in section 2.2.26. The SMB2 header MUST be initialized as follows:
155 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The LockCount field is set to the number of byte ranges being unlocked.
For each range being unlocked, the client creates an SMB2_LOCK_ELEMENT structure and places
it in the Locks[] array of the request, setting the following values:
The client MUST scan through Open.OperationBuckets and find an element with its Free field
set to TRUE. If no such element could be found, an implementation-specific error MUST be
returned to the application.
Let the zero-based array index of the element chosen above be referred to as BucketIndex, and
let BucketNumber = BucketIndex + 1.
The LockSequence field of the SMB2 lock request MUST be set to (BucketNumber << 4) +
BucketSequence.
Increment the SequenceNumber of the element chosen above using MOD 16 arithmetic.
The request MUST be sent to the server, and the response from the server MUST be handled as
described in section 3.2.5.13.
TreeConnect - The SMB Tree Connection (TreeConnect), which identifies the share from which
to disconnect.
Then the client MUST issue a disconnect request for each tree connect as follows:
The client initializes an SMB2 TREE_DISCONNECT Request following the syntax specified in section
2.2.11. The SMB2 header MUST be initialized as follows:
156 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The SMB2 TREE_DISCONNECT Request MUST be initialized to the default values, as specified in
2.2.11.
Session - The SMB Session (Session), which identifies the authenticated session to terminate.
The client MUST close all tree connects in the Session.TreeConnectTable, as specified in section
3.2.4.22.
The client initializes an SMB2 LOGOFF Request, following the syntax specified in section 2.2.7. The
SMB2 header MUST be initialized as follows:
The SMB2 LOGOFF Request MUST be initialized to the default values, as specified in 2.2.7.
The client MUST locate the connection on which the request was sent and find the MessageId for
that request by locating it in Connection.OutstandingRequests.
The client initializes an SMB2 CANCEL Request following the syntax specified in section 2.2.30. The
SMB2 header MUST be initialized as follows:
The MessageId field is set to the identifier that is previously used for the request being
canceled. Because the same MessageId is reused, cancel requests MUST NOT consume a
sequence number.
If the command has returned an indication of an asynchronous response, the client sets
SMB2_FLAGS_ASYNC_COMMAND to TRUE in the Flags field and sets AsyncId to the
asynchronous identifier for the request.
157 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
There is no response to a cancel request. If the server has not processed the original request, it
MUST cancel that pending request.
Open - The Open identifying a file or named pipe established on the session for which the
session key is being queried.
The SMB 2 Protocol client is driven by a series of response messages that are sent by the server.
Processing for these messages is determined by the command in the SMB2 header of the response
and is detailed for each of the SMB2 response messages in the sections that follow.
Unless specifically noted in a subsequent section, the following logic MUST be applied to any
response message that is received from the server by the client.
The client MUST locate the request for which this response was sent in reply by locating the request
in Connection.OutstandingRequests using the MessageId field of the SMB2 header. If the
request is not found, the response MUST be discarded as invalid.
If the MessageId is 0xFFFFFFFFFFFFFFFF, this is not a reply to a previous request, and the client
MUST NOT attempt to locate the request, but instead process it as follows:
If the command field in the SMB2 header is SMB2 OPLOCK_BREAK, it MUST be processed as
specified in 3.2.5.19. Otherwise, the response MUST be discarded as invalid.
If the SMB2 header of the response has SMB2_FLAGS_SIGNED set in the Flags field, the client
MUST verify the signature as follows:
The client MUST look up the session in the Connection.SessionTable using the SessionId in the
SMB2 header of the response. If the session is not found, the response MUST be discarded as
invalid.
If the session is found, the client MUST verify the signature of the message as specified in section
3.1.5.1, using Session.SessionKey as the session key, and passing the response message.
If signature verification fails, the client MUST discard the received message and do no further
processing for it. The client MAY also choose to disconnect the connection. If signature verification
succeeds, the client MUST continue processing the packet, as specified in subsequent sections.
158 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
If CreditResponse is greater than 0, the client MUST insert the newly granted credits into the
Connection.SequenceWindow. For each credit that is granted, the client MUST insert the next
highest value into the sequence window, as specified in section 3.2.4.1.6. The client MUST then
signal any requests that were waiting for available message identifiers to continue processing.
If SMB2_FLAGS_ASYNC_COMMAND is set in the Flags field of the SMB2 header of the response and
the Status field in the SMB2 header is STATUS_PENDING, the client MUST mark the request in
Connection.OutstandingRequests as being handled asynchronously and store the new AsyncId
of the request. Processing of this response is now complete.
If SMB2_FLAGS_ASYNC_COMMAND is set in the Flags field of the SMB2 header and Status is not
STATUS_PENDING, this is a response to an asynchronous request and processing MUST continue as
specified below.
If the Status field in the SMB2 header is STATUS_NETWORK_SESSION_EXPIRED, the client MUST
attempt to reauthenticate the session that is identified by the SessionId in the SMB2 header, as
specified in section 3.2.4.2.3. If the reauthentication attempt succeeds, the client MUST retry the
request that failed with STATUS_NETWORK_SESSION_EXPIRED. If the reauthentication attempt
fails, the client MUST fail the operation and terminate the session, as specified in section 3.2.4.23.
If the client receives a response that does not conform to the structures specified in 2, the client
MUST discard the response and fail the corresponding application request with an error indicating
that an invalid network response was received. The client MAY<111> also disconnect the
connection.
The client MUST process the response based on the Command field of the SMB2 header of the
response. When the processing is completed, the corresponding request MUST be removed from
Connection.OutstandingRequests.
If the command that is received is not a valid command, or if the server returned a command that
did not match the command of the request, the client SHOULD<112> fail the application request
with an implementation-specific error that indicates an invalid network response was received.
159 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
A client detects that a server sent a compounded response (multiple responses chained together
into a single network send) by checking if the NextCommand in the SMB2 header of the response
is not equal to 0. The client MUST handle compounded responses by separating them into individual
responses.
For a series of responses compounded together, each response MUST be processed in order as an
individual message with a size, in bytes, as determined by the NextCommand field in the SMB2
header. The final response in the compounded response chain will have NextCommand equal to 0,
and it MUST be processed as an individual message of a size equal to the number of bytes
remaining in this receive.
If the Status field in the SMB2 header of the response is not STATUS_SUCCESS, the client MUST
return the error code to the calling application.
If the SecurityMode field in the SMB2 header of the response does not have the
SMB2_NEGOTIATE_SIGNING_ENABLED bit set, the client MUST return
STATUS_INVALID_NETWORK_RESPONSE.
If the SecurityMode field in the SMB2 header of the response has the
SMB2_NEGOTIATE_SIGNING_ENABLED bit set, the client MUST store the received
MaxTransactSize in Connection.MaxTransactSize, the received MaxReadSize in
Connection.MaxReadSize, the received MaxWriteSize in Connection.MaxWriteSize, and the
received ServerGuid in Connection.ServerGuid.<113> The client MUST store the received
security buffer described by SecurityBufferOffset and SecurityBufferLength into
Connection.GSSNegotiateToken.
If the SecurityMode field in the SMB2 header of the response has the
SMB2_NEGOTIATE_SIGNING_REQUIRED bit set, the client MUST set Connection.RequireSigning
to TRUE.
If the DialectRevision in the SMB2 NEGOTIATE Response is 0x02FF, the client MUST issue a new
SMB2 NEGOTIATE request as described in section 3.2.4.2.2.2. Otherwise, the client MUST proceed
as follows.
If the client supports SMB 2.1, the client MUST perform the following:
If the Flags field of the SMB2 NEGOTIATE include SMB2_GLOBAL_CAP_LEASING, the client MUST
set Connection.SupportsLeasing to TRUE. If the flag is not set, it MUST set
Connection.SupportsLeasing to FALSE.
The client MUST attempt to locate a session in Connection.SessionTable using the SessionId in
the SMB2 header of the SMB2 SESSION_SETUP Response. If a session is not located, this response
MUST be handled as a new authentication attempt. If a session is located, this response MUST be
handled as a reauthentication attempt.
160 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
If the Status field in the SMB2 header of the response is not STATUS_SUCCESS and is not
STATUS_MORE_PROCESSING_REQUIRED, the client MUST return the error code to the calling
application that initiated the authentication request and processing is complete.
Otherwise, the client MUST process the GSS token received in the SMB2 SESSION_SETUP Response
following the SMB2 header, described by SecurityBufferOffset and SecurityBufferLength. The
client MUST use the configured GSS authentication protocol as specified in [MS-SPNG] section 3.3.5
and [RFC4178] section 3.2 to obtain the next GSS output token for the authentication exchange.
Based on the result from the GSS authentication protocol, one of the following actions will be taken:
If the GSS protocol indicates an error, the error MUST be returned to the calling application that
initiated the authentication request and processing is complete.
If the GSS protocol returns success, and the Status code of the SMB2 header of the response was
STATUS_SUCCESS, authentication is complete. The client MUST allocate a session object and place
it in the Connection.SessionTable. The session MUST be initialized as follows:
Session.SessionId MUST be set to the SessionId in the SMB2 header of the response.
Session.UserCredentials MUST be set to the OS-specific entity that identifies the credentials
that were used to authenticate to the server.
Session.SessionKey MUST be set as described in section 3.2.1.3 using the value queried from
the GSS protocol. For information about how this is calculated for Kerberos authentication via
Generic Security Service Application Programming Interface (GSS-API), see [MS-KILE] section
3.1.1.2. For information about how this is calculated for NTLM authentication via GSS-API, see
[MS-NLMP] section 3.1.5.1.
Session.Connection MUST be set to the connection on which this authentication attempt was
issued.
If the SMB2_SESSION_FLAG_IS_NULL bit is set in the SessionFlags field of the SMB2
SESSION_SETUP Response, Session.ShouldSign MUST be set to FALSE.
If the SMB2_SESSION_FLAG_IS_GUEST bit is set in the SessionFlags field of the SMB2
SESSION_SETUP Response AND if Session.ShouldSign is TRUE, this indicates a
SESSION_SETUP failure and the connection MUST be terminated.
The client MUST return success to the calling application that initiated the authentication request,
and processing is complete.
If the GSS protocol returns success and the Status code of the SMB2 header of the response was
STATUS_MORE_PROCESSING_REQUIRED, the client MUST send a subsequent session setup request
to continue the authentication attempt. The client MUST construct an SMB2 SESSION_SETUP
Request by following the syntax specified in section 2.2.5. The SMB2 header MUST be initialized as
follows:
161 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The client MUST set the SessionId field in the SMB2 header of the new request to the
SessionId received in the SMB2 header of the response.
If the client supports the Distributed File System (DFS), the client MUST set the
SMB2_GLOBAL_CAP_DFS bit in the Capabilities field. For more information about DFS, see
[MSDFS].
The client MUST copy the GSS output token into the response. The client MUST set
SecurityBufferOffset and SecurityBufferLength to describe the GSS output token.
If the Status field in the SMB2 header of the response is not STATUS_SUCCESS and is not
STATUS_MORE_PROCESSING_REQUIRED, the client MUST return the error code to the calling
application that initiated the reauthentication request and processing is complete.
Otherwise, the client MUST process the Generic Security Service (GSS) token that is received in the
SMB2 SESSION_SETUP response following the SMB2 header, described by SecurityBufferOffset
and SecurityBufferLength. The client MUST use the configured GSS authentication protocol, as
specified in [MS-SPNG] section 3.3.5 and [RFC4178] section 3.2, to obtain the next GSS output
token for the authentication exchange. Based on the result from the GSS authentication protocol,
one of the following actions will be taken:
If the GSS protocol indicates an error, the error MUST be returned to the calling application that
initiated the reauthentication request and processing is complete.
If the GSS protocol returns success and the Status code of the SMB2 header of the response was
STATUS_SUCCESS, reauthentication is complete. The client MUST return success to the calling
application that initiated the reauthentication request.
If the GSS protocol returns success and the Status code of the SMB2 header of the response was
STATUS_MORE_PROCESSING_REQUIRED, the client MUST send a subsequent session setup request
to continue the reauthentication attempt. The client MUST construct an SMB2 SESSION_SETUP
request following the syntax specified in section 2.2.5. The SMB2 header MUST be initialized as
follows:
162 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
If the client supports the Distributed File System (DFS), the client MUST set the
SMB2_GLOBAL_CAP_DFS bit in the Capabilities field. For more information about DFS, see
[MSDFS].
The client MUST copy the GSS output token into the response. The client MUST set
SecurityBufferOffset and SecurityBufferLength to describe the GSS output token.
The client MUST locate the session in Connection.SessionTable using the SessionId in the SMB2
header of the response. The associated session object MUST be removed from
Connection.SessionTable and freed. The client MUST return success to the application that
requested the authenticated context termination.
If the Status field of the SMB2 header of the response indicates an error, the client MUST return the
received status code to the calling application.
If the Status field of the SMB2 header of the response indicates success, the client MUST locate the
session in the Connection.SessionTable using the SessionId in the SMB2 header of the response.
The client MUST allocate a tree connect object and insert it into the Session.TreeConnectTable.
The tree connect is initialized as follows:
The TreeConnect.TreeConnectId MUST be set to the TreeId that is received in the SMB2
header of the response.
The TreeConnect.Session MUST be set to the session that is looked up using SessionId from
the SMB2 header of the response.
The client MUST return success to the application that initiated the connection to the share.
163 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The client MUST locate the session in the Connection.SessionTable using the SessionId in the
SMB2 header of the response. It MUST locate the tree connect in the Session.TreeConnectTable
using the TreeId in the SMB2 header of the response. The associated tree connect object MUST be
removed from the Session.TreeConnectTable and freed. The client MUST return success to the
application that requested the share connection termination.
If the Status field of the SMB2 header of the response indicates an error, the client MUST return the
received status code to the calling application that initiated the open of a file or named pipe.
The client MUST locate the corresponding request in Connection.OutstandingRequests using the
MessageId field of the SMB2 header. If the request is for a new create operation, then the
processing MUST continue as specified below.
If the Status field of the SMB2 header of the response indicates success, the client MUST locate the
session in the Connection.SessionTable using the SessionId in the SMB2 header of the response.
The client MUST locate a tree connect in the Session.TreeConnectTable using the TreeId in the
SMB2 header of the response. The client MUST allocate an open object and initialize it as follows:
Open.File MUST be initialized to the SMB2 File created or looked up in section 3.2.4.3.
Open.FileId MUST be set to the FileId that is received in the SMB2 CREATE Response following
the SMB2 header.
Open.TreeConnect MUST be set to the tree connect that was looked up in the
Session.TreeConnectTable.
Open.Connection MUST be set to the connection on which the response was received.
If the response includes response create contexts following the syntax specified in section 2.2.14.2,
the processing described in subsequent subsections MUST be handled if the specified create context
is present in the response.
The client MUST insert the open into the Connection.OpenTable. If the client implements the SMB
2.1 dialect and Connection.SupportsLeasing is TRUE, the client MUST locate the file
corresponding to Open.FileName in the GlobalFileTable and insert the open into
164 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
If the client implements the SMB 2.1 dialect and an SMB2_CREATE_RESPONSE_LEASE create
context is present in the SMB2_CREATE response returned from the server, it MUST do the
following:
If Connection.SupportsLeasing is FALSE, the client MUST fail the create request from the
application.
The client MUST locate the file corresponding to Open.FileName in the GlobalFileTable and
copy the LeaseState in the response to File.LeaseState.
If the Status field of the SMB2 header of the response indicates an error, the client MUST return the
received status code to the calling application that initiated the open of a file or named pipe.
The client MUST locate the corresponding request in Connection.OutstandingRequests using the
MessageId field of the SMB2 header. If the request is for an open reestablishment, then the
processing MUST continue as specified below using the Open associated with this request in section
3.2.4.4.
If the Status field of the SMB2 header of the response indicates success, the client MUST locate the
session in the Connection.SessionTable using the SessionId in the SMB2 header of the response.
The client MUST locate a tree connect in the Session.TreeConnectTable using the TreeId in the
SMB2 header of the response. The following fields MUST be reinitialized:
Open.FileId MUST be set to the FileId received in the SMB2 CREATE Response following the
SMB2 header.
Open.TreeConnect MUST be set to the tree connect that was looked up in the
Session.TreeConnectTable.
Open.Connection MUST be set to the connection on which the response was received.
The client MUST insert the open into the Connection.OpenTable and File.OpenTable. The client
MUST return success to the application that initiated the open reestablishment operation.
165 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
If the Status field of the SMB2 header of the response indicates an error, then the client MUST
return the received status code to the calling application.
The client MUST locate the Open in the Connection.OpenTable using the FileId in the SMB2
header of the response.
If the client implements the SMB 2.1 dialect and Connection.SupportsLeasing is TRUE, the client
MUST locate the File in the GlobalFileTable by looking up Open.FileName. The client MUST
delete the Open from the File.OpenTable. If all opens in File.OpenTable are deleted, then the
entry for this File MUST be deleted from the GlobalFileTable, and the File object MUST be freed.
The open object MUST be removed from the Connection.OpenTable and freed.
The client MUST return success to the application that requested that the file or named pipe be
closed.
The client MUST return the received status code in the Status field of the SMB2 header of the
response to the application that issued the request to flush data on the file or named pipe.
If the Status field of the SMB2 header of the response indicates an error, the client MUST return the
received status code to the calling application.
If the Status field of the SMB2 header of the response indicates success, the client MUST copy the
received information in the SMB2 READ Response following the SMB2 header described by
DataOffset and DataLength into the buffer that is provided by the calling application. The client
MUST return success and DataLength to the application.
The client MUST return the received status code in the Status field of the SMB2 header of the
response to the application that issued the request to write data to the file or named pipe. The client
MUST also return the Count value from the SMB2 WRITE Response following the SMB2 header,
indicating how many bytes were written.
1. From the LockSequence field in the SMB2 lock or SMB2 unlock request (constructed in sections
3.2.4.19 and 3.2.4.21) that was looked up as described in the previous paragraph, compute
166 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
If the OutputCount field in an SMB2 IOCTL Response is 0, the OutputOffset field SHOULD<114>
be ignored by the client.
If the Status field of the SMB2 header of the response indicates an error, the client MUST return the
received status code to the calling application.
If the Status field of the SMB2 header of the response indicates success, the client MUST copy the
received information in the SMB2 IOCTL Response following the SMB2 header described by
OutputOffset and OutputCount into the buffer that is provided by the calling application for
receiving the response output buffer. The client MUST return success and OutputCount to the
application.
If the Status field of the SMB2 header of the response indicates an error, the client MUST return the
received status code to the calling application.
If the Status field of the SMB2 header of the response indicates success, the client MUST copy the
received information in the SMB2 IOCTL Response following the SMB2 header described by
OutputOffset and OutputCount into the buffer that is provided by the calling application for
receiving the response output buffer. The client MUST return success and OutputCount to the
application.
Otherwise, if the Status field of the SMB2 header of the response indicates an error, the client
MUST return the received status code to the calling application, ignoring any accompanying
SRV_COPYCHUNK_RESPONSE.
If the Status field of the SMB2 header of the response indicates success, the client MUST copy the
received information in the SMB2 IOCTL Response following the SMB2 header that is described by
OutputOffset and OutputCount into the buffer that is provided by the calling application for
receiving the response output buffer. The client MUST return success and the OutputCount to the
application.
If the Status field of the SMB2 header of the response indicates an error, the client MUST return the
received status code to the calling application.
167 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
If the Status field of the SMB2 header of the response indicates an error, the client MUST return the
received status code to the calling application.
If the Status field of the SMB2 header of the response indicates success, the client MUST copy the
received information in the SMB2 IOCTL Response following the SMB2 header that is described by
the OutputOffset and OutputCount into the buffer that is provided by the calling application for
receiving the response output buffer. The client MUST ignore the InputOffset and InputCount.
The client MUST return success and the OutputCount to the application.
If the Status field of the SMB2 header of the response indicates an error, the client MUST return the
received status code to the calling application.
If the Status field of the SMB2 header of the response indicates success, the client MUST copy the
received information in the SMB2 IOCTL Response following the SMB2 header that is described by
the OutputOffset and OutputCount into the buffer that is provided by the calling application for
receiving the response output buffer. The client MUST return success and the OutputCount to the
application.
If the Status field of the SMB2 header of the response indicates an error, the client MUST return the
received status code to the calling application.
If the Status field of the SMB2 header of the response indicates success, the client MUST copy the
received information in the SMB2 IOCTL Response following the SMB2 header that is described by
the OutputOffset and OutputCount into the buffer that is provided by the calling application for
receiving the response output buffer. The client MUST ignore the InputOffset and InputCount.
The client MUST return success and the OutputCount to the application.
If the Status field of the SMB2 header of the response indicates an error, the client MUST return the
received status code to the calling application.
If the Status field of the SMB2 header of the response indicates success, the client MUST copy the
received information in the SMB2 IOCTL Response following the SMB2 header that is described by
the InputOffset and InputLength into the buffer that is provided by the calling application for
receiving the response input buffer. The client MUST copy the received information in the SMB2
IOCTL Response following the SMB2 header that is described by the OutputOffset and
OutputCount into the buffer that is provided by the calling application for receiving the response
output buffer. The client MUST return success, the InputLength, and the OutputCount to the
application.
168 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
If the Status field of the SMB2 header of the response indicates an error, the client MUST return the
received status code to the calling application.
If the Status field of the SMB2 header of the response indicates success, the client MUST perform
the following steps:
1. The client SHOULD<115> setup periodic probing of the connection to detect an unresponsive or
dead server or a broken TCP connection.
If the Status field of the SMB2 header of the response indicates an error, the client MUST return the
received status code to the calling application.
If the Status field of the SMB2 header of the response indicates success, the client MUST copy the
received information in the SMB2 QUERY_DIRECTORY Response following the SMB2 header that is
described by the OutputBufferOffset and OutputBufferLength into the buffer that is provided by
the calling application. The client MUST return success and the OutputBufferLength to the
application.
If the Status field of the SMB2 header of the response indicates an error, the client MUST return the
received status code to the calling application.
If the Status field of the SMB2 header of the response indicates success, the client MUST copy the
received information in the SMB2 CHANGE_NOTIFY Response following the SMB2 header that is
described by the OutputBufferOffset and OutputBufferLength into the buffer that is provided by
the calling application. The client MUST return success and the OutputBufferLength to the
application.
If the Status field of the SMB2 header of the response indicates an error, the client MUST return the
received status code to the calling application. If the error code is either
STATUS_BUFFER_TOO_SMALL or STATUS_INFO_LENGTH_MISMATCH and the SMB2 ERROR
Response following the SMB2 header has a ByteCount of 4, the client MUST also return the 4-byte
error data to the calling application. This error data indicates the size, in bytes, that is required to
successfully query the information.
If the Status field of the SMB2 header of the response indicates success, the client MUST copy the
received information in the SMB2 QUERY_INFO Response following the SMB2 header that is
described by the OutputBufferOffset and OutputBufferLength into the buffer that is provided by
the calling application. The client MUST return success and the OutputBufferLength to the
application.
169 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The client MUST return the received status code in the Status field of the SMB2 header of the
response to the application that issued the request to set information on the file, underlying object
store, or named pipe. This applies for requests to set file information, underlying object store
information, quota information, and security information.
If the MessageId field of the SMB2 header of the response is 0xFFFFFFFFFFFFFFFF, this MUST be
processed as an oplock break indication. Otherwise, the client MUST process it as a response to an
oplock break acknowledgment.
If the client implements the SMB 2.1 dialect and Connection.SupportsLeasing is TRUE, the client
MUST use the StructureSize member in the SMB2 OPLOCK_BREAK notification to differentiate
between an oplock break notification and a lease break notification as described in 2.2.25.
The client MUST locate the open in the Connection.OpenTable using the FileId in the Oplock
Break Notification following the SMB2 header. If the open is not found, the oplock break indication
MUST be discarded, and no further processing is required.
If the open is found, the client MUST take action based on the Open.OplockLevel and the new
OplockLevel that is received in the Oplock Break Notification.
If the client is required to send an oplock break acknowledgment, it MUST construct a request
following the syntax that is specified in section 2.2.24.1. The SMB2 header is initialized as follows:
170 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The client MUST locate the file in the GlobalFileTable using the LeaseKey in the Lease Break
Notification. If a file is not found, no further processing is required.
If a File entry is located, the client MUST take action based on the File.LeaseState and the new
LeaseState that is received in the Lease Break Notification.
If File.LeaseState includes SMB2_LEASE_WRITE_CACHING and the new LeaseState does not
include SMB2_LEASE_WRITE_CACHING, the client MUST flush any cached data associated with
this file by issuing one or more SMB2 WRITE requests as described in 3.2.4.7. It MUST also flush
out any cached byte-range locks it has on the file by enumerating the File.OpenTable and for
each open, send the cached byte-range locks by issuing SMB2 LOCK requests as described in
3.2.4.19.
If File.LeaseState includes SMB2_LEASE_READ_CACHING and the new LeaseState does not
include SMB2_LEASE_READ_CACHING, the client MUST purge any cached data.
If File.LeaseState includes SMB2_LEASE_HANDLE_CACHING and the new LeaseState does not
include SMB2_LEASE_HANDLE_CACHING, the client MUST enumerate all handles in
File.OpenTable and close any cached handles that have already been closed by the application.
The close process is described in 3.2.4.5.
The new LeaseState granted by the server in the Lease Break Notification MUST be copied to
File.LeaseState.
If all open handles on this file are closed (that is, File.OpenTable is empty for this file), the
client SHOULD consider it as an implicit acknowledgment of the lease break. No explicit
acknowledgment is required.
The client MUST construct a Lease Break Acknowledgment request following the syntax
specified in 2.2.24.2. The LeaseKey in the request MUST be set to File.LeaseKey and the
LeaseState in the request MUST be set to File.LeaseState.
The client MUST choose an Open from among the remaining opens in File.OpenTable and it
MUST be used to send the acknowledgment to the server.
171 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The request MUST be sent to the server via the connection identified above.
When the Request Expiration timer expires, the client MUST walk all connections in the
ConnectionTable. For each connection, the client MUST walk the outstanding requests in
Connection.OutstandingRequests.
The client MAY<117> choose any time-out it requires based on local policy, the type of request, and
network characteristics.
Clients MAY<118> choose to extend the time-out if the server returns STATUS_PENDING, which
indicates that the operation is being processed asynchronously and may take a long time to
complete, as specified in section 3.2.5.1.4.
If a request has exceeded its time-out interval, the client MUST process the request as if it received
a failure response from the server and the client SHOULD<119> return an implementation-specific
error to the calling application.
When the Idle Connection timer expires, the client MUST walk all connections in the
ConnectionTable. For any connection in which the Connection.OpenTable is empty and no
operations have been performed within the default time-out, the client MAY<121> choose to
disconnect the connection.
When the underlying transport indicates a disconnect, the client MUST walk all opens in the
Connection.OpenTable. For each open, if Open.Durable is not TRUE, the open MUST be removed
from the Connection.OpenTable and freed.
172 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The client MUST then walk all the sessions in the Connection.SessionTable. For each session, the
client MUST walk all tree connects in the Session.TreeConnectTable. Each tree connect in the
table MUST be freed. Then the session MUST be freed.
Finally, the connection MUST be removed from the ConnectionTable and freed.
If Open.ResilientHandle is TRUE for any of the opens enumerated above, the client MUST perform
the following steps for each of the opens which are resilient:
1. The client MUST capture the current system time at which the disconnect occurred.
2. The client MUST attempt to reestablish the durable open as specified in section 3.2.4.4.
3. If the reestablishment fails with a network error, the client MUST retry the reestablishment of the
open for at least Open.ResilientTimeout milliseconds after the captured disconnect time,
before giving up.
4. If the reestablishment of the durable handle fails, Open.Durable MUST be set to FALSE,
Open.ResilientHandle MUST be set to FALSE, the open MUST be removed from
Connection.OpenTable and the open MUST be freed.
This document specifies a conceptual model of possible data organization that an implementation
maintains to participate in this protocol. The described organization is provided to explain how the
protocol behaves. This document does not mandate that implementations adhere to this model as
long as their external behavior is consistent with what is described in this document.
This document assumes the SMB 2 Protocol server is a combination of a server and one or more
underlying object store(s). However, an implementation may subdivide the server into whatever
functional blocks it chooses, including combining them into a single block.
The server MUST implement an algorithm to manage message sequence numbers. Sequence
numbers are used to associate requests with responses, and to determine what requests are allowed
for processing. The algorithm MUST meet the following conditions:
When an SMB2 transport connection is first established, the allowable sequence numbers that
comprise the valid command window for received messages on that connection MUST be the set
{ 0 }.
After a sequence number is received, its value MUST never be allowed to be received again.
(After the sequence number 0 is received, no other request that uses the sequence number 0
shall be processed.) If the 64-bit sequence wraps, the connection MUST be terminated.
173 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The server MUST allow requests to be received out of sequence. For example, if the valid
command window set is { 0, 1, 2, 3 }, it is valid to receive a request with sequence number 2
before receiving a request with sequence number 0.
The server MAY limit the maximum range of the acceptable sequence numbers. For example, if
the valid command window set is { 0, 1, 2, 3, 4, 5 }, and the server receives requests for 1, 2,
3, 4, and 5, it MAY<122> choose to not grant more credits and keep the valid command window
set at { 0 } until the sequence number 0 is received.
The server MUST consume one sequence number for any request except CANCEL command; if
server implements SMB 2.1, it MAY consume more than one sequence number based on request
data payload see section 3.3.5.2.4.
The server MUST implement an algorithm for granting credits to the client. Each credit provides the
client the capability to send a request to the server. Multiple credits allow for multiple simultaneous
requests. The algorithm MUST meet the following conditions:
The number of credits granted to the client MUST be considered as 1 when the connection is
established.
The server MUST ensure that the number of credits granted to the client is never reduced to
zero. If the condition occurs, there is no way for the client to send subsequent requests for more
credits.<123>
The server MAY<124> grant any number of credits up to that which the client requests, or more
if required by the preceding rule.
The server MAY<125> vary the number of credits granted to different clients based on quality of
service features, such as identity, behavior, or administrator configuration.
The server MUST implement an algorithm that monitors for changes on an object store. The effect of
this algorithm MUST be identical to that used to offer the behavior specified in [MS-CIFS] sections
3.2.4.38 and 3.3.5.57.5. The algorithm MUST meet the following conditions:
If a change notification request is pending on a directory AND a change occurs to the directory
contents matching the events to be monitored as specified in CompletionFilter, the server
MUST copy the results into the buffer of the Change Notification response. The server MAY
choose to aggregate one or more changes indicated by the underlying object store into a single
response. The server MUST construct a SMB2 CHANGE_NOTIFY Response as specified in section
2.2.36. The server MUST then return the results to the client.
The server SHOULD try to fit in the maximum number of events that match the
CompletionFilter of the request before completing the request.
174 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
If the client requested that an entire tree be watched, the server MUST monitor all objects
beneath the directory on which the operation was issued, instead of simply the immediate
children of that directory.
Change notification information that is returned to the user MUST conform to the syntax specified
in section 2.2.36.1.
If the server implements SMB 2.1 and supports leasing, the underlying object store MUST
implement an algorithm that permits multiple opens to the same object to share lease state (for
valid lease states, see section 3.3.1.12). The algorithm MUST meet the following conditions:
The algorithm MUST permit a create request from the server to the underlying object store to be
accompanied by a global identifier that indicates the unique context for this lease, which will be
referred to as the ClientID. The ClientID consists of a ClientGuid combined with a LeaseKey.
The algorithm MUST allow multiple opens to an object that specifies the same ClientId. These
opens MUST NOT alter the lease state on an object.
The algorithm MUST permit three different caching capabilities within a lease: READ, WRITE, and
HANDLE, with the following semantics:
READ caching permits the SMB client to cache data read from the object. If one of the
following operations occurs, the object store MUST request that the server revoke READ
caching. The object store is not required to wait for acknowledgment:
WRITE caching permits the SMB client to cache writes and byte-range locks on an object. If
one of the following operations is about to occur, the underlying object store MUST request
that the server revoke WRITE caching, and the object store MUST wait for acknowledgment
from the server before proceeding with the operation:
The file is opened by a local application or via another protocol, or opened via SMB 2
without providing the same ClientId, and requested access includes any flags other than
FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, and SYNCHRONIZE.
HANDLE caching permits one or more SMB clients to delay closing handles it holds open, or to
defer sending opens. If one of the following operations is about to occur, the underlying object
store MUST request that the server revoke HANDLE caching, and the object store MUST wait
for acknowledgment before proceeding with the operation:
A file is being opened by a local application, via another protocol, or opened via SMB 2
without providing the same ClientId, and this open will fail with SHARING_VIOLATION due
to the existing opens that hold the lease.
175 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The underlying object store SHOULD request the server revoke multiple lease state flags at the
same time if an operation results in the loss of several caching flags.
The algorithm SHOULD support the following combinations of caching flags: No caching, Read
Caching, Read + Write Caching, Read + Handle Caching, Read + Write + Handle Caching.
The algorithm MUST allow a client to flow one or more creates with the same ClientId to the
underlying object store during a lease break without blocking the create until the
acknowledgment of the lease break is received.
The algorithm SHOULD allow additional lease state flags on subsequent opens from the same
ClientID to permit upgrading the lease state. The algorithm MUST NOT allow the client to release
lease state flags on subsequent opens from the same ClientID to downgrade the lease state.
If the requested lease state is not a superset of the existing lease state flags for this ClientID,
then the requested lease state SHOULD be interpreted as the union of the existing lease state
and the requested lease state.
When the underlying object store requests that the server issue a lease break, it MUST also
provide a new lease state for the server to pass to the client as part of the lease break packet,
based on the local operations that caused the lease break to occur.
ShareList: A list of available shares for the system. The structure of a share is as specified in
section 3.3.1.6 and is uniquely indexed by the share name.
GlobalOpenTable: A table containing all the files opened by remote clients on the server,
indexed by Open.DurableFileId. The structure of an open is as specified in section 3.3.1.10.
The table MUST support enumeration of all entries in the table.
GlobalSessionTable: A list of all the active sessions established to this server, indexed by the
Session.SessionId. The server MUST also be able to search the list by security principal, and
the list MUST allow for multiple sessions with the same security principal on different
connections.
ConnectionList: A list of all open connections on the server, indexed by the connection endpoint
addresses.
ServerStartTime: The start time of the SMB2 server, in FILETIME format as specified in [MS-
DTYP] section 2.3.1.
IsDfsCapable: A Boolean that, if set, indicates that the server supports the Distributed File
System.
176 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
ServerSideCopyMaxDataSize: The maximum total number of bytes the server will accept for a
server side copy operation.
ServerHashLevel: A state that indicates the caching level configured on the server. It takes any
of the following three values:
HashEnableAll: Indicates that caching is enabled for all shares on the server.
HashDisableAll: Indicates that caching is disabled for all shares on the server.
If the server implements SMB 2.1 and supports leasing, it MUST implement the following:
GlobalLeaseTableList: A list of all the lease tables as described in 3.3.1.11, indexed by the
ClientGuid.
Share.LocalPath: A path that describes the local resource that is being shared. This MUST be a
store that either provides named pipe functionality, or that offers storage and/or retrieval of files.
In the case of the latter, it MAY<127> be a device that accepts a file and then processes it in
some format, such as a printer.
Share.FileSecurity: An authorization policy such as an access control list that describes what
actions users that connect to this share are allowed to perform on the shared resource.<128>
Share.CscFlags: The configured offline caching policy for this share. This value MUST be manual
caching, automatic caching of files, automatic caching of files and programs, or no offline
caching. For more information, see section 2.2.10. For more information about offline caching,
see [OFFLINE].
Share.IsDfs: A Boolean that, if set, indicates that this share is configured for DFS. For more
information, see [MSDFS].
177 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
Share.ForceSharedDelete: A Boolean that, if set, indicates that all opens on this share MUST
include FILE_SHARE_DELETE in the sharing access.
Share.RestrictExclusiveOpens: A Boolean that, if set, indicates that users who request read-
only access to a file are not allowed to deny other readers.
Share.Type: The value indicates the type of share. It MUST be one of the values that are listed
in [MS-SRVS] section 2.2.2.4.
Share.MaxUses: The value indicates the maximum number of concurrent connections that the
shared resource can accommodate.
Share.CurrentUses: The value indicates the number of current trees connected to the shared
resource.
Share.ForceLevel2Oplock: A Boolean that, if set, indicates that the server does not issue
exclusive caching rights on this share.
Share.HashEnabled: A Boolean that, if set, indicates that the share supports hash generation
for branch cache retrieval of data.
Connection.RequestList: A list of all client requests being processed. Each request MUST
include a Boolean value that indicates whether it is being handled asynchronously.
Connection.Dialect: The dialect of SMB2 negotiated with the client. This value MUST be either
"2.002", "2.100", or "Unknown".
Connection.ShouldSign: A Boolean that, if set, indicates that all sessions on this connection
MUST have signing enabled.
178 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
Session.State: The current activity state of this session. This value MUST be either InProgress,
Valid, or Expired.
Session.SecurityContext: The security context of the user that authenticated this session (see
security context (1), defined in [MS-GLOS]). This value MUST be in a form that allows for
evaluating security descriptors within the server, as well as being passed to the underlying object
store to handle security evaluation that may happen there.
Session.SessionKey: The first 16 bytes of the cryptographic key for this authenticated context. If
the cryptographic key is less than 16 bytes, it is right-padded with zero bytes.
Session.ShouldSign: A Boolean that, if set, indicates that this session MUST sign
communication if signing is enabled on this connection.
Session.ExpirationTime: A value that specifies the time after which the client must
reauthenticate with the server.
Session.Connection: The connection on which this session was established (see also sections
3.3.5.5.1 and 3.3.4.5).
Session.IdleTime: The time the session processed its most recent request.
TreeConnect.TreeId: A numeric value that uniquely identifies a tree connect within the scope of
the session over which it was established. This value is represented as a 32-bit TreeId in the
SMB2 header.
TreeConnect.Session: A pointer to the authenticated session that established this tree connect.
TreeConnect.Share: A pointer to the share that this tree connect was established for.
179 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
Open.FileId: A numeric value that uniquely identifies the open handle to a file or a pipe within
the scope of a session over which the handle was opened. This value is the volatile portion of the
identifier. A 64-bit representation of this value, combined with Open.DurableFileId as described
below, combine to form the SMB2_FILEID described in section 2.2.14.1.
Open.DurableFileId: A numeric value that uniquely identifies the open handle to a file or a pipe
within the scope of all opens granted by the server, as described by the GlobalOpenTable. A
64-bit representation of this value combined with Open.FileId, as described above, form the
SMB2_FILEID described in section 2.2.14.1. This value is the persistent portion of the identifier.
Open.LocalOpen: An open of a file or named pipe in the underlying local resource that is used
to perform the local operations, such as reading or writing, to the underlying object. For named
pipes, Open.LocalOpen is shared between the SMB server and RPC server applications which
serve RPC requests on a given named pipe. The higher level interfaces described in sections
3.3.4.5 and 3.3.4.11 require this shared ADM element.
Open.OplockLevel: The current oplock level for this open. This value MUST be one of the
OplockLevel values defined in section 2.2.14: SMB2_OPLOCK_LEVEL_NONE,
SMB2_OPLOCK_LEVEL_II, SMB2_OPLOCK_LEVEL_EXCLUSIVE, SMB2_OPLOCK_LEVEL_BATCH, or
OPLOCK_LEVEL_LEASE.
Open.OplockState: The current oplock state of the file. This value MUST be Held, Breaking, or
None.
Open.OplockTimeout: The time value that indicates when an oplock that is breaking and has
not received an acknowledgment from the client will be acknowledged by the server.
Open.IsDurable: A Boolean that indicates whether this open has requested durable operation.
180 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
Open.DurableOwner: A security descriptor that holds the original opener of the file. This allows
the server to determine if a caller that is trying to reestablish a durable open is allowed to do so.
If the server implements SMB 2.1 and supports resiliency, this value is also used to enforce
security during resilient open reestablishment.
Open.EnumerationSearchPattern: For directories, this value holds the search pattern that is
used in directory enumeration and allows for the continuing of an enumeration across multiple
requests. For files, this value is unused.
Open.CurrentEaIndex: For extended attribute information, this value indicates the current
location in an extended attribute information list and allows for the continuing of an enumeration
across multiple requests.
Open.CurrentQuotaIndex: For quota queries, this value indicates the current index in the
quota information list and allows for the continuation of an enumeration across multiple requests.
Open.LockCount: A numeric value that indicates the number of locks that are held by current
open.
Open.PathName: A variable-length string that contains the Unicode path name that the open is
performed on.
If the server implements SMB 2.1 and supports leasing, it MUST implement the following:
Open.Lease: The lease associated with this open, as defined in 3.3.1.11. This value MUST point
to a valid lease, or be set to NULL.
Open.IsResilient: A Boolean that indicates whether this open has requested resilient operation.
Open.ResiliencyTimeout: A time-out value that indicates how long the server will hold the file
open after a disconnect before releasing the open.
Open.ResilientOpenTimeout: A time value that indicates when a handle that has been
preserved for resiliency will be closed by the system if a client has not reclaimed it.
Open.LockSequenceArray[]: An array of lock sequence entries (each of size 1 byte) that have
been successfully processed by the server for resilient opens. The size of this array is
implementation-dependent.<129>
If the server implements SMB 2.1 and supports leasing, it implements the following:
181 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
If the server implements SMB 2.1 and supports leasing, it implements the following:
Lease.LeaseState: The current state of the lease as indicated by the underlying object store.
This value MUST be a combination of the flags described in section 2.2.13.2.8 for "LeaseState".
For the remainder of section 3.3, these will be referred to as follows:
Abbreviated
Lease State Name
0 NONE
SMB2_LEASE_READ_CACHING R
SMB2_LEASE_READ_CACHING | SMB2_LEASE_WRITE_CACHING RW
SMB2_LEASE_READ_CACHING | SMB2_LEASE_HANDLE_CACHING RH
Lease.BreakToLeaseState: The state to which the lease is breaking. This value MUST be a
combination of the flags described in section 2.2.13.2.8 for "LeaseState". For the remainder of
section 3.3, these will be referred to as described in the table above.
Lease.LeaseBreakTimeout: The time value that indicates when a lease that is breaking and
has not received a Lease Break Acknowledgment from the client will be acknowledged by the
server to the underlying object store.
3.3.2 Timers
This timer controls the amount of time the server waits for an oplock break acknowledgment from
the client (as specified in section 2.2.24) after sending an oplock break notification (as specified in
section 2.2.23) to the client. The server MUST wait for an interval of time greater than or equal to
the oplock break acknowledgment timer. This timer MUST be smaller than the client Request
Expiration time, as specified in section 3.2.6.1.<130> If the server implements SMB 2.1, this timer
MUST also be used to control the time a server waits for a Lease Break Acknowledgment from the
client (as specified in section 2.2.24.2).
This timer controls the amount of time the server keeps a durable handle active after the underlying
transport connection to the client is lost.<131> The server MUST keep the durable handle active for
at least this amount of time, except in the case where the underlying object store indicates an
oplock break for this file. In this case the server MAY tear down the durable open. The server MAY
182 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
This timer controls the periodic scheduling of searching for sessions that have passed their
expiration time. The server SHOULD<132> schedule this timer such that sessions are expired in a
timely manner.
This timer controls the amount of time the server keeps a resilient handle active after the underlying
transport connection to the client is lost. This value is not a constant but set based on the time-out
requested by the client as specified in section 3.3.5.15.9. The server MUST keep the resilient handle
active for that amount of time with the following exception:
The server MAY tear down a resilient handle based on administrative action or resource
constraints before the timer expires.
3.3.3 Initialization
The server MUST establish a listening TCP endpoint on port number 445 as specified in [MS-SMB]
section 2.1. The server MAY<133> also listen on the NetBIOS transport as specified in [MS-CIFS]
section 2.1.1.
ServerStartTime MUST be set to the time at which the SMB2 server was started.
The ShareList MUST be populated based on server configuration. The values are retrieved from
a persistent configuration store, and for each entry, a share MUST be created and inserted into
the list. The information retrieved from the configuration MUST include:
Share.Name is set to the Unicode name. The share name MUST be no longer than 80
characters (not including the terminating null character) and MUST NOT contain any invalid
characters, as specified in [MS-FSCC] section 2.1.6.
Share.LocalPath MUST correctly specify a local resource on the server computer, such as a
underlying object store volume or a subdirectory on that volume.
183 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
Share.CscFlags MUST be set to the value provided in the configuration store. If one is not
provided, it MUST be set to manual caching.
Share.IsDfs MUST be set to the value provided in the configuration store. If one is not
provided, it MUST be set to FALSE.
Share.Type MUST be set to the value provided in the configuration store. If one is not
provided, it MUST be set to 0.
Share.Remark MUST be set to the value provided in the configuration store. If one is not
provided, it MUST an empty string.
Share.MaxUses MUST be set to the value provided in the configuration store. If one is not
provided, it MUST be set to 0xFFFFFFFF.
Share.HashEnabled MUST be set to the value provided in the configuration store. If one is
not provided, it MUST be set to FALSE.
If the server implements SMB 2.1 and supports leasing, the server MUST implement the following:
184 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The SMB 2 Protocol server is driven by a series of higher-layer triggered events in the following
categories:
Indications of buffering state changes on local opens (oplock breaks or lease breaks).
Unless specifically noted in a subsequent section, the following logic MUST be applied to any
response message being sent from the server to the client.
If the message is a response to a message that contained a nonzero SessionId in the SMB2
header field, and either the session identified by that SessionId in GlobalSessionTable has
Session.ShouldSign equal to TRUE or the request was signed by the client, and the response is
neither an error response nor an interim response to an asynchronously processed request, then it
MUST be signed as specified below.
If signing is required, the server MUST sign the response as specified in section 3.1.4.1. The server
provides the Session.SessionKey, the length of the response, and the response itself, and
calculates the signature as described.
As described in section 3.3.1.1, the server maintains a list of message identifiers available for
incoming requests. The total number of available message identifiers can change dynamically as the
system runs, with the server granting credits based on some local policy.
Based on the CreditRequest specified in the SMB2 header of a client request, the server MUST
determine how many credits it will grant the client on each request by using a vendor-specific
algorithm as specified in section 3.3.1.2. The server MUST then place the number of credits granted
in the CreditResponse field in the SMB2 header of the response.
To maintain the same number of credits already granted, the server returns a value of credit
number consumed by this command. To reduce the number of credits granted, the server returns a
value of 0, which implies that the credit consumed by this command is not returned to the client. To
increase the number of credits granted, the server returns a value greater than credit number
consumed by this command. The server consumes one credit for any request except CANCEL
command. If the server implements SMB 2.1, it MAY consume more than one credit, as specified in
section 3.3.5.2.4.
For an asynchronously processed request, any credits to be granted MUST be granted in the interim
response, as specified in section 3.3.4.2.<140>
185 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
To compound responses, the server MUST set the NextCommand in the first response to the
offset, in bytes, from the beginning of the SMB2 header of the first response to the beginning of the
8-byte aligned SMB2 header in the subsequent response. This process MUST be done for each
response except the final response in the chain, whose NextCommand MUST be set to 0. The
server MAY<142> grant credits separately on each request in the compounded chain. Then the
entire response chain MUST be sent to the client as a single submission to the underlying transport.
Then the entire response chain MUST be sent to the client as a single submission to the underlying
transport.
The server MAY<143> choose to send an interim response for any request that is received. It
SHOULD<144> send an interim response for any request that could potentially block for an
indefinite amount of time (such as pipe operations, directory change notifications, blocking byte-
range-lock operations, and creates blocked by an oplock break). If an operation would require
asynchronous processing but resources are constrained, the server MAY<145> choose to fail that
operation with STATUS_INSUFFICIENT_RESOURCES.
An interim response indicates to the client that the request has been received and a full response
will come later. As noted in section 3.3.4.1.1, it is not mandatory for the server to sign an interim
response.
To send an interim response for a request, the server MUST generate an asynchronous identifier for
it
The identifier MUST be unique for all outstanding asynchronous requests on a specified SMB2
transport connection.
The identifier MUST remain valid until the final response for the request is sent.
The identifier MUST NOT be reused until the final response is sent.
The server MUST construct a response packet for the request. The SMB2 header of the response
MUST be identical to that in the request with the following changes:
It MUST set the Status field in the SMB2 header to STATUS_PENDING.
The NextCommand field MUST be set to 0. If this response is later combined with other
responses into a compounded response, as specified in section 3.3.4.1.3, this value will change
later. The server SHOULD<146> fail requests in a compound chain that try to go async
The server MUST set the SMB2_FLAGS_SERVER_TO_REDIR bit in the Flags field of the SMB2
header.
The server MUST set the SMB2_FLAGS_ASYNC_COMMAND bit in the Flags field of the SMB2
header.
It MUST set the AsyncId field of the SMB2 header to the value that was generated earlier.
186 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
It MUST append an SMB2 ERROR Response following the SMB2 header, as specified in section 2.2.2,
with a ByteCount of zero. It MUST locate the request in Connection.RequestList and set its state
to Asynchronous. This response MUST be sent to the client.
When the operation completes, the server MUST set the AsyncId field of the final response to the
identifier generated and returned to the client in the interim response. It MUST also set the
SMB2_FLAGS_ASYNC_COMMAND bit in the Flags field of the SMB2 header. The server MUST set
CreditResponse in the SMB2 header to 0, as credits were granted on the interim response. All
other fields of the final response MUST be identical to what is described for the individual operations.
The server MUST remove the request from Connection.AsyncCommandList.
When the server responds with a success to any command sent by the client, the response message
MUST be constructed as specified in this section.
The server MUST fill in the SMB2 header of the success response to match the SMB2 header of the
request with the following changes:
The Status field of the SMB2 header MUST be set to the status code provided.
The NextCommand field MUST be set to zero. If this response is later combined with other
responses into a compounded response, as specified in section 3.3.4.1.3, this value will change.
The SMB2_FLAGS_SERVER_TO_REDIR bit MUST be set in the Flags field of the SMB2 header.
If the request was handled asynchronously, the server MUST set the AsyncId field to the
asynchronous identifier generated for this request, and set the SMB2_FLAGS_ASYNC_COMMAND
bit in the Flags field.
If the request was not handled asynchronously, the server MUST set the CreditResponse field
to the number of credits the server chooses to grant the request, as specified in section 3.3.1.2.
If the request was handled asynchronously, the server MUST set the CreditResponse field to 0.
Any other additional changes to the header will be made on a command-specific basis.
The information that follows the SMB2 header is command-specific, as specified in section 3.3.5.
This response MUST be sent to the client.
When the server is responding with a failure to any command sent by the client, the response
message MUST be constructed as described here. An error code other than one of the following
indicates a failure:
187 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The server MUST provide the error code of the failure and a data buffer to be returned with the
error. If nothing is specified, the buffer MUST be considered to be zero bytes in length.
The server MUST fill in the SMB2 header of the error response to match the SMB2 header of the
request with the following changes:
The Status field of the SMB2 header MUST be set to the error code provided.
The NextCommand field MUST be set to 0. If this response is later combined with other
responses into a compounded response, as specified in section 3.3.4.1.3, this value will change
later.
The SMB2_FLAGS_SERVER_TO_REDIR bit MUST be set in the Flags field of the SMB2 header.
If the request was handled asynchronously, the server MUST set the AsyncId field to the
asynchronous identifier generated for this request, and set the SMB2_FLAGS_ASYNC_COMMAND
bit in the Flags field.
If the request was not handled asynchronously, the server MUST set the CreditResponse field
to the number of credits the server chooses to grant the request, as specified in section 3.3.1.2.
If the request was handled asynchronously, the server MUST set the CreditResponse field to 0.
Following the SMB2 header MUST be an SMB2 ERROR Response structure, as specified in section
2.2.2. The ByteCount of this response MUST be set to the length of the buffer that is provided as
part of the error. If ByteCount is greater than zero, the server MUST place the data given in the
error buffer in the ErrorData array of the response. This response MUST then be sent to the client.
An application running on the server issues a query for a session key, specifying the LocalOpen to
a named pipe that has been opened by the SMB2 server on behalf of the remote client. The
application also provides a 16-byte buffer to receive the session key.
The server MUST cycle through the entries in the GlobalOpenTable and locate the Open for which
Open.LocalOpen matches the provided LocalOpen. If no Open is found, the request MUST be
failed with STATUS_OBJECT_NAME_NOT_FOUND.
If Open.TreeConnect.Share.Name is not equal to "IPC$" (indicating that the open is not a named
pipe), the request SHOULD be failed with STATUS_ACCESS_DENIED.
Otherwise, the server MUST return the 16-byte session key specified by
Open.TreeConnect.Session.SessionKey to the caller.
188 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The underlying object store on the local resource indicates the breaking of an opportunistic lock,
specifying the LocalOpen and the new oplock level, a status code of the oplock break, and
optionally expects the new oplock level in return. The new oplock level MUST be either
SMB2_OPLOCK_LEVEL_NONE or SMB2_OPLOCK_LEVEL_II. The conditions under which each oplock
level is to be indicated are described in [MS-FSA] section 3.1.5.17.3.
The server MUST locate the open by walking the GlobalOpenTable to find an entry whose
Open.LocalOpen matches the one provided in the oplock break. If no entry is found, the break
indication MUST be ignored and the server MUST complete the oplock break call with
SMB2_OPLOCK_LEVEL_NONE as the new oplock level.
If an entry is found, the server MUST check the state of Open.Connection. If Open.Connection is
NULL and the oplock level is not equal to SMB2_OPLOCK_LEVEL_BATCH, the server MUST remove
the Open from the GlobalOpenTable, close the Open.LocalOpen, and free the open. The server
MUST then complete the oplock break call with SMB2_OPLOCK_LEVEL_NONE as the new oplock
level.
If Open.Connection is not NULL, the server MUST construct an Oplock Break Notification following
the syntax specified in section 2.2.23.1 to send back to the client. The server MUST set the
Command in the SMB2 header to SMB2 OPLOCK_BREAK, the MessageId to 0xFFFFFFFFFFFFFFFF,
and SHOULD set the ProcessId to 0. The server MUST set the SessionId and TreeId in the SMB2
header to 0. The FileId field of the response structure MUST be set to the values from the Open
structure, with the volatile part set to Open.FileId and the persistent part set to
Open.DurableFileId. The oplock Level of the response MUST be set to the value provided by the
object store. The server MUST set Open.OplockState to Breaking and set Open.OplockTimeout
to the current time plus an implementation-specific default value in milliseconds.<148> This
response is sent to the client. This response MUST NOT be signed, as specified in section 3.3.4.1.1.
The server MUST start the oplock break acknowledgment timer as specified in section 3.3.2.1.
The underlying object store indicates the breaking of a lease by specifying the ClientGuid, the
LeaseKey, and the new lease state. The actual lease state MUST either be NONE or a subset of the
flags of the suggested lease state.<149>
When the underlying object store indicates the lease break, the server MUST locate the Lease Table
by performing a lookup in GlobalLeaseTableList using the provided ClientGuid as the lookup key,
and then locate the Lease entry by performing a lookup in the LeaseTable.LeaseList using the
provided LeaseKey as the lookup key.
If no entry is found, the server MUST NOT generate a Lease Break Notification. Instead, the server
MUST complete the lease break call from the underlying object store with "NONE" as the new lease
state, and take no further action.
If a lease entry is found, the server MUST check the state of Open.Connection for all Opens in
Lease.LeaseOpens. If Open.Connection is NULL or if Lease.BreakToLeaseState does not
contain SMB2_LEASE_HANDLE_CACHING, the server MUST remove the Open from the
Lease.LeaseOpens list, remove the Open from the GlobalOpenTable, close the
Open.LocalOpen, and free the open.
If Lease.LeaseOpens is empty, the server MUST NOT generate a Lease Break Notification. Instead,
the server MUST complete the lease break call from the underlying object store with "NONE" as the
new lease state, set Lease.LeaseState to "NONE", and take no further action.
189 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The SMB2 Lease Break Notification is sent to the client using the connection specified in
Open.Connection of the first Open in Lease.LeaseOpens. The message SHOULD NOT be signed.
The server MUST start the oplock break acknowledgment timer as specified in 3.3.2.1. If there was
an error in attempting to transmit the message to the client, the server MUST retry the send using
the connection specified in Open.Connection of the next open in Lease.LeaseOpens. If the server
fails to send transmit the message on any Open.Connection associated with this lease, the server
MUST complete the lease break call from the underlying object store with "NONE" as the new lease
state.
In response to this event, the SMB2 server MUST set the global state variable IsDfsCapable to
TRUE. If the DFS server is running on this computer, it MUST notify the SMB2 server that the DFS
capability is available via this event.
3.3.4.9 DFS Server Notifies SMB2 Server That a Share Is a DFS Share
In response to this event, the SMB2 server MUST set the Share.IsDfs attribute of the share
specified in section 3.3.1.6. When a DFS server running on this computer claims a share as a DFS
share, it MUST notify the SMB2 server via this event.
3.3.4.10 DFS Server Notifies SMB2 Server That a Share Is Not a DFS Share
In response to this event, the SMB2 server MUST clear the Share.IsDfs attribute of the share
specified in section 3.3.1.6.
An application running on the server issues a query for the security context of a client, specifying
the LocalOpen to a named pipe that has been opened by the SMB2 server on behalf of the remote
client.
The server MUST cycle through the entries in the GlobalOpenTable and locate the Open for which
Open.LocalOpen matches the provided LocalOpen. If no Open is found, the request MUST be
failed with STATUS_OBJECT_NAME_NOT_FOUND.
If Open.TreeConnect.Share.Name is not equal to "IPC$" (indicating that the open is not a named
pipe), the request SHOULD be failed with STATUS_ACCESS_DENIED.
190 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The calling application provides GlobalSessionId of the session to be closed. The server MUST look
up Session from the GlobalSessionTable where Session.SessionGlobalId is equal to
GlobalSessionId, and remove it from the table. If there is no matching session, the call MUST
return.
The server MUST deregister the session by invoking event as specified in [MS-SRVS] section
3.1.6.3, providing GlobalSessionId as the input parameter.
191 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The calling application provides tuple< ServerName, ShareName > of the share that is being
deregistered. The server MUST look up the share in ShareList and remove it from the list if the
share is found.
The server MUST enumerate every session in GlobalSessionTable and every tree connect in
Session.TreeConnectTable to free all tree connect objects where TreeConnect.Share matches
the current share.
192 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The calling application provides tuple <ServerName, ShareName> of the share that is being
queried. The server MUST look up the Share in ShareList. If the matching Share is found, the server
MUST return a share in SHARE_INFO_503_I structure and SHARE_INFO_1005 structure to the caller
with the following value set; otherwise the server MUST fail the request.
SHARE_INFO_503_I.shi503_netname Share.Name
SHARE_INFO_503_I.shi503_type Share.Type
SHARE_INFO_503_I.shi503_remark Share.Remark
SHARE_INFO_503_I.shi503_permissions 0
SHARE_INFO_503_I.shi503_max_uses Share.MaxUses
SHARE_INFO_503_I.shi503_current_uses Share.CurrentUses
SHARE_INFO_503_I.shi503_path Share.LocalPath
SHARE_INFO_503_I.shi503_servername Share.ServerName
SHARE_INFO_503_I.shi503_security_descriptor Share.FileSecurity
193 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
SHI1005_FLAGS_FORCE_LEVELII_OPLOCK bit if
Share.ForceLevel2Oplock is TRUE.
The calling application provides GlobalFileId as input parameter. The server MUST look up Open in
GlobalOpenTable where Open.FileGlobalId is equal to GlobalFileId, and remove it from the
table if the Open is found. If no Open is found, the call MUST return.
The server MUST provide GlobalFileId to deregister the Open by invoking event as specified in
[MS-SRVS] section 3.1.6.5.
The calling application provides GlobalSessionId as an identifier for the Session. The server MUST
look up session in GlobalSessionTable where GlobalSessionId is equal to
Session.SessionGlobalId. If Session is found, the server MUST return a session in
SESSION_INFO_502 structure as specified in [MS-SRVS] section 2.2.4.15 with the following values
set.
SESSION_INFO_502
Parameters SMB2 Session Properties
sesi502_cname Session.Connection.ClientName
sesi502_username Session.UserName.
sesi502_transport Session.Connection.TransportName
The calling application provides GlobalTreeConnectId as an identifier for the tree connect. The
server MUST enumerate all session entries in GlobalSessionTable and look up all TreeConnect
entries in Session.TreeConnectTable where GlobalTreeConnectId is equal to
TreeConnect.TreeGlobalId. If TreeConnect is found, the server MUST return ServerName and a
CONNECT_INFO_1 structure as specified in [MS-SRVS] section 2.2.4.2 with the following values set.
coni1_id TreeConnect.TreeGlobalId
194 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
coni1_type TreeConnect.Share.ShareType
coni1_num_opens TreeConnect.OpenCount
coni1_num_users 1
coni1_username TreeConnect.Session.UserName
coni1_netname TreeConnect.Share.Name
ServerName TreeConnect.Share.ServerName
The calling application provides GlobalFileId as an identifier for the Open. The server MUST look
up open in GlobalOpenTable where GlobalFileId is equal to Open.FileGlobalId. If Open is
found, the server MUST return an open in FILE_INFO_3 structure as specified in [MS-SRVS] section
2.2.4.7 with the following values set.
fi3_id Open.FileGlobalId
fi3_permissions Open.GrantedAccess
fi3_num_locks Open.LockCount
fi3_path_name Open.PathName
fi3_username Open.Session.UserName
The calling application MUST provide a null-terminated Unicode string that contains the
implementation-specific name of a device to notify of new transport arrival. The server MUST attach
to the operating system-specific transport protocol identified by the device name on which the
connection can be established.
The SMB 2 Protocol server is driven by a series of request messages sent by the client. Processing
for these messages is determined by the command in the SMB2 header of the response and is
detailed for each of the SMB2 response messages below.
When the server accepts an incoming connection from any of its registered transports, it MUST
allocate a Connection object for it. The Connection object is initialized as described here.
195 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
Connection.ClientCapabilities is set to 0.
The incoming request is added to the Connection.RequestList before verifying the connection
state, sequence number, or signature.<151>
The server MUST check the MessageId for every received request whose Command is not SMB2
CANCEL and make sure it is a valid value that falls within the
Connection.CommandSequenceWindow, as specified in section 3.3.1.7. If the received request
is an SMB_COM_NEGOTIATE, as described in section 1.7, the server MUST assume that MessageId
is zero for this request.
If the negotiate dialect is SMB 2.1 and the underlying TCP endpoint is on port 445 and the
CreditCharge field in the SMB header is not 0, the server MUST check a number of CreditCharge
consecutive sequence numbers starting from MessageId fall within the
Connection.CommandSequenceWindow.
If the server determines that the MessageId(s) for the incoming request is not valid, based on the
Connection.CommandSequenceWindow and CreditCharge field, the server SHOULD fail the
request, as specified in section 3.3.4.4, with the error code STATUS_INVALID_PARAMETER, and
SHOULD<152> disconnect the connection.
If the SMB2 header of the request has SMB2_FLAGS_SIGNED set in the Flags field, the server
MUST verify the signature. The server MUST look up the session in the GlobalSessionTable using
the SessionId in the SMB2 header of the request. If the session is not found, the request MUST be
failed, as specified in section Sending an Error Response (section 3.3.4.4), with the error code
STATUS_USER_SESSION_DELETED. If the session is found, the server MUST verify the signature of
196 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
If the SMB2 header of the request does not have SMB2_FLAGS_SIGNED set in the Flags field, the
server MUST determine if the client failed to sign a packet that required it. The server MUST look up
the session in the GlobalSessionTable using the SessionId in the SMB2 header of the request. If
the session is found and Session.ShouldSign is equal to TRUE, the server MUST fail this request
with STATUS_ACCESS_DENIED. The server MAY<154> also choose to disconnect the connection. If
either the session is not found, or Session.ShouldSign is FALSE, the server continues processing
on the packet.
If the negotiate dialect is SMB 2.1 and the underlying TCP endpoint is on port 445, the server MUST
verify the CreditCharge field in the SMB header. If CreditCharge is 0, the server MUST take the
default value of 1; if CreditCharge is not 0, the server MUST calculate the expected credit number
consumed for the current operation with the following algorithm:
Each credit is consumed per 64KB payload based on the maximum length for request and
response. The request or response with a payload length greater than 64KB MUST consume more
than one credit rounded up to (payload length/64KB).
If the calculated credit number is greater than CreditCharge, the server MUST consume credits
with a value of CreditCharge and fail the request with the error code
STATUS_INVALID_PARAMETER. Otherwise, the server MUST continue processing on the packet.
If the negotiate dialect is not SMB 2.1 or the underlying TCP endpoint is not on port 445, the
CreditCharge field in the SMB header is ignored by the server. The server MUST skip the credit
number check and consume one credit.
If the server receives a request that does not conform to the structures outlined in section 2, the
server MUST fail the request, as specified in section 3.3.4.4, with the error code
STATUS_INVALID_PARAMETER. The server MAY<155> also disconnect the connection.
The server MUST disconnect without sending an error response if any of the following are true:
The ProtocolId field in the SMB2 header is not equal to 0xFE, 'S', 'M', and 'B' (in network order).
The Command code in the SMB2 header does not match one of the command codes in the SMB2
header as specified in section 2.2.1.
The server receives a request with a length less than the length of the SMB2 header as specified
in section 2.2.1.
If the NextCommand field in the SMB2 header of the request is not equal to 0, the server MUST
process the received request as a compounded series of requests. The server SHOULD<156> fail
requests in a compound chain that try to go async. There are two different styles of compounded
requests, which are described in the following sections.
197 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The server MUST handle each individual request described in the chain separately. The length of
each request is determined by the NextCommand value in the SMB2 header of the request. The
length of the final request is equal to the length between the beginning of SMB2 header and the end
of the received buffer.
If SMB2_FLAGS_RELATED_OPERATIONS is set in the Flags field of the SMB2 header of all requests
except the first one, the received requests MUST be handled as a series of compounded related
requests. If the first request has SMB2_FLAGS_RELATED_OPERATIONS set, the server
SHOULD<158> fail processing the compound chain request.
The server MUST handle each individual request that is described in the chain in order. For the first
request, the identifiers for FileId, SessionId, and TreeId MUST be taken from the received
request. For every subsequent request, the values used for FileId, SessionId, and TreeId MUST
be the ones used in processing the previous request or generated for the previous resulting
response. When all operations are complete, the responses SHOULD<159> be compounded into a
single response to return to the client.
For every request received, the server MUST locate the session, using the SessionId in the SMB2
header of the request to do a lookup on the GlobalSessionTable. If a session is found,
Session.IdleTime MUST be set to the current time. If the request does not have an SMB2 header
following the syntax specified in section 2.2.1 or no session is found, no action regarding the idle
time is taken.
If the request does not have a valid SMB2 header following the syntax specified in section 2.2.1, the
server MUST check to see if it has received an SMB_COM_NEGOTIATE as described in section 1.7.
This request is defined in [MS-SMB] section 2.2.4.5.1, with the SMB header defined in section
2.2.3.1. If the request matches the format described there, and Connection.NegotiateDialect is
0xFFFF, processing MUST continue as specified in 3.3.5.3.1. Otherwise, the server MUST disconnect
the connection without sending a response.
If the server does not support SMB 2.1, processing MUST continue as specified in 3.3.5.3.2.
198 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The server MUST set the command of the SMB2 header to SMB2 NEGOTIATE and SHOULD set the
ProcessId to 0. All other values MUST be set following the syntax specified in section 2.2.1, and
any value not defined there with a default MUST be set to 0. The header is followed by an SMB2
NEGOTIATE Response that MUST be constructed as specified in 2.2.4, with the following specific
values:
The Capabilities field MUST be set to a combination of zero or more of the following bit values:
MaxTransactSize is set to the maximum buffer size, in bytes, that this server allows on the
transport that established this connection for QUERY_INFO, QUERY_DIRECTORY, SET_INFO and
CHANGE_NOTIFY operations. This field is applicable only for buffers sent by the client in
SET_INFO requests, or returned from the server in QUERY_INFO, QUERY_DIRECTORY and
CHANGE_NOTIFY responses.<160><161>
MaxReadSize is set to the maximum size, in bytes, of the Length in an SMB2 READ Request
(2.2.19) that the server will accept on the transport that established this connection.<162>
MaxWriteSize is set to the maximum size, in bytes, of the Length in an SMB2 Write Request
(2.2.21) that the server will accept on the transport that established this connection.<163>
SystemTime is set to the current time, in FILETIME format as specified in [MS-DTYP] section
2.3.1.
SecurityBufferOffset is set to the offset to the Buffer[] field in the response, in bytes, from
the beginning of the SMB2 header.
SecurityBufferLength is set to the length of the GSS token being returned in the negotiate
response, generated as described below.
Buffer[] is filled with the GSS token being returned in the negotiate response as described
below.
The generation of the GSS token for SMB2 NEGOTIATE Response MUST be done as specified in [MS-
SPNG] 3.2.5.1. The server MUST initialize the mechanism with the Integrity, Confidentiality, and
Delegate options and use the server-initiated variation as specified in [MS-SPNG] section 3.2.5.1.
199 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The server MUST scan the dialects provided for the dialect string "SMB 2.002".<164> If the string is
present, the client understands SMB2, and the server MUST respond with an SMB2 NEGOTIATE
Response. If the string is not present in the dialect list and the server also implements SMB as
specified in [MS-SMB], it MUST terminate SMB2 processing on this connection and start SMB
processing on this connection. If the string is not present in the dialect list and the server does not
implement SMB, the server MUST disconnect the connection without sending a response.
The server MUST set the command of the SMB2 header to SMB2 NEGOTIATE and SHOULD set the
ProcessId to 0. All other values MUST be set following the syntax specified in section 2.2.1, and
any value not defined there with a default MUST be set to 0. The header is followed by an SMB2
NEGOTIATE Response that MUST be constructed as specified in section 2.2.4, with the following
specific values:
If the server supports the Distributed File System, set the SMB2_GLOBAL_CAP_DFS bit in the
Capabilities field of the negotiate response.
MaxTransactSize is set to the maximum buffer size, in bytes, that this server allows on the
transport that established this connection for QUERY_INFO, QUERY_DIRECTORY, SET_INFO and
CHANGE_NOTIFY operations. This field is applicable only for buffers sent by the client in
SET_INFO requests, or returned from the server in QUERY_INFO, QUERY_DIRECTORY and
CHANGE_NOTIFY responses.<166>
MaxReadSize is set to the maximum size, in bytes, of the Length in an SMB2 READ Request
(2.2.19) that the server will accept on the transport that established this connection.
MaxWriteSize is set to the maximum size, in bytes, of the Length in an SMB2 WRITE Request
(2.2.21) that the server will accept on the transport that established this connection.
SystemTime is set to the current time, in FILETIME format as specified in [MS-DTYP] section
2.3.1.
SecurityBufferOffset is set to the offset to the Buffer[] field in the response in bytes from the
beginning of the SMB2 header.
SecurityBufferLength is set to the length of the GSS token being returned in the negotiate
response, generated as described below.
Buffer[] is filled with the GSS token being returned in the negotiate response as described
below.
The generation of the GSS token for SMB2 NEGOTIATE Response MUST be done as specified in
[MS-SPNG] section 3.2.5.1. The server MUST initialize the mechanism with the Integrity,
200 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
When the server receives a request with an SMB2 header with a Command value equal to SMB2
NEGOTIATE, it MUST process it as follows:
If the server implements SMB2.1, the server MUST set Connection.ClientGuid to the ClientGuid
field of the SMB2 Negotiate request.
The server MUST select the greatest common dialect between the dialects it supports and the
Dialects array of the SMB2 NEGOTIATE request. If a common dialect is not found, the server MUST
fail the request with STATUS_NOT_SUPPORTED.
If a common dialect is found, the server MUST set Connection.Dialect to "2.002" or "2.100" and
Connection.NegotiateDialect to 0x0202 or 0x0210 accordingly, to reflect the dialect selected. The
server MUST then construct an SMB2 NEGOTIATE Response, as specified in section 2.2.4, with the
following specific values, and return STATUS_SUCCESS to the client.
If the server supports the Distributed File System, set the SMB2_GLOBAL_CAP_DFS bit in the
Capabilities field of the negotiate response.
MaxTransactSize is set to the maximum buffer size, in bytes, that this server allows on the
transport that established this connection for QUERY_INFO, QUERY_DIRECTORY, SET_INFO, and
CHANGE_NOTIFY operations. This field is applicable only for buffers sent by the client in
SET_INFO requests, or returned from the server in QUERY_INFO, QUERY_DIRECTORY, and
CHANGE_NOTIFY responses.
MaxReadSize is set to the maximum size, in bytes, of the Length in an SMB2 READ Request
(section 2.2.19) that the server will accept on the transport that established this connection.
MaxWriteSize is set to the maximum size, in bytes, of the Length in an SMB2 WRITE Request
(section 2.2.21) that the server will accept on the transport that established this connection.
SystemTime is set to the current time, in FILETIME format as specified in [MS-DTYP] section
2.3.1.
201 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
SecurityBufferLength is set to the length of the GSS token being returned in the negotiate
response, generated as described below.
Buffer[] is filled with the GSS token being returned in the negotiate response as described
below.
The generation of the GSS token for SMB2 NEGOTIATE Response MUST be done as specified in
[MS-SPNG] section 3.2.5.1. The server MUST initialize the mechanism with the Integrity,
Confidentiality, and Delegate options and use the server-initiated variation as specified in [MS-
SPNG] section 3.2.5.1.
The status code returned by this operation MUST be one of those defined in [MS-ERREF]. Common
status codes returned by this operation include:
STATUS_SUCCESS
STATUS_INSUFFICIENT_RESOURCES
STATUS_INVALID_PARAMETER
STATUS_NOT_SUPPORTED
When the server receives a request with an SMB2 header with a Command value equal to SMB2
SESSION_SETUP, message handling proceeds as follows:
1. If SessionId in the SMB2 header of the request is zero, the server MUST process the
authentication request as specified in section 3.3.5.5.1.
2. The server MUST look up the session in the GlobalSessionTable using the SessionId from the
SMB2 header.
3. If the session is not found, the server MUST fail the session setup request with
STATUS_USER_SESSION_DELETED. Otherwise, proceed to step 4.
4. If Session.State is Expired, the server MUST process the session setup request as specified in
section 3.3.5.5.2. Otherwise, proceed to step 5.
5. If Session.State is Valid and the server does not implement SMB 2.1, the server MUST fail the
session setup request with STATUS_REQUEST_NOT_ACCEPTED. Otherwise, proceed to step 6.
6. If Session.State is Valid and the server does implement SMB 2.1, the server MUST process the
session setup request as specified in section 3.3.5.5.2. Otherwise, proceed to step 7.
7. The server MUST continue processing the request as specified in section 3.3.5.5.3.
The status code returned by this operation MUST be one of those defined in [MS-ERREF]. Common
status codes returned by this operation include:
STATUS_LOGON_FAILURE
STATUS_INSUFFICIENT_RESOURCES
STATUS_SUCCESS
202 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
STATUS_INVALID_PARAMETER
STATUS_USER_SESSION_DELETED
STATUS_REQUEST_NOT_ACCEPTED
STATUS_PASSWORD_EXPIRED
SEC_E_INVALID_TOKEN
SEC_E_NO_CREDENTIALS
A session object MUST be allocated for this request. The session MUST be inserted into the
GlobalSessionTable and a unique Session.SessionId is assigned to serve as a lookup key in the
table. The server MUST register the session by invoking the event as specified in [MS-SRVS] section
3.1.6.3 and assign the return value to Session.SessionGlobalId. The SMB2 server MUST reserve -
1 as an invalid SessionId and 0 as a SessionId for which no session exists. The other values MUST
be initialized as follows:
The server MUST extract the GSS token from the request. The token is SecurityBufferLength
bytes in length, and located SecurityBufferOffset bytes from the beginning of the SMB2 header.
The server SHOULD use the configured authentication protocol to obtain the next GSS output token
for the authentication exchange. The input GSS token can be 0 bytes in length.<167>
If the authentication protocol indicates an error, the server MUST fail the session setup request with
the error received by placing the 32-bit NTSTATUS code received into the Status field of the SMB2
203 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The following errors can be returned by the GSS-API interface as specified in [RFC2743].
STATUS_PASSWORD_EXPIRED SHOULD be treated as GSS_S_CREDENTIALS_EXPIRED,
SEC_E_INVALID_TOKEN SHOULD be treated as GSS_S_DEFECTIVE_TOKEN, and
SEC_E_NO_CREDENTIALS SHOULD be treated as GSS_S_NO_CRED. All other errors SHOULD be
treated as a GSS_S_FAILURE error code. A detailed description of these errors is specified in [MS-
ERREF].
STATUS_DOWNGRADE_DETECTED
STATUS_NO_SUCH_LOGON_SESSION
SEC_E_WRONG_PRINCIPAL
STATUS_NO_SUCH_USER
STATUS_ACCOUNT_DISABLED
STATUS_ACCOUNT_RESTRICTION
STATUS_ACCOUNT_LOCKED_OUT
STATUS_WRONG_PASSWORD
STATUS_SMARTCARD_WRONG_PIN
STATUS_ACCOUNT_EXPIRED
STATUS_PASSWORD_EXPIRED
STATUS_INVALID_LOGON_HOURS
STATUS_INVALID_WORKSTATION
STATUS_PASSWORD_MUST_CHANGE
STATUS_LOGON_TYPE_NOT_GRANTED
STATUS_PASSWORD_RESTRICTION
STATUS_SMARTCARD_SILENT_CONTEXT
STATUS_SMARTCARD_NO_CARD
STATUS_SMARTCARD_CARD_BLOCKED
STATUS_PKINIT_FAILURE
STATUS_PKINIT_CLIENT_FAILURE
STATUS_PKINIT_NAME_MISMATCH
STATUS_NETLOGON_NOT_STARTED
STATUS_DOMAIN_CONTROLLER_NOT_FOUND
204 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
STATUS_BAD_NETWORK_PATH
STATUS_TRUST_FAILURE
STATUS_TRUSTED_RELATIONSHIP_FAILURE
STATUS_NETWORK_UNREACHABLE
SEC_E_INVALID_TOKEN
SEC_E_NO_AUTHENTICATING_AUTHORITY
SEC_E_NO_CREDENTIALS
STATUS_INTERNAL_ERROR
STATUS_NO_MEMORY
SEC_E_NOT_OWNER
SEC_E_CERT_WRONG_USAGE
SEC_E_SMARTCARD_LOGON_REQUIRED
SEC_E_SHUTDOWN_IN_PROGRESS
STATUS_LOGON_FAILURE
If the authentication protocol indicates success, the server MUST construct an SMB2
SESSION_SETUP Response, specified in section 2.2.6, as described here:
The output token received from the GSS mechanism MUST be returned in the response.
SecurityBufferLength indicates the length of the output token, and SecurityBufferOffset
indicates its offset, in bytes, from the beginning of the SMB2 header.
If the GSS mechanism indicates that this is the final message in the authentication exchange, the
following additional steps MUST be taken:
1. The status code in the SMB2 header of the response MUST be set to STATUS_SUCCESS.
3. If the security principal is an anonymous user, the server MUST set the
SMB2_SESSION_FLAG_IS_NULL flag in the SessionFlags of the SMB2 SESSION_SETUP
Response.
4. If the security principal is a guest user, the server MUST set the
SMB2_SESSION_FLAG_IS_GUEST in the SessionFlags of the SMB2 SESSION_SETUP Response.
205 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
6. If Session.ShouldSign is TRUE, the server MUST sign the final session setup response before
sending it to the client.
8. If Session.SessionKey is NULL, the server MUST query the session key for this authentication
from the underlying authentication protocol and store the session key in Session.SessionKey.
Session.SessionKey MUST be set as described in section 3.3.1.8, using the value queried from
the GSS protocol. For how this value is calculated for Kerberos authentication via GSS-API, see
[MS-KILE] section 3.1.1.2. For how this value is calculated for NTLM authentication via GSS-API,
see [MS-NLMP] section 3.1.5.1.
9. If the PreviousSessionId field of the request is not equal to zero, the server MUST take the
following actions:
1. The server MUST look up the old session based on this value. If no session is found, no other
processing is necessary.
1. If the server determines the authentications were for the same user, the server MUST
remove the old session from the GlobalSessionTable and deregister the session by
invoking event as specified in [MS-SRVS] section 3.1.6.4, providing
Session.SessionGlobalId as an input parameter. Any open in Session.OpenTable of the
old session MUST be closed and freed and each entry MUST be deregistered by invoking
event as specified in [MS-SRVS] section 3.1.6.5, providing Open.FileGlobalId as an input
parameter. Any tree connects in Session.TreeConnectTable of the old session MUST be
deregistered by invoking event as specified in [MS-SRVS] section 3.1.6.7, providing
Treeconnect.TreeGlobalId as input parameter, and each of them MUST be freed.
2. If the server determines that the authentications were for different users, the server MUST
ignore the PreviousSessionId value.
206 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The GSS-API can indicate that this is not the final message in authentication exchange using the
GSS_S_CONTINUE_NEEDED semantics as specified in [MS-SPNG] section 3.3.1. If the GSS
mechanism indicates that this is not the final message of the authentication exchange, the following
additional step MUST be taken:
The status code in the SMB2 header of the response MUST be set to
STATUS_MORE_PROCESSING_REQUIRED.
When the server receives a request with an SMB2 header with a Command value equal to SMB2
LOGOFF, message handling MUST proceed as follows.
The server MUST locate the session being logged off, using the SessionId in the SMB2 header of
the request to do a lookup on the GlobalSessionTable. If no session is found, or if
Session.Connection is not equal to the connection on which the request was received, the server
MUST fail the request with STATUS_USER_SESSION_DELETED. If Session.State is set to Expired,
the server MUST fail the request with STATUS_NETWORK_SESSION_EXPIRED. If Session.State is
set to InProgress, the server MUST fail the request with STATUS_ACCESS_DENIED.
Otherwise, the server MUST remove this session from the GlobalSessionTable, and deregister the
session by invoking event, as specified in [MS-SRVS] section 3.1.6.3, providing
Session.SessionGlobalId as input parameter. Any opens in Session.OpenTable of the old
session MUST be closed and freed, and each entry MUST be deregistered by invoking event, as
specified in [MS-SRVS] section 3.1.6.5, providing Open.FileGlobalId as input parameter. Any tree
connects in Session.TreeConnectTable of the old session MUST be deregistered by invoking
event, as specified in [MS-SRVS] section 3.1.6.7, providing Treeconnect.TreeGlobalId as input
parameter, and each of them MUST be freed. The server MUST construct an SMB2 LOGOFF
Response with a status code of STATUS_SUCCESS, following the syntax specified in section 2.2.8,
and send it to the client. The session itself is then freed.
The status code returned by this operation MUST be one of those defined in [MS-ERREF]. Common
status codes returned by this operation include:
STATUS_SUCCESS
STATUS_USER_SESSION_DELETED
STATUS_INVALID_PARAMETER
STATUS_NETWORK_SESSION_EXPIRED
STATUS_ACCESS_DENIED
When the server receives a request with an SMB2 header with a Command value equal to SMB2
TREE_CONNECT, message handling proceeds as follows:
The server MUST locate the authenticated session that is attempting to connect to a share by
looking up the session object in GlobalSessionTable using the SessionId provided in the SMB2
header of the request. If the session is not found, or if Session.Connection of the session found is
not the same as the connection on which this request was received, the server MUST fail the request
207 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The server MUST provide <server name, share name> parsed from request message to invoke
event as specified in [MS-SRVS] section 3.1.6.8 and get the updated server name. The server MUST
use <updated server name, share name> to lookup the Share in ShareList. If no share with a
matching share name and server name is found, the server MUST fail the request with
STATUS_BAD_NETWORK_NAME. If a share is found, the server MUST determine whether the user
represented by Session.SecurityContext should be granted access based on the authorization
policy specified in Share.ConnectSecurity. If the server determines that access should not be
granted, the server MUST fail the request with STATUS_ACCESS_DENIED. If Share.CurrentUses is
equal to or greater than Share.MaxUses, the server MUST fail the request with
STATUS_REQUEST_NOT_ACCEPTED. Otherwise, the server MUST allocate a tree connect object and
insert it into Session.TreeConnectTable. The server MUST register TreeConnect by invoking the
event as specified in [MS-SRVS] section 3.1.6.6 and assign the return value to
TreeConnect.TreeGlobalId. The other initial values MUST be set as follows:
TreeConnect.TreeId MUST be set to a value generated to uniquely identify this tree connect in
the Session.TreeConnectTable. The SMB2 server MUST reserve -1 for invalid TreeId.
The tree connect response MUST be constructed following the syntax specified in section 2.2.12, as
described here:
The server MUST set the SHI1005_FLAGS_DFS bit if the per-share property Share.IsDfs is
TRUE, indicating that the share is part of a DFS namespace.
The server MUST set the SHI1005_FLAGS_DFS_ROOT bit if the share is a DFS root.
208 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
If this share provides access to named pipes, ShareType MUST be set to
SMB2_SHARE_TYPE_PIPE.
The status code returned by this operation MUST be one of those defined in [MS-ERREF]. Common
status codes returned by this operation include:
STATUS_SUCCESS
STATUS_ACCESS_DENIED
STATUS_INSUFFICIENT_RESOURCES
STATUS_BAD_NETWORK_NAME
STATUS_INVALID_PARAMETER
STATUS_USER_SESSION_DELETED
STATUS_NETWORK_SESSION_EXPIRED
When the server receives a request with an SMB2 header having a Command value equal to SMB2
TREE_DISCONNECT, message handling proceeds as follows:
Session Verification:
The server MUST locate the session, using the SessionId in the SMB2 header of the request to do a
lookup on the GlobalSessionTable. If no session is found, or if Session.Connection is not equal
to the connection on which the request was received, the server MUST fail the request with
STATUS_USER_SESSION_DELETED. If Session.State is set to Expired, the server MUST fail the
request with STATUS_NETWORK_SESSION_EXPIRED. If Session.State is set to InProgress, the
server MUST fail the request with STATUS_ACCESS_DENIED.
The server MUST locate the tree connection being disconnected using the TreeId in the SMB2
header of the request to do a lookup in Session.TreeConnectTable. If no tree connect is found,
the server MUST fail the request with STATUS_NETWORK_NAME_DELETED.
209 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The server MUST enumerate all the TreeConnects in TreeConnectList as specified in [MS-SRVS]
section 3.1.1.1. For any TreeConnect that is equal to the tree connect being disconnected, it MUST
be removed from TreeConnectList.
The status code returned by this operation MUST be one of those defined in [MS-ERREF]. Common
status codes returned by this operation include:
STATUS_SUCCESS
STATUS_INSUFFICIENT_RESOURCES
STATUS_USER_SESSION_DELETED
STATUS_NETWORK_NAME_DELETED
STATUS_INVALID_PARAMETER
STATUS_NETWORK_SESSION_EXPIRED
STATUS_ACCESS_DENIED
When the server receives a request with an SMB2 header with a Command value equal to SMB2
CREATE, message handling proceeds as described in the following sections.
Session Verification:
The server MUST locate the session performing the create, using the SessionId in the SMB2 header
of the request to do a lookup on the GlobalSessionTable. If no session is found, or if
Session.Connection is not equal to the connection on which the request was received, the server
MUST fail the request with STATUS_USER_SESSION_DELETED. If Session.State is set to Expired,
the server MUST fail the request with STATUS_NETWORK_SESSION_EXPIRED. If Session.State is
set to InProgress, the server MUST fail the request with STATUS_ACCESS_DENIED.
The server MUST locate the tree connection used in the create using the TreeId in the SMB2 header
of the request to do a lookup in Session.TreeConnectTable. If no tree connect is found, the
request MUST be failed with STATUS_NETWORK_NAME_DELETED.
The server MUST verify the request size. If the size of the SMB2 CREATE Request (excluding the
SMB2 header) is less than specified in the StructureSize field, then the request MUST be failed
with STATUS_ INVALID_PARAMETER.
210 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
If the normalization fails with STATUS_PATH_NOT_COVERED (the path contains or matches a DFS
link) and if FILE_OPEN_REPARSE_POINT flag was specified in the CreateOptions field of the
request, the server SHOULD<168> attempt to open the underlying file or directory and return a
handle to it. If normalization fails with any other error, the server MUST fail the create request with
the error code returned by the DFS normalization routine.
If the normalization procedure succeeds, returning an altered target name, the modified name MUST
be used for further operations.
If the file name length is greater than zero and the first character is a separator character, the
server MUST fail the request with STATUS_OBJECT_NAME_INVALID. If the file name fails to conform
with the specification of a relative pathname in [MS-FSCC] section 2.1.5, the server MUST fail the
request with STATUS_OBJECT_NAME_INVALID.
If any flags other than those defined in [MS-FSCC] section 2.6 are set in the FileAttributes field of
the request packet, the server MUST fail the request with STATUS_INVALID_PARAMETER.
If any of the bits in the mask 0x0CE0FE00 are set in the DesiredAccess field, the server
SHOULD<169> fail the create request with STATUS_ACCESS_DENIED.
If the share that is the target of the create request is a printer, the server MUST validate the
DesiredAccess and CreateDisposition fields of the request. If the DesiredAccess value does not
include one or more of the FILE_WRITE_DATA, FILE_APPEND_DATA, or GENERIC_WRITE bits, the
server SHOULD<170> fail the request with STATUS_NOT_SUPPORTED. If the DesiredAccess value
contains any other bits, the server MUST fail the request with STATUS_NOT_SUPPORTED. If the
CreateDisposition value is other than FILE_CREATE, the server SHOULD<171> fail the request
with STATUS_OBJECT_NAME_NOT_FOUND.
If any intermediate component of the path specified in the create request is a symbolic link, the
server MUST return an error as specified in section 2.2.2.1. Symbolic links MUST NOT be evaluated
by the server.
If the final component of the path is a symbolic link, the server behavior depends on whether the
flag FILE_OPEN_REPARSE_POINT was specified in the CreateOptions field of the request. If
FILE_OPEN_REPARSE_POINT was specified, the server MUST open the underlying file or directory
and return a handle to it. Otherwise, the server MUST return an error as specified in section 2.2.2.1.
The description contained here is for a generic create operation. Sections 3.3.5.9.1 through
3.3.5.9.7 detail server behavior when various create contexts are provided in the request, and
describe how that affects server operation.
The server SHOULD<172> fail any request having a create context not specified in 2.2.13.2, with a
STATUS_INVALID_PARAMETER error.
Open Execution:
If the FILE_DELETE_ON_CLOSE flag is set in CreateOptions, and the DELETE flag is not set in
DesiredAccess, the server MUST fail the operation with STATUS_INVALID_PARAMETER.
211 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
If the underlying object store returns a failure indicating that the attempted open operation failed
due to the presence of a symbolic link in the target path name, the server MUST fail the create
operation with the error code STATUS_STOPPED_ON_SYMLINK, and pass back the error to the client
by constructing an error response as specified in section 2.2.2.1.<174>
If the open is successful, the server MUST allocate an open object for this open and insert it into
Session.OpenTable and GlobalOpenTable. The server MUST also register the Open by invoking
event as specified in [MS-SRVS] section 3.1.6.4 and assign the return value to Open.FileGlobalId.
The other initial values MUST be set as follows:
Open.Connection is set to refer to the connection on which the open request was received.
Open.LocalOpen is set to the open of the object in the local resource received as part of the
local create operation.
Open.GrantedAccess is the access granted to the caller for the open by the underlying object
store. It MUST be equal to the DesiredAccess specified in the request, except in the case where
MAXIMUM_ALLOWED is included in the DesiredAccess.
Open.OplockTimeout is set to 0.
Open.DurableOpenTimeout is set to 0.
Open.EnumerationLocation is set to 0.
212 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
Open.CurrentQuotaIndex is set to 1.
Open.TreeConnect is set to refer to the TreeConnect on which the open request was
performed and Open.TreeConnect.OpenCount MUST be increased by 1.
Open.LockCount is set to 0.
Open.PathName is set to the full local path that the current open is performed on.
If the server implements SMB 2.1 and supports leasing, the server MUST initialize the following:
Oplock Acquisition:
If the server does not implement SMB 2.1 or does not support leasing, and RequestedOplockLevel
is set to SMB2_OPLOCK_LEVEL_LEASE, the request MUST be failed with STATUS_NOT_SUPPORTED.
If the server implements SMB 2.1 and supports leasing, and the RequestedOplockLevel is set to
SMB2_OPLOCK_LEVEL_LEASE, the server MUST attempt to acquire a lease on the open from the
underlying object store as described in section 3.3.5.9.8.
Otherwise, if the open is successful, the shared resource is not a named pipe, and the
RequestedOplockLevel is not SMB2_OPLOCK_LEVEL_NONE, the server MUST attempt to acquire
an opportunistic lock on the open from the underlying object store.<175> If the underlying object
store grants the oplock, then Open.OplockState is set to Held and Open.OplockLevel is set to
the level of the oplock acquired.
Response Construction:
The server MUST construct a response following the syntax specified in section 2.2.14. The values
MUST be set as follows:
CreateAction is set to the action taken by the create following the syntax specified in section
2.2.14.
CreationTime is set to the value queried from the object store for when the object was
created.<176>
LastAccessTime is set to the value queried from the object store for when the object was last
accessed.<177>
LastWriteTime is set to the value queried from the object store for when the object was last
written to.<178>
ChangeTime is set to the value queried from the object store for when the object was last
modified, including attribute changes.<179>
213 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
EndofFile is set to the size of the main stream of the object in bytes.<182> For named pipes
this value SHOULD be 0.<183>
FileAttributes MUST be set to the attributes of the object following the syntax specified in
section 2.2.14.<184>
The status code returned by this operation MUST be one of those defined in [MS-ERREF]. Common
status codes returned by this operation include:
STATUS_SUCCESS
STATUS_INSUFFICIENT_RESOURCES
STATUS_ACCESS_DENIED
STATUS_OBJECT_NAME_NOT_FOUND
STATUS_INVALID_PARAMETER
STATUS_STOPPED_ON_SYMLINK
STATUS_USER_SESSION_DELETED
STATUS_NETWORK_NAME_DELETED
STATUS_NETWORK_SESSION_EXPIRED
STATUS_NOT_SUPPORTED
STATUS_EAS_NOT_SUPPORTED
STATUS_DISK_FULL
STATUS_FILE_CLOSED
The following create contexts are potentially received as part of the create request. In each
subsection, handling this create context is outlined. Any combination of the create contexts listed in
the following sections is valid, with the following exception:
The client is requesting that an array of extended attributes be applied to the file that is being
created. This create context MAY be combined with any of those listed here except
SMB2_CREATE_DURABLE_HANDLE_RECONNECT.
214 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
In the "Open Execution" phase, the server MUST pass the received extended attributes array to the
underlying object store to be stored on the created file.<185> If the object store does not support
extended attributes, the server MUST fail the open request with STATUS_EAS_NOT_SUPPORTED.
The client is requesting that a specific security descriptor be applied to the file that is being created.
This create context can be combined with any of those listed here except
SMB2_CREATE_DURABLE_HANDLE_RECONNECT.
In the "Open Execution" phase, the server MUST pass the received security descriptor to the
underlying object store to be stored on the created file.<186> If the object store does not support
file security, the value MAY<187> be ignored or STATUS_NOT_SUPPORTED SHOULD be returned to
the client.
The client is requesting that a specific allocation size be set for the file that is being created. This
create context can be combined with any of those listed here except
SMB2_CREATE_DURABLE_HANDLE_RECONNECT. The server SHOULD support this create context
request.<188> If the server does not support it, the SMB2_CREATE_ALLOCATION_SIZE create
context request MUST be ignored.
In the "Open Execution" phase, the server MUST pass the received allocation size to the underlying
object store to reserve the requested space for the created file.<189> If the object store does not
have sufficient space available to hold a file of the requested size, the server MUST fail the open
request with STATUS_DISK_FULL.
The client is requesting that the create operation be performed on a snapshot of the underlying
object store taken at a previous time. This create context can be combined with any of those listed
here except SMB2_CREATE_DURABLE_HANDLE_RECONNECT.
In the "Path Name Validation" phase, the server MUST verify that a snapshot of the underlying
object store at the time stamp provided in the create context exists.<190> If it does not, the server
MUST fail the request with STATUS_OBJECT_NAME_NOT_FOUND.
In the "Open Execution" phase, the server MUST perform the open on the snapshot of the
underlying object store taken at the time specified, instead of using the current view of the object
store.<191>
The client is requesting that the server return maximal access information for the open if the last
modified time for the file, as returned by the underlying object store, is not equal to the time stamp
215 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
In the "Response Construction" phase, if the LastModifiedTime is not equal to the time received in
the request create context, the server MUST calculate the maximal access that the user identified by
Session.SecurityContext has on the object that was opened.<192> It must construct a response
create context, following the syntax specified in section 2.2.14.2.5, and include it in the buffer
described by the response CreateContextLength and CreateContextOffset.
If the LastModifiedTime is equal to the time received in the request create context, then the
server MUST NOT calculate or append the maximal access information to the response.
The client is requesting that the open be marked for durable operation. This create context can be
combined with any of those listed here except SMB2_CREATE_DURABLE_HANDLE_RECONNECT.
In the "Successful Open Initialization" phase, the server MUST set Open.IsDurable to TRUE. This
permits the client to use Open.DurableFileId to request a reopen of the file on a subsequent
request as specified in section 3.3.5.9.7. The server MUST also set Open.DurableOwner to a
security descriptor accessible only by the user represented by Open.Session.SecurityContext.
The client is requesting a reconnect to an existing durable or resilient open. If the server supports
leasing, this create context SHOULD only be combined with an SMB2_CREATE_LEASE_REQUEST
create context. Otherwise, this create context SHOULD NOT be combined with any other create
context.
There is no processing done for "Path Name Validation" or "Open Execution" as listed in the section
above.
1. The server MUST look up an existing open in the GlobalOpenTable by doing a lookup with the
FileId.Persistent portion of the create context.
2. If the lookup fails, the server MUST fail the request with STATUS_OBJECT_NAME_NOT_FOUND
and proceed as specified in "Failed Open Handling" in section 3.3.5.9.
5. If the server implements SMB 2.1 and supports leasing, and Open.Lease is not NULL, and
Lease.LeaseKey does not match the LeaseKey provided in an SMB2_CREATE_LEASE_REQUEST
216 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
7. The server MUST set the Open.Connection to refer to the connection that received this request.
8. The server MUST regenerate Open.FileId (the volatile portion of the SMB2_FILEID).
9. The server MUST insert the open into the Session.OpenTable with the Open.FileId as the new
key.
10.The "Successful Open Initialization" and "Oplock Acquisition" phases MUST be skipped, and
processing MUST continue as specified in "Response Construction."
If the server does not implement SMB 2.1 and support leasing, or Connection.Dialect is not equal
to "2.100" or if the RequestedOplockLevel is not SMB2_OPLOCK_LEVEL_LEASE, the server MUST
ignore the SMB2_CREATE_REQUEST_LEASE Create Context request.
In the "Path Name Validation" phase, the server MUST attempt to locate a Lease Table by
performing a lookup in GlobalLeaseTableList using Connection.ClientGuid as the lookup key. If
no LeaseTable is found, one MUST be allocated and the following values set:
If the allocation fails, the create request MUST be failed with STATUS_INSUFFICIENT_RESOURCES.
The server MUST attempt to locate a Lease by performing a lookup in the LeaseTable.LeaseList
using the LeaseKey in the SMB2_CREATE_REQUEST_LEASE as the lookup key. If a lease is found
but Lease.Filename does not match the file name for the incoming request, the request MUST be
failed with STATUS_INVALID_PARAMETER.
If no lease is found, one MUST be allocated with the following values set:
217 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
Lease.LeaseBreakTimeout is set to 0.
If the allocation fails, the create request MUST be failed with STATUS_INSUFFICIENT_RESOURCES.
Otherwise, if a LeaseTable was created it MUST be added to the GlobalLeaseTableList, and if a
Lease was created it MUST be added to the LeaseTable.LeaseList.
At this point, execution of create continues as described in 3.3.5.9 until the Oplock Acquisition
phase.
During "Oplock Acquisition", if the underlying object store does not support leasing, the server
SHOULD fall back to requesting a batch oplock instead of a lease and continue processing as
described in "Oplock Acquisition". If the underlying object store does support leasing, the following
steps are taken:
The server MUST set Open.OplockState to Lease, set Open.Lease to a reference to Lease, set
Open.OplockLevel to SMB2_OPLOCK_LEVEL_LEASE, and add Open to Lease.LeaseOpens. The
remainder of open response construction continues as described in "Response Construction."
218 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
When the server receives a request with an SMB2 header with a Command value equal to SMB2
CLOSE, message handling proceeds as follows:
The server MUST locate the session that is taking the action, using the SessionId in the SMB2
header of the request to do a lookup on the GlobalSessionTable. If no session is found, or if
Session.Connection is not equal to the connection on which the request was received, the server
MUST fail the request with STATUS_USER_SESSION_DELETED. If Session.State is set to Expired,
the server MUST fail the request with STATUS_NETWORK_SESSION_EXPIRED. If Session.State is
set to InProgress, the server MUST fail the request with STATUS_ACCESS_DENIED.
Next, the server MUST locate the tree connect by performing a lookup in the
Session.TreeConnectTable, using the TreeId in the SMB2 header of the request. If no tree
connect is found, the server MUST fail the request with STATUS_NETWORK_NAME_DELETED.
Next, the server MUST locate the open being closed by performing a lookup in the
Session.OpenTable, using FileId.Volatile of the request as the lookup key. If no open is found, or
if Open.DurableFileId is not equal to FileId.Persistent, the server MUST fail the request with
STATUS_FILE_CLOSED.
The server MUST provide Open.FileGlobalId as the input parameter and deregister the Open by
invoking the event as specified in [MS-SRVS] section 3.1.6.5. The server MUST remove the open
from both Session.OpenTable and the GlobalOpenTable, close the underlying
Open.LocalOpen.<194> Open.TreeConnect.OpenCount MUST be decreased by 1. If the server
implements SMB 2.1 and supports leasing, and Open.Lease is not NULL, the server MUST remove
the open from Lease.LeaseOpens. If LeaseOpens is now empty, the following steps MUST be
taken:
If Lease.Breaking is TRUE, the server MUST complete the lease break to the underlying object
store with NONE as the new lease state,<195> and Lease.LeaseState MUST be set to NONE.
If SMB2_CLOSE_FLAG_POSTQUERY_ATTRIB is set in the Flags field of the request, the server MUST
query the attributes of the file after the close.<196> This gives the client the attributes that have
been updated to take into account any cached writes or extends that may have happened. The
attributes that MUST be queried are the creation time, last access time, last write time, change
time, allocation size in bytes, end of file in bytes, and file attributes.
The server then MUST construct the response following the syntax specified in section 2.2.16. The
values MUST be set as follows:
If the attributes of the file were requested and can be fetched, the server MUST set the Flags
field to SMB2_CLOSE_FLAG_POSTQUERY_ATTRIB. Otherwise Flags MUST be set to 0.
219 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The status code returned by this operation MUST be one of those defined in [MS-ERREF]. Common
status codes returned by this operation include:
STATUS_SUCCESS
STATUS_INSUFFICIENT_RESOURCES
STATUS_FILE_CLOSED
STATUS_NETWORK_NAME_DELETED
STATUS_USER_SESSION_DELETED
STATUS_INVALID_PARAMETER
STATUS_NETWORK_SESSION_EXPIRED
STATUS_ACCESS_DENIED
When the server receives a request with an SMB2 header with a Command value equal to SMB2
FLUSH, message handling proceeds as follows:
The server MUST locate the session that is taking the action, using the SessionId in the SMB2
header of the request to do a lookup on the GlobalSessionTable. If no session is found, or if
Session.Connection is not equal to the connection on which the request was received, the server
MUST fail the request with STATUS_USER_SESSION_DELETED. If Session.State is set to Expired,
the server MUST fail the request with STATUS_NETWORK_SESSION_EXPIRED. If Session.State is
set to InProgress, the server MUST fail the request with STATUS_ACCESS_DENIED.
Next, the server MUST locate the tree connect by performing a lookup in the
Session.TreeConnectTable, using the TreeId in the SMB2 header of the request. If no tree
connect is found, the server MUST fail the request with STATUS_NETWORK_NAME_DELETED.
Next the server MUST locate the open being flushed by performing a lookup in the
Session.OpenTable, using the FileId.Volatile of the request as the lookup key. If no open is
found, or if Open.DurableFileId is not equal to FileId.Persistent, the server MUST fail the
request with STATUS_FILE_CLOSED.
The server MUST issue a request to the underlying object store to flush any cached data for
Open.LocalOpen.<197> If this is a file, the object store MUST propagate any cached data to
persistent storage. If this is a named pipe, the server MUST wait for all data written to the pipe to
be consumed by a reader. This operation MUST block until the flush is complete. (The server
SHOULD<198> choose to handle this request asynchronously, as specified in section 3.3.4.2.)
If the operation succeeds, the server MUST initialize a response following the syntax specified in
section 2.2.18.
If the operation fails, the server MUST return the error code to the client.
The status code returned by this operation MUST be one of those defined in [MS-ERREF]. Common
status codes returned by this operation include:
STATUS_SUCCESS
220 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
STATUS_ACCESS_DENIED
STATUS_FILE_CLOSED
STATUS_NETWORK_NAME_DELETED
STATUS_USER_SESSION_DELETED
STATUS_NETWORK_SESSION_EXPIRED
STATUS_INVALID_PARAMETER
STATUS_PIPE_BROKEN
STATUS_DISK_FULL
STATUS_CANCELLED
When the server receives a request with an SMB2 header with a Command value equal to SMB2
READ, message handling proceeds as follows:
The server MUST locate the session that is taking the action, using the SessionId in the SMB2
header of the request to do a lookup on the GlobalSessionTable. If no session is found, or if
Session.Connection is not equal to the connection on which the request was received, the server
MUST fail the request with STATUS_USER_SESSION_DELETED. If Session.State is set to Expired,
the server MUST fail the request with STATUS_NETWORK_SESSION_EXPIRED. If Session.State is
set to InProgress, the server MUST fail the request with STATUS_ACCESS_DENIED.
Next the server MUST locate the tree connect by performing a lookup in the
Session.TreeConnectTable, using the TreeId in the SMB2 header of the request. If no tree
connect is found, the server MUST fail the request with STATUS_NETWORK_NAME_DELETED.
Next the server MUST locate the open that is being read from, by performing a lookup in the
Session.OpenTable, using the FileId.Volatile of the request as the lookup key. If no open is
found, or if Open.DurableFileId is not equal to FileId.Persistent, the server MUST fail the
request with STATUS_FILE_CLOSED.
If Open.GrantedAccess does not allow for FILE_READ_DATA, the request MUST be failed with
STATUS_ACCESS_DENIED.
The server MUST validate that the length to read is within its configured maximum read size. If not,
it SHOULD<199> fail the request with STATUS_INVALID_PARAMETER.
If the negotiate dialect is SMB 2.1 and the underlying TCP endpoint is on port 445 and the
CreditCharge field in the SMB2 header is not zero, the server MUST validate CreditCharge based
on Length, as specified in section 3.3.5.2.4. If the validation fails, it MUST fail the read request with
STATUS_INVALID_PARAMETER.
The server MUST return STATUS_FILE_LOCK_CONFLICT if the read is to a region that is exclusively
locked by another open.
The server MUST issue a read to the underlying object store represented by Open.LocalOpen for
the length, in bytes, given by Length, at the offset, in bytes, from the beginning of the file,
provided in Offset.<200>
221 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
If the read fails, the server MUST fail the request using the error code received from the read
operation. If the read returns fewer bytes than specified by the MinimumCount field of the
request, the server MUST fail the request with STATUS_END_OF_FILE.
If the read succeeds, the server MUST construct a read response following the syntax specified in
section 2.2.20 with the following values:
DataOffset MUST be set to the offset into the response in bytes from the beginning of the SMB2
header where the data is located.
The status code returned by this operation MUST be one of those defined in [MS-ERREF]. Common
status codes returned by this operation include:
STATUS_SUCCESS
STATUS_INSUFFICIENT_RESOURCES
STATUS_ACCESS_DENIED
STATUS_FILE_CLOSED
STATUS_NETWORK_NAME_DELETED
STATUS_USER_SESSION_DELETED
STATUS_NETWORK_SESSION_EXPIRED
STATUS_INVALID_PARAMETER
STATUS_END_OF_FILE
STATUS_PIPE_BROKEN
STATUS_BUFFER_OVERFLOW
STATUS_CANCELLED
STATUS_FILE_LOCK_CONFLICT
222 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
When the server receives a request with an SMB2 header with a Command value equal to SMB2
WRITE, message handling proceeds as follows:
The server MUST locate the session that is taking the action, using the SessionId in the SMB2
header of the request to do a lookup on the GlobalSessionTable. If no session is found, or if
Session.Connection is not equal to the connection on which the request was received, the server
MUST fail the request with STATUS_USER_SESSION_DELETED. If Session.State is set to Expired,
the server MUST fail the request with STATUS_NETWORK_SESSION_EXPIRED. If Session.State is
set to InProgress, the server MUST fail the request with STATUS_ACCESS_DENIED.
Next the server MUST locate the tree connect by performing a lookup in the
Session.TreeConnectTable, using the TreeId in the SMB2 header of the request. If no tree
connect is found, the server MUST fail the request with STATUS_NETWORK_NAME_DELETED.
Next the server MUST locate the open being written to by performing a lookup in the
Session.OpenTable, using FileId.Volatile of the request as the lookup key. If no open is found, or
if Open.DurableFileId is not equal to FileId.Persistent, the server MUST fail the request with
STATUS_FILE_CLOSED.
If the range being written to is within the existing file size and Open.GrantedAccess does not
include FILE_WRITE_DATA, or if the range being written to extends the file size and
Open.GrantedAccess does not include FILE_APPEND_DATA, the server SHOULD<203> fail the
request with STATUS_ACCESS_DENIED.
The server MUST validate that the length to write is within its configured maximum write size. If
not, it SHOULD<204> fail the request with STATUS_INVALID_PARAMETER.
If the negotiate dialect is SMB 2.1 and the underlying TCP endpoint is on port 445 and the
CreditCharge field in the SMB2 header is not zero, the server MUST validate CreditCharge based
on Length, as specified in section 3.3.5.2.4. If the validation fails, it MUST fail the write request
with STATUS_INVALID_PARAMETER.
The server MUST issue a write to the underlying object store represented by Open.LocalOpen for
the length, in bytes, given by Length, at the offset, in bytes, from the beginning of the file,
provided in Offset. If SMB 2.1 is supported, and SMB2_WRITEFLAG_WRITE_THROUGH is set in the
Flags field of the SMB2 WRITE Request, the server SHOULD<205> indicate to the underlying object
store that the write is to be written to persistent storage before completion is returned.
If the write is being executed on a named pipe, and the pipe is in blocking mode (the default), the
operation could block for a long time, so the server MAY<206> be required to handle it
asynchronously, as specified in section 3.3.4.2. To query a pipe's blocking mode, use the
FilePipeInformation file information class, as specified in [MS-FSCC] section 2.4.29. To change a
pipe's blocking mode, use an SMB2 SMB2 SET_INFO Request with the FilePipeInformation file
information class, as specified in [MS-FSCC] section 2.4.29.
The server MUST return STATUS_FILE_LOCK_CONFLICT if the write is to a region that is locked by
another open.
If the write fails, the server MUST fail the request with the error code received from the write.
If the write succeeds, the server MUST construct a write response following the syntax specified in
section 2.2.22 with the following values:
223 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The status code returned by this operation MUST be one of those defined in [MS-ERREF]. Common
status codes returned by this operation include:
STATUS_SUCCESS
STATUS_INSUFFICIENT_RESOURCES
STATUS_ACCESS_DENIED
STATUS_FILE_CLOSED
STATUS_NETWORK_NAME_DELETED
STATUS_USER_SESSION_DELETED
STATUS_NETWORK_SESSION_EXPIRED
STATUS_INVALID_PARAMETER
STATUS_PIPE_BROKEN
STATUS_DISK_FULL
STATUS_CANCELLED
STATUS_FILE_LOCK_CONFLICT
When the server receives a request with an SMB2 header with a Command value equal to SMB2
LOCK, message handling proceeds as follows:
The server MUST locate the session that is taking the action, using the SessionId in the SMB2
header of the request to do a lookup on the GlobalSessionTable. If no session is found, or if
Session.Connection is not equal to the connection on which the request was received, the server
MUST fail the request with STATUS_USER_SESSION_DELETED. If Session.State is set to Expired,
the server MUST fail the request with STATUS_NETWORK_SESSION_EXPIRED. If Session.State is
set to InProgress, the server MUST fail the request with STATUS_ACCESS_DENIED.
Next, the server MUST locate the tree connect by performing a lookup in the
Session.TreeConnectTable, using the TreeId in the SMB2 header of the request. If no tree
connect is found, the server MUST fail the request with STATUS_NETWORK_NAME_DELETED.
Next, the server MUST locate the open on which the client is requesting a lock or unlock by
performing a lookup in the Session.OpenTable, using the FileId.Volatile of the request as the
lookup key. If no open is found, or if Open.DurableFileId is not equal to FileId.Persistent, the
server MUST fail the request with STATUS_FILE_CLOSED.
224 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
1. The server MUST compute ((LockSequence >> 4)-1) to use as an index into
Open.LockSequenceArray[] in order to locate the sequence number entry (1 byte). If the
index exceeds the maximum extent of the Open.LockSequenceArray[], the server MUST skip
step 2 and continue lock/unlock processing.
2. The server MUST take the 4 least significant bits as the lock sequence number and compare to
the entry retrieved from step 1. If the sequence numbers are equal, the server MUST complete
the lock/unlock request with success. Otherwise, the server MUST reset the entry value to be
0xFF and continue lock/unlock processing.
If the flags of the initial SMB2_LOCK_ELEMENT in the Locks array of the request has
SMB2_LOCKFLAG_UNLOCK set, the server MUST process the lock array as a series of unlocks.
Otherwise, it MUST process the lock array as a series of lock requests.
The status code returned by this operation MUST be one of those defined in [MS-ERREF]. Common
status codes returned by this operation include:
STATUS_SUCCESS
STATUS_INSUFFICIENT_RESOURCES
STATUS_ACCESS_DENIED
STATUS_FILE_CLOSED
STATUS_NETWORK_NAME_DELETED
STATUS_USER_SESSION_DELETED
STATUS_NETWORK_SESSION_EXPIRED
STATUS_INVALID_PARAMETER
STATUS_FILE_LOCK_CONFLICT
STATUS_CANCELLED
STATUS_LOCK_NOT_GRANTED
The server MUST issue the byte-range unlock request to the underlying object store using
Open.LocalOpen, and passing the Offset and Length (in bytes) from the SMB2_LOCK_ELEMENT
entry.<208> If the unlock operation fails, the server MUST fail the operation with the error code
received from the object store and stop processing further entries in the Locks array.
225 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
If the unlock operation succeeds, and there are no remaining entries in the Locks array, and the
negotiate dialect is SMB 2.1, the server supports leasing, and Open.IsResilient is TRUE, the server
MUST set the lock sequence number in Open.LockSequenceArray[] through the following steps to
indicate the unlock request with LockSequence has been successfully processed by the server:
1. The server MUST compute ((LockSequence >> 4)-1) to use as an index into
Open.LockSequenceArray[] in order to locate the sequence number entry (1 byte). If the
index exceeds the maximum extent of the Open.LockSequenceArrary[], the server MUST skip
step 2 and continue unlock processing.
2. The server MUST take the 4 least significant bits as the lock sequence number and save it into
the corresponding entry located from step 1.
If the unlock operation succeeds and there are no remaining entries in the Locks array, the server
initializes an SMB2 LOCK Response following the syntax specified in section 2.2.27, which then
MUST be sent to the client.
If the Locks array has more than one entry and the Flags field in any of these entries does not
have SMB2_LOCKFLAG_FAIL_IMMEDIATELY set, the server SHOULD<209> fail the request with
STATUS_INVALID_PARAMETER. For combinations of Lock Flags other than those that are defined in
the Flags field of section 2.2.26.1, the server SHOULD fail the request with
STATUS_INVALID_PARAMETER.
The server MUST issue a byte-range lock request to the underlying object store using
Open.LocalOpen and passing the Offset and Length (in bytes) from the SMB2_LOCK_ELEMENT
entry.<210> If SMB2_LOCKFLAG_SHARED_LOCK is set, the lock MUST be acquired in a manner
that allows read operations and other shared lock operations from other opens, but disallows writes
to the region specified by the lock. If SMB2_LOCKFLAG_EXCLUSIVE_LOCK is set, the lock MUST be
acquired in a manner that does not allow read, write, or lock operations from other opens for the
range specified.<211>
If the range being locked is already locked by another open in a way that does not allow this open to
take a lock on the range, and if SMB2_LOCKFLAG_FAIL_IMMEDIATELY is set, the server MUST fail
the request with STATUS_LOCK_NOT_GRANTED. Otherwise, the server MUST wait for the range in
question to become available before completing the request.
If the lock operation fails, the server MUST unlock any ranges locked as part of processing the
previous entries in the Locks array of this request. It MUST stop processing any remaining entries
in the Locks array and MUST fail the operation with the error code received from the lock operation.
If the lock operation succeeds, the server MUST increase Open.LockCount by 1. If there are
remaining entries in the Locks array, the server MUST continue processing the next entry in the
Locks array as described previously.
If the lock operation succeeds, and there are no remaining entries in the Locks array, and the
negotiate dialect is SMB 2.1, the server supports leasing, and Open.IsResilient is TRUE, the server
MUST set the lock sequence number in Open.LockSequenceArray[] through the following steps to
indicate the lock request with LockSequence has been successfully processed by the server:
226 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
2. The server MUST take the 4 least significant bits as the lock sequence number and save it into
the corresponding entry located from step 1.
If the lock operation succeeds and there are no remaining entries in the Locks array, the server
MUST construct an SMB2_RESP_LOCK Response following the syntax specified in section 2.2.27,
which is then sent to the client.
When the server receives a request with an SMB2 header with a Command value equal to SMB2
IOCTL, message handling proceeds as follows:
The server MUST locate the session that is taking the action, using the SessionId in the SMB2
header of the request to do a lookup on the GlobalSessionTable. If no session is found, or if
Session.Connection is not equal to the connection on which the request was received, the server
MUST fail the request with STATUS_USER_SESSION_DELETED. If Session.State is set to Expired,
the server MUST fail the request with STATUS_NETWORK_SESSION_EXPIRED. If Session.State is
set to InProgress, the server MUST fail the request with STATUS_ACCESS_DENIED.
Next, the server MUST locate the tree connect by performing a lookup in the
Session.TreeConnectTable, using the TreeId in the SMB2 header of the request. If no tree
connect is found, the server MUST fail the request with STATUS_NETWORK_NAME_DELETED.
If the Flags field of the request is not SMB2_0_IOCTL_IS_FSCTL the server MUST fail the request
with STATUS_NOT_SUPPORTED.
For CtlCode values other than FSCTL_DFS_GET_REFERRALS and FSCTL_PIPE_WAIT the server
MUST locate the open on which the client is requesting the operation by performing a lookup in
Session.OpenTable using the FileId.Volatile field of the request as the lookup key. If no open is
found or if Open.DurableFileId is not equal to FileId.Persistent, the server MUST fail the request
with STATUS_FILE_CLOSED.
Note that any padding inserted in the response message between the input buffer and output buffer,
to align the output buffer to an 8-byte boundary if necessary, is not included in the size of either the
input or the output buffer.
The server MUST NOT return an output buffer containing more bytes of data than the
MaxOutputResponse value specified by the client. If the underlying object store indicates an
insufficient buffer passed in with STATUS_BUFFER_OVERFLOW, the server SHOULD set the
OutputCount in the IOCTL response structure to the size of the data returned in that buffer by the
underlying object store and SHOULD<212> copy OutputCount bytes into the output buffer, and
MUST return a status of STATUS_BUFFER_OVERFLOW.
If the negotiate dialect is SMB 2.1 and the underlying TCP endpoint is on port 445, the server MUST
validate CreditCharge based on the maximum of (InputCount + OutputCount) and
(MaxInputResponse + MaxOutputResponse), as specified in section 3.3.5.2.4. If the validation
fails, it MUST fail the IOCTL request with STATUS_INVALID_PARAMETER.
227 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The status code returned by this operation MUST be one of those defined in [MS-ERREF]. Common
status codes returned by this operation include:
STATUS_SUCCESS
STATUS_INSUFFICIENT_RESOURCES
STATUS_ACCESS_DENIED
STATUS_FILE_CLOSED
STATUS_NETWORK_NAME_DELETED
STATUS_USER_SESSION_DELETED
STATUS_NETWORK_SESSION_EXPIRED
STATUS_CANCELLED
STATUS_INVALID_PARAMETER
STATUS_BUFFER_OVERFLOW
STATUS_NOT_SUPPORTED
STATUS_BUFFER_TOO_SMALL
STATUS_OBJECT_NAME_NOT_FOUND
STATUS_END_OF_FILE
STATUS_INVALID_DEVICE_REQUEST
When the server receives a request with an SMB2 header with a Command value equal to SMB2
IOCTL, and a CtlCode of FSCTL_SRV_ENUMERATE_SNAPSHOTS, message handling proceeds as
follows:
The server MUST query the time stamps of available previous versions of the volume on which the
file resides from the object store.<214> If there are no previous versions available, the server
MUST construct a SRV_SNAPSHOT_ARRAY following the syntax specified in section 2.2.32.2, and
SHOULD<215> set NumberOfSnapShots to zero, NumberOfSnapShotsReturned to zero, and
SnapShotArraySize to zero.
If there are previous versions available, the server MUST calculate the size required to return the
SRV_SNAPSHOT_ARRAY structure containing the previous version array. If the size required is
larger than the maximum output buffer size received in the SMB2 IOCTL request, the server MUST
construct a SRV_SNAPSHOT_ARRAY following the syntax specified in section 2.2.32.2 with
NumberOfSnapShots set to the number of previous versions available,
NumberOfSnapShotsReturned to 0, and SnapShotArraySize to the SnapShots[] array size
required to receive all of the previous version timestamps. If the maximum output buffer size
228 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
If the size of the SRV_SNAPSHOT_ARRAY structure containing the previous version array is less
than or equal to the maximum output buffer size received in the SMB2 IOCTL request, the client
MUST construct a SRV_SNAPSHOT_ARRAY with NumberOfSnapShots set to the number of
previous versions available, NumberOfSnapShotsReturned set to the number of previous version
time stamps being returned in the buffer, and SnapShotArraySize set to the size, in bytes, of the
SnapShots buffer, which MUST then be filled in to hold the time stamps in textual GMT format for
the previous version time stamps.
The server MUST then construct an SMB2 IOCTL response following the syntax specified in section
2.2.32, with the following values:
The server MUST copy the constructed SRV_SNAPSHOT_ARRAY into the Buffer field at the
OutputOffset computed above.
When the server receives a request with an SMB2 header with a Command value equal to SMB2
IOCTL, and a CtlCode of FSCTL_DFS_GET_REFERRALS, message handling proceeds as follows:
The server MUST pass the following to Distributed File System (DFS):
The maximum size of the response data buffer that will be accepted by the client.
The processing of this request by the DFS server is as specified in [MS-DFSC] sections 3.2.5.1 and
3.3.5.1.
229 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
If DFS returns success and a response buffer containing the referrals, the server MUST then
construct an SMB2 IOCTL response following the syntax specified in section 2.2.32, with the
following values:
The server MUST copy the buffer that was received from DFS into the Buffer field at the
OutputOffset computed above.
When the server receives a request with an SMB2 header with a Command value equal to SMB2
IOCTL, and a CtlCode of FSCTL_PIPE_TRANSCEIVE, message handling proceeds as follows.
The server MUST attempt to write the number of bytes specified in the request by the InputCount
field into the named pipe. If the write attempt fails, the server MUST fail the request returning the
error code received from the named pipe.
If the share on which the request is being executed is not a named pipe share, the server SHOULD
fail the request with STATUS_NOT_SUPPORTED.<219>
The server SHOULD<220> process the FSCTL_PIPE_TRANSCEIVE request and not return an input
buffer to the client, even if the MaxInputResponse field is nonzero.
The server MUST then attempt to read the number of bytes specified in the request by
MaxOutputResponse from the named pipe. If the read attempt fails, the server MUST fail the
request returning the error code received from the named pipe. For more information on reading
from a pipe, see section 3.3.5.12.
If the read/write attempt is not finished in 1 millisecond, the server MUST send an interim response
to the client. If the read/write attempt succeeds,<221>, the server MUST then construct an SMB2
IOCTL response following the syntax specified in section 2.2.32, with the following values:
230 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
If any data was read from the pipe, OutputOffset MUST be set to InputOffset + InputCount,
rounded up to a multiple of 8. Otherwise, OutputOffset SHOULD<225> be set to zero.
OutputCount MUST be set to the number of bytes read from the pipe. If no data is to be
returned, the server MUST set OutputCount to zero.
The server MUST copy the bytes read into the Buffer field at the OutputOffset computed
above.
When the server receives a request with an SMB2 header with a Command value equal to SMB2
IOCTL, and a CtlCode of FSCTL_PIPE_PEEK, message handling proceeds as follows:
The server MUST attempt to read the number of bytes specified in the request by
MaxOutputResponse from the named pipe without removing the bytes from the pipe. If the read
attempt fails, the server MUST fail the request and return the error code received from the named
pipe. An FSCTL_PIPE_PEEK MUST never block. A MaxOutputResponse value of zero is allowed.
If the share on which the request is being executed is not a named pipe share, the server
SHOULD<226> fail the request with STATUS_NOT_SUPPORTED.
If the read attempt succeeds, the server MUST then construct an SMB2 IOCTL response by following
the syntax specified in section 2.2.32, with the following values:
If any data was read from the pipe, OutputOffset MUST be set to InputOffset + InputCount,
rounded up to a multiple of 8. Otherwise, OutputOffset SHOULD<228> be set to zero.
OutputCount MUST be set to the number of bytes read from the pipe.
The server MUST copy the bytes read into the Buffer field at the OutputOffset computed
above.
When the server receives a request with an SMB2 header with a Command value equal to SMB2
IOCTL, and a CtlCode of FSCTL_SRV_REQUEST_RESUME_KEY, message handling proceeds as
follows.
231 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The server MUST provide a 24-byte value that is used to uniquely identify the open. The server
SHOULD use Open.DurableFileId, or alternately, MAY use an internally generated value that is
unique for all opens on the server.<230>
The server MUST construct an SMB2 IOCTL response following the syntax specified in section
2.2.32, with the following values:
The server MUST copy the constructed SRV_REQUEST_RESUME_KEY that is used to identify
the open into the Buffer field at the OutputOffset computed above.
When the server receives a request with an SMB2 header with a Command value equal to SMB2
IOCTL, and a CtlCode of FSCTL_SRV_COPYCHUNK or FSCTL_SRV_COPYCHUNK_WRITE, message
handling proceeds as follows:
The server MUST locate the source open from where data will be read by locating the open using the
SourceFile key received in the SRV_COPYCHUNK_COPY structure received in the buffer described
by InputCount and InputOffset of the SMB2 IOCTL Request. If the open is not found, the server
MUST fail the request with STATUS_OBJECT_NAME_NOT_FOUND.
If Open.GrantedAccess of the destination file does not include FILE_WRITE_DATA, then the
request MUST be failed with STATUS_ACCESS_DENIED. If Open.GrantedAccess of the destination
file does not include FILE_READ_DATA access and the CtlCode is FSCTL_SRV_COPYCHUNK, then
the request MUST be failed with STATUS_ACCESS_DENIED.
If the server is configured to limit the amount of data copied in a single server side copy operation,
and the size of data sent in the request exceeds the limit, the server MUST send an SMB2 IOCTL
Response as specified in Sending an Invalid Parameter Server-Side Copy Response (section
3.3.5.15.6.2).
232 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The server MUST issue a write using the TargetOffset and Length in the range against the
destination file.<234> If the write fails, the server MUST send an SMB2 IOCTL response as specified
in Sending a Copy Failure Server-Side Copy Response (section 3.3.5.15.6.1).
If all ranges are copied successfully, the server MUST construct an SMB2 IOCTL Response following
the syntax specified in the section 2.2.32, with the following values:
The server MUST copy a SRV_COPYCHUNK_RESPONSE following the syntax specified in section
2.2.32.1 into the Buffer field at the OutputOffset computed above. ChunksWritten MUST be
set to the number of chunks processed. ChunkBytesWritten MUST be set to zero.
TotalBytesWritten MUST be set to the total number of bytes written to the destination file
across all chunk writes.
If a range is encountered that is not copied successfully, the server MUST construct an SMB2 IOCTL
Response following the syntax specified in section 2.2.32, with the following values:
Status in the SMB2 header MUST be set to one of the error codes listed in section 3.3.5.15.
233 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
If the server determines that the total chunk count is more than
ServerSideCopyMaxNumberofChunks, or the size of any chunk is more than
ServerSideCopyMaxChunkSize, or the total size of all chunks exceeds
ServerSideCopyMaxDataSize, the server MUST construct an SMB2 IOCTL Response, following the
syntax specified in section 2.2.32, with the following values:
The server MUST copy a SRV_COPYCHUNK_RESPONSE, following the syntax specified in section
2.2.32.1, into the Buffer field at the OutputOffset computed above, with the following
differences. ChunksWritten MUST be set ServerSideCopyMaxNumberofChunks.
ChunkBytesWritten MUST be set ServerSideCopyMaxChunkSize. TotalBytesWritten MUST
be set to ServerSideCopyMaxDataSize.
When the server receives a request with an SMB2 header with a Command value equal to SMB2
IOCTL, and a CtlCode of FSCTL_SRV_READ_HASH, message handling proceeds as follows:
If the operation fails, the server MUST fail the SRV_READ_HASH request with the error code
specified in the following cases:
If the server does not support SRV_READ_HASH requests, it MUST fail the request with
STATUS_NOT_SUPPORTED.<238>
234 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
If ServerHashLevel is HashDisableAll, the server MUST fail the SRV_READ_HASH request with
error code STATUS_HASH_NOT_SUPPORTED.
If the Content Information is not present or no longer valid, the server MUST fail the
SRV_READ_HASH request with error code STATUS_HASH_NOT_PRESENT.
If the Offset field of the SRV_READ_HASH request is equal to or beyond the end of the Content
Information for the file, the server MUST fail the SRV_READ_HASH request with error code
STATUS_END_OF_FILE.
The server MUST request the Content Information from the object store for the object
represented by Open.LocalOpen with specified offset.<239>If the Content Information request
fails, the server MUST fail the SRV_READ_HASH request with the error code returned by object
store.
If the Content Information is read successfully, the server MUST construct an SMB2 IOCTL
response following the syntax specified in section 2.2.32, with the following values:
FileId.Volatile MUST be set to Open.FileId. This field MUST be the same as the FileId in the
SMB2 IOCTL Request.
OutputCount MUST be set to the size of SRV_READ_HASH Response, including the variable
length for Content Information.
The server MUST copy a SRV_READ_HASH Response following the syntax specified in section
2.2.32.4 into the Buffer field at the OutputOffset computed above.
Pass-through requests are I/O Control requests and File System Control (FSCTL) requests with a
CtlCode value that is not specified in section 2.2.31. As noted in section 3.3.5.15, the server MUST
fail I/O Control requests with STATUS_NOT_SUPPORTED.
Pass-through FSCTL requests fall further into two types, those for which a CtlCode value matches
an FSCTL function number defined in [MS-FSCC] section 2.3, and those that do not. When the latter
type of pass-through request does not meet the private FSCTL requirements of [MS-FSCC] section
235 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
Otherwise, when the server receives a pass-through FSCTL request, the server SHOULD<241> pass
it through to the underlying object store.
The server MUST pass the following to the underlying object store: CtlCode, the input buffer
described by InputOffset and InputCount, the output buffer described by OutputOffset and
OutputCount, the MaxOutputResponse as the maximum output buffer size, in bytes, for the
response, and MaxInputResponse as the maximum input buffer size, in bytes, for the response.
Where the CtlCode value matches an FSCTL function number defined in [MS-FSCC], the server
SHOULD verify that the above buffers and sizes conform to the requirements of the corresponding
structures defined in [MS-FSCC] section 2.3, and use the FileId from the SMB2 IOCTL request to
obtain the handle described in [MS-FSCC] section 2.3 to pass to the object store. Where the
CtlCode value is not defined in [MS-FSCC], the server SHOULD<242> ensure that the other
requirements for private FSCTLs defined in [MS-FSCC] are met.
If the underlying object store returns a failure, the server MUST fail the request and send a
response with an error code, as specified in [MS-ERREF] section 2.2.
Note that a successful FSCTL pass-through request could return 0 bytes of output buffer data, and
have OutputCount set to 0. Similarly, it is possible for a valid FSCTL pass-through request to send
0 bytes of input buffer data, depending on the requirements of the FSCTL.
If the operation succeeds, the server MUST then construct an SMB2 IOCTL Response following the
syntax specified in section 2.2.32, with the following values:
If the underlying object store is returning input data to the client, InputOffset MUST be set to
the offset, in bytes, from the beginning of the SMB2 header to the Buffer[] field of the response.
Otherwise, InputOffset SHOULD<243> be set to zero.
InputCount MUST be set to the number of input bytes the object store is returning to the client.
If the object store is returning output data to the client, OutputOffset MUST be set to
InputOffset + InputCount, rounded up to a multiple of 8. Otherwise, OutputOffset
SHOULD<244> be set to zero.
The server MUST set the OutputCount to the actual number of bytes returned by the underlying
object store in the output buffer.
The server MUST copy the input and output response bytes into the ranges in Buffer described
by InputOffset/InputCount and OutputOffset/OutputCount.
When the server receives a request with an SMB2 header with a Command value equal to SMB2
IOCTL and a CtlCode FSCTL_LMR_REQUEST_RESILIENCY, message handling proceeds as follows.
236 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The server MUST construct an SMB2 IOCTL response following the syntax specified in section
2.2.32, with the following values:
When the server receives a request with an SMB2 header with a Command value equal to SMB2
CANCEL, message handling proceeds as follows:
An SMB2 CANCEL Request is the only request received by the server that is not signed and does not
contain a sequence number that must be checked. Thus, the server MUST NOT process the received
packet as specified in sections 3.3.5.2.2 and 3.3.5.2.3.
The server MUST locate the request being canceled by searching the Connection.RequestList. If
SMB2_FLAGS_ASYNC_COMMAND is set in the Flags field of the SMB2 header of the cancel request,
the server MUST search for a request in Connection.AsyncCommandList that matches both the
MessageId and the AsyncId of the incoming cancel request. If SMB2_FLAGS_ASYNC_COMMAND is
not set, then the server MUST search for a request that matches the MessageId of the incoming
cancel request.
If a request is not found, the server MUST stop processing for this cancel request. No response is
sent.
If a request is found, the server MUST attempt to cancel the request that was found, referred to
here as the target request, by calling into the underlying object store.<247> If the target request is
successfully canceled, the target request MUST be failed by sending an ERROR response packet as
specified in section 2.2.2, with the status field of the SMB2 header (specified in section 2.2.1) set to
STATUS_CANCELLED. If the target request is not successfully canceled, processing MUST continue
as is typical for the target request. No response is sent to the cancel request.
237 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
When the server receives a request with an SMB2 header with a Command value equal to SMB2
ECHO, message handling proceeds as follows:
The server MUST construct an SMB2 ECHO Response following the syntax specified in section 2.2.29
and MUST send it to the client.
The status code returned by this operation MUST be one of those defined in [MS-ERREF]. Common
status codes returned by this operation include:
STATUS_SUCCESS
STATUS_INVALID_PARAMETER
When the server receives a request with an SMB2 header with a Command value equal to SMB2
QUERY_DIRECTORY, message handling proceeds as follows:
The server MUST locate the session that is taking the action, using the SessionId in the SMB2
header of the request to do a lookup on the GlobalSessionTable. If no session is found, or if
Session.Connection is not equal to the connection on which the request was received, the server
MUST fail the request with STATUS_USER_SESSION_DELETED. If Session.State is set to Expired,
the server MUST fail the request with STATUS_NETWORK_SESSION_EXPIRED. If Session.State is
set to InProgress, the server MUST fail the request with STATUS_ACCESS_DENIED.
Next, the server MUST locate the tree connect by performing a lookup in the
Session.TreeConnectTable, using the TreeId in the SMB2 header of the request. If no tree
connect is found, the server MUST fail the request with STATUS_NETWORK_NAME_DELETED.
Next, the server MUST locate the open for the directory to be queried by performing a lookup in the
Session.OpenTable, using the FileId.Volatile of the request as the lookup key. If no open is
found, or if Open.DurableFileId is not equal to FileId.Persistent, the server MUST fail the
request with STATUS_FILE_CLOSED.
If the open is not an open to a directory, the request MUST be failed with
STATUS_NOT_SUPPORTED.
If the negotiate dialect is SMB 2.1 and the underlying TCP endpoint is on port 445 and the
CreditCharge field in the SMB2 header is not 0, the server MUST validate CreditCharge based on
OutputBufferLength, as specified in section 3.3.5.2.4. If the validation fails, it MUST fail the
request with STATUS_INVALID_PARAMETER.
The information classes supported are specified in [MS-FSCC] section 2.4. The supported classes for
the query are:
FileDirectoryInformation
FileFullDirectoryInformation
238 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
FileIdFullDirectoryInformation
FileIdBothDirectoryInformation
FileNamesInformation
If any other information class is specified in the FileInformationClass field of the SMB2
QUERY_DIRECTORY Request, the server MUST fail the operation with
STATUS_INVALID_INFO_CLASS. If the information class requested is not supported by the server,
the server MUST fail the request with STATUS_NOT_SUPPORTED.
If SMB2_REOPEN is set in the Flags field of the SMB2 QUERY_DIRECTORY Request, the server
SHOULD<248> set Open.EnumerationLocation to 0 and Open.EnumerationSearchPattern to
an empty string.
If SMB2_RESTART_SCANS is set in the Flags field of the SMB2 QUERY_DIRECTORY Request, the
server MUST set Open.EnumerationLocation to 0.
If SMB2_INDEX_SPECIFIED is set in the Flags field of the SMB2 QUERY_DIRECTORY Request and
the underlying object store supports resuming enumerations by index number, the server MUST set
Open.EnumerationLocation to the FileIndex received in the SMB2 QUERY_DIRECTORY Request.
An underlying store MAY<250> choose to support resuming enumerations by index number.
If SMB2_INDEX_SPECIFIED is set and FileNameLength is not zero, the server MUST set
Open.EnumerationSearchPattern to the search pattern specified in the request by
FileNameOffset and FileNameLength.
The server MUST now enumerate the files and directories that are contained within the directory
specified by Open.LocalOpen, starting at the index Open.EnumerationLocation.<251> Each
entry MUST be formed as specified in [MS-FSCC] section 2.4. The server MUST fill in entries up to
the OutputBufferLength received in the client request. The server MUST only include entries that
match Open.EnumerationSearchPattern. For an explanation of wildcard evaluation for search
patterns, see [MS-CIFS] section 2.2.1.1.3. If SMB2_RETURN_SINGLE_ENTRY is set in the Flags
field of the request, the server MUST return only a single entry.
After populating the buffer, the server MUST set Open.EnumerationLocation to the location of the
next enumeration entry after the last one that was returned in the buffer. If there are no remaining
entries, the server MUST set Open.EnumerationLocation to an invalid value indicating that the
enumeration is complete.
If an error is encountered, the server MUST fail the request with the error code received from the
underlying object store by sending an error response as specified in section 2.2.2.
If there are no entries to return and this was the initial query (Open.EnumerationLocation was
zero before querying the object store), the server MUST fail the request with
STATUS_NO_SUCH_FILE.
239 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
Otherwise, the server MUST construct an SMB2_QUERY_DIRECTORY Response following the syntax
specified in section 2.2.34, with the following values:
OutputBufferOffset MUST be set to the offset, in bytes, from the beginning of the SMB2 header
where the enumeration data is being placed, the offset to Buffer[].
OutputBufferLength MUST be set to the length, in bytes, of the result of the enumeration.
The status code returned by this operation MUST be one of those defined in [MS-ERREF]. Common
status codes returned by this operation include:
STATUS_SUCCESS
STATUS_INSUFFICIENT_RESOURCES
STATUS_ACCESS_DENIED
STATUS_FILE_CLOSED
STATUS_NETWORK_NAME_DELETED
STATUS_USER_SESSION_DELETED
STATUS_NETWORK_SESSION_EXPIRED
STATUS_INVALID_PARAMETER
STATUS_INVALID_INFO_CLASS
STATUS_NO_SUCH_FILE
STATUS_CANCELLED
STATUS_NOT_SUPPORTED
STATUS_OBJECT_NAME_INVALID
STATUS_VOLUME_DISMOUNTED
STATUS_INVALID_INFO_CLASS
STATUS_FILE_CORRUPT_ERROR
STATUS_NO_MORE_FILES
When the server receives a request that has an SMB2 header with a Command value equal to
SMB2 CHANGE_NOTIFY, message handling proceeds as follows.
240 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
Next, the server MUST locate the tree connect by performing a lookup in the
Session.TreeConnectTable, using the TreeId in the SMB2 header of the request. If no tree
connect is found, the server MUST fail the request with STATUS_NETWORK_NAME_DELETED.
Next, the server MUST locate the open on which the client is requesting a change notification by
performing a lookup in the Session.OpenTable, using the FileId.Volatile of the request as the
lookup key. If no open is found, or if Open.DurableFileId is not equal to FileId.Persistent, the
server MUST fail the request with STATUS_FILE_CLOSED.
If the negotiate dialect is SMB 2.1 and the underlying TCP endpoint is on port 445 and the
CreditCharge field in the SMB2 header is not 0, the server MUST validate CreditCharge based on
OutputBufferLength, as specified in section 3.3.5.2.4. If the validation fails, it MUST fail the
request with STATUS_INVALID_PARAMETER.
If the open is not an open to a directory, the request MUST be failed with
STATUS_INVALID_PARAMETER.
Because change notify operations are not guaranteed to complete within a deterministic amount of
time, the server SHOULD<252> handle this operation asynchronously as specified in section
3.3.4.2.
If the underlying object store does not support change notifications, the server MUST fail this
request with STATUS_NOT_SUPPORTED.
The server MUST register a change notification on the underlying object store for the directory that
is specified by Open.LocalOpen, using the completion filter supplied in the CompletionFilter field
of the client request.<253> If SMB2_WATCH_TREE is set in the Flags field of the client request, the
server MUST request that the change notify monitor all subtrees of the directory that is specified by
Open.LocalOpen. The server indicates the maximum amount of notification data that it can accept
by passing in the OutputBufferLength that is received from the client. An OutputBufferLength of
zero indicates that the client allows the occurrence of an event but the client does not allow the
notification data details. A Change notification request processed by the server with invalid bits in
the CompletionFilter field MUST ignore the invalid bits and process the valid bits. If there are no
valid bits in the CompletionFilter, the request will remain pending until the change notification is
canceled or the directory handle is closed.
Change notification processing in the object store MUST be handled as specified in section 3.3.1.3.
It is also outlined in [MS-CIFS] section 3.3.5.57.5.
If the server is unable to copy the results into the buffer of the SMB2 CHANGE_NOTIFY Response,
then the server MUST construct the response as described below, with an OutputBufferLength of
zero, and set the Status in the SMB2 header to STATUS_NOTIFY_ENUM_DIR.
If OutputBufferLength is larger than the server-configured value, the request MAY<254> be failed
with STATUS_INVALID_PARAMETER.
If the object store returns an error, the server MUST fail the request with the error code received.
241 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
OutputBufferOffset MUST be set to the offset, in bytes, from the beginning of the SMB2 header
where the enumeration data is being placed, the offset to Buffer[].
OutputBufferLength MUST be set to the length, in bytes, of the result of the enumeration. It is
valid for length to be 0, indicating a change occurred but it could not be fit within the buffer.
The status code returned by this operation MUST be one of those defined in [MS-ERREF]. Common
status codes returned by this operation include:
STATUS_SUCCESS
STATUS_INSUFFICIENT_RESOURCES
STATUS_ACCESS_DENIED
STATUS_FILE_CLOSED
STATUS_NETWORK_NAME_DELETED
STATUS_USER_SESSION_DELETED
STATUS_NETWORK_SESSION_EXPIRED
STATUS_CANCELLED
STATUS_INVALID_PARAMETER
STATUS_NOTIFY_ENUM_DIR
When the server receives a request with an SMB2 header with a Command value equal to SMB2
QUERY_INFO, message handling proceeds as follows:
The server MUST locate the session that is taking the action, using the SessionId in the SMB2
header of the request to do a lookup on the GlobalSessionTable. If no session is found, or if
Session.Connection is not equal to the connection on which the request was received, the server
MUST fail the request with STATUS_USER_SESSION_DELETED. If Session.State is set to Expired,
the server MUST fail the request with STATUS_NETWORK_SESSION_EXPIRED. If Session.State is
set to InProgress, the server MUST fail the request with STATUS_ACCESS_DENIED.
Next, the server MUST locate the tree connect by performing a lookup in the
Session.TreeConnectTable, using the TreeId in the SMB2 header of the request. If no tree
connect is found, the server MUST fail the request with STATUS_NETWORK_NAME_DELETED.
Next, the server MUST locate the open on which the client is requesting the information by
performing a lookup in the Session.OpenTable, using the FileId.Volatile of the request as the
lookup key. If no open is found, or if Open.DurableFileId is not equal to FileId.Persistent, the
server MUST fail the request with STATUS_FILE_CLOSED.
242 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The remaining processing for this request depends on the InfoType that is requested and described
below.
The status code returned by this operation MUST be one of those defined in [MS-ERREF]. Common
status codes returned by this operation include:
STATUS_SUCCESS
STATUS_INSUFFICIENT_RESOURCES
STATUS_ACCESS_DENIED
STATUS_FILE_CLOSED
STATUS_NETWORK_NAME_DELETED
STATUS_USER_SESSION_DELETED
STATUS_NETWORK_SESSION_EXPIRED
STATUS_INVALID_PARAMETER
STATUS_INVALID_INFO_CLASS
STATUS_NOT_SUPPORTED
STATUS_EA_LIST_INCONSISTENT
STATUS_BUFFER_OVERFLOW
STATUS_CANCELLED
STATUS_INFO_LENGTH_MISMATCH
The information classes that are supported for querying files are listed in section 2.2.37.
Documentation for these is provided in [MS-FSCC] section 2.4.
Requests for information classes that are not listed in section 2.2.37 but which are documented in
section 2.4 of [MS-FSCC] SHOULD be failed with STATUS_NOT_SUPPORTED.
Requests for information classes not documented in [MS-FSCC] section 2.4 SHOULD<255> be failed
with STATUS_INVALID_INFO_CLASS.
If the request is for the FilePositionInformation information class, the SMB2 server SHOULD<256>
set the CurrentByteOffset field to zero. The CurrentByteOffset field is part of the
FILE_POSITION_INFORMATION structure specified in section 2.4.32 of [MS-FSCC].
If the object store supports security and the information class is FileBasicInformation,
FileAllInformation, FilePipeInformation, FilePipeLocalInformation, FilePipeRemoteInformation,
FileNetworkOpenInformation, or FileAttributeTagInformation, and Open.GrantedAccess does not
include FILE_READ_ATTRIBUTES, the server MUST fail the request with STATUS_ACCESS_DENIED.
243 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The server MUST query the information requested from the underlying object store.<257> If the
store does not support the data requested, the server MUST fail the request with
STATUS_NOT_SUPPORTED.
Depending on the information class, the output data consists of a fixed portion followed by optional
variable length data. If the OutputBufferLength given in the client request is either zero or is
insufficient to hold the fixed length part of the information requested, the server MUST fail the
request with STATUS_INFO_LENGTH_MISMATCH and MUST return error data as specified in section
2.2.2 with ByteCount set to zero.
If the underlying object store returns an error, the server MUST fail the request with the error code
received.
If the underlying object store returns only a portion of the variable-length data, the server MUST
construct a response as described below but set the Status in the SMB2 header to
STATUS_BUFFER_OVERFLOW. If FileFullEaInformation is being queried and the requested entries
will not all fit in the Buffer field of the response, the server MUST construct a response as described
below but set the Status in the SMB2 header to STATUS_BUFFER_OVERFLOW.
If the underlying object store returns the information successfully, the server MUST construct an
SMB2 QUERY_INFO Response with the following values:
OutputBufferOffset MUST be set to the offset, in bytes, from the beginning of the SMB2 header
to the attribute data at Buffer[].
OutputBufferLength MUST be set to the length of the attribute data being returned to the
client.
FullEaList: The list of extended attribute entries maintained by underlying object store.
If the object store supports security and the information class is set to FileFullEaInformation, the
server MUST return one or more extended attribute information associated to the current Open, as
follows:
If EaList is specified by the client, the server MUST query the EA entries from FullEaList
through the EA names in EaList until the buffer is full or has run to the end of EaList. The
EaList is contained at the offset InputBufferOffset, starting from the SMB2 header with the
length set to InputBufferLength.
If SL_INDEX_SPECIFIED is not set in the Flags field and EaList is not specified, the server MUST
enumerate the EA entries from FullEaList starting at Open.CurrentEaIndex until the buffer is
full or has run out of the EA entries in FullEaList. Open.CurrentEaIndex MUST be incremented
by the number of EA entries returned to the client.
244 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
If SL_INDEX_SPECIFIED is set in the Flags field, it SHOULD be ignored by the server if EaList is
specified by the client. Otherwise, the server MUST use EaIndex as the starting index in
FullEaList to enumerate the EA entries until the buffer is full or has run out of the EA entries in
FullEaList. If an out-of-range EaIndex is specified, the server MUST fail the request with
STATUS_NONEXISTENT_EA_ENTRY.
If SL_RETURN_SINGLE_ENTRY is set in the Flags field, the server MUST return the single EA
entry to the client.
The information classes that are supported for querying file systems are listed in section 2.2.37.
Documentation for these is provided in [MS-FSCC] section 2.5.
Requests for information classes not listed in section 2.2.37 but documented in [MS-FSCC] section
2.5 SHOULD be failed with STATUS_NOT_SUPPORTED.
Requests for information classes not documented in [MS-FSCC] section 2.5 SHOULD be failed with
STATUS_INVALID_INFO_CLASS.
The server MUST query the information requested from the underlying volume that hosts the open
in the object store.<258> If the store does not support the data requested, the server MUST fail the
request with STATUS_NOT_SUPPORTED.
Depending on the information class, the output data consists of a fixed portion followed by optional
variable-length data. If the OutputBufferLength given in the client request is either zero or is
insufficient to hold the fixed length part of the information requested, the server MUST fail the
request with STATUS_INFO_LENGTH_MISMATCH and MUST return error data, as specified in section
2.2.2 with ByteCount set to zero.
If the underlying object store returns an error, the server MUST fail the request with the error code
received.
If the underlying object store returns only a portion of the variable-length data, the server MUST
construct a success response as described below but set the Status in the SMB2 header to
STATUS_BUFFER_OVERFLOW.
If the underlying object store returns the information successfully, the server MUST construct an
SMB2 QUERY_INFO Response with the following values:
OutputBufferOffset MUST be set to the offset, in bytes, from the beginning of the SMB2 header
to the attribute data at Buffer[].
OutputBufferLength MUST be set to the length of the attribute data being returned to the
client.
245 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The following section assumes knowledge about security concepts, as described in [MS-WSO]
section 3.1.2 and specified in [MS-DTYP].
1. If the underlying object store does not support object security based on Access Control Lists (as
specified in [MS-DTYP] section 2.4.5), the server MUST return WorldSid for
OWNER_SECURITY_INFORMATION and GROUP_SECURITY_INFORMATION and a NULL value for
DACL_SECURITY_INFORMATION, SACL_SECURITY_INFORMATION and
LABEL_SECURITY_INFORMATION.
4. The server MUST call into the underlying object store to query the security descriptor for the
object.<260>
The fields required in the resulting security descriptor are denoted by the flags given in the
AdditionalInformation field of the request.
If the OutputBufferLength given in the client request is either zero or is insufficient to hold the
information requested, the server MUST fail the request with STATUS_BUFFER_TOO_SMALL. The
server MUST return error data containing the buffer size, in bytes, that would be required to return
the requested information, as specified in section 2.2.2 with ByteCount set to 4. The server MUST
NOT return STATUS_BUFFER_OVERFLOW with an incomplete security descriptor to the client as in
the previous cases. If the underlying object store returns an error, the server MUST fail the request
with the error code received.
If the underlying object store returns the information successfully, the server MUST construct an
SMB2 QUERY_INFO Response with the following values:
OutputBufferOffset MUST be set to the offset, in bytes, from the beginning of the SMB2 header
to the attribute data at Buffer[].
OutputBufferLength MUST be set to the length of the attribute data being returned to the
client.
The server's object store MAY support quotas that are associated with a security principal. If the
server exposes support for quotas, it MUST allow security principals to be identified using security
identifiers (SIDs) in the format that is specified in [MS-DTYP] section 2.4.2.<261>
If the underlying object store does not support user quotas, the server MUST fail the request with
STATUS_NOT_SUPPORTED.
246 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The server MUST query the quota information retrieved from the underlying volume that hosts the
open in the object store.<262>
FullQuotaList: The list of the volume's quota information entries maintained by the underlying
object store.
If ReturnSingle is TRUE, the server MUST return at most a single quota information entry to the
client.
If SidListLength is nonzero, the server MUST ignore the values of StartSidOffset and
StartSidLength, and enumerate the quota information entries for all the SIDs specified in
SidList. If SidList is not a list of FILE_GET_QUOTA_INFORMATION structures linked via the
NextEntryOffset field, the server MUST fail the request with STATUS_INVALID_PARAMETER. If
the server can't find the corresponding quota information entry through the SID specified in the
FILE_GET_QUOTA_INFORMATION structure, then the server MUST return
FILE_QUOTA_INFORMATION for the SID with the fields ChangeTime and QuotaUsed set to
zero and the fields QuotaThreshold and QuotaLimit set to -1.
If SidListLength is zero, the server MUST determine the location in FullQuotaList of the
StartSid that is specified by StartSidOffset and StartSidLength and set
Open.CurrentQuotaIndex to the index of that SID.<263> If the server cannot find the
specified SID in FullQuotaList, then the server MUST fail the request with
STATUS_INVALID_PARAMETER. The server MUST use Open.CurrentQuotaIndex as the starting
index in FullQuotaList to enumerate the quota information entries until the buffer is full or has
run out of the quota information entries in FullQuotaList. Open.CurrentQuotaIndex MUST be
incremented by the number of quota information entries returned to the client.
If StartSidLength or StartSidOffset or SidListLength are nonzero, the server MUST ignore
the value of RestartScan.
If StartSidLength and StartSidOffset and SidListLength are all zero, the server MUST check
the value of RestartScan. If RestartScan is TRUE, the server MUST set
Open.CurrentQuotaIndex to 1. The server MUST use Open.CurrentQuotaIndex as the
starting index in FullQuotaList to enumerate the quota information entries until the buffer is full
or has run out of the quota information entries in FullQuotaList. Open.CurrentQuotaIndex
MUST be incremented by the number of quota information entries returned to the client.
If the OutputBufferLength given in the client request is either zero or is insufficient to hold single
FILE_QUOTA_INFORMATION entry, the server MUST fail the request with
STATUS_BUFFER_TOO_SMALL and return error data, as specified in section 2.2.2, with ByteCount
set to zero.
If the underlying object store returns an error, the server MUST fail the entire request with the error
code received.
247 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
If the underlying object store returns the information successfully, the server MUST construct an
SMB2 QUERY_INFO Response with the following values:
OutputBufferOffset MUST be set to the offset, in bytes, from the beginning of the SMB2 header
to the attribute data at Buffer[].
OutputBufferLength MUST be set to the length of the attribute data being returned to the
client.
When the server receives a request with an SMB2 header with a Command value equal to SMB2
SET_INFO, message handling proceeds as follows:
The server MUST locate the session taking the action using the SessionId in the SMB2 header of
the request to do a lookup on the GlobalSessionTable. If no session is found, or if
Session.Connection is not equal to the connection on which the request was received, the server
MUST fail the request with STATUS_USER_SESSION_DELETED. If Session.State is set to Expired,
the server MUST fail the request with STATUS_NETWORK_SESSION_EXPIRED. If Session.State is
set to InProgress, the server MUST fail the request with STATUS_ACCESS_DENIED.
Next, the server MUST locate the tree connect by performing a lookup in
Session.TreeConnectTable using the TreeId in the SMB2 header of the request. If no tree
connect is found, the server MUST fail the request with STATUS_NETWORK_NAME_DELETED.
Next, the server MUST locate the open on which the client is requesting to set information by
performing a lookup in Session.OpenTable using FileId.Volatile of the request as the lookup key.
If no open is found, or if Open.DurableFileId is not equal to FileId.Persistent, the server MUST
fail the request with STATUS_FILE_CLOSED.
If the negotiate dialect is SMB 2.1 and the underlying TCP endpoint is on port 445 and the
CreditCharge field in SMB2 header is not 0, the server MUST validate CreditCharge based on
OutputBufferLength, as specified in section 3.3.5.2.4. If the validation fails, it MUST fail the
request with STATUS_INVALID_PARAMETER.
The remaining processing for this request depends on the InfoType requested, as described below.
The status code returned by this operation MUST be one of those defined in [MS-ERREF]. Common
status codes returned by this operation include:
STATUS_SUCCESS
STATUS_INSUFFICIENT_RESOURCES
STATUS_ACCESS_DENIED
STATUS_FILE_CLOSED
STATUS_NETWORK_NAME_DELETED
248 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
STATUS_NETWORK_SESSION_EXPIRED
STATUS_INVALID_PARAMETER
STATUS_INVALID_INFO_CLASS
STATUS_NOT_SUPPORTED
STATUS_EA_LIST_INCONSISTENT
STATUS_CANCELLED
The information classes that are supported for setting file information are listed in section 2.2.39.
Documentation for these is provided in [MS-FSCC] section 2.4.
Requests for information classes documented in [MS-FSCC] section 2.4 with "Set" not specified in
the Uses column are not allowed and SHOULD be failed with STATUS_INVALID_INFO_CLASS.
Requests for information classes not documented in section 2.4 of [MS-FSCC] SHOULD<264> be
failed with STATUS_INVALID_INFO_CLASS.
Requests for information classes not listed in section 2.2.39 but documented in [MS-FSCC] section
2.4 with "Set" specified in the Uses column are not allowed and SHOULD be failed with
STATUS_NOT_SUPPORTED.
If the object store supports security and the information class is FileBasicInformation or
FilePipeInformation, and Open.GrantedAccess does not include FILE_WRITE_ATTRIBUTES, the
server MUST fail the request with STATUS_ACCESS_DENIED.
If the object store supports security and the information class is FileRenameInformation,
FileDispositionInformation, or FileShortNameInformation, and Open.GrantedAccess does not
include DELETE, the server MUST fail the request with STATUS_ACCESS_DENIED.
If the object store supports security and the information class is FileFullEaInformation, and
Open.GrantedAccess does not include FILE_WRITE_EA, the server MUST fail the request with
STATUS_ACCESS_DENIED.
If the object store supports security and the information class is FileFullEaInformation and the EA
buffer in the Buffer field is not in a valid format, the server MUST fail the request with
STATUS_EA_LIST_INCONSISTENT.
If the object store supports security and the information class is FileAllocationInformation,
FileEndOfFileInformation, or FileValidDataLengthInformation, and Open.GrantedAccess does not
include FILE_WRITE_DATA, the server MUST fail the request with STATUS_ACCESS_DENIED.
The server MUST apply the information requested to the underlying object store.<265> If the store
does not support the information class requested, the server MUST fail the request with
STATUS_NOT_SUPPORTED.
If the underlying object store returns an error, the server MUST fail the request with the error code
received.
Otherwise, the server MUST initialize an SMB2 SET_INFO Response following the syntax given in
section 2.2.40.
249 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The information classes that are supported for setting underlying object store information are listed
in section 2.2.39. Documentation for these is provided [MS-FSCC] section 2.5. Requests for
information classes not listed in section 2.2.39 but documented in section 2.5 of [MS-FSCC] for Uses
of "Set" or "LOCAL" MUST be failed with STATUS_NOT_SUPPORTED. Requests for information
classes not documented in section 2.5 of [MS-FSCC] or documented in section 2.5 of [MS-FSCC] for
Uses of only "Query" MUST be failed with STATUS_INVALID_INFO_CLASS.
If the object store supports security and the information class is FileFsControlInformation or
FileFsObjectIdInformation and Open.GrantedAccess does not include FILE_WRITE_DATA, the
server MUST fail the request with STATUS_ACCESS_DENIED.
The server MUST apply the information requested to the underlying object store.<266> If the
underlying object store returns an error, the server MUST fail the request with the error code
received. Otherwise, the server MUST initialize an SMB2 SET_INFO Response following the syntax
given in section 2.2.40. The response MUST then be sent to the client.
The following section assumes knowledge about security concepts as described in [MS-WSO] section
3.1.2 and specified in [MS-DTYP].<267>
4. The server MUST call into the underlying object store to set the security on the object.<268>
The fields being applied in the provided security descriptor are denoted by the flags given in the
AdditionalInformation field of the request.
If the underlying object store returns an error, the server MUST fail the request with the error code
received.
Otherwise, the server MUST initialize an SMB2 SET_INFO Response following the syntax given in
section 2.2.40.
250 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The server's object store MAY support quotas associated with a security principal. If the server
exposes support for quotas, it MUST allow security principals to be identified using security
identifiers (SIDs) in the format specified in [MS-DTYP] section 2.4.2.<269>
If the object store does not support quotas, the server MUST fail the request with
STATUS_NOT_SUPPORTED.
If the user represented by Session.SecurityContext is not granted the right to manage quotas on
the underlying volume in the object store, the server MUST fail the request with
STATUS_ACCESS_DENIED.
The server MUST apply the provided quota information to the underlying volume that hosts the open
in the object store.<270>
If the underlying object store returns an error, the server MUST fail the request with the error code
received.
Otherwise, the server MUST initialize an SMB2 SET_INFO Response following the syntax given in
section 2.2.40.
When the server receives a request with an SMB2 header with a Command value equal to SMB2
OPLOCK_BREAK, message handling proceeds as follows:
If Connection.Dialect is not equal to "2.100" and the StructureSize of the request is equal to
36, the server MUST process the request as described in section 3.3.5.22.2.
Otherwise, the server MUST process the request as described in section 3.3.5.22.1.
The server MUST locate the session taking the action using the SessionId in the SMB2 header of
the request to do a lookup on the GlobalSessionTable. If no session is found, or if
Session.Connection is not equal to the connection on which the request was received, the server
MUST fail the request with STATUS_USER_SESSION_DELETED. If Session.State is set to
InProgress, the server MUST fail the request with STATUS_ACCESS_DENIED.
Next, the server MUST locate the tree connect by performing a lookup in
Session.TreeConnectTable using the TreeId in the SMB2 header of the request. If no tree
connect is found, the server MUST fail the request with STATUS_NETWORK_NAME_DELETED.
Next, the server MUST locate the open on which the client is acknowledging an oplock break by
performing a lookup in Session.OpenTable using FileId.Volatile of the request as the lookup key.
If no open is found, or if Open.DurableFileId is not equal to FileId.Persistent, the server MUST
fail the request with STATUS_FILE_CLOSED.
If Open.OplockState is not Breaking, the server MUST fail the request with
STATUS_INVALID_DEVICE_STATE.
251 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The server completes the oplock break request received from the object store as described in
section 3.3.4.6. If the OplockLevel of the request is SMB2_OPLOCK_LEVEL_II, the server MUST set
Open.OplockLevel to SMB2_OPLOCK_LEVEL_II and Open.OplockState to Held. If the
OplockLevel of the request is SMB2_OPLOCK_LEVEL_NONE, the server MUST set
Open.OplockLevel to SMB2_OPLOCK_LEVEL_NONE and Open.OplockState to None.
The server then MUST construct an oplock break response using the syntax specified in section
2.2.25 with the following value:
The status code returned by this operation MUST be one of those defined in [MS-ERREF]. Common
status codes returned by this operation include:
STATUS_ACCESS_DENIED
STATUS_FILE_CLOSED
STATUS_INVALID_OPLOCK_PROTOCOL
STATUS_INVALID_PARAMETER
STATUS_INVALID_DEVICE_STATE
STATUS_NETWORK_NAME_DELETED
STATUS_USER_SESSION_DELETED
The server MUST locate the session that is taking the action by using the SessionId in the SMB2
header of the request to do a lookup on the GlobalSessionTable. If no session is found, or if
Session.Connection is not equal to the connection on which the request was received, the server
MUST fail the request with STATUS_USER_SESSION_DELETED. If Session.State is set to
InProgress, the server MUST fail the request with STATUS_ACCESS_DENIED.
Next, the server MUST locate the tree connect by performing a lookup in
Session.TreeConnectTable using the TreeId in the SMB2 header of the request. If no tree
connect is found, the server MUST fail the request with STATUS_NETWORK_NAME_DELETED.
Next, the server MUST locate the Lease Table by performing a lookup in GlobalLeaseTableList
using Connection.ClientGuid as the lookup key. If no lease table is found, the server MUST fail the
request with STATUS_FILE_CLOSED.
The server MUST locate the lease on which the client is acknowledging a lease break by performing
a lookup in LeaseTable.LeaseList using the LeaseKey of the request as the lookup key. If no
lease is found, the server MUST fail the request with STATUS_FILE_CLOSED.
If Lease.Breaking is FALSE, the server MUST fail the request with STATUS_UNSUCCESSFUL.
If LeaseState is not <= Lease.BreakToLeaseState, the server MUST fail the request with
STATUS_REQUEST_NOT_ACCEPTED.
252 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The server then MUST construct an oplock break response using the syntax specified in section
2.2.25 with the following values:
The status code returned by this operation MUST be one of those defined in [MS-ERREF]. Common
status codes returned by this operation include:
STATUS_ACCESS_DENIED
STATUS_FILE_CLOSED
STATUS_INVALID_OPLOCK_PROTOCOL
STATUS_INVALID_PARAMETER
STATUS_INVALID_DEVICE_STATE
STATUS_NETWORK_NAME_DELETED
STATUS_USER_SESSION_DELETED
The oplock break acknowledgment timer MUST be started when the server sends an SMB2
OPLOCK_BREAK Notification (as specified in section 2.2.23) to the client as a result of the
underlying object store indicating an oplock break or lease break on a file.
When the oplock break acknowledgment timer expires, the server MUST scan for oplock breaks that
have not been acknowledged by the client within the configured time. It does this by enumerating
all opens in the GlobalOpenTable. For each open, if Open.OplockState is Breaking and
Open.OplockTimeout is earlier than the current time, the server MUST acknowledge the oplock
break to the underlying object store represented by Open.LocalOpen, set Open.OplockLevel to
SMB2_OPLOCK_LEVEL_NONE, and set Open.OplockState to None.
If the server implements SMB 2.1 and supports leasing, the server MUST scan for lease breaks that
have not been acknowledged by the client within the configured time. It does this by enumerating
all lease tables in GlobalLeaseTableList. For each lease table, it enumerates all leases in
LeaseTable.LeaseList. For each lease, if Lease.Breaking is TRUE and
Lease.LeaseBreakTimeout is earlier than the current time, the server MUST acknowledge the
lease break to the underlying object store represented by the opens in Lease.LeaseOpens, and set
Lease.LeaseState to NONE.
The timer MUST then be restarted to expire again at the time of the next oplock time-out. If no
other opens have Open.OplockState equal to Breaking, and no leases (if implemented) have
Lease.Breaking set to TRUE, the timer MUST NOT be restarted.
253 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The durable open scavenger timer MUST be started when the connection or session associated with
a file is disconnected. When the durable open scavenger timer expires, the server MUST scan for
durable opens that have not been reclaimed by a client within the configured time. It does this by
enumerating all opens in the GlobalOpenTable. For each open, if Open.IsDurable is TRUE,
Open.Connection is NULL and Open.DurableOpenTimeout is earlier than the current time, the
server MUST close Open.LocalOpen, remove the open from the GlobalOpenTable, and free the
open object.
The timer MUST then be restarted to expire again at the time of the next durable open time-out. If
no other opens have Open.Connection equal to NULL, the timer MUST NOT be restarted.
When the session expiration timer expires, the server MUST walk each Session in the
GlobalSessionTable. If the Session.State is Active and the Session.ExpirationTime has passed,
the Session.State MUST be set to Expired.
If the server implements SMB 2.1 and supports resiliency, it MUST implement this timer event.
The resilient open scavenger timer MUST be started when the connection or session associated with
a file is disconnected. When the resilient open scavenger timer expires, the server MUST scan for
resilient opens that have not been reclaimed by a client within the configured time. It does this by
enumerating all opens in the GlobalOpenTable. For each open, if Open.IsResilient is TRUE,
Open.Connection is NULL and Open.ResilientOpenTimeout is earlier than the current time, the
server MUST close Open.LocalOpen, remove the open from GlobalOpenTable, and free the open
object.
The timer MUST then be restarted to expire again at the time of the next resilient open time-out. If
no other opens have Open.Connection equal to NULL, the timer MUST NOT be restarted.
When the transport indicates a disconnect, the server MUST enumerate the sessions established
over this connection in GlobalSessionTable.
For every such session in the table, the server MUST deregister every tree connect object in
Session.TreeConnectTable by invoking the event, as specified in [MS-SRVS] section 3.1.6.7. The
tree connect MUST then be removed from Session.TreeConnectTable and freed.
If the server implements SMB 2.1 and supports leasing and if Open.IsResilient is TRUE, the
open MUST be preserved for a reconnect. The open MUST be removed from
Session.OpenTable, Open.Connection is set to NULL, Open.Session is set to NULL,
Open.TreeConnect is set to NULL, and Open.ResilientOpenTimeOut is set to the current time
plus Open.ResiliencyTimeout.
254 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
If the Open is not being preserved for a reconnect, then Open.LocalOpen MUST be closed. The
open is removed from Session.OpenTable, and the open is freed. Then the session MUST be
removed from GlobalSessionTable and freed.
255 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The following diagram shows the steps taken by a client that is negotiating SMB2 by using an SMB-
style negotiate.
1. The client sends an SMB negotiate packet with the string "SMB 2.002" in the dialect string list,
along with the other SMB dialects the client supports.
Smb: C; Negotiate, Dialect = PC NETWORK PROGRAM 1.0, LANMAN1.0, Windows for Workgroups
3.1a, LM1.2X002, LANMAN2.1, NT LM 0.12, SMB 2.002
Protocol: SMB
Command: Negotiate 114(0x72)
SMBHeader: Command, TID: 0xFFFF, PID: 0xFEFF, UID: 0x0000, MID: 0x0000
Flags: 24 (0x18)
256 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
257 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
2. The server receives the SMB negotiate request and finds dialect "SMB 2.002". The server
responds with an SMB2 negotiate.
Smb2: R NEGOTIATE
SMB2Header:
Size: 64 (0x40)
Epoch: 0 (0x0)
Status: STATUS_SUCCESS
Command: NEGOTIATE
Credits: 1 (0x1)
Flags: 1 (0x1)
ServerToRedir: ...............................1 Server to Client
AsyncCommand: ..............................0. Command is not asynchronous
Related: .............................0.. Packet is single message
Signed: ............................0... Packet is not signed
Reserved: 0 (0x0)
DFS: 0............................... Command is not a DFS Operation
NextCommand: 0 (0x0)
MessageId: 0 (0x0)
ProcessId: 65279 (0xFEFF)
TreeId: 0 (0x0)
SessionId: 0 (0x0)
RNegotiate:
Size: 65 (0x41)
SecurityMode: Signing Enabled
DialectRevision: 0x0202
Reserved: 0 (0x0)
Guid: {3F5CF209-A4E5-0049-A7D6-6A456D5CA5CF}
Capabilities: 1 (0x1)
DFS: ...............................1 DFS available
MaxTransactSize: 65536 (0x10000)
MaxReadSize: 65536 (0x10000)
MaxWriteSize: 65536 (0x10000)
SystemTime: 127972992061679232 (0x1C6A6C21CAE2680)
ServerStartTime: 127972985895467232 (0x1C6A6C0AD2538E0)
SecurityBufferOffset: 128 (0x80)
SecurityBufferLength: 30 (0x1E)
Reserved2: 0 (0x0)
Buffer:
3. The client queries GSS for the authentication token and sends an SMB2 SESSION_SETUP Request
with the output token received from GSS.
258 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
4. The server processes the token received with GSS and gets a return code indicating a subsequent
round trip is required. The server responds to the client with an SMB2 SESSION_SETUP Response
with Status equal to STATUS_MORE_PROCESSING_REQUIRED and the response containing the
output token from GSS.
259 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
5. The client processes the received token with GSS and sends an SMB2 SESSION_SETUP Request
with the output token received from GSS and the SessionId received on the previous response.
6. The server processes the token received with GSS and gets a successful return code. The server
responds to client with an SMB2 SESSION_SETUP Response with Status equal to
STATUS_SUCCESS and the response containing the output token from GSS.
260 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
7. The client completes the authentication and sends an SMB2 TREE_CONNECT Request with the
SessionId for the session, and a tree connect request containing the Unicode share name
"\\smb2server\IPC$".
261 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
Further operations can now continue, using the SessionId and TreeId generated in the connection
to this share.
The following diagram shows the steps taken by a client that is negotiating SMB 2.10 dialect by
using an SMB-style negotiate.
262 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
1. The client sends an SMB negotiate packet with the string "SMB 2.???" in the dialect string list,
along with the other SMB dialects the client supports.
Smb: C; Negotiate, Dialect = PC NETWORK PROGRAM 1.0, LANMAN1.0, Windows for Workgroups
3.1a, LM1.2X002, LANMAN2.1, NT LM 0.12, SMB 2.002, SMB 2.???
Protocol: SMB
Command: Negotiate 114(0x72)
NTStatus: 0x0, Facility = FACILITY_SYSTEM, Severity = STATUS_SEVERITY_SUCCESS, Code =
(0) STATUS_SUCCESS
Code: (................0000000000000000) (0) STATUS_SUCCESS
Facility: (...0000000000000................) FACILITY_SYSTEM
Customer: (..0.............................) NOT Customer Defined
Severity: (00..............................) STATUS_SEVERITY_SUCCESS
SMBHeader: Command, TID: 0xFFFF, PID: 0xFEFF, UID: 0x0000, MID: 0x0000
Flags: 24 (0x18)
LockAndRead: (.......0) LOCK_AND_READ and WRITE_AND_UNLOCK NOT supported
(Obsolete) (SMB_FLAGS_LOCK_AND_READ_OK)
NoAck: (......0.) An ACK response is needed (SMB_FLAGS_SEND_NO_ACK[only
applicable when SMB transport is NetBIOS over IPX])
Reserved_bit2: (.....0..) Reserved (Must Be Zero)
CaseInsensitive: (....1...) SMB paths are caseinsensitive (SMB_FLAGS_CASE_INSENSITIVE)
Canonicalized: (...1....) Canonicalized File and pathnames (Obsolete)
(SMB_FLAGS_CANONICALIZED_PATHS)
Oplock: (..0.....) Oplocks NOT supported for OPEN, CREATE & CREATE_NEW
(Obsolete) (SMB_FLAGS_OPLOCK)
OplockNotify: (.0......) Notifications NOT supported for OPEN, CREATE & CREATE_NEW
(Obsolete) (SMB_FLAGS_OPLOCK_NOTIFY_ANY)
FromServer: (0.......) Command SMB is being sent from the client
(SMB_FLAGS_SERVER_TO_REDIR)
Flags2: 51283 (0xC853)
KnowsLongFiles: (...............1) Understands Long File Names
(SMB_FLAGS2_KNOWS_LONG_NAMES)
ExtendedAttribs: (..............1.) Understands extended attributes
(SMB_FLAGS2_KNOWS_EAS)
263 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
2. The server receives the SMB negotiate request and finds the "SMB 2.???" string in the dialect
string list. The server responds with an SMB2 NEGOTIATE Response with the DialectRevision set
to 0x02ff.
264 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
3. The client receives the SMB2 NEGOTIATE Response. The client issues a new SMB2 NEGOTIATE
Request with a new dialect 0x0210 appended along with other SMB2 dialects.
265 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
4. The server receives the SMB2 negotiate request and finds dialect 0x0210. The server sends an
SMB2 NEGOTIATE Response with DialectRevision set to 0x0210.
266 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The following diagram shows the steps taken by a client that is negotiating SMB2 by using an SMB2
negotiate.
267 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
1. The client sends an SMB2 negotiate packet with the dialect 0x0202 in the Dialects array.
Smb2: C NEGOTIATE
SMB2Header:
Size: 64 (0x40)
Epoch: 0 (0x0)
Status: STATUS_SUCCESS
Command: NEGOTIATE
Credits: 126 (0x7E)
Flags: 0 (0x0)
ServerToRedir: ...............................0 Client to Server
AsyncCommand: ..............................0. Command is not asynchronous
Related: .............................0.. Packet is single message
Signed: ............................0... Packet is not signed
Reserved: 0 (0x0)
DFS: 0............................... Command is not a DFS Operation
NextCommand: 0 (0x0)
MessageId: 0 (0x0)
ProcessId: 65279 (0xFEFF)
TreeId: 0 (0x0)
SessionId: 0 (0x0)
268 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
2. The server receives the SMB2 NEGOTIATE Request and finds dialect 0x0202. The server responds
with an SMB2 negotiate.
Smb2: R NEGOTIATE
SMB2Header:
Size: 64 (0x40)
Epoch: 0 (0x0)
Status: STATUS_SUCCESS
Command: NEGOTIATE
Credits: 1 (0x1)
Flags: 1 (0x1)
ServerToRedir: ...............................1 Server to Client
AsyncCommand: ..............................0. Command is not asynchronous
Related: .............................0.. Packet is single message
Signed: ............................0... Packet is not signed
Reserved: 0 (0x0)
DFS: 0............................... Command is not a DFS Operation
NextCommand: 0 (0x0)
MessageId: 0 (0x0)
ProcessId: 65279 (0xFEFF)
TreeId: 0 (0x0)
SessionId: 0 (0x0)
RNegotiate:
Size: 65 (0x41)
SecurityMode: Signing Enabled
DialectRevision: 514 (0x0202)
Reserved: 0 (0x0)
Guid: {3F5CF209-A4E5-0049-A7D6-6A456D5CA5CF}
Capabilities: 1 (0x1)
DFS: ...............................1 DFS available
MaxTransactSize: 65536 (0x10000)
MaxReadSize: 65536 (0x10000)
MaxWriteSize: 65536 (0x10000)
SystemTime: 127972992061679232 (0x1C6A6C21CAE2680)
ServerStartTime: 127972985895467232 (0x1C6A6C0AD2538E0)
SecurityBufferOffset: 128 (0x80)
SecurityBufferLength: 30 (0x1E)
Reserved2: 0 (0x0)
Buffer:
3. The client queries GSS for the authentication token and sends an SMB2 SESSION_SETUP Request
with the output token received from GSS.
269 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
4. The server processes the token received with GSS and gets a return code indicating a subsequent
round trip is required. The server responds to the client with an SMB2 SESSION_SETUP Response
with Status equal to STATUS_MORE_PROCESSING_REQUIRED and the response containing the
output token from GSS.
270 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
5. The client processes the received token with GSS and sends an SMB2 SESSION_SETUP Request
with the output token received from GSS and the SessionId received on the previous response.
6. The server processes the token received with GSS and gets a successful return code. The server
responds to the client with an SMB2 SESSION_SETUP Response with Status equal to
STATUS_SUCCESS and the response containing the output token from GSS.
271 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
7. The client completes the authentication and sends an SMB2 TREE_CONNECT Request with the
SessionId for the session, and a tree connect request containing the Unicode share name
"\\smb2server\IPC$".
272 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
Further operations can now continue, using the SessionId and TreeId generated in the connection
to this share.
The following diagram demonstrates the steps taken to execute transactions over a named pipe
using both individual reads and writes, and the transact named pipe operation. Assume that this
sequence starts on a connection where the session and tree connect have been established as
described in previous sections with SessionId = 0x4000000000D and TreeId 0x1, and messages
have been exchanged such that the current MessageId is 9.
273 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
1. The client sends an SMB2 CREATE Request to open the named pipe "srvsvc".
274 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
275 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
2. The server responds with an SMB2 CREATE Response with the FileId for the pipe open.
276 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
3. The client sends an SMB2 WRITE Request to write data into the pipe.
4. The server responds with an SMB2 WRITE Response indicating the data was written successfully.
277 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
5. The client sends an SMB2 READ Request to read data from the pipe.
278 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
7. The client sends an SMB2 IOCTL Request to perform a pipe transaction, writing data into the
buffer and then reading the response in a single operation.
Smb2: C IOCTL
SMB2Header:
Size: 64 (0x40)
Epoch: 0 (0x0)
Status: STATUS_SUCCESS
Command: IOCTL
Credits: 111 (0x6F)
Flags: 0 (0x0)
ServerToRedir: ...............................0 Client to Server
AsyncCommand: ..............................0. Command is not asynchronous
Related: .............................0.. Packet is single message
Signed: ............................0... Packet is not signed
Reserved: 0 (0x0)
DFS: 0............................... Command is not a DFS Operation
NextCommand: 0 (0x0)
MessageId: 12 (0xC)
ProcessId: 65279 (0xFEFF)
TreeId: 1 (0x1)
SessionId: 4398046511117 (0x4000000000D)
CIoCtl:
Size: 57 (0x39)
Reserved: 0 (0x0)
279 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
8. The server sends an SMB2 IOCTL Response with the data that was read.
Smb2: R IOCTL
SMB2Header:
Size: 64 (0x40)
Epoch: 0 (0x0)
Status: STATUS_SUCCESS
Command: IOCTL
Credits: 1 (0x1)
Flags: 1 (0x1)
ServerToRedir: ...............................1 Server to Client
AsyncCommand: ..............................0. Command is not asynchronous
Related: .............................0.. Packet is single message
Signed: ............................0... Packet is not signed
Reserved: 0 (0x0)
DFS: 0............................... Command is not a DFS Operation
NextCommand: 0 (0x0)
MessageId: 12 (0xC)
ProcessId: 65279 (0xFEFF)
TreeId: 1 (0x1)
SessionId: 4398046511117 (0x4000000000D)
RIoCtl:
Size: 49 (0x31)
Reserved: 0 (0x0)
Code: 0x0011c017
Method: ..............................11 Method neither
Function: 0x005
Access: ................11.............. Read/Write
Device: 0x0011
Fid:
Persistent: 5 (0x5)
Volatile: -4294967291 (0xFFFFFFFF00000005)
InputOffset: 112 (0x70)
InputCount: 68 (0x44)
OutputOffset: 184 (0xB8)
OutputCount: 112 (0x70)
Flags: 0 (0x0)
Reserved2: 0 (0x0)
Input: (68 bytes)
Output: (112 bytes)
280 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
10.The server sends an SMB2 CLOSE Response to indicate the close was successful.
Smb2: R CLOSE
SMB2Header:
Size: 64 (0x40)
Epoch: 0 (0x0)
Status: STATUS_SUCCESS
Command: CLOSE
Credits: 1 (0x1)
Flags: 1 (0x1)
ServerToRedir: ...............................1 Server to Client
AsyncCommand: ..............................0. Command is not asynchronous
Related: .............................0.. Packet is single message
Signed: ............................0... Packet is not signed
Reserved: 0 (0x0)
DFS: 0............................... Command is not a DFS Operation
NextCommand: 0 (0x0)
MessageId: 13 (0xD)
ProcessId: 65279 (0xFEFF)
TreeId: 1 (0x1)
SessionId: 4398046511117 (0x4000000000D)
RClose:
281 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The following diagram demonstrates the steps taken to open a remote file, read from it, and close it.
Assume that this sequence starts on a connection where the session and tree connect have been
established as described in previous sections with SessionId of 0x40000000011 and TreeId of
0x5, and messages have been exchanged such that the current MessageId is 10.
282 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
1. The client sends an SMB2 CREATE Request for the file "testfile.txt".
283 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
2. The server responds with an SMB2 CREATE Response giving the FileId of the opened file.
284 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
3. The client sends an SMB2 READ Request to read data from the file.
285 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
4. The server responds with an SMB2 READ Response with the data read from the file.
286 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
6. The server sends an SMB2 CLOSE Response indicating the close was successful.
Smb2: R CLOSE
SMB2Header:
Size: 64 (0x40)
Epoch: 0 (0x0)
Status: STATUS_SUCCESS
Command: CLOSE
Credits: 1 (0x1)
Flags: 1 (0x1)
ServerToRedir: ...............................1 Server to Client
AsyncCommand: ..............................0. Command is not asynchronous
Related: .............................0.. Packet is single message
Signed: ............................0... Packet is not signed
Reserved: 0 (0x0)
DFS: 0............................... Command is not a DFS Operation
NextCommand: 0 (0x0)
MessageId: 12 (0xC)
ProcessId: 65279 (0xFEFF)
TreeId: 5 (0x5)
287 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The following diagram demonstrates the steps taken to open a remote file, write to it, and close it.
Assume that this sequence starts on a connection where the session and tree connect have been
established as described in previous sections, and messages have been exchanged such that the
current MessageId is 30. Let us assume TreeId is set to 0x1 and SessionId is set to
0x40000000015 for all requests and responses listed below.
288 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
1. The client sends an SMB2 CREATE Request for the file "test.dat".
289 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
290 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
2. The server responds with an SMB2 CREATE Response with the FileId of the opened file.
291 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
3. The client sends an SMB2 SET_INFO Request to set FileEndOfFileInformation (specified in MS-
FSCC section 2.4.13) to 0x2f000.
292 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
5. The client sends an SMB2 WRITE Request to write the first 0x10000 bytes.
6. The server responds with an SMB2 WRITE Response indicating 0x10000 bytes were written.
293 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
7. The client sends an SMB2 WRITE Request to write the next 0x10000 bytes.
294 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
8. The server responds with an SMB2 WRITE Response indicating 0x10000 bytes were written.
9. The client sends an SMB2 WRITE Request to write the final 0xf000 bytes.
295 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
10.The server responds with an SMB2 WRITE Response indicating 0xf000 bytes were written.
11.The client sends an SMB2 CLOSE Request to close the opened file.
296 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
12.The server sends an SMB2 CLOSE Response indicating the close was successful.
Smb2: R CLOSE
SMBIdentifier: SMB
SMB2Header:
Size: 64 (0x40)
Epoch: 0 (0x0)
Status: STATUS_SUCCESS
Command: CLOSE
Credits: 1 (0x1)
Flags: 1 (0x1)
ServerToRedir: ...............................1 Server to Client
AsyncCommand: ..............................0. Command not asynchronous
Related: .............................0.. Packet is single message
Signed: ............................0... Packet not signed
Reserved: 0 (0x0)
DFS: 0............................... Command not DFS Operation
NextCommand: 0 (0x0)
MessageId: 15 (0xF)
ProcessId: 65279 (0xFEFF)
TreeId: 1 (0x1)
SessionId: 4398046511125 (0x40000000015)
RClose:
Size: 60 (0x3C)
Flags: 1 (0x1)
Reserved: 0 (0x0)
CreationTime: 127972994486543232
(0x1C6A6C2AD36A380)
LastAccessTime: 127972994494343232
(0x1C6A6C2ADADA840)
LastWriteTime: 127965940833141721
(0x1C6A0585EB543D9)
ChangeTime: 127972993511484705
(0x1C6A6C273186D21)
AllocationSize: 196608 (0x30000)
297 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The following diagram demonstrates the steps taken to close a tree connect and log off a session.
Assume that this sequence starts on a connection where the session and tree connect have been
established as described in previous sections with SessionId of 0x40000000015 and TreeId of
0x1.
1. The client sends an SMB2 TREE_DISCONNECT Request for the tree connect.
298 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
Smb2: C LOGOFF
SMB2Header:
Size: 64 (0x40)
Epoch: 0 (0x0)
Status: STATUS_SUCCESS
Command: LOGOFF
Credits: 111 (0x6F)
Flags: 0 (0x0)
299 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
Smb2: R LOGOFF
SMB2Header:
Size: 64 (0x40)
Epoch: 0 (0x0)
Status: STATUS_SUCCESS
Command: LOGOFF
Credits: 1 (0x1)
Flags: 1 (0x1)
ServerToRedir: ...............................1 Server to Client
AsyncCommand: ..............................0. Command is not asynchronous
Related: .............................0.. Packet is single message
Signed: ............................0... Packet is not signed
Reserved: 0 (0x0)
DFS: 0............................... Command is not a DFS Operation
NextCommand: 0 (0x0)
MessageId: 33 (0x21)
ProcessId: 65279 (0xFEFF)
TreeId: 0 (0x0)
SessionId: 4398046511125 (0x40000000015)
RLogoff:
Size: 4 (0x4)
Reserved: 0 (0x0)
300 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The protocol does not sign oplock break requests from the server to the client if message signing is
enabled. This could allow attackers to affect performance but it does not allow them to deny access
or alter data.
The protocol does not require cancel requests from the client to the server to be signed if message
signing is enabled. This could allow attackers to cancel previously sent messages from the client to
the server on the same SMB2 transport connection.
The previous versions support does potentially allow access to versions of a file that have been
deleted or modified, and so could allow access to information that was not available without these
extensions. However, this access is still subject to the same access checks it would have normally
been subject to.
All data exchanged on the wire is not encrypted. For data that requires stricter security, either the
underlying transport must provide encryption of the data or a different protocol may be more
applicable.
301 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
Exceptions, if any, are noted below. If a service pack number appears with the product version,
behavior changed in that service pack. The new behavior also applies to subsequent service packs of
the product unless otherwise specified.
Unless otherwise specified, any statement of optional behavior in this specification prescribed using
the terms SHOULD or SHOULD NOT implies product behavior in accordance with the SHOULD or
SHOULD NOT prescription. Unless otherwise specified, the term MAY implies that product does not
follow the prescription.
<1> Section 1.6: The Server Message Block (SMB) Version 2.002 Protocol is available only in
Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. SMB Version 2.1
is available only in Windows 7 and Windows Server 2008 R2. Windows Vista, Windows Server 2008,
Windows 7 and Windows Server 2008 R2 default to using the highest common dialect of the SMB 2
Protocol when it is available. Windows 95, Windows 98, Windows Millennium Edition,
Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003, support the SMB Protocol,
as specified in [MS-SMB], and thus use it by default.
<2> Section 2.2.1.1: Windows-based clients always set the SessionId field to 0 for these
commands, and Windows-based servers will ignore SessionId for these commands.
<3> Section 2.2.2: Windows–based SMB2 servers leave this one byte of ErrorData uninitialized
and it might contain any value.
<4> Section 2.2.2.1: Windows servers will never follow a symlink. It is the client's responsibility to
evaluate the symlink and access the actual file using the symlink. A Windows server only returns
STATUS_STOPPED_ON_SYMLINK when the open fails due to presence of a symlink.
<5> Section 2.2.2.1: Windows Vista, Windows Server 2008, Windows 7, and Windows
Server 2008 R2 will return an absolute target to a local resource in the format of "\??\C:\..." where
C: is the drive mount point on the local system and ... is replaced by the remainder of the path to
the target.
<6> Section 2.2.3: Windows-based SMB2 servers fail the request and return
STATUS_INVALID_PARAMETER, if the DialectCount field is greater than 64.
<7> Section 2.2.3: A Windows Vista RTM–based client would send a value of zero in the Dialects
array in SMB2 NEGOTIATE Request and a Windows Vista RTM-based server would acknowledge with
a value of 6 in DialectRevision in SMB2 NEGOTIATE Response. This behavior is deprecated.
<8> Section 2.2.3: Windows Vista, Windows Server 2008, Windows 7, and Windows
Server 2008 R2 support this dialect revision.
<9> Section 2.2.3: Only Windows 7 and Windows Server 2008 R2 support this dialect revision.
302 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
<11> Section 2.2.4: Windows Vista, Windows Server 2008, Windows 7, and Windows
Server 2008 R2 support this dialect revision.
<12> Section 2.2.4: Only Windows 7 and Windows Server 2008 R2 support this dialect revision.
<13> Section 2.2.4: The "SMB 2.???" dialect string is supported by SMB2 clients and servers in
Windows 7 and Windows Server 2008 R2.
<14> Section 2.2.4: Windows-based SMB2 servers may set this field to any value.
<15> Section 2.2.4: Windows–based SMB2 servers generate a new ServerGuid each time they are
started.
<16> Section 2.2.4: Windows clients do not enforce the MaxTransactSize value.
<17> Section 2.2.5: Windows-based clients always set the Capabilities field to
SMB2_GLOBAL_CAP_DFS(0x00000001) and the server will ignore them on receipt.
<18> Section 2.2.9: The Windows SMB 2 Protocol client translates any names of the form
\\server\pipe to \\server\IPC$ before sending a request on the network.
<20> Section 2.2.13: Windows-based clients never use exclusive oplocks. Because there are no
situations where the client would require an exclusive oplock where it would not also require an
SMB2_OPLOCK_LEVEL_BATCH, it always requests an SMB2_OPLOCK_LEVEL_BATCH.
<21> Section 2.2.13: Windows-based SMB2 servers impersonate with the Anonymous Logon
Security Principal SID(S-1-5-7), as described in [MS-LSAT] section 3.1.1.1.1.
<22> Section 2.2.13: When opening an existing file, Windows clients set this field to any value, and
Windows-based servers ignore this value.
<23> Section 2.2.13: When opening a printer file or a named pipe, Windows-based servers ignore
these ShareAccess values.
<24> Section 2.2.13: When opening a printer object, Windows-based servers ignore this value.
<25> Section 2.2.13: When opening a printer object, Windows-based servers ignore this value.
<26> Section 2.2.13: When opening a printer object, Windows-based servers ignore this value.
<27> Section 2.2.13: Windows server implementations reserve all bits that are not specified in the
table. If any of the reserved bits are set, STATUS_NOT_SUPPORTED is returned.
<28> Section 2.2.13: Windows SMB2 clients do not initialize this bit. The bit contains the value
specified by the caller when requesting the open.
<29> Section 2.2.13: Windows SMB2 clients do not initialize this bit. The bit contains the value
specified by the caller when requesting the open.
<30> Section 2.2.13: Windows SMB2 clients do not initialize this bit. The bit contains the value
specified by the caller when requesting the open.
303 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
<32> Section 2.2.13: Windows SMB2 clients do not initialize this bit. The bit contains the value
specified by the caller when requesting the open.
<33> Section 2.2.13: Windows Vista, Windows Server 2008, and Windows 7-based clients will set
this bit when it is requested by the application.
<34> Section 2.2.13.1.1: Windows sets this flag to the value passed in by the higher-level
application.
<35> Section 2.2.13.1.1: Windows Server 2008 R2 fails the Create or Open request with
STATUS_ACCESS_DENIED if the caller does not have the SYNCHRONIZE privilege.
<36> Section 2.2.13.1.1: Windows fails the create request with STATUS_ACCESS_DENIED if the
caller does not have the AccessSystemAcl privilege.
<37> Section 2.2.13.1.2: Windows sets this flag to the value passed in by the higher-level
application.
<38> Section 2.2.13.2: If DataLength is 0, Windows-based clients set this field to any value.
<39> Section 2.2.13.2.8: Windows 7 and Windows Server 2008 R2 as SMB server support the
following combinations of values: 0, READ, READ | WRITE, READ | HANDLE, READ | WRITE |
HANDLE. Windows 7 and Windows Server 2008 R2 clients restrict requests accordingly.
<40> Section 2.2.14: Windows-based clients never use exclusive oplocks. Because there are no
situations where it would require an exclusive oplock where it would not also require an
SMB2_OPLOCK_LEVEL_BATCH, it always requests an SMB2_OPLOCK_LEVEL_BATCH.
<41> Section 2.2.14: Windows-based SMB2 servers always return FILE_OPENED for pipes with
successful opens.
<42> Section 2.2.14: Windows-based SMB2 servers may set this field to any value.
<43> Section 2.2.23.1: Windows-based clients never use exclusive oplocks. Because there are no
situations where it would require an exclusive oplock where it would not also require an
SMB2_OPLOCK_LEVEL_BATCH, it always requests an SMB2_OPLOCK_LEVEL_BATCH.
<44> Section 2.2.24.1: Windows-based clients never use exclusive oplocks. There are no situations
where an exclusive oplock would be used instead of using a SMB2_OPLOCK_LEVEL_BATCH.
<45> Section 2.2.24.2: Windows clients always set the LeaseState in the Lease Break
Acknowledgment to be equal to the LeaseState in the Lease Break Notification from the server.
<46> Section 2.2.31: If no input data is required for the FSCTL/IOCTL command being issued,
Windows-based clients set this field to any value.
<47> Section 2.2.31: Windows clients set the OutputOffset field equal to the InputOffset field.
<49> Section 2.2.31.2.1: Windows–based SMB2 servers and clients do not check
SourceFileName. It is ignored.
<50> Section 2.2.32: Windows–based SMB2 servers set the InputOffset field to the offset, in
bytes, from the beginning of the SMB2 header to the Buffer[] field of the response.
304 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
FSCTL_FIND_FILES_BY_SID
FSCTL_GET_RETRIEVAL_POINTERS
FSCTL_QUERY_ALLOCATED_RANGES
FSCTL_READ_FILE_USN_DATA
FSCTL_RECALL_FILE
FSCTL_WRITE_USN_CLOSE_RECORD
<53> Section 2.2.32.2: Windows-based SMB2 server will place 2 extra bytes set to zero in the
SRV_SNAPSHOT_ARRAY response, if NumberOfSnapShotsReturned is zero.
<54> Section 2.2.32.3: Windows-based servers Windows Vista, Windows Server 2008, Windows 7,
and Windows Server 2008 R2 always send 4 bytes of zero for the Context field.
<56> Section 2.2.37: Windows clients set this value to the offset from the start of the SMB2 header
to the beginning of the Buffer field.
<57> Section 2.2.37: Windows clients send a 1-byte buffer of 0 when InputBufferLength is set to
0.
<58> Section 2.2.37.1: Windows clients set this field to 1 for TRUE.
<59> Section 2.2.37.1: Windows clients set this field to 1 for TRUE.
<61> Section 2.2.37.1: Windows Vista, Windows Server 2008, Windows 7, and Windows
Server 2008 R2 clients always send the request with the SidBuffer field containing a SidList and
never send the request with a StartSid.
<62> Section 3.1.3: By default, Windows-based servers set the RequireMessageSigning value to
TRUE for domain controllers and FALSE for all other machines.
<63> Section 3.2.1.2: Windows clients do not enforce the MaxTransactSize value.
<64> Section 3.2.2.1: The Windows-based client implements this timer with a default value of 60
seconds. The client does not enforce this timer for the following commands:
305 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
<65> Section 3.2.2.2: The Windows-based clients scan existing connections every 10 seconds and
disconnect idle connects that have no open files and that have had no activity for 10 or more
seconds.
<66> Section 3.2.4.1.1: A client can selectively sign requests, and the server will sign the
corresponding responses. Windows-based clients do not selectively sign requests.
<67> Section 3.2.4.1.2: The Windows-based client will request credits up to a configured
maximum. That maximum is 128 by default. A Windows-based client sends a value of 0 for an SMB2
NEGOTIATE Request and expects the server to grant at least 1 credit.
<68> Section 3.2.4.1.4: Windows SMB2 Server allows a mix of related and unrelated compound
requests in the same transport send. Upon encountering a request with
SMB2_FLAGS_RELATED_OPERATIONS not set Windows SMB2 Server treats it as the start of a chain.
<69> Section 3.2.4.1.4: Windows Vista, Windows Server 2008, Windows 7, and Windows
Server 2008 R2 will align their compounded requests and responses on 8-byte boundaries. Currently
they do not disconnect other machines that disobey this rule.
<70> Section 3.2.4.1.4: The Windows-based client does not send unrelated compounded requests.
<71> Section 3.2.4.1.4: Windows-based clients will compound certain related requests to improve
performance, by combining a Create with another operation, such as an attribute query.
<72> Section 3.2.4.1.5: Windows 7 client only sends multi-credit requests for read, write, and
directory enumeration.
<73> Section 3.2.4.2: Windows-based clients always set up a new transport connection when
establishing a new session to a server.
<74> Section 3.2.4.2: Windows will reuse an existing session if the access is by the same logged-on
user and the target server name matches exactly. This means that Windows will establish a new
session with the same credentials if the same user is logged on to the client multiple times, or if the
user is accessing the server through two different names that resolve to the same server. (NetBIOS
and fully qualified domain name, for example.)
<75> Section 3.2.4.2: Windows will establish a new connection for every SMB2 session being
created.
<76> Section 3.2.4.2: Windows establishes a new connection for each new session.
<77> Section 3.2.4.2.2: The Windows-based client will initiate a multi-protocol negotiation unless it
has previously negotiated with this server and determined that it supports the SMB 2 Protocol. In
the latter case, it will initiate an SMB2-only negotiate.
<78> Section 3.2.4.2.2.1: When a Windows-based client sends the deprecated "SMB 2.001" dialect,
a Windows Vista RTM–based server would acknowledge with a value of 6 in DialectRevision in the
SMB2 NEGOTIATE Response. This behavior is deprecated.
<79> Section 3.2.4.2.3: Windows-based clients implement the first option that is specified.
306 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
<81> Section 3.2.4.2.3.1: Windows-based clients implement the first option that is specified.
<82> Section 3.2.4.2.3.1: All the GSS-API tokens used by Windows SMB2 clients are up to 4Kbytes
in size. SMB2 servers always instruct the GSS_API server to expect the GSS_C_FRAGMENT_TO_FIT.
<83> Section 3.2.4.3: Windows-based clients will request a batch oplock for file creates.
<85> Section 3.2.4.6: Windows-based clients will try to send multiple read commands at the same
time, starting at the lowest offset and working to the highest.
<86> Section 3.2.4.7: Windows-based clients always put the payload at the beginning of the Buffer
field and do not insert padding.
<87> Section 3.2.4.7: Windows-based clients will try to send multiple write commands at the same
time, starting at the lowest offset and working to the highest.
<88> Section 3.2.4.8: Windows clients set this value to the offset from the start of the SMB2
header to the beginning of the Buffer field.
<89> Section 3.2.4.10: Windows clients set this value to the offset from the start of the SMB2
header to the beginning of the Buffer field.
<90> Section 3.2.4.12: Windows clients set this value to the offset from the start of the SMB2
header to the beginning of the Buffer field.
<91> Section 3.2.4.14: Windows Vista, Windows Server 2008, Windows 7, and Windows
Server 2008 R2 clients will set StartSidLength and StartSidOffset to any value.
<92> Section 3.2.4.14: Windows Vista, Windows Server 2008, Windows 7, and Windows
Server 2008 R2 clients always use a SidList.
<93> Section 3.2.4.14: Windows Vista, Windows Server 2008, Windows 7, and Windows
Server 2008 R2 clients set SidListLength to be StartSidOffset + StartSidLength instead of 0.
<95> Section 3.2.4.17: The Windows SMB2 server implementation closes and reopens the directory
handle in order to "reset" the enumeration state. So any outstanding operations on the directory
handle will be failed with a STATUS_FILE_CLOSED error.
<96> Section 3.2.4.20.1: Windows clients set this field to any value.
<97> Section 3.2.4.20.1: Windows clients set the OutputOffset field to InputOffset +
InputCount, rounded up to a multiple of 8 bytes.
<98> Section 3.2.4.20.2.1: Windows clients set this field to any value.
307 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
<100> Section 3.2.4.20.2.2: Windows applications use FSCTL_SRV_COPYCHUNK if the target file
handle has FILE_READ_DATA access. Otherwise, they use the FSCTL_SRV_COPYCHUNK_WRITE.
<101> Section 3.2.4.20.2.2: Windows clients set the OutputOffset field to InputOffset +
InputCount, rounded up to a multiple of 8 bytes.
<102> Section 3.2.4.20.3: Windows clients set the OutputOffset field to InputOffset +
InputCount, rounded up to a multiple of 8 bytes.
<103> Section 3.2.4.20.4: Windows clients set the OutputOffset field to InputOffset +
InputCount, rounded up to a multiple of 8 bytes.
<104> Section 3.2.4.20.5: Windows clients set this field to any value.
<105> Section 3.2.4.20.5: Windows clients set the OutputOffset field to InputOffset +
InputCount, rounded up to a multiple of 8 bytes.
<106> Section 3.2.4.20.6: Windows-based SMB2 servers pass File System Control requests through
to the local object store but do not support I/O Control requests and fail such requests with
STATUS_NOT_SUPPORTED.
<107> Section 3.2.4.20.6: Windows clients set the OutputOffset field to InputOffset +
InputCount, rounded up to a multiple of 8 bytes.
<108> Section 3.2.4.20.7: Windows clients set the OutputOffset field to the sum of the values of
the InputOffset and the InputCount fields, rounded up to a multiple of 8 bytes.
<109> Section 3.2.4.20.8: Windows clients set the OutputOffset field to InputOffset +
InputCount, rounded up to a multiple of 8 bytes.
<110> Section 3.2.5.1.2: Windows-based clients will not disconnect the connection but simply
disregard the incorrectly signed response.
<111> Section 3.2.5.1.6: Windows-based clients will not disconnect the connection, but will simply
fail the request.
<112> Section 3.2.5.1.7: Windows-based SMB 2 Protocol clients do not check the validity of the
command in the response.
<113> Section 3.2.5.2: Windows-based clients will not use the MaxTransactSize and will use the
ServerGuid to determine if the client and server are the same machine.
<114> Section 3.2.5.14: If the OutputCount field in an SMB2 IOCTL Response is 0 and the
OutputOffset exceeds the size of the SMB2 response, Windows clients will return
STATUS_INVALID_NETWORK_RESPONSE to the application.
<115> Section 3.2.5.14.9: Windows clients enable TCP keepalives to detect broken connections.
<116> Section 3.2.5.19.1: Windows-based clients will not request exclusive oplocks.
<117> Section 3.2.6.1: Windows clients use a default time-out of 60 seconds for all requests with
the following exception. Windows clients do not enforce a time-out on SMB2 CHANGE_NOTIFY
requests, SMB2 LOCK requests without the SMB2_LOCKFLAG_FAIL_IMMEDIATELY flag, SMB2 READ
requests on named pipes, SMB2 WRITE requests on named pipes, and the FSCTL_PIPE_PEEK,
308 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
<118> Section 3.2.6.1: Windows clients do not extend the default time-out.
<120> Section 3.2.6.1: The Windows-based clients will disconnect the connection.
<121> Section 3.2.6.2: The Windows-based client will disconnect idle connections that have no
open files and that have had no activity for 10 seconds.
<122> Section 3.3.1.1: Windows-based servers will limit the maximum range of sequence numbers.
If a client has been granted 10 credits, the server will not allow the difference between the smallest
available sequence number and the largest available sequence number to exceed 2*10 = 20.
Therefore, if the client has sequence number 10 available and does not send it, the server will stop
granting credits as the client nears sequence number 30, and eventually will grant no further credits
until the client sends sequence number 10.
<123> Section 3.3.1.2: Windows Vista SP1, Windows 7, and Windows Server 2008–based SMB2
clients require a minimum of 4 credits to be granted by the server.
<124> Section 3.3.1.2: A Windows-based server will grant some portion of the client request based
on available resources and the number of credits the client is currently taking advantage of. A
Windows–based server grants credits based on usage but will attempt to enforce fairness if there
are insufficient credits.
<125> Section 3.3.1.2: A Windows–based server does not currently scale credits based on quality
of service features.
<126> Section 3.3.1.4: Windows 7 and Windows Server 2008 R2-based SMB2 servers support only
the levels described above, and Windows 7 and Windows Server 2008 R2-based SMB2 clients
request only those levels.
<127> Section 3.3.1.6: Windows-based servers allow the sharing of both printers and traditional file
shares.
<128> Section 3.3.1.6: In Windows, this abstract state element contains the security descriptor for
the share.
<129> Section 3.3.1.10: Windows 7 and Windows Server 2008 R2 SMB 2.1 server support a
maximum extent of 64 entries in the Open.LockSequenceArray[].
<130> Section 3.3.2.1: This timer has a default value of 35 seconds, but its value could be changed
by system policy to any range between 5 seconds and infinite (4,294,967,295 seconds).
<131> Section 3.3.2.2: Windows-based SMB2 servers set this timer to a constant value of 16
minutes.
<132> Section 3.3.2.3: Windows-based servers implement this timer with a constant value of 45
seconds.
<133> Section 3.3.3: By default, Windows-based servers listen on both TCP-445 and NetBIOS.
They can be configured to use only TCP-445 by disabling NetBIOS over TCP. Likewise, they can also
pick up this setting via policy or DHCP configuration.
<134> Section 3.3.3: Windows-based SMB2 servers set this value to 256.
309 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
<136> Section 3.3.3: Windows-based SMB2 servers set this value to 16 MB.
<137> Section 3.3.3: Windows servers initialize ServerHashLevel based on a stored value in the
registry.
<138> Section 3.3.3: Windows 7 and Windows Server 2008 R2 SMB2 servers provide a constant
maximum resiliency time-out of 300000 milliseconds.
<140> Section 3.3.4.1.2: For an asynchronously processed request, Windows Vista, Windows
Server 2008, Windows 7, and Windows Server 2008 R2 grant credits on the interim response and do
not grant credits on the final response. The interim response grants credits to keep the transaction
from stalling in case the client is out of credits.
<141> Section 3.3.4.1.3: The Windows-based server compounds responses for any received
compounded operations. Otherwise, it does not compound responses.
<142> Section 3.3.4.1.3: Windows-based servers grant all credits in the final response of the
compounded chain, and grant 0 credits in all responses other than the final response.
<143> Section 3.3.4.2: Windows-based servers send interim responses for the following operations
if they cannot be completed immediately:
SMB2_CREATE, when the server is in oplock break for the file under consideration
SMB2_CHANGE_NOTIFY
FSCTL_PIPE_TRANSCEIVE
<144> Section 3.3.4.2: Windows-based servers incorrectly process the FSCTL_PIPE_WAIT request
on named pipes synchronously.
<145> Section 3.3.4.2: Windows servers allot a certain number of blocking operations with a
statically configured blocking operation credit, which defaults to 50 but is configurable. If a client
attempts to exceed this maximum number of blocking operations, the server will fail the request.
<146> Section 3.3.4.2: Windows servers always fail requests that go to async mode in a compound
request with STATUS_INTERNAL_ERROR except for the following two cases: when a create request
in the compound request triggers an oplock break, or when the last request in the compound
request requires to go async mode. If a create request in a compound chain goes to async mode
due to oplock break, Windows servers only send one interim response to the client. If there are
other create requests in a compound chain already completed before the oplock break, the broken
oplock level will not be updated in these create responses in the compound chain.
310 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
<148> Section 3.3.4.6: Windows based SMB2 servers set Open.OplockTimeout to the current
time plus 35000 milliseconds.
<149> Section 3.3.4.7: Windows Server 2008 R2 breaks to one of the following caching states:
NONE, R, RW, RH, RWH.
<150> Section 3.3.4.7: Windows based SMB2 servers set Lease.LeaseBreakTimeout to the
current time plus 35000 milliseconds.
<151> Section 3.3.5.2: Windows generates a unique IORequest Identifier for each request sent to
the object store. The IORequest is also stored in the Connection.RequestList entry until
completed by the object store, so that the pending IO operations can be canceled. Windows
performs cancellation of in-progress requests via the interface in [MS-FSA]section 3.1.5.19 Server
Requests Canceling an Operation. The IORequest parameter is obtained from the
Connection.RequestList as stored during the original object store operation invocation.
<152> Section 3.3.5.2.2: Windows-based servers will not fail the request with an error code but will
disconnect clients that send noncompounded requests with an invalid MessageId. When the
MessageId is invalid in the compounded requests, the server behavior is undefined.
<153> Section 3.3.5.2.3: Windows-based servers will not disconnect the connection due to a
mismatched signature.
<154> Section 3.3.5.2.3: Windows-based servers will not disconnect the connection due to an
unsigned packet.
<155> Section 3.3.5.2.5: Windows-based servers will disconnect the connection when it processes
packets that are smaller than the SMB2 header or packets that contain an invalid SMB2 command.
For all other validations, it will not disconnect the connection but simply return the error.
<156> Section 3.3.5.2.6: Windows–based SMB2 servers always fail requests that go to async mode
in a compound request with STATUS_INTERNAL_ERROR except for the following two cases: when a
create request in the compound request triggers an oplock break, or when the last request in the
compound request goes to async mode. If multiple requests in a compound message go to async
mode, only the first request will be responded to by Windows–based SMB2 servers. Subsequent
async requests will be ignored by Windows–based SMB2 server implementations. Responses for the
requests prior to the first async request are sent as part of a single response. Other responses are
returned in separate messages.
<157> Section 3.3.5.2.6: Windows-based SMB2 servers allow a mix of related and unrelated
compound requests in the same transport send. Upon encountering a request with
SMB2_FLAGS_RELATED_OPERATIONS not set, a Windows-based SMB2 server treats it as the start
of a chain.
<159> Section 3.3.5.2.6.2: Windows Vista, Windows Server 2008, Windows 7, and Windows
Server 2008 R2 fail the compounded request with STATUS_INVALID_PARAMETER if the previous
request failed to create the FileId or the compounded request does not contain a FileId,
SessionId, or TreeId. If the previous session expired, Windows Vista, Windows Server 2008,
311 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
<160> Section 3.3.5.3.1: Windows clients do not enforce the MaxTransactSize value.
<161> Section 3.3.5.3.1: If the negotiate dialect is SMB 2.1 and the underlying TCP endpoint is on
port 445, the default MaxTransactSize value is set to 1024KB. This default value can be
customized through registry configurations. Otherwise, the default MaxTransactSize value is set to
64KB.
<162> Section 3.3.5.3.1: If the negotiate dialect is SMB 2.1 and the underlying TCP endpoint is on
port 445, the default MaxReadSize value is set to 1024KB. This default value can be customized
through registry configurations. Otherwise, the default MaxReadSize value is set to 64KB.
<163> Section 3.3.5.3.1: If the negotiate dialect is SMB 2.1 and the underlying TCP endpoint is on
port 445, the default MaxWriteSize value is set to 1024KB. This default value can be customized
through registry configurations. Otherwise, the default MaxWriteSize value is set to 64K.
<164> Section 3.3.5.3.2: When a Windows-based client sends the deprecated "SMB 2.001" dialect,
a Windows Vista RTM-based server would acknowledge with a value of 6 in DialectRevision in the
SMB2 NEGOTIATE Response. This behavior is deprecated.
<166> Section 3.3.5.3.2: Windows clients do not enforce the MaxTransactSize value.
<167> Section 3.3.5.5.3: Windows 2000, Windows XP, Windows Server 2003, Windows Vista,
Windows Server 2008, Windows 7, and Windows Server 2008 R2 will also accept raw Kerberos
messages and implicit NTLM messages as part of GSS authentication.
<168> Section 3.3.5.9: Windows-SMB2 servers ignore the FILE_OPEN_REPARSE_POINT flag and
return STATUS_PATH_NOT_COVERED
<169> Section 3.3.5.9: If the target of the create request is a file, and any of the bits in the mask
0x0CE0FE00 are set, Windows allows the file open but does not allow any operations on the opened
file.
<170> Section 3.3.5.9: Windows-based servers ignore DesiredAccess values other than
FILE_WRITE_DATA, FILE_APPEND_DATA and GENERIC_WRITE if any one of these values is
specified.
<172> Section 3.3.5.9: Windows Vista, Windows Server 2008, Windows 7, and Windows
Server 2008 R2 ignore create contexts having a NameLength greater than 4 and ignores create
contexts with length of 4 that are not specified in section 2.2.13.2.
<173> Section 3.3.5.9: Windows performs the following open/create mappings from SMB2
parameters to the object store as described in [MS-FSA] section 3.1.5.1 Server Requests an Open of
a File.
312 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
DesiredAccess DesiredAccess
DesiredFileAttributes FileAttributes
ShareAccess ShareAccess
CreateDisposition CreateDisposition
CreateOptions CreateOptions
Windows performs the following mappings from object store results to SMB2 response.
CreateAction CreateAction
Open FileId The FileID to Open mapping is computed and maintained by the
server
<174> Section 3.3.5.9: Windows-based servers will receive the data from the local create operation
for constructing the error response when a symbolic link is present in the target path name.
<175> Section 3.3.5.9: Windows Oplock acquisition is described in [MS-FSA] section 3.1.5.17.
Oplock acquisition is an optional step in open/create processing; the Open parameter passed is the
Open result from the open or create operation, and the Type parameter is mapped as follows.
LEVEL_BATCH SMB2_OPLOCK_LEVEL_BATCH
LEVEL_ONE SMB2_OPLOCK_LEVEL_EXCLUSIVE
LEVEL_TWO SMB2_OPLOCK_LEVEL_II
The Status code returned indicates whether the requested oplock was granted.
<176> Section 3.3.5.9: Windows obtains CreationTime from the object store FileBasicInformation
[MS-FSA] section 3.1.5.11.6 and [MS-FSCC] section 2.4.7.
313 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
<178> Section 3.3.5.9: Windows obtains LastWriteTime from the object store
FileBasicInformation [MS-FSA] section 3.1.5.11.6 and and [MS-FSCC] section 2.4.7.
<179> Section 3.3.5.9: Windows obtains ChangeTime from the object store FileBasicInformation
[MS-FSA] section 3.1.5.11.6 and [MS-FSCC] section 2.4.7.
<180> Section 3.3.5.9: Windows obtains AllocationSize from the object store
FileStandardInformation [MS-FSA] section 3.1.5.11.27 and [MS-FSCC] section 2.4.38.
<181> Section 3.3.5.9: Windows-based SMB2 servers will set AllocationSize to any value for the
named pipe.
<182> Section 3.3.5.9: Windows obtains EndOfFile from the object store FileStandardInformation
[MS-FSA] section 3.1.5.11.27 and [MS-FSCC] section 2.4.38.
<183> Section 3.3.5.9: Windows-based SMB2 servers will set EndofFile to any value for the named
pipe.
<184> Section 3.3.5.9: Windows obtains FileAttributes from the object store FileBasicInformation
[MS-FSA] section 3.1.5.11.6 and [MS-FSCC] section 2.4.7.
<185> Section 3.3.5.9.1: Windows sets extended attributes on a newly created file with the
FSCTL_SET_OBJECT_ID_EXTENDED FSCTL [MS-FSA] section 3.1.5.9.24 and MS-FSCC section
2.3.53.
<186> Section 3.3.5.9.2: Windows sets security attributes on a newly created file with the
Application requests setting of security information [MS-FSA] section 3.1.5.16.
<187> Section 3.3.5.9.2: Windows will ignore security descriptors if the underlying object store
does not support them.
<189> Section 3.3.5.9.3: Windows sets allocation size on a newly created file with the
FileAllocationInformation [MS-FSA] section 3.1.5.14.1 and [MS-FSCC] section 2.4.4, after converting
bytes to volume cluster size.
<190> Section 3.3.5.9.4: Windows validates that a snapshot with the time stamp provided exists by
forming a FileBothDirectoryInformation object store request for the file including the provided
@GMT token in the path, as described in [MS-SMB] section 2.2.1.1.1 and [MS-FSA] section
3.1.5.5.4.1.
<191> Section 3.3.5.9.4: Windows opens a file on a snapshot with the time stamp provided by the
file including the provided @GMT token in the path, as described in [MS-SMB] section 2.2.1.1.1 and
[MS-FSA] section 3.1.5.1.
<192> Section 3.3.5.9.5: Windows computes the MaximalAccess to return by querying the security
attributes of the file with [MS-FSA] section 3.1.5.13, and performing an access check against the
credentials provided by the request.
<193> Section 3.3.5.9.8: The Lease.LeaseKey generated in section 3.3.5.9.8 is associated with
the LeaseTable.ClientGuid to generate a unique OplockKey which is passed to the object store
when processing continues at open/create time. A new or existing lease is thereby associated with
the resulting open.
314 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
READ_CACHING SMB2_LEASE_READ_CACHING
WRITE_CACHING SMB2_LEASE_WRITE_CACHING
HANDLE_CACHING SMB2_LEASE_HANDLE_CACHING
The Status code returned indicates whether the requested lease was granted.
<194> Section 3.3.5.10: Windows closes the open file with Server Requests Closing an Open [MS-
FSA] section 3.1.5.4.
<195> Section 3.3.5.10: Windows Lease break is described in [MS-FSA] section 3.1.5.17. The Open
parameter passed is the Open value from current close operation, the Type parameter is
LEVEL_GRANULAR to indicate a Lease request, and the RequestedOplockLevel parameter is zero.
<196> Section 3.3.5.10: Windows obtains attributes and end of file from the object store
FileBasicInformation [MS-FSA] section 3.1.5.11.6 and [MS-FSCC] section 2.4.7.
<197> Section 3.3.5.11: Windows flushes any cached data to the file with Server Requests Flushing
Cached Data [MS-FSA] section 3.1.5.6.
<198> Section 3.3.5.11: If the request target is a named pipe or file, Windows-based servers
handle this request asynchronously.
<199> Section 3.3.5.12: Windows Vista, Windows Server 2008, Windows 7, and Windows
Server 2008 R2 fail the request with STATUS_BUFFER_OVERFLOW instead of
STATUS_INVALID_PARAMETER.
<200> Section 3.3.5.12: Windows reads from a file with Server Requests a Read [MS-FSA] section
3.1.5.2.
ByteOffset ByteOffset
ByteCount ByteCount
IsNonCached FALSE
<201> Section 3.3.5.12: Windows SMB2 servers send an interim response to the client and handle
the read asynchronously if the read is not finished in 0.5 milliseconds.
<202> Section 3.3.5.12: Windows-based servers handle the following commands asynchronously:
SMB2 Create (section 2.2.13) when this create would result in an oplock break, SMB2 IOCTL
Request (section 2.2.31) for FSCTL_PIPE_TRANSCEIVE if it blocks for more than 1 millisecond,
SMB2 IOCTL Request for FSCTL_SRV_COPYCHUNK or FSCTL_SRV_COPYCHUNK_WRITE (section
2.2.31) when oplock break happens, SMB2 Change_Notify Request (section 2.2.35) if it blocks for
more than 0.5 milliseconds, SMB2 Read request (section 2.2.19) for named pipes if it blocks for
315 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
<203> Section 3.3.5.13: Windows SMB2 servers allow the operation when either
FILE_APPEND_DATA or FILE_WRITE_DATA is set in Open.GrantedAccess.
<204> Section 3.3.5.13: Windows Vista, Windows Server 2008, Windows 7, and Windows
Server 2008 R2 fail the request with STATUS_BUFFER_OVERFLOW instead of
STATUS_INVALID_PARAMETER.
<205> Section 3.3.5.13: Windows writes to a file with Server Requests a Write [MS-FSA] section
3.1.5.3.
ByteOffset ByteOffset
ByteCount ByteCount
IsNonCached FALSE
<206> Section 3.3.5.13: Windows-based servers handle the following commands asynchronously:
SMB2 CREATE Request (section 3.3.5.9) when this create would result in an oplock break.
SMB2 IOCTL Request (section 3.3.5.15) for FSCTL_PIPE_TRANSCEIVE if it blocks for more than 1
millisecond. For FSCTL_SRV_COPYCHUNK or FSCTL_SRV_COPYCHUNK_WRITE, when an oplock
break happens.
SMB2 CHANGE_NOTIFY Request (section 3.3.5.19) if it blocks for more than 0.5 milliseconds.
SMB2 READ Request (section 3.3.5.12) for named pipes if it blocks for more than 0.5
milliseconds.
SMB2 WRITE Request (section 3.3.5.13) for named pipes if it blocks for more than 0.5
milliseconds.
<207> Section 3.3.5.14.1: Windows-based servers ignore this value while processing Unlocks.
<208> Section 3.3.5.14.1: Windows processes unlock with Server Requests unlock of a Byte-Range
[MS-FSA] section 3.1.5.8.
FileOffset Offset
316 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
Length Length
<210> Section 3.3.5.14.2: Refer to [FSBO] for implementation-specific details of how byte range
locks can be implemented.
<211> Section 3.3.5.14.2: Windows processes lock with Server Requests a Byte-Range Lock [MS-
FSA] section 3.1.5.7.
Object Store
parameter SMB2 parameter
FileOffset Offset
Length Length
<212> Section 3.3.5.15: Windows 7 and Windows Server 2008 R2 SMB2 servers copy the
OutputCount bytes into the output buffer for the following FSCTLs
FSCTL_GET_RETRIEVAL_POINTERS
FSCTL_GET_REPARSE_POINT
FSCTL_PIPE_TRANSCEIVE
FSCTL_PIPE_PEEK
FSCTL_DFS_GET_REFERRALS
Windows Vista and Windows Server 2008 SMB2 servers copy the OutputCount bytes into the
output buffer for the following FSCTLs
FSCTL_PIPE_TRANSCEIVE
FSCTL_PIPE_PEEK
FSCTL_DFS_GET_REFERRALS
All other FSCTL commands will be failed with error STATUS_BUFFER_OVERFLOW through error
response specified in section 2.2.2.
<213> Section 3.3.5.15: Windows Vista and Windows Server 2008 servers without KB 978491, and
Windows 7 and Windows Server 2008 R2 without Service Pack 1 ignore a
FSCTL_SRV_NOTIFY_TRANSACTION request specifying a valid FileId and don't send a response to
the client, and reply to a FSCTL_SRV_NOTIFY_TRANSACTION with an invalid or -1 FileId with
STATUS_INVALID_PARAMETER.
317 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
<215> Section 3.3.5.15.1: Windows-based SMB2 server will place 2 extra bytes set to zero in
SnapShots array and set SnapShotArraySize to 2, if NumberOfSnapShots is zero.
<216> Section 3.3.5.15.1: Windows SMB2 servers set the InputOffset field to the offset, in bytes,
from the beginning of the SMB2 header to the Buffer[] field of the response.
<217> Section 3.3.5.15.2: A Windows-based DFS server does not return any data to the caller if
the buffer supplied to FSCTL_GET_DFS_REFERRALS is too small.
<218> Section 3.3.5.15.2: Windows–based servers set the InputOffset field to the offset, in bytes,
from the beginning of the SMB2 header to the Buffer[] field of the response.
<220> Section 3.3.5.15.3: Windows 7 and Windows Server 2008 R2 will not return the input buffer,
and InputCount is always zero. Windows Vista, Windows Vista SP1, Windows Server 2008 and
Windows Server 2008 SP1 will send back the input buffer based on the InputOffset and InputCount
indicated in the request.
<221> Section 3.3.5.15.3: Windows SMB2 servers send an interim response to the client if the
read/write attempt is not finished in 1 millisecond.
<222> Section 3.3.5.15.3: Windows–based SMB2 servers set the InputOffset field to the offset, in
bytes, from the beginning of the SMB2 header to the Buffer[] field of the response.
<223> Section 3.3.5.15.3: Windows–based SMB2 servers currently return the input buffer that was
received in the request as part of the response.
<224> Section 3.3.5.15.3: Windows–based SMB2 servers currently return the input buffer that was
received in the request as part of the response.
<227> Section 3.3.5.15.4: Windows SMB2 servers set the InputOffset field to the offset, in bytes,
from the beginning of the SMB2 header to the Buffer[] field of the response.
<228> Section 3.3.5.15.4: Windows SMB2 servers will set OutputOffset to InputOffset +
InputCount, rounded up to a multiple of 8.
<229> Section 3.3.5.15.5: Windows servers do not support any additional contexts.
<230> Section 3.3.5.15.5: Windows servers construct the 24-byte blob using Open.DurableFileId
and other pieces of information which include the process ID of the caller and a timestamp.
<231> Section 3.3.5.15.5: Windows SMB2 servers set the InputOffset field to the offset, in bytes,
from the beginning of the SMB2 header to the Buffer[] field of the response.
<232> Section 3.3.5.15.6: Windows performs server-side copy reads from a file with Server
Requests a Read [MS-FSA] section 3.1.5.2.
318 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
ByteOffset SourceOffset
ByteCount Length
IsNonCached FALSE
<234> Section 3.3.5.15.6: Windows performs server-side copy writes to a file with Application
Requests a Write [MS-FSA] section 3.1.5.3.
ByteOffset TargetOffset
ByteCount Length
IsWriteThrough FALSE
IsNonCached FALSE
<235> Section 3.3.5.15.6: Windows SMB2 servers set the InputOffset field to the offset, in bytes,
from the beginning of the SMB2 header to the Buffer[] field of the response.
<236> Section 3.3.5.15.6.1: Windows-based SMB2 servers set the InputOffset field to the offset,
in bytes, from the beginning of the SMB2 header to the Buffer[] field of the response.
<237> Section 3.3.5.15.6.2: Windows SMB2 servers set the InputOffset field to the offset, in
bytes, from the beginning of the SMB2 header to the Buffer[] field of the response.
<238> Section 3.3.5.15.7: Windows 7 and Windows Server 2008 R2 servers support the
FSCTL_SRV_READ_HASH request.
<239> Section 3.3.5.15.7: The File Content Information data structure for a server-side Read
Hash is described in [MS-PCCRC] section 2.3.
<240> Section 3.3.5.15.7: Windows SMB2 servers set the InputOffset field to the offset, in bytes,
from the beginning of the SMB2 header to the Buffer[] field of the response.
<241> Section 3.3.5.15.8: The following FSCTLs are explicitly blocked by Windows-based SMB2
server and not passed through to the object store. They are failed with STATUS_NOT_SUPPORTED.
FSCTL_REQUEST_OPLOCK_LEVEL_1 (0x00090000)
FSCTL_REQUEST_OPLOCK_LEVEL_2 (0x00090004)
FSCTL_REQUEST_BATCH_OPLOCK (0x00090008)
FSCTL_REQUEST_FILTER_OPLOCK (0x0009005C)
FSCTL_OPLOCK_BREAK_ACKNOWLEDGE (0x0009000C)
FSCTL_OPBATCH_ACK_CLOSE_PENDING (0x00090010)
FSCTL_OPLOCK_BREAK_NOTIFY (0x00090014)
319 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
FSCTL_MARK_HANDLE (0x000900FC)
FSCTL_QUERY_RETRIEVAL_POINTERS (0x0009003B)
FSCTL_PIPE_ASSIGN_EVENT (0x00110000)
FSCTL_GET_VOLUME_BITMAP (0x0009006F)
FSCTL_GET_NTFS_FILE_RECORD (0x00090068)
FSCTL_INVALIDATE_VOLUMES (0x00090054)
FSCTL_READ_USN_JOURNAL (0x000900BB)
FSCTL_CREATE_USN_JOURNAL (0x000900E7)
FSCTL_QUERY_USN_JOURNAL (0x000900F4)
FSCTL_DELETE_USN_JOURNAL (0x000900F8)
FSCTL_ENUM_USN_DATA (0x000900B3)
FSCTL_QUERY_DEPENDENT_VOLUME (0x000901F0)
FSCTL_SD_GLOBAL_CHANGE (0x000901F4)
FSCTL_GET_BOOT_AREA_INFO (0x00090230)
FSCTL_GET_RETRIEVAL_POINTER_BASE (0x00090234)
FSCTL_SET_PERSISTENT_VOLUME_STATE (0x00090238)
FSCTL_QUERY_PERSISTENT_VOLUME_STATE (0x0009023C)
FSCTL_REQUEST_OPLOCK (0x00090240)
FSCTL_TXFS_MODIFY_RM (0x00098144)
FSCTL_TXFS_QUERY_RM_INFORMATION (0x00094148)
FSCTL_TXFS_ROLLFORWARD_REDO (0x00098150)
FSCTL_TXFS_ROLLFORWARD_UNDO (0x00098154)
FSCTL_TXFS_START_RM (0x00098158)
FSCTL_TXFS_SHUTDOWN_RM (0x0009815C)
FSCTL_TXFS_READ_BACKUP_INFORMATION (0x00094160)
FSCTL_TXFS_WRITE_BACKUP_INFORMATION (0x00098164)
FSCTL_TXFS_CREATE_SECONDARY_RM (0x00098168)
FSCTL_TXFS_GET_METADATA_INFO (0x0009416C)
FSCTL_TXFS_GET_TRANSACTED_VERSION (0x00094170)
320 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
FSCTL_TXFS_CREATE_MINIVERSION (0x0009817C)
FSCTL_TXFS_TRANSACTION_ACTIVE (0x0009418C)
FSCTL_TXFS_LIST_TRANSACTIONS (0x000941E4)
FSCTL_TXFS_READ_BACKUP_INFORMATION2 (0x000901F8)
FSCTL_TXFS_WRITE_BACKUP_INFORMATION2 (0x00090200)
Windows-based SMB2 servers fail FSCTLs whose transfer type is METHOD_NEITHER with error
STATUS_NOT_SUPPORTED except the following ones. For more information about FSCTL transfer
type, see [MSDN-IoCtlCodes].
FSCTL_PIPE_TRANSCEIVE (0x0011C017)
FSCTL_QUERY_ALLOCATED_RANGES (0x000940CF)
FSCTL_WRITE_USN_CLOSE_RECORD (0x000900EF)
FSCTL_READ_FILE_USN_DATA (0x000900EB)
FSCTL_GET_RETRIEVAL_POINTERS (0x00090073)
FSCTL_FIND_FILES_BY_SID (0x0009008F)
FSCTL_SRV_READ_HASH (0x001441BB)
<242> Section 3.3.5.15.8: Windows performs passthrough FSCTL operations via Server Requests
an FsControl Request [MS-FSA] section 3.1.5.9.
<243> Section 3.3.5.15.8: Windows–based SMB2 servers set the InputOffset field to the offset, in
bytes, from the beginning of the SMB2 header to the Buffer[] field of the response.
<244> Section 3.3.5.15.8: Windows–based SMB2 servers will set OutputOffset to InputOffset +
InputCount, rounded up to a multiple of 8.
<245> Section 3.3.5.15.9: Windows 7 and Windows Server 2008 R2 servers support the
FSCTL_LMR_REQUEST_RESILIENCY request.
<246> Section 3.3.5.15.9: Windows SMB2 servers set the InputOffset field to the offset, in bytes,
from the beginning of the SMB2 header to the Buffer[] field of the response.
<247> Section 3.3.5.16: Windows performs cancellation of in-progress requests via the interface in
[MS-FSA] section 3.1.5.19 Server Requests Canceling an Operation. The IORequest parameter is
obtained from the Connection.RequestList as stored during the original object store operation
invocation.
<248> Section 3.3.5.18: The Windows SMB2 server implementation closes and reopens the
directory handle in order to "reset" the enumeration state. So any outstanding operations on the
directory handle will be failed with a STATUS_FILE_CLOSED error.
<249> Section 3.3.5.18: If the length of the received data is less than the size of SMB2 header
(0x40) plus size of SMB2 QUERY_DIRECTORY request (0x21), Windows servers fail the request with
STATUS_INVALID_PARAMETER. Otherwise, if FileNameLength is 0 and the underlying file system
is NTFS, Windows servers fail the request with STATUS_OBJECT_NAME_INVALID.
321 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
<251> Section 3.3.5.18: Windows performs directory query information requests via the
corresponding interfaces in [MS-FSA] section 3.1.5.5.4:
<252> Section 3.3.5.19: Windows-based servers handle the following commands asynchronously:
SMB2 Create (section 2.2.13) when this create would result in an oplock break, SMB2 IOCTL
Request (section 2.2.31) for FSCTL_PIPE_TRANSCEIVE if it blocks for more than 1 millisecond,
SMB2 IOCTL Request for FSCTL_SRV_COPYCHUNK or FSCTL_SRV_COPYCHUNK_WRITE (section
2.2.31) when oplock break happens, SMB2 Change_Notify Request (section 2.2.35) if it blocks for
more than 0.5 milliseconds, SMB2 Read Request (section 2.2.19) for named pipes if it blocks for
more than 0.5 milliseconds, SMB2 Write Request (section 2.2.21) for named pipes if it blocks for
more than 0.5 milliseconds, SMB2 Write Request (section 2.2.21) for large file write, SMB2 lock
Request (section 2.2.26) if the SMB2_LOCKFLAG_FAIL_IMMEDIATELY flag is not set, and SMB2
FLUSH Request (section 2.2.17) for named pipes.
<253> Section 3.3.5.19: Windows requests ChangeNotify processing via Server Requests Change
Notifications for a Directory in [MS-FSA] section 3.1.5.10. If the SMB2_WATCH_TREE flag is set, the
WatchTree boolean is passed as TRUE. ChangeNotify notification is reported as described in [MS-
FSA] section 3.1.5.10.1.
<254> Section 3.3.5.19: Windows Vista and Windows Server 2008 limit OutputBufferLength size
to 256 KB. Windows 7 and Windows Server 2008 R2 limits OutputBufferLength size to 64 KB.
<255> Section 3.3.5.20.1: Windows-based SMB2 servers fail the following request levels with
STATUS_NOT_SUPPORTED instead of STATUS_INVALID_INFO_CLASS: 41, 42, 43, 47, 49, 51, 52,
and 53.
<256> Section 3.3.5.20.1: Windows-based SMB2 servers will set the CurrentByteOffset to any
value.
<259> Section 3.3.5.20.2: SetFsInfo calls to Windows servers fail with STATUS_ACCESS_DENIED
because Windows servers do not allow setting volume information over the network.
322 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
<264> Section 3.3.5.21.1: Windows-based SMB2 servers fail the following request levels with
STATUS_NOT_SUPPORTED instead of STATUS_INVALID_INFO_CLASS: 30, 41, 42, 43.
<267> Section 3.3.5.21.3: If the underlying object store does not support object security based on
Access Control Lists (as specified in [MS-DTYP] section 2.4.5), it returns STATUS_SUCCESS.
<271> Section 3.3.7.1: Windows-based SMB2 servers provide a statically configured durable handle
time-out, which defaults to 16 minutes.
<272> Section 3.3.7.1: Windows-based SMB2 servers provide a statically configured durable handle
time-out, which defaults to 16 minutes.
323 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
The revision class New means that a new document is being released.
The revision class Major means that the technical content in the document was significantly revised.
Major changes affect protocol interoperability or implementation. Examples of major changes are:
The revision class Minor means that the meaning of the technical content was clarified. Minor
changes do not affect protocol interoperability or implementation. Examples of minor changes are
updates to clarify ambiguity at the sentence, paragraph, or table level.
The revision class Editorial means that the language and formatting in the technical content was
changed. Editorial changes apply to grammatical, formatting, and style issues.
The revision class No change means that no new technical or language changes were introduced.
The technical content of the document is identical to the last released version, but minor editorial
and formatting changes, as well as updates to the header and footer information, and to the revision
summary, may have been made.
Major and minor changes can be described further using the following change types:
Content updated.
Content removed.
324 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
Editorial changes are always classified with the change type "Editorially updated."
Some important terms used in revision type descriptions are defined as follows:
Protocol syntax refers to data elements (such as packets, structures, enumerations, and
methods) as well as interfaces.
Protocol revision refers to changes made to a protocol that affect the bits that are sent over
the wire.
The changes made to this document are listed in the following table. For more information, please
contact [email protected].
Major
chang
e
Tracking number (if applicable) (Y or Chang
Section and description N) e Type
325 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
CK. added.
326 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
327 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
328 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
d.
329 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
d.
330 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
331 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
field. d.
332 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
333 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
334 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
335 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
336 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
Global I
connections 113
data 112 Idle connection timer 117
structures 176 Idle connection timer event 172
Glossary 12 Implementer - security considerations 301
Incoming message - verifying 113
H Index of security parameters 301
Informative references 16
HASH_HEADER packet 89 Initialization
Higher-layer triggered events client (section 3.1.3 112, section 3.2.3 117)
client server (section 3.1.3 112, section 3.3.3 183)
overview 117 Introduction 12
re-establishing a durable open 129
requesting applying of file attributes 134 L
337 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
338 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
339 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
340 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification
341 / 341
[MS-SMB2] — v20100820
Server Message Block (SMB) Version 2 Protocol Specification