18.104.22.168 NT_TRANSACT_NOTIFY_CHANGE (0x0004)
This NT Transaction subcommand was introduced in the NT LAN Manager dialect.
This command notifies the client when the directory, specified by FID, is modified. It also returns the names of all file system objects that changed, and the ways in which they were modified. The command completes once the directory has been modified based on the supplied CompletionFilter. The command is a "single shot" and therefore needs to be reissued to watch for more directory changes.
The TotalParameterCount field of the server response indicates the number of bytes that are being returned. If too many files (that is, more entries than will fit in the response buffer) have changed since the last time that the command was issued, then zero bytes are returned and STATUS_NOTIFY_ENUM_DIR (ERRDOS/ERROR_NOTIFY_ENUM_DIR) is returned in the Status field of the server response header.
A directory file MUST be opened before this command can be used. After the directory is open, this command is used to watch files and subdirectories in the specified directory for changes. When the command is issued, the server creates a buffer that is used to collect directory changes between NT_TRANSACT_NOTIFY_CHANGE calls. The SMB_Parameters.Words.MaxParameterCount field in the SMB_COM_NT_TRANSACT Request (section 22.214.171.124.1) determines the size of the buffer that the server uses to store directory change information.