2.2.7.1.1 Request
The NT_TRANSACT_CREATE requestFILE_SEQUENTIAL_ONLY format is a special case of SMB_COM_NT_TRANSACT (section 2.2.4.62) SMB. The NT_TRANSACT_CREATE request specifics are described here.
-
NT_Trans_Parameters { ULONG Flags; ULONG RootDirectoryFID; ULONG DesiredAccess; LARGE_INTEGER AllocationSize; SMB_EXT_FILE_ATTR ExtFileAttributes; ULONG ShareAccess; ULONG CreateDisposition; ULONG CreateOptions; ULONG SecurityDescriptorLength; ULONG EALength; ULONG NameLength; ULONG ImpersonationLevel; UCHAR SecurityFlags; UCHAR Name[NameLength]; } NT_Trans_Data { SECURITY_DESCRIPTOR SecurityDescriptor; FILE_FULL_EA_INFORMATION ExtendedAttributes[]; }
SMB_Parameters:
-
-
WordCount (1 byte): This field MUST be 0x13.
-
Words (38 bytes): Array of USHORT
-
-
Function (2 bytes): USHORT This field MUST be NT_TRANSACT_CREATE (0x0001).
-
SetupCount (1 byte): This field MUST be 0x00.
-
-
-
|
|
|
|
|
|
|
|
|
|
1 |
|
|
|
|
|
|
|
|
|
2 |
|
|
|
|
|
|
|
|
|
3 |
|
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
NT_Trans_Parameters (variable) |
|||||||||||||||||||||||||||||||
|
... |
|||||||||||||||||||||||||||||||
|
NT_Trans_Data (variable) |
|||||||||||||||||||||||||||||||
|
... |
|||||||||||||||||||||||||||||||
NT_Trans_Parameters (variable): The format of the parameters is very similar to the SMB_COM_NT_CREATE_ANDX command.
-
0
1
2
3
4
5
6
7
8
91
0
1
2
3
4
5
6
7
8
92
0
1
2
3
4
5
6
7
8
93
0
1Flags
RootDirectoryFID
DesiredAccess
AllocationSize
...
ExtFileAttributes
ShareAccess
CreateDisposition
CreateOptions
SecurityDescriptorLength
EALength
NameLength
ImpersonationLevel
SecurityFlags
Name (variable)
...
-
Flags (4 bytes): ULONG A 32-bit field containing a set of flags that modify the client request. Unused bits SHOULD be set to 0 by the client when sending a message and MUST be ignored when received by the server.
-
Name and bitmask
Meaning
NT_CREATE_REQUEST_OPLOCK
0x00000002
Level I (exclusive) OpLock requested.
NT_CREATE_REQUEST_OPBATCH
0x00000004
Batch OpLock requested.
NT_CREATE_OPEN_TARGET_DIR
0x00000008
The parent directory of the target is to be opened.
-
-
RootDirectoryFID (4 bytes): ULONG If nonzero, this value is the FID of an opened root directory, and the Name field MUST be handled as relative to the directory specified by this FID. If this value is zero (0x00000000), the Name field MUST be handled as relative to the root of the share (the TID). The FID MUST have been acquired in a previous message exchange.
-
DesiredAccess (4 bytes): ULONG A 32-bit field containing standard, specific, and generic access rights. These rights are used in access-control entries (ACEs) and are the primary means of specifying the requested or granted access to an object. If this value is 0x00000000, it represents a request to query the attributes without accessing the file. If the value is not 0x00000000, the bits represent requests for the following types of access:
-
Name and bitmask
Meaning
FILE_READ_DATA
0x00000001
Indicates the right to read data from the file.
FILE_WRITE_DATA
0x00000002
Indicates the right to write data into the file beyond the end of the file.
FILE_APPEND_DATA
0x00000004
Indicates the right to append data to the file beyond the end of the file only.
FILE_READ_EA
0x00000008
Indicates the right to read the extended attributes of the file.
FILE_WRITE_EA
0x00000010
Indicates the right to write or change the extended attributes of the file.
FILE_EXECUTE
0x00000020
Indicates the right to execute the file.
FILE_READ_ATTRIBUTES
0x00000080
Indicates the right to read the attributes of the file.
FILE_WRITE_ATTRIBUTES
0x00000100
Indicates the right to change the attributes of the file.
DELETE
0x00010000
Indicates the right to delete or to rename the file.
READ_CONTROL
0x00020000
Indicates the right to read the security descriptor of the file.
WRITE_DAC
0x00040000
Indicates the right to change the discretionary access control list (DACL) in the security descriptor of the file.
WRITE_OWNER
0x00080000
Indicates the right to change the owner in the security descriptor of the file.
SYNCHRONIZE
0x00100000
SHOULD NOT be used by the sender and MUST be ignored by the receiver.
ACCESS_SYSTEM_SECURITY
0x01000000
Indicates the right to read or change the system access control list (SACL) in the security descriptor for the file. If the SE_SECURITY_NAME privilege ([MS-LSAD] section 3.1.1.2.1) is not set in the access token, the server MUST fail the open request and return STATUS_PRIVILEGE_NOT_HELD.
MAXIMUM_ALLOWED
0x02000000
Indicates that the client requests an open to the file with the highest level of access that the client has on this file. If no access is granted for the client on this file, the server MUST fail the open and return a STATUS_ACCESS_DENIED.
GENERIC_ALL
0x10000000
Indicates a request for all of the access flags that are previously listed, except MAXIMUM_ALLOWED and ACCESS_SYSTEM_SECURITY.
GENERIC_EXECUTE
0x20000000
Indicates a request for the following combination of access flags listed previously in this table:
FILE_READ_ATTRIBUTES, FILE_EXECUTE, SYNCHRONIZE, and READ_CONTROL.
GENERIC_WRITE
0x40000000
Indicates a request for the following combination of access flags listed previously in this table:
FILE_WRITE_DATA, FILE_APPEND_DATA, SYNCHRONIZE, FILE_WRITE_ATTRIBUTES, FILE_WRITE_EA, and READ_CONTROL.
GENERIC_READ
0x80000000
Indicates a request for the following combination of access flags listed previously in this table:
FILE_WRITE_DATA, FILE_APPEND_DATA, SYNCHRONIZE, FILE_WRITE_ATTRIBUTES, FILE_WRITE_EA, and READ_CONTROL.
-
AllocationSize (8 bytes): LARGE_INTEGER The client MUST set this value to the initial allocation size of the file in bytes. The server MUST ignore this field if this request is to open an existing file. This field MUST be used only if the file is created or overwritten. The value MUST be set to 0x0000000000000000 in all other cases. This does not apply to directory-related requests. This is the number of bytes to be allocated, represented as a 64-bit integer value.
ExtFileAttributes (4 bytes): This field contains the extended file attributes of the file being requested, encoded as an SMB_EXT_FILE_ATTR (section 2.2.1.2.3) data type.
ShareAccess (4 bytes): ULONG A 32-bit field that specifies how the file SHOULD be shared with other processes. The names in the table below are provided for reference use only. The value MUST be FILE_SHARE_NONE or some combination of the other values:
-
-
Name and bitmask
Meaning
FILE_SHARE_NONE
0x00000000
(No bits set.)
Prevents the file from being shared.
FILE_SHARE_READ
0x00000001
Other open operations can be performed on the file for read access.
FILE_SHARE_WRITE
0x00000002
Other open operations can be performed on the file for write access.
FILE_SHARE_DELETE
0x00000004
Other open operations can be performed on the file for delete access.
-
CreateDisposition (4 bytes): ULONG A 32-bit value that represents the action to take if the file already exists or if the file is a new file and does not already exist.
-
-
Name and Value
Meaning
FILE_SUPERSEDE
0x00000000
(No bits set.)
If the file already exists, it SHOULD be superseded (overwritten). If it does not already exist, it SHOULD be created.
FILE_OPEN
0x00000001
If the file already exists, it SHOULD be opened rather than creating a new file. If the file does not already exist, the operation MUST fail.
FILE_CREATE
0x00000002
If the file already exists, the operation MUST fail. If the file does not already exist, it SHOULD be created.
FILE_OPEN_IF
0x00000003
If the file already exists, it SHOULD be opened. If the file does not already exist, it SHOULD be created.
FILE_OVERWRITE
0x00000004
If the file already exists, it SHOULD be opened and truncated. If the file does not already exist, the operation MUST fail.
FILE_OVERWRITE_IF
0x00000005
If the file already exists, it SHOULD be opened and truncated. If the file does not already exist, it SHOULD be created.
-
-
CreateOptions (4 bytes): ULONG A 32-bit field containing flag options to use if creating the file or directory. This field MUST be set to 0x00000000 or a combination of the following possible values. Unused bit fields SHOULD be set to 0 by the client when sending a request and SHOULD be ignored when received by the server. Below is a list of the valid values and their associated behaviors.
-
Name and bitmask
Meaning
FILE_DIRECTORY_FILE
0x00000001
The file being created or opened is a directory file. With this option, the CreateDisposition field MUST be set to FILE_CREATE, FILE_OPEN, or FILE_OPEN_IF. When this bit field is set, other compatible CreateOptions include only the following: FILE_WRITE_THROUGH, FILE_OPEN_FOR_BACKUP_INTENT, and FILE_OPEN_BY_FILE_ID.
FILE_WRITE_THROUGH
0x00000002
Applications that write data to the file MUST actually transfer the data into the file before any write request qualifies as semantically complete. If FILE_NO_INTERMEDIATE_BUFFERING is set, the server MUST process the request as if FILE_WRITE_THROUGH is set in the create request, even if not set by the client.
FILE_SEQUENTIAL_ONLY
0x00000004
This option indicates that access to the file MAY be sequential. The server can use this information to influence its caching and read-ahead strategy for this file. The file MAY in fact be accessed randomly, but the server can optimize its caching and read-ahead policy for sequential access.
FILE_NO_INTERMEDIATE_BUFFERING
0x00000008
The file SHOULD NOT be cached or buffered in an internal buffer by the server. This option is incompatible when the FILE_APPEND_DATA bit field is set in the DesiredAccess field.
FILE_SYNCHRONOUS_IO_ALERT
0x00000010
This flag MUST be ignored by the server, and clients SHOULD set it to 0.
FILE_SYNCHRONOUS_IO_NONALERT
0x00000020
This flag MUST be ignored by the server, and clients SHOULD set it to 0.
FILE_NON_DIRECTORY_FILE
0x00000040
If the file being opened is a directory, the server MUST fail the request with STATUS_FILE_IS_A_DIRECTORY in the Status field of the SMB Header (section 2.2.3.1) in the server response.
FILE_CREATE_TREE_CONNECTION
0x00000080
This option SHOULD NOT be sent by the clients, and this option MUST be ignored by the server.
FILE_COMPLETE_IF_OPLOCKED
0x00000100
This option SHOULD NOT be sent by the clients, and this option MUST be ignored by the server.
FILE_NO_EA_KNOWLEDGE
0x00000200
The application that initiated the client's request does not support extended attributes (EAs). If the EAs on an existing file being opened indicate that the caller SHOULD support EAs to correctly interpret the file, the server SHOULD fail this request with STATUS_ACCESS_DENIED (ERRDOS/ERRnoaccess) in the Status field of the SMB Header in the server response.
FILE_OPEN_FOR_RECOVERY
0x00000400
This option SHOULD NOT be sent by the clients, and this option MUST be ignored if received by the server.
FILE_RANDOM_ACCESS
0x00000800
Indicates that access to the file MAY be random. The server MAY use this information to influence its caching and read-ahead strategy for this file. This is a hint to the server that sequential read-ahead operations might not be appropriate on the file.
FILE_DELETE_ON_CLOSE
0x00001000
The file SHOULD be automatically deleted when the last open request on this file is closed. When this option is set, the DesiredAccess field MUST include the DELETE flag. This option is often used for temporary files.
FILE_OPEN_BY_FILE_ID
0x00002000
Opens a file based on the FID. If this option is set, the server MUST fail the request with STATUS_NOT_SUPPORTED in the Status field of the SMB Header in the server response.
FILE_OPEN_FOR_BACKUP_INTENT
0x00004000
The file is opened or created for the purposes of either a backup or a restore operation. Thus, the server can check to ensure that the caller is capable of overriding whatever security checks have been placed on the file to allow a backup or restore operation to occur. The server can check for access rights to the file before checking the DesiredAccess field.
FILE_NO_COMPRESSION
0x00008000
When a new file is created, the file MUST NOT be compressed, even if it is on a compressed volume. The flag MUST be ignored when opening an existing file.
FILE_RESERVE_OPFILTER
0x00100000
This option SHOULD NOT be sent by the clients, and this option MUST be ignored if received by the server.
FILE_OPEN_NO_RECALL
0x00400000
In a hierarchical storage management environment, this option requests that the file SHOULD NOT be recalled from tertiary storage such as tape. A file recall can take up to several minutes in a hierarchical storage management environment. The clients can specify this option to avoid such delays.
FILE_OPEN_FOR_FREE_SPACE_QUERY
0x00800000
This option SHOULD NOT be sent by the clients, and this option MUST be ignored if received by the server.
-
-
SecurityDescriptorLength (4 bytes): ULONG Length of the NT_Trans_Data.SecurityDescriptor field, in bytes.
-
EALength (4 bytes): ULONG Length of the NT_Trans_Data.ExtendedAttributes field, in bytes.
-
NameLength (4 bytes): ULONG Length of the Name field in characters.
-
ImpersonationLevel (4 bytes): ULONG This field specifies the impersonation level requested by the application that is issuing the create request, and MUST contain one of the following values.
-
Impersonation is described in [MS-WPO] section 8.5.1; for more information about impersonation, see [MSDN-IMPERS].
-
Name and value
Meaning
SEC_ANONYMOUS
0x00000000
The application-requested impersonation level is Anonymous.
SEC_IDENTIFY
0x00000001
The application-requested impersonation level is Identification.
SEC_IMPERSONATE
0x00000002
The application-requested impersonation level is Impersonation.
-
-
SecurityFlags (1 byte): UCHAR An 8-bit field containing a set of options that specify the security tracking mode. These options specify whether the server is to be given a snapshot of the client's security context (called static tracking) or is to be continually updated to track changes to the client's security context (called dynamic tracking). When bit 0 of the SecurityFlags field is set to 0, static tracking is requested. When bit 0 the SecurityFlags field is set to 1, dynamic tracking is requested. Unused bit fields SHOULD be set to 0 by the client when sending a request and MUST be ignored when received by the server. This field MUST be set to 0x00 or a combination of the following possible values. Value names are provided for convenience only. Supported values are:
-
Name and value
Meaning
SMB_SECURITY_CONTEXT_TRACKING
0x01
When set, dynamic tracking is requested. When this bit field is not set, static tracking is requested.
SMB_SECURITY_EFFECTIVE_ONLY
0x02
Specifies that only the enabled aspects of the client's security context are available to the server. If this flag is not specified, all aspects of the client's security context are available. This flag allows the client to limit the groups and privileges that a server can use while impersonating the client.
-
-
Name (variable): The name of the file; not null-terminated. If SMB_FLAGS2_UNICODE is set in the Flags2 field of the SMB Header of the request, this field MUST be an array of 16-bit Unicode characters. Otherwise, it MUST be an array of extended ASCII (OEM) characters. If the Name consists of Unicode characters, this field MUST be aligned to start on a 2-byte boundary from the start of the NT_Trans_Parameters.
NT_Trans_Data (variable): The NT_Trans_Data provides the Security Descriptor and Extended Attributes data, if any.
-
0
1
2
3
4
5
6
7
8
91
0
1
2
3
4
5
6
7
8
92
0
1
2
3
4
5
6
7
8
93
0
1SecurityDescriptor (variable)
...
ExtendedAttributes (variable)
...
SecurityDescriptor (variable): SECURITY_DESCRIPTOR The security descriptor to use when requesting access to the file. The self-relative form of a SECURITY_DESCRIPTOR MUST be used. See SECURITY_DESCRIPTOR ([MS-DTYP] section 2.4.6) for details. This field MUST be NT_Trans_Parameters.SecurityDescriptorLength in bytes.
ExtendedAttributes (variable): The extended attributes that SHOULD be applied to the new file MUST be in the format that is specified for FILE_FULL_EA_INFORMATION in ([MS-FSCC] section 2.4.15).<148>