SMB2: what is MsFteWds and Srvsvc files?

  • Question

  • Hi,

    1. What are the MsFteWds and Srvsvc files? In a regular capture there are a lot of "Create" messages that are responsible for creating those files.


    2. How can I ignore them?

    Thursday, November 27, 2014 2:39 PM

All replies

  • Hi Itayav17,

    Thank you for your question. A member of the Protocol Documentation support team will respond to you soon.

    Regards,
    Vilmos Foltenyi - MSFT

    Thursday, November 27, 2014 7:28 PM
  • Hello Itayav - 

    I'll be helping you with this inquiry. Both MsFteWds and Srvsvc are named pipes and are used for specific purposes. Refer to these links:

    http://msdn.microsoft.com/en-us/library/cc251785.aspx

    http://msdn.microsoft.com/en-us/library/cc247094.aspx

    Can you please provide more information as to what your exact scenario is? Are both client and server Windows? Why do you want to ignore these files?

    Regards.


    Tarun Chopra | Escalation Engineer | Open Specifications Support Team

    Thursday, November 27, 2014 7:59 PM
  • Hi Tarun,

    When a Read/Write command arrives, I know that I should prepare for the state of writing or reading.

    I might write or read wrong data if named pipe messages arrive.

    So, how can I ignore them?

    In SMB1 there was a flag in the Create command that provided information regarding the issue.

    Thanks!

    Tuesday, December 2, 2014 7:45 AM
  • Thanks Itayav17. Which flag in SMB1 are you referring to for the Create command? Can you send me a network trace of these SMB2 Creates to dochelp at Microsoft dot com?


    Tarun Chopra | Escalation Engineer | Open Specifications Support Team

    Tuesday, December 2, 2014 6:11 PM
  • Hi,

    In the create_andx (response) command, NMPipeStatus (2 bytes) refers to the named pipe.

    You can download the trace from here:

    https://www.wetransfer.com/downloads/79c1990e7254c6972fde1c72ce2046eb20141203080115/813128

    The GUID handle of pipe name is:

    00000001-0000-0000-0100-0000ffffffff

    Wednesday, December 3, 2014 8:04 AM
  • Hello -

    Thanks for the trace and information. This flag in create_response in SMB1 is used/validated at the client side, hence I assume you are implementing the client side. Is that correct?

    If yes, as these file names are reserved for named pipes, I'm not sure why in the first place your client is sending a Create for these files.

    Thanks. 


    Tarun Chopra | Escalation Engineer | Open Specifications Support Team

    Wednesday, December 3, 2014 6:17 PM
  • Hi,

    I am implementing the client and server side.

    Again, I need to know when a named pipe arrives in any scenario.

    Do you know of a solution like the NMPipeStatus (2 bytes) flag in SMB1?

    Thanks.

    Sunday, December 7, 2014 4:57 PM
  • Hello -

    I didn't find any equivalent flag in SMB2, let me research more and get back.

    Thanks.


    Tarun Chopra | Escalation Engineer | Open Specifications Support Team

    Monday, December 8, 2014 5:17 PM
  • Thanks Tarun!
    Tuesday, December 9, 2014 6:19 AM
  • Hi,

    Is there something new?

    Sunday, December 14, 2014 5:37 AM
  • I've reviewed the code and there is no equivalent flag in SMB2. We have a set number of well-defined named pipes, so if you keep a list of these and the open is from this list, then you can deduce that the operation is happening on a named pipe and not on a normal file/directory.

    Tarun Chopra | Escalation Engineer | Open Specifications Support Team


    Sunday, December 14, 2014 6:27 AM
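
The name-list check described in the reply above, as an added example that is not part of the original thread and not Microsoft's code: it reads the file name out of an SMB2 CREATE request and compares it against a list of pipe names. The list contents (beyond the two names in this thread), the function names and the `build_create` sample builder are assumptions made for the illustration.

```python
import struct

# Illustrative list (assumption): the two pipe names from this thread plus other
# commonly seen Windows RPC pipe names. It is not Microsoft's complete list.
KNOWN_PIPES = {"msftewds", "srvsvc", "wkssvc", "samr", "lsarpc", "netlogon",
               "svcctl", "winreg", "spoolss", "eventlog", "atsvc", "browser"}

SMB2_MAGIC = b"\xfeSMB"
SMB2_HEADER_LEN = 64
SMB2_CREATE = 0x0005
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001  # set on responses


def create_request_name(msg: bytes):
    """Return the file name of an SMB2 CREATE request, or None for any
    other message (responses, other commands, truncated frames)."""
    if len(msg) < SMB2_HEADER_LEN + 56 or msg[:4] != SMB2_MAGIC:
        return None
    command, = struct.unpack_from("<H", msg, 12)
    flags, = struct.unpack_from("<I", msg, 16)
    if command != SMB2_CREATE or flags & SMB2_FLAGS_SERVER_TO_REDIR:
        return None
    # NameOffset/NameLength sit 44 and 46 bytes into the CREATE body;
    # NameOffset is counted from the start of the SMB2 header.
    name_off, name_len = struct.unpack_from("<HH", msg, SMB2_HEADER_LEN + 44)
    if name_len % 2 or name_off + name_len > len(msg):
        return None
    return msg[name_off:name_off + name_len].decode("utf-16-le", "replace")


def is_known_pipe_open(msg: bytes) -> bool:
    """True when the CREATE request names an entry of KNOWN_PIPES."""
    name = create_request_name(msg)
    return name is not None and name.strip("\\").lower() in KNOWN_PIPES


def build_create(name: str) -> bytes:
    """Build a constructed, minimal CREATE request (sample input only)."""
    raw = name.encode("utf-16-le")
    header = SMB2_MAGIC + struct.pack("<HHIHHIIQIIQ16s", 64, 0, 0, SMB2_CREATE,
                                      1, 0, 0, 1, 0, 1, 1, b"")
    body = struct.pack("<HBBIQQIIIIIHHII", 57, 0, 0, 2, 0, 0, 0x0012019F, 0,
                       7, 1, 0, SMB2_HEADER_LEN + 56, len(raw), 0, 0)
    return header + body + (raw or b"\x00")
```

Matching is by name only, so a regular file on a disk share that happens to be called `srvsvc` would be classified the same way.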
  • Hi, Tarun Chopra

    I have an SMB share problem between Samba and Win7, but WinXP has no problem.
    The Wireshark result shows Win7 sends a "trans2" request and gets an error,
    but XP instead sends a "trans" request and gets no problem.

    The "trans2" response error is "unknow smb, from NT 3.5 response".
    How do I configure Win7 to use "trans" like WinXP, so the problem can be avoided?

    Samba in this scenario is a Linux hardware box which cannot be upgraded or have its config modified.

    Can you take a look at the Wireshark result in the link below?

    https://social.technet.microsoft.com/Forums/windows/en-US/118dd8b6-5cc7-4ca9-8ed3-1b11af8d70db/windows-7-cannot-access-samba-smb-share-but-win-xp-can-compare-wireshark-result?forum=w7itpronetworking

    Thanks

    Thursday, July 16, 2015 9:48 AM
  • Hi snoopz1,

    Thanks for the follow-up question, someone from the Open Specifications team will respond shortly to work with you.

    Best regards,
    Tom Jebo
    Microsoft Open Specifications

    Thursday, July 16, 2015 4:27 PM
  • Hello snoopz1

    I'll be helping you with this inquiry. Please send a network trace between XP/Samba Server and Win7/Samba Server using SMB1 protocol (not SMB2) to - dochelp at Microsoft dot com - for review.

    Thanks.


    Tarun Chopra | Escalation Engineer | Open Specifications Support Team

    Thursday, July 16, 2015 4:39 PM
  • Hi, Tarun Chopra

    I have e-mailed you the "WireShark result between XP/Samba Server and Win7/Samba Server using SMB1 protocol (not SMB2)" as a file attached to that e-mail.

    There are two Wireshark results for Win7: the first one from before disabling SMB 2.0, the second one from after disabling SMB 2.0.

    And the last file is for WinXP, which has no problem accessing the Samba share.


    https://social.technet.microsoft.com/Forums/windows/en-US/118dd8b6-5cc7-4ca9-8ed3-1b11af8d70db/windows-7-cannot-access-samba-smb-share-but-win-xp-can-compare-wireshark-result?forum=w7itpronetworking

    Below is a screenshot from when I try to access the Samba share from Win7 in this scenario.


    Best regards,

    Tum

    Friday, July 17, 2015 8:48 AM
  • Hello snoopz1

    Thanks for the artifacts. Let us continue to work through dochelp and post our findings on this thread later.

    Regards.


    Tarun Chopra | Escalation Engineer | Open Specifications Support Team

    Friday, July 17, 2015 9:41 PM
  • Hi, Tarun Chopra

    I sent you an e-mail on Saturday and again today; did you receive my e-mail?

    In Wireshark, type "smb" in the filter box and hit Enter.

    Then right-click any traffic "between 192.168.10.67 and .144",

    and select "Follow TCP stream" to trace the traffic.

    I also did some additional tests by using Win7 to access a Win2008 server SMB share,

    and found that Win7 always issues a trans2 request before the "trans" request, like a sequence.

    But XP does not issue any trans2 before the trans request. (Is this behavior different between Win7 and XP?)


    Best regards,

    Tum



    • Edited by snoopz1 Monday, July 20, 2015 11:13 PM
    Monday, July 20, 2015 11:06 PM
  • Yes Snoopz1, and I replied back with my analysis at 6:03 PM PST today. Have you received my reply?

    Tarun Chopra | Escalation Engineer | Open Specifications Support Team

    Tuesday, July 21, 2015 6:16 AM
  • The Samba server is a Linux hardware box which cannot be upgraded or have its config modified.
    Tuesday, July 21, 2015 6:28 AM
  • I just sent you the *.cab and Wireshark result through e-mail.
    Tuesday, July 21, 2015 6:50 AM
  • Hello Snoopz1 -

    I've received your files and will update this thread after analysis.

    As we are having trouble interacting offline, let us continue to interact through this forum thread from now onwards.

    Thanks


    Tarun Chopra | Escalation Engineer | Open Specifications Support Team

    Tuesday, July 21, 2015 4:29 PM
  • Closing Notes –

    We worked with snoopz1 offline and verified that there is no way to trigger Win7 to stop sending the TRANS2 command in this particular case, for the following reasons:

    1. The server advertised 'NT LM 0.12' as the highest supported dialect, and per documentation this dialect has to support TRANS2 commands.

    2. There is no capability exchange built into the protocol to opt out of the TRANS2 command.

    3. There is no way to modify server behavior as it's Linux hardware; hence, we can't demote the dialect.


    Tarun Chopra | Escalation Engineer | Open Specifications Support Team

    Tuesday, January 5, 2016 10:03 PM