Last updated on February 11, 2014
Today I had to troubleshoot how some files/folders on a share are ending up hidden, so this took some digging into SMB and display filters in Microsoft Network Monitor. Since this wasn’t particularly easy to find I wanted to share it here. This is the filter for displaying when a file or folder is having its hidden attribute set (check box via Properties in Explorer or via attrib +h) over SMB:
SMB.CTransaction2.FileBasicDataBlock.Attributes.Hidden == 0x1
This can be combined with a search through the Description to find specific file or folder names. For example:
SMB.CTransaction2.FileBasicDataBlock.Attributes.Hidden == 0x1
AND
Contains(Property.Description, “handle.exe”)
For SMB2 the filter string is as follows:
SMB2.CSetInfo.FileInfo.FileBasicInformation.FileAttributes.FSSCFileAttribute.Hidden == 0x1
Unfortunately, with SMB2 the file/path info will not be included in the frame shown by the aforementioned filter. This can be identified by looking up the session ID (SMB2.SMB2Header.SessionId == NNNN) and filtering on that, looking at either the CREATE or CLOSE operations near the beginning and end of each session. So, I also capture the CREATE operations for the path I’m looking for, then manually correlate them (with a bit of filtering) after observing the issue. This results in the SMB2 portion of the filter looking something like this once combined with the related SMB filter:
( SMB.CTransaction2.FileBasicDataBlock.Attributes == 0x1
AND
Contains(Property.Description, “file_of_interest.txt”)
)
OR
SMB2.CSetInfo.FileInfo.FileBasicInformation.FileAttributes.FSCCFileAttribute.Hidden == 0x1
OR
( SMB2.SMB2Header.Command == 0x5
AND
Contains(SMB2.CCreate.Name, “file_of_interest.txt”)
)
Thanks Steve.