{"id":17780,"date":"2014-02-07T11:31:38","date_gmt":"2014-02-07T16:31:38","guid":{"rendered":"https:\/\/nuxx.net\/blog\/?p=17780"},"modified":"2014-02-11T12:40:59","modified_gmt":"2014-02-11T17:40:59","slug":"microsoft-network-monitor-filter-for-hidden-attribute","status":"publish","type":"post","link":"https:\/\/nuxx.net\/blog\/2014\/02\/07\/microsoft-network-monitor-filter-for-hidden-attribute\/","title":{"rendered":"Microsoft Network Monitor Filter for Hidden Attribute"},"content":{"rendered":"<p><a href=\"https:\/\/nuxx.net\/gallery\/v\/computers\/screenshots\/microsoft_network_monitor_hidden_attribute_filter_2014-Feb-07.png.html?g2_imageViewsIndex=2\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" title=\"Microsoft Network Monitor capture filter to show the Hidden attribute being set remotely via SMB.\" alt=\"\" src=\"https:\/\/nuxx.net\/gallery\/d\/105699-2\/microsoft_network_monitor_hidden_attribute_filter_2014-Feb-07.png\" width=\"640\" height=\"205\" \/><\/a><\/p>\n<p>Today I had to troubleshoot how some files\/folders on a share are ending up hidden, so this took some digging into <a href=\"https:\/\/en.wikipedia.org\/wiki\/Server_Message_Block\">SMB<\/a> and display filters in <a href=\"https:\/\/en.wikipedia.org\/wiki\/Microsoft_Network_Monitor\">Microsoft Network Monitor<\/a>. Since this wasn&#8217;t particularly easy to find I wanted to share it here. This is the filter for displaying when a file or folder is having its hidden attribute set (check box via <em>Properties<\/em> in <em>Explorer<\/em> or via <span style=\"font-family: 'courier new', courier;\">attrib +h<\/span>) over SMB:<\/p>\n<p style=\"padding-left: 30px;\"><span style=\"font-family: 'courier new', courier;\">SMB.CTransaction2.FileBasicDataBlock.Attributes.Hidden == 0x1<\/span><\/p>\n<p>This can be combined with a search through the <em>Description<\/em> to find specific file or folder names. 
For example:<\/p>\n<p style=\"padding-left: 30px;\"><span style=\"font-family: 'courier new', courier;\">SMB.CTransaction2.FileBasicDataBlock.Attributes.Hidden == 0x1<\/span><br \/>\n<span style=\"font-family: 'courier new', courier;\">AND<\/span><br \/>\n<span style=\"font-family: 'courier new', courier;\">Contains(Property.Description, &#8220;handle.exe&#8221;)<\/span><\/p>\n<p>For SMB2 the filter string is as follows:<\/p>\n<p style=\"padding-left: 30px;\"><span style=\"font-family: 'courier new', courier;\">SMB2.CSetInfo.FileInfo.FileBasicInformation.FileAttributes.FSCCFileAttribute.Hidden == 0x1<\/span><\/p>\n<p>Unfortunately, with SMB2 the file\/path info will not be included in the frame shown by the aforementioned filter. The file can be identified by looking up the session ID (<span style=\"font-family: 'courier new', courier;\">SMB2.SMB2Header.SessionId == NNNN<\/span>) and filtering on that, looking at either the <span style=\"font-family: 'courier new', courier;\">CREATE<\/span> or <span style=\"font-family: 'courier new', courier;\">CLOSE<\/span> operations near the beginning and end of each session. So, I also capture the <span style=\"font-family: 'courier new', courier;\">CREATE<\/span> operations for the path I&#8217;m looking for, then manually correlate them (with a bit of filtering) after observing the issue. 
This results in the SMB2 portion of the filter looking something like this once combined with the related SMB filter:<\/p>\n<p style=\"padding-left: 30px;\"><span style=\"font-family: 'courier new', courier;\">( SMB.CTransaction2.FileBasicDataBlock.Attributes.Hidden == 0x1<\/span><br \/>\n<span style=\"font-family: 'courier new', courier;\">\u00a0 AND<\/span><br \/>\n<span style=\"font-family: 'courier new', courier;\">\u00a0 Contains(Property.Description, &#8220;file_of_interest.txt&#8221;)<\/span><br \/>\n<span style=\"font-family: 'courier new', courier;\">)<\/span><br \/>\n<span style=\"font-family: 'courier new', courier;\">OR<\/span><br \/>\n<span style=\"font-family: 'courier new', courier;\">SMB2.CSetInfo.FileInfo.FileBasicInformation.FileAttributes.FSCCFileAttribute.Hidden == 0x1<\/span><br \/>\n<span style=\"font-family: 'courier new', courier;\">OR<\/span><br \/>\n<span style=\"font-family: 'courier new', courier;\">( SMB2.SMB2Header.Command == 0x5<\/span><br \/>\n<span style=\"font-family: 'courier new', courier;\">\u00a0 AND<\/span><br \/>\n<span style=\"font-family: 'courier new', courier;\">\u00a0 Contains(SMB2.CCreate.Name, &#8220;file_of_interest.txt&#8221;)<\/span><br \/>\n<span style=\"font-family: 'courier new', courier;\">)<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Today I had to troubleshoot how some files\/folders on a share are ending up hidden, so this took some digging into SMB and display filters&#8230;<\/p>\n<div class=\"more-link-wrapper\"><a class=\"more-link\" href=\"https:\/\/nuxx.net\/blog\/2014\/02\/07\/microsoft-network-monitor-filter-for-hidden-attribute\/\">Continue reading<span class=\"screen-reader-text\">Microsoft Network Monitor Filter for Hidden 
Attribute<\/span><\/a><\/div>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13],"tags":[],"class_list":["post-17780","post","type-post","status-publish","format-standard","hentry","category-computers","entry"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts\/17780","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/comments?post=17780"}],"version-history":[{"count":8,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts\/17780\/revisions"}],"predecessor-version":[{"id":17796,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts\/17780\/revisions\/17796"}],"wp:attachment":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/media?parent=17780"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/categories?post=17780"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/tags?post=17780"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}