[2013/01/14 15:31:45.007400, 6] param/loadparm.c:7490(lp_file_list_changed)
  lp_file_list_changed()
  file /etc/samba/smb.conf -> /etc/samba/smb.conf last mod_time: Mon Jan 14 15:30:48 2013
[2013/01/14 15:31:45.007594, 5] smbd/reply.c:614(reply_special)
  init msg_type=0x81 msg_flags=0x0
[2013/01/14 15:31:45.008178, 10] lib/util_sock.c:519(read_smb_length_return_keepalive)
  got smb length of 170
[2013/01/14 15:31:45.008262, 6] smbd/process.c:1660(process_smb)
  got message type 0x0 of len 0xaa
[2013/01/14 15:31:45.008324, 3] smbd/process.c:1662(process_smb)
  Transaction 0 of length 174 (0 toread)
[2013/01/14 15:31:45.008386, 5] lib/util.c:332(show_msg)
[2013/01/14 15:31:45.008424, 5] lib/util.c:342(show_msg)
  size=170
  smb_com=0x72
  smb_rcls=0
  smb_reh=0
  smb_err=0
  smb_flg=24
  smb_flg2=3
  smb_tid=0
  smb_pid=51966
  smb_uid=0
  smb_mid=0
  smt_wct=0
  smb_bcc=135
[2013/01/14 15:31:45.008775, 10] ../lib/util/util.c:415(dump_data)
  [0000] 02 50 43 20 4E 45 54 57 4F 52 4B 20 50 52 4F 47 .PC NETW ORK PROG
  [0010] 52 41 4D 20 31 2E 30 00 02 58 45 4E 49 58 20 43 RAM 1.0. .XENIX C
  [0020] 4F 52 45 00 02 4D 49 43 52 4F 53 4F 46 54 20 4E ORE..MIC ROSOFT N
  [0030] 45 54 57 4F 52 4B 53 20 31 2E 30 33 00 02 4C 41 ETWORKS 1.03..LA
  [0040] 4E 4D 41 4E 31 2E 30 00 02 57 69 6E 64 6F 77 73 NMAN1.0. .Windows
  [0050] 20 66 6F 72 20 57 6F 72 6B 67 72 6F 75 70 73 20 for Wor kgroups
  [0060] 33 2E 31 61 00 02 4C 4D 31 2E 32 58 30 30 32 00 3.1a..LM 1.2X002.
  [0070] 02 4C 41 4E 4D 41 4E 32 2E 31 00 02 4E 54 20 4C .LANMAN2 .1..NT L
  [0080] 4D 20 30 2E 31 32 00 M 0.12.
[2013/01/14 15:31:45.009420, 3] smbd/process.c:1467(switch_message)
  switch message SMBnegprot (pid 28678) conn 0x0
[2013/01/14 15:31:45.009488, 4] smbd/sec_ctx.c:314(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2013/01/14 15:31:45.009556, 5] ../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2013/01/14 15:31:45.009621, 5] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2013/01/14 15:31:45.009736, 5] smbd/uid.c:400(change_to_root_user)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2013/01/14 15:31:45.010275, 3] smbd/negprot.c:598(reply_negprot)
  Requested protocol [PC NETWORK PROGRAM 1.0]
[2013/01/14 15:31:45.010370, 3] smbd/negprot.c:598(reply_negprot)
  Requested protocol [XENIX CORE]
[2013/01/14 15:31:45.010435, 3] smbd/negprot.c:598(reply_negprot)
  Requested protocol [MICROSOFT NETWORKS 1.03]
[2013/01/14 15:31:45.010499, 3] smbd/negprot.c:598(reply_negprot)
  Requested protocol [LANMAN1.0]
[2013/01/14 15:31:45.010564, 3] smbd/negprot.c:598(reply_negprot)
  Requested protocol [Windows for Workgroups 3.1a]
[2013/01/14 15:31:45.010628, 3] smbd/negprot.c:598(reply_negprot)
  Requested protocol [LM1.2X002]
[2013/01/14 15:31:45.010692, 3] smbd/negprot.c:598(reply_negprot)
  Requested protocol [LANMAN2.1]
[2013/01/14 15:31:45.010756, 3] smbd/negprot.c:598(reply_negprot)
  Requested protocol [NT LM 0.12]
[2013/01/14 15:31:45.010824, 10] lib/util.c:1624(set_remote_arch)
  set_remote_arch: Client arch is 'WinNT'
[2013/01/14 15:31:45.010922, 6] param/loadparm.c:7490(lp_file_list_changed)
  lp_file_list_changed()
  file /etc/samba/smb.conf -> /etc/samba/smb.conf last mod_time: Mon Jan 14 15:30:48 2013
[2013/01/14 15:31:45.011067, 10] lib/dbwrap_tdb.c:102(db_tdb_fetch_locked)
  Locking key 06700000FFFFFFFF
[2013/01/14 15:31:45.011154, 10] lib/dbwrap_tdb.c:131(db_tdb_fetch_locked)
  Allocated locked data 0x0xb8d29860
[2013/01/14 15:31:45.011225, 10] lib/dbwrap_tdb.c:44(db_tdb_record_destr)
  Unlocking key 06700000FFFFFFFF
[2013/01/14 15:31:45.011323, 6] param/loadparm.c:7490(lp_file_list_changed)
  lp_file_list_changed()
  file /etc/samba/smb.conf -> /etc/samba/smb.conf last mod_time: Mon Jan 14 15:30:48 2013
[2013/01/14 15:31:45.011472, 10] smbd/negprot.c:44(get_challenge)
  get challenge: creating negprot_global_auth_context
[2013/01/14 15:31:45.011537, 5] auth/auth.c:475(make_auth_context_subsystem)
  Making default auth method list for security=domain
[2013/01/14 15:31:45.011680, 5] auth/auth.c:48(smb_register_auth)
  Attempting to register auth backend sam
[2013/01/14 15:31:45.011744, 5] auth/auth.c:60(smb_register_auth)
  Successfully added auth method 'sam'
[2013/01/14 15:31:45.011805, 5] auth/auth.c:48(smb_register_auth)
  Attempting to register auth backend sam_ignoredomain
[2013/01/14 15:31:45.011867, 5] auth/auth.c:60(smb_register_auth)
  Successfully added auth method 'sam_ignoredomain'
[2013/01/14 15:31:45.011931, 5] auth/auth.c:48(smb_register_auth)
  Attempting to register auth backend unix
[2013/01/14 15:31:45.011993, 5] auth/auth.c:60(smb_register_auth)
  Successfully added auth method 'unix'
[2013/01/14 15:31:45.012055, 5] auth/auth.c:48(smb_register_auth)
  Attempting to register auth backend winbind
[2013/01/14 15:31:45.012117, 5] auth/auth.c:60(smb_register_auth)
  Successfully added auth method 'winbind'
[2013/01/14 15:31:45.012181, 5] auth/auth.c:48(smb_register_auth)
  Attempting to register auth backend wbc
[2013/01/14 15:31:45.012243, 5] auth/auth.c:60(smb_register_auth)
  Successfully added auth method 'wbc'
[2013/01/14 15:31:45.012307, 5] auth/auth.c:48(smb_register_auth)
  Attempting to register auth backend smbserver
[2013/01/14 15:31:45.012369, 5] auth/auth.c:60(smb_register_auth)
  Successfully added auth method 'smbserver'
[2013/01/14 15:31:45.012432, 5] auth/auth.c:48(smb_register_auth)
  Attempting to register auth backend trustdomain
[2013/01/14 15:31:45.012495, 5] auth/auth.c:60(smb_register_auth)
  Successfully added auth method 'trustdomain'
[2013/01/14 15:31:45.012556, 5] auth/auth.c:48(smb_register_auth)
  Attempting to register auth backend ntdomain
[2013/01/14 15:31:45.012619, 5] auth/auth.c:60(smb_register_auth)
  Successfully added auth method 'ntdomain'
[2013/01/14 15:31:45.012680, 5] auth/auth.c:48(smb_register_auth)
  Attempting to register auth backend guest
[2013/01/14 15:31:45.012743, 5] auth/auth.c:60(smb_register_auth)
  Successfully added auth method 'guest'
[2013/01/14 15:31:45.012804, 5] auth/auth.c:385(load_auth_module)
  load_auth_module: Attempting to find an auth method to match guest
[2013/01/14 15:31:45.012867, 5] auth/auth.c:410(load_auth_module)
  load_auth_module: auth method guest has a valid init
[2013/01/14 15:31:45.012929, 5] auth/auth.c:385(load_auth_module)
  load_auth_module: Attempting to find an auth method to match sam
[2013/01/14 15:31:45.012992, 5] auth/auth.c:410(load_auth_module)
  load_auth_module: auth method sam has a valid init
[2013/01/14 15:31:45.013054, 5] auth/auth.c:385(load_auth_module)
  load_auth_module: Attempting to find an auth method to match winbind:ntdomain
[2013/01/14 15:31:45.013119, 5] auth/auth.c:385(load_auth_module)
  load_auth_module: Attempting to find an auth method to match ntdomain
[2013/01/14 15:31:45.013182, 5] auth/auth.c:410(load_auth_module)
  load_auth_module: auth method ntdomain has a valid init
[2013/01/14 15:31:45.013243, 5] auth/auth.c:410(load_auth_module)
  load_auth_module: auth method winbind has a valid init
[2013/01/14 15:31:45.013305, 10] smbd/negprot.c:52(get_challenge)
  get challenge: getting challenge
[2013/01/14 15:31:45.013368, 5] auth/auth.c:99(get_ntlm_challenge)
  auth_get_challenge: module guest did not want to specify a challenge
[2013/01/14 15:31:45.013431, 5] auth/auth.c:99(get_ntlm_challenge)
  auth_get_challenge: module sam did not want to specify a challenge
[2013/01/14 15:31:45.013493, 5] auth/auth.c:99(get_ntlm_challenge)
  auth_get_challenge: module winbind did not want to specify a challenge
[2013/01/14 15:31:45.013583, 5] auth/auth.c:134(get_ntlm_challenge)
  auth_context challenge created by random
[2013/01/14 15:31:45.013644, 5] auth/auth.c:135(get_ntlm_challenge)
  challenge is:
[2013/01/14 15:31:45.013707, 5] ../lib/util/util.c:415(dump_data)
  [0000] 64 4C F2 4A F4 EC 1F D9 dL.J....
[2013/01/14 15:31:45.013816, 3] smbd/negprot.c:401(reply_nt1)
  not using SPNEGO
[2013/01/14 15:31:45.013907, 3] smbd/negprot.c:704(reply_negprot)
  Selected protocol NT LM 0.12
[2013/01/14 15:31:45.013969, 5] smbd/negprot.c:711(reply_negprot)
  negprot index=7
[2013/01/14 15:31:45.014031, 5] lib/util.c:332(show_msg)
[2013/01/14 15:31:45.014067, 5] lib/util.c:342(show_msg)
  size=95
  smb_com=0x72
  smb_rcls=0
  smb_reh=0
  smb_err=0
  smb_flg=136
  smb_flg2=16387
  smb_tid=0
  smb_pid=51966
  smb_uid=0
  smb_mid=0
  smt_wct=17
  smb_vwv[ 0]= 7 (0x7)
  smb_vwv[ 1]=12803 (0x3203)
  smb_vwv[ 2]= 256 (0x100)
  smb_vwv[ 3]= 1024 (0x400)
  smb_vwv[ 4]= 65 (0x41)
  smb_vwv[ 5]= 0 (0x0)
  smb_vwv[ 6]= 256 (0x100)
  smb_vwv[ 7]= 1536 (0x600)
  smb_vwv[ 8]= 112 (0x70)
  smb_vwv[ 9]=64768 (0xFD00)
  smb_vwv[10]= 227 (0xE3)
  smb_vwv[11]=16640 (0x4100)
  smb_vwv[12]=23694 (0x5C8E)
  smb_vwv[13]=38443 (0x962B)
  smb_vwv[14]=52722 (0xCDF2)
  smb_vwv[15]=11265 (0x2C01)
  smb_vwv[16]= 2049 (0x801)
  smb_bcc=26
[2013/01/14 15:31:45.014882, 10] ../lib/util/util.c:415(dump_data)
  [0000] 64 4C F2 4A F4 EC 1F D9 57 00 41 00 52 00 47 00 dL.J.... W.A.R.G.
  [0010] 41 00 4D 00 45 00 53 00 00 00 A.M.E.S. ..
[2013/01/14 15:31:45.016713, 10] lib/util_sock.c:519(read_smb_length_return_keepalive)
  got smb length of 180
[2013/01/14 15:31:45.016792, 6] smbd/process.c:1660(process_smb)
  got message type 0x0 of len 0xb4
[2013/01/14 15:31:45.016854, 3] smbd/process.c:1662(process_smb)
  Transaction 1 of length 184 (0 toread)
[2013/01/14 15:31:45.016917, 5] lib/util.c:332(show_msg)
[2013/01/14 15:31:45.016952, 5] lib/util.c:342(show_msg)
  size=180
  smb_com=0x73
  smb_rcls=0
  smb_reh=0
  smb_err=0
  smb_flg=24
  smb_flg2=32771
  smb_tid=0
  smb_pid=51966
  smb_uid=0
  smb_mid=0
  smt_wct=13
  smb_vwv[ 0]= 117 (0x75)
  smb_vwv[ 1]= 132 (0x84)
  smb_vwv[ 2]=16644 (0x4104)
  smb_vwv[ 3]= 50 (0x32)
  smb_vwv[ 4]= 0 (0x0)
  smb_vwv[ 5]=28678 (0x7006)
  smb_vwv[ 6]= 0 (0x0)
  smb_vwv[ 7]= 1 (0x1)
  smb_vwv[ 8]= 0 (0x0)
  smb_vwv[ 9]= 0 (0x0)
  smb_vwv[10]= 0 (0x0)
  smb_vwv[11]= 212 (0xD4)
  smb_vwv[12]= 0 (0x0)
  smb_bcc=71
[2013/01/14 15:31:45.017656, 10] ../lib/util/util.c:415(dump_data)
  [0000] 00 00 00 00 00 57 00 69 00 6E 00 64 00 6F 00 77 .....W.i .n.d.o.w
  [0010] 00 73 00 20 00 4E 00 54 00 20 00 31 00 33 00 38 .s. .N.T . .1.3.8
  [0020] 00 31 00 00 00 00 00 57 00 69 00 6E 00 64 00 6F .1.....W .i.n.d.o
  [0030] 00 77 00 73 00 20 00 4E 00 54 00 20 00 34 00 2E .w.s. .N .T. .4..
  [0040] 00 30 00 00 00 00 00 .0.....
[2013/01/14 15:31:45.018045, 3] smbd/process.c:1467(switch_message)
  switch message SMBsesssetupX (pid 28678) conn 0x0
[2013/01/14 15:31:45.018110, 4] smbd/sec_ctx.c:314(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2013/01/14 15:31:45.018173, 5] ../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2013/01/14 15:31:45.018234, 5] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2013/01/14 15:31:45.018339, 5] smbd/uid.c:400(change_to_root_user)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2013/01/14 15:31:45.018408, 3] smbd/sesssetup.c:1333(reply_sesssetup_and_X)
  wct=13 flg2=0x8003
[2013/01/14 15:31:45.018495, 3] smbd/sesssetup.c:1536(reply_sesssetup_and_X)
  Domain=[] NativeOS=[Windows NT 1381] NativeLanMan=[] PrimaryDomain=[Windows NT 4.0]
[2013/01/14 15:31:45.018560, 2] smbd/sesssetup.c:1279(setup_new_vc_session)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2013/01/14 15:31:45.018623, 3] smbd/sesssetup.c:1552(reply_sesssetup_and_X)
  sesssetupX:name=[]\[]@[proserver]
[2013/01/14 15:31:45.018724, 6] param/loadparm.c:7490(lp_file_list_changed)
  lp_file_list_changed()
  file /etc/samba/smb.conf -> /etc/samba/smb.conf last mod_time: Mon Jan 14 15:30:48 2013
[2013/01/14 15:31:45.018855, 3] smbd/sesssetup.c:151(check_guest_password)
  Got anonymous request
[2013/01/14 15:31:45.018917, 5] auth/auth.c:475(make_auth_context_subsystem)
  Making default auth method list for security=domain
[2013/01/14 15:31:45.019026, 5] auth/auth.c:385(load_auth_module)
  load_auth_module: Attempting to find an auth method to match guest
[2013/01/14 15:31:45.019089, 5] auth/auth.c:410(load_auth_module)
  load_auth_module: auth method guest has a valid init
[2013/01/14 15:31:45.019151, 5] auth/auth.c:385(load_auth_module)
  load_auth_module: Attempting to find an auth method to match sam
[2013/01/14 15:31:45.019214, 5] auth/auth.c:410(load_auth_module)
  load_auth_module: auth method sam has a valid init
[2013/01/14 15:31:45.019276, 5] auth/auth.c:385(load_auth_module)
  load_auth_module: Attempting to find an auth method to match winbind:ntdomain
[2013/01/14 15:31:45.019340, 5] auth/auth.c:385(load_auth_module)
  load_auth_module: Attempting to find an auth method to match ntdomain
[2013/01/14 15:31:45.019403, 5] auth/auth.c:410(load_auth_module)
  load_auth_module: auth method ntdomain has a valid init
[2013/01/14 15:31:45.019464, 5] auth/auth.c:410(load_auth_module)
  load_auth_module: auth method winbind has a valid init
[2013/01/14 15:31:45.019530, 5] auth/user_info.c:59(make_user_info)
  attempting to make a user_info for ()
[2013/01/14 15:31:45.019595, 5] auth/user_info.c:70(make_user_info)
  making strings for 's user_info struct
[2013/01/14 15:31:45.019658, 5] auth/user_info.c:87(make_user_info)
  making blobs for 's user_info struct
[2013/01/14 15:31:45.019720, 10] auth/user_info.c:123(make_user_info)
  made a user_info for ()
[2013/01/14 15:31:45.019782, 3] auth/auth.c:219(check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user []\[]@[] with the new password interface
[2013/01/14 15:31:45.019844, 3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password: mapped user is: []\[]@[]
[2013/01/14 15:31:45.019906, 10] auth/auth.c:231(check_ntlm_password)
  check_ntlm_password: auth_context challenge created by fixed
[2013/01/14 15:31:45.019967, 10] auth/auth.c:233(check_ntlm_password)
  challenge is:
[2013/01/14 15:31:45.020027, 5] ../lib/util/util.c:415(dump_data)
  [0000] 00 00 00 00 00 00 00 00 ........
[2013/01/14 15:31:45.020132, 10] auth/auth_builtin.c:44(check_guest_security)
  Check auth for: []
[2013/01/14 15:31:45.020220, 3] auth/auth.c:268(check_ntlm_password)
  check_ntlm_password: guest authentication for user [] succeeded
[2013/01/14 15:31:45.020283, 5] auth/auth.c:309(check_ntlm_password)
  check_ntlm_password: guest authentication for user [] -> [] -> [nobody] succeeded
[2013/01/14 15:31:45.020365, 10] smbd/password.c:199(register_initial_vuid)
  register_initial_vuid: allocated vuid = 100
[2013/01/14 15:31:45.020433, 10] smbd/password.c:293(register_existing_vuid)
  register_existing_vuid: (65534,65534) nobody nobody HAWKING guest=1
[2013/01/14 15:31:45.020497, 3] smbd/password.c:298(register_existing_vuid)
  register_existing_vuid: User name: nobody Real name:
[2013/01/14 15:31:45.020559, 3] smbd/password.c:308(register_existing_vuid)
  register_existing_vuid: UNIX uid 65534 is UNIX user nobody, and will be vuid 100
[2013/01/14 15:31:45.020651, 6] param/loadparm.c:7490(lp_file_list_changed)
  lp_file_list_changed()
  file /etc/samba/smb.conf -> /etc/samba/smb.conf last mod_time: Mon Jan 14 15:30:48 2013
[2013/01/14 15:31:45.020779, 3] smbd/process.c:1467(switch_message)
  switch message SMBtconX (pid 28678) conn 0x0
[2013/01/14 15:31:45.020845, 4] smbd/sec_ctx.c:314(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2013/01/14 15:31:45.020907, 5] ../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2013/01/14 15:31:45.020967, 5] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2013/01/14 15:31:45.021063, 5] smbd/uid.c:400(change_to_root_user)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2013/01/14 15:31:45.021134, 4] smbd/reply.c:794(reply_tcon_and_X)
  Client requested device type [?????] for share [IPC$]
[2013/01/14 15:31:45.021256, 5] smbd/service.c:1354(make_connection)
  making a connection to 'normal' service ipc$
[2013/01/14 15:31:45.021335, 3] lib/access.c:338(allow_access)
  Allowed connection from 192.168.7.2 (192.168.7.2)
[2013/01/14 15:31:45.021421, 5] lib/username.c:171(Get_Pwnam_alloc)
  Finding user nobody
[2013/01/14 15:31:45.021483, 5] lib/username.c:116(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is nobody
[2013/01/14 15:31:45.021555, 5] lib/username.c:149(Get_Pwnam_internals)
  Get_Pwnam_internals did find user [nobody]!
[2013/01/14 15:31:45.021635, 10] smbd/service.c:162(set_conn_connectpath)
  set_conn_connectpath: service IPC$, connectpath = /tmp
[2013/01/14 15:31:45.021702, 3] smbd/service.c:872(make_connection_snum)
  Connect path is '/tmp' for service [IPC$]
[2013/01/14 15:31:45.021805, 10] ../libcli/security/access_check.c:58(se_map_generic)
  se_map_generic(): mapped mask 0x10000000 to 0x001f01ff
[2013/01/14 15:31:45.021895, 10] ../libcli/security/access_check.c:178(se_access_check)
  se_access_check: MAX desired = 0x2000000, granted = 0x101f01ff, remaining = 0x101f01ff
[2013/01/14 15:31:45.021970, 3] smbd/vfs.c:102(vfs_init_default)
  Initialising default vfs hooks
[2013/01/14 15:31:45.022037, 10] smbd/vfs.c:53(vfs_find_backend_entry)
  vfs_find_backend_entry called for /[Default VFS]/
[2013/01/14 15:31:45.022100, 5] smbd/vfs.c:92(smb_register_vfs)
  Successfully added vfs backend '/[Default VFS]/'
[2013/01/14 15:31:45.022166, 10] smbd/vfs.c:53(vfs_find_backend_entry)
  vfs_find_backend_entry called for posixacl
[2013/01/14 15:31:45.022229, 5] smbd/vfs.c:92(smb_register_vfs)
  Successfully added vfs backend 'posixacl'
[2013/01/14 15:31:45.022290, 3] smbd/vfs.c:128(vfs_init_custom)
  Initialising custom vfs hooks from [/[Default VFS]/]
[2013/01/14 15:31:45.022354, 10] smbd/vfs.c:53(vfs_find_backend_entry)
  vfs_find_backend_entry called for /[Default VFS]/
  Successfully loaded vfs module [/[Default VFS]/] with the new modules system
[2013/01/14 15:31:45.022449, 5] smbd/connection.c:134(claim_connection)
  claiming [IPC$]
[2013/01/14 15:31:45.022674, 10] lib/dbwrap_tdb.c:102(db_tdb_fetch_locked)
  Locking key 06700000FFFFFFFFB069
[2013/01/14 15:31:45.022751, 10] lib/dbwrap_tdb.c:131(db_tdb_fetch_locked)
  Allocated locked data 0x0xb8d2a0a0
[2013/01/14 15:31:45.022890, 10] lib/dbwrap_tdb.c:44(db_tdb_record_destr)
  Unlocking key 06700000FFFFFFFFB069
[2013/01/14 15:31:45.023174, 10] smbd/service.c:162(set_conn_connectpath)
  set_conn_connectpath: service IPC$, connectpath = /tmp
[2013/01/14 15:31:45.023256, 10] smbd/share_access.c:241(user_ok_token)
  user_ok_token: share IPC$ is ok for unix user nobody
[2013/01/14 15:31:45.023323, 10] smbd/share_access.c:286(is_share_read_only_for_token)
  is_share_read_only_for_user: share IPC$ is read-only for unix user nobody
[2013/01/14 15:31:45.023404, 10] ../libcli/security/access_check.c:58(se_map_generic)
  se_map_generic(): mapped mask 0x10000000 to 0x001f01ff
[2013/01/14 15:31:45.023489, 4] smbd/sec_ctx.c:314(set_sec_ctx)
  setting sec ctx (65534, 65534) - sec_ctx_stack_ndx = 0
[2013/01/14 15:31:45.023557, 5] ../libcli/security/security_token.c:63(security_token_debug)
  Security token SIDs (8):
    SID[ 0]: S-1-22-1-65534
    SID[ 1]: S-1-22-2-65534
    SID[ 2]: S-1-1-0
    SID[ 3]: S-1-5-2
    SID[ 4]: S-1-5-32-546
    SID[ 5]: S-1-22-2-300002
    SID[ 6]: S-1-22-2-300003
    SID[ 7]: S-1-22-2-300170
  Privileges (0x 0):
  Rights (0x 0):
[2013/01/14 15:31:45.023923, 5] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 65534
  Primary group is 65534 and contains 4 supplementary groups
  Group[ 0]: 65534
  Group[ 1]: 300002
  Group[ 2]: 300003
  Group[ 3]: 300170
[2013/01/14 15:31:45.024136, 5] smbd/uid.c:317(change_to_user_internal)
  Impersonated user: uid=(0,65534), gid=(0,65534)
[2013/01/14 15:31:45.024205, 4] smbd/sec_ctx.c:314(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2013/01/14 15:31:45.024267, 5] ../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2013/01/14 15:31:45.024370, 5] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2013/01/14 15:31:45.024468, 5] smbd/uid.c:400(change_to_root_user)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2013/01/14 15:31:45.024541, 10] smbd/service.c:162(set_conn_connectpath)
  set_conn_connectpath: service IPC$, connectpath = /tmp
[2013/01/14 15:31:45.024626, 3] smbd/service.c:1114(make_connection_snum)
  proserver (192.168.7.2) connect to service IPC$ initially as user nobody (uid=65534, gid=65534) (pid 28678)
[2013/01/14 15:31:45.024710, 3] smbd/reply.c:871(reply_tcon_and_X)
  tconX service=IPC$
[2013/01/14 15:31:45.025548, 10] lib/util_sock.c:519(read_smb_length_return_keepalive)
  got smb length of 222
[2013/01/14 15:31:45.025623, 6] smbd/process.c:1660(process_smb)
  got message type 0x0 of len 0xde
[2013/01/14 15:31:45.025686, 3] smbd/process.c:1662(process_smb)
  Transaction 2 of length 226 (0 toread)
[2013/01/14 15:31:45.025749, 5] lib/util.c:332(show_msg)
[2013/01/14 15:31:45.025785, 5] lib/util.c:342(show_msg)
  size=222
  smb_com=0x73
  smb_rcls=0
  smb_reh=0
  smb_err=0
  smb_flg=24
  smb_flg2=32771
  smb_tid=0
  smb_pid=51966
  smb_uid=0
  smb_mid=64
  smt_wct=13
  smb_vwv[ 0]= 255 (0xFF)
  smb_vwv[ 1]= 222 (0xDE)
  smb_vwv[ 2]=16644 (0x4104)
  smb_vwv[ 3]= 50 (0x32)
  smb_vwv[ 4]= 1 (0x1)
  smb_vwv[ 5]=28678 (0x7006)
  smb_vwv[ 6]= 0 (0x0)
  smb_vwv[ 7]= 24 (0x18)
  smb_vwv[ 8]= 24 (0x18)
  smb_vwv[ 9]= 0 (0x0)
  smb_vwv[10]= 0 (0x0)
  smb_vwv[11]= 212 (0xD4)
  smb_vwv[12]= 0 (0x0)
  smb_bcc=161
[2013/01/14 15:31:45.026525, 10] ../lib/util/util.c:415(dump_data)
  [0000] 81 6B CA B2 AC 6B F0 F1 E5 AA 08 22 E0 C7 A0 53 .k...k.. ..."...S
  [0010] D9 11 C3 1C 70 8F A4 EE B4 58 8E 3D 7C C8 2D 2B ....p... .X.=|.-+
  [0020] 7C 53 6B DD 66 20 3E EF BB 8A 1E 13 0B 48 EC 08 |Sk.f >. .....H..
  [0030] 00 61 00 64 00 6D 00 69 00 6E 00 69 00 73 00 74 .a.d.m.i .n.i.s.t
  [0040] 00 72 00 61 00 74 00 6F 00 72 00 00 00 57 00 41 .r.a.t.o .r...W.A
  [0050] 00 52 00 47 00 41 00 4D 00 45 00 53 00 00 00 57 .R.G.A.M .E.S...W
  [0060] 00 69 00 6E 00 64 00 6F 00 77 00 73 00 20 00 4E .i.n.d.o .w.s. .N
  [0070] 00 54 00 20 00 31 00 33 00 38 00 31 00 00 00 00 .T. .1.3 .8.1....
  [0080] 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 20 .W.i.n.d .o.w.s.
  [0090] 00 4E 00 54 00 20 00 34 00 2E 00 30 00 00 00 00 .N.T. .4 ...0....
  [00A0] 00 .
[2013/01/14 15:31:45.027298, 3] smbd/process.c:1467(switch_message)
  switch message SMBsesssetupX (pid 28678) conn 0x0
[2013/01/14 15:31:45.027363, 4] smbd/sec_ctx.c:314(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2013/01/14 15:31:45.027426, 5] ../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2013/01/14 15:31:45.027487, 5] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2013/01/14 15:31:45.027584, 5] smbd/uid.c:400(change_to_root_user)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2013/01/14 15:31:45.027648, 3] smbd/sesssetup.c:1333(reply_sesssetup_and_X)
  wct=13 flg2=0x8003
[2013/01/14 15:31:45.027722, 3] smbd/sesssetup.c:1536(reply_sesssetup_and_X)
  Domain=[WARGAMES] NativeOS=[Windows NT 1381] NativeLanMan=[] PrimaryDomain=[Windows NT 4.0]
[2013/01/14 15:31:45.027788, 3] smbd/sesssetup.c:1552(reply_sesssetup_and_X)
  sesssetupX:name=[WARGAMES]\[administrator]@[proserver]
[2013/01/14 15:31:45.027891, 6] param/loadparm.c:7490(lp_file_list_changed)
  lp_file_list_changed()
  file /etc/samba/smb.conf -> /etc/samba/smb.conf last mod_time: Mon Jan 14 15:30:48 2013
[2013/01/14 15:31:45.028046, 4] auth/user_util.c:361(map_username)
  Scanning username map /etc/samba/smbusers
[2013/01/14 15:31:45.028137, 10] auth/user_util.c:195(user_in_list)
  user_in_list: checking user administrator in list
[2013/01/14 15:31:45.028203, 10] auth/user_util.c:200(user_in_list)
  user_in_list: checking user |administrator| against |administrator|
[2013/01/14 15:31:45.028312, 3] auth/user_util.c:402(map_username)
  Mapped user administrator to root
[2013/01/14 15:31:45.028380, 10] auth/user_util.c:195(user_in_list)
  user_in_list: checking user administrator in list
[2013/01/14 15:31:45.028441, 10] auth/user_util.c:200(user_in_list)
  user_in_list: checking user |administrator| against |guest|
[2013/01/14 15:31:45.028519, 5] auth/auth_util.c:110(make_user_info_map)
  Mapping user [WARGAMES]\[administrator] from workstation [proserver]
[2013/01/14 15:31:45.030280, 5] auth/user_info.c:59(make_user_info)
  attempting to make a user_info for root (administrator)
[2013/01/14 15:31:45.030355, 5] auth/user_info.c:70(make_user_info)
  making strings for root's user_info struct
[2013/01/14 15:31:45.030421, 5] auth/user_info.c:87(make_user_info)
  making blobs for root's user_info struct
[2013/01/14 15:31:45.030485, 10] auth/user_info.c:123(make_user_info)
  made a user_info for root (administrator)
[2013/01/14 15:31:45.030549, 3] auth/auth.c:219(check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [WARGAMES]\[administrator]@[proserver] with the new password interface
[2013/01/14 15:31:45.030618, 3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password: mapped user is: [WARGAMES]\[root]@[proserver]
[2013/01/14 15:31:45.030681, 10] auth/auth.c:231(check_ntlm_password)
  check_ntlm_password: auth_context challenge created by random
[2013/01/14 15:31:45.030744, 10] auth/auth.c:233(check_ntlm_password)
  challenge is:
[2013/01/14 15:31:45.030805, 5] ../lib/util/util.c:415(dump_data)
  [0000] 64 4C F2 4A F4 EC 1F D9 dL.J....
[2013/01/14 15:31:45.030914, 10] auth/auth_builtin.c:44(check_guest_security)
  Check auth for: [root]
[2013/01/14 15:31:45.030976, 10] auth/auth.c:259(check_ntlm_password)
  check_ntlm_password: guest had nothing to say
[2013/01/14 15:31:45.031046, 10] auth/auth_sam.c:75(auth_samstrict_auth)
  Check auth for: [root]
[2013/01/14 15:31:45.031107, 8] lib/util.c:1521(is_myname)
  is_myname("WARGAMES") returns 0
[2013/01/14 15:31:45.031170, 6] auth/auth_sam.c:88(auth_samstrict_auth)
  check_samstrict_security: WARGAMES is not one of my local names (ROLE_DOMAIN_MEMBER)
[2013/01/14 15:31:45.031236, 10] auth/auth.c:259(check_ntlm_password)
  check_ntlm_password: sam had nothing to say
[2013/01/14 15:31:45.031305, 10] auth/auth_winbind.c:50(check_winbind_security)
  Check auth for: [root]
[2013/01/14 15:31:45.031369, 4] smbd/sec_ctx.c:214(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2013/01/14 15:31:45.031435, 4] smbd/uid.c:460(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2013/01/14 15:31:45.031498, 4] smbd/sec_ctx.c:314(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2013/01/14 15:31:45.031562, 5] ../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2013/01/14 15:31:45.031623, 5] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2013/01/14 15:31:45.056976, 4] smbd/sec_ctx.c:422(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2013/01/14 15:31:45.057136, 4] auth/user_util.c:361(map_username)
  Scanning username map /etc/samba/smbusers
[2013/01/14 15:31:45.057223, 10] auth/user_util.c:195(user_in_list)
  user_in_list: checking user WARGAMES\administrator in list
[2013/01/14 15:31:45.057287, 10] auth/user_util.c:200(user_in_list)
  user_in_list: checking user |WARGAMES\administrator| against |administrator|
[2013/01/14 15:31:45.057356, 10] auth/user_util.c:195(user_in_list)
  user_in_list: checking user WARGAMES\administrator in list
[2013/01/14 15:31:45.057418, 10] auth/user_util.c:200(user_in_list)
  user_in_list: checking user |WARGAMES\administrator| against |guest|
[2013/01/14 15:31:45.057502, 5] lib/username.c:171(Get_Pwnam_alloc)
  Finding user WARGAMES\administrator
[2013/01/14 15:31:45.057566, 5] lib/username.c:116(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is wargames\administrator
[2013/01/14 15:31:45.077959, 5] lib/username.c:149(Get_Pwnam_internals)
  Get_Pwnam_internals did find user [WARGAMES\administrator]!
[2013/01/14 15:31:45.078077, 3] auth/auth.c:268(check_ntlm_password)
  check_ntlm_password: winbind authentication for user [administrator] succeeded
[2013/01/14 15:31:45.078152, 4] smbd/sec_ctx.c:214(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2013/01/14 15:31:45.078220, 4] smbd/uid.c:460(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2013/01/14 15:31:45.078284, 4] smbd/sec_ctx.c:314(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2013/01/14 15:31:45.078347, 5] ../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2013/01/14 15:31:45.078410, 5] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2013/01/14 15:31:45.078528, 4] smbd/sec_ctx.c:422(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2013/01/14 15:31:45.078592, 5] auth/auth.c:296(check_ntlm_password)
  check_ntlm_password: PAM Account for user [WARGAMES\administrator] succeeded
[2013/01/14 15:31:45.078656, 2] auth/auth.c:309(check_ntlm_password)
  check_ntlm_password: authentication for user [administrator] -> [root] -> [WARGAMES\administrator] succeeded
[2013/01/14 15:31:45.079131, 10] passdb/lookup_sid.c:76(lookup_name)
  lookup_name: WARGAMES\administrator => domain=[WARGAMES], name=[administrator]
[2013/01/14 15:31:45.079203, 10] passdb/lookup_sid.c:77(lookup_name)
  lookup_name: flags = 0x073
[2013/01/14 15:31:45.081923, 10] passdb/lookup_sid.c:1573(sid_to_uid)
  sid S-1-5-21-546846319-217595157-9522986-500 -> uid 2500
[2013/01/14 15:31:45.082035, 10] passdb/lookup_sid.c:1635(sid_to_gid)
  sid S-1-5-21-546846319-217595157-9522986-513 -> gid 2513
[2013/01/14 15:31:45.082114, 10] auth/token_util.c:339(create_local_nt_token)
  Create local NT token for S-1-5-21-546846319-217595157-9522986-500
[2013/01/14 15:31:45.082196, 4] smbd/sec_ctx.c:214(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2013/01/14 15:31:45.082263, 4] smbd/uid.c:460(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2013/01/14 15:31:45.082326, 4] smbd/sec_ctx.c:314(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2013/01/14 15:31:45.082389, 5] ../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2013/01/14 15:31:45.082449, 5] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2013/01/14 15:31:45.082705, 4] smbd/sec_ctx.c:422(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2013/01/14 15:31:45.082792, 4] lib/privileges.c:97(get_privileges)
  get_privileges: No privileges assigned to SID [S-1-5-21-546846319-217595157-9522986-500]
[2013/01/14 15:31:45.082876, 4] lib/privileges.c:97(get_privileges)
  get_privileges: No privileges assigned to SID [S-1-5-21-546846319-217595157-9522986-513]
[2013/01/14 15:31:45.082955, 4] lib/privileges.c:97(get_privileges)
  get_privileges: No privileges assigned to SID [S-1-22-2-2513]
[2013/01/14 15:31:45.083033, 5] lib/privileges.c:175(get_privileges_for_sids)
  get_privileges_for_sids: sid = S-1-1-0
  Privilege set: 0x0
[2013/01/14 15:31:45.083133, 4] lib/privileges.c:97(get_privileges)
  get_privileges: No privileges assigned to SID [S-1-5-2]
[2013/01/14 15:31:45.083208, 4] lib/privileges.c:97(get_privileges)
  get_privileges: No privileges assigned to SID [S-1-5-11]
[2013/01/14 15:31:45.083392, 10] ../libcli/security/security_token.c:63(security_token_debug)
  Security token SIDs (10):
    SID[ 0]: S-1-5-21-546846319-217595157-9522986-500
    SID[ 1]: S-1-5-21-546846319-217595157-9522986-513
    SID[ 2]: S-1-22-2-2513
    SID[ 3]: S-1-1-0
    SID[ 4]: S-1-5-2
    SID[ 5]: S-1-5-11
    SID[ 6]: S-1-22-1-2500
    SID[ 7]: S-1-22-2-300002
    SID[ 8]: S-1-22-2-300003
    SID[ 9]: S-1-22-2-300004
  Privileges (0x 0):
  Rights (0x 0):
[2013/01/14 15:31:45.083876, 10] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 2500
  Primary group is 2513 and contains 4 supplementary groups
  Group[ 0]: 2513
  Group[ 1]: 300002
  Group[ 2]: 300003
  Group[ 3]: 300004
[2013/01/14 15:31:45.084098, 10] smbd/password.c:199(register_initial_vuid)
  register_initial_vuid: allocated vuid = 101
[2013/01/14 15:31:45.084165, 10] smbd/password.c:293(register_existing_vuid)
  register_existing_vuid: (2500,2513) WARGAMES\administrator administrator WARGAMES guest=0
[2013/01/14 15:31:45.084230, 3] smbd/password.c:298(register_existing_vuid)
  register_existing_vuid: User name: WARGAMES\administrator Real name:
[2013/01/14 15:31:45.084292, 3] smbd/password.c:308(register_existing_vuid)
  register_existing_vuid: UNIX uid 2500 is UNIX user WARGAMES\administrator, and will be vuid 101
[2013/01/14 15:31:45.084377, 10] lib/dbwrap_tdb.c:102(db_tdb_fetch_locked)
  Locking key 49442F32383637382F31
[2013/01/14 15:31:45.084457, 10] lib/dbwrap_tdb.c:131(db_tdb_fetch_locked)
  Allocated locked data 0x0xb8d26018
[2013/01/14 15:31:45.084594, 10] lib/dbwrap_tdb.c:44(db_tdb_record_destr)
  Unlocking key 49442F32383637382F31
[2013/01/14 15:31:45.084696, 7] param/loadparm.c:9834(lp_servicenumber)
  lp_servicenumber: couldn't find WARGAMES\administrator
[2013/01/14 15:31:45.084760, 5] lib/username.c:171(Get_Pwnam_alloc)
  Finding user WARGAMES\administrator
[2013/01/14 15:31:45.084824, 5] lib/username.c:116(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is wargames\administrator
[2013/01/14 15:31:45.084890, 5] lib/username.c:149(Get_Pwnam_internals)
  Get_Pwnam_internals did find user [WARGAMES\administrator]!
[2013/01/14 15:31:45.084953, 3] smbd/password.c:238(register_homes_share) Adding homes service for user 'WARGAMES\administrator' using home directory: '/home/WARGAMES/administrator' [2013/01/14 15:31:45.085037, 7] param/loadparm.c:9834(lp_servicenumber) lp_servicenumber: couldn't find homes [2013/01/14 15:31:45.085163, 6] param/loadparm.c:7490(lp_file_list_changed) lp_file_list_changed() file /etc/samba/smb.conf -> /etc/samba/smb.conf last mod_time: Mon Jan 14 15:30:48 2013 [2013/01/14 15:31:45.086881, 10] lib/util_sock.c:519(read_smb_length_return_keepalive) got smb length of 100 [2013/01/14 15:31:45.086959, 6] smbd/process.c:1660(process_smb) got message type 0x0 of len 0x64 [2013/01/14 15:31:45.087022, 3] smbd/process.c:1662(process_smb) Transaction 3 of length 104 (0 toread) [2013/01/14 15:31:45.087084, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:45.087120, 5] lib/util.c:342(show_msg) size=100 smb_com=0xa2 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=32771 smb_tid=1 smb_pid=51584 smb_uid=101 smb_mid=128 smt_wct=24 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 0 (0x0) smb_vwv[ 2]= 3584 (0xE00) smb_vwv[ 3]= 1536 (0x600) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]=40704 (0x9F00) smb_vwv[ 8]= 513 (0x201) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 0 (0x0) smb_vwv[11]= 0 (0x0) smb_vwv[12]= 0 (0x0) smb_vwv[13]= 0 (0x0) smb_vwv[14]= 0 (0x0) smb_vwv[15]= 768 (0x300) smb_vwv[16]= 0 (0x0) smb_vwv[17]= 256 (0x100) smb_vwv[18]= 0 (0x0) smb_vwv[19]= 0 (0x0) smb_vwv[20]= 0 (0x0) smb_vwv[21]= 512 (0x200) smb_vwv[22]= 0 (0x0) smb_vwv[23]= 256 (0x100) smb_bcc=17 [2013/01/14 15:31:45.088120, 10] ../lib/util/util.c:415(dump_data) [0000] A4 5C 00 73 00 72 00 76 00 73 00 76 00 63 00 00 .\.s.r.v .s.v.c.. [0010] 00 . 
[2013/01/14 15:31:45.088279, 3] smbd/process.c:1467(switch_message) switch message SMBntcreateX (pid 28678) conn 0xb8d20d18 [2013/01/14 15:31:45.088353, 10] smbd/share_access.c:241(user_ok_token) user_ok_token: share IPC$ is ok for unix user WARGAMES\administrator [2013/01/14 15:31:45.088422, 10] smbd/share_access.c:286(is_share_read_only_for_token) is_share_read_only_for_user: share IPC$ is read-only for unix user WARGAMES\administrator [2013/01/14 15:31:45.088568, 10] ../libcli/security/access_check.c:58(se_map_generic) se_map_generic(): mapped mask 0x10000000 to 0x001f01ff [2013/01/14 15:31:45.088663, 4] smbd/sec_ctx.c:314(set_sec_ctx) setting sec ctx (2500, 2513) - sec_ctx_stack_ndx = 0 [2013/01/14 15:31:45.088731, 5] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (10): SID[ 0]: S-1-5-21-546846319-217595157-9522986-500 SID[ 1]: S-1-5-21-546846319-217595157-9522986-513 SID[ 2]: S-1-22-2-2513 SID[ 3]: S-1-1-0 SID[ 4]: S-1-5-2 SID[ 5]: S-1-5-11 SID[ 6]: S-1-22-1-2500 SID[ 7]: S-1-22-2-300002 SID[ 8]: S-1-22-2-300003 SID[ 9]: S-1-22-2-300004 Privileges (0x 0): Rights (0x 0): [2013/01/14 15:31:45.089156, 5] auth/token_util.c:527(debug_unix_user_token) UNIX token of user 2500 Primary group is 2513 and contains 4 supplementary groups Group[ 0]: 2513 Group[ 1]: 300002 Group[ 2]: 300003 Group[ 3]: 300004 [2013/01/14 15:31:45.089373, 5] smbd/uid.c:317(change_to_user_internal) Impersonated user: uid=(0,2500), gid=(0,2513) [2013/01/14 15:31:45.089446, 4] smbd/vfs.c:780(vfs_ChDir) vfs_ChDir to /tmp [2013/01/14 15:31:45.089558, 10] smbd/nttrans.c:500(reply_ntcreate_and_X) reply_ntcreate_and_X: flags = 0x6, access_mask = 0x2019f file_attributes = 0x0, share_access = 0x3, create_disposition = 0x1 create_options = 0x0 root_dir_fid = 0x0, fname = srvsvc [2013/01/14 15:31:45.089634, 4] smbd/nttrans.c:288(nt_open_pipe) nt_open_pipe: Opening pipe \srvsvc. 
[2013/01/14 15:31:45.089728, 5] smbd/files.c:140(file_new) allocated file structure 6967, fnum = 11063 (1 used) [2013/01/14 15:31:45.089808, 10] smbd/files.c:705(file_name_hash) file_name_hash: /tmp/srvsvc hash 0x8e98a76a [2013/01/14 15:31:45.089897, 4] rpc_server/rpc_ncacn_np.c:132(make_internal_rpc_pipe_p) Create pipe requested \srvsvc [2013/01/14 15:31:45.089986, 10] rpc_server/rpc_handles.c:116(init_pipe_handles) init_pipe_handle_list: created handle list for pipe \srvsvc [2013/01/14 15:31:45.090049, 10] rpc_server/rpc_handles.c:133(init_pipe_handles) init_pipe_handle_list: pipe_handles ref count = 1 for pipe \srvsvc [2013/01/14 15:31:45.090127, 4] rpc_server/rpc_ncacn_np.c:176(make_internal_rpc_pipe_p) Created internal pipe \srvsvc (pipes_open=0) [2013/01/14 15:31:45.090195, 5] smbd/nttrans.c:377(do_ntcreate_pipe_open) do_ntcreate_pipe_open: open pipe = \srvsvc [2013/01/14 15:31:45.090730, 10] lib/util_sock.c:519(read_smb_length_return_keepalive) got smb length of 156 [2013/01/14 15:31:45.090909, 6] smbd/process.c:1660(process_smb) got message type 0x0 of len 0x9c [2013/01/14 15:31:45.090974, 3] smbd/process.c:1662(process_smb) Transaction 4 of length 160 (0 toread) [2013/01/14 15:31:45.091037, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:45.091072, 5] lib/util.c:342(show_msg) size=156 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=32771 smb_tid=1 smb_pid=51584 smb_uid=101 smb_mid=192 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 72 (0x48) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 1024 (0x400) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 84 (0x54) smb_vwv[11]= 72 (0x48) smb_vwv[12]= 84 (0x54) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=11063 (0x2B37) smb_bcc=89 [2013/01/14 15:31:45.091852, 10] ../lib/util/util.c:415(dump_data) [0000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 00 .\.P.I.P .E.\.... 
[0010] A4 05 00 0B 00 10 00 00 00 48 00 00 00 00 00 00 ........ .H...... [0020] 00 30 16 30 16 00 00 00 00 01 00 00 00 00 00 01 .0.0.... ........ [0030] 00 C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 ..O2Kp.. ..xZG.n. [0040] 88 03 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 ......]. ........ [0050] 00 2B 10 48 60 02 00 00 00 .+.H`... . [2013/01/14 15:31:45.092388, 3] smbd/process.c:1467(switch_message) switch message SMBtrans (pid 28678) conn 0xb8d20d18 [2013/01/14 15:31:45.092457, 4] smbd/uid.c:351(change_to_user) Skipping user change - already user [2013/01/14 15:31:45.092547, 3] smbd/ipc.c:560(handle_trans) trans <\PIPE\> data=72 params=0 setup=2 [2013/01/14 15:31:45.092617, 5] smbd/ipc.c:593(handle_trans) calling named_pipe [2013/01/14 15:31:45.092677, 3] smbd/ipc.c:511(named_pipe) named pipe command on <> name [2013/01/14 15:31:45.092743, 5] smbd/ipc.c:434(api_fd_reply) api_fd_reply [2013/01/14 15:31:45.092806, 3] smbd/ipc.c:475(api_fd_reply) Got API command 0x26 on pipe "srvsvc" (pnum 2b37) [2013/01/14 15:31:45.092871, 10] smbd/ipc.c:477(api_fd_reply) api_fd_reply: p:0xb8d21110 max_trans_reply: 1024 [2013/01/14 15:31:45.092937, 6] rpc_server/srv_pipe_hnd.c:520(np_write_send) np_write_send: len: 72 [2013/01/14 15:31:45.093007, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 72 [2013/01/14 15:31:45.093072, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) process_incoming_data: Start: pdu.length = 0, pdu_needed_len = 0, incoming data = 72 [2013/01/14 15:31:45.093136, 10] rpc_server/srv_pipe_hnd.c:50(fill_rpc_header) fill_rpc_header: data_to_copy = 72, len_needed_to_complete_hdr = 16, receive_len = 0 [2013/01/14 15:31:45.093201, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 16 [2013/01/14 15:31:45.093262, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 56 [2013/01/14 15:31:45.093323, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) 
process_incoming_data: Start: pdu.length = 16, pdu_needed_len = 0, incoming data = 56 [2013/01/14 15:31:45.093393, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 0 [2013/01/14 15:31:45.093454, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 56 [2013/01/14 15:31:45.093515, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) process_incoming_data: Start: pdu.length = 16, pdu_needed_len = 56, incoming data = 56 [2013/01/14 15:31:45.093584, 10] rpc_server/srv_pipe.c:1877(process_complete_pdu) PDU is in Little Endian format! [2013/01/14 15:31:45.093681, 1] ../librpc/ndr/ndr.c:247(ndr_print_debug) r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_BIND (11) pfc_flags : 0x00 (0) drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0048 (72) auth_length : 0x0000 (0) call_id : 0x00000000 (0) u : union dcerpc_payload(case 11) bind: struct dcerpc_bind max_xmit_frag : 0x1630 (5680) max_recv_frag : 0x1630 (5680) assoc_group_id : 0x00000000 (0) num_contexts : 0x01 (1) ctx_list: ARRAY(1) ctx_list: struct dcerpc_ctx_list context_id : 0x0000 (0) num_transfer_syntaxes : 0x01 (1) abstract_syntax: struct ndr_syntax_id uuid : 4b324fc8-1670-01d3-1278-5a47bf6ee188 if_version : 0x00000003 (3) transfer_syntaxes: ARRAY(1) transfer_syntaxes: struct ndr_syntax_id uuid : 8a885d04-1ceb-11c9-9fe8-08002b104860 if_version : 0x00000002 (2) auth_info : DATA_BLOB length=0 [2013/01/14 15:31:45.094783, 10] rpc_server/srv_pipe.c:1890(process_complete_pdu) Processing packet type 11 [2013/01/14 15:31:45.094850, 3] rpc_server/srv_pipe.c:889(api_pipe_bind_req) api_pipe_bind_req: \PIPE\srvsvc -> \PIPE\srvsvc [2013/01/14 15:31:45.094915, 5] rpc_server/srv_pipe.c:923(api_pipe_bind_req) api_pipe_bind_req: make response. 
923 [2013/01/14 15:31:45.094979, 3] rpc_server/srv_pipe.c:339(check_bind_req) check_bind_req for \srvsvc [2013/01/14 15:31:45.095047, 3] rpc_server/srv_pipe.c:346(check_bind_req) check_bind_req: \PIPE\srvsvc -> \PIPE\srvsvc [2013/01/14 15:31:45.095140, 1] ../librpc/ndr/ndr.c:247(ndr_print_debug) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_BIND_ACK (12) pfc_flags : 0x03 (3) drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0044 (68) auth_length : 0x0000 (0) call_id : 0x00000000 (0) u : union dcerpc_payload(case 12) bind_ack: struct dcerpc_bind_ack max_xmit_frag : 0x10b8 (4280) max_recv_frag : 0x10b8 (4280) assoc_group_id : 0x000053f0 (21488) secondary_address_size : 0x000d (13) secondary_address : '\PIPE\srvsvc' _pad1 : DATA_BLOB length=0 num_results : 0x01 (1) ctx_list: ARRAY(1) ctx_list: struct dcerpc_ack_ctx result : 0x0000 (0) reason : 0x0000 (0) syntax: struct ndr_syntax_id uuid : 8a885d04-1ceb-11c9-9fe8-08002b104860 if_version : 0x00000002 (2) auth_info : DATA_BLOB length=0 [2013/01/14 15:31:45.096149, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 56 [2013/01/14 15:31:45.096245, 6] rpc_server/srv_pipe_hnd.c:284(read_from_internal_pipe) name: \srvsvc len: 1024 [2013/01/14 15:31:45.096342, 10] rpc_server/srv_pipe_hnd.c:325(read_from_internal_pipe) read_from_pipe: \srvsvc: current_pdu_len = 68, current_pdu_sent = 0 returning 68 bytes. [2013/01/14 15:31:45.096409, 3] rpc_server/srv_pipe_hnd.c:121(free_pipe_context) free_pipe_context: destroying talloc pool of size 24 [2013/01/14 15:31:45.096501, 10] rpc_server/srv_pipe_hnd.c:788(np_read_recv) Received 68 bytes. 
There is no more data outstanding [2013/01/14 15:31:45.096569, 5] smbd/ipc.c:62(copy_trans_params_and_data) copy_trans_params_and_data: params[0..0] data[0..68] (align 0) [2013/01/14 15:31:45.096633, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:45.096669, 5] lib/util.c:342(show_msg) size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=49155 smb_tid=1 smb_pid=51584 smb_uid=101 smb_mid=192 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [2013/01/14 15:31:45.097286, 10] ../lib/util/util.c:415(dump_data) [0000] 00 05 00 0C 03 10 00 00 00 44 00 00 00 00 00 00 ........ .D...... [0010] 00 B8 10 B8 10 F0 53 00 00 0D 00 5C 50 49 50 45 ......S. ...\PIPE [0020] 5C 73 72 76 73 76 63 00 00 01 00 00 00 00 00 00 \srvsvc. ........ [0030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H [0040] 60 02 00 00 00 `.... 
[2013/01/14 15:31:45.099187, 10] lib/util_sock.c:519(read_smb_length_return_keepalive) got smb length of 172 [2013/01/14 15:31:45.099332, 6] smbd/process.c:1660(process_smb) got message type 0x0 of len 0xac [2013/01/14 15:31:45.099395, 3] smbd/process.c:1662(process_smb) Transaction 5 of length 176 (0 toread) [2013/01/14 15:31:45.099458, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:45.099493, 5] lib/util.c:342(show_msg) size=172 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=32771 smb_tid=1 smb_pid=51584 smb_uid=101 smb_mid=256 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 88 (0x58) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 1024 (0x400) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 84 (0x54) smb_vwv[11]= 88 (0x58) smb_vwv[12]= 84 (0x54) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=11063 (0x2B37) smb_bcc=105 [2013/01/14 15:31:45.100276, 10] ../lib/util/util.c:415(dump_data) [0000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 00 .\.P.I.P .E.\.... [0010] 3F 05 00 00 03 10 00 00 00 58 00 00 00 01 00 00 ?....... .X...... [0020] 00 40 00 00 00 00 00 10 00 D0 F7 83 01 0A 00 00 .@...... ........ [0030] 00 00 00 00 00 0A 00 00 00 5C 00 5C 00 48 00 61 ........ .\.\.H.a [0040] 00 77 00 6B 00 69 00 6E 00 67 00 00 00 06 00 00 .w.k.i.n .g...... [0050] 00 00 00 00 00 06 00 00 00 73 00 74 00 75 00 66 ........ .s.t.u.f [0060] 00 66 00 00 00 01 00 00 00 .f...... . 
[2013/01/14 15:31:45.100788, 3] smbd/process.c:1467(switch_message) switch message SMBtrans (pid 28678) conn 0xb8d20d18 [2013/01/14 15:31:45.100853, 4] smbd/uid.c:351(change_to_user) Skipping user change - already user [2013/01/14 15:31:45.100926, 3] smbd/ipc.c:560(handle_trans) trans <\PIPE\> data=88 params=0 setup=2 [2013/01/14 15:31:45.100993, 5] smbd/ipc.c:593(handle_trans) calling named_pipe [2013/01/14 15:31:45.101052, 3] smbd/ipc.c:511(named_pipe) named pipe command on <> name [2013/01/14 15:31:45.101115, 5] smbd/ipc.c:434(api_fd_reply) api_fd_reply [2013/01/14 15:31:45.101177, 3] smbd/ipc.c:475(api_fd_reply) Got API command 0x26 on pipe "srvsvc" (pnum 2b37) [2013/01/14 15:31:45.101241, 10] smbd/ipc.c:477(api_fd_reply) api_fd_reply: p:0xb8d21110 max_trans_reply: 1024 [2013/01/14 15:31:45.101306, 6] rpc_server/srv_pipe_hnd.c:520(np_write_send) np_write_send: len: 88 [2013/01/14 15:31:45.101371, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 88 [2013/01/14 15:31:45.101433, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) process_incoming_data: Start: pdu.length = 0, pdu_needed_len = 0, incoming data = 88 [2013/01/14 15:31:45.101497, 10] rpc_server/srv_pipe_hnd.c:50(fill_rpc_header) fill_rpc_header: data_to_copy = 88, len_needed_to_complete_hdr = 16, receive_len = 0 [2013/01/14 15:31:45.101565, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 16 [2013/01/14 15:31:45.101626, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 72 [2013/01/14 15:31:45.101687, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) process_incoming_data: Start: pdu.length = 16, pdu_needed_len = 0, incoming data = 72 [2013/01/14 15:31:45.101752, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 0 [2013/01/14 15:31:45.101813, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 72 [2013/01/14 
15:31:45.101874, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) process_incoming_data: Start: pdu.length = 16, pdu_needed_len = 72, incoming data = 72 [2013/01/14 15:31:45.101939, 10] rpc_server/srv_pipe.c:1877(process_complete_pdu) PDU is in Little Endian format! [2013/01/14 15:31:45.102017, 1] ../librpc/ndr/ndr.c:247(ndr_print_debug) r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0058 (88) auth_length : 0x0000 (0) call_id : 0x00000001 (1) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000040 (64) context_id : 0x0000 (0) opnum : 0x0010 (16) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=64 [0000] D0 F7 83 01 0A 00 00 00 00 00 00 00 0A 00 00 00 ........ ........ [0010] 5C 00 5C 00 48 00 61 00 77 00 6B 00 69 00 6E 00 \.\.H.a. w.k.i.n. [0020] 67 00 00 00 06 00 00 00 00 00 00 00 06 00 00 00 g....... ........ [0030] 73 00 74 00 75 00 66 00 66 00 00 00 01 00 00 00 s.t.u.f. f....... [2013/01/14 15:31:45.103183, 10] rpc_server/srv_pipe.c:1890(process_complete_pdu) Processing packet type 0 [2013/01/14 15:31:45.103246, 10] rpc_server/srv_pipe.c:1734(dcesrv_auth_request) Checking request auth. 
[2013/01/14 15:31:45.103312, 5] rpc_server/srv_pipe.c:1571(api_pipe_request) Requested \PIPE\\srvsvc [2013/01/14 15:31:45.103378, 4] rpc_server/srv_pipe.c:1611(api_rpcTNP) api_rpcTNP: \srvsvc op 0x10 - api_rpcTNP: rpc command: SRVSVC_NETSHAREGETINFO [2013/01/14 15:31:45.103448, 6] rpc_server/srv_pipe.c:1645(api_rpcTNP) api_rpc_cmds[16].fn == 0xb71a3660 [2013/01/14 15:31:45.103524, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) srvsvc_NetShareGetInfo: struct srvsvc_NetShareGetInfo in: struct srvsvc_NetShareGetInfo server_unc : * server_unc : '\\Hawking' share_name : 'stuff' level : 0x00000001 (1) [2013/01/14 15:31:45.108179, 5] rpc_server/srvsvc/srv_srvsvc_nt.c:1440(_srvsvc_NetShareGetInfo) _srvsvc_NetShareGetInfo: 1440 [2013/01/14 15:31:45.108286, 5] rpc_server/srvsvc/srv_srvsvc_nt.c:1510(_srvsvc_NetShareGetInfo) _srvsvc_NetShareGetInfo: 1510 [2013/01/14 15:31:45.108348, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) srvsvc_NetShareGetInfo: struct srvsvc_NetShareGetInfo out: struct srvsvc_NetShareGetInfo info : * info : union srvsvc_NetShareInfo(case 1) info1 : * info1: struct srvsvc_NetShareInfo1 name : * name : 'stuff' type : STYPE_DISKTREE (0x0) comment : * comment : 'Assorted files' result : WERR_OK [2013/01/14 15:31:45.108830, 5] rpc_server/srv_pipe.c:1679(api_rpcTNP) api_rpcTNP: called \srvsvc successfully [2013/01/14 15:31:45.108898, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 72 [2013/01/14 15:31:45.108991, 6] rpc_server/srv_pipe_hnd.c:284(read_from_internal_pipe) name: \srvsvc len: 1024 [2013/01/14 15:31:45.109056, 10] rpc_server/srv_pipe_hnd.c:346(read_from_internal_pipe) read_from_pipe: \srvsvc: fault_state = 0 : data_sent_length = 0, p->out_data.rdata.length = 92. 
[2013/01/14 15:31:45.109139, 1] ../librpc/ndr/ndr.c:247(ndr_print_debug) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0074 (116) auth_length : 0x0000 (0) call_id : 0x00000001 (1) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x0000005c (92) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=92 [0000] 01 00 00 00 04 00 02 00 08 00 02 00 00 00 00 00 ........ ........ [0010] 0C 00 02 00 06 00 00 00 00 00 00 00 06 00 00 00 ........ ........ [0020] 73 00 74 00 75 00 66 00 66 00 00 00 0F 00 00 00 s.t.u.f. f....... [0030] 00 00 00 00 0F 00 00 00 41 00 73 00 73 00 6F 00 ........ A.s.s.o. [0040] 72 00 74 00 65 00 64 00 20 00 66 00 69 00 6C 00 r.t.e.d. .f.i.l. [0050] 65 00 73 00 00 00 00 00 00 00 00 00 e.s..... .... [2013/01/14 15:31:45.110466, 3] rpc_server/srv_pipe_hnd.c:121(free_pipe_context) free_pipe_context: destroying talloc pool of size 66 [2013/01/14 15:31:45.110546, 10] rpc_server/srv_pipe_hnd.c:788(np_read_recv) Received 116 bytes. There is no more data outstanding [2013/01/14 15:31:45.110614, 5] smbd/ipc.c:62(copy_trans_params_and_data) copy_trans_params_and_data: params[0..0] data[0..116] (align 0) [2013/01/14 15:31:45.110678, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:45.110713, 5] lib/util.c:342(show_msg) size=172 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=49155 smb_tid=1 smb_pid=51584 smb_uid=101 smb_mid=256 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 116 (0x74) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 116 (0x74) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=117 [2013/01/14 15:31:45.111332, 10] ../lib/util/util.c:415(dump_data) [0000] 00 05 00 02 03 10 00 00 00 74 00 00 00 01 00 00 ........ 
.t...... [0010] 00 5C 00 00 00 00 00 00 00 01 00 00 00 04 00 02 .\...... ........ [0020] 00 08 00 02 00 00 00 00 00 0C 00 02 00 06 00 00 ........ ........ [0030] 00 00 00 00 00 06 00 00 00 73 00 74 00 75 00 66 ........ .s.t.u.f [0040] 00 66 00 00 00 0F 00 00 00 00 00 00 00 0F 00 00 .f...... ........ [0050] 00 41 00 73 00 73 00 6F 00 72 00 74 00 65 00 64 .A.s.s.o .r.t.e.d [0060] 00 20 00 66 00 69 00 6C 00 65 00 73 00 00 00 00 . .f.i.l .e.s.... [0070] 00 00 00 00 00 ..... [2013/01/14 15:31:45.112331, 10] lib/util_sock.c:519(read_smb_length_return_keepalive) got smb length of 42 [2013/01/14 15:31:45.112403, 6] smbd/process.c:1660(process_smb) got message type 0x0 of len 0x2a [2013/01/14 15:31:45.112466, 3] smbd/process.c:1662(process_smb) Transaction 6 of length 46 (0 toread) [2013/01/14 15:31:45.112529, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:45.112564, 5] lib/util.c:342(show_msg) size=42 smb_com=0x4 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=32771 smb_tid=1 smb_pid=51966 smb_uid=101 smb_mid=320 smt_wct=3 smb_vwv[ 0]=11063 (0x2B37) smb_vwv[ 1]=65535 (0xFFFF) smb_vwv[ 2]=65535 (0xFFFF) smb_bcc=0 [2013/01/14 15:31:45.112994, 10] ../lib/util/util.c:415(dump_data) [2013/01/14 15:31:45.113032, 3] smbd/process.c:1467(switch_message) switch message SMBclose (pid 28678) conn 0xb8d20d18 [2013/01/14 15:31:45.113097, 4] smbd/uid.c:351(change_to_user) Skipping user change - already user [2013/01/14 15:31:45.113166, 3] smbd/reply.c:4848(reply_close) close fd=-1 fnum=11063 (numopen=1) [2013/01/14 15:31:45.113232, 6] smbd/close.c:532(set_close_write_time) close_write_time: Wed Dec 31 18:59:59 1969 [2013/01/14 15:31:45.113371, 10] rpc_server/rpc_handles.c:307(close_policy_by_pipe) close_policy_by_pipe: deleted handle list for pipe \srvsvc [2013/01/14 15:31:45.113446, 5] smbd/files.c:482(file_free) freed files structure 11063 (0 used) [2013/01/14 15:31:45.113511, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:45.113546, 5] lib/util.c:342(show_msg) size=35 smb_com=0x4 
smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=49155 smb_tid=1 smb_pid=51966 smb_uid=101 smb_mid=320 smt_wct=0 smb_bcc=0 [2013/01/14 15:31:45.113895, 10] ../lib/util/util.c:415(dump_data) [2013/01/14 15:31:48.983050, 10] lib/util_sock.c:519(read_smb_length_return_keepalive) got smb length of 100 [2013/01/14 15:31:48.983147, 6] smbd/process.c:1660(process_smb) got message type 0x0 of len 0x64 [2013/01/14 15:31:48.983210, 3] smbd/process.c:1662(process_smb) Transaction 7 of length 104 (0 toread) [2013/01/14 15:31:48.983272, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:48.983307, 5] lib/util.c:342(show_msg) size=100 smb_com=0xa2 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=32771 smb_tid=1 smb_pid=51584 smb_uid=101 smb_mid=384 smt_wct=24 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 0 (0x0) smb_vwv[ 2]= 3584 (0xE00) smb_vwv[ 3]= 1536 (0x600) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]=40704 (0x9F00) smb_vwv[ 8]= 513 (0x201) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 0 (0x0) smb_vwv[11]= 0 (0x0) smb_vwv[12]= 0 (0x0) smb_vwv[13]= 0 (0x0) smb_vwv[14]= 0 (0x0) smb_vwv[15]= 768 (0x300) smb_vwv[16]= 0 (0x0) smb_vwv[17]= 256 (0x100) smb_vwv[18]= 0 (0x0) smb_vwv[19]= 0 (0x0) smb_vwv[20]= 0 (0x0) smb_vwv[21]= 512 (0x200) smb_vwv[22]= 0 (0x0) smb_vwv[23]= 256 (0x100) smb_bcc=17 [2013/01/14 15:31:48.984304, 10] ../lib/util/util.c:415(dump_data) [0000] A4 5C 00 73 00 72 00 76 00 73 00 76 00 63 00 00 .\.s.r.v .s.v.c.. [0010] 00 . 
[2013/01/14 15:31:48.984462, 3] smbd/process.c:1467(switch_message) switch message SMBntcreateX (pid 28678) conn 0xb8d20d18 [2013/01/14 15:31:48.984528, 4] smbd/uid.c:351(change_to_user) Skipping user change - already user [2013/01/14 15:31:48.984605, 10] smbd/nttrans.c:500(reply_ntcreate_and_X) reply_ntcreate_and_X: flags = 0x6, access_mask = 0x2019f file_attributes = 0x0, share_access = 0x3, create_disposition = 0x1 create_options = 0x0 root_dir_fid = 0x0, fname = srvsvc [2013/01/14 15:31:48.984678, 4] smbd/nttrans.c:288(nt_open_pipe) nt_open_pipe: Opening pipe \srvsvc. [2013/01/14 15:31:48.984748, 5] smbd/files.c:140(file_new) allocated file structure 6968, fnum = 11064 (1 used) [2013/01/14 15:31:48.984822, 10] smbd/files.c:705(file_name_hash) file_name_hash: /tmp/srvsvc hash 0x8e98a76a [2013/01/14 15:31:48.984900, 4] rpc_server/rpc_ncacn_np.c:132(make_internal_rpc_pipe_p) Create pipe requested \srvsvc [2013/01/14 15:31:48.984975, 10] rpc_server/rpc_handles.c:116(init_pipe_handles) init_pipe_handle_list: created handle list for pipe \srvsvc [2013/01/14 15:31:48.985038, 10] rpc_server/rpc_handles.c:133(init_pipe_handles) init_pipe_handle_list: pipe_handles ref count = 1 for pipe \srvsvc [2013/01/14 15:31:48.985123, 4] rpc_server/rpc_ncacn_np.c:176(make_internal_rpc_pipe_p) Created internal pipe \srvsvc (pipes_open=0) [2013/01/14 15:31:48.985190, 5] smbd/nttrans.c:377(do_ntcreate_pipe_open) do_ntcreate_pipe_open: open pipe = \srvsvc [2013/01/14 15:31:48.986752, 10] lib/util_sock.c:519(read_smb_length_return_keepalive) got smb length of 156 [2013/01/14 15:31:48.986823, 6] smbd/process.c:1660(process_smb) got message type 0x0 of len 0x9c [2013/01/14 15:31:48.986885, 3] smbd/process.c:1662(process_smb) Transaction 8 of length 160 (0 toread) [2013/01/14 15:31:48.986948, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:48.986983, 5] lib/util.c:342(show_msg) size=156 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=32771 smb_tid=1 smb_pid=51584 smb_uid=101 
smb_mid=448 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 72 (0x48) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 1024 (0x400) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 84 (0x54) smb_vwv[11]= 72 (0x48) smb_vwv[12]= 84 (0x54) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=11064 (0x2B38) smb_bcc=89 [2013/01/14 15:31:48.987813, 10] ../lib/util/util.c:415(dump_data) [0000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 00 .\.P.I.P .E.\.... [0010] A4 05 00 0B 00 10 00 00 00 48 00 00 00 01 00 00 ........ .H...... [0020] 00 30 16 30 16 00 00 00 00 01 00 00 00 00 00 01 .0.0.... ........ [0030] 00 C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 ..O2Kp.. ..xZG.n. [0040] 88 03 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 ......]. ........ [0050] 00 2B 10 48 60 02 00 00 00 .+.H`... . [2013/01/14 15:31:48.988252, 3] smbd/process.c:1467(switch_message) switch message SMBtrans (pid 28678) conn 0xb8d20d18 [2013/01/14 15:31:48.988317, 4] smbd/uid.c:351(change_to_user) Skipping user change - already user [2013/01/14 15:31:48.988388, 3] smbd/ipc.c:560(handle_trans) trans <\PIPE\> data=72 params=0 setup=2 [2013/01/14 15:31:48.988455, 5] smbd/ipc.c:593(handle_trans) calling named_pipe [2013/01/14 15:31:48.988514, 3] smbd/ipc.c:511(named_pipe) named pipe command on <> name [2013/01/14 15:31:48.988577, 5] smbd/ipc.c:434(api_fd_reply) api_fd_reply [2013/01/14 15:31:48.988638, 3] smbd/ipc.c:475(api_fd_reply) Got API command 0x26 on pipe "srvsvc" (pnum 2b38) [2013/01/14 15:31:48.988702, 10] smbd/ipc.c:477(api_fd_reply) api_fd_reply: p:0xb8d21110 max_trans_reply: 1024 [2013/01/14 15:31:48.988767, 6] rpc_server/srv_pipe_hnd.c:520(np_write_send) np_write_send: len: 72 [2013/01/14 15:31:48.988831, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 72 [2013/01/14 15:31:48.988893, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) process_incoming_data: Start: pdu.length = 
0, pdu_needed_len = 0, incoming data = 72 [2013/01/14 15:31:48.988957, 10] rpc_server/srv_pipe_hnd.c:50(fill_rpc_header) fill_rpc_header: data_to_copy = 72, len_needed_to_complete_hdr = 16, receive_len = 0 [2013/01/14 15:31:48.989022, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 16 [2013/01/14 15:31:48.989083, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 56 [2013/01/14 15:31:48.989145, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) process_incoming_data: Start: pdu.length = 16, pdu_needed_len = 0, incoming data = 56 [2013/01/14 15:31:48.989210, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 0 [2013/01/14 15:31:48.989271, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 56 [2013/01/14 15:31:48.989332, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) process_incoming_data: Start: pdu.length = 16, pdu_needed_len = 56, incoming data = 56 [2013/01/14 15:31:48.989397, 10] rpc_server/srv_pipe.c:1877(process_complete_pdu) PDU is in Little Endian format! 
[2013/01/14 15:31:48.989477, 1] ../librpc/ndr/ndr.c:247(ndr_print_debug) r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_BIND (11) pfc_flags : 0x00 (0) drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0048 (72) auth_length : 0x0000 (0) call_id : 0x00000001 (1) u : union dcerpc_payload(case 11) bind: struct dcerpc_bind max_xmit_frag : 0x1630 (5680) max_recv_frag : 0x1630 (5680) assoc_group_id : 0x00000000 (0) num_contexts : 0x01 (1) ctx_list: ARRAY(1) ctx_list: struct dcerpc_ctx_list context_id : 0x0000 (0) num_transfer_syntaxes : 0x01 (1) abstract_syntax: struct ndr_syntax_id uuid : 4b324fc8-1670-01d3-1278-5a47bf6ee188 if_version : 0x00000003 (3) transfer_syntaxes: ARRAY(1) transfer_syntaxes: struct ndr_syntax_id uuid : 8a885d04-1ceb-11c9-9fe8-08002b104860 if_version : 0x00000002 (2) auth_info : DATA_BLOB length=0 [2013/01/14 15:31:48.990562, 10] rpc_server/srv_pipe.c:1890(process_complete_pdu) Processing packet type 11 [2013/01/14 15:31:48.990626, 3] rpc_server/srv_pipe.c:889(api_pipe_bind_req) api_pipe_bind_req: \PIPE\srvsvc -> \PIPE\srvsvc [2013/01/14 15:31:48.990689, 5] rpc_server/srv_pipe.c:923(api_pipe_bind_req) api_pipe_bind_req: make response. 
923 [2013/01/14 15:31:48.990751, 3] rpc_server/srv_pipe.c:339(check_bind_req) check_bind_req for \srvsvc [2013/01/14 15:31:48.990815, 3] rpc_server/srv_pipe.c:346(check_bind_req) check_bind_req: \PIPE\srvsvc -> \PIPE\srvsvc [2013/01/14 15:31:48.990902, 1] ../librpc/ndr/ndr.c:247(ndr_print_debug) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_BIND_ACK (12) pfc_flags : 0x03 (3) drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0044 (68) auth_length : 0x0000 (0) call_id : 0x00000001 (1) u : union dcerpc_payload(case 12) bind_ack: struct dcerpc_bind_ack max_xmit_frag : 0x10b8 (4280) max_recv_frag : 0x10b8 (4280) assoc_group_id : 0x000053f0 (21488) secondary_address_size : 0x000d (13) secondary_address : '\PIPE\srvsvc' _pad1 : DATA_BLOB length=0 num_results : 0x01 (1) ctx_list: ARRAY(1) ctx_list: struct dcerpc_ack_ctx result : 0x0000 (0) reason : 0x0000 (0) syntax: struct ndr_syntax_id uuid : 8a885d04-1ceb-11c9-9fe8-08002b104860 if_version : 0x00000002 (2) auth_info : DATA_BLOB length=0 [2013/01/14 15:31:48.991904, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 56 [2013/01/14 15:31:48.991990, 6] rpc_server/srv_pipe_hnd.c:284(read_from_internal_pipe) name: \srvsvc len: 1024 [2013/01/14 15:31:48.992054, 10] rpc_server/srv_pipe_hnd.c:325(read_from_internal_pipe) read_from_pipe: \srvsvc: current_pdu_len = 68, current_pdu_sent = 0 returning 68 bytes. [2013/01/14 15:31:48.992122, 3] rpc_server/srv_pipe_hnd.c:121(free_pipe_context) free_pipe_context: destroying talloc pool of size 24 [2013/01/14 15:31:48.992196, 10] rpc_server/srv_pipe_hnd.c:788(np_read_recv) Received 68 bytes. 
There is no more data outstanding [2013/01/14 15:31:48.992262, 5] smbd/ipc.c:62(copy_trans_params_and_data) copy_trans_params_and_data: params[0..0] data[0..68] (align 0) [2013/01/14 15:31:48.992355, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:48.992391, 5] lib/util.c:342(show_msg) size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=49155 smb_tid=1 smb_pid=51584 smb_uid=101 smb_mid=448 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [2013/01/14 15:31:48.993009, 10] ../lib/util/util.c:415(dump_data) [0000] 00 05 00 0C 03 10 00 00 00 44 00 00 00 01 00 00 ........ .D...... [0010] 00 B8 10 B8 10 F0 53 00 00 0D 00 5C 50 49 50 45 ......S. ...\PIPE [0020] 5C 73 72 76 73 76 63 00 00 01 00 00 00 00 00 00 \srvsvc. ........ [0030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H [0040] 60 02 00 00 00 `.... 
[2013/01/14 15:31:48.993783, 10] lib/util_sock.c:519(read_smb_length_return_keepalive) got smb length of 172 [2013/01/14 15:31:48.993855, 6] smbd/process.c:1660(process_smb) got message type 0x0 of len 0xac [2013/01/14 15:31:48.993917, 3] smbd/process.c:1662(process_smb) Transaction 9 of length 176 (0 toread) [2013/01/14 15:31:48.993979, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:48.994014, 5] lib/util.c:342(show_msg) size=172 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=32771 smb_tid=1 smb_pid=51584 smb_uid=101 smb_mid=512 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 88 (0x58) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 1024 (0x400) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 84 (0x54) smb_vwv[11]= 88 (0x58) smb_vwv[12]= 84 (0x54) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=11064 (0x2B38) smb_bcc=105 [2013/01/14 15:31:48.994795, 10] ../lib/util/util.c:415(dump_data) [0000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 00 .\.P.I.P .E.\.... [0010] 3F 05 00 00 03 10 00 00 00 58 00 00 00 01 00 00 ?....... .X...... [0020] 00 40 00 00 00 00 00 0F 00 FC 33 8E 00 0A 00 00 .@...... ..3..... [0030] 00 00 00 00 00 0A 00 00 00 5C 00 5C 00 48 00 61 ........ .\.\.H.a [0040] 00 77 00 6B 00 69 00 6E 00 67 00 00 00 01 00 00 .w.k.i.n .g...... [0050] 00 01 00 00 00 00 F6 98 01 00 00 00 00 00 00 00 ........ ........ [0060] 00 FF FF FF FF 00 00 00 00 ........ . 
[2013/01/14 15:31:48.995301, 3] smbd/process.c:1467(switch_message) switch message SMBtrans (pid 28678) conn 0xb8d20d18 [2013/01/14 15:31:48.995365, 4] smbd/uid.c:351(change_to_user) Skipping user change - already user [2013/01/14 15:31:48.995435, 3] smbd/ipc.c:560(handle_trans) trans <\PIPE\> data=88 params=0 setup=2 [2013/01/14 15:31:48.995501, 5] smbd/ipc.c:593(handle_trans) calling named_pipe [2013/01/14 15:31:48.995561, 3] smbd/ipc.c:511(named_pipe) named pipe command on <> name [2013/01/14 15:31:48.995623, 5] smbd/ipc.c:434(api_fd_reply) api_fd_reply [2013/01/14 15:31:48.995684, 3] smbd/ipc.c:475(api_fd_reply) Got API command 0x26 on pipe "srvsvc" (pnum 2b38) [2013/01/14 15:31:48.995749, 10] smbd/ipc.c:477(api_fd_reply) api_fd_reply: p:0xb8d21110 max_trans_reply: 1024 [2013/01/14 15:31:48.995813, 6] rpc_server/srv_pipe_hnd.c:520(np_write_send) np_write_send: len: 88 [2013/01/14 15:31:48.995875, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 88 [2013/01/14 15:31:48.995937, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) process_incoming_data: Start: pdu.length = 0, pdu_needed_len = 0, incoming data = 88 [2013/01/14 15:31:48.996000, 10] rpc_server/srv_pipe_hnd.c:50(fill_rpc_header) fill_rpc_header: data_to_copy = 88, len_needed_to_complete_hdr = 16, receive_len = 0 [2013/01/14 15:31:48.996065, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 16 [2013/01/14 15:31:48.996169, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 72 [2013/01/14 15:31:48.996230, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) process_incoming_data: Start: pdu.length = 16, pdu_needed_len = 0, incoming data = 72 [2013/01/14 15:31:48.996312, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 0 [2013/01/14 15:31:48.996374, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 72 [2013/01/14 
15:31:48.996435, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) process_incoming_data: Start: pdu.length = 16, pdu_needed_len = 72, incoming data = 72 [2013/01/14 15:31:48.996500, 10] rpc_server/srv_pipe.c:1877(process_complete_pdu) PDU is in Little Endian format! [2013/01/14 15:31:48.996572, 1] ../librpc/ndr/ndr.c:247(ndr_print_debug) r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0058 (88) auth_length : 0x0000 (0) call_id : 0x00000001 (1) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000040 (64) context_id : 0x0000 (0) opnum : 0x000f (15) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=64 [0000] FC 33 8E 00 0A 00 00 00 00 00 00 00 0A 00 00 00 .3...... ........ [0010] 5C 00 5C 00 48 00 61 00 77 00 6B 00 69 00 6E 00 \.\.H.a. w.k.i.n. [0020] 67 00 00 00 01 00 00 00 01 00 00 00 00 F6 98 01 g....... ........ [0030] 00 00 00 00 00 00 00 00 FF FF FF FF 00 00 00 00 ........ ........ [2013/01/14 15:31:48.997697, 10] rpc_server/srv_pipe.c:1890(process_complete_pdu) Processing packet type 0 [2013/01/14 15:31:48.997759, 10] rpc_server/srv_pipe.c:1734(dcesrv_auth_request) Checking request auth. 
[2013/01/14 15:31:48.997824, 5] rpc_server/srv_pipe.c:1571(api_pipe_request) Requested \PIPE\\srvsvc [2013/01/14 15:31:48.997888, 4] rpc_server/srv_pipe.c:1611(api_rpcTNP) api_rpcTNP: \srvsvc op 0xf - api_rpcTNP: rpc command: SRVSVC_NETSHAREENUMALL [2013/01/14 15:31:48.997956, 6] rpc_server/srv_pipe.c:1645(api_rpcTNP) api_rpc_cmds[15].fn == 0xb71a3960 [2013/01/14 15:31:48.998044, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) srvsvc_NetShareEnumAll: struct srvsvc_NetShareEnumAll in: struct srvsvc_NetShareEnumAll server_unc : * server_unc : '\\Hawking' info_ctr : * info_ctr: struct srvsvc_NetShareInfoCtr level : 0x00000001 (1) ctr : union srvsvc_NetShareCtr(case 1) ctr1 : * ctr1: struct srvsvc_NetShareCtr1 count : 0x00000000 (0) array : NULL max_buffer : 0xffffffff (4294967295) resume_handle : NULL [2013/01/14 15:31:48.998547, 5] rpc_server/srvsvc/srv_srvsvc_nt.c:1381(_srvsvc_NetShareEnumAll) _srvsvc_NetShareEnumAll: 1381 [2013/01/14 15:31:48.998613, 5] rpc_server/srvsvc/srv_srvsvc_nt.c:567(init_srv_share_info_ctr) init_srv_share_info_ctr [2013/01/14 15:31:48.998707, 4] smbd/sec_ctx.c:214(push_sec_ctx) push_sec_ctx(2500, 2513) : sec_ctx_stack_ndx = 1 [2013/01/14 15:31:48.998780, 4] smbd/uid.c:460(push_conn_ctx) push_conn_ctx(101) : conn_ctx_stack_ndx = 0 [2013/01/14 15:31:48.998843, 4] smbd/sec_ctx.c:314(set_sec_ctx) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1 [2013/01/14 15:31:48.998905, 5] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2013/01/14 15:31:48.998967, 5] auth/token_util.c:527(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2013/01/14 15:31:48.999080, 8] smbd/service.c:248(load_registry_shares) load_registry_shares() [2013/01/14 15:31:48.999149, 4] smbd/sec_ctx.c:422(pop_sec_ctx) pop_sec_ctx (2500, 2513) - sec_ctx_stack_ndx = 0 [2013/01/14 15:31:48.999215, 10] rpc_server/srvsvc/srv_srvsvc_nt.c:590(init_srv_share_info_ctr) NOT counting service printers 
[2013/01/14 15:31:48.999285, 10] rpc_server/srvsvc/srv_srvsvc_nt.c:585(init_srv_share_info_ctr) counting service print$ [2013/01/14 15:31:48.999350, 10] rpc_server/srvsvc/srv_srvsvc_nt.c:585(init_srv_share_info_ctr) counting service backup [2013/01/14 15:31:48.999415, 10] rpc_server/srvsvc/srv_srvsvc_nt.c:585(init_srv_share_info_ctr) counting service stuff [2013/01/14 15:31:48.999481, 10] rpc_server/srvsvc/srv_srvsvc_nt.c:585(init_srv_share_info_ctr) counting service pdf [2013/01/14 15:31:48.999545, 10] rpc_server/srvsvc/srv_srvsvc_nt.c:585(init_srv_share_info_ctr) counting service IPC$ [2013/01/14 15:31:48.999611, 10] rpc_server/srvsvc/srv_srvsvc_nt.c:585(init_srv_share_info_ctr) counting service Virtual_Printer-HC.A [2013/01/14 15:31:48.999677, 10] rpc_server/srvsvc/srv_srvsvc_nt.c:585(init_srv_share_info_ctr) counting service Virtual_Printer-HC.W [2013/01/14 15:31:48.999742, 10] rpc_server/srvsvc/srv_srvsvc_nt.c:585(init_srv_share_info_ctr) counting service Landscape_PDF-HC.A [2013/01/14 15:31:48.999808, 10] rpc_server/srvsvc/srv_srvsvc_nt.c:585(init_srv_share_info_ctr) counting service HP4250-HC.A [2013/01/14 15:31:48.999874, 10] rpc_server/srvsvc/srv_srvsvc_nt.c:585(init_srv_share_info_ctr) counting service ES283-HC.A [2013/01/14 15:31:49.000034, 5] rpc_server/srvsvc/srv_srvsvc_nt.c:1395(_srvsvc_NetShareEnumAll) _srvsvc_NetShareEnumAll: 1395 [2013/01/14 15:31:49.000097, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) srvsvc_NetShareEnumAll: struct srvsvc_NetShareEnumAll out: struct srvsvc_NetShareEnumAll info_ctr : * info_ctr: struct srvsvc_NetShareInfoCtr level : 0x00000001 (1) ctr : union srvsvc_NetShareCtr(case 1) ctr1 : * ctr1: struct srvsvc_NetShareCtr1 count : 0x0000000a (10) array : * array: ARRAY(10) array: struct srvsvc_NetShareInfo1 name : * name : 'print$' type : STYPE_DISKTREE (0x0) comment : * comment : 'Printer Drivers' array: struct srvsvc_NetShareInfo1 name : * name : 'backup' type : STYPE_DISKTREE (0x0) comment : * comment : 'backups' 
array: struct srvsvc_NetShareInfo1 name : * name : 'stuff' type : STYPE_DISKTREE (0x0) comment : * comment : 'Assorted files' array: struct srvsvc_NetShareInfo1 name : * name : 'pdf' type : STYPE_DISKTREE (0x0) comment : * comment : 'pdf printer output' array: struct srvsvc_NetShareInfo1 name : * name : 'IPC$' type : STYPE_IPC_HIDDEN (0x80000003) comment : * comment : 'IPC Service (hawking - the universe is expanding)' array: struct srvsvc_NetShareInfo1 name : * name : 'Virtual_Printer-HC.A' type : STYPE_PRINTQ (0x1) comment : * comment : 'PDF Printer on Hawking' array: struct srvsvc_NetShareInfo1 name : * name : 'Virtual_Printer-HC.W' type : STYPE_PRINTQ (0x1) comment : * comment : 'Virtual 'portrait' Printer' array: struct srvsvc_NetShareInfo1 name : * name : 'Landscape_PDF-HC.A' type : STYPE_PRINTQ (0x1) comment : * comment : 'Virtual Landscape PDF Printer' array: struct srvsvc_NetShareInfo1 name : * name : 'HP4250-HC.A' type : STYPE_PRINTQ (0x1) comment : * comment : 'HP LaserJet 4250tn' array: struct srvsvc_NetShareInfo1 name : * name : 'ES283-HC.A' type : STYPE_PRINTQ (0x1) comment : * comment : 'Toshiba e-Studio 283' totalentries : * totalentries : 0x0000000a (10) resume_handle : NULL result : WERR_OK [2013/01/14 15:31:49.002929, 5] rpc_server/srv_pipe.c:1679(api_rpcTNP) api_rpcTNP: called \srvsvc successfully [2013/01/14 15:31:49.003002, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 72 [2013/01/14 15:31:49.003087, 6] rpc_server/srv_pipe_hnd.c:284(read_from_internal_pipe) name: \srvsvc len: 1024 [2013/01/14 15:31:49.003151, 10] rpc_server/srv_pipe_hnd.c:346(read_from_internal_pipe) read_from_pipe: \srvsvc: fault_state = 0 : data_sent_length = 0, p->out_data.rdata.length = 1104. 
[2013/01/14 15:31:49.003233, 1] ../librpc/ndr/ndr.c:247(ndr_print_debug) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0468 (1128) auth_length : 0x0000 (0) call_id : 0x00000001 (1) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000450 (1104) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=1104 [2013/01/14 15:31:49.010610, 10] rpc_server/srv_pipe_hnd.c:788(np_read_recv) Received 1024 bytes. 
There is more data outstanding [2013/01/14 15:31:49.010675, 5] smbd/ipc.c:103(send_trans_reply) send_trans_reply: buffer 1024 too large [2013/01/14 15:31:49.010739, 5] smbd/ipc.c:62(copy_trans_params_and_data) copy_trans_params_and_data: params[0..0] data[0..1024] (align 0) [2013/01/14 15:31:49.010804, 3] smbd/error.c:81(error_packet_set) error packet at smbd/ipc.c(137) cmd=37 (SMBtrans) STATUS_BUFFER_OVERFLOW [2013/01/14 15:31:49.010873, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:49.010908, 5] lib/util.c:342(show_msg) size=1080 smb_com=0x25 smb_rcls=5 smb_reh=0 smb_err=32768 smb_flg=136 smb_flg2=49155 smb_tid=1 smb_pid=51584 smb_uid=101 smb_mid=512 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 1024 (0x400) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 1024 (0x400) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=1025 [2013/01/14 15:31:49.011527, 10] ../lib/util/util.c:415(dump_data) [2013/01/14 15:31:49.015372, 10] lib/util_sock.c:519(read_smb_length_return_keepalive) got smb length of 60 [2013/01/14 15:31:49.015445, 6] smbd/process.c:1660(process_smb) got message type 0x0 of len 0x3c [2013/01/14 15:31:49.015507, 3] smbd/process.c:1662(process_smb) Transaction 10 of length 64 (0 toread) [2013/01/14 15:31:49.015570, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:49.015604, 5] lib/util.c:342(show_msg) size=60 smb_com=0x2e smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=32768 smb_tid=1 smb_pid=51966 smb_uid=101 smb_mid=576 smt_wct=12 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 0 (0x0) smb_vwv[ 2]=11064 (0x2B38) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 104 (0x68) smb_vwv[ 6]= 104 (0x68) smb_vwv[ 7]=65535 (0xFFFF) smb_vwv[ 8]=65535 (0xFFFF) smb_vwv[ 9]= 104 (0x68) smb_vwv[10]= 0 (0x0) smb_vwv[11]= 0 (0x0) smb_bcc=0 [2013/01/14 15:31:49.016279, 10] ../lib/util/util.c:415(dump_data) [2013/01/14 15:31:49.016332, 3] smbd/process.c:1467(switch_message) switch message SMBreadX (pid 28678) conn 0xb8d20d18 [2013/01/14 15:31:49.016397, 4] smbd/uid.c:351(change_to_user) Skipping user change - already user [2013/01/14 15:31:49.016470, 6] rpc_server/srv_pipe_hnd.c:284(read_from_internal_pipe) name: \srvsvc len: 104 [2013/01/14 15:31:49.016536, 10] rpc_server/srv_pipe_hnd.c:325(read_from_internal_pipe) read_from_pipe: \srvsvc: current_pdu_len = 1128, current_pdu_sent = 1024 returning 104 bytes. [2013/01/14 15:31:49.016605, 3] rpc_server/srv_pipe_hnd.c:121(free_pipe_context) free_pipe_context: destroying talloc pool of size 619 [2013/01/14 15:31:49.016723, 10] rpc_server/srv_pipe_hnd.c:788(np_read_recv) Received 104 bytes. 
There is more data outstanding [2013/01/14 15:31:49.016787, 3] smbd/pipes.c:485(pipe_read_andx_done) readX-IPC min=104 max=104 nread=104 [2013/01/14 15:31:49.017247, 10] lib/util_sock.c:519(read_smb_length_return_keepalive) got smb length of 42 [2013/01/14 15:31:49.017317, 6] smbd/process.c:1660(process_smb) got message type 0x0 of len 0x2a [2013/01/14 15:31:49.017379, 3] smbd/process.c:1662(process_smb) Transaction 11 of length 46 (0 toread) [2013/01/14 15:31:49.017442, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:49.017477, 5] lib/util.c:342(show_msg) size=42 smb_com=0x4 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=32771 smb_tid=1 smb_pid=51966 smb_uid=101 smb_mid=640 smt_wct=3 smb_vwv[ 0]=11064 (0x2B38) smb_vwv[ 1]=65535 (0xFFFF) smb_vwv[ 2]=65535 (0xFFFF) smb_bcc=0 [2013/01/14 15:31:49.017911, 10] ../lib/util/util.c:415(dump_data) [2013/01/14 15:31:49.017948, 3] smbd/process.c:1467(switch_message) switch message SMBclose (pid 28678) conn 0xb8d20d18 [2013/01/14 15:31:49.018011, 4] smbd/uid.c:351(change_to_user) Skipping user change - already user [2013/01/14 15:31:49.018075, 3] smbd/reply.c:4848(reply_close) close fd=-1 fnum=11064 (numopen=1) [2013/01/14 15:31:49.018140, 6] smbd/close.c:532(set_close_write_time) close_write_time: Wed Dec 31 18:59:59 1969 [2013/01/14 15:31:49.018217, 10] rpc_server/rpc_handles.c:307(close_policy_by_pipe) close_policy_by_pipe: deleted handle list for pipe \srvsvc [2013/01/14 15:31:49.018291, 5] smbd/files.c:482(file_free) freed files structure 11064 (0 used) [2013/01/14 15:31:49.018355, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:49.018391, 5] lib/util.c:342(show_msg) size=35 smb_com=0x4 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=49155 smb_tid=1 smb_pid=51966 smb_uid=101 smb_mid=640 smt_wct=0 smb_bcc=0 [2013/01/14 15:31:49.018741, 10] ../lib/util/util.c:415(dump_data) [2013/01/14 15:31:49.020569, 10] lib/util_sock.c:519(read_smb_length_return_keepalive) got smb length of 100 [2013/01/14 15:31:49.020638, 6] 
smbd/process.c:1660(process_smb) got message type 0x0 of len 0x64 [2013/01/14 15:31:49.020700, 3] smbd/process.c:1662(process_smb) Transaction 12 of length 104 (0 toread) [2013/01/14 15:31:49.020763, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:49.020798, 5] lib/util.c:342(show_msg) size=100 smb_com=0xa2 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=32771 smb_tid=1 smb_pid=51584 smb_uid=101 smb_mid=704 smt_wct=24 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 0 (0x0) smb_vwv[ 2]= 3584 (0xE00) smb_vwv[ 3]= 1536 (0x600) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]=40704 (0x9F00) smb_vwv[ 8]= 513 (0x201) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 0 (0x0) smb_vwv[11]= 0 (0x0) smb_vwv[12]= 0 (0x0) smb_vwv[13]= 0 (0x0) smb_vwv[14]= 0 (0x0) smb_vwv[15]= 768 (0x300) smb_vwv[16]= 0 (0x0) smb_vwv[17]= 256 (0x100) smb_vwv[18]= 0 (0x0) smb_vwv[19]= 0 (0x0) smb_vwv[20]= 0 (0x0) smb_vwv[21]= 512 (0x200) smb_vwv[22]= 0 (0x0) smb_vwv[23]= 256 (0x100) smb_bcc=17 [2013/01/14 15:31:49.021795, 10] ../lib/util/util.c:415(dump_data) [0000] 3F 5C 00 73 00 72 00 76 00 73 00 76 00 63 00 00 ?\.s.r.v .s.v.c.. [0010] 00 . [2013/01/14 15:31:49.021948, 3] smbd/process.c:1467(switch_message) switch message SMBntcreateX (pid 28678) conn 0xb8d20d18 [2013/01/14 15:31:49.022011, 4] smbd/uid.c:351(change_to_user) Skipping user change - already user [2013/01/14 15:31:49.022082, 10] smbd/nttrans.c:500(reply_ntcreate_and_X) reply_ntcreate_and_X: flags = 0x6, access_mask = 0x2019f file_attributes = 0x0, share_access = 0x3, create_disposition = 0x1 create_options = 0x0 root_dir_fid = 0x0, fname = srvsvc [2013/01/14 15:31:49.022189, 4] smbd/nttrans.c:288(nt_open_pipe) nt_open_pipe: Opening pipe \srvsvc. 
[2013/01/14 15:31:49.022260, 5] smbd/files.c:140(file_new) allocated file structure 6969, fnum = 11065 (1 used) [2013/01/14 15:31:49.022333, 10] smbd/files.c:705(file_name_hash) file_name_hash: /tmp/srvsvc hash 0x8e98a76a [2013/01/14 15:31:49.022407, 4] rpc_server/rpc_ncacn_np.c:132(make_internal_rpc_pipe_p) Create pipe requested \srvsvc [2013/01/14 15:31:49.022479, 10] rpc_server/rpc_handles.c:116(init_pipe_handles) init_pipe_handle_list: created handle list for pipe \srvsvc [2013/01/14 15:31:49.022542, 10] rpc_server/rpc_handles.c:133(init_pipe_handles) init_pipe_handle_list: pipe_handles ref count = 1 for pipe \srvsvc [2013/01/14 15:31:49.022623, 4] rpc_server/rpc_ncacn_np.c:176(make_internal_rpc_pipe_p) Created internal pipe \srvsvc (pipes_open=0) [2013/01/14 15:31:49.022689, 5] smbd/nttrans.c:377(do_ntcreate_pipe_open) do_ntcreate_pipe_open: open pipe = \srvsvc [2013/01/14 15:31:49.023087, 10] lib/util_sock.c:519(read_smb_length_return_keepalive) got smb length of 156 [2013/01/14 15:31:49.023157, 6] smbd/process.c:1660(process_smb) got message type 0x0 of len 0x9c [2013/01/14 15:31:49.023219, 3] smbd/process.c:1662(process_smb) Transaction 13 of length 160 (0 toread) [2013/01/14 15:31:49.023282, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:49.023317, 5] lib/util.c:342(show_msg) size=156 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=32771 smb_tid=1 smb_pid=51584 smb_uid=101 smb_mid=768 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 72 (0x48) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 1024 (0x400) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 84 (0x54) smb_vwv[11]= 72 (0x48) smb_vwv[12]= 84 (0x54) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=11065 (0x2B39) smb_bcc=89 [2013/01/14 15:31:49.024098, 10] ../lib/util/util.c:415(dump_data) [0000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 00 .\.P.I.P .E.\.... 
[0010] 3F 05 00 0B 00 10 00 00 00 48 00 00 00 00 00 00 ?....... .H...... [0020] 00 30 16 30 16 00 00 00 00 01 00 00 00 00 00 01 .0.0.... ........ [0030] 00 C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 ..O2Kp.. ..xZG.n. [0040] 88 03 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 ......]. ........ [0050] 00 2B 10 48 60 02 00 00 00 .+.H`... . [2013/01/14 15:31:49.024535, 3] smbd/process.c:1467(switch_message) switch message SMBtrans (pid 28678) conn 0xb8d20d18 [2013/01/14 15:31:49.024600, 4] smbd/uid.c:351(change_to_user) Skipping user change - already user [2013/01/14 15:31:49.024669, 3] smbd/ipc.c:560(handle_trans) trans <\PIPE\> data=72 params=0 setup=2 [2013/01/14 15:31:49.024736, 5] smbd/ipc.c:593(handle_trans) calling named_pipe [2013/01/14 15:31:49.024796, 3] smbd/ipc.c:511(named_pipe) named pipe command on <> name [2013/01/14 15:31:49.024857, 5] smbd/ipc.c:434(api_fd_reply) api_fd_reply [2013/01/14 15:31:49.024919, 3] smbd/ipc.c:475(api_fd_reply) Got API command 0x26 on pipe "srvsvc" (pnum 2b39) [2013/01/14 15:31:49.024983, 10] smbd/ipc.c:477(api_fd_reply) api_fd_reply: p:0xb8d21110 max_trans_reply: 1024 [2013/01/14 15:31:49.025046, 6] rpc_server/srv_pipe_hnd.c:520(np_write_send) np_write_send: len: 72 [2013/01/14 15:31:49.025110, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 72 [2013/01/14 15:31:49.025172, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) process_incoming_data: Start: pdu.length = 0, pdu_needed_len = 0, incoming data = 72 [2013/01/14 15:31:49.025236, 10] rpc_server/srv_pipe_hnd.c:50(fill_rpc_header) fill_rpc_header: data_to_copy = 72, len_needed_to_complete_hdr = 16, receive_len = 0 [2013/01/14 15:31:49.025301, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 16 [2013/01/14 15:31:49.025362, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 56 [2013/01/14 15:31:49.025460, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) 
process_incoming_data: Start: pdu.length = 16, pdu_needed_len = 0, incoming data = 56 [2013/01/14 15:31:49.025525, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 0 [2013/01/14 15:31:49.025586, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 56 [2013/01/14 15:31:49.025647, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) process_incoming_data: Start: pdu.length = 16, pdu_needed_len = 56, incoming data = 56 [2013/01/14 15:31:49.025712, 10] rpc_server/srv_pipe.c:1877(process_complete_pdu) PDU is in Little Endian format! [2013/01/14 15:31:49.025790, 1] ../librpc/ndr/ndr.c:247(ndr_print_debug) r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_BIND (11) pfc_flags : 0x00 (0) drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0048 (72) auth_length : 0x0000 (0) call_id : 0x00000000 (0) u : union dcerpc_payload(case 11) bind: struct dcerpc_bind max_xmit_frag : 0x1630 (5680) max_recv_frag : 0x1630 (5680) assoc_group_id : 0x00000000 (0) num_contexts : 0x01 (1) ctx_list: ARRAY(1) ctx_list: struct dcerpc_ctx_list context_id : 0x0000 (0) num_transfer_syntaxes : 0x01 (1) abstract_syntax: struct ndr_syntax_id uuid : 4b324fc8-1670-01d3-1278-5a47bf6ee188 if_version : 0x00000003 (3) transfer_syntaxes: ARRAY(1) transfer_syntaxes: struct ndr_syntax_id uuid : 8a885d04-1ceb-11c9-9fe8-08002b104860 if_version : 0x00000002 (2) auth_info : DATA_BLOB length=0 [2013/01/14 15:31:49.026864, 10] rpc_server/srv_pipe.c:1890(process_complete_pdu) Processing packet type 11 [2013/01/14 15:31:49.026928, 3] rpc_server/srv_pipe.c:889(api_pipe_bind_req) api_pipe_bind_req: \PIPE\srvsvc -> \PIPE\srvsvc [2013/01/14 15:31:49.026991, 5] rpc_server/srv_pipe.c:923(api_pipe_bind_req) api_pipe_bind_req: make response. 
923 [2013/01/14 15:31:49.027053, 3] rpc_server/srv_pipe.c:339(check_bind_req) check_bind_req for \srvsvc [2013/01/14 15:31:49.027117, 3] rpc_server/srv_pipe.c:346(check_bind_req) check_bind_req: \PIPE\srvsvc -> \PIPE\srvsvc [2013/01/14 15:31:49.027201, 1] ../librpc/ndr/ndr.c:247(ndr_print_debug) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_BIND_ACK (12) pfc_flags : 0x03 (3) drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0044 (68) auth_length : 0x0000 (0) call_id : 0x00000000 (0) u : union dcerpc_payload(case 12) bind_ack: struct dcerpc_bind_ack max_xmit_frag : 0x10b8 (4280) max_recv_frag : 0x10b8 (4280) assoc_group_id : 0x000053f0 (21488) secondary_address_size : 0x000d (13) secondary_address : '\PIPE\srvsvc' _pad1 : DATA_BLOB length=0 num_results : 0x01 (1) ctx_list: ARRAY(1) ctx_list: struct dcerpc_ack_ctx result : 0x0000 (0) reason : 0x0000 (0) syntax: struct ndr_syntax_id uuid : 8a885d04-1ceb-11c9-9fe8-08002b104860 if_version : 0x00000002 (2) auth_info : DATA_BLOB length=0 [2013/01/14 15:31:49.028234, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 56 [2013/01/14 15:31:49.028317, 6] rpc_server/srv_pipe_hnd.c:284(read_from_internal_pipe) name: \srvsvc len: 1024 [2013/01/14 15:31:49.028382, 10] rpc_server/srv_pipe_hnd.c:325(read_from_internal_pipe) read_from_pipe: \srvsvc: current_pdu_len = 68, current_pdu_sent = 0 returning 68 bytes. [2013/01/14 15:31:49.028449, 3] rpc_server/srv_pipe_hnd.c:121(free_pipe_context) free_pipe_context: destroying talloc pool of size 24 [2013/01/14 15:31:49.028524, 10] rpc_server/srv_pipe_hnd.c:788(np_read_recv) Received 68 bytes. 
There is no more data outstanding [2013/01/14 15:31:49.028589, 5] smbd/ipc.c:62(copy_trans_params_and_data) copy_trans_params_and_data: params[0..0] data[0..68] (align 0) [2013/01/14 15:31:49.028653, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:49.028688, 5] lib/util.c:342(show_msg) size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=49155 smb_tid=1 smb_pid=51584 smb_uid=101 smb_mid=768 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [2013/01/14 15:31:49.029306, 10] ../lib/util/util.c:415(dump_data) [0000] 00 05 00 0C 03 10 00 00 00 44 00 00 00 00 00 00 ........ .D...... [0010] 00 B8 10 B8 10 F0 53 00 00 0D 00 5C 50 49 50 45 ......S. ...\PIPE [0020] 5C 73 72 76 73 76 63 00 00 01 00 00 00 00 00 00 \srvsvc. ........ [0030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H [0040] 60 02 00 00 00 `.... 
[2013/01/14 15:31:49.031148, 10] lib/util_sock.c:519(read_smb_length_return_keepalive) got smb length of 148 [2013/01/14 15:31:49.031219, 6] smbd/process.c:1660(process_smb) got message type 0x0 of len 0x94 [2013/01/14 15:31:49.031281, 3] smbd/process.c:1662(process_smb) Transaction 14 of length 152 (0 toread) [2013/01/14 15:31:49.031344, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:49.031379, 5] lib/util.c:342(show_msg) size=148 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=32771 smb_tid=1 smb_pid=51584 smb_uid=101 smb_mid=832 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 64 (0x40) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 1024 (0x400) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 84 (0x54) smb_vwv[11]= 64 (0x40) smb_vwv[12]= 84 (0x54) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=11065 (0x2B39) smb_bcc=81 [2013/01/14 15:31:49.032159, 10] ../lib/util/util.c:415(dump_data) [0000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 00 .\.P.I.P .E.\.... [0010] A4 05 00 00 03 10 00 00 00 40 00 00 00 01 00 00 ........ .@...... [0020] 00 28 00 00 00 00 00 15 00 18 4A 17 00 0A 00 00 .(...... ..J..... [0030] 00 00 00 00 00 0A 00 00 00 5C 00 5C 00 48 00 61 ........ .\.\.H.a [0040] 00 77 00 6B 00 69 00 6E 00 67 00 00 00 65 00 00 .w.k.i.n .g...e.. [0050] 00 . 
[2013/01/14 15:31:49.032584, 3] smbd/process.c:1467(switch_message) switch message SMBtrans (pid 28678) conn 0xb8d20d18 [2013/01/14 15:31:49.032676, 4] smbd/uid.c:351(change_to_user) Skipping user change - already user [2013/01/14 15:31:49.032747, 3] smbd/ipc.c:560(handle_trans) trans <\PIPE\> data=64 params=0 setup=2 [2013/01/14 15:31:49.032813, 5] smbd/ipc.c:593(handle_trans) calling named_pipe [2013/01/14 15:31:49.032873, 3] smbd/ipc.c:511(named_pipe) named pipe command on <> name [2013/01/14 15:31:49.032934, 5] smbd/ipc.c:434(api_fd_reply) api_fd_reply [2013/01/14 15:31:49.032996, 3] smbd/ipc.c:475(api_fd_reply) Got API command 0x26 on pipe "srvsvc" (pnum 2b39) [2013/01/14 15:31:49.033060, 10] smbd/ipc.c:477(api_fd_reply) api_fd_reply: p:0xb8d21110 max_trans_reply: 1024 [2013/01/14 15:31:49.033125, 6] rpc_server/srv_pipe_hnd.c:520(np_write_send) np_write_send: len: 64 [2013/01/14 15:31:49.033187, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 64 [2013/01/14 15:31:49.033249, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) process_incoming_data: Start: pdu.length = 0, pdu_needed_len = 0, incoming data = 64 [2013/01/14 15:31:49.033313, 10] rpc_server/srv_pipe_hnd.c:50(fill_rpc_header) fill_rpc_header: data_to_copy = 64, len_needed_to_complete_hdr = 16, receive_len = 0 [2013/01/14 15:31:49.033377, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 16 [2013/01/14 15:31:49.033439, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 48 [2013/01/14 15:31:49.033500, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) process_incoming_data: Start: pdu.length = 16, pdu_needed_len = 0, incoming data = 48 [2013/01/14 15:31:49.033565, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 0 [2013/01/14 15:31:49.033626, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 48 [2013/01/14 
15:31:49.033687, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) process_incoming_data: Start: pdu.length = 16, pdu_needed_len = 48, incoming data = 48 [2013/01/14 15:31:49.033752, 10] rpc_server/srv_pipe.c:1877(process_complete_pdu) PDU is in Little Endian format! [2013/01/14 15:31:49.033823, 1] ../librpc/ndr/ndr.c:247(ndr_print_debug) r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0040 (64) auth_length : 0x0000 (0) call_id : 0x00000001 (1) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000028 (40) context_id : 0x0000 (0) opnum : 0x0015 (21) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=40 [0000] 18 4A 17 00 0A 00 00 00 00 00 00 00 0A 00 00 00 .J...... ........ [0010] 5C 00 5C 00 48 00 61 00 77 00 6B 00 69 00 6E 00 \.\.H.a. w.k.i.n. [0020] 67 00 00 00 65 00 00 00 g...e... [2013/01/14 15:31:49.034832, 10] rpc_server/srv_pipe.c:1890(process_complete_pdu) Processing packet type 0 [2013/01/14 15:31:49.034895, 10] rpc_server/srv_pipe.c:1734(dcesrv_auth_request) Checking request auth. 
[2013/01/14 15:31:49.034959, 5] rpc_server/srv_pipe.c:1571(api_pipe_request) Requested \PIPE\\srvsvc [2013/01/14 15:31:49.035024, 4] rpc_server/srv_pipe.c:1611(api_rpcTNP) api_rpcTNP: \srvsvc op 0x15 - api_rpcTNP: rpc command: SRVSVC_NETSRVGETINFO [2013/01/14 15:31:49.035120, 6] rpc_server/srv_pipe.c:1645(api_rpcTNP) api_rpc_cmds[21].fn == 0xb71a27f0 [2013/01/14 15:31:49.035199, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) srvsvc_NetSrvGetInfo: struct srvsvc_NetSrvGetInfo in: struct srvsvc_NetSrvGetInfo server_unc : * server_unc : '\\Hawking' level : 0x00000065 (101) [2013/01/14 15:31:49.037842, 5] rpc_server/srvsvc/srv_srvsvc_nt.c:1125(_srvsvc_NetSrvGetInfo) _srvsvc_NetSrvGetInfo: 1125 [2013/01/14 15:31:49.037921, 5] rpc_server/srvsvc/srv_srvsvc_nt.c:1203(_srvsvc_NetSrvGetInfo) _srvsvc_NetSrvGetInfo: 1203 [2013/01/14 15:31:49.037983, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) srvsvc_NetSrvGetInfo: struct srvsvc_NetSrvGetInfo out: struct srvsvc_NetSrvGetInfo info : * info : union srvsvc_NetSrvInfo(case 101) info101 : * info101: struct srvsvc_NetSrvInfo101 platform_id : PLATFORM_ID_NT (500) server_name : * server_name : 'HAWKING' version_major : 0x00000004 (4) version_minor : 0x00000009 (9) server_type : 0x00009b23 (39715) 1: SV_TYPE_WORKSTATION 1: SV_TYPE_SERVER 0: SV_TYPE_SQLSERVER 0: SV_TYPE_DOMAIN_CTRL 0: SV_TYPE_DOMAIN_BAKCTRL 1: SV_TYPE_TIME_SOURCE 0: SV_TYPE_AFP 0: SV_TYPE_NOVELL 1: SV_TYPE_DOMAIN_MEMBER 1: SV_TYPE_PRINTQ_SERVER 0: SV_TYPE_DIALIN_SERVER 1: SV_TYPE_SERVER_UNIX 1: SV_TYPE_NT 0: SV_TYPE_WFW 0: SV_TYPE_SERVER_MFPN 1: SV_TYPE_SERVER_NT 0: SV_TYPE_POTENTIAL_BROWSER 0: SV_TYPE_BACKUP_BROWSER 0: SV_TYPE_MASTER_BROWSER 0: SV_TYPE_DOMAIN_MASTER 0: SV_TYPE_SERVER_OSF 0: SV_TYPE_SERVER_VMS 0: SV_TYPE_WIN95_PLUS 0: SV_TYPE_DFS_SERVER 0: SV_TYPE_ALTERNATE_XPORT 0: SV_TYPE_LOCAL_LIST_ONLY 0: SV_TYPE_DOMAIN_ENUM comment : * comment : 'hawking - the universe is expanding' result : WERR_OK [2013/01/14 15:31:49.039466, 5] 
rpc_server/srv_pipe.c:1679(api_rpcTNP) api_rpcTNP: called \srvsvc successfully [2013/01/14 15:31:49.039534, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 48 [2013/01/14 15:31:49.039621, 6] rpc_server/srv_pipe_hnd.c:284(read_from_internal_pipe) name: \srvsvc len: 1024 [2013/01/14 15:31:49.039685, 10] rpc_server/srv_pipe_hnd.c:346(read_from_internal_pipe) read_from_pipe: \srvsvc: fault_state = 0 : data_sent_length = 0, p->out_data.rdata.length = 148. [2013/01/14 15:31:49.039764, 1] ../librpc/ndr/ndr.c:247(ndr_print_debug) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x00ac (172) auth_length : 0x0000 (0) call_id : 0x00000001 (1) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000094 (148) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=148 [0000] 65 00 00 00 04 00 02 00 F4 01 00 00 08 00 02 00 e....... ........ [0010] 04 00 00 00 09 00 00 00 23 9B 00 00 0C 00 02 00 ........ #....... [0020] 08 00 00 00 00 00 00 00 08 00 00 00 48 00 41 00 ........ ....H.A. [0030] 57 00 4B 00 49 00 4E 00 47 00 00 00 24 00 00 00 W.K.I.N. G...$... [0040] 00 00 00 00 24 00 00 00 68 00 61 00 77 00 6B 00 ....$... h.a.w.k. [0050] 69 00 6E 00 67 00 20 00 2D 00 20 00 74 00 68 00 i.n.g. . -. .t.h. [0060] 65 00 20 00 75 00 6E 00 69 00 76 00 65 00 72 00 e. .u.n. i.v.e.r. [0070] 73 00 65 00 20 00 69 00 73 00 20 00 65 00 78 00 s.e. .i. s. .e.x. [0080] 70 00 61 00 6E 00 64 00 69 00 6E 00 67 00 00 00 p.a.n.d. i.n.g... [0090] 00 00 00 00 .... [2013/01/14 15:31:49.041420, 3] rpc_server/srv_pipe_hnd.c:121(free_pipe_context) free_pipe_context: destroying talloc pool of size 48 [2013/01/14 15:31:49.041498, 10] rpc_server/srv_pipe_hnd.c:788(np_read_recv) Received 172 bytes. 
There is no more data outstanding [2013/01/14 15:31:49.041565, 5] smbd/ipc.c:62(copy_trans_params_and_data) copy_trans_params_and_data: params[0..0] data[0..172] (align 0) [2013/01/14 15:31:49.041630, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:49.041665, 5] lib/util.c:342(show_msg) size=228 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=49155 smb_tid=1 smb_pid=51584 smb_uid=101 smb_mid=832 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 172 (0xAC) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 172 (0xAC) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=173 [2013/01/14 15:31:49.042286, 10] ../lib/util/util.c:415(dump_data) [0000] 00 05 00 02 03 10 00 00 00 AC 00 00 00 01 00 00 ........ ........ [0010] 00 94 00 00 00 00 00 00 00 65 00 00 00 04 00 02 ........ .e...... [0020] 00 F4 01 00 00 08 00 02 00 04 00 00 00 09 00 00 ........ ........ [0030] 00 23 9B 00 00 0C 00 02 00 08 00 00 00 00 00 00 .#...... ........ [0040] 00 08 00 00 00 48 00 41 00 57 00 4B 00 49 00 4E .....H.A .W.K.I.N [0050] 00 47 00 00 00 24 00 00 00 00 00 00 00 24 00 00 .G...$.. .....$.. [0060] 00 68 00 61 00 77 00 6B 00 69 00 6E 00 67 00 20 .h.a.w.k .i.n.g. [0070] 00 2D 00 20 00 74 00 68 00 65 00 20 00 75 00 6E .-. .t.h .e. .u.n [0080] 00 69 00 76 00 65 00 72 00 73 00 65 00 20 00 69 .i.v.e.r .s.e. .i [0090] 00 73 00 20 00 65 00 78 00 70 00 61 00 6E 00 64 .s. .e.x .p.a.n.d [00A0] 00 69 00 6E 00 67 00 00 00 00 00 00 00 .i.n.g.. ..... 
[2013/01/14 15:31:49.043592, 10] lib/util_sock.c:519(read_smb_length_return_keepalive) got smb length of 42 [2013/01/14 15:31:49.043722, 6] smbd/process.c:1660(process_smb) got message type 0x0 of len 0x2a [2013/01/14 15:31:49.043785, 3] smbd/process.c:1662(process_smb) Transaction 15 of length 46 (0 toread) [2013/01/14 15:31:49.043848, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:49.043884, 5] lib/util.c:342(show_msg) size=42 smb_com=0x4 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=32771 smb_tid=1 smb_pid=51966 smb_uid=101 smb_mid=896 smt_wct=3 smb_vwv[ 0]=11065 (0x2B39) smb_vwv[ 1]=65535 (0xFFFF) smb_vwv[ 2]=65535 (0xFFFF) smb_bcc=0 [2013/01/14 15:31:49.044378, 10] ../lib/util/util.c:415(dump_data) [2013/01/14 15:31:49.044420, 3] smbd/process.c:1467(switch_message) switch message SMBclose (pid 28678) conn 0xb8d20d18 [2013/01/14 15:31:49.044486, 4] smbd/uid.c:351(change_to_user) Skipping user change - already user [2013/01/14 15:31:49.044552, 3] smbd/reply.c:4848(reply_close) close fd=-1 fnum=11065 (numopen=1) [2013/01/14 15:31:49.044616, 6] smbd/close.c:532(set_close_write_time) close_write_time: Wed Dec 31 18:59:59 1969 [2013/01/14 15:31:49.044696, 10] rpc_server/rpc_handles.c:307(close_policy_by_pipe) close_policy_by_pipe: deleted handle list for pipe \srvsvc [2013/01/14 15:31:49.044776, 5] smbd/files.c:482(file_free) freed files structure 11065 (0 used) [2013/01/14 15:31:49.044844, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:49.044879, 5] lib/util.c:342(show_msg) size=35 smb_com=0x4 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=49155 smb_tid=1 smb_pid=51966 smb_uid=101 smb_mid=896 smt_wct=0 smb_bcc=0 [2013/01/14 15:31:49.045228, 10] ../lib/util/util.c:415(dump_data) [2013/01/14 15:31:49.048121, 10] lib/util_sock.c:519(read_smb_length_return_keepalive) got smb length of 100 [2013/01/14 15:31:49.048192, 6] smbd/process.c:1660(process_smb) got message type 0x0 of len 0x64 [2013/01/14 15:31:49.048254, 3] smbd/process.c:1662(process_smb) Transaction 
16 of length 104 (0 toread) [2013/01/14 15:31:49.048317, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:49.048351, 5] lib/util.c:342(show_msg) size=100 smb_com=0xa2 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=32771 smb_tid=1 smb_pid=51584 smb_uid=101 smb_mid=960 smt_wct=24 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 0 (0x0) smb_vwv[ 2]= 3584 (0xE00) smb_vwv[ 3]= 1536 (0x600) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]=40704 (0x9F00) smb_vwv[ 8]= 513 (0x201) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 0 (0x0) smb_vwv[11]= 0 (0x0) smb_vwv[12]= 0 (0x0) smb_vwv[13]= 0 (0x0) smb_vwv[14]= 0 (0x0) smb_vwv[15]= 768 (0x300) smb_vwv[16]= 0 (0x0) smb_vwv[17]= 256 (0x100) smb_vwv[18]= 0 (0x0) smb_vwv[19]= 0 (0x0) smb_vwv[20]= 0 (0x0) smb_vwv[21]= 512 (0x200) smb_vwv[22]= 0 (0x0) smb_vwv[23]= 0 (0x0) smb_bcc=17 [2013/01/14 15:31:49.049347, 10] ../lib/util/util.c:415(dump_data) [0000] 3F 5C 00 77 00 69 00 6E 00 72 00 65 00 67 00 00 ?\.w.i.n .r.e.g.. [0010] 00 . [2013/01/14 15:31:49.049502, 3] smbd/process.c:1467(switch_message) switch message SMBntcreateX (pid 28678) conn 0xb8d20d18 [2013/01/14 15:31:49.049566, 4] smbd/uid.c:351(change_to_user) Skipping user change - already user [2013/01/14 15:31:49.049638, 10] smbd/nttrans.c:500(reply_ntcreate_and_X) reply_ntcreate_and_X: flags = 0x6, access_mask = 0x2019f file_attributes = 0x0, share_access = 0x3, create_disposition = 0x1 create_options = 0x0 root_dir_fid = 0x0, fname = winreg [2013/01/14 15:31:49.049711, 4] smbd/nttrans.c:288(nt_open_pipe) nt_open_pipe: Opening pipe \winreg. 
[2013/01/14 15:31:49.049782, 5] smbd/files.c:140(file_new) allocated file structure 6970, fnum = 11066 (1 used) [2013/01/14 15:31:49.049855, 10] smbd/files.c:705(file_name_hash) file_name_hash: /tmp/winreg hash 0x718d6f2 [2013/01/14 15:31:49.049931, 4] rpc_server/rpc_ncacn_np.c:132(make_internal_rpc_pipe_p) Create pipe requested \winreg [2013/01/14 15:31:49.050010, 10] rpc_server/rpc_handles.c:116(init_pipe_handles) init_pipe_handle_list: created handle list for pipe \winreg [2013/01/14 15:31:49.050073, 10] rpc_server/rpc_handles.c:133(init_pipe_handles) init_pipe_handle_list: pipe_handles ref count = 1 for pipe \winreg [2013/01/14 15:31:49.050156, 4] rpc_server/rpc_ncacn_np.c:176(make_internal_rpc_pipe_p) Created internal pipe \winreg (pipes_open=0) [2013/01/14 15:31:49.050261, 5] smbd/nttrans.c:377(do_ntcreate_pipe_open) do_ntcreate_pipe_open: open pipe = \winreg [2013/01/14 15:31:49.050744, 10] lib/util_sock.c:519(read_smb_length_return_keepalive) got smb length of 156 [2013/01/14 15:31:49.050814, 6] smbd/process.c:1660(process_smb) got message type 0x0 of len 0x9c [2013/01/14 15:31:49.050876, 3] smbd/process.c:1662(process_smb) Transaction 17 of length 160 (0 toread) [2013/01/14 15:31:49.050939, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:49.050974, 5] lib/util.c:342(show_msg) size=156 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=32771 smb_tid=1 smb_pid=51584 smb_uid=101 smb_mid=1024 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 72 (0x48) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 1024 (0x400) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 84 (0x54) smb_vwv[11]= 72 (0x48) smb_vwv[12]= 84 (0x54) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=11066 (0x2B3A) smb_bcc=89 [2013/01/14 15:31:49.051758, 10] ../lib/util/util.c:415(dump_data) [0000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 00 .\.P.I.P .E.\.... 
[0010] 3F 05 00 0B 00 10 00 00 00 48 00 00 00 01 00 00 ?....... .H...... [0020] 00 30 16 30 16 00 00 00 00 01 00 00 00 00 00 01 .0.0.... ........ [0030] 00 01 D0 8C 33 44 22 F1 31 AA AA 90 00 38 00 10 ....3D". 1....8.. [0040] 03 01 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 ......]. ........ [0050] 00 2B 10 48 60 02 00 00 00 .+.H`... . [2013/01/14 15:31:49.052233, 3] smbd/process.c:1467(switch_message) switch message SMBtrans (pid 28678) conn 0xb8d20d18 [2013/01/14 15:31:49.052297, 4] smbd/uid.c:351(change_to_user) Skipping user change - already user [2013/01/14 15:31:49.052368, 3] smbd/ipc.c:560(handle_trans) trans <\PIPE\> data=72 params=0 setup=2 [2013/01/14 15:31:49.052435, 5] smbd/ipc.c:593(handle_trans) calling named_pipe [2013/01/14 15:31:49.052495, 3] smbd/ipc.c:511(named_pipe) named pipe command on <> name [2013/01/14 15:31:49.052557, 5] smbd/ipc.c:434(api_fd_reply) api_fd_reply [2013/01/14 15:31:49.052619, 3] smbd/ipc.c:475(api_fd_reply) Got API command 0x26 on pipe "winreg" (pnum 2b3a) [2013/01/14 15:31:49.052683, 10] smbd/ipc.c:477(api_fd_reply) api_fd_reply: p:0xb8d21110 max_trans_reply: 1024 [2013/01/14 15:31:49.052747, 6] rpc_server/srv_pipe_hnd.c:520(np_write_send) np_write_send: len: 72 [2013/01/14 15:31:49.052812, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 72 [2013/01/14 15:31:49.052874, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) process_incoming_data: Start: pdu.length = 0, pdu_needed_len = 0, incoming data = 72 [2013/01/14 15:31:49.052938, 10] rpc_server/srv_pipe_hnd.c:50(fill_rpc_header) fill_rpc_header: data_to_copy = 72, len_needed_to_complete_hdr = 16, receive_len = 0 [2013/01/14 15:31:49.053002, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 16 [2013/01/14 15:31:49.053063, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 56 [2013/01/14 15:31:49.053124, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) 
process_incoming_data: Start: pdu.length = 16, pdu_needed_len = 0, incoming data = 56 [2013/01/14 15:31:49.053190, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 0 [2013/01/14 15:31:49.053250, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 56 [2013/01/14 15:31:49.053312, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) process_incoming_data: Start: pdu.length = 16, pdu_needed_len = 56, incoming data = 56 [2013/01/14 15:31:49.053377, 10] rpc_server/srv_pipe.c:1877(process_complete_pdu) PDU is in Little Endian format! [2013/01/14 15:31:49.053454, 1] ../librpc/ndr/ndr.c:247(ndr_print_debug) r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_BIND (11) pfc_flags : 0x00 (0) drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0048 (72) auth_length : 0x0000 (0) call_id : 0x00000001 (1) u : union dcerpc_payload(case 11) bind: struct dcerpc_bind max_xmit_frag : 0x1630 (5680) max_recv_frag : 0x1630 (5680) assoc_group_id : 0x00000000 (0) num_contexts : 0x01 (1) ctx_list: ARRAY(1) ctx_list: struct dcerpc_ctx_list context_id : 0x0000 (0) num_transfer_syntaxes : 0x01 (1) abstract_syntax: struct ndr_syntax_id uuid : 338cd001-2244-31f1-aaaa-900038001003 if_version : 0x00000001 (1) transfer_syntaxes: ARRAY(1) transfer_syntaxes: struct ndr_syntax_id uuid : 8a885d04-1ceb-11c9-9fe8-08002b104860 if_version : 0x00000002 (2) auth_info : DATA_BLOB length=0 [2013/01/14 15:31:49.054545, 10] rpc_server/srv_pipe.c:1890(process_complete_pdu) Processing packet type 11 [2013/01/14 15:31:49.054609, 3] rpc_server/srv_pipe.c:889(api_pipe_bind_req) api_pipe_bind_req: \PIPE\winreg -> \PIPE\winreg [2013/01/14 15:31:49.054671, 5] rpc_server/srv_pipe.c:923(api_pipe_bind_req) api_pipe_bind_req: make response. 
923 [2013/01/14 15:31:49.054733, 3] rpc_server/srv_pipe.c:339(check_bind_req) check_bind_req for \winreg [2013/01/14 15:31:49.054797, 3] rpc_server/srv_pipe.c:346(check_bind_req) check_bind_req: \PIPE\winreg -> \PIPE\winreg [2013/01/14 15:31:49.054882, 1] ../librpc/ndr/ndr.c:247(ndr_print_debug) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_BIND_ACK (12) pfc_flags : 0x03 (3) drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0044 (68) auth_length : 0x0000 (0) call_id : 0x00000001 (1) u : union dcerpc_payload(case 12) bind_ack: struct dcerpc_bind_ack max_xmit_frag : 0x10b8 (4280) max_recv_frag : 0x10b8 (4280) assoc_group_id : 0x000053f0 (21488) secondary_address_size : 0x000d (13) secondary_address : '\PIPE\winreg' _pad1 : DATA_BLOB length=0 num_results : 0x01 (1) ctx_list: ARRAY(1) ctx_list: struct dcerpc_ack_ctx result : 0x0000 (0) reason : 0x0000 (0) syntax: struct ndr_syntax_id uuid : 8a885d04-1ceb-11c9-9fe8-08002b104860 if_version : 0x00000002 (2) auth_info : DATA_BLOB length=0 [2013/01/14 15:31:49.055883, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 56 [2013/01/14 15:31:49.055966, 6] rpc_server/srv_pipe_hnd.c:284(read_from_internal_pipe) name: \winreg len: 1024 [2013/01/14 15:31:49.056059, 10] rpc_server/srv_pipe_hnd.c:325(read_from_internal_pipe) read_from_pipe: \winreg: current_pdu_len = 68, current_pdu_sent = 0 returning 68 bytes. [2013/01/14 15:31:49.056126, 3] rpc_server/srv_pipe_hnd.c:121(free_pipe_context) free_pipe_context: destroying talloc pool of size 24 [2013/01/14 15:31:49.056201, 10] rpc_server/srv_pipe_hnd.c:788(np_read_recv) Received 68 bytes. 
There is no more data outstanding [2013/01/14 15:31:49.056267, 5] smbd/ipc.c:62(copy_trans_params_and_data) copy_trans_params_and_data: params[0..0] data[0..68] (align 0) [2013/01/14 15:31:49.056349, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:49.056384, 5] lib/util.c:342(show_msg) size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=49155 smb_tid=1 smb_pid=51584 smb_uid=101 smb_mid=1024 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [2013/01/14 15:31:49.057004, 10] ../lib/util/util.c:415(dump_data) [0000] 00 05 00 0C 03 10 00 00 00 44 00 00 00 01 00 00 ........ .D...... [0010] 00 B8 10 B8 10 F0 53 00 00 0D 00 5C 50 49 50 45 ......S. ...\PIPE [0020] 5C 77 69 6E 72 65 67 00 00 01 00 00 00 00 00 00 \winreg. ........ [0030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H [0040] 60 02 00 00 00 `.... 
[2013/01/14 15:31:49.058875, 10] lib/util_sock.c:519(read_smb_length_return_keepalive) got smb length of 120 [2013/01/14 15:31:49.058945, 6] smbd/process.c:1660(process_smb) got message type 0x0 of len 0x78 [2013/01/14 15:31:49.059008, 3] smbd/process.c:1662(process_smb) Transaction 18 of length 124 (0 toread) [2013/01/14 15:31:49.059070, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:49.059105, 5] lib/util.c:342(show_msg) size=120 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=32771 smb_tid=1 smb_pid=51584 smb_uid=101 smb_mid=1088 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 36 (0x24) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 1024 (0x400) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 84 (0x54) smb_vwv[11]= 36 (0x24) smb_vwv[12]= 84 (0x54) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=11066 (0x2B3A) smb_bcc=53 [2013/01/14 15:31:49.059889, 10] ../lib/util/util.c:415(dump_data) [0000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 00 .\.P.I.P .E.\.... [0010] A4 05 00 00 03 10 00 00 00 24 00 00 00 01 00 00 ........ .$...... [0020] 00 0C 00 00 00 00 00 02 00 70 FD EF 00 00 65 01 ........ .p....e. [0030] 00 00 00 00 02 ..... 
[2013/01/14 15:31:49.060207, 3] smbd/process.c:1467(switch_message) switch message SMBtrans (pid 28678) conn 0xb8d20d18 [2013/01/14 15:31:49.060272, 4] smbd/uid.c:351(change_to_user) Skipping user change - already user [2013/01/14 15:31:49.060341, 3] smbd/ipc.c:560(handle_trans) trans <\PIPE\> data=36 params=0 setup=2 [2013/01/14 15:31:49.060407, 5] smbd/ipc.c:593(handle_trans) calling named_pipe [2013/01/14 15:31:49.060467, 3] smbd/ipc.c:511(named_pipe) named pipe command on <> name [2013/01/14 15:31:49.060529, 5] smbd/ipc.c:434(api_fd_reply) api_fd_reply [2013/01/14 15:31:49.060590, 3] smbd/ipc.c:475(api_fd_reply) Got API command 0x26 on pipe "winreg" (pnum 2b3a) [2013/01/14 15:31:49.060654, 10] smbd/ipc.c:477(api_fd_reply) api_fd_reply: p:0xb8d21110 max_trans_reply: 1024 [2013/01/14 15:31:49.060718, 6] rpc_server/srv_pipe_hnd.c:520(np_write_send) np_write_send: len: 36 [2013/01/14 15:31:49.060781, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 36 [2013/01/14 15:31:49.060887, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) process_incoming_data: Start: pdu.length = 0, pdu_needed_len = 0, incoming data = 36 [2013/01/14 15:31:49.060951, 10] rpc_server/srv_pipe_hnd.c:50(fill_rpc_header) fill_rpc_header: data_to_copy = 36, len_needed_to_complete_hdr = 16, receive_len = 0 [2013/01/14 15:31:49.061015, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 16 [2013/01/14 15:31:49.061076, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 20 [2013/01/14 15:31:49.061138, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) process_incoming_data: Start: pdu.length = 16, pdu_needed_len = 0, incoming data = 20 [2013/01/14 15:31:49.061202, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 0 [2013/01/14 15:31:49.061263, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 20 [2013/01/14 
15:31:49.061324, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) process_incoming_data: Start: pdu.length = 16, pdu_needed_len = 20, incoming data = 20 [2013/01/14 15:31:49.061389, 10] rpc_server/srv_pipe.c:1877(process_complete_pdu) PDU is in Little Endian format! [2013/01/14 15:31:49.061461, 1] ../librpc/ndr/ndr.c:247(ndr_print_debug) r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0024 (36) auth_length : 0x0000 (0) call_id : 0x00000001 (1) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x0000000c (12) context_id : 0x0000 (0) opnum : 0x0002 (2) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=12 [0000] 70 FD EF 00 00 65 01 00 00 00 00 02 p....e.. .... [2013/01/14 15:31:49.062283, 10] rpc_server/srv_pipe.c:1890(process_complete_pdu) Processing packet type 0 [2013/01/14 15:31:49.062345, 10] rpc_server/srv_pipe.c:1734(dcesrv_auth_request) Checking request auth. 
[2013/01/14 15:31:49.062409, 5] rpc_server/srv_pipe.c:1571(api_pipe_request) Requested \PIPE\\winreg [2013/01/14 15:31:49.062473, 4] rpc_server/srv_pipe.c:1611(api_rpcTNP) api_rpcTNP: \winreg op 0x2 - api_rpcTNP: rpc command: WINREG_OPENHKLM [2013/01/14 15:31:49.062541, 6] rpc_server/srv_pipe.c:1645(api_rpcTNP) api_rpc_cmds[2].fn == 0xb715f0b0 [2013/01/14 15:31:49.062614, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_OpenHKLM: struct winreg_OpenHKLM in: struct winreg_OpenHKLM system_name : * system_name : 0x6500 (25856) access_mask : 0x02000000 (33554432) 0: KEY_QUERY_VALUE 0: KEY_SET_VALUE 0: KEY_CREATE_SUB_KEY 0: KEY_ENUMERATE_SUB_KEYS 0: KEY_NOTIFY 0: KEY_CREATE_LINK 0: KEY_WOW64_64KEY 0: KEY_WOW64_32KEY [2013/01/14 15:31:49.063074, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [HKLM] [2013/01/14 15:31:49.063148, 4] smbd/sec_ctx.c:214(push_sec_ctx) push_sec_ctx(2500, 2513) : sec_ctx_stack_ndx = 1 [2013/01/14 15:31:49.063246, 4] smbd/uid.c:460(push_conn_ctx) push_conn_ctx(101) : conn_ctx_stack_ndx = 0 [2013/01/14 15:31:49.063310, 4] smbd/sec_ctx.c:314(set_sec_ctx) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1 [2013/01/14 15:31:49.063373, 5] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2013/01/14 15:31:49.063434, 5] auth/token_util.c:527(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2013/01/14 15:31:49.063673, 4] smbd/sec_ctx.c:422(pop_sec_ctx) pop_sec_ctx (2500, 2513) - sec_ctx_stack_ndx = 0 [2013/01/14 15:31:49.063745, 10] registry/reg_backend_db.c:602(regdb_open) regdb_open: registry db opened. 
refcount reset (1) [2013/01/14 15:31:49.063819, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM] [2013/01/14 15:31:49.063880, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM] [2013/01/14 15:31:49.063944, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2013/01/14 15:31:49.064005, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb779a460 for key [\HKLM] [2013/01/14 15:31:49.064136, 10] registry/reg_backend_db.c:1926(regdb_get_secdesc) regdb_get_secdesc: Getting secdesc of key [HKLM] [2013/01/14 15:31:49.064237, 10] ../libcli/security/access_check.c:178(se_access_check) se_access_check: MAX desired = 0x2000000, granted = 0x20019, remaining = 0x20019 [2013/01/14 15:31:49.064309, 4] rpc_server/rpc_handles.c:197(create_rpc_handle_internal) Opened policy hnd[1] [0000] 00 00 00 00 17 00 00 00 00 00 00 00 F4 50 35 6B ........ .....P5k [0010] 06 70 00 00 .p.. [2013/01/14 15:31:49.064477, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_OpenHKLM: struct winreg_OpenHKLM out: struct winreg_OpenHKLM handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000017-0000-0000-f450-356b06700000 result : WERR_OK [2013/01/14 15:31:49.064759, 5] rpc_server/srv_pipe.c:1679(api_rpcTNP) api_rpcTNP: called \winreg successfully [2013/01/14 15:31:49.064827, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 20 [2013/01/14 15:31:49.064913, 6] rpc_server/srv_pipe_hnd.c:284(read_from_internal_pipe) name: \winreg len: 1024 [2013/01/14 15:31:49.064977, 10] rpc_server/srv_pipe_hnd.c:346(read_from_internal_pipe) read_from_pipe: \winreg: fault_state = 0 : data_sent_length = 0, p->out_data.rdata.length = 24. 
[2013/01/14 15:31:49.065057, 1] ../librpc/ndr/ndr.c:247(ndr_print_debug) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0000 (0) call_id : 0x00000001 (1) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 17 00 00 00 00 00 00 00 F4 50 35 6B ........ .....P5k [0010] 06 70 00 00 00 00 00 00 .p...... [2013/01/14 15:31:49.065902, 3] rpc_server/srv_pipe_hnd.c:121(free_pipe_context) free_pipe_context: destroying talloc pool of size 24 [2013/01/14 15:31:49.066017, 10] rpc_server/srv_pipe_hnd.c:788(np_read_recv) Received 48 bytes. There is no more data outstanding [2013/01/14 15:31:49.066085, 5] smbd/ipc.c:62(copy_trans_params_and_data) copy_trans_params_and_data: params[0..0] data[0..48] (align 0) [2013/01/14 15:31:49.066149, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:49.066184, 5] lib/util.c:342(show_msg) size=104 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=49155 smb_tid=1 smb_pid=51584 smb_uid=101 smb_mid=1088 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 48 (0x30) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 48 (0x30) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=49 [2013/01/14 15:31:49.066832, 10] ../lib/util/util.c:415(dump_data) [0000] 00 05 00 02 03 10 00 00 00 30 00 00 00 01 00 00 ........ .0...... [0010] 00 18 00 00 00 00 00 00 00 00 00 00 00 17 00 00 ........ ........ [0020] 00 00 00 00 00 F4 50 35 6B 06 70 00 00 00 00 00 ......P5 k.p..... [0030] 00 . 
[2013/01/14 15:31:49.067647, 10] lib/util_sock.c:519(read_smb_length_return_keepalive) got smb length of 228 [2013/01/14 15:31:49.067720, 6] smbd/process.c:1660(process_smb) got message type 0x0 of len 0xe4 [2013/01/14 15:31:49.067782, 3] smbd/process.c:1662(process_smb) Transaction 19 of length 232 (0 toread) [2013/01/14 15:31:49.067845, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:49.067880, 5] lib/util.c:342(show_msg) size=228 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=32771 smb_tid=1 smb_pid=51584 smb_uid=101 smb_mid=1152 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 144 (0x90) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 1024 (0x400) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 84 (0x54) smb_vwv[11]= 144 (0x90) smb_vwv[12]= 84 (0x54) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=11066 (0x2B3A) smb_bcc=161 [2013/01/14 15:31:49.068660, 10] ../lib/util/util.c:415(dump_data) [0000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 00 .\.P.I.P .E.\.... [0010] 3F 05 00 00 03 10 00 00 00 90 00 00 00 02 00 00 ?....... ........ [0020] 00 78 00 00 00 00 00 0F 00 00 00 00 00 17 00 00 .x...... ........ [0030] 00 00 00 00 00 F4 50 35 6B 06 70 00 00 46 00 46 ......P5 k.p..F.F [0040] 00 84 1B A8 52 23 00 00 00 00 00 00 00 23 00 00 ....R#.. .....#.. [0050] 00 53 00 4F 00 46 00 54 00 57 00 41 00 52 00 45 .S.O.F.T .W.A.R.E [0060] 00 5C 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F .\.M.i.c .r.o.s.o [0070] 00 66 00 74 00 5C 00 53 00 63 00 68 00 65 00 64 .f.t.\.S .c.h.e.d [0080] 00 75 00 6C 00 69 00 6E 00 67 00 41 00 67 00 65 .u.l.i.n .g.A.g.e [0090] 00 6E 00 74 00 00 00 00 00 00 00 00 00 3F 00 0F .n.t.... .....?.. [00A0] 00 . 
[2013/01/14 15:31:49.069428, 3] smbd/process.c:1467(switch_message) switch message SMBtrans (pid 28678) conn 0xb8d20d18 [2013/01/14 15:31:49.069493, 4] smbd/uid.c:351(change_to_user) Skipping user change - already user [2013/01/14 15:31:49.069567, 3] smbd/ipc.c:560(handle_trans) trans <\PIPE\> data=144 params=0 setup=2 [2013/01/14 15:31:49.069634, 5] smbd/ipc.c:593(handle_trans) calling named_pipe [2013/01/14 15:31:49.069693, 3] smbd/ipc.c:511(named_pipe) named pipe command on <> name [2013/01/14 15:31:49.069756, 5] smbd/ipc.c:434(api_fd_reply) api_fd_reply [2013/01/14 15:31:49.069817, 3] smbd/ipc.c:475(api_fd_reply) Got API command 0x26 on pipe "winreg" (pnum 2b3a) [2013/01/14 15:31:49.069882, 10] smbd/ipc.c:477(api_fd_reply) api_fd_reply: p:0xb8d21110 max_trans_reply: 1024 [2013/01/14 15:31:49.069947, 6] rpc_server/srv_pipe_hnd.c:520(np_write_send) np_write_send: len: 144 [2013/01/14 15:31:49.070010, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 144 [2013/01/14 15:31:49.070107, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) process_incoming_data: Start: pdu.length = 0, pdu_needed_len = 0, incoming data = 144 [2013/01/14 15:31:49.070170, 10] rpc_server/srv_pipe_hnd.c:50(fill_rpc_header) fill_rpc_header: data_to_copy = 144, len_needed_to_complete_hdr = 16, receive_len = 0 [2013/01/14 15:31:49.070235, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 16 [2013/01/14 15:31:49.070296, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 128 [2013/01/14 15:31:49.070357, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) process_incoming_data: Start: pdu.length = 16, pdu_needed_len = 0, incoming data = 128 [2013/01/14 15:31:49.070422, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 0 [2013/01/14 15:31:49.070483, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 128 [2013/01/14 
15:31:49.070544, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) process_incoming_data: Start: pdu.length = 16, pdu_needed_len = 128, incoming data = 128 [2013/01/14 15:31:49.070609, 10] rpc_server/srv_pipe.c:1877(process_complete_pdu) PDU is in Little Endian format! [2013/01/14 15:31:49.070684, 1] ../librpc/ndr/ndr.c:247(ndr_print_debug) r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0090 (144) auth_length : 0x0000 (0) call_id : 0x00000002 (2) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000078 (120) context_id : 0x0000 (0) opnum : 0x000f (15) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=120 [0000] 00 00 00 00 17 00 00 00 00 00 00 00 F4 50 35 6B ........ .....P5k [0010] 06 70 00 00 46 00 46 00 84 1B A8 52 23 00 00 00 .p..F.F. ...R#... [0020] 00 00 00 00 23 00 00 00 53 00 4F 00 46 00 54 00 ....#... S.O.F.T. [0030] 57 00 41 00 52 00 45 00 5C 00 4D 00 69 00 63 00 W.A.R.E. \.M.i.c. [0040] 72 00 6F 00 73 00 6F 00 66 00 74 00 5C 00 53 00 r.o.s.o. f.t.\.S. [0050] 63 00 68 00 65 00 64 00 75 00 6C 00 69 00 6E 00 c.h.e.d. u.l.i.n. [0060] 67 00 41 00 67 00 65 00 6E 00 74 00 00 00 00 00 g.A.g.e. n.t..... [0070] 00 00 00 00 3F 00 0F 00 ....?... [2013/01/14 15:31:49.072203, 10] rpc_server/srv_pipe.c:1890(process_complete_pdu) Processing packet type 0 [2013/01/14 15:31:49.072265, 10] rpc_server/srv_pipe.c:1734(dcesrv_auth_request) Checking request auth. 
[2013/01/14 15:31:49.072329, 5] rpc_server/srv_pipe.c:1571(api_pipe_request) Requested \PIPE\\winreg [2013/01/14 15:31:49.072394, 4] rpc_server/srv_pipe.c:1611(api_rpcTNP) api_rpcTNP: \winreg op 0xf - api_rpcTNP: rpc command: WINREG_OPENKEY [2013/01/14 15:31:49.072461, 6] rpc_server/srv_pipe.c:1645(api_rpcTNP) api_rpc_cmds[15].fn == 0xb715cb30 [2013/01/14 15:31:49.072541, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_OpenKey: struct winreg_OpenKey in: struct winreg_OpenKey parent_handle : * parent_handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000017-0000-0000-f450-356b06700000 keyname: struct winreg_String name_len : 0x0046 (70) name_size : 0x0046 (70) name : * name : 'SOFTWARE\Microsoft\SchedulingAgent' options : 0x00000000 (0) 0: REG_OPTION_VOLATILE 0: REG_OPTION_CREATE_LINK 0: REG_OPTION_BACKUP_RESTORE 0: REG_OPTION_OPEN_LINK access_mask : 0x000f003f (983103) 1: KEY_QUERY_VALUE 1: KEY_SET_VALUE 1: KEY_CREATE_SUB_KEY 1: KEY_ENUMERATE_SUB_KEYS 1: KEY_NOTIFY 1: KEY_CREATE_LINK 0: KEY_WOW64_64KEY 0: KEY_WOW64_32KEY [2013/01/14 15:31:49.073436, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 17 00 00 00 00 00 00 00 F4 50 35 6B ........ .....P5k [0010] 06 70 00 00 .p.. 
[2013/01/14 15:31:49.073606, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [SOFTWARE] [2013/01/14 15:31:49.073670, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (1->2) [2013/01/14 15:31:49.073739, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SOFTWARE] [2013/01/14 15:31:49.073800, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SOFTWARE] [2013/01/14 15:31:49.073864, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2013/01/14 15:31:49.073925, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb779a460 for key [\HKLM\SOFTWARE] [2013/01/14 15:31:49.074048, 10] registry/reg_backend_db.c:1926(regdb_get_secdesc) regdb_get_secdesc: Getting secdesc of key [HKLM\SOFTWARE] [2013/01/14 15:31:49.074146, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [Microsoft] [2013/01/14 15:31:49.074209, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (2->3) [2013/01/14 15:31:49.074277, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SOFTWARE\Microsoft] [2013/01/14 15:31:49.074339, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SOFTWARE\Microsoft] [2013/01/14 15:31:49.074402, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2013/01/14 15:31:49.074462, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb779a460 for key [\HKLM\SOFTWARE\Microsoft] [2013/01/14 15:31:49.074559, 10] registry/reg_backend_db.c:1926(regdb_get_secdesc) regdb_get_secdesc: Getting secdesc of key [HKLM\SOFTWARE\Microsoft] [2013/01/14 15:31:49.074658, 7] registry/reg_api.c:141(regkey_open_onelevel) regkey_open_onelevel: name = [SchedulingAgent] [2013/01/14 15:31:49.074724, 10] registry/reg_backend_db.c:583(regdb_open) regdb_open: incrementing refcount (3->4) 
[2013/01/14 15:31:49.074794, 10] registry/reg_cachehook.c:122(reghook_cache_find) reghook_cache_find: Searching for keyname [\HKLM\SOFTWARE\Microsoft\SchedulingAgent] [2013/01/14 15:31:49.074855, 10] lib/adt_tree.c:367(pathtree_find) pathtree_find: Enter [\HKLM\SOFTWARE\Microsoft\SchedulingAgent] [2013/01/14 15:31:49.074919, 10] lib/adt_tree.c:440(pathtree_find) pathtree_find: Exit [2013/01/14 15:31:49.074980, 10] registry/reg_cachehook.c:127(reghook_cache_find) reghook_cache_find: found ops 0xb779a460 for key [\HKLM\SOFTWARE\Microsoft\SchedulingAgent] [2013/01/14 15:31:49.075063, 10] registry/reg_backend_db.c:1623(regdb_fetch_keys_internal) key [HKLM\SOFTWARE\Microsoft\SchedulingAgent] not found [2013/01/14 15:31:49.075127, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (4->3) [2013/01/14 15:31:49.075222, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (3->2) [2013/01/14 15:31:49.075286, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (2->1) [2013/01/14 15:31:49.075349, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_OpenKey: struct winreg_OpenKey out: struct winreg_OpenKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000000-0000-0000-0000-000000000000 result : WERR_BADFILE [2013/01/14 15:31:49.075629, 5] rpc_server/srv_pipe.c:1679(api_rpcTNP) api_rpcTNP: called \winreg successfully [2013/01/14 15:31:49.075696, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 128 [2013/01/14 15:31:49.075779, 6] rpc_server/srv_pipe_hnd.c:284(read_from_internal_pipe) name: \winreg len: 1024 [2013/01/14 15:31:49.075844, 10] rpc_server/srv_pipe_hnd.c:346(read_from_internal_pipe) read_from_pipe: \winreg: fault_state = 0 : data_sent_length = 0, p->out_data.rdata.length = 24. 
[2013/01/14 15:31:49.075921, 1] ../librpc/ndr/ndr.c:247(ndr_print_debug) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0000 (0) call_id : 0x00000002 (2) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0010] 00 00 00 00 02 00 00 00 ........ [2013/01/14 15:31:49.076790, 3] rpc_server/srv_pipe_hnd.c:121(free_pipe_context) free_pipe_context: destroying talloc pool of size 24 [2013/01/14 15:31:49.076865, 10] rpc_server/srv_pipe_hnd.c:788(np_read_recv) Received 48 bytes. There is no more data outstanding [2013/01/14 15:31:49.076931, 5] smbd/ipc.c:62(copy_trans_params_and_data) copy_trans_params_and_data: params[0..0] data[0..48] (align 0) [2013/01/14 15:31:49.076995, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:49.077030, 5] lib/util.c:342(show_msg) size=104 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=49155 smb_tid=1 smb_pid=51584 smb_uid=101 smb_mid=1152 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 48 (0x30) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 48 (0x30) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=49 [2013/01/14 15:31:49.077651, 10] ../lib/util/util.c:415(dump_data) [0000] 00 05 00 02 03 10 00 00 00 30 00 00 00 02 00 00 ........ .0...... [0010] 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0020] 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 ........ ........ [0030] 00 . 
[2013/01/14 15:31:49.079461, 10] lib/util_sock.c:519(read_smb_length_return_keepalive) got smb length of 128 [2013/01/14 15:31:49.079533, 6] smbd/process.c:1660(process_smb) got message type 0x0 of len 0x80 [2013/01/14 15:31:49.079631, 3] smbd/process.c:1662(process_smb) Transaction 20 of length 132 (0 toread) [2013/01/14 15:31:49.079694, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:49.079729, 5] lib/util.c:342(show_msg) size=128 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=32771 smb_tid=1 smb_pid=51584 smb_uid=101 smb_mid=1216 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 44 (0x2C) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 1024 (0x400) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 84 (0x54) smb_vwv[11]= 44 (0x2C) smb_vwv[12]= 84 (0x54) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=11066 (0x2B3A) smb_bcc=61 [2013/01/14 15:31:49.080510, 10] ../lib/util/util.c:415(dump_data) [0000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 00 .\.P.I.P .E.\.... [0010] A4 05 00 00 03 10 00 00 00 2C 00 00 00 03 00 00 ........ .,...... [0020] 00 14 00 00 00 00 00 05 00 00 00 00 00 17 00 00 ........ ........ [0030] 00 00 00 00 00 F4 50 35 6B 06 70 00 00 ......P5 k.p.. 
[2013/01/14 15:31:49.080818, 3] smbd/process.c:1467(switch_message) switch message SMBtrans (pid 28678) conn 0xb8d20d18 [2013/01/14 15:31:49.080883, 4] smbd/uid.c:351(change_to_user) Skipping user change - already user [2013/01/14 15:31:49.080956, 3] smbd/ipc.c:560(handle_trans) trans <\PIPE\> data=44 params=0 setup=2 [2013/01/14 15:31:49.081022, 5] smbd/ipc.c:593(handle_trans) calling named_pipe [2013/01/14 15:31:49.081082, 3] smbd/ipc.c:511(named_pipe) named pipe command on <> name [2013/01/14 15:31:49.081144, 5] smbd/ipc.c:434(api_fd_reply) api_fd_reply [2013/01/14 15:31:49.081206, 3] smbd/ipc.c:475(api_fd_reply) Got API command 0x26 on pipe "winreg" (pnum 2b3a) [2013/01/14 15:31:49.081270, 10] smbd/ipc.c:477(api_fd_reply) api_fd_reply: p:0xb8d21110 max_trans_reply: 1024 [2013/01/14 15:31:49.081335, 6] rpc_server/srv_pipe_hnd.c:520(np_write_send) np_write_send: len: 44 [2013/01/14 15:31:49.081398, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 44 [2013/01/14 15:31:49.081460, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) process_incoming_data: Start: pdu.length = 0, pdu_needed_len = 0, incoming data = 44 [2013/01/14 15:31:49.081523, 10] rpc_server/srv_pipe_hnd.c:50(fill_rpc_header) fill_rpc_header: data_to_copy = 44, len_needed_to_complete_hdr = 16, receive_len = 0 [2013/01/14 15:31:49.081588, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 16 [2013/01/14 15:31:49.081649, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 28 [2013/01/14 15:31:49.081711, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) process_incoming_data: Start: pdu.length = 16, pdu_needed_len = 0, incoming data = 28 [2013/01/14 15:31:49.081775, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 0 [2013/01/14 15:31:49.081836, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 28 [2013/01/14 
15:31:49.081897, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) process_incoming_data: Start: pdu.length = 16, pdu_needed_len = 28, incoming data = 28 [2013/01/14 15:31:49.081962, 10] rpc_server/srv_pipe.c:1877(process_complete_pdu) PDU is in Little Endian format! [2013/01/14 15:31:49.082036, 1] ../librpc/ndr/ndr.c:247(ndr_print_debug) r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x002c (44) auth_length : 0x0000 (0) call_id : 0x00000003 (3) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000014 (20) context_id : 0x0000 (0) opnum : 0x0005 (5) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=20 [0000] 00 00 00 00 17 00 00 00 00 00 00 00 F4 50 35 6B ........ .....P5k [0010] 06 70 00 00 .p.. [2013/01/14 15:31:49.082974, 10] rpc_server/srv_pipe.c:1890(process_complete_pdu) Processing packet type 0 [2013/01/14 15:31:49.083037, 10] rpc_server/srv_pipe.c:1734(dcesrv_auth_request) Checking request auth. [2013/01/14 15:31:49.083100, 5] rpc_server/srv_pipe.c:1571(api_pipe_request) Requested \PIPE\\winreg [2013/01/14 15:31:49.083165, 4] rpc_server/srv_pipe.c:1611(api_rpcTNP) api_rpcTNP: \winreg op 0x5 - api_rpcTNP: rpc command: WINREG_CLOSEKEY [2013/01/14 15:31:49.083232, 6] rpc_server/srv_pipe.c:1645(api_rpcTNP) api_rpc_cmds[5].fn == 0xb715e7e0 [2013/01/14 15:31:49.083303, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CloseKey: struct winreg_CloseKey in: struct winreg_CloseKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000017-0000-0000-f450-356b06700000 [2013/01/14 15:31:49.083543, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 17 00 00 00 00 00 00 00 F4 50 35 6B ........ 
.....P5k [0010] 06 70 00 00 .p.. [2013/01/14 15:31:49.083709, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 17 00 00 00 00 00 00 00 F4 50 35 6B ........ .....P5k [0010] 06 70 00 00 .p.. [2013/01/14 15:31:49.083873, 3] rpc_server/rpc_handles.c:281(close_policy_hnd) Closed policy [2013/01/14 15:31:49.083937, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (1->0) [2013/01/14 15:31:49.084022, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CloseKey: struct winreg_CloseKey out: struct winreg_CloseKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000000-0000-0000-0000-000000000000 result : WERR_OK [2013/01/14 15:31:49.084292, 5] rpc_server/srv_pipe.c:1679(api_rpcTNP) api_rpcTNP: called \winreg successfully [2013/01/14 15:31:49.084357, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 28 [2013/01/14 15:31:49.084439, 6] rpc_server/srv_pipe_hnd.c:284(read_from_internal_pipe) name: \winreg len: 1024 [2013/01/14 15:31:49.084503, 10] rpc_server/srv_pipe_hnd.c:346(read_from_internal_pipe) read_from_pipe: \winreg: fault_state = 0 : data_sent_length = 0, p->out_data.rdata.length = 24. [2013/01/14 15:31:49.084579, 1] ../librpc/ndr/ndr.c:247(ndr_print_debug) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0000 (0) call_id : 0x00000003 (3) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0010] 00 00 00 00 00 00 00 00 ........ 
[2013/01/14 15:31:49.085461, 3] rpc_server/srv_pipe_hnd.c:121(free_pipe_context) free_pipe_context: destroying talloc pool of size 24 [2013/01/14 15:31:49.085538, 10] rpc_server/srv_pipe_hnd.c:788(np_read_recv) Received 48 bytes. There is no more data outstanding [2013/01/14 15:31:49.085604, 5] smbd/ipc.c:62(copy_trans_params_and_data) copy_trans_params_and_data: params[0..0] data[0..48] (align 0) [2013/01/14 15:31:49.085668, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:49.085703, 5] lib/util.c:342(show_msg) size=104 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=49155 smb_tid=1 smb_pid=51584 smb_uid=101 smb_mid=1216 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 48 (0x30) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 48 (0x30) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=49 [2013/01/14 15:31:49.086344, 10] ../lib/util/util.c:415(dump_data) [0000] 00 05 00 02 03 10 00 00 00 30 00 00 00 03 00 00 ........ .0...... [0010] 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0020] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0030] 00 . 
[2013/01/14 15:31:49.087069, 10] lib/util_sock.c:519(read_smb_length_return_keepalive) got smb length of 42 [2013/01/14 15:31:49.087141, 6] smbd/process.c:1660(process_smb) got message type 0x0 of len 0x2a [2013/01/14 15:31:49.087203, 3] smbd/process.c:1662(process_smb) Transaction 21 of length 46 (0 toread) [2013/01/14 15:31:49.087266, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:49.087300, 5] lib/util.c:342(show_msg) size=42 smb_com=0x4 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=32771 smb_tid=1 smb_pid=51966 smb_uid=101 smb_mid=1280 smt_wct=3 smb_vwv[ 0]=11066 (0x2B3A) smb_vwv[ 1]=65535 (0xFFFF) smb_vwv[ 2]=65535 (0xFFFF) smb_bcc=0 [2013/01/14 15:31:49.087732, 10] ../lib/util/util.c:415(dump_data) [2013/01/14 15:31:49.087770, 3] smbd/process.c:1467(switch_message) switch message SMBclose (pid 28678) conn 0xb8d20d18 [2013/01/14 15:31:49.087834, 4] smbd/uid.c:351(change_to_user) Skipping user change - already user [2013/01/14 15:31:49.087899, 3] smbd/reply.c:4848(reply_close) close fd=-1 fnum=11066 (numopen=1) [2013/01/14 15:31:49.087963, 6] smbd/close.c:532(set_close_write_time) close_write_time: Wed Dec 31 18:59:59 1969 [2013/01/14 15:31:49.088040, 10] rpc_server/rpc_handles.c:307(close_policy_by_pipe) close_policy_by_pipe: deleted handle list for pipe \winreg [2013/01/14 15:31:49.088114, 5] smbd/files.c:482(file_free) freed files structure 11066 (0 used) [2013/01/14 15:31:49.088179, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:49.088214, 5] lib/util.c:342(show_msg) size=35 smb_com=0x4 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=49155 smb_tid=1 smb_pid=51966 smb_uid=101 smb_mid=1280 smt_wct=0 smb_bcc=0 [2013/01/14 15:31:49.088563, 10] ../lib/util/util.c:415(dump_data) [2013/01/14 15:31:51.334552, 10] lib/util_sock.c:519(read_smb_length_return_keepalive) got smb length of 100 [2013/01/14 15:31:51.334679, 6] smbd/process.c:1660(process_smb) got message type 0x0 of len 0x64 [2013/01/14 15:31:51.334743, 3] smbd/process.c:1662(process_smb) 
Transaction 22 of length 104 (0 toread) [2013/01/14 15:31:51.334805, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:51.334840, 5] lib/util.c:342(show_msg) size=100 smb_com=0xa2 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=32771 smb_tid=1 smb_pid=51584 smb_uid=101 smb_mid=1344 smt_wct=24 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 0 (0x0) smb_vwv[ 2]= 3584 (0xE00) smb_vwv[ 3]= 1536 (0x600) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]=40704 (0x9F00) smb_vwv[ 8]= 513 (0x201) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 0 (0x0) smb_vwv[11]= 0 (0x0) smb_vwv[12]= 0 (0x0) smb_vwv[13]= 0 (0x0) smb_vwv[14]= 0 (0x0) smb_vwv[15]= 768 (0x300) smb_vwv[16]= 0 (0x0) smb_vwv[17]= 256 (0x100) smb_vwv[18]= 0 (0x0) smb_vwv[19]= 0 (0x0) smb_vwv[20]= 0 (0x0) smb_vwv[21]= 512 (0x200) smb_vwv[22]= 0 (0x0) smb_vwv[23]= 256 (0x100) smb_bcc=17 [2013/01/14 15:31:51.335906, 10] ../lib/util/util.c:415(dump_data) [0000] 3F 5C 00 73 00 72 00 76 00 73 00 76 00 63 00 00 ?\.s.r.v .s.v.c.. [0010] 00 . [2013/01/14 15:31:51.336072, 3] smbd/process.c:1467(switch_message) switch message SMBntcreateX (pid 28678) conn 0xb8d20d18 [2013/01/14 15:31:51.336139, 4] smbd/uid.c:351(change_to_user) Skipping user change - already user [2013/01/14 15:31:51.336216, 10] smbd/nttrans.c:500(reply_ntcreate_and_X) reply_ntcreate_and_X: flags = 0x6, access_mask = 0x2019f file_attributes = 0x0, share_access = 0x3, create_disposition = 0x1 create_options = 0x0 root_dir_fid = 0x0, fname = srvsvc [2013/01/14 15:31:51.336303, 4] smbd/nttrans.c:288(nt_open_pipe) nt_open_pipe: Opening pipe \srvsvc. 
[2013/01/14 15:31:51.336375, 5] smbd/files.c:140(file_new) allocated file structure 6971, fnum = 11067 (1 used) [2013/01/14 15:31:51.336448, 10] smbd/files.c:705(file_name_hash) file_name_hash: /tmp/srvsvc hash 0x8e98a76a [2013/01/14 15:31:51.336527, 4] rpc_server/rpc_ncacn_np.c:132(make_internal_rpc_pipe_p) Create pipe requested \srvsvc [2013/01/14 15:31:51.336603, 10] rpc_server/rpc_handles.c:116(init_pipe_handles) init_pipe_handle_list: created handle list for pipe \srvsvc [2013/01/14 15:31:51.336666, 10] rpc_server/rpc_handles.c:133(init_pipe_handles) init_pipe_handle_list: pipe_handles ref count = 1 for pipe \srvsvc [2013/01/14 15:31:51.336751, 4] rpc_server/rpc_ncacn_np.c:176(make_internal_rpc_pipe_p) Created internal pipe \srvsvc (pipes_open=0) [2013/01/14 15:31:51.336819, 5] smbd/nttrans.c:377(do_ntcreate_pipe_open) do_ntcreate_pipe_open: open pipe = \srvsvc [2013/01/14 15:31:51.338395, 10] lib/util_sock.c:519(read_smb_length_return_keepalive) got smb length of 156 [2013/01/14 15:31:51.338466, 6] smbd/process.c:1660(process_smb) got message type 0x0 of len 0x9c [2013/01/14 15:31:51.338529, 3] smbd/process.c:1662(process_smb) Transaction 23 of length 160 (0 toread) [2013/01/14 15:31:51.338591, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:51.338626, 5] lib/util.c:342(show_msg) size=156 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=32771 smb_tid=1 smb_pid=51584 smb_uid=101 smb_mid=1408 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 72 (0x48) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 1024 (0x400) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 84 (0x54) smb_vwv[11]= 72 (0x48) smb_vwv[12]= 84 (0x54) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=11067 (0x2B3B) smb_bcc=89 [2013/01/14 15:31:51.339410, 10] ../lib/util/util.c:415(dump_data) [0000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 00 .\.P.I.P .E.\.... 
[0010] 3F 05 00 0B 00 10 00 00 00 48 00 00 00 32 00 00 ?....... .H...2.. [0020] 00 30 16 30 16 00 00 00 00 01 00 00 00 00 00 01 .0.0.... ........ [0030] 00 C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 ..O2Kp.. ..xZG.n. [0040] 88 03 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 ......]. ........ [0050] 00 2B 10 48 60 02 00 00 00 .+.H`... . [2013/01/14 15:31:51.339921, 3] smbd/process.c:1467(switch_message) switch message SMBtrans (pid 28678) conn 0xb8d20d18 [2013/01/14 15:31:51.339987, 4] smbd/uid.c:351(change_to_user) Skipping user change - already user [2013/01/14 15:31:51.340058, 3] smbd/ipc.c:560(handle_trans) trans <\PIPE\> data=72 params=0 setup=2 [2013/01/14 15:31:51.340125, 5] smbd/ipc.c:593(handle_trans) calling named_pipe [2013/01/14 15:31:51.340184, 3] smbd/ipc.c:511(named_pipe) named pipe command on <> name [2013/01/14 15:31:51.340246, 5] smbd/ipc.c:434(api_fd_reply) api_fd_reply [2013/01/14 15:31:51.340308, 3] smbd/ipc.c:475(api_fd_reply) Got API command 0x26 on pipe "srvsvc" (pnum 2b3b) [2013/01/14 15:31:51.340372, 10] smbd/ipc.c:477(api_fd_reply) api_fd_reply: p:0xb8d21110 max_trans_reply: 1024 [2013/01/14 15:31:51.340436, 6] rpc_server/srv_pipe_hnd.c:520(np_write_send) np_write_send: len: 72 [2013/01/14 15:31:51.340501, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 72 [2013/01/14 15:31:51.340563, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) process_incoming_data: Start: pdu.length = 0, pdu_needed_len = 0, incoming data = 72 [2013/01/14 15:31:51.340627, 10] rpc_server/srv_pipe_hnd.c:50(fill_rpc_header) fill_rpc_header: data_to_copy = 72, len_needed_to_complete_hdr = 16, receive_len = 0 [2013/01/14 15:31:51.340691, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 16 [2013/01/14 15:31:51.340752, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 56 [2013/01/14 15:31:51.340814, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) 
process_incoming_data: Start: pdu.length = 16, pdu_needed_len = 0, incoming data = 56 [2013/01/14 15:31:51.340879, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 0 [2013/01/14 15:31:51.340940, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 56 [2013/01/14 15:31:51.341001, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) process_incoming_data: Start: pdu.length = 16, pdu_needed_len = 56, incoming data = 56 [2013/01/14 15:31:51.341066, 10] rpc_server/srv_pipe.c:1877(process_complete_pdu) PDU is in Little Endian format! [2013/01/14 15:31:51.341144, 1] ../librpc/ndr/ndr.c:247(ndr_print_debug) r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_BIND (11) pfc_flags : 0x00 (0) drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0048 (72) auth_length : 0x0000 (0) call_id : 0x00000032 (50) u : union dcerpc_payload(case 11) bind: struct dcerpc_bind max_xmit_frag : 0x1630 (5680) max_recv_frag : 0x1630 (5680) assoc_group_id : 0x00000000 (0) num_contexts : 0x01 (1) ctx_list: ARRAY(1) ctx_list: struct dcerpc_ctx_list context_id : 0x0000 (0) num_transfer_syntaxes : 0x01 (1) abstract_syntax: struct ndr_syntax_id uuid : 4b324fc8-1670-01d3-1278-5a47bf6ee188 if_version : 0x00000003 (3) transfer_syntaxes: ARRAY(1) transfer_syntaxes: struct ndr_syntax_id uuid : 8a885d04-1ceb-11c9-9fe8-08002b104860 if_version : 0x00000002 (2) auth_info : DATA_BLOB length=0 [2013/01/14 15:31:51.342206, 10] rpc_server/srv_pipe.c:1890(process_complete_pdu) Processing packet type 11 [2013/01/14 15:31:51.342299, 3] rpc_server/srv_pipe.c:889(api_pipe_bind_req) api_pipe_bind_req: \PIPE\srvsvc -> \PIPE\srvsvc [2013/01/14 15:31:51.342363, 5] rpc_server/srv_pipe.c:923(api_pipe_bind_req) api_pipe_bind_req: make response. 
923 [2013/01/14 15:31:51.342425, 3] rpc_server/srv_pipe.c:339(check_bind_req) check_bind_req for \srvsvc [2013/01/14 15:31:51.342489, 3] rpc_server/srv_pipe.c:346(check_bind_req) check_bind_req: \PIPE\srvsvc -> \PIPE\srvsvc [2013/01/14 15:31:51.342577, 1] ../librpc/ndr/ndr.c:247(ndr_print_debug) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_BIND_ACK (12) pfc_flags : 0x03 (3) drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0044 (68) auth_length : 0x0000 (0) call_id : 0x00000032 (50) u : union dcerpc_payload(case 12) bind_ack: struct dcerpc_bind_ack max_xmit_frag : 0x10b8 (4280) max_recv_frag : 0x10b8 (4280) assoc_group_id : 0x000053f0 (21488) secondary_address_size : 0x000d (13) secondary_address : '\PIPE\srvsvc' _pad1 : DATA_BLOB length=0 num_results : 0x01 (1) ctx_list: ARRAY(1) ctx_list: struct dcerpc_ack_ctx result : 0x0000 (0) reason : 0x0000 (0) syntax: struct ndr_syntax_id uuid : 8a885d04-1ceb-11c9-9fe8-08002b104860 if_version : 0x00000002 (2) auth_info : DATA_BLOB length=0 [2013/01/14 15:31:51.343580, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 56 [2013/01/14 15:31:51.343664, 6] rpc_server/srv_pipe_hnd.c:284(read_from_internal_pipe) name: \srvsvc len: 1024 [2013/01/14 15:31:51.343728, 10] rpc_server/srv_pipe_hnd.c:325(read_from_internal_pipe) read_from_pipe: \srvsvc: current_pdu_len = 68, current_pdu_sent = 0 returning 68 bytes. [2013/01/14 15:31:51.343795, 3] rpc_server/srv_pipe_hnd.c:121(free_pipe_context) free_pipe_context: destroying talloc pool of size 24 [2013/01/14 15:31:51.343871, 10] rpc_server/srv_pipe_hnd.c:788(np_read_recv) Received 68 bytes. 
There is no more data outstanding [2013/01/14 15:31:51.343937, 5] smbd/ipc.c:62(copy_trans_params_and_data) copy_trans_params_and_data: params[0..0] data[0..68] (align 0) [2013/01/14 15:31:51.344002, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:51.344037, 5] lib/util.c:342(show_msg) size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=49155 smb_tid=1 smb_pid=51584 smb_uid=101 smb_mid=1408 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [2013/01/14 15:31:51.344658, 10] ../lib/util/util.c:415(dump_data) [0000] 00 05 00 0C 03 10 00 00 00 44 00 00 00 32 00 00 ........ .D...2.. [0010] 00 B8 10 B8 10 F0 53 00 00 0D 00 5C 50 49 50 45 ......S. ...\PIPE [0020] 5C 73 72 76 73 76 63 00 00 01 00 00 00 00 00 00 \srvsvc. ........ [0030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H [0040] 60 02 00 00 00 `.... 
[2013/01/14 15:31:51.345457, 10] lib/util_sock.c:519(read_smb_length_return_keepalive) got smb length of 172 [2013/01/14 15:31:51.345564, 6] smbd/process.c:1660(process_smb) got message type 0x0 of len 0xac [2013/01/14 15:31:51.345626, 3] smbd/process.c:1662(process_smb) Transaction 24 of length 176 (0 toread) [2013/01/14 15:31:51.345689, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:51.345723, 5] lib/util.c:342(show_msg) size=172 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=32771 smb_tid=1 smb_pid=51584 smb_uid=101 smb_mid=1472 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 88 (0x58) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 1024 (0x400) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 84 (0x54) smb_vwv[11]= 88 (0x58) smb_vwv[12]= 84 (0x54) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=11067 (0x2B3B) smb_bcc=105 [2013/01/14 15:31:51.346523, 10] ../lib/util/util.c:415(dump_data) [0000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 00 .\.P.I.P .E.\.... [0010] A4 05 00 00 03 10 00 00 00 58 00 00 00 01 00 00 ........ .X...... [0020] 00 40 00 00 00 00 00 10 00 B0 E9 98 01 0A 00 00 .@...... ........ [0030] 00 00 00 00 00 0A 00 00 00 5C 00 5C 00 48 00 61 ........ .\.\.H.a [0040] 00 77 00 6B 00 69 00 6E 00 67 00 00 00 06 00 00 .w.k.i.n .g...... [0050] 00 00 00 00 00 06 00 00 00 73 00 74 00 75 00 66 ........ .s.t.u.f [0060] 00 66 00 00 00 01 00 00 00 .f...... . 
[2013/01/14 15:31:51.347070, 3] smbd/process.c:1467(switch_message) switch message SMBtrans (pid 28678) conn 0xb8d20d18 [2013/01/14 15:31:51.347134, 4] smbd/uid.c:351(change_to_user) Skipping user change - already user [2013/01/14 15:31:51.347206, 3] smbd/ipc.c:560(handle_trans) trans <\PIPE\> data=88 params=0 setup=2 [2013/01/14 15:31:51.347272, 5] smbd/ipc.c:593(handle_trans) calling named_pipe [2013/01/14 15:31:51.347331, 3] smbd/ipc.c:511(named_pipe) named pipe command on <> name [2013/01/14 15:31:51.347393, 5] smbd/ipc.c:434(api_fd_reply) api_fd_reply [2013/01/14 15:31:51.347454, 3] smbd/ipc.c:475(api_fd_reply) Got API command 0x26 on pipe "srvsvc" (pnum 2b3b) [2013/01/14 15:31:51.347518, 10] smbd/ipc.c:477(api_fd_reply) api_fd_reply: p:0xb8d21110 max_trans_reply: 1024 [2013/01/14 15:31:51.347582, 6] rpc_server/srv_pipe_hnd.c:520(np_write_send) np_write_send: len: 88 [2013/01/14 15:31:51.347644, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 88 [2013/01/14 15:31:51.347706, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) process_incoming_data: Start: pdu.length = 0, pdu_needed_len = 0, incoming data = 88 [2013/01/14 15:31:51.347769, 10] rpc_server/srv_pipe_hnd.c:50(fill_rpc_header) fill_rpc_header: data_to_copy = 88, len_needed_to_complete_hdr = 16, receive_len = 0 [2013/01/14 15:31:51.347834, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 16 [2013/01/14 15:31:51.347895, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 72 [2013/01/14 15:31:51.347956, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) process_incoming_data: Start: pdu.length = 16, pdu_needed_len = 0, incoming data = 72 [2013/01/14 15:31:51.348021, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 0 [2013/01/14 15:31:51.348081, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 72 [2013/01/14 
15:31:51.348142, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) process_incoming_data: Start: pdu.length = 16, pdu_needed_len = 72, incoming data = 72 [2013/01/14 15:31:51.348207, 10] rpc_server/srv_pipe.c:1877(process_complete_pdu) PDU is in Little Endian format! [2013/01/14 15:31:51.348278, 1] ../librpc/ndr/ndr.c:247(ndr_print_debug) r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0058 (88) auth_length : 0x0000 (0) call_id : 0x00000001 (1) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000040 (64) context_id : 0x0000 (0) opnum : 0x0010 (16) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=64 [0000] B0 E9 98 01 0A 00 00 00 00 00 00 00 0A 00 00 00 ........ ........ [0010] 5C 00 5C 00 48 00 61 00 77 00 6B 00 69 00 6E 00 \.\.H.a. w.k.i.n. [0020] 67 00 00 00 06 00 00 00 00 00 00 00 06 00 00 00 g....... ........ [0030] 73 00 74 00 75 00 66 00 66 00 00 00 01 00 00 00 s.t.u.f. f....... [2013/01/14 15:31:51.349435, 10] rpc_server/srv_pipe.c:1890(process_complete_pdu) Processing packet type 0 [2013/01/14 15:31:51.349498, 10] rpc_server/srv_pipe.c:1734(dcesrv_auth_request) Checking request auth. 
[2013/01/14 15:31:51.349562, 5] rpc_server/srv_pipe.c:1571(api_pipe_request) Requested \PIPE\\srvsvc [2013/01/14 15:31:51.349626, 4] rpc_server/srv_pipe.c:1611(api_rpcTNP) api_rpcTNP: \srvsvc op 0x10 - api_rpcTNP: rpc command: SRVSVC_NETSHAREGETINFO [2013/01/14 15:31:51.349694, 6] rpc_server/srv_pipe.c:1645(api_rpcTNP) api_rpc_cmds[16].fn == 0xb71a3660 [2013/01/14 15:31:51.349766, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) srvsvc_NetShareGetInfo: struct srvsvc_NetShareGetInfo in: struct srvsvc_NetShareGetInfo server_unc : * server_unc : '\\Hawking' share_name : 'stuff' level : 0x00000001 (1) [2013/01/14 15:31:51.349991, 5] rpc_server/srvsvc/srv_srvsvc_nt.c:1440(_srvsvc_NetShareGetInfo) _srvsvc_NetShareGetInfo: 1440 [2013/01/14 15:31:51.350090, 5] rpc_server/srvsvc/srv_srvsvc_nt.c:1510(_srvsvc_NetShareGetInfo) _srvsvc_NetShareGetInfo: 1510 [2013/01/14 15:31:51.350152, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) srvsvc_NetShareGetInfo: struct srvsvc_NetShareGetInfo out: struct srvsvc_NetShareGetInfo info : * info : union srvsvc_NetShareInfo(case 1) info1 : * info1: struct srvsvc_NetShareInfo1 name : * name : 'stuff' type : STYPE_DISKTREE (0x0) comment : * comment : 'Assorted files' result : WERR_OK [2013/01/14 15:31:51.350595, 5] rpc_server/srv_pipe.c:1679(api_rpcTNP) api_rpcTNP: called \srvsvc successfully [2013/01/14 15:31:51.350661, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 72 [2013/01/14 15:31:51.350746, 6] rpc_server/srv_pipe_hnd.c:284(read_from_internal_pipe) name: \srvsvc len: 1024 [2013/01/14 15:31:51.350810, 10] rpc_server/srv_pipe_hnd.c:346(read_from_internal_pipe) read_from_pipe: \srvsvc: fault_state = 0 : data_sent_length = 0, p->out_data.rdata.length = 92. 
[2013/01/14 15:31:51.350889, 1] ../librpc/ndr/ndr.c:247(ndr_print_debug) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0074 (116) auth_length : 0x0000 (0) call_id : 0x00000001 (1) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x0000005c (92) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=92 [0000] 01 00 00 00 04 00 02 00 08 00 02 00 00 00 00 00 ........ ........ [0010] 0C 00 02 00 06 00 00 00 00 00 00 00 06 00 00 00 ........ ........ [0020] 73 00 74 00 75 00 66 00 66 00 00 00 0F 00 00 00 s.t.u.f. f....... [0030] 00 00 00 00 0F 00 00 00 41 00 73 00 73 00 6F 00 ........ A.s.s.o. [0040] 72 00 74 00 65 00 64 00 20 00 66 00 69 00 6C 00 r.t.e.d. .f.i.l. [0050] 65 00 73 00 00 00 00 00 00 00 00 00 e.s..... .... [2013/01/14 15:31:51.352161, 3] rpc_server/srv_pipe_hnd.c:121(free_pipe_context) free_pipe_context: destroying talloc pool of size 66 [2013/01/14 15:31:51.352240, 10] rpc_server/srv_pipe_hnd.c:788(np_read_recv) Received 116 bytes. There is no more data outstanding [2013/01/14 15:31:51.352306, 5] smbd/ipc.c:62(copy_trans_params_and_data) copy_trans_params_and_data: params[0..0] data[0..116] (align 0) [2013/01/14 15:31:51.352370, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:51.352406, 5] lib/util.c:342(show_msg) size=172 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=49155 smb_tid=1 smb_pid=51584 smb_uid=101 smb_mid=1472 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 116 (0x74) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 116 (0x74) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=117 [2013/01/14 15:31:51.353027, 10] ../lib/util/util.c:415(dump_data) [0000] 00 05 00 02 03 10 00 00 00 74 00 00 00 01 00 00 ........ 
.t...... [0010] 00 5C 00 00 00 00 00 00 00 01 00 00 00 04 00 02 .\...... ........ [0020] 00 08 00 02 00 00 00 00 00 0C 00 02 00 06 00 00 ........ ........ [0030] 00 00 00 00 00 06 00 00 00 73 00 74 00 75 00 66 ........ .s.t.u.f [0040] 00 66 00 00 00 0F 00 00 00 00 00 00 00 0F 00 00 .f...... ........ [0050] 00 41 00 73 00 73 00 6F 00 72 00 74 00 65 00 64 .A.s.s.o .r.t.e.d [0060] 00 20 00 66 00 69 00 6C 00 65 00 73 00 00 00 00 . .f.i.l .e.s.... [0070] 00 00 00 00 00 ..... [2013/01/14 15:31:51.355120, 10] lib/util_sock.c:519(read_smb_length_return_keepalive) got smb length of 42 [2013/01/14 15:31:51.355190, 6] smbd/process.c:1660(process_smb) got message type 0x0 of len 0x2a [2013/01/14 15:31:51.355253, 3] smbd/process.c:1662(process_smb) Transaction 25 of length 46 (0 toread) [2013/01/14 15:31:51.355315, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:51.355350, 5] lib/util.c:342(show_msg) size=42 smb_com=0x4 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=32771 smb_tid=1 smb_pid=51966 smb_uid=101 smb_mid=1536 smt_wct=3 smb_vwv[ 0]=11067 (0x2B3B) smb_vwv[ 1]=65535 (0xFFFF) smb_vwv[ 2]=65535 (0xFFFF) smb_bcc=0 [2013/01/14 15:31:51.355781, 10] ../lib/util/util.c:415(dump_data) [2013/01/14 15:31:51.355818, 3] smbd/process.c:1467(switch_message) switch message SMBclose (pid 28678) conn 0xb8d20d18 [2013/01/14 15:31:51.355883, 4] smbd/uid.c:351(change_to_user) Skipping user change - already user [2013/01/14 15:31:51.355946, 3] smbd/reply.c:4848(reply_close) close fd=-1 fnum=11067 (numopen=1) [2013/01/14 15:31:51.356010, 6] smbd/close.c:532(set_close_write_time) close_write_time: Wed Dec 31 18:59:59 1969 [2013/01/14 15:31:51.356117, 10] rpc_server/rpc_handles.c:307(close_policy_by_pipe) close_policy_by_pipe: deleted handle list for pipe \srvsvc [2013/01/14 15:31:51.356189, 5] smbd/files.c:482(file_free) freed files structure 11067 (0 used) [2013/01/14 15:31:51.356254, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:51.356306, 5] lib/util.c:342(show_msg) size=35 smb_com=0x4 
smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=49155 smb_tid=1 smb_pid=51966 smb_uid=101 smb_mid=1536 smt_wct=0 smb_bcc=0 [2013/01/14 15:31:51.356655, 10] ../lib/util/util.c:415(dump_data) [2013/01/14 15:31:51.357231, 10] lib/util_sock.c:519(read_smb_length_return_keepalive) got smb length of 82 [2013/01/14 15:31:51.357300, 6] smbd/process.c:1660(process_smb) got message type 0x0 of len 0x52 [2013/01/14 15:31:51.357362, 3] smbd/process.c:1662(process_smb) Transaction 26 of length 86 (0 toread) [2013/01/14 15:31:51.357424, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:51.357458, 5] lib/util.c:342(show_msg) size=82 smb_com=0x75 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=32771 smb_tid=0 smb_pid=51966 smb_uid=101 smb_mid=1600 smt_wct=4 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 0 (0x0) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 1 (0x1) smb_bcc=39 [2013/01/14 15:31:51.357916, 10] ../lib/util/util.c:415(dump_data) [0000] 00 5C 00 5C 00 48 00 41 00 57 00 4B 00 49 00 4E .\.\.H.A .W.K.I.N [0010] 00 47 00 5C 00 53 00 54 00 55 00 46 00 46 00 00 .G.\.S.T .U.F.F.. [0020] 00 3F 3F 3F 3F 3F 00 .?????. [2013/01/14 15:31:51.358156, 3] smbd/process.c:1467(switch_message) switch message SMBtconX (pid 28678) conn 0x0 [2013/01/14 15:31:51.358220, 4] smbd/sec_ctx.c:314(set_sec_ctx) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 [2013/01/14 15:31:51.358283, 5] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2013/01/14 15:31:51.358344, 5] auth/token_util.c:527(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2013/01/14 15:31:51.358455, 5] smbd/uid.c:400(change_to_root_user) change_to_root_user: now uid=(0,0) gid=(0,0) [2013/01/14 15:31:51.358541, 4] smbd/reply.c:794(reply_tcon_and_X) Client requested device type [?????] 
for share [STUFF] [2013/01/14 15:31:51.358628, 5] smbd/service.c:1354(make_connection) making a connection to 'normal' service stuff [2013/01/14 15:31:51.358703, 3] lib/access.c:338(allow_access) Allowed connection from 192.168.7.2 (192.168.7.2) [2013/01/14 15:31:51.358782, 3] ../libcli/security/dom_sid.c:208(dom_sid_parse_endp) string_to_sid: SID +WARGAMES\Domain Admins is not in a valid format [2013/01/14 15:31:51.358850, 10] passdb/lookup_sid.c:76(lookup_name) lookup_name: WARGAMES\Domain Admins => domain=[WARGAMES], name=[Domain Admins] [2013/01/14 15:31:51.358914, 10] passdb/lookup_sid.c:77(lookup_name) lookup_name: flags = 0x077 [2013/01/14 15:31:51.370315, 3] ../libcli/security/dom_sid.c:208(dom_sid_parse_endp) string_to_sid: SID WARGAMES\smythe is not in a valid format [2013/01/14 15:31:51.370397, 10] passdb/lookup_sid.c:76(lookup_name) lookup_name: WARGAMES\smythe => domain=[WARGAMES], name=[smythe] [2013/01/14 15:31:51.370460, 10] passdb/lookup_sid.c:77(lookup_name) lookup_name: flags = 0x073 [2013/01/14 15:31:51.380292, 10] smbd/share_access.c:219(user_ok_token) User WARGAMES\administrator not in 'valid users' [2013/01/14 15:31:51.380383, 2] smbd/service.c:627(create_connection_session_info) user 'WARGAMES\administrator' (from session setup) not permitted to access this share (stuff) [2013/01/14 15:31:51.380463, 1] smbd/service.c:805(make_connection_snum) create_connection_session_info failed: NT_STATUS_ACCESS_DENIED [2013/01/14 15:31:51.380540, 3] smbd/error.c:81(error_packet_set) error packet at smbd/reply.c(803) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED [2013/01/14 15:31:51.380608, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:51.380684, 5] lib/util.c:342(show_msg) size=35 smb_com=0x75 smb_rcls=34 smb_reh=0 smb_err=49152 smb_flg=136 smb_flg2=49155 smb_tid=0 smb_pid=51966 smb_uid=101 smb_mid=1600 smt_wct=0 smb_bcc=0 [2013/01/14 15:31:51.381036, 10] ../lib/util/util.c:415(dump_data) [2013/01/14 15:31:51.383391, 10] 
lib/util_sock.c:519(read_smb_length_return_keepalive) got smb length of 82 [2013/01/14 15:31:51.383508, 6] smbd/process.c:1660(process_smb) got message type 0x0 of len 0x52 [2013/01/14 15:31:51.383571, 3] smbd/process.c:1662(process_smb) Transaction 27 of length 86 (0 toread) [2013/01/14 15:31:51.383634, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:51.383670, 5] lib/util.c:342(show_msg) size=82 smb_com=0x75 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=32771 smb_tid=0 smb_pid=51966 smb_uid=101 smb_mid=1664 smt_wct=4 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 0 (0x0) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 1 (0x1) smb_bcc=39 [2013/01/14 15:31:51.384131, 10] ../lib/util/util.c:415(dump_data) [0000] 00 5C 00 5C 00 48 00 41 00 57 00 4B 00 49 00 4E .\.\.H.A .W.K.I.N [0010] 00 47 00 5C 00 53 00 54 00 55 00 46 00 46 00 00 .G.\.S.T .U.F.F.. [0020] 00 3F 3F 3F 3F 3F 00 .?????. [2013/01/14 15:31:51.384381, 3] smbd/process.c:1467(switch_message) switch message SMBtconX (pid 28678) conn 0x0 [2013/01/14 15:31:51.384447, 4] smbd/sec_ctx.c:314(set_sec_ctx) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 [2013/01/14 15:31:51.384511, 5] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2013/01/14 15:31:51.384573, 5] auth/token_util.c:527(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2013/01/14 15:31:51.384681, 5] smbd/uid.c:400(change_to_root_user) change_to_root_user: now uid=(0,0) gid=(0,0) [2013/01/14 15:31:51.384771, 4] smbd/reply.c:794(reply_tcon_and_X) Client requested device type [?????] 
for share [STUFF] [2013/01/14 15:31:51.384868, 5] smbd/service.c:1354(make_connection) making a connection to 'normal' service stuff [2013/01/14 15:31:51.384946, 3] lib/access.c:338(allow_access) Allowed connection from 192.168.7.2 (192.168.7.2) [2013/01/14 15:31:51.385029, 3] ../libcli/security/dom_sid.c:208(dom_sid_parse_endp) string_to_sid: SID +WARGAMES\Domain Admins is not in a valid format [2013/01/14 15:31:51.385098, 10] passdb/lookup_sid.c:76(lookup_name) lookup_name: WARGAMES\Domain Admins => domain=[WARGAMES], name=[Domain Admins] [2013/01/14 15:31:51.385161, 10] passdb/lookup_sid.c:77(lookup_name) lookup_name: flags = 0x077 [2013/01/14 15:31:51.386347, 3] ../libcli/security/dom_sid.c:208(dom_sid_parse_endp) string_to_sid: SID WARGAMES\smythe is not in a valid format [2013/01/14 15:31:51.386420, 10] passdb/lookup_sid.c:76(lookup_name) lookup_name: WARGAMES\smythe => domain=[WARGAMES], name=[smythe] [2013/01/14 15:31:51.386483, 10] passdb/lookup_sid.c:77(lookup_name) lookup_name: flags = 0x073 [2013/01/14 15:31:51.387523, 10] smbd/share_access.c:219(user_ok_token) User WARGAMES\administrator not in 'valid users' [2013/01/14 15:31:51.387589, 2] smbd/service.c:627(create_connection_session_info) user 'WARGAMES\administrator' (from session setup) not permitted to access this share (stuff) [2013/01/14 15:31:51.387658, 1] smbd/service.c:805(make_connection_snum) create_connection_session_info failed: NT_STATUS_ACCESS_DENIED [2013/01/14 15:31:51.387732, 3] smbd/error.c:81(error_packet_set) error packet at smbd/reply.c(803) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED [2013/01/14 15:31:51.387798, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:51.387833, 5] lib/util.c:342(show_msg) size=35 smb_com=0x75 smb_rcls=34 smb_reh=0 smb_err=49152 smb_flg=136 smb_flg2=49155 smb_tid=0 smb_pid=51966 smb_uid=101 smb_mid=1664 smt_wct=0 smb_bcc=0 [2013/01/14 15:31:51.388184, 10] ../lib/util/util.c:415(dump_data) [2013/01/14 15:31:51.388863, 10] 
lib/util_sock.c:519(read_smb_length_return_keepalive) got smb length of 100 [2013/01/14 15:31:51.389013, 6] smbd/process.c:1660(process_smb) got message type 0x0 of len 0x64 [2013/01/14 15:31:51.389077, 3] smbd/process.c:1662(process_smb) Transaction 28 of length 104 (0 toread) [2013/01/14 15:31:51.389139, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:51.389174, 5] lib/util.c:342(show_msg) size=100 smb_com=0xa2 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=32771 smb_tid=1 smb_pid=51584 smb_uid=101 smb_mid=1728 smt_wct=24 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 0 (0x0) smb_vwv[ 2]= 3584 (0xE00) smb_vwv[ 3]= 1536 (0x600) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]=40704 (0x9F00) smb_vwv[ 8]= 513 (0x201) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 0 (0x0) smb_vwv[11]= 0 (0x0) smb_vwv[12]= 0 (0x0) smb_vwv[13]= 0 (0x0) smb_vwv[14]= 0 (0x0) smb_vwv[15]= 768 (0x300) smb_vwv[16]= 0 (0x0) smb_vwv[17]= 256 (0x100) smb_vwv[18]= 0 (0x0) smb_vwv[19]= 0 (0x0) smb_vwv[20]= 0 (0x0) smb_vwv[21]= 512 (0x200) smb_vwv[22]= 0 (0x0) smb_vwv[23]= 256 (0x100) smb_bcc=17 [2013/01/14 15:31:51.390185, 10] ../lib/util/util.c:415(dump_data) [0000] 3F 5C 00 73 00 72 00 76 00 73 00 76 00 63 00 00 ?\.s.r.v .s.v.c.. [0010] 00 . 
[2013/01/14 15:31:51.390348, 3] smbd/process.c:1467(switch_message) switch message SMBntcreateX (pid 28678) conn 0xb8d20d18 [2013/01/14 15:31:51.390420, 4] smbd/sec_ctx.c:314(set_sec_ctx) setting sec ctx (2500, 2513) - sec_ctx_stack_ndx = 0 [2013/01/14 15:31:51.390487, 5] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (10): SID[ 0]: S-1-5-21-546846319-217595157-9522986-500 SID[ 1]: S-1-5-21-546846319-217595157-9522986-513 SID[ 2]: S-1-22-2-2513 SID[ 3]: S-1-1-0 SID[ 4]: S-1-5-2 SID[ 5]: S-1-5-11 SID[ 6]: S-1-22-1-2500 SID[ 7]: S-1-22-2-300002 SID[ 8]: S-1-22-2-300003 SID[ 9]: S-1-22-2-300004 Privileges (0x 0): Rights (0x 0): [2013/01/14 15:31:51.390914, 5] auth/token_util.c:527(debug_unix_user_token) UNIX token of user 2500 Primary group is 2513 and contains 4 supplementary groups Group[ 0]: 2513 Group[ 1]: 300002 Group[ 2]: 300003 Group[ 3]: 300004 [2013/01/14 15:31:51.391133, 5] smbd/uid.c:317(change_to_user_internal) Impersonated user: uid=(0,2500), gid=(0,2513) [2013/01/14 15:31:51.391210, 10] smbd/nttrans.c:500(reply_ntcreate_and_X) reply_ntcreate_and_X: flags = 0x6, access_mask = 0x2019f file_attributes = 0x0, share_access = 0x3, create_disposition = 0x1 create_options = 0x0 root_dir_fid = 0x0, fname = srvsvc [2013/01/14 15:31:51.391282, 4] smbd/nttrans.c:288(nt_open_pipe) nt_open_pipe: Opening pipe \srvsvc. 
[2013/01/14 15:31:51.391350, 5] smbd/files.c:140(file_new) allocated file structure 6972, fnum = 11068 (1 used) [2013/01/14 15:31:51.391423, 10] smbd/files.c:705(file_name_hash) file_name_hash: /tmp/srvsvc hash 0x8e98a76a [2013/01/14 15:31:51.391500, 4] rpc_server/rpc_ncacn_np.c:132(make_internal_rpc_pipe_p) Create pipe requested \srvsvc [2013/01/14 15:31:51.391576, 10] rpc_server/rpc_handles.c:116(init_pipe_handles) init_pipe_handle_list: created handle list for pipe \srvsvc [2013/01/14 15:31:51.391639, 10] rpc_server/rpc_handles.c:133(init_pipe_handles) init_pipe_handle_list: pipe_handles ref count = 1 for pipe \srvsvc [2013/01/14 15:31:51.391720, 4] rpc_server/rpc_ncacn_np.c:176(make_internal_rpc_pipe_p) Created internal pipe \srvsvc (pipes_open=0) [2013/01/14 15:31:51.391787, 5] smbd/nttrans.c:377(do_ntcreate_pipe_open) do_ntcreate_pipe_open: open pipe = \srvsvc [2013/01/14 15:31:51.393304, 10] lib/util_sock.c:519(read_smb_length_return_keepalive) got smb length of 156 [2013/01/14 15:31:51.393400, 6] smbd/process.c:1660(process_smb) got message type 0x0 of len 0x9c [2013/01/14 15:31:51.393464, 3] smbd/process.c:1662(process_smb) Transaction 29 of length 160 (0 toread) [2013/01/14 15:31:51.393569, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:51.393604, 5] lib/util.c:342(show_msg) size=156 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=32771 smb_tid=1 smb_pid=51584 smb_uid=101 smb_mid=1792 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 72 (0x48) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 1024 (0x400) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 84 (0x54) smb_vwv[11]= 72 (0x48) smb_vwv[12]= 84 (0x54) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=11068 (0x2B3C) smb_bcc=89 [2013/01/14 15:31:51.394392, 10] ../lib/util/util.c:415(dump_data) [0000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 00 .\.P.I.P .E.\.... 
[0010] 3F 05 00 0B 00 10 00 00 00 48 00 00 00 00 00 00 ?....... .H...... [0020] 00 30 16 30 16 00 00 00 00 01 00 00 00 00 00 01 .0.0.... ........ [0030] 00 C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 ..O2Kp.. ..xZG.n. [0040] 88 03 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 ......]. ........ [0050] 00 2B 10 48 60 02 00 00 00 .+.H`... . [2013/01/14 15:31:51.394871, 3] smbd/process.c:1467(switch_message) switch message SMBtrans (pid 28678) conn 0xb8d20d18 [2013/01/14 15:31:51.394938, 4] smbd/uid.c:351(change_to_user) Skipping user change - already user [2013/01/14 15:31:51.395017, 3] smbd/ipc.c:560(handle_trans) trans <\PIPE\> data=72 params=0 setup=2 [2013/01/14 15:31:51.395084, 5] smbd/ipc.c:593(handle_trans) calling named_pipe [2013/01/14 15:31:51.395144, 3] smbd/ipc.c:511(named_pipe) named pipe command on <> name [2013/01/14 15:31:51.395206, 5] smbd/ipc.c:434(api_fd_reply) api_fd_reply [2013/01/14 15:31:51.395268, 3] smbd/ipc.c:475(api_fd_reply) Got API command 0x26 on pipe "srvsvc" (pnum 2b3c) [2013/01/14 15:31:51.395333, 10] smbd/ipc.c:477(api_fd_reply) api_fd_reply: p:0xb8d21060 max_trans_reply: 1024 [2013/01/14 15:31:51.395398, 6] rpc_server/srv_pipe_hnd.c:520(np_write_send) np_write_send: len: 72 [2013/01/14 15:31:51.395463, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 72 [2013/01/14 15:31:51.395525, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) process_incoming_data: Start: pdu.length = 0, pdu_needed_len = 0, incoming data = 72 [2013/01/14 15:31:51.395589, 10] rpc_server/srv_pipe_hnd.c:50(fill_rpc_header) fill_rpc_header: data_to_copy = 72, len_needed_to_complete_hdr = 16, receive_len = 0 [2013/01/14 15:31:51.395654, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 16 [2013/01/14 15:31:51.395715, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 56 [2013/01/14 15:31:51.395776, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) 
process_incoming_data: Start: pdu.length = 16, pdu_needed_len = 0, incoming data = 56 [2013/01/14 15:31:51.395842, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 0 [2013/01/14 15:31:51.395903, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 56 [2013/01/14 15:31:51.395964, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) process_incoming_data: Start: pdu.length = 16, pdu_needed_len = 56, incoming data = 56 [2013/01/14 15:31:51.396029, 10] rpc_server/srv_pipe.c:1877(process_complete_pdu) PDU is in Little Endian format! [2013/01/14 15:31:51.396108, 1] ../librpc/ndr/ndr.c:247(ndr_print_debug) r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_BIND (11) pfc_flags : 0x00 (0) drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0048 (72) auth_length : 0x0000 (0) call_id : 0x00000000 (0) u : union dcerpc_payload(case 11) bind: struct dcerpc_bind max_xmit_frag : 0x1630 (5680) max_recv_frag : 0x1630 (5680) assoc_group_id : 0x00000000 (0) num_contexts : 0x01 (1) ctx_list: ARRAY(1) ctx_list: struct dcerpc_ctx_list context_id : 0x0000 (0) num_transfer_syntaxes : 0x01 (1) abstract_syntax: struct ndr_syntax_id uuid : 4b324fc8-1670-01d3-1278-5a47bf6ee188 if_version : 0x00000003 (3) transfer_syntaxes: ARRAY(1) transfer_syntaxes: struct ndr_syntax_id uuid : 8a885d04-1ceb-11c9-9fe8-08002b104860 if_version : 0x00000002 (2) auth_info : DATA_BLOB length=0 [2013/01/14 15:31:51.397211, 10] rpc_server/srv_pipe.c:1890(process_complete_pdu) Processing packet type 11 [2013/01/14 15:31:51.397276, 3] rpc_server/srv_pipe.c:889(api_pipe_bind_req) api_pipe_bind_req: \PIPE\srvsvc -> \PIPE\srvsvc [2013/01/14 15:31:51.397339, 5] rpc_server/srv_pipe.c:923(api_pipe_bind_req) api_pipe_bind_req: make response. 
923 [2013/01/14 15:31:51.397400, 3] rpc_server/srv_pipe.c:339(check_bind_req) check_bind_req for \srvsvc [2013/01/14 15:31:51.397467, 3] rpc_server/srv_pipe.c:346(check_bind_req) check_bind_req: \PIPE\srvsvc -> \PIPE\srvsvc [2013/01/14 15:31:51.397555, 1] ../librpc/ndr/ndr.c:247(ndr_print_debug) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_BIND_ACK (12) pfc_flags : 0x03 (3) drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0044 (68) auth_length : 0x0000 (0) call_id : 0x00000000 (0) u : union dcerpc_payload(case 12) bind_ack: struct dcerpc_bind_ack max_xmit_frag : 0x10b8 (4280) max_recv_frag : 0x10b8 (4280) assoc_group_id : 0x000053f0 (21488) secondary_address_size : 0x000d (13) secondary_address : '\PIPE\srvsvc' _pad1 : DATA_BLOB length=0 num_results : 0x01 (1) ctx_list: ARRAY(1) ctx_list: struct dcerpc_ack_ctx result : 0x0000 (0) reason : 0x0000 (0) syntax: struct ndr_syntax_id uuid : 8a885d04-1ceb-11c9-9fe8-08002b104860 if_version : 0x00000002 (2) auth_info : DATA_BLOB length=0 [2013/01/14 15:31:51.398559, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 56 [2013/01/14 15:31:51.398645, 6] rpc_server/srv_pipe_hnd.c:284(read_from_internal_pipe) name: \srvsvc len: 1024 [2013/01/14 15:31:51.398709, 10] rpc_server/srv_pipe_hnd.c:325(read_from_internal_pipe) read_from_pipe: \srvsvc: current_pdu_len = 68, current_pdu_sent = 0 returning 68 bytes. [2013/01/14 15:31:51.398776, 3] rpc_server/srv_pipe_hnd.c:121(free_pipe_context) free_pipe_context: destroying talloc pool of size 24 [2013/01/14 15:31:51.398851, 10] rpc_server/srv_pipe_hnd.c:788(np_read_recv) Received 68 bytes. 
There is no more data outstanding [2013/01/14 15:31:51.398946, 5] smbd/ipc.c:62(copy_trans_params_and_data) copy_trans_params_and_data: params[0..0] data[0..68] (align 0) [2013/01/14 15:31:51.399011, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:51.399046, 5] lib/util.c:342(show_msg) size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=49155 smb_tid=1 smb_pid=51584 smb_uid=101 smb_mid=1792 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [2013/01/14 15:31:51.399667, 10] ../lib/util/util.c:415(dump_data) [0000] 00 05 00 0C 03 10 00 00 00 44 00 00 00 00 00 00 ........ .D...... [0010] 00 B8 10 B8 10 F0 53 00 00 0D 00 5C 50 49 50 45 ......S. ...\PIPE [0020] 5C 73 72 76 73 76 63 00 00 01 00 00 00 00 00 00 \srvsvc. ........ [0030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H [0040] 60 02 00 00 00 `.... 
[2013/01/14 15:31:51.400480, 10] lib/util_sock.c:519(read_smb_length_return_keepalive) got smb length of 172 [2013/01/14 15:31:51.400551, 6] smbd/process.c:1660(process_smb) got message type 0x0 of len 0xac [2013/01/14 15:31:51.400613, 3] smbd/process.c:1662(process_smb) Transaction 30 of length 176 (0 toread) [2013/01/14 15:31:51.400676, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:51.400711, 5] lib/util.c:342(show_msg) size=172 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=32771 smb_tid=1 smb_pid=51584 smb_uid=101 smb_mid=1856 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 88 (0x58) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 1024 (0x400) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 84 (0x54) smb_vwv[11]= 88 (0x58) smb_vwv[12]= 84 (0x54) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=11068 (0x2B3C) smb_bcc=105 [2013/01/14 15:31:51.401495, 10] ../lib/util/util.c:415(dump_data) [0000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 00 .\.P.I.P .E.\.... [0010] A4 05 00 00 03 10 00 00 00 58 00 00 00 01 00 00 ........ .X...... [0020] 00 40 00 00 00 00 00 10 00 0C D6 98 01 0A 00 00 .@...... ........ [0030] 00 00 00 00 00 0A 00 00 00 5C 00 5C 00 48 00 61 ........ .\.\.H.a [0040] 00 77 00 6B 00 69 00 6E 00 67 00 00 00 06 00 00 .w.k.i.n .g...... [0050] 00 00 00 00 00 06 00 00 00 73 00 74 00 75 00 66 ........ .s.t.u.f [0060] 00 66 00 00 00 01 00 00 00 .f...... . 
[2013/01/14 15:31:51.402046, 3] smbd/process.c:1467(switch_message) switch message SMBtrans (pid 28678) conn 0xb8d20d18 [2013/01/14 15:31:51.402111, 4] smbd/uid.c:351(change_to_user) Skipping user change - already user [2013/01/14 15:31:51.402181, 3] smbd/ipc.c:560(handle_trans) trans <\PIPE\> data=88 params=0 setup=2 [2013/01/14 15:31:51.402247, 5] smbd/ipc.c:593(handle_trans) calling named_pipe [2013/01/14 15:31:51.402306, 3] smbd/ipc.c:511(named_pipe) named pipe command on <> name [2013/01/14 15:31:51.402368, 5] smbd/ipc.c:434(api_fd_reply) api_fd_reply [2013/01/14 15:31:51.402429, 3] smbd/ipc.c:475(api_fd_reply) Got API command 0x26 on pipe "srvsvc" (pnum 2b3c) [2013/01/14 15:31:51.402493, 10] smbd/ipc.c:477(api_fd_reply) api_fd_reply: p:0xb8d21060 max_trans_reply: 1024 [2013/01/14 15:31:51.402557, 6] rpc_server/srv_pipe_hnd.c:520(np_write_send) np_write_send: len: 88 [2013/01/14 15:31:51.402619, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 88 [2013/01/14 15:31:51.402681, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) process_incoming_data: Start: pdu.length = 0, pdu_needed_len = 0, incoming data = 88 [2013/01/14 15:31:51.402744, 10] rpc_server/srv_pipe_hnd.c:50(fill_rpc_header) fill_rpc_header: data_to_copy = 88, len_needed_to_complete_hdr = 16, receive_len = 0 [2013/01/14 15:31:51.402841, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 16 [2013/01/14 15:31:51.402902, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 72 [2013/01/14 15:31:51.402963, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) process_incoming_data: Start: pdu.length = 16, pdu_needed_len = 0, incoming data = 72 [2013/01/14 15:31:51.403028, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 0 [2013/01/14 15:31:51.403089, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 72 [2013/01/14 
15:31:51.403150, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) process_incoming_data: Start: pdu.length = 16, pdu_needed_len = 72, incoming data = 72 [2013/01/14 15:31:51.403214, 10] rpc_server/srv_pipe.c:1877(process_complete_pdu) PDU is in Little Endian format! [2013/01/14 15:31:51.403285, 1] ../librpc/ndr/ndr.c:247(ndr_print_debug) r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0058 (88) auth_length : 0x0000 (0) call_id : 0x00000001 (1) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000040 (64) context_id : 0x0000 (0) opnum : 0x0010 (16) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=64 [0000] 0C D6 98 01 0A 00 00 00 00 00 00 00 0A 00 00 00 ........ ........ [0010] 5C 00 5C 00 48 00 61 00 77 00 6B 00 69 00 6E 00 \.\.H.a. w.k.i.n. [0020] 67 00 00 00 06 00 00 00 00 00 00 00 06 00 00 00 g....... ........ [0030] 73 00 74 00 75 00 66 00 66 00 00 00 01 00 00 00 s.t.u.f. f....... [2013/01/14 15:31:51.404408, 10] rpc_server/srv_pipe.c:1890(process_complete_pdu) Processing packet type 0 [2013/01/14 15:31:51.404470, 10] rpc_server/srv_pipe.c:1734(dcesrv_auth_request) Checking request auth. 
[2013/01/14 15:31:51.404534, 5] rpc_server/srv_pipe.c:1571(api_pipe_request) Requested \PIPE\\srvsvc [2013/01/14 15:31:51.404599, 4] rpc_server/srv_pipe.c:1611(api_rpcTNP) api_rpcTNP: \srvsvc op 0x10 - api_rpcTNP: rpc command: SRVSVC_NETSHAREGETINFO [2013/01/14 15:31:51.404668, 6] rpc_server/srv_pipe.c:1645(api_rpcTNP) api_rpc_cmds[16].fn == 0xb71a3660 [2013/01/14 15:31:51.404739, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) srvsvc_NetShareGetInfo: struct srvsvc_NetShareGetInfo in: struct srvsvc_NetShareGetInfo server_unc : * server_unc : '\\Hawking' share_name : 'stuff' level : 0x00000001 (1) [2013/01/14 15:31:51.404964, 5] rpc_server/srvsvc/srv_srvsvc_nt.c:1440(_srvsvc_NetShareGetInfo) _srvsvc_NetShareGetInfo: 1440 [2013/01/14 15:31:51.405061, 5] rpc_server/srvsvc/srv_srvsvc_nt.c:1510(_srvsvc_NetShareGetInfo) _srvsvc_NetShareGetInfo: 1510 [2013/01/14 15:31:51.405124, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) srvsvc_NetShareGetInfo: struct srvsvc_NetShareGetInfo out: struct srvsvc_NetShareGetInfo info : * info : union srvsvc_NetShareInfo(case 1) info1 : * info1: struct srvsvc_NetShareInfo1 name : * name : 'stuff' type : STYPE_DISKTREE (0x0) comment : * comment : 'Assorted files' result : WERR_OK [2013/01/14 15:31:51.405601, 5] rpc_server/srv_pipe.c:1679(api_rpcTNP) api_rpcTNP: called \srvsvc successfully [2013/01/14 15:31:51.405669, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 72 [2013/01/14 15:31:51.405751, 6] rpc_server/srv_pipe_hnd.c:284(read_from_internal_pipe) name: \srvsvc len: 1024 [2013/01/14 15:31:51.405815, 10] rpc_server/srv_pipe_hnd.c:346(read_from_internal_pipe) read_from_pipe: \srvsvc: fault_state = 0 : data_sent_length = 0, p->out_data.rdata.length = 92. 
[2013/01/14 15:31:51.405893, 1] ../librpc/ndr/ndr.c:247(ndr_print_debug) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0074 (116) auth_length : 0x0000 (0) call_id : 0x00000001 (1) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x0000005c (92) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=92 [0000] 01 00 00 00 04 00 02 00 08 00 02 00 00 00 00 00 ........ ........ [0010] 0C 00 02 00 06 00 00 00 00 00 00 00 06 00 00 00 ........ ........ [0020] 73 00 74 00 75 00 66 00 66 00 00 00 0F 00 00 00 s.t.u.f. f....... [0030] 00 00 00 00 0F 00 00 00 41 00 73 00 73 00 6F 00 ........ A.s.s.o. [0040] 72 00 74 00 65 00 64 00 20 00 66 00 69 00 6C 00 r.t.e.d. .f.i.l. [0050] 65 00 73 00 00 00 00 00 00 00 00 00 e.s..... .... [2013/01/14 15:31:51.407162, 3] rpc_server/srv_pipe_hnd.c:121(free_pipe_context) free_pipe_context: destroying talloc pool of size 66 [2013/01/14 15:31:51.407240, 10] rpc_server/srv_pipe_hnd.c:788(np_read_recv) Received 116 bytes. There is no more data outstanding [2013/01/14 15:31:51.407306, 5] smbd/ipc.c:62(copy_trans_params_and_data) copy_trans_params_and_data: params[0..0] data[0..116] (align 0) [2013/01/14 15:31:51.407370, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:51.407405, 5] lib/util.c:342(show_msg) size=172 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=49155 smb_tid=1 smb_pid=51584 smb_uid=101 smb_mid=1856 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 116 (0x74) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 116 (0x74) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=117 [2013/01/14 15:31:51.408025, 10] ../lib/util/util.c:415(dump_data) [0000] 00 05 00 02 03 10 00 00 00 74 00 00 00 01 00 00 ........ 
.t...... [0010] 00 5C 00 00 00 00 00 00 00 01 00 00 00 04 00 02 .\...... ........ [0020] 00 08 00 02 00 00 00 00 00 0C 00 02 00 06 00 00 ........ ........ [0030] 00 00 00 00 00 06 00 00 00 73 00 74 00 75 00 66 ........ .s.t.u.f [0040] 00 66 00 00 00 0F 00 00 00 00 00 00 00 0F 00 00 .f...... ........ [0050] 00 41 00 73 00 73 00 6F 00 72 00 74 00 65 00 64 .A.s.s.o .r.t.e.d [0060] 00 20 00 66 00 69 00 6C 00 65 00 73 00 00 00 00 . .f.i.l .e.s.... [0070] 00 00 00 00 00 ..... [2013/01/14 15:31:51.410160, 10] lib/util_sock.c:519(read_smb_length_return_keepalive) got smb length of 42 [2013/01/14 15:31:51.410251, 6] smbd/process.c:1660(process_smb) got message type 0x0 of len 0x2a [2013/01/14 15:31:51.410314, 3] smbd/process.c:1662(process_smb) Transaction 31 of length 46 (0 toread) [2013/01/14 15:31:51.410377, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:51.410412, 5] lib/util.c:342(show_msg) size=42 smb_com=0x4 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=32771 smb_tid=1 smb_pid=51966 smb_uid=101 smb_mid=1920 smt_wct=3 smb_vwv[ 0]=11068 (0x2B3C) smb_vwv[ 1]=65535 (0xFFFF) smb_vwv[ 2]=65535 (0xFFFF) smb_bcc=0 [2013/01/14 15:31:51.410843, 10] ../lib/util/util.c:415(dump_data) [2013/01/14 15:31:51.410881, 3] smbd/process.c:1467(switch_message) switch message SMBclose (pid 28678) conn 0xb8d20d18 [2013/01/14 15:31:51.410945, 4] smbd/uid.c:351(change_to_user) Skipping user change - already user [2013/01/14 15:31:51.411009, 3] smbd/reply.c:4848(reply_close) close fd=-1 fnum=11068 (numopen=1) [2013/01/14 15:31:51.411073, 6] smbd/close.c:532(set_close_write_time) close_write_time: Wed Dec 31 18:59:59 1969 [2013/01/14 15:31:51.411152, 10] rpc_server/rpc_handles.c:307(close_policy_by_pipe) close_policy_by_pipe: deleted handle list for pipe \srvsvc [2013/01/14 15:31:51.411225, 5] smbd/files.c:482(file_free) freed files structure 11068 (0 used) [2013/01/14 15:31:51.411291, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:51.411326, 5] lib/util.c:342(show_msg) size=35 smb_com=0x4 
smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=49155 smb_tid=1 smb_pid=51966 smb_uid=101 smb_mid=1920 smt_wct=0 smb_bcc=0 [2013/01/14 15:31:51.411675, 10] ../lib/util/util.c:415(dump_data) [2013/01/14 15:31:51.413065, 10] lib/util_sock.c:519(read_smb_length_return_keepalive) got smb length of 100 [2013/01/14 15:31:51.413133, 6] smbd/process.c:1660(process_smb) got message type 0x0 of len 0x64 [2013/01/14 15:31:51.413196, 3] smbd/process.c:1662(process_smb) Transaction 32 of length 104 (0 toread) [2013/01/14 15:31:51.413258, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:51.413293, 5] lib/util.c:342(show_msg) size=100 smb_com=0xa2 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=32771 smb_tid=1 smb_pid=51584 smb_uid=101 smb_mid=1984 smt_wct=24 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 0 (0x0) smb_vwv[ 2]= 3584 (0xE00) smb_vwv[ 3]= 1536 (0x600) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]=40704 (0x9F00) smb_vwv[ 8]= 513 (0x201) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 0 (0x0) smb_vwv[11]= 0 (0x0) smb_vwv[12]= 0 (0x0) smb_vwv[13]= 0 (0x0) smb_vwv[14]= 0 (0x0) smb_vwv[15]= 768 (0x300) smb_vwv[16]= 0 (0x0) smb_vwv[17]= 256 (0x100) smb_vwv[18]= 0 (0x0) smb_vwv[19]= 0 (0x0) smb_vwv[20]= 0 (0x0) smb_vwv[21]= 512 (0x200) smb_vwv[22]= 0 (0x0) smb_vwv[23]= 256 (0x100) smb_bcc=17 [2013/01/14 15:31:51.414293, 10] ../lib/util/util.c:415(dump_data) [0000] 3F 5C 00 73 00 72 00 76 00 73 00 76 00 63 00 00 ?\.s.r.v .s.v.c.. [0010] 00 . 
[2013/01/14 15:31:51.414452, 3] smbd/process.c:1467(switch_message) switch message SMBntcreateX (pid 28678) conn 0xb8d20d18 [2013/01/14 15:31:51.414516, 4] smbd/uid.c:351(change_to_user) Skipping user change - already user [2013/01/14 15:31:51.414582, 10] smbd/nttrans.c:500(reply_ntcreate_and_X) reply_ntcreate_and_X: flags = 0x6, access_mask = 0x2019f file_attributes = 0x0, share_access = 0x3, create_disposition = 0x1 create_options = 0x0 root_dir_fid = 0x0, fname = srvsvc [2013/01/14 15:31:51.414652, 4] smbd/nttrans.c:288(nt_open_pipe) nt_open_pipe: Opening pipe \srvsvc. [2013/01/14 15:31:51.414719, 5] smbd/files.c:140(file_new) allocated file structure 6973, fnum = 11069 (1 used) [2013/01/14 15:31:51.414788, 10] smbd/files.c:705(file_name_hash) file_name_hash: /tmp/srvsvc hash 0x8e98a76a [2013/01/14 15:31:51.414909, 4] rpc_server/rpc_ncacn_np.c:132(make_internal_rpc_pipe_p) Create pipe requested \srvsvc [2013/01/14 15:31:51.414980, 10] rpc_server/rpc_handles.c:116(init_pipe_handles) init_pipe_handle_list: created handle list for pipe \srvsvc [2013/01/14 15:31:51.415042, 10] rpc_server/rpc_handles.c:133(init_pipe_handles) init_pipe_handle_list: pipe_handles ref count = 1 for pipe \srvsvc [2013/01/14 15:31:51.415120, 4] rpc_server/rpc_ncacn_np.c:176(make_internal_rpc_pipe_p) Created internal pipe \srvsvc (pipes_open=0) [2013/01/14 15:31:51.415186, 5] smbd/nttrans.c:377(do_ntcreate_pipe_open) do_ntcreate_pipe_open: open pipe = \srvsvc [2013/01/14 15:31:51.416689, 10] lib/util_sock.c:519(read_smb_length_return_keepalive) got smb length of 156 [2013/01/14 15:31:51.416759, 6] smbd/process.c:1660(process_smb) got message type 0x0 of len 0x9c [2013/01/14 15:31:51.416822, 3] smbd/process.c:1662(process_smb) Transaction 33 of length 160 (0 toread) [2013/01/14 15:31:51.416885, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:51.416920, 5] lib/util.c:342(show_msg) size=156 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=32771 smb_tid=1 smb_pid=51584 smb_uid=101 
smb_mid=2048 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 72 (0x48) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 1024 (0x400) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 84 (0x54) smb_vwv[11]= 72 (0x48) smb_vwv[12]= 84 (0x54) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=11069 (0x2B3D) smb_bcc=89 [2013/01/14 15:31:51.417706, 10] ../lib/util/util.c:415(dump_data) [0000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 00 .\.P.I.P .E.\.... [0010] 3F 05 00 0B 00 10 00 00 00 48 00 00 00 69 00 6E ?....... .H...i.n [0020] 00 30 16 30 16 00 00 00 00 01 00 00 00 00 00 01 .0.0.... ........ [0030] 00 C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 ..O2Kp.. ..xZG.n. [0040] 88 03 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 ......]. ........ [0050] 00 2B 10 48 60 02 00 00 00 .+.H`... . [2013/01/14 15:31:51.418179, 3] smbd/process.c:1467(switch_message) switch message SMBtrans (pid 28678) conn 0xb8d20d18 [2013/01/14 15:31:51.418243, 4] smbd/uid.c:351(change_to_user) Skipping user change - already user [2013/01/14 15:31:51.418314, 3] smbd/ipc.c:560(handle_trans) trans <\PIPE\> data=72 params=0 setup=2 [2013/01/14 15:31:51.418380, 5] smbd/ipc.c:593(handle_trans) calling named_pipe [2013/01/14 15:31:51.418440, 3] smbd/ipc.c:511(named_pipe) named pipe command on <> name [2013/01/14 15:31:51.418502, 5] smbd/ipc.c:434(api_fd_reply) api_fd_reply [2013/01/14 15:31:51.418564, 3] smbd/ipc.c:475(api_fd_reply) Got API command 0x26 on pipe "srvsvc" (pnum 2b3d) [2013/01/14 15:31:51.418627, 10] smbd/ipc.c:477(api_fd_reply) api_fd_reply: p:0xb8d21060 max_trans_reply: 1024 [2013/01/14 15:31:51.418692, 6] rpc_server/srv_pipe_hnd.c:520(np_write_send) np_write_send: len: 72 [2013/01/14 15:31:51.418757, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 72 [2013/01/14 15:31:51.418819, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) process_incoming_data: Start: pdu.length = 
0, pdu_needed_len = 0, incoming data = 72 [2013/01/14 15:31:51.418883, 10] rpc_server/srv_pipe_hnd.c:50(fill_rpc_header) fill_rpc_header: data_to_copy = 72, len_needed_to_complete_hdr = 16, receive_len = 0 [2013/01/14 15:31:51.418948, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 16 [2013/01/14 15:31:51.419009, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 56 [2013/01/14 15:31:51.419070, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) process_incoming_data: Start: pdu.length = 16, pdu_needed_len = 0, incoming data = 56 [2013/01/14 15:31:51.419172, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 0 [2013/01/14 15:31:51.419234, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 56 [2013/01/14 15:31:51.419295, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) process_incoming_data: Start: pdu.length = 16, pdu_needed_len = 56, incoming data = 56 [2013/01/14 15:31:51.419360, 10] rpc_server/srv_pipe.c:1877(process_complete_pdu) PDU is in Little Endian format! 
[2013/01/14 15:31:51.419440, 1] ../librpc/ndr/ndr.c:247(ndr_print_debug) r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_BIND (11) pfc_flags : 0x00 (0) drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0048 (72) auth_length : 0x0000 (0) call_id : 0x006e0069 (7209065) u : union dcerpc_payload(case 11) bind: struct dcerpc_bind max_xmit_frag : 0x1630 (5680) max_recv_frag : 0x1630 (5680) assoc_group_id : 0x00000000 (0) num_contexts : 0x01 (1) ctx_list: ARRAY(1) ctx_list: struct dcerpc_ctx_list context_id : 0x0000 (0) num_transfer_syntaxes : 0x01 (1) abstract_syntax: struct ndr_syntax_id uuid : 4b324fc8-1670-01d3-1278-5a47bf6ee188 if_version : 0x00000003 (3) transfer_syntaxes: ARRAY(1) transfer_syntaxes: struct ndr_syntax_id uuid : 8a885d04-1ceb-11c9-9fe8-08002b104860 if_version : 0x00000002 (2) auth_info : DATA_BLOB length=0 [2013/01/14 15:31:51.420505, 10] rpc_server/srv_pipe.c:1890(process_complete_pdu) Processing packet type 11 [2013/01/14 15:31:51.420570, 3] rpc_server/srv_pipe.c:889(api_pipe_bind_req) api_pipe_bind_req: \PIPE\srvsvc -> \PIPE\srvsvc [2013/01/14 15:31:51.420633, 5] rpc_server/srv_pipe.c:923(api_pipe_bind_req) api_pipe_bind_req: make response. 
923 [2013/01/14 15:31:51.420695, 3] rpc_server/srv_pipe.c:339(check_bind_req) check_bind_req for \srvsvc [2013/01/14 15:31:51.420760, 3] rpc_server/srv_pipe.c:346(check_bind_req) check_bind_req: \PIPE\srvsvc -> \PIPE\srvsvc [2013/01/14 15:31:51.420848, 1] ../librpc/ndr/ndr.c:247(ndr_print_debug) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_BIND_ACK (12) pfc_flags : 0x03 (3) drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0044 (68) auth_length : 0x0000 (0) call_id : 0x006e0069 (7209065) u : union dcerpc_payload(case 12) bind_ack: struct dcerpc_bind_ack max_xmit_frag : 0x10b8 (4280) max_recv_frag : 0x10b8 (4280) assoc_group_id : 0x000053f0 (21488) secondary_address_size : 0x000d (13) secondary_address : '\PIPE\srvsvc' _pad1 : DATA_BLOB length=0 num_results : 0x01 (1) ctx_list: ARRAY(1) ctx_list: struct dcerpc_ack_ctx result : 0x0000 (0) reason : 0x0000 (0) syntax: struct ndr_syntax_id uuid : 8a885d04-1ceb-11c9-9fe8-08002b104860 if_version : 0x00000002 (2) auth_info : DATA_BLOB length=0 [2013/01/14 15:31:51.421882, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 56 [2013/01/14 15:31:51.421968, 6] rpc_server/srv_pipe_hnd.c:284(read_from_internal_pipe) name: \srvsvc len: 1024 [2013/01/14 15:31:51.422033, 10] rpc_server/srv_pipe_hnd.c:325(read_from_internal_pipe) read_from_pipe: \srvsvc: current_pdu_len = 68, current_pdu_sent = 0 returning 68 bytes. [2013/01/14 15:31:51.422100, 3] rpc_server/srv_pipe_hnd.c:121(free_pipe_context) free_pipe_context: destroying talloc pool of size 24 [2013/01/14 15:31:51.422176, 10] rpc_server/srv_pipe_hnd.c:788(np_read_recv) Received 68 bytes. 
There is no more data outstanding [2013/01/14 15:31:51.422242, 5] smbd/ipc.c:62(copy_trans_params_and_data) copy_trans_params_and_data: params[0..0] data[0..68] (align 0) [2013/01/14 15:31:51.422306, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:51.422341, 5] lib/util.c:342(show_msg) size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=49155 smb_tid=1 smb_pid=51584 smb_uid=101 smb_mid=2048 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [2013/01/14 15:31:51.422961, 10] ../lib/util/util.c:415(dump_data) [0000] 00 05 00 0C 03 10 00 00 00 44 00 00 00 69 00 6E ........ .D...i.n [0010] 00 B8 10 B8 10 F0 53 00 00 0D 00 5C 50 49 50 45 ......S. ...\PIPE [0020] 5C 73 72 76 73 76 63 00 00 01 00 00 00 00 00 00 \srvsvc. ........ [0030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H [0040] 60 02 00 00 00 `.... 
[2013/01/14 15:31:51.423754, 10] lib/util_sock.c:519(read_smb_length_return_keepalive) got smb length of 172 [2013/01/14 15:31:51.423825, 6] smbd/process.c:1660(process_smb) got message type 0x0 of len 0xac [2013/01/14 15:31:51.423888, 3] smbd/process.c:1662(process_smb) Transaction 34 of length 176 (0 toread) [2013/01/14 15:31:51.423950, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:51.423985, 5] lib/util.c:342(show_msg) size=172 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=32771 smb_tid=1 smb_pid=51584 smb_uid=101 smb_mid=2112 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 88 (0x58) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 1024 (0x400) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 84 (0x54) smb_vwv[11]= 88 (0x58) smb_vwv[12]= 84 (0x54) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=11069 (0x2B3D) smb_bcc=105 [2013/01/14 15:31:51.424770, 10] ../lib/util/util.c:415(dump_data) [0000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 00 .\.P.I.P .E.\.... [0010] A4 05 00 00 03 10 00 00 00 58 00 00 00 01 00 00 ........ .X...... [0020] 00 40 00 00 00 00 00 10 00 90 F0 98 01 0A 00 00 .@...... ........ [0030] 00 00 00 00 00 0A 00 00 00 5C 00 5C 00 48 00 61 ........ .\.\.H.a [0040] 00 77 00 6B 00 69 00 6E 00 67 00 00 00 06 00 00 .w.k.i.n .g...... [0050] 00 00 00 00 00 06 00 00 00 73 00 74 00 75 00 66 ........ .s.t.u.f [0060] 00 66 00 00 00 01 00 00 00 .f...... . 
[2013/01/14 15:31:51.425317, 3] smbd/process.c:1467(switch_message) switch message SMBtrans (pid 28678) conn 0xb8d20d18 [2013/01/14 15:31:51.425382, 4] smbd/uid.c:351(change_to_user) Skipping user change - already user [2013/01/14 15:31:51.425483, 3] smbd/ipc.c:560(handle_trans) trans <\PIPE\> data=88 params=0 setup=2 [2013/01/14 15:31:51.425549, 5] smbd/ipc.c:593(handle_trans) calling named_pipe [2013/01/14 15:31:51.425609, 3] smbd/ipc.c:511(named_pipe) named pipe command on <> name [2013/01/14 15:31:51.425670, 5] smbd/ipc.c:434(api_fd_reply) api_fd_reply [2013/01/14 15:31:51.425732, 3] smbd/ipc.c:475(api_fd_reply) Got API command 0x26 on pipe "srvsvc" (pnum 2b3d) [2013/01/14 15:31:51.425797, 10] smbd/ipc.c:477(api_fd_reply) api_fd_reply: p:0xb8d21060 max_trans_reply: 1024 [2013/01/14 15:31:51.425860, 6] rpc_server/srv_pipe_hnd.c:520(np_write_send) np_write_send: len: 88 [2013/01/14 15:31:51.425922, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 88 [2013/01/14 15:31:51.425984, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) process_incoming_data: Start: pdu.length = 0, pdu_needed_len = 0, incoming data = 88 [2013/01/14 15:31:51.426048, 10] rpc_server/srv_pipe_hnd.c:50(fill_rpc_header) fill_rpc_header: data_to_copy = 88, len_needed_to_complete_hdr = 16, receive_len = 0 [2013/01/14 15:31:51.426113, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 16 [2013/01/14 15:31:51.426174, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 72 [2013/01/14 15:31:51.426235, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) process_incoming_data: Start: pdu.length = 16, pdu_needed_len = 0, incoming data = 72 [2013/01/14 15:31:51.426317, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 0 [2013/01/14 15:31:51.426378, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 72 [2013/01/14 
15:31:51.426439, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) process_incoming_data: Start: pdu.length = 16, pdu_needed_len = 72, incoming data = 72 [2013/01/14 15:31:51.426504, 10] rpc_server/srv_pipe.c:1877(process_complete_pdu) PDU is in Little Endian format! [2013/01/14 15:31:51.426576, 1] ../librpc/ndr/ndr.c:247(ndr_print_debug) r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0058 (88) auth_length : 0x0000 (0) call_id : 0x00000001 (1) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000040 (64) context_id : 0x0000 (0) opnum : 0x0010 (16) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=64 [0000] 90 F0 98 01 0A 00 00 00 00 00 00 00 0A 00 00 00 ........ ........ [0010] 5C 00 5C 00 48 00 61 00 77 00 6B 00 69 00 6E 00 \.\.H.a. w.k.i.n. [0020] 67 00 00 00 06 00 00 00 00 00 00 00 06 00 00 00 g....... ........ [0030] 73 00 74 00 75 00 66 00 66 00 00 00 01 00 00 00 s.t.u.f. f....... [2013/01/14 15:31:51.427702, 10] rpc_server/srv_pipe.c:1890(process_complete_pdu) Processing packet type 0 [2013/01/14 15:31:51.427764, 10] rpc_server/srv_pipe.c:1734(dcesrv_auth_request) Checking request auth. 
[2013/01/14 15:31:51.427829, 5] rpc_server/srv_pipe.c:1571(api_pipe_request) Requested \PIPE\\srvsvc [2013/01/14 15:31:51.427893, 4] rpc_server/srv_pipe.c:1611(api_rpcTNP) api_rpcTNP: \srvsvc op 0x10 - api_rpcTNP: rpc command: SRVSVC_NETSHAREGETINFO [2013/01/14 15:31:51.427961, 6] rpc_server/srv_pipe.c:1645(api_rpcTNP) api_rpc_cmds[16].fn == 0xb71a3660 [2013/01/14 15:31:51.428056, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) srvsvc_NetShareGetInfo: struct srvsvc_NetShareGetInfo in: struct srvsvc_NetShareGetInfo server_unc : * server_unc : '\\Hawking' share_name : 'stuff' level : 0x00000001 (1) [2013/01/14 15:31:51.428282, 5] rpc_server/srvsvc/srv_srvsvc_nt.c:1440(_srvsvc_NetShareGetInfo) _srvsvc_NetShareGetInfo: 1440 [2013/01/14 15:31:51.428379, 5] rpc_server/srvsvc/srv_srvsvc_nt.c:1510(_srvsvc_NetShareGetInfo) _srvsvc_NetShareGetInfo: 1510 [2013/01/14 15:31:51.428442, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) srvsvc_NetShareGetInfo: struct srvsvc_NetShareGetInfo out: struct srvsvc_NetShareGetInfo info : * info : union srvsvc_NetShareInfo(case 1) info1 : * info1: struct srvsvc_NetShareInfo1 name : * name : 'stuff' type : STYPE_DISKTREE (0x0) comment : * comment : 'Assorted files' result : WERR_OK [2013/01/14 15:31:51.428887, 5] rpc_server/srv_pipe.c:1679(api_rpcTNP) api_rpcTNP: called \srvsvc successfully [2013/01/14 15:31:51.428954, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 72 [2013/01/14 15:31:51.429037, 6] rpc_server/srv_pipe_hnd.c:284(read_from_internal_pipe) name: \srvsvc len: 1024 [2013/01/14 15:31:51.429102, 10] rpc_server/srv_pipe_hnd.c:346(read_from_internal_pipe) read_from_pipe: \srvsvc: fault_state = 0 : data_sent_length = 0, p->out_data.rdata.length = 92. 
[2013/01/14 15:31:51.429180, 1] ../librpc/ndr/ndr.c:247(ndr_print_debug) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0074 (116) auth_length : 0x0000 (0) call_id : 0x00000001 (1) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x0000005c (92) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=92 [0000] 01 00 00 00 04 00 02 00 08 00 02 00 00 00 00 00 ........ ........ [0010] 0C 00 02 00 06 00 00 00 00 00 00 00 06 00 00 00 ........ ........ [0020] 73 00 74 00 75 00 66 00 66 00 00 00 0F 00 00 00 s.t.u.f. f....... [0030] 00 00 00 00 0F 00 00 00 41 00 73 00 73 00 6F 00 ........ A.s.s.o. [0040] 72 00 74 00 65 00 64 00 20 00 66 00 69 00 6C 00 r.t.e.d. .f.i.l. [0050] 65 00 73 00 00 00 00 00 00 00 00 00 e.s..... .... [2013/01/14 15:31:51.430427, 3] rpc_server/srv_pipe_hnd.c:121(free_pipe_context) free_pipe_context: destroying talloc pool of size 66 [2013/01/14 15:31:51.430505, 10] rpc_server/srv_pipe_hnd.c:788(np_read_recv) Received 116 bytes. There is no more data outstanding [2013/01/14 15:31:51.430572, 5] smbd/ipc.c:62(copy_trans_params_and_data) copy_trans_params_and_data: params[0..0] data[0..116] (align 0) [2013/01/14 15:31:51.430636, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:51.430671, 5] lib/util.c:342(show_msg) size=172 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=49155 smb_tid=1 smb_pid=51584 smb_uid=101 smb_mid=2112 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 116 (0x74) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 116 (0x74) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=117 [2013/01/14 15:31:51.431321, 10] ../lib/util/util.c:415(dump_data) [0000] 00 05 00 02 03 10 00 00 00 74 00 00 00 01 00 00 ........ 
.t...... [0010] 00 5C 00 00 00 00 00 00 00 01 00 00 00 04 00 02 .\...... ........ [0020] 00 08 00 02 00 00 00 00 00 0C 00 02 00 06 00 00 ........ ........ [0030] 00 00 00 00 00 06 00 00 00 73 00 74 00 75 00 66 ........ .s.t.u.f [0040] 00 66 00 00 00 0F 00 00 00 00 00 00 00 0F 00 00 .f...... ........ [0050] 00 41 00 73 00 73 00 6F 00 72 00 74 00 65 00 64 .A.s.s.o .r.t.e.d [0060] 00 20 00 66 00 69 00 6C 00 65 00 73 00 00 00 00 . .f.i.l .e.s.... [0070] 00 00 00 00 00 ..... [2013/01/14 15:31:51.433407, 10] lib/util_sock.c:519(read_smb_length_return_keepalive) got smb length of 42 [2013/01/14 15:31:51.433479, 6] smbd/process.c:1660(process_smb) got message type 0x0 of len 0x2a [2013/01/14 15:31:51.433541, 3] smbd/process.c:1662(process_smb) Transaction 35 of length 46 (0 toread) [2013/01/14 15:31:51.433604, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:51.433639, 5] lib/util.c:342(show_msg) size=42 smb_com=0x4 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=32771 smb_tid=1 smb_pid=51966 smb_uid=101 smb_mid=2176 smt_wct=3 smb_vwv[ 0]=11069 (0x2B3D) smb_vwv[ 1]=65535 (0xFFFF) smb_vwv[ 2]=65535 (0xFFFF) smb_bcc=0 [2013/01/14 15:31:51.434071, 10] ../lib/util/util.c:415(dump_data) [2013/01/14 15:31:51.434108, 3] smbd/process.c:1467(switch_message) switch message SMBclose (pid 28678) conn 0xb8d20d18 [2013/01/14 15:31:51.434172, 4] smbd/uid.c:351(change_to_user) Skipping user change - already user [2013/01/14 15:31:51.434236, 3] smbd/reply.c:4848(reply_close) close fd=-1 fnum=11069 (numopen=1) [2013/01/14 15:31:51.434299, 6] smbd/close.c:532(set_close_write_time) close_write_time: Wed Dec 31 18:59:59 1969 [2013/01/14 15:31:51.434375, 10] rpc_server/rpc_handles.c:307(close_policy_by_pipe) close_policy_by_pipe: deleted handle list for pipe \srvsvc [2013/01/14 15:31:51.434447, 5] smbd/files.c:482(file_free) freed files structure 11069 (0 used) [2013/01/14 15:31:51.434512, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:51.434547, 5] lib/util.c:342(show_msg) size=35 smb_com=0x4 
smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=49155 smb_tid=1 smb_pid=51966 smb_uid=101 smb_mid=2176 smt_wct=0 smb_bcc=0 [2013/01/14 15:31:51.434896, 10] ../lib/util/util.c:415(dump_data) [2013/01/14 15:31:51.435458, 10] lib/util_sock.c:519(read_smb_length_return_keepalive) got smb length of 82 [2013/01/14 15:31:51.435528, 6] smbd/process.c:1660(process_smb) got message type 0x0 of len 0x52 [2013/01/14 15:31:51.435591, 3] smbd/process.c:1662(process_smb) Transaction 36 of length 86 (0 toread) [2013/01/14 15:31:51.435653, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:51.435688, 5] lib/util.c:342(show_msg) size=82 smb_com=0x75 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=32771 smb_tid=0 smb_pid=51966 smb_uid=101 smb_mid=2240 smt_wct=4 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 0 (0x0) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 1 (0x1) smb_bcc=39 [2013/01/14 15:31:51.436146, 10] ../lib/util/util.c:415(dump_data) [0000] 00 5C 00 5C 00 48 00 41 00 57 00 4B 00 49 00 4E .\.\.H.A .W.K.I.N [0010] 00 47 00 5C 00 53 00 54 00 55 00 46 00 46 00 00 .G.\.S.T .U.F.F.. [0020] 00 3F 3F 3F 3F 3F 00 .?????. [2013/01/14 15:31:51.436401, 3] smbd/process.c:1467(switch_message) switch message SMBtconX (pid 28678) conn 0x0 [2013/01/14 15:31:51.436500, 4] smbd/sec_ctx.c:314(set_sec_ctx) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 [2013/01/14 15:31:51.436564, 5] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2013/01/14 15:31:51.436625, 5] auth/token_util.c:527(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2013/01/14 15:31:51.436732, 5] smbd/uid.c:400(change_to_root_user) change_to_root_user: now uid=(0,0) gid=(0,0) [2013/01/14 15:31:51.436816, 4] smbd/reply.c:794(reply_tcon_and_X) Client requested device type [?????] 
for share [STUFF] [2013/01/14 15:31:51.436903, 5] smbd/service.c:1354(make_connection) making a connection to 'normal' service stuff [2013/01/14 15:31:51.436978, 3] lib/access.c:338(allow_access) Allowed connection from 192.168.7.2 (192.168.7.2) [2013/01/14 15:31:51.437056, 3] ../libcli/security/dom_sid.c:208(dom_sid_parse_endp) string_to_sid: SID +WARGAMES\Domain Admins is not in a valid format [2013/01/14 15:31:51.437123, 10] passdb/lookup_sid.c:76(lookup_name) lookup_name: WARGAMES\Domain Admins => domain=[WARGAMES], name=[Domain Admins] [2013/01/14 15:31:51.437186, 10] passdb/lookup_sid.c:77(lookup_name) lookup_name: flags = 0x077 [2013/01/14 15:31:51.438427, 3] ../libcli/security/dom_sid.c:208(dom_sid_parse_endp) string_to_sid: SID WARGAMES\smythe is not in a valid format [2013/01/14 15:31:51.438500, 10] passdb/lookup_sid.c:76(lookup_name) lookup_name: WARGAMES\smythe => domain=[WARGAMES], name=[smythe] [2013/01/14 15:31:51.438563, 10] passdb/lookup_sid.c:77(lookup_name) lookup_name: flags = 0x073 [2013/01/14 15:31:51.439599, 10] smbd/share_access.c:219(user_ok_token) User WARGAMES\administrator not in 'valid users' [2013/01/14 15:31:51.439665, 2] smbd/service.c:627(create_connection_session_info) user 'WARGAMES\administrator' (from session setup) not permitted to access this share (stuff) [2013/01/14 15:31:51.439733, 1] smbd/service.c:805(make_connection_snum) create_connection_session_info failed: NT_STATUS_ACCESS_DENIED [2013/01/14 15:31:51.439806, 3] smbd/error.c:81(error_packet_set) error packet at smbd/reply.c(803) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED [2013/01/14 15:31:51.439872, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:51.439907, 5] lib/util.c:342(show_msg) size=35 smb_com=0x75 smb_rcls=34 smb_reh=0 smb_err=49152 smb_flg=136 smb_flg2=49155 smb_tid=0 smb_pid=51966 smb_uid=101 smb_mid=2240 smt_wct=0 smb_bcc=0 [2013/01/14 15:31:51.440258, 10] ../lib/util/util.c:415(dump_data) [2013/01/14 15:31:51.443333, 10] 
lib/util_sock.c:519(read_smb_length_return_keepalive) got smb length of 82 [2013/01/14 15:31:51.443407, 6] smbd/process.c:1660(process_smb) got message type 0x0 of len 0x52 [2013/01/14 15:31:51.443470, 3] smbd/process.c:1662(process_smb) Transaction 37 of length 86 (0 toread) [2013/01/14 15:31:51.443532, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:51.443567, 5] lib/util.c:342(show_msg) size=82 smb_com=0x75 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=32771 smb_tid=0 smb_pid=51966 smb_uid=101 smb_mid=2304 smt_wct=4 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 0 (0x0) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 1 (0x1) smb_bcc=39 [2013/01/14 15:31:51.444028, 10] ../lib/util/util.c:415(dump_data) [0000] 00 5C 00 5C 00 48 00 41 00 57 00 4B 00 49 00 4E .\.\.H.A .W.K.I.N [0010] 00 47 00 5C 00 53 00 54 00 55 00 46 00 46 00 00 .G.\.S.T .U.F.F.. [0020] 00 3F 3F 3F 3F 3F 00 .?????. [2013/01/14 15:31:51.444273, 3] smbd/process.c:1467(switch_message) switch message SMBtconX (pid 28678) conn 0x0 [2013/01/14 15:31:51.444337, 4] smbd/sec_ctx.c:314(set_sec_ctx) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 [2013/01/14 15:31:51.444400, 5] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2013/01/14 15:31:51.444461, 5] auth/token_util.c:527(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2013/01/14 15:31:51.444605, 5] smbd/uid.c:400(change_to_root_user) change_to_root_user: now uid=(0,0) gid=(0,0) [2013/01/14 15:31:51.444686, 4] smbd/reply.c:794(reply_tcon_and_X) Client requested device type [?????] 
for share [STUFF] [2013/01/14 15:31:51.444772, 5] smbd/service.c:1354(make_connection) making a connection to 'normal' service stuff [2013/01/14 15:31:51.444845, 3] lib/access.c:338(allow_access) Allowed connection from 192.168.7.2 (192.168.7.2) [2013/01/14 15:31:51.444919, 3] ../libcli/security/dom_sid.c:208(dom_sid_parse_endp) string_to_sid: SID +WARGAMES\Domain Admins is not in a valid format [2013/01/14 15:31:51.444986, 10] passdb/lookup_sid.c:76(lookup_name) lookup_name: WARGAMES\Domain Admins => domain=[WARGAMES], name=[Domain Admins] [2013/01/14 15:31:51.445049, 10] passdb/lookup_sid.c:77(lookup_name) lookup_name: flags = 0x077 [2013/01/14 15:31:51.446154, 3] ../libcli/security/dom_sid.c:208(dom_sid_parse_endp) string_to_sid: SID WARGAMES\smythe is not in a valid format [2013/01/14 15:31:51.446223, 10] passdb/lookup_sid.c:76(lookup_name) lookup_name: WARGAMES\smythe => domain=[WARGAMES], name=[smythe] [2013/01/14 15:31:51.446307, 10] passdb/lookup_sid.c:77(lookup_name) lookup_name: flags = 0x073 [2013/01/14 15:31:51.447396, 10] smbd/share_access.c:219(user_ok_token) User WARGAMES\administrator not in 'valid users' [2013/01/14 15:31:51.447462, 2] smbd/service.c:627(create_connection_session_info) user 'WARGAMES\administrator' (from session setup) not permitted to access this share (stuff) [2013/01/14 15:31:51.447531, 1] smbd/service.c:805(make_connection_snum) create_connection_session_info failed: NT_STATUS_ACCESS_DENIED [2013/01/14 15:31:51.447602, 3] smbd/error.c:81(error_packet_set) error packet at smbd/reply.c(803) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED [2013/01/14 15:31:51.447667, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:51.447703, 5] lib/util.c:342(show_msg) size=35 smb_com=0x75 smb_rcls=34 smb_reh=0 smb_err=49152 smb_flg=136 smb_flg2=49155 smb_tid=0 smb_pid=51966 smb_uid=101 smb_mid=2304 smt_wct=0 smb_bcc=0 [2013/01/14 15:31:51.448054, 10] ../lib/util/util.c:415(dump_data) [2013/01/14 15:31:51.449797, 10] 
lib/util_sock.c:519(read_smb_length_return_keepalive) got smb length of 82 [2013/01/14 15:31:51.449869, 6] smbd/process.c:1660(process_smb) got message type 0x0 of len 0x52 [2013/01/14 15:31:51.449932, 3] smbd/process.c:1662(process_smb) Transaction 38 of length 86 (0 toread) [2013/01/14 15:31:51.449995, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:51.450029, 5] lib/util.c:342(show_msg) size=82 smb_com=0x75 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=32771 smb_tid=0 smb_pid=51966 smb_uid=101 smb_mid=2368 smt_wct=4 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 0 (0x0) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 1 (0x1) smb_bcc=39 [2013/01/14 15:31:51.450490, 10] ../lib/util/util.c:415(dump_data) [0000] 00 5C 00 5C 00 48 00 41 00 57 00 4B 00 49 00 4E .\.\.H.A .W.K.I.N [0010] 00 47 00 5C 00 53 00 54 00 55 00 46 00 46 00 00 .G.\.S.T .U.F.F.. [0020] 00 3F 3F 3F 3F 3F 00 .?????. [2013/01/14 15:31:51.450735, 3] smbd/process.c:1467(switch_message) switch message SMBtconX (pid 28678) conn 0x0 [2013/01/14 15:31:51.450799, 4] smbd/sec_ctx.c:314(set_sec_ctx) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 [2013/01/14 15:31:51.450861, 5] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2013/01/14 15:31:51.450922, 5] auth/token_util.c:527(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2013/01/14 15:31:51.451022, 5] smbd/uid.c:400(change_to_root_user) change_to_root_user: now uid=(0,0) gid=(0,0) [2013/01/14 15:31:51.451100, 4] smbd/reply.c:794(reply_tcon_and_X) Client requested device type [?????] 
for share [STUFF] [2013/01/14 15:31:51.451186, 5] smbd/service.c:1354(make_connection) making a connection to 'normal' service stuff [2013/01/14 15:31:51.451308, 3] lib/access.c:338(allow_access) Allowed connection from 192.168.7.2 (192.168.7.2) [2013/01/14 15:31:51.451384, 3] ../libcli/security/dom_sid.c:208(dom_sid_parse_endp) string_to_sid: SID +WARGAMES\Domain Admins is not in a valid format [2013/01/14 15:31:51.451452, 10] passdb/lookup_sid.c:76(lookup_name) lookup_name: WARGAMES\Domain Admins => domain=[WARGAMES], name=[Domain Admins] [2013/01/14 15:31:51.451515, 10] passdb/lookup_sid.c:77(lookup_name) lookup_name: flags = 0x077 [2013/01/14 15:31:51.452620, 3] ../libcli/security/dom_sid.c:208(dom_sid_parse_endp) string_to_sid: SID WARGAMES\smythe is not in a valid format [2013/01/14 15:31:51.452689, 10] passdb/lookup_sid.c:76(lookup_name) lookup_name: WARGAMES\smythe => domain=[WARGAMES], name=[smythe] [2013/01/14 15:31:51.452754, 10] passdb/lookup_sid.c:77(lookup_name) lookup_name: flags = 0x073 [2013/01/14 15:31:51.453828, 10] smbd/share_access.c:219(user_ok_token) User WARGAMES\administrator not in 'valid users' [2013/01/14 15:31:51.453896, 2] smbd/service.c:627(create_connection_session_info) user 'WARGAMES\administrator' (from session setup) not permitted to access this share (stuff) [2013/01/14 15:31:51.453965, 1] smbd/service.c:805(make_connection_snum) create_connection_session_info failed: NT_STATUS_ACCESS_DENIED [2013/01/14 15:31:51.454034, 3] smbd/error.c:81(error_packet_set) error packet at smbd/reply.c(803) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED [2013/01/14 15:31:51.454100, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:51.454135, 5] lib/util.c:342(show_msg) size=35 smb_com=0x75 smb_rcls=34 smb_reh=0 smb_err=49152 smb_flg=136 smb_flg2=49155 smb_tid=0 smb_pid=51966 smb_uid=101 smb_mid=2368 smt_wct=0 smb_bcc=0 [2013/01/14 15:31:51.454487, 10] ../lib/util/util.c:415(dump_data) [2013/01/14 15:31:53.902260, 10] 
lib/util_sock.c:519(read_smb_length_return_keepalive) got smb length of 100 [2013/01/14 15:31:53.902391, 6] smbd/process.c:1660(process_smb) got message type 0x0 of len 0x64 [2013/01/14 15:31:53.902455, 3] smbd/process.c:1662(process_smb) Transaction 39 of length 104 (0 toread) [2013/01/14 15:31:53.902518, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:53.902553, 5] lib/util.c:342(show_msg) size=100 smb_com=0xa2 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=32771 smb_tid=1 smb_pid=51584 smb_uid=101 smb_mid=2432 smt_wct=24 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 0 (0x0) smb_vwv[ 2]= 3584 (0xE00) smb_vwv[ 3]= 1536 (0x600) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]=40704 (0x9F00) smb_vwv[ 8]= 513 (0x201) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 0 (0x0) smb_vwv[11]= 0 (0x0) smb_vwv[12]= 0 (0x0) smb_vwv[13]= 0 (0x0) smb_vwv[14]= 0 (0x0) smb_vwv[15]= 768 (0x300) smb_vwv[16]= 0 (0x0) smb_vwv[17]= 256 (0x100) smb_vwv[18]= 0 (0x0) smb_vwv[19]= 0 (0x0) smb_vwv[20]= 0 (0x0) smb_vwv[21]= 512 (0x200) smb_vwv[22]= 0 (0x0) smb_vwv[23]= 256 (0x100) smb_bcc=17 [2013/01/14 15:31:53.903558, 10] ../lib/util/util.c:415(dump_data) [0000] 3F 5C 00 73 00 72 00 76 00 73 00 76 00 63 00 00 ?\.s.r.v .s.v.c.. [0010] 00 . 
[2013/01/14 15:31:53.903724, 3] smbd/process.c:1467(switch_message) switch message SMBntcreateX (pid 28678) conn 0xb8d20d18 [2013/01/14 15:31:53.903800, 4] smbd/sec_ctx.c:314(set_sec_ctx) setting sec ctx (2500, 2513) - sec_ctx_stack_ndx = 0 [2013/01/14 15:31:53.903868, 5] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (10): SID[ 0]: S-1-5-21-546846319-217595157-9522986-500 SID[ 1]: S-1-5-21-546846319-217595157-9522986-513 SID[ 2]: S-1-22-2-2513 SID[ 3]: S-1-1-0 SID[ 4]: S-1-5-2 SID[ 5]: S-1-5-11 SID[ 6]: S-1-22-1-2500 SID[ 7]: S-1-22-2-300002 SID[ 8]: S-1-22-2-300003 SID[ 9]: S-1-22-2-300004 Privileges (0x 0): Rights (0x 0): [2013/01/14 15:31:53.904299, 5] auth/token_util.c:527(debug_unix_user_token) UNIX token of user 2500 Primary group is 2513 and contains 4 supplementary groups Group[ 0]: 2513 Group[ 1]: 300002 Group[ 2]: 300003 Group[ 3]: 300004 [2013/01/14 15:31:53.904607, 5] smbd/uid.c:317(change_to_user_internal) Impersonated user: uid=(0,2500), gid=(0,2513) [2013/01/14 15:31:53.904698, 10] smbd/nttrans.c:500(reply_ntcreate_and_X) reply_ntcreate_and_X: flags = 0x6, access_mask = 0x2019f file_attributes = 0x0, share_access = 0x3, create_disposition = 0x1 create_options = 0x0 root_dir_fid = 0x0, fname = srvsvc [2013/01/14 15:31:53.904770, 4] smbd/nttrans.c:288(nt_open_pipe) nt_open_pipe: Opening pipe \srvsvc. 
[2013/01/14 15:31:53.904840, 5] smbd/files.c:140(file_new) allocated file structure 6974, fnum = 11070 (1 used) [2013/01/14 15:31:53.904914, 10] smbd/files.c:705(file_name_hash) file_name_hash: /tmp/srvsvc hash 0x8e98a76a [2013/01/14 15:31:53.904991, 4] rpc_server/rpc_ncacn_np.c:132(make_internal_rpc_pipe_p) Create pipe requested \srvsvc [2013/01/14 15:31:53.905067, 10] rpc_server/rpc_handles.c:116(init_pipe_handles) init_pipe_handle_list: created handle list for pipe \srvsvc [2013/01/14 15:31:53.905130, 10] rpc_server/rpc_handles.c:133(init_pipe_handles) init_pipe_handle_list: pipe_handles ref count = 1 for pipe \srvsvc [2013/01/14 15:31:53.905212, 4] rpc_server/rpc_ncacn_np.c:176(make_internal_rpc_pipe_p) Created internal pipe \srvsvc (pipes_open=0) [2013/01/14 15:31:53.905281, 5] smbd/nttrans.c:377(do_ntcreate_pipe_open) do_ntcreate_pipe_open: open pipe = \srvsvc [2013/01/14 15:31:53.906839, 10] lib/util_sock.c:519(read_smb_length_return_keepalive) got smb length of 156 [2013/01/14 15:31:53.906910, 6] smbd/process.c:1660(process_smb) got message type 0x0 of len 0x9c [2013/01/14 15:31:53.906973, 3] smbd/process.c:1662(process_smb) Transaction 40 of length 160 (0 toread) [2013/01/14 15:31:53.907035, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:53.907070, 5] lib/util.c:342(show_msg) size=156 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=32771 smb_tid=1 smb_pid=51584 smb_uid=101 smb_mid=2496 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 72 (0x48) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 1024 (0x400) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 84 (0x54) smb_vwv[11]= 72 (0x48) smb_vwv[12]= 84 (0x54) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=11070 (0x2B3E) smb_bcc=89 [2013/01/14 15:31:53.907856, 10] ../lib/util/util.c:415(dump_data) [0000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 00 .\.P.I.P .E.\.... 
[0010] 3F 05 00 0B 00 10 00 00 00 48 00 00 00 01 00 00 ?....... .H...... [0020] 00 30 16 30 16 00 00 00 00 01 00 00 00 00 00 01 .0.0.... ........ [0030] 00 C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 ..O2Kp.. ..xZG.n. [0040] 88 03 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 ......]. ........ [0050] 00 2B 10 48 60 02 00 00 00 .+.H`... . [2013/01/14 15:31:53.908331, 3] smbd/process.c:1467(switch_message) switch message SMBtrans (pid 28678) conn 0xb8d20d18 [2013/01/14 15:31:53.908396, 4] smbd/uid.c:351(change_to_user) Skipping user change - already user [2013/01/14 15:31:53.908465, 3] smbd/ipc.c:560(handle_trans) trans <\PIPE\> data=72 params=0 setup=2 [2013/01/14 15:31:53.908531, 5] smbd/ipc.c:593(handle_trans) calling named_pipe [2013/01/14 15:31:53.908591, 3] smbd/ipc.c:511(named_pipe) named pipe command on <> name [2013/01/14 15:31:53.908653, 5] smbd/ipc.c:434(api_fd_reply) api_fd_reply [2013/01/14 15:31:53.908715, 3] smbd/ipc.c:475(api_fd_reply) Got API command 0x26 on pipe "srvsvc" (pnum 2b3e) [2013/01/14 15:31:53.908778, 10] smbd/ipc.c:477(api_fd_reply) api_fd_reply: p:0xb8d21060 max_trans_reply: 1024 [2013/01/14 15:31:53.908843, 6] rpc_server/srv_pipe_hnd.c:520(np_write_send) np_write_send: len: 72 [2013/01/14 15:31:53.908952, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 72 [2013/01/14 15:31:53.909015, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) process_incoming_data: Start: pdu.length = 0, pdu_needed_len = 0, incoming data = 72 [2013/01/14 15:31:53.909079, 10] rpc_server/srv_pipe_hnd.c:50(fill_rpc_header) fill_rpc_header: data_to_copy = 72, len_needed_to_complete_hdr = 16, receive_len = 0 [2013/01/14 15:31:53.909144, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 16 [2013/01/14 15:31:53.909205, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 56 [2013/01/14 15:31:53.909266, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) 
process_incoming_data: Start: pdu.length = 16, pdu_needed_len = 0, incoming data = 56 [2013/01/14 15:31:53.909332, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 0 [2013/01/14 15:31:53.909392, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 56 [2013/01/14 15:31:53.909453, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) process_incoming_data: Start: pdu.length = 16, pdu_needed_len = 56, incoming data = 56 [2013/01/14 15:31:53.909518, 10] rpc_server/srv_pipe.c:1877(process_complete_pdu) PDU is in Little Endian format! [2013/01/14 15:31:53.909596, 1] ../librpc/ndr/ndr.c:247(ndr_print_debug) r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_BIND (11) pfc_flags : 0x00 (0) drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0048 (72) auth_length : 0x0000 (0) call_id : 0x00000001 (1) u : union dcerpc_payload(case 11) bind: struct dcerpc_bind max_xmit_frag : 0x1630 (5680) max_recv_frag : 0x1630 (5680) assoc_group_id : 0x00000000 (0) num_contexts : 0x01 (1) ctx_list: ARRAY(1) ctx_list: struct dcerpc_ctx_list context_id : 0x0000 (0) num_transfer_syntaxes : 0x01 (1) abstract_syntax: struct ndr_syntax_id uuid : 4b324fc8-1670-01d3-1278-5a47bf6ee188 if_version : 0x00000003 (3) transfer_syntaxes: ARRAY(1) transfer_syntaxes: struct ndr_syntax_id uuid : 8a885d04-1ceb-11c9-9fe8-08002b104860 if_version : 0x00000002 (2) auth_info : DATA_BLOB length=0 [2013/01/14 15:31:53.910652, 10] rpc_server/srv_pipe.c:1890(process_complete_pdu) Processing packet type 11 [2013/01/14 15:31:53.910716, 3] rpc_server/srv_pipe.c:889(api_pipe_bind_req) api_pipe_bind_req: \PIPE\srvsvc -> \PIPE\srvsvc [2013/01/14 15:31:53.910779, 5] rpc_server/srv_pipe.c:923(api_pipe_bind_req) api_pipe_bind_req: make response. 
923 [2013/01/14 15:31:53.910841, 3] rpc_server/srv_pipe.c:339(check_bind_req) check_bind_req for \srvsvc [2013/01/14 15:31:53.910905, 3] rpc_server/srv_pipe.c:346(check_bind_req) check_bind_req: \PIPE\srvsvc -> \PIPE\srvsvc [2013/01/14 15:31:53.910992, 1] ../librpc/ndr/ndr.c:247(ndr_print_debug) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_BIND_ACK (12) pfc_flags : 0x03 (3) drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0044 (68) auth_length : 0x0000 (0) call_id : 0x00000001 (1) u : union dcerpc_payload(case 12) bind_ack: struct dcerpc_bind_ack max_xmit_frag : 0x10b8 (4280) max_recv_frag : 0x10b8 (4280) assoc_group_id : 0x000053f0 (21488) secondary_address_size : 0x000d (13) secondary_address : '\PIPE\srvsvc' _pad1 : DATA_BLOB length=0 num_results : 0x01 (1) ctx_list: ARRAY(1) ctx_list: struct dcerpc_ack_ctx result : 0x0000 (0) reason : 0x0000 (0) syntax: struct ndr_syntax_id uuid : 8a885d04-1ceb-11c9-9fe8-08002b104860 if_version : 0x00000002 (2) auth_info : DATA_BLOB length=0 [2013/01/14 15:31:53.912022, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 56 [2013/01/14 15:31:53.912108, 6] rpc_server/srv_pipe_hnd.c:284(read_from_internal_pipe) name: \srvsvc len: 1024 [2013/01/14 15:31:53.912173, 10] rpc_server/srv_pipe_hnd.c:325(read_from_internal_pipe) read_from_pipe: \srvsvc: current_pdu_len = 68, current_pdu_sent = 0 returning 68 bytes. [2013/01/14 15:31:53.912239, 3] rpc_server/srv_pipe_hnd.c:121(free_pipe_context) free_pipe_context: destroying talloc pool of size 24 [2013/01/14 15:31:53.912315, 10] rpc_server/srv_pipe_hnd.c:788(np_read_recv) Received 68 bytes. 
There is no more data outstanding [2013/01/14 15:31:53.912380, 5] smbd/ipc.c:62(copy_trans_params_and_data) copy_trans_params_and_data: params[0..0] data[0..68] (align 0) [2013/01/14 15:31:53.912445, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:53.912480, 5] lib/util.c:342(show_msg) size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=49155 smb_tid=1 smb_pid=51584 smb_uid=101 smb_mid=2496 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [2013/01/14 15:31:53.913100, 10] ../lib/util/util.c:415(dump_data) [0000] 00 05 00 0C 03 10 00 00 00 44 00 00 00 01 00 00 ........ .D...... [0010] 00 B8 10 B8 10 F0 53 00 00 0D 00 5C 50 49 50 45 ......S. ...\PIPE [0020] 5C 73 72 76 73 76 63 00 00 01 00 00 00 00 00 00 \srvsvc. ........ [0030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H [0040] 60 02 00 00 00 `.... 
[2013/01/14 15:31:53.913893, 10] lib/util_sock.c:519(read_smb_length_return_keepalive) got smb length of 172 [2013/01/14 15:31:53.913964, 6] smbd/process.c:1660(process_smb) got message type 0x0 of len 0xac [2013/01/14 15:31:53.914027, 3] smbd/process.c:1662(process_smb) Transaction 41 of length 176 (0 toread) [2013/01/14 15:31:53.914089, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:53.914124, 5] lib/util.c:342(show_msg) size=172 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=32771 smb_tid=1 smb_pid=51584 smb_uid=101 smb_mid=2560 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 88 (0x58) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 1024 (0x400) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 84 (0x54) smb_vwv[11]= 88 (0x58) smb_vwv[12]= 84 (0x54) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=11070 (0x2B3E) smb_bcc=105 [2013/01/14 15:31:53.914949, 10] ../lib/util/util.c:415(dump_data) [0000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 00 .\.P.I.P .E.\.... [0010] A4 05 00 00 03 10 00 00 00 58 00 00 00 01 00 00 ........ .X...... [0020] 00 40 00 00 00 00 00 0F 00 FC 33 8E 00 0A 00 00 .@...... ..3..... [0030] 00 00 00 00 00 0A 00 00 00 5C 00 5C 00 48 00 61 ........ .\.\.H.a [0040] 00 77 00 6B 00 69 00 6E 00 67 00 00 00 01 00 00 .w.k.i.n .g...... [0050] 00 01 00 00 00 00 F6 98 01 00 00 00 00 00 00 00 ........ ........ [0060] 00 FF FF FF FF 00 00 00 00 ........ . 
[2013/01/14 15:31:53.915500, 3] smbd/process.c:1467(switch_message) switch message SMBtrans (pid 28678) conn 0xb8d20d18 [2013/01/14 15:31:53.915565, 4] smbd/uid.c:351(change_to_user) Skipping user change - already user [2013/01/14 15:31:53.915636, 3] smbd/ipc.c:560(handle_trans) trans <\PIPE\> data=88 params=0 setup=2 [2013/01/14 15:31:53.915702, 5] smbd/ipc.c:593(handle_trans) calling named_pipe [2013/01/14 15:31:53.915762, 3] smbd/ipc.c:511(named_pipe) named pipe command on <> name [2013/01/14 15:31:53.915823, 5] smbd/ipc.c:434(api_fd_reply) api_fd_reply [2013/01/14 15:31:53.915884, 3] smbd/ipc.c:475(api_fd_reply) Got API command 0x26 on pipe "srvsvc" (pnum 2b3e) [2013/01/14 15:31:53.915948, 10] smbd/ipc.c:477(api_fd_reply) api_fd_reply: p:0xb8d21060 max_trans_reply: 1024 [2013/01/14 15:31:53.916012, 6] rpc_server/srv_pipe_hnd.c:520(np_write_send) np_write_send: len: 88 [2013/01/14 15:31:53.916074, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 88 [2013/01/14 15:31:53.916136, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) process_incoming_data: Start: pdu.length = 0, pdu_needed_len = 0, incoming data = 88 [2013/01/14 15:31:53.916199, 10] rpc_server/srv_pipe_hnd.c:50(fill_rpc_header) fill_rpc_header: data_to_copy = 88, len_needed_to_complete_hdr = 16, receive_len = 0 [2013/01/14 15:31:53.916264, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 16 [2013/01/14 15:31:53.916340, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 72 [2013/01/14 15:31:53.916402, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) process_incoming_data: Start: pdu.length = 16, pdu_needed_len = 0, incoming data = 72 [2013/01/14 15:31:53.916466, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 0 [2013/01/14 15:31:53.916527, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 72 [2013/01/14 
15:31:53.916588, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) process_incoming_data: Start: pdu.length = 16, pdu_needed_len = 72, incoming data = 72 [2013/01/14 15:31:53.916653, 10] rpc_server/srv_pipe.c:1877(process_complete_pdu) PDU is in Little Endian format! [2013/01/14 15:31:53.916725, 1] ../librpc/ndr/ndr.c:247(ndr_print_debug) r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0058 (88) auth_length : 0x0000 (0) call_id : 0x00000001 (1) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000040 (64) context_id : 0x0000 (0) opnum : 0x000f (15) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=64 [0000] FC 33 8E 00 0A 00 00 00 00 00 00 00 0A 00 00 00 .3...... ........ [0010] 5C 00 5C 00 48 00 61 00 77 00 6B 00 69 00 6E 00 \.\.H.a. w.k.i.n. [0020] 67 00 00 00 01 00 00 00 01 00 00 00 00 F6 98 01 g....... ........ [0030] 00 00 00 00 00 00 00 00 FF FF FF FF 00 00 00 00 ........ ........ [2013/01/14 15:31:53.917884, 10] rpc_server/srv_pipe.c:1890(process_complete_pdu) Processing packet type 0 [2013/01/14 15:31:53.917947, 10] rpc_server/srv_pipe.c:1734(dcesrv_auth_request) Checking request auth. 
[2013/01/14 15:31:53.918011, 5] rpc_server/srv_pipe.c:1571(api_pipe_request) Requested \PIPE\\srvsvc [2013/01/14 15:31:53.918076, 4] rpc_server/srv_pipe.c:1611(api_rpcTNP) api_rpcTNP: \srvsvc op 0xf - api_rpcTNP: rpc command: SRVSVC_NETSHAREENUMALL [2013/01/14 15:31:53.918144, 6] rpc_server/srv_pipe.c:1645(api_rpcTNP) api_rpc_cmds[15].fn == 0xb71a3960 [2013/01/14 15:31:53.918220, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) srvsvc_NetShareEnumAll: struct srvsvc_NetShareEnumAll in: struct srvsvc_NetShareEnumAll server_unc : * server_unc : '\\Hawking' info_ctr : * info_ctr: struct srvsvc_NetShareInfoCtr level : 0x00000001 (1) ctr : union srvsvc_NetShareCtr(case 1) ctr1 : * ctr1: struct srvsvc_NetShareCtr1 count : 0x00000000 (0) array : NULL max_buffer : 0xffffffff (4294967295) resume_handle : NULL [2013/01/14 15:31:53.918713, 5] rpc_server/srvsvc/srv_srvsvc_nt.c:1381(_srvsvc_NetShareEnumAll) _srvsvc_NetShareEnumAll: 1381 [2013/01/14 15:31:53.918777, 5] rpc_server/srvsvc/srv_srvsvc_nt.c:567(init_srv_share_info_ctr) init_srv_share_info_ctr [2013/01/14 15:31:53.918839, 4] smbd/sec_ctx.c:214(push_sec_ctx) push_sec_ctx(2500, 2513) : sec_ctx_stack_ndx = 1 [2013/01/14 15:31:53.918911, 4] smbd/uid.c:460(push_conn_ctx) push_conn_ctx(101) : conn_ctx_stack_ndx = 0 [2013/01/14 15:31:53.918974, 4] smbd/sec_ctx.c:314(set_sec_ctx) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1 [2013/01/14 15:31:53.919036, 5] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2013/01/14 15:31:53.919097, 5] auth/token_util.c:527(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2013/01/14 15:31:53.919202, 8] smbd/service.c:248(load_registry_shares) load_registry_shares() [2013/01/14 15:31:53.919272, 4] smbd/sec_ctx.c:422(pop_sec_ctx) pop_sec_ctx (2500, 2513) - sec_ctx_stack_ndx = 0 [2013/01/14 15:31:53.919337, 10] rpc_server/srvsvc/srv_srvsvc_nt.c:590(init_srv_share_info_ctr) NOT counting service printers 
[2013/01/14 15:31:53.919406, 10] rpc_server/srvsvc/srv_srvsvc_nt.c:585(init_srv_share_info_ctr) counting service print$ [2013/01/14 15:31:53.919472, 10] rpc_server/srvsvc/srv_srvsvc_nt.c:585(init_srv_share_info_ctr) counting service backup [2013/01/14 15:31:53.919537, 10] rpc_server/srvsvc/srv_srvsvc_nt.c:585(init_srv_share_info_ctr) counting service stuff [2013/01/14 15:31:53.919602, 10] rpc_server/srvsvc/srv_srvsvc_nt.c:585(init_srv_share_info_ctr) counting service pdf [2013/01/14 15:31:53.919667, 10] rpc_server/srvsvc/srv_srvsvc_nt.c:585(init_srv_share_info_ctr) counting service IPC$ [2013/01/14 15:31:53.919733, 10] rpc_server/srvsvc/srv_srvsvc_nt.c:585(init_srv_share_info_ctr) counting service Virtual_Printer-HC.A [2013/01/14 15:31:53.919799, 10] rpc_server/srvsvc/srv_srvsvc_nt.c:585(init_srv_share_info_ctr) counting service Virtual_Printer-HC.W [2013/01/14 15:31:53.919865, 10] rpc_server/srvsvc/srv_srvsvc_nt.c:585(init_srv_share_info_ctr) counting service Landscape_PDF-HC.A [2013/01/14 15:31:53.919931, 10] rpc_server/srvsvc/srv_srvsvc_nt.c:585(init_srv_share_info_ctr) counting service HP4250-HC.A [2013/01/14 15:31:53.920023, 10] rpc_server/srvsvc/srv_srvsvc_nt.c:585(init_srv_share_info_ctr) counting service ES283-HC.A [2013/01/14 15:31:53.920185, 5] rpc_server/srvsvc/srv_srvsvc_nt.c:1395(_srvsvc_NetShareEnumAll) _srvsvc_NetShareEnumAll: 1395 [2013/01/14 15:31:53.920247, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) srvsvc_NetShareEnumAll: struct srvsvc_NetShareEnumAll out: struct srvsvc_NetShareEnumAll info_ctr : * info_ctr: struct srvsvc_NetShareInfoCtr level : 0x00000001 (1) ctr : union srvsvc_NetShareCtr(case 1) ctr1 : * ctr1: struct srvsvc_NetShareCtr1 count : 0x0000000a (10) array : * array: ARRAY(10) array: struct srvsvc_NetShareInfo1 name : * name : 'print$' type : STYPE_DISKTREE (0x0) comment : * comment : 'Printer Drivers' array: struct srvsvc_NetShareInfo1 name : * name : 'backup' type : STYPE_DISKTREE (0x0) comment : * comment : 'backups' 
array: struct srvsvc_NetShareInfo1 name : * name : 'stuff' type : STYPE_DISKTREE (0x0) comment : * comment : 'Assorted files' array: struct srvsvc_NetShareInfo1 name : * name : 'pdf' type : STYPE_DISKTREE (0x0) comment : * comment : 'pdf printer output' array: struct srvsvc_NetShareInfo1 name : * name : 'IPC$' type : STYPE_IPC_HIDDEN (0x80000003) comment : * comment : 'IPC Service (hawking - the universe is expanding)' array: struct srvsvc_NetShareInfo1 name : * name : 'Virtual_Printer-HC.A' type : STYPE_PRINTQ (0x1) comment : * comment : 'PDF Printer on Hawking' array: struct srvsvc_NetShareInfo1 name : * name : 'Virtual_Printer-HC.W' type : STYPE_PRINTQ (0x1) comment : * comment : 'Virtual 'portrait' Printer' array: struct srvsvc_NetShareInfo1 name : * name : 'Landscape_PDF-HC.A' type : STYPE_PRINTQ (0x1) comment : * comment : 'Virtual Landscape PDF Printer' array: struct srvsvc_NetShareInfo1 name : * name : 'HP4250-HC.A' type : STYPE_PRINTQ (0x1) comment : * comment : 'HP LaserJet 4250tn' array: struct srvsvc_NetShareInfo1 name : * name : 'ES283-HC.A' type : STYPE_PRINTQ (0x1) comment : * comment : 'Toshiba e-Studio 283' totalentries : * totalentries : 0x0000000a (10) resume_handle : NULL result : WERR_OK [2013/01/14 15:31:53.923045, 5] rpc_server/srv_pipe.c:1679(api_rpcTNP) api_rpcTNP: called \srvsvc successfully [2013/01/14 15:31:53.923117, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 72 [2013/01/14 15:31:53.923200, 6] rpc_server/srv_pipe_hnd.c:284(read_from_internal_pipe) name: \srvsvc len: 1024 [2013/01/14 15:31:53.923264, 10] rpc_server/srv_pipe_hnd.c:346(read_from_internal_pipe) read_from_pipe: \srvsvc: fault_state = 0 : data_sent_length = 0, p->out_data.rdata.length = 1104. 
[2013/01/14 15:31:53.923347, 1] ../librpc/ndr/ndr.c:247(ndr_print_debug) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0468 (1128) auth_length : 0x0000 (0) call_id : 0x00000001 (1) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000450 (1104) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=1104 [2013/01/14 15:31:53.930815, 10] rpc_server/srv_pipe_hnd.c:788(np_read_recv) Received 1024 bytes.
There is more data outstanding [2013/01/14 15:31:53.930880, 5] smbd/ipc.c:103(send_trans_reply) send_trans_reply: buffer 1024 too large [2013/01/14 15:31:53.930944, 5] smbd/ipc.c:62(copy_trans_params_and_data) copy_trans_params_and_data: params[0..0] data[0..1024] (align 0) [2013/01/14 15:31:53.931009, 3] smbd/error.c:81(error_packet_set) error packet at smbd/ipc.c(137) cmd=37 (SMBtrans) STATUS_BUFFER_OVERFLOW [2013/01/14 15:31:53.931075, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:53.931109, 5] lib/util.c:342(show_msg) size=1080 smb_com=0x25 smb_rcls=5 smb_reh=0 smb_err=32768 smb_flg=136 smb_flg2=49155 smb_tid=1 smb_pid=51584 smb_uid=101 smb_mid=2560 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 1024 (0x400) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 1024 (0x400) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=1025 [2013/01/14 15:31:53.931732, 10] ../lib/util/util.c:415(dump_data)
[2013/01/14 15:31:53.934885, 10] lib/util_sock.c:519(read_smb_length_return_keepalive) got smb length of 60 [2013/01/14 15:31:53.935088, 6] smbd/process.c:1660(process_smb) got message type 0x0 of len 0x3c [2013/01/14 15:31:53.935152, 3] smbd/process.c:1662(process_smb) Transaction 42 of length 64 (0 toread) [2013/01/14 15:31:53.935215, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:53.935251, 5] lib/util.c:342(show_msg) size=60 smb_com=0x2e smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=32768 smb_tid=1 smb_pid=51966 smb_uid=101 smb_mid=2624 smt_wct=12 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 0 (0x0) smb_vwv[ 2]=11070 (0x2B3E) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 104 (0x68) smb_vwv[ 6]= 104 (0x68) smb_vwv[ 7]=65535 (0xFFFF) smb_vwv[ 8]=65535 (0xFFFF) smb_vwv[ 9]= 104 (0x68) smb_vwv[10]= 0 (0x0) smb_vwv[11]= 0 (0x0) smb_bcc=0 [2013/01/14 15:31:53.935930, 10] ../lib/util/util.c:415(dump_data) [2013/01/14 15:31:53.935972, 3] smbd/process.c:1467(switch_message) switch message SMBreadX (pid 28678) conn 0xb8d20d18 [2013/01/14 15:31:53.936038, 4] smbd/uid.c:351(change_to_user) Skipping user change - already user [2013/01/14 15:31:53.936115, 6] rpc_server/srv_pipe_hnd.c:284(read_from_internal_pipe) name: \srvsvc len: 104 [2013/01/14 15:31:53.936187, 10] rpc_server/srv_pipe_hnd.c:325(read_from_internal_pipe) read_from_pipe: \srvsvc: current_pdu_len = 1128, current_pdu_sent = 1024 returning 104 bytes. [2013/01/14 15:31:53.936261, 3] rpc_server/srv_pipe_hnd.c:121(free_pipe_context) free_pipe_context: destroying talloc pool of size 619 [2013/01/14 15:31:53.936394, 10] rpc_server/srv_pipe_hnd.c:788(np_read_recv) Received 104 bytes.
There is more data outstanding [2013/01/14 15:31:53.936459, 3] smbd/pipes.c:485(pipe_read_andx_done) readX-IPC min=104 max=104 nread=104 [2013/01/14 15:31:53.938009, 10] lib/util_sock.c:519(read_smb_length_return_keepalive) got smb length of 42 [2013/01/14 15:31:53.938080, 6] smbd/process.c:1660(process_smb) got message type 0x0 of len 0x2a [2013/01/14 15:31:53.938143, 3] smbd/process.c:1662(process_smb) Transaction 43 of length 46 (0 toread) [2013/01/14 15:31:53.938205, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:53.938240, 5] lib/util.c:342(show_msg) size=42 smb_com=0x4 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=32771 smb_tid=1 smb_pid=51966 smb_uid=101 smb_mid=2688 smt_wct=3 smb_vwv[ 0]=11070 (0x2B3E) smb_vwv[ 1]=65535 (0xFFFF) smb_vwv[ 2]=65535 (0xFFFF) smb_bcc=0 [2013/01/14 15:31:53.938672, 10] ../lib/util/util.c:415(dump_data) [2013/01/14 15:31:53.938709, 3] smbd/process.c:1467(switch_message) switch message SMBclose (pid 28678) conn 0xb8d20d18 [2013/01/14 15:31:53.938774, 4] smbd/uid.c:351(change_to_user) Skipping user change - already user [2013/01/14 15:31:53.938838, 3] smbd/reply.c:4848(reply_close) close fd=-1 fnum=11070 (numopen=1) [2013/01/14 15:31:53.938902, 6] smbd/close.c:532(set_close_write_time) close_write_time: Wed Dec 31 18:59:59 1969 [2013/01/14 15:31:53.938981, 10] rpc_server/rpc_handles.c:307(close_policy_by_pipe) close_policy_by_pipe: deleted handle list for pipe \srvsvc [2013/01/14 15:31:53.939055, 5] smbd/files.c:482(file_free) freed files structure 11070 (0 used) [2013/01/14 15:31:53.939121, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:53.939156, 5] lib/util.c:342(show_msg) size=35 smb_com=0x4 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=49155 smb_tid=1 smb_pid=51966 smb_uid=101 smb_mid=2688 smt_wct=0 smb_bcc=0 [2013/01/14 15:31:53.939587, 10] ../lib/util/util.c:415(dump_data) [2013/01/14 15:31:53.941417, 10] lib/util_sock.c:519(read_smb_length_return_keepalive) got smb length of 100 [2013/01/14 15:31:53.941488, 6] 
smbd/process.c:1660(process_smb) got message type 0x0 of len 0x64 [2013/01/14 15:31:53.941551, 3] smbd/process.c:1662(process_smb) Transaction 44 of length 104 (0 toread) [2013/01/14 15:31:53.941613, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:53.941648, 5] lib/util.c:342(show_msg) size=100 smb_com=0xa2 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=32771 smb_tid=1 smb_pid=51584 smb_uid=101 smb_mid=2752 smt_wct=24 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 0 (0x0) smb_vwv[ 2]= 3584 (0xE00) smb_vwv[ 3]= 1536 (0x600) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]=40704 (0x9F00) smb_vwv[ 8]= 513 (0x201) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 0 (0x0) smb_vwv[11]= 0 (0x0) smb_vwv[12]= 0 (0x0) smb_vwv[13]= 0 (0x0) smb_vwv[14]= 0 (0x0) smb_vwv[15]= 768 (0x300) smb_vwv[16]= 0 (0x0) smb_vwv[17]= 256 (0x100) smb_vwv[18]= 0 (0x0) smb_vwv[19]= 0 (0x0) smb_vwv[20]= 0 (0x0) smb_vwv[21]= 512 (0x200) smb_vwv[22]= 0 (0x0) smb_vwv[23]= 256 (0x100) smb_bcc=17 [2013/01/14 15:31:53.942652, 10] ../lib/util/util.c:415(dump_data) [0000] A4 5C 00 73 00 72 00 76 00 73 00 76 00 63 00 00 .\.s.r.v .s.v.c.. [0010] 00 . [2013/01/14 15:31:53.942815, 3] smbd/process.c:1467(switch_message) switch message SMBntcreateX (pid 28678) conn 0xb8d20d18 [2013/01/14 15:31:53.942880, 4] smbd/uid.c:351(change_to_user) Skipping user change - already user [2013/01/14 15:31:53.942954, 10] smbd/nttrans.c:500(reply_ntcreate_and_X) reply_ntcreate_and_X: flags = 0x6, access_mask = 0x2019f file_attributes = 0x0, share_access = 0x3, create_disposition = 0x1 create_options = 0x0 root_dir_fid = 0x0, fname = srvsvc [2013/01/14 15:31:53.943027, 4] smbd/nttrans.c:288(nt_open_pipe) nt_open_pipe: Opening pipe \srvsvc. 
[2013/01/14 15:31:53.943097, 5] smbd/files.c:140(file_new) allocated file structure 6975, fnum = 11071 (1 used) [2013/01/14 15:31:53.943170, 10] smbd/files.c:705(file_name_hash) file_name_hash: /tmp/srvsvc hash 0x8e98a76a [2013/01/14 15:31:53.943248, 4] rpc_server/rpc_ncacn_np.c:132(make_internal_rpc_pipe_p) Create pipe requested \srvsvc [2013/01/14 15:31:53.943321, 10] rpc_server/rpc_handles.c:116(init_pipe_handles) init_pipe_handle_list: created handle list for pipe \srvsvc [2013/01/14 15:31:53.943383, 10] rpc_server/rpc_handles.c:133(init_pipe_handles) init_pipe_handle_list: pipe_handles ref count = 1 for pipe \srvsvc [2013/01/14 15:31:53.943468, 4] rpc_server/rpc_ncacn_np.c:176(make_internal_rpc_pipe_p) Created internal pipe \srvsvc (pipes_open=0) [2013/01/14 15:31:53.943535, 5] smbd/nttrans.c:377(do_ntcreate_pipe_open) do_ntcreate_pipe_open: open pipe = \srvsvc [2013/01/14 15:31:53.943992, 10] lib/util_sock.c:519(read_smb_length_return_keepalive) got smb length of 156 [2013/01/14 15:31:53.944062, 6] smbd/process.c:1660(process_smb) got message type 0x0 of len 0x9c [2013/01/14 15:31:53.944125, 3] smbd/process.c:1662(process_smb) Transaction 45 of length 160 (0 toread) [2013/01/14 15:31:53.944187, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:53.944222, 5] lib/util.c:342(show_msg) size=156 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=32771 smb_tid=1 smb_pid=51584 smb_uid=101 smb_mid=2816 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 72 (0x48) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 1024 (0x400) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 84 (0x54) smb_vwv[11]= 72 (0x48) smb_vwv[12]= 84 (0x54) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=11071 (0x2B3F) smb_bcc=89 [2013/01/14 15:31:53.945046, 10] ../lib/util/util.c:415(dump_data) [0000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 00 .\.P.I.P .E.\.... 
[0010] A4 05 00 0B 00 10 00 00 00 48 00 00 00 01 00 00 ........ .H...... [0020] 00 30 16 30 16 00 00 00 00 01 00 00 00 00 00 01 .0.0.... ........ [0030] 00 C8 4F 32 4B 70 16 D3 01 12 78 5A 47 BF 6E E1 ..O2Kp.. ..xZG.n. [0040] 88 03 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 ......]. ........ [0050] 00 2B 10 48 60 02 00 00 00 .+.H`... . [2013/01/14 15:31:53.945519, 3] smbd/process.c:1467(switch_message) switch message SMBtrans (pid 28678) conn 0xb8d20d18 [2013/01/14 15:31:53.945584, 4] smbd/uid.c:351(change_to_user) Skipping user change - already user [2013/01/14 15:31:53.945657, 3] smbd/ipc.c:560(handle_trans) trans <\PIPE\> data=72 params=0 setup=2 [2013/01/14 15:31:53.945724, 5] smbd/ipc.c:593(handle_trans) calling named_pipe [2013/01/14 15:31:53.945784, 3] smbd/ipc.c:511(named_pipe) named pipe command on <> name [2013/01/14 15:31:53.945846, 5] smbd/ipc.c:434(api_fd_reply) api_fd_reply [2013/01/14 15:31:53.945908, 3] smbd/ipc.c:475(api_fd_reply) Got API command 0x26 on pipe "srvsvc" (pnum 2b3f) [2013/01/14 15:31:53.945972, 10] smbd/ipc.c:477(api_fd_reply) api_fd_reply: p:0xb8d21060 max_trans_reply: 1024 [2013/01/14 15:31:53.946036, 6] rpc_server/srv_pipe_hnd.c:520(np_write_send) np_write_send: len: 72 [2013/01/14 15:31:53.946100, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 72 [2013/01/14 15:31:53.946163, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) process_incoming_data: Start: pdu.length = 0, pdu_needed_len = 0, incoming data = 72 [2013/01/14 15:31:53.946227, 10] rpc_server/srv_pipe_hnd.c:50(fill_rpc_header) fill_rpc_header: data_to_copy = 72, len_needed_to_complete_hdr = 16, receive_len = 0 [2013/01/14 15:31:53.946311, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 16 [2013/01/14 15:31:53.946372, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 56 [2013/01/14 15:31:53.946433, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) 
process_incoming_data: Start: pdu.length = 16, pdu_needed_len = 0, incoming data = 56 [2013/01/14 15:31:53.946500, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 0 [2013/01/14 15:31:53.946561, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 56 [2013/01/14 15:31:53.946622, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) process_incoming_data: Start: pdu.length = 16, pdu_needed_len = 56, incoming data = 56 [2013/01/14 15:31:53.946687, 10] rpc_server/srv_pipe.c:1877(process_complete_pdu) PDU is in Little Endian format! [2013/01/14 15:31:53.946766, 1] ../librpc/ndr/ndr.c:247(ndr_print_debug) r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_BIND (11) pfc_flags : 0x00 (0) drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0048 (72) auth_length : 0x0000 (0) call_id : 0x00000001 (1) u : union dcerpc_payload(case 11) bind: struct dcerpc_bind max_xmit_frag : 0x1630 (5680) max_recv_frag : 0x1630 (5680) assoc_group_id : 0x00000000 (0) num_contexts : 0x01 (1) ctx_list: ARRAY(1) ctx_list: struct dcerpc_ctx_list context_id : 0x0000 (0) num_transfer_syntaxes : 0x01 (1) abstract_syntax: struct ndr_syntax_id uuid : 4b324fc8-1670-01d3-1278-5a47bf6ee188 if_version : 0x00000003 (3) transfer_syntaxes: ARRAY(1) transfer_syntaxes: struct ndr_syntax_id uuid : 8a885d04-1ceb-11c9-9fe8-08002b104860 if_version : 0x00000002 (2) auth_info : DATA_BLOB length=0 [2013/01/14 15:31:53.947861, 10] rpc_server/srv_pipe.c:1890(process_complete_pdu) Processing packet type 11 [2013/01/14 15:31:53.947926, 3] rpc_server/srv_pipe.c:889(api_pipe_bind_req) api_pipe_bind_req: \PIPE\srvsvc -> \PIPE\srvsvc [2013/01/14 15:31:53.947990, 5] rpc_server/srv_pipe.c:923(api_pipe_bind_req) api_pipe_bind_req: make response. 
923 [2013/01/14 15:31:53.948052, 3] rpc_server/srv_pipe.c:339(check_bind_req) check_bind_req for \srvsvc [2013/01/14 15:31:53.948116, 3] rpc_server/srv_pipe.c:346(check_bind_req) check_bind_req: \PIPE\srvsvc -> \PIPE\srvsvc [2013/01/14 15:31:53.948204, 1] ../librpc/ndr/ndr.c:247(ndr_print_debug) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_BIND_ACK (12) pfc_flags : 0x03 (3) drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0044 (68) auth_length : 0x0000 (0) call_id : 0x00000001 (1) u : union dcerpc_payload(case 12) bind_ack: struct dcerpc_bind_ack max_xmit_frag : 0x10b8 (4280) max_recv_frag : 0x10b8 (4280) assoc_group_id : 0x000053f0 (21488) secondary_address_size : 0x000d (13) secondary_address : '\PIPE\srvsvc' _pad1 : DATA_BLOB length=0 num_results : 0x01 (1) ctx_list: ARRAY(1) ctx_list: struct dcerpc_ack_ctx result : 0x0000 (0) reason : 0x0000 (0) syntax: struct ndr_syntax_id uuid : 8a885d04-1ceb-11c9-9fe8-08002b104860 if_version : 0x00000002 (2) auth_info : DATA_BLOB length=0 [2013/01/14 15:31:53.949210, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 56 [2013/01/14 15:31:53.949293, 6] rpc_server/srv_pipe_hnd.c:284(read_from_internal_pipe) name: \srvsvc len: 1024 [2013/01/14 15:31:53.949358, 10] rpc_server/srv_pipe_hnd.c:325(read_from_internal_pipe) read_from_pipe: \srvsvc: current_pdu_len = 68, current_pdu_sent = 0 returning 68 bytes. [2013/01/14 15:31:53.949425, 3] rpc_server/srv_pipe_hnd.c:121(free_pipe_context) free_pipe_context: destroying talloc pool of size 24 [2013/01/14 15:31:53.949499, 10] rpc_server/srv_pipe_hnd.c:788(np_read_recv) Received 68 bytes. 
There is no more data outstanding [2013/01/14 15:31:53.949565, 5] smbd/ipc.c:62(copy_trans_params_and_data) copy_trans_params_and_data: params[0..0] data[0..68] (align 0) [2013/01/14 15:31:53.949629, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:53.949664, 5] lib/util.c:342(show_msg) size=124 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=49155 smb_tid=1 smb_pid=51584 smb_uid=101 smb_mid=2816 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 68 (0x44) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 68 (0x44) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=69 [2013/01/14 15:31:53.950314, 10] ../lib/util/util.c:415(dump_data) [0000] 00 05 00 0C 03 10 00 00 00 44 00 00 00 01 00 00 ........ .D...... [0010] 00 B8 10 B8 10 F0 53 00 00 0D 00 5C 50 49 50 45 ......S. ...\PIPE [0020] 5C 73 72 76 73 76 63 00 00 01 00 00 00 00 00 00 \srvsvc. ........ [0030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H [0040] 60 02 00 00 00 `.... 
[2013/01/14 15:31:53.952166, 10] lib/util_sock.c:519(read_smb_length_return_keepalive) got smb length of 148 [2013/01/14 15:31:53.952239, 6] smbd/process.c:1660(process_smb) got message type 0x0 of len 0x94 [2013/01/14 15:31:53.952302, 3] smbd/process.c:1662(process_smb) Transaction 46 of length 152 (0 toread) [2013/01/14 15:31:53.952364, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:53.952399, 5] lib/util.c:342(show_msg) size=148 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=32771 smb_tid=1 smb_pid=51584 smb_uid=101 smb_mid=2880 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 64 (0x40) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 1024 (0x400) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 84 (0x54) smb_vwv[11]= 64 (0x40) smb_vwv[12]= 84 (0x54) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=11071 (0x2B3F) smb_bcc=81 [2013/01/14 15:31:53.953185, 10] ../lib/util/util.c:415(dump_data) [0000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 00 .\.P.I.P .E.\.... [0010] 3F 05 00 00 03 10 00 00 00 40 00 00 00 01 00 00 ?....... .@...... [0020] 00 28 00 00 00 00 00 15 00 18 4A 17 00 0A 00 00 .(...... ..J..... [0030] 00 00 00 00 00 0A 00 00 00 5C 00 5C 00 48 00 61 ........ .\.\.H.a [0040] 00 77 00 6B 00 69 00 6E 00 67 00 00 00 65 00 00 .w.k.i.n .g...e.. [0050] 00 . 
[2013/01/14 15:31:53.953645, 3] smbd/process.c:1467(switch_message) switch message SMBtrans (pid 28678) conn 0xb8d20d18 [2013/01/14 15:31:53.953709, 4] smbd/uid.c:351(change_to_user) Skipping user change - already user [2013/01/14 15:31:53.953781, 3] smbd/ipc.c:560(handle_trans) trans <\PIPE\> data=64 params=0 setup=2 [2013/01/14 15:31:53.953847, 5] smbd/ipc.c:593(handle_trans) calling named_pipe [2013/01/14 15:31:53.953907, 3] smbd/ipc.c:511(named_pipe) named pipe command on <> name [2013/01/14 15:31:53.953969, 5] smbd/ipc.c:434(api_fd_reply) api_fd_reply [2013/01/14 15:31:53.954030, 3] smbd/ipc.c:475(api_fd_reply) Got API command 0x26 on pipe "srvsvc" (pnum 2b3f) [2013/01/14 15:31:53.954094, 10] smbd/ipc.c:477(api_fd_reply) api_fd_reply: p:0xb8d21060 max_trans_reply: 1024 [2013/01/14 15:31:53.954158, 6] rpc_server/srv_pipe_hnd.c:520(np_write_send) np_write_send: len: 64 [2013/01/14 15:31:53.954221, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 64 [2013/01/14 15:31:53.954283, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) process_incoming_data: Start: pdu.length = 0, pdu_needed_len = 0, incoming data = 64 [2013/01/14 15:31:53.954347, 10] rpc_server/srv_pipe_hnd.c:50(fill_rpc_header) fill_rpc_header: data_to_copy = 64, len_needed_to_complete_hdr = 16, receive_len = 0 [2013/01/14 15:31:53.954411, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 16 [2013/01/14 15:31:53.954472, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 48 [2013/01/14 15:31:53.954533, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) process_incoming_data: Start: pdu.length = 16, pdu_needed_len = 0, incoming data = 48 [2013/01/14 15:31:53.954598, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 0 [2013/01/14 15:31:53.954659, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 48 [2013/01/14 
15:31:53.954720, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) process_incoming_data: Start: pdu.length = 16, pdu_needed_len = 48, incoming data = 48 [2013/01/14 15:31:53.954816, 10] rpc_server/srv_pipe.c:1877(process_complete_pdu) PDU is in Little Endian format! [2013/01/14 15:31:53.954888, 1] ../librpc/ndr/ndr.c:247(ndr_print_debug) r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0040 (64) auth_length : 0x0000 (0) call_id : 0x00000001 (1) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000028 (40) context_id : 0x0000 (0) opnum : 0x0015 (21) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=40 [0000] 18 4A 17 00 0A 00 00 00 00 00 00 00 0A 00 00 00 .J...... ........ [0010] 5C 00 5C 00 48 00 61 00 77 00 6B 00 69 00 6E 00 \.\.H.a. w.k.i.n. [0020] 67 00 00 00 65 00 00 00 g...e... [2013/01/14 15:31:53.955900, 10] rpc_server/srv_pipe.c:1890(process_complete_pdu) Processing packet type 0 [2013/01/14 15:31:53.955962, 10] rpc_server/srv_pipe.c:1734(dcesrv_auth_request) Checking request auth. 
[2013/01/14 15:31:53.956027, 5] rpc_server/srv_pipe.c:1571(api_pipe_request) Requested \PIPE\\srvsvc [2013/01/14 15:31:53.956092, 4] rpc_server/srv_pipe.c:1611(api_rpcTNP) api_rpcTNP: \srvsvc op 0x15 - api_rpcTNP: rpc command: SRVSVC_NETSRVGETINFO [2013/01/14 15:31:53.956160, 6] rpc_server/srv_pipe.c:1645(api_rpcTNP) api_rpc_cmds[21].fn == 0xb71a27f0 [2013/01/14 15:31:53.956230, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) srvsvc_NetSrvGetInfo: struct srvsvc_NetSrvGetInfo in: struct srvsvc_NetSrvGetInfo server_unc : * server_unc : '\\Hawking' level : 0x00000065 (101) [2013/01/14 15:31:53.956442, 5] rpc_server/srvsvc/srv_srvsvc_nt.c:1125(_srvsvc_NetSrvGetInfo) _srvsvc_NetSrvGetInfo: 1125 [2013/01/14 15:31:53.956515, 5] rpc_server/srvsvc/srv_srvsvc_nt.c:1203(_srvsvc_NetSrvGetInfo) _srvsvc_NetSrvGetInfo: 1203 [2013/01/14 15:31:53.956576, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) srvsvc_NetSrvGetInfo: struct srvsvc_NetSrvGetInfo out: struct srvsvc_NetSrvGetInfo info : * info : union srvsvc_NetSrvInfo(case 101) info101 : * info101: struct srvsvc_NetSrvInfo101 platform_id : PLATFORM_ID_NT (500) server_name : * server_name : 'HAWKING' version_major : 0x00000004 (4) version_minor : 0x00000009 (9) server_type : 0x00009b23 (39715) 1: SV_TYPE_WORKSTATION 1: SV_TYPE_SERVER 0: SV_TYPE_SQLSERVER 0: SV_TYPE_DOMAIN_CTRL 0: SV_TYPE_DOMAIN_BAKCTRL 1: SV_TYPE_TIME_SOURCE 0: SV_TYPE_AFP 0: SV_TYPE_NOVELL 1: SV_TYPE_DOMAIN_MEMBER 1: SV_TYPE_PRINTQ_SERVER 0: SV_TYPE_DIALIN_SERVER 1: SV_TYPE_SERVER_UNIX 1: SV_TYPE_NT 0: SV_TYPE_WFW 0: SV_TYPE_SERVER_MFPN 1: SV_TYPE_SERVER_NT 0: SV_TYPE_POTENTIAL_BROWSER 0: SV_TYPE_BACKUP_BROWSER 0: SV_TYPE_MASTER_BROWSER 0: SV_TYPE_DOMAIN_MASTER 0: SV_TYPE_SERVER_OSF 0: SV_TYPE_SERVER_VMS 0: SV_TYPE_WIN95_PLUS 0: SV_TYPE_DFS_SERVER 0: SV_TYPE_ALTERNATE_XPORT 0: SV_TYPE_LOCAL_LIST_ONLY 0: SV_TYPE_DOMAIN_ENUM comment : * comment : 'hawking - the universe is expanding' result : WERR_OK [2013/01/14 15:31:53.958079, 5] 
rpc_server/srv_pipe.c:1679(api_rpcTNP) api_rpcTNP: called \srvsvc successfully [2013/01/14 15:31:53.958146, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 48 [2013/01/14 15:31:53.958230, 6] rpc_server/srv_pipe_hnd.c:284(read_from_internal_pipe) name: \srvsvc len: 1024 [2013/01/14 15:31:53.958294, 10] rpc_server/srv_pipe_hnd.c:346(read_from_internal_pipe) read_from_pipe: \srvsvc: fault_state = 0 : data_sent_length = 0, p->out_data.rdata.length = 148. [2013/01/14 15:31:53.958372, 1] ../librpc/ndr/ndr.c:247(ndr_print_debug) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x00ac (172) auth_length : 0x0000 (0) call_id : 0x00000001 (1) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000094 (148) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=148 [2013/01/14 15:31:53.959991, 3] rpc_server/srv_pipe_hnd.c:121(free_pipe_context) free_pipe_context: destroying talloc pool of size 48 [2013/01/14 15:31:53.960068, 10] rpc_server/srv_pipe_hnd.c:788(np_read_recv) Received 172 bytes.
There is no more data outstanding [2013/01/14 15:31:53.960134, 5] smbd/ipc.c:62(copy_trans_params_and_data) copy_trans_params_and_data: params[0..0] data[0..172] (align 0) [2013/01/14 15:31:53.960231, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:53.960266, 5] lib/util.c:342(show_msg) size=228 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=49155 smb_tid=1 smb_pid=51584 smb_uid=101 smb_mid=2880 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 172 (0xAC) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 172 (0xAC) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=173 [2013/01/14 15:31:53.960889, 10] ../lib/util/util.c:415(dump_data)
[2013/01/14 15:31:53.962166, 10] lib/util_sock.c:519(read_smb_length_return_keepalive) got smb length of 42 [2013/01/14 15:31:53.962236, 6] smbd/process.c:1660(process_smb) got message type 0x0 of len 0x2a [2013/01/14 15:31:53.962299, 3] smbd/process.c:1662(process_smb) Transaction 47 of length 46 (0 toread) [2013/01/14 15:31:53.962361, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:53.962396, 5] lib/util.c:342(show_msg) size=42 smb_com=0x4 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=32771 smb_tid=1 smb_pid=51966 smb_uid=101 smb_mid=2944 smt_wct=3 smb_vwv[ 0]=11071 (0x2B3F) smb_vwv[ 1]=65535 (0xFFFF) smb_vwv[ 2]=65535 (0xFFFF) smb_bcc=0 [2013/01/14 15:31:53.962829, 10] ../lib/util/util.c:415(dump_data) [2013/01/14 15:31:53.962866, 3] smbd/process.c:1467(switch_message) switch message SMBclose (pid 28678) conn 0xb8d20d18 [2013/01/14 15:31:53.962931, 4] smbd/uid.c:351(change_to_user) Skipping user change - already user [2013/01/14 15:31:53.962995, 3] smbd/reply.c:4848(reply_close) close fd=-1 fnum=11071 (numopen=1) [2013/01/14 15:31:53.963058, 6] smbd/close.c:532(set_close_write_time) close_write_time: Wed Dec 31 18:59:59 1969 [2013/01/14 15:31:53.963134, 10] rpc_server/rpc_handles.c:307(close_policy_by_pipe) close_policy_by_pipe: deleted handle list for pipe \srvsvc [2013/01/14 15:31:53.963207, 5] smbd/files.c:482(file_free) freed files structure 11071 (0 used) [2013/01/14 15:31:53.963272, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:53.963307, 5] lib/util.c:342(show_msg) size=35 smb_com=0x4 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=49155 smb_tid=1 smb_pid=51966 smb_uid=101 smb_mid=2944 smt_wct=0 smb_bcc=0 [2013/01/14 15:31:53.963657, 10] ../lib/util/util.c:415(dump_data) [2013/01/14 15:31:53.965299, 10] lib/util_sock.c:519(read_smb_length_return_keepalive) got smb length of 100 [2013/01/14 15:31:53.965370, 6] smbd/process.c:1660(process_smb) got message type 0x0 of len 0x64 [2013/01/14 15:31:53.965432, 3] smbd/process.c:1662(process_smb) 
Transaction 48 of length 104 (0 toread) [2013/01/14 15:31:53.965494, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:53.965529, 5] lib/util.c:342(show_msg) size=100 smb_com=0xa2 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=32771 smb_tid=1 smb_pid=51584 smb_uid=101 smb_mid=3008 smt_wct=24 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 0 (0x0) smb_vwv[ 2]= 3584 (0xE00) smb_vwv[ 3]= 1536 (0x600) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]=40704 (0x9F00) smb_vwv[ 8]= 513 (0x201) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 0 (0x0) smb_vwv[11]= 0 (0x0) smb_vwv[12]= 0 (0x0) smb_vwv[13]= 0 (0x0) smb_vwv[14]= 0 (0x0) smb_vwv[15]= 768 (0x300) smb_vwv[16]= 0 (0x0) smb_vwv[17]= 256 (0x100) smb_vwv[18]= 0 (0x0) smb_vwv[19]= 0 (0x0) smb_vwv[20]= 0 (0x0) smb_vwv[21]= 512 (0x200) smb_vwv[22]= 0 (0x0) smb_vwv[23]= 0 (0x0) smb_bcc=17 [2013/01/14 15:31:53.966581, 10] ../lib/util/util.c:415(dump_data) [0000] A4 5C 00 77 00 69 00 6E 00 72 00 65 00 67 00 00 .\.w.i.n .r.e.g.. [0010] 00 . [2013/01/14 15:31:53.966741, 3] smbd/process.c:1467(switch_message) switch message SMBntcreateX (pid 28678) conn 0xb8d20d18 [2013/01/14 15:31:53.966805, 4] smbd/uid.c:351(change_to_user) Skipping user change - already user [2013/01/14 15:31:53.966876, 10] smbd/nttrans.c:500(reply_ntcreate_and_X) reply_ntcreate_and_X: flags = 0x6, access_mask = 0x2019f file_attributes = 0x0, share_access = 0x3, create_disposition = 0x1 create_options = 0x0 root_dir_fid = 0x0, fname = winreg [2013/01/14 15:31:53.966946, 4] smbd/nttrans.c:288(nt_open_pipe) nt_open_pipe: Opening pipe \winreg. 
[2013/01/14 15:31:53.967015, 5] smbd/files.c:140(file_new) allocated file structure 6976, fnum = 11072 (1 used) [2013/01/14 15:31:53.967087, 10] smbd/files.c:705(file_name_hash) file_name_hash: /tmp/winreg hash 0x718d6f2 [2013/01/14 15:31:53.967161, 4] rpc_server/rpc_ncacn_np.c:132(make_internal_rpc_pipe_p) Create pipe requested \winreg [2013/01/14 15:31:53.967234, 10] rpc_server/rpc_handles.c:116(init_pipe_handles) init_pipe_handle_list: created handle list for pipe \winreg [2013/01/14 15:31:53.967297, 10] rpc_server/rpc_handles.c:133(init_pipe_handles) init_pipe_handle_list: pipe_handles ref count = 1 for pipe \winreg [2013/01/14 15:31:53.967378, 4] rpc_server/rpc_ncacn_np.c:176(make_internal_rpc_pipe_p) Created internal pipe \winreg (pipes_open=0) [2013/01/14 15:31:53.967444, 5] smbd/nttrans.c:377(do_ntcreate_pipe_open) do_ntcreate_pipe_open: open pipe = \winreg [2013/01/14 15:31:53.967528, 4] smbd/sec_ctx.c:314(set_sec_ctx) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 [2013/01/14 15:31:53.967592, 5] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2013/01/14 15:31:53.967654, 5] auth/token_util.c:527(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2013/01/14 15:31:53.967764, 5] smbd/uid.c:400(change_to_root_user) change_to_root_user: now uid=(0,0) gid=(0,0) [2013/01/14 15:31:53.967904, 10] lib/util_sock.c:519(read_smb_length_return_keepalive) got smb length of 156 [2013/01/14 15:31:53.967972, 6] smbd/process.c:1660(process_smb) got message type 0x0 of len 0x9c [2013/01/14 15:31:53.968035, 3] smbd/process.c:1662(process_smb) Transaction 49 of length 160 (0 toread) [2013/01/14 15:31:53.968098, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:53.968133, 5] lib/util.c:342(show_msg) size=156 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=32771 smb_tid=1 smb_pid=51584 smb_uid=101 smb_mid=3072 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 72 (0x48) smb_vwv[ 2]= 0 
(0x0) smb_vwv[ 3]= 1024 (0x400) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 84 (0x54) smb_vwv[11]= 72 (0x48) smb_vwv[12]= 84 (0x54) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=11072 (0x2B40) smb_bcc=89 [2013/01/14 15:31:53.968922, 10] ../lib/util/util.c:415(dump_data) [0000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 00 .\.P.I.P .E.\.... [0010] A4 05 00 0B 00 10 00 00 00 48 00 00 00 01 00 00 ........ .H...... [0020] 00 30 16 30 16 00 00 00 00 01 00 00 00 00 00 01 .0.0.... ........ [0030] 00 01 D0 8C 33 44 22 F1 31 AA AA 90 00 38 00 10 ....3D". 1....8.. [0040] 03 01 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 ......]. ........ [0050] 00 2B 10 48 60 02 00 00 00 .+.H`... . [2013/01/14 15:31:53.969428, 3] smbd/process.c:1467(switch_message) switch message SMBtrans (pid 28678) conn 0xb8d20d18 [2013/01/14 15:31:53.969499, 4] smbd/sec_ctx.c:314(set_sec_ctx) setting sec ctx (2500, 2513) - sec_ctx_stack_ndx = 0 [2013/01/14 15:31:53.969565, 5] ../libcli/security/security_token.c:63(security_token_debug) Security token SIDs (10): SID[ 0]: S-1-5-21-546846319-217595157-9522986-500 SID[ 1]: S-1-5-21-546846319-217595157-9522986-513 SID[ 2]: S-1-22-2-2513 SID[ 3]: S-1-1-0 SID[ 4]: S-1-5-2 SID[ 5]: S-1-5-11 SID[ 6]: S-1-22-1-2500 SID[ 7]: S-1-22-2-300002 SID[ 8]: S-1-22-2-300003 SID[ 9]: S-1-22-2-300004 Privileges (0x 0): Rights (0x 0): [2013/01/14 15:31:53.969991, 5] auth/token_util.c:527(debug_unix_user_token) UNIX token of user 2500 Primary group is 2513 and contains 4 supplementary groups Group[ 0]: 2513 Group[ 1]: 300002 Group[ 2]: 300003 Group[ 3]: 300004 [2013/01/14 15:31:53.970201, 5] smbd/uid.c:317(change_to_user_internal) Impersonated user: uid=(0,2500), gid=(0,2513) [2013/01/14 15:31:53.970274, 3] smbd/ipc.c:560(handle_trans) trans <\PIPE\> data=72 params=0 setup=2 [2013/01/14 15:31:53.970341, 5] smbd/ipc.c:593(handle_trans) calling named_pipe [2013/01/14 
15:31:53.970400, 3] smbd/ipc.c:511(named_pipe) named pipe command on <> name [2013/01/14 15:31:53.970462, 5] smbd/ipc.c:434(api_fd_reply) api_fd_reply [2013/01/14 15:31:53.970524, 3] smbd/ipc.c:475(api_fd_reply) Got API command 0x26 on pipe "winreg" (pnum 2b40) [2013/01/14 15:31:53.970587, 10] smbd/ipc.c:477(api_fd_reply) api_fd_reply: p:0xb8d21060 max_trans_reply: 1024 [2013/01/14 15:31:53.970651, 6] rpc_server/srv_pipe_hnd.c:520(np_write_send) np_write_send: len: 72 [2013/01/14 15:31:53.970714, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 72 [2013/01/14 15:31:53.970776, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) process_incoming_data: Start: pdu.length = 0, pdu_needed_len = 0, incoming data = 72 [2013/01/14 15:31:53.970839, 10] rpc_server/srv_pipe_hnd.c:50(fill_rpc_header) fill_rpc_header: data_to_copy = 72, len_needed_to_complete_hdr = 16, receive_len = 0 [2013/01/14 15:31:53.970904, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 16 [2013/01/14 15:31:53.970965, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 56 [2013/01/14 15:31:53.971026, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) process_incoming_data: Start: pdu.length = 16, pdu_needed_len = 0, incoming data = 56 [2013/01/14 15:31:53.971090, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 0 [2013/01/14 15:31:53.971152, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 56 [2013/01/14 15:31:53.971213, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) process_incoming_data: Start: pdu.length = 16, pdu_needed_len = 56, incoming data = 56 [2013/01/14 15:31:53.971278, 10] rpc_server/srv_pipe.c:1877(process_complete_pdu) PDU is in Little Endian format! 
[2013/01/14 15:31:53.971352, 1] ../librpc/ndr/ndr.c:247(ndr_print_debug)
  r: struct ncacn_packet
      rpc_vers : 0x05 (5)
      rpc_vers_minor : 0x00 (0)
      ptype : DCERPC_PKT_BIND (11)
      pfc_flags : 0x00 (0)
      drep: ARRAY(4)
          [0] : 0x10 (16)
          [1] : 0x00 (0)
          [2] : 0x00 (0)
          [3] : 0x00 (0)
      frag_length : 0x0048 (72)
      auth_length : 0x0000 (0)
      call_id : 0x00000001 (1)
      u : union dcerpc_payload(case 11)
      bind: struct dcerpc_bind
          max_xmit_frag : 0x1630 (5680)
          max_recv_frag : 0x1630 (5680)
          assoc_group_id : 0x00000000 (0)
          num_contexts : 0x01 (1)
          ctx_list: ARRAY(1)
              ctx_list: struct dcerpc_ctx_list
                  context_id : 0x0000 (0)
                  num_transfer_syntaxes : 0x01 (1)
                  abstract_syntax: struct ndr_syntax_id
                      uuid : 338cd001-2244-31f1-aaaa-900038001003
                      if_version : 0x00000001 (1)
                  transfer_syntaxes: ARRAY(1)
                      transfer_syntaxes: struct ndr_syntax_id
                          uuid : 8a885d04-1ceb-11c9-9fe8-08002b104860
                          if_version : 0x00000002 (2)
          auth_info : DATA_BLOB length=0
[2013/01/14 15:31:53.972437, 10] rpc_server/srv_pipe.c:1890(process_complete_pdu)
  Processing packet type 11
[2013/01/14 15:31:53.972502, 3] rpc_server/srv_pipe.c:889(api_pipe_bind_req)
  api_pipe_bind_req: \PIPE\winreg -> \PIPE\winreg
[2013/01/14 15:31:53.972565, 5] rpc_server/srv_pipe.c:923(api_pipe_bind_req)
  api_pipe_bind_req: make response. 923
[2013/01/14 15:31:53.972627, 3] rpc_server/srv_pipe.c:339(check_bind_req)
  check_bind_req for \winreg
[2013/01/14 15:31:53.972692, 3] rpc_server/srv_pipe.c:346(check_bind_req)
  check_bind_req: \PIPE\winreg -> \PIPE\winreg
[2013/01/14 15:31:53.972773, 1] ../librpc/ndr/ndr.c:247(ndr_print_debug)
  &r: struct ncacn_packet
      rpc_vers : 0x05 (5)
      rpc_vers_minor : 0x00 (0)
      ptype : DCERPC_PKT_BIND_ACK (12)
      pfc_flags : 0x03 (3)
      drep: ARRAY(4)
          [0] : 0x10 (16)
          [1] : 0x00 (0)
          [2] : 0x00 (0)
          [3] : 0x00 (0)
      frag_length : 0x0044 (68)
      auth_length : 0x0000 (0)
      call_id : 0x00000001 (1)
      u : union dcerpc_payload(case 12)
      bind_ack: struct dcerpc_bind_ack
          max_xmit_frag : 0x10b8 (4280)
          max_recv_frag : 0x10b8 (4280)
          assoc_group_id : 0x000053f0 (21488)
          secondary_address_size : 0x000d (13)
          secondary_address : '\PIPE\winreg'
          _pad1 : DATA_BLOB length=0
          num_results : 0x01 (1)
          ctx_list: ARRAY(1)
              ctx_list: struct dcerpc_ack_ctx
                  result : 0x0000 (0)
                  reason : 0x0000 (0)
                  syntax: struct ndr_syntax_id
                      uuid : 8a885d04-1ceb-11c9-9fe8-08002b104860
                      if_version : 0x00000002 (2)
          auth_info : DATA_BLOB length=0
[2013/01/14 15:31:53.973790, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe)
  write_to_pipe: data_used = 56
[2013/01/14 15:31:53.973872, 6] rpc_server/srv_pipe_hnd.c:284(read_from_internal_pipe)
  name: \winreg len: 1024
[2013/01/14 15:31:53.973937, 10] rpc_server/srv_pipe_hnd.c:325(read_from_internal_pipe)
  read_from_pipe: \winreg: current_pdu_len = 68, current_pdu_sent = 0 returning 68 bytes.
[2013/01/14 15:31:53.974004, 3] rpc_server/srv_pipe_hnd.c:121(free_pipe_context)
  free_pipe_context: destroying talloc pool of size 24
[2013/01/14 15:31:53.974079, 10] rpc_server/srv_pipe_hnd.c:788(np_read_recv)
  Received 68 bytes. There is no more data outstanding
[2013/01/14 15:31:53.974144, 5] smbd/ipc.c:62(copy_trans_params_and_data)
  copy_trans_params_and_data: params[0..0] data[0..68] (align 0)
[2013/01/14 15:31:53.974239, 5] lib/util.c:332(show_msg)
[2013/01/14 15:31:53.974274, 5] lib/util.c:342(show_msg)
  size=124
  smb_com=0x25
  smb_rcls=0
  smb_reh=0
  smb_err=0
  smb_flg=136
  smb_flg2=49155
  smb_tid=1
  smb_pid=51584
  smb_uid=101
  smb_mid=3072
  smt_wct=10
  smb_vwv[ 0]= 0 (0x0)
  smb_vwv[ 1]= 68 (0x44)
  smb_vwv[ 2]= 0 (0x0)
  smb_vwv[ 3]= 0 (0x0)
  smb_vwv[ 4]= 56 (0x38)
  smb_vwv[ 5]= 0 (0x0)
  smb_vwv[ 6]= 68 (0x44)
  smb_vwv[ 7]= 56 (0x38)
  smb_vwv[ 8]= 0 (0x0)
  smb_vwv[ 9]= 0 (0x0)
  smb_bcc=69
[2013/01/14 15:31:53.974893, 10] ../lib/util/util.c:415(dump_data)
  [0000] 00 05 00 0C 03 10 00 00 00 44 00 00 00 01 00 00 ........ .D......
  [0010] 00 B8 10 B8 10 F0 53 00 00 0D 00 5C 50 49 50 45 ......S. ...\PIPE
  [0020] 5C 77 69 6E 72 65 67 00 00 01 00 00 00 00 00 00 \winreg. ........
  [0030] 00 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 ..]..... .....+.H
  [0040] 60 02 00 00 00 `....
[2013/01/14 15:31:53.975656, 10] lib/util_sock.c:519(read_smb_length_return_keepalive) got smb length of 120 [2013/01/14 15:31:53.975726, 6] smbd/process.c:1660(process_smb) got message type 0x0 of len 0x78 [2013/01/14 15:31:53.975789, 3] smbd/process.c:1662(process_smb) Transaction 50 of length 124 (0 toread) [2013/01/14 15:31:53.975851, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:53.975886, 5] lib/util.c:342(show_msg) size=120 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=32771 smb_tid=1 smb_pid=51584 smb_uid=101 smb_mid=3136 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 36 (0x24) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 1024 (0x400) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 84 (0x54) smb_vwv[11]= 36 (0x24) smb_vwv[12]= 84 (0x54) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=11072 (0x2B40) smb_bcc=53 [2013/01/14 15:31:53.976689, 10] ../lib/util/util.c:415(dump_data) [0000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 00 .\.P.I.P .E.\.... [0010] 3F 05 00 00 03 10 00 00 00 24 00 00 00 01 00 00 ?....... .$...... [0020] 00 0C 00 00 00 00 00 02 00 70 FD EF 00 68 74 01 ........ .p...ht. [0030] 00 00 00 00 02 ..... 
[2013/01/14 15:31:53.977008, 3] smbd/process.c:1467(switch_message) switch message SMBtrans (pid 28678) conn 0xb8d20d18 [2013/01/14 15:31:53.977073, 4] smbd/uid.c:351(change_to_user) Skipping user change - already user [2013/01/14 15:31:53.977143, 3] smbd/ipc.c:560(handle_trans) trans <\PIPE\> data=36 params=0 setup=2 [2013/01/14 15:31:53.977210, 5] smbd/ipc.c:593(handle_trans) calling named_pipe [2013/01/14 15:31:53.977269, 3] smbd/ipc.c:511(named_pipe) named pipe command on <> name [2013/01/14 15:31:53.977331, 5] smbd/ipc.c:434(api_fd_reply) api_fd_reply [2013/01/14 15:31:53.977392, 3] smbd/ipc.c:475(api_fd_reply) Got API command 0x26 on pipe "winreg" (pnum 2b40) [2013/01/14 15:31:53.977456, 10] smbd/ipc.c:477(api_fd_reply) api_fd_reply: p:0xb8d21060 max_trans_reply: 1024 [2013/01/14 15:31:53.977519, 6] rpc_server/srv_pipe_hnd.c:520(np_write_send) np_write_send: len: 36 [2013/01/14 15:31:53.977582, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 36 [2013/01/14 15:31:53.977644, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) process_incoming_data: Start: pdu.length = 0, pdu_needed_len = 0, incoming data = 36 [2013/01/14 15:31:53.977708, 10] rpc_server/srv_pipe_hnd.c:50(fill_rpc_header) fill_rpc_header: data_to_copy = 36, len_needed_to_complete_hdr = 16, receive_len = 0 [2013/01/14 15:31:53.977772, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 16 [2013/01/14 15:31:53.977833, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 20 [2013/01/14 15:31:53.977928, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) process_incoming_data: Start: pdu.length = 16, pdu_needed_len = 0, incoming data = 20 [2013/01/14 15:31:53.977993, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 0 [2013/01/14 15:31:53.978054, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 20 [2013/01/14 
15:31:53.978115, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) process_incoming_data: Start: pdu.length = 16, pdu_needed_len = 20, incoming data = 20 [2013/01/14 15:31:53.978180, 10] rpc_server/srv_pipe.c:1877(process_complete_pdu) PDU is in Little Endian format! [2013/01/14 15:31:53.978251, 1] ../librpc/ndr/ndr.c:247(ndr_print_debug) r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0024 (36) auth_length : 0x0000 (0) call_id : 0x00000001 (1) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x0000000c (12) context_id : 0x0000 (0) opnum : 0x0002 (2) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=12 [0000] 70 FD EF 00 68 74 01 00 00 00 00 02 p...ht.. .... [2013/01/14 15:31:53.979074, 10] rpc_server/srv_pipe.c:1890(process_complete_pdu) Processing packet type 0 [2013/01/14 15:31:53.979137, 10] rpc_server/srv_pipe.c:1734(dcesrv_auth_request) Checking request auth. 
[2013/01/14 15:31:53.979200, 5] rpc_server/srv_pipe.c:1571(api_pipe_request)
  Requested \PIPE\\winreg
[2013/01/14 15:31:53.979266, 4] rpc_server/srv_pipe.c:1611(api_rpcTNP)
  api_rpcTNP: \winreg op 0x2 - api_rpcTNP: rpc command: WINREG_OPENHKLM
[2013/01/14 15:31:53.979333, 6] rpc_server/srv_pipe.c:1645(api_rpcTNP)
  api_rpc_cmds[2].fn == 0xb715f0b0
[2013/01/14 15:31:53.979399, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
  winreg_OpenHKLM: struct winreg_OpenHKLM
      in: struct winreg_OpenHKLM
          system_name : *
              system_name : 0x7468 (29800)
          access_mask : 0x02000000 (33554432)
              0: KEY_QUERY_VALUE
              0: KEY_SET_VALUE
              0: KEY_CREATE_SUB_KEY
              0: KEY_ENUMERATE_SUB_KEYS
              0: KEY_NOTIFY
              0: KEY_CREATE_LINK
              0: KEY_WOW64_64KEY
              0: KEY_WOW64_32KEY
[2013/01/14 15:31:53.979851, 7] registry/reg_api.c:141(regkey_open_onelevel)
  regkey_open_onelevel: name = [HKLM]
[2013/01/14 15:31:53.979921, 4] smbd/sec_ctx.c:214(push_sec_ctx)
  push_sec_ctx(2500, 2513) : sec_ctx_stack_ndx = 1
[2013/01/14 15:31:53.979991, 4] smbd/uid.c:460(push_conn_ctx)
  push_conn_ctx(101) : conn_ctx_stack_ndx = 0
[2013/01/14 15:31:53.980053, 4] smbd/sec_ctx.c:314(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2013/01/14 15:31:53.980116, 5] ../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2013/01/14 15:31:53.980176, 5] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2013/01/14 15:31:53.980401, 4] smbd/sec_ctx.c:422(pop_sec_ctx)
  pop_sec_ctx (2500, 2513) - sec_ctx_stack_ndx = 0
[2013/01/14 15:31:53.980498, 10] registry/reg_backend_db.c:602(regdb_open)
  regdb_open: registry db opened. refcount reset (1)
[2013/01/14 15:31:53.980568, 10] registry/reg_cachehook.c:122(reghook_cache_find)
  reghook_cache_find: Searching for keyname [\HKLM]
[2013/01/14 15:31:53.980629, 10] lib/adt_tree.c:367(pathtree_find)
  pathtree_find: Enter [\HKLM]
[2013/01/14 15:31:53.980693, 10] lib/adt_tree.c:440(pathtree_find)
  pathtree_find: Exit
[2013/01/14 15:31:53.980754, 10] registry/reg_cachehook.c:127(reghook_cache_find)
  reghook_cache_find: found ops 0xb779a460 for key [\HKLM]
[2013/01/14 15:31:53.980875, 10] registry/reg_backend_db.c:1926(regdb_get_secdesc)
  regdb_get_secdesc: Getting secdesc of key [HKLM]
[2013/01/14 15:31:53.980974, 10] ../libcli/security/access_check.c:178(se_access_check)
  se_access_check: MAX desired = 0x2000000, granted = 0x20019, remaining = 0x20019
[2013/01/14 15:31:53.981046, 4] rpc_server/rpc_handles.c:197(create_rpc_handle_internal)
  Opened policy hnd[1]
  [0000] 00 00 00 00 18 00 00 00 00 00 00 00 F4 50 39 6B ........ .....P9k
  [0010] 06 70 00 00 .p..
[2013/01/14 15:31:53.981214, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
  winreg_OpenHKLM: struct winreg_OpenHKLM
      out: struct winreg_OpenHKLM
          handle : *
              handle: struct policy_handle
                  handle_type : 0x00000000 (0)
                  uuid : 00000018-0000-0000-f450-396b06700000
          result : WERR_OK
[2013/01/14 15:31:53.981491, 5] rpc_server/srv_pipe.c:1679(api_rpcTNP)
  api_rpcTNP: called \winreg successfully
[2013/01/14 15:31:53.981558, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe)
  write_to_pipe: data_used = 20
[2013/01/14 15:31:53.981644, 6] rpc_server/srv_pipe_hnd.c:284(read_from_internal_pipe)
  name: \winreg len: 1024
[2013/01/14 15:31:53.981708, 10] rpc_server/srv_pipe_hnd.c:346(read_from_internal_pipe)
  read_from_pipe: \winreg: fault_state = 0 : data_sent_length = 0, p->out_data.rdata.length = 24.
[2013/01/14 15:31:53.981786, 1] ../librpc/ndr/ndr.c:247(ndr_print_debug)
  &r: struct ncacn_packet
      rpc_vers : 0x05 (5)
      rpc_vers_minor : 0x00 (0)
      ptype : DCERPC_PKT_RESPONSE (2)
      pfc_flags : 0x03 (3)
      drep: ARRAY(4)
          [0] : 0x10 (16)
          [1] : 0x00 (0)
          [2] : 0x00 (0)
          [3] : 0x00 (0)
      frag_length : 0x0030 (48)
      auth_length : 0x0000 (0)
      call_id : 0x00000001 (1)
      u : union dcerpc_payload(case 2)
      response: struct dcerpc_response
          alloc_hint : 0x00000018 (24)
          context_id : 0x0000 (0)
          cancel_count : 0x00 (0)
          _pad : DATA_BLOB length=0
          stub_and_verifier : DATA_BLOB length=24
  [0000] 00 00 00 00 18 00 00 00 00 00 00 00 F4 50 39 6B ........ .....P9k
  [0010] 06 70 00 00 00 00 00 00 .p......
[2013/01/14 15:31:53.982634, 3] rpc_server/srv_pipe_hnd.c:121(free_pipe_context)
  free_pipe_context: destroying talloc pool of size 24
[2013/01/14 15:31:53.982711, 10] rpc_server/srv_pipe_hnd.c:788(np_read_recv)
  Received 48 bytes. There is no more data outstanding
[2013/01/14 15:31:53.982777, 5] smbd/ipc.c:62(copy_trans_params_and_data)
  copy_trans_params_and_data: params[0..0] data[0..48] (align 0)
[2013/01/14 15:31:53.982840, 5] lib/util.c:332(show_msg)
[2013/01/14 15:31:53.982875, 5] lib/util.c:342(show_msg)
  size=104
  smb_com=0x25
  smb_rcls=0
  smb_reh=0
  smb_err=0
  smb_flg=136
  smb_flg2=49155
  smb_tid=1
  smb_pid=51584
  smb_uid=101
  smb_mid=3136
  smt_wct=10
  smb_vwv[ 0]= 0 (0x0)
  smb_vwv[ 1]= 48 (0x30)
  smb_vwv[ 2]= 0 (0x0)
  smb_vwv[ 3]= 0 (0x0)
  smb_vwv[ 4]= 56 (0x38)
  smb_vwv[ 5]= 0 (0x0)
  smb_vwv[ 6]= 48 (0x30)
  smb_vwv[ 7]= 56 (0x38)
  smb_vwv[ 8]= 0 (0x0)
  smb_vwv[ 9]= 0 (0x0)
  smb_bcc=49
[2013/01/14 15:31:53.983531, 10] ../lib/util/util.c:415(dump_data)
  [0000] 00 05 00 02 03 10 00 00 00 30 00 00 00 01 00 00 ........ .0......
  [0010] 00 18 00 00 00 00 00 00 00 00 00 00 00 18 00 00 ........ ........
  [0020] 00 00 00 00 00 F4 50 39 6B 06 70 00 00 00 00 00 ......P9 k.p.....
  [0030] 00 .
[2013/01/14 15:31:53.985352, 10] lib/util_sock.c:519(read_smb_length_return_keepalive) got smb length of 228 [2013/01/14 15:31:53.985425, 6] smbd/process.c:1660(process_smb) got message type 0x0 of len 0xe4 [2013/01/14 15:31:53.985488, 3] smbd/process.c:1662(process_smb) Transaction 51 of length 232 (0 toread) [2013/01/14 15:31:53.985550, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:53.985585, 5] lib/util.c:342(show_msg) size=228 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=32771 smb_tid=1 smb_pid=51584 smb_uid=101 smb_mid=3200 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 144 (0x90) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 1024 (0x400) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 84 (0x54) smb_vwv[11]= 144 (0x90) smb_vwv[12]= 84 (0x54) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=11072 (0x2B40) smb_bcc=161 [2013/01/14 15:31:53.986390, 10] ../lib/util/util.c:415(dump_data) [0000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 00 .\.P.I.P .E.\.... [0010] A4 05 00 00 03 10 00 00 00 90 00 00 00 02 00 00 ........ ........ [0020] 00 78 00 00 00 00 00 0F 00 00 00 00 00 18 00 00 .x...... ........ [0030] 00 00 00 00 00 F4 50 39 6B 06 70 00 00 46 00 46 ......P9 k.p..F.F [0040] 00 84 1B A8 52 23 00 00 00 00 00 00 00 23 00 00 ....R#.. .....#.. [0050] 00 53 00 4F 00 46 00 54 00 57 00 41 00 52 00 45 .S.O.F.T .W.A.R.E [0060] 00 5C 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F .\.M.i.c .r.o.s.o [0070] 00 66 00 74 00 5C 00 53 00 63 00 68 00 65 00 64 .f.t.\.S .c.h.e.d [0080] 00 75 00 6C 00 69 00 6E 00 67 00 41 00 67 00 65 .u.l.i.n .g.A.g.e [0090] 00 6E 00 74 00 00 00 00 00 00 00 00 00 3F 00 0F .n.t.... .....?.. [00A0] 00 . 
[2013/01/14 15:31:53.987159, 3] smbd/process.c:1467(switch_message) switch message SMBtrans (pid 28678) conn 0xb8d20d18 [2013/01/14 15:31:53.987225, 4] smbd/uid.c:351(change_to_user) Skipping user change - already user [2013/01/14 15:31:53.987298, 3] smbd/ipc.c:560(handle_trans) trans <\PIPE\> data=144 params=0 setup=2 [2013/01/14 15:31:53.987365, 5] smbd/ipc.c:593(handle_trans) calling named_pipe [2013/01/14 15:31:53.987424, 3] smbd/ipc.c:511(named_pipe) named pipe command on <> name [2013/01/14 15:31:53.987486, 5] smbd/ipc.c:434(api_fd_reply) api_fd_reply [2013/01/14 15:31:53.987548, 3] smbd/ipc.c:475(api_fd_reply) Got API command 0x26 on pipe "winreg" (pnum 2b40) [2013/01/14 15:31:53.987613, 10] smbd/ipc.c:477(api_fd_reply) api_fd_reply: p:0xb8d21060 max_trans_reply: 1024 [2013/01/14 15:31:53.987677, 6] rpc_server/srv_pipe_hnd.c:520(np_write_send) np_write_send: len: 144 [2013/01/14 15:31:53.987740, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 144 [2013/01/14 15:31:53.987802, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) process_incoming_data: Start: pdu.length = 0, pdu_needed_len = 0, incoming data = 144 [2013/01/14 15:31:53.987865, 10] rpc_server/srv_pipe_hnd.c:50(fill_rpc_header) fill_rpc_header: data_to_copy = 144, len_needed_to_complete_hdr = 16, receive_len = 0 [2013/01/14 15:31:53.987929, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 16 [2013/01/14 15:31:53.987990, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 128 [2013/01/14 15:31:53.988087, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) process_incoming_data: Start: pdu.length = 16, pdu_needed_len = 0, incoming data = 128 [2013/01/14 15:31:53.988152, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 0 [2013/01/14 15:31:53.988212, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 128 [2013/01/14 
15:31:53.988273, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) process_incoming_data: Start: pdu.length = 16, pdu_needed_len = 128, incoming data = 128 [2013/01/14 15:31:53.988338, 10] rpc_server/srv_pipe.c:1877(process_complete_pdu) PDU is in Little Endian format! [2013/01/14 15:31:53.988411, 1] ../librpc/ndr/ndr.c:247(ndr_print_debug) r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0090 (144) auth_length : 0x0000 (0) call_id : 0x00000002 (2) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000078 (120) context_id : 0x0000 (0) opnum : 0x000f (15) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=120 [0000] 00 00 00 00 18 00 00 00 00 00 00 00 F4 50 39 6B ........ .....P9k [0010] 06 70 00 00 46 00 46 00 84 1B A8 52 23 00 00 00 .p..F.F. ...R#... [0020] 00 00 00 00 23 00 00 00 53 00 4F 00 46 00 54 00 ....#... S.O.F.T. [0030] 57 00 41 00 52 00 45 00 5C 00 4D 00 69 00 63 00 W.A.R.E. \.M.i.c. [0040] 72 00 6F 00 73 00 6F 00 66 00 74 00 5C 00 53 00 r.o.s.o. f.t.\.S. [0050] 63 00 68 00 65 00 64 00 75 00 6C 00 69 00 6E 00 c.h.e.d. u.l.i.n. [0060] 67 00 41 00 67 00 65 00 6E 00 74 00 00 00 00 00 g.A.g.e. n.t..... [0070] 00 00 00 00 3F 00 0F 00 ....?... [2013/01/14 15:31:53.989931, 10] rpc_server/srv_pipe.c:1890(process_complete_pdu) Processing packet type 0 [2013/01/14 15:31:53.989993, 10] rpc_server/srv_pipe.c:1734(dcesrv_auth_request) Checking request auth. 
[2013/01/14 15:31:53.990057, 5] rpc_server/srv_pipe.c:1571(api_pipe_request)
  Requested \PIPE\\winreg
[2013/01/14 15:31:53.990122, 4] rpc_server/srv_pipe.c:1611(api_rpcTNP)
  api_rpcTNP: \winreg op 0xf - api_rpcTNP: rpc command: WINREG_OPENKEY
[2013/01/14 15:31:53.990189, 6] rpc_server/srv_pipe.c:1645(api_rpcTNP)
  api_rpc_cmds[15].fn == 0xb715cb30
[2013/01/14 15:31:53.990262, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
  winreg_OpenKey: struct winreg_OpenKey
      in: struct winreg_OpenKey
          parent_handle : *
              parent_handle: struct policy_handle
                  handle_type : 0x00000000 (0)
                  uuid : 00000018-0000-0000-f450-396b06700000
          keyname: struct winreg_String
              name_len : 0x0046 (70)
              name_size : 0x0046 (70)
              name : *
                  name : 'SOFTWARE\Microsoft\SchedulingAgent'
          options : 0x00000000 (0)
              0: REG_OPTION_VOLATILE
              0: REG_OPTION_CREATE_LINK
              0: REG_OPTION_BACKUP_RESTORE
              0: REG_OPTION_OPEN_LINK
          access_mask : 0x000f003f (983103)
              1: KEY_QUERY_VALUE
              1: KEY_SET_VALUE
              1: KEY_CREATE_SUB_KEY
              1: KEY_ENUMERATE_SUB_KEYS
              1: KEY_NOTIFY
              1: KEY_CREATE_LINK
              0: KEY_WOW64_64KEY
              0: KEY_WOW64_32KEY
[2013/01/14 15:31:53.991147, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal)
  Found policy hnd[0]
  [0000] 00 00 00 00 18 00 00 00 00 00 00 00 F4 50 39 6B ........ .....P9k
  [0010] 06 70 00 00 .p..
[2013/01/14 15:31:53.991316, 7] registry/reg_api.c:141(regkey_open_onelevel)
  regkey_open_onelevel: name = [SOFTWARE]
[2013/01/14 15:31:53.991379, 10] registry/reg_backend_db.c:583(regdb_open)
  regdb_open: incrementing refcount (1->2)
[2013/01/14 15:31:53.991447, 10] registry/reg_cachehook.c:122(reghook_cache_find)
  reghook_cache_find: Searching for keyname [\HKLM\SOFTWARE]
[2013/01/14 15:31:53.991508, 10] lib/adt_tree.c:367(pathtree_find)
  pathtree_find: Enter [\HKLM\SOFTWARE]
[2013/01/14 15:31:53.991572, 10] lib/adt_tree.c:440(pathtree_find)
  pathtree_find: Exit
[2013/01/14 15:31:53.991632, 10] registry/reg_cachehook.c:127(reghook_cache_find)
  reghook_cache_find: found ops 0xb779a460 for key [\HKLM\SOFTWARE]
[2013/01/14 15:31:53.991757, 10] registry/reg_backend_db.c:1926(regdb_get_secdesc)
  regdb_get_secdesc: Getting secdesc of key [HKLM\SOFTWARE]
[2013/01/14 15:31:53.991855, 7] registry/reg_api.c:141(regkey_open_onelevel)
  regkey_open_onelevel: name = [Microsoft]
[2013/01/14 15:31:53.991918, 10] registry/reg_backend_db.c:583(regdb_open)
  regdb_open: incrementing refcount (2->3)
[2013/01/14 15:31:53.991986, 10] registry/reg_cachehook.c:122(reghook_cache_find)
  reghook_cache_find: Searching for keyname [\HKLM\SOFTWARE\Microsoft]
[2013/01/14 15:31:53.992047, 10] lib/adt_tree.c:367(pathtree_find)
  pathtree_find: Enter [\HKLM\SOFTWARE\Microsoft]
[2013/01/14 15:31:53.992110, 10] lib/adt_tree.c:440(pathtree_find)
  pathtree_find: Exit
[2013/01/14 15:31:53.992169, 10] registry/reg_cachehook.c:127(reghook_cache_find)
  reghook_cache_find: found ops 0xb779a460 for key [\HKLM\SOFTWARE\Microsoft]
[2013/01/14 15:31:53.992266, 10] registry/reg_backend_db.c:1926(regdb_get_secdesc)
  regdb_get_secdesc: Getting secdesc of key [HKLM\SOFTWARE\Microsoft]
[2013/01/14 15:31:53.992365, 7] registry/reg_api.c:141(regkey_open_onelevel)
  regkey_open_onelevel: name = [SchedulingAgent]
[2013/01/14 15:31:53.992431, 10] registry/reg_backend_db.c:583(regdb_open)
  regdb_open: incrementing refcount (3->4)
[2013/01/14 15:31:53.992501, 10] registry/reg_cachehook.c:122(reghook_cache_find)
  reghook_cache_find: Searching for keyname [\HKLM\SOFTWARE\Microsoft\SchedulingAgent]
[2013/01/14 15:31:53.992562, 10] lib/adt_tree.c:367(pathtree_find)
  pathtree_find: Enter [\HKLM\SOFTWARE\Microsoft\SchedulingAgent]
[2013/01/14 15:31:53.992626, 10] lib/adt_tree.c:440(pathtree_find)
  pathtree_find: Exit
[2013/01/14 15:31:53.992686, 10] registry/reg_cachehook.c:127(reghook_cache_find)
  reghook_cache_find: found ops 0xb779a460 for key [\HKLM\SOFTWARE\Microsoft\SchedulingAgent]
[2013/01/14 15:31:53.992768, 10] registry/reg_backend_db.c:1623(regdb_fetch_keys_internal)
  key [HKLM\SOFTWARE\Microsoft\SchedulingAgent] not found
[2013/01/14 15:31:53.992832, 10] registry/reg_backend_db.c:619(regdb_close)
  regdb_close: decrementing refcount (4->3)
[2013/01/14 15:31:53.992899, 10] registry/reg_backend_db.c:619(regdb_close)
  regdb_close: decrementing refcount (3->2)
[2013/01/14 15:31:53.992963, 10] registry/reg_backend_db.c:619(regdb_close)
  regdb_close: decrementing refcount (2->1)
[2013/01/14 15:31:53.993026, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
  winreg_OpenKey: struct winreg_OpenKey
      out: struct winreg_OpenKey
          handle : *
              handle: struct policy_handle
                  handle_type : 0x00000000 (0)
                  uuid : 00000000-0000-0000-0000-000000000000
          result : WERR_BADFILE
[2013/01/14 15:31:53.993331, 5] rpc_server/srv_pipe.c:1679(api_rpcTNP)
  api_rpcTNP: called \winreg successfully
[2013/01/14 15:31:53.993397, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe)
  write_to_pipe: data_used = 128
[2013/01/14 15:31:53.993480, 6] rpc_server/srv_pipe_hnd.c:284(read_from_internal_pipe)
  name: \winreg len: 1024
[2013/01/14 15:31:53.993544, 10] rpc_server/srv_pipe_hnd.c:346(read_from_internal_pipe)
  read_from_pipe: \winreg: fault_state = 0 : data_sent_length = 0, p->out_data.rdata.length = 24.
[2013/01/14 15:31:53.993620, 1] ../librpc/ndr/ndr.c:247(ndr_print_debug)
  &r: struct ncacn_packet
      rpc_vers : 0x05 (5)
      rpc_vers_minor : 0x00 (0)
      ptype : DCERPC_PKT_RESPONSE (2)
      pfc_flags : 0x03 (3)
      drep: ARRAY(4)
          [0] : 0x10 (16)
          [1] : 0x00 (0)
          [2] : 0x00 (0)
          [3] : 0x00 (0)
      frag_length : 0x0030 (48)
      auth_length : 0x0000 (0)
      call_id : 0x00000002 (2)
      u : union dcerpc_payload(case 2)
      response: struct dcerpc_response
          alloc_hint : 0x00000018 (24)
          context_id : 0x0000 (0)
          cancel_count : 0x00 (0)
          _pad : DATA_BLOB length=0
          stub_and_verifier : DATA_BLOB length=24
  [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
  [0010] 00 00 00 00 02 00 00 00 ........
[2013/01/14 15:31:53.994467, 3] rpc_server/srv_pipe_hnd.c:121(free_pipe_context)
  free_pipe_context: destroying talloc pool of size 24
[2013/01/14 15:31:53.994541, 10] rpc_server/srv_pipe_hnd.c:788(np_read_recv)
  Received 48 bytes. There is no more data outstanding
[2013/01/14 15:31:53.994606, 5] smbd/ipc.c:62(copy_trans_params_and_data)
  copy_trans_params_and_data: params[0..0] data[0..48] (align 0)
[2013/01/14 15:31:53.994670, 5] lib/util.c:332(show_msg)
[2013/01/14 15:31:53.994705, 5] lib/util.c:342(show_msg)
  size=104
  smb_com=0x25
  smb_rcls=0
  smb_reh=0
  smb_err=0
  smb_flg=136
  smb_flg2=49155
  smb_tid=1
  smb_pid=51584
  smb_uid=101
  smb_mid=3200
  smt_wct=10
  smb_vwv[ 0]= 0 (0x0)
  smb_vwv[ 1]= 48 (0x30)
  smb_vwv[ 2]= 0 (0x0)
  smb_vwv[ 3]= 0 (0x0)
  smb_vwv[ 4]= 56 (0x38)
  smb_vwv[ 5]= 0 (0x0)
  smb_vwv[ 6]= 48 (0x30)
  smb_vwv[ 7]= 56 (0x38)
  smb_vwv[ 8]= 0 (0x0)
  smb_vwv[ 9]= 0 (0x0)
  smb_bcc=49
[2013/01/14 15:31:53.995326, 10] ../lib/util/util.c:415(dump_data)
  [0000] 00 05 00 02 03 10 00 00 00 30 00 00 00 02 00 00 ........ .0......
  [0010] 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
  [0020] 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 ........ ........
  [0030] 00 .
[2013/01/14 15:31:53.996063, 10] lib/util_sock.c:519(read_smb_length_return_keepalive) got smb length of 128 [2013/01/14 15:31:53.996134, 6] smbd/process.c:1660(process_smb) got message type 0x0 of len 0x80 [2013/01/14 15:31:53.996197, 3] smbd/process.c:1662(process_smb) Transaction 52 of length 132 (0 toread) [2013/01/14 15:31:53.996258, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:53.996312, 5] lib/util.c:342(show_msg) size=128 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=32771 smb_tid=1 smb_pid=51584 smb_uid=101 smb_mid=3264 smt_wct=16 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 44 (0x2C) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 1024 (0x400) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 84 (0x54) smb_vwv[11]= 44 (0x2C) smb_vwv[12]= 84 (0x54) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=11072 (0x2B40) smb_bcc=61 [2013/01/14 15:31:53.997130, 10] ../lib/util/util.c:415(dump_data) [0000] 00 5C 00 50 00 49 00 50 00 45 00 5C 00 00 00 00 .\.P.I.P .E.\.... [0010] 3F 05 00 00 03 10 00 00 00 2C 00 00 00 03 00 00 ?....... .,...... [0020] 00 14 00 00 00 00 00 05 00 00 00 00 00 18 00 00 ........ ........ [0030] 00 00 00 00 00 F4 50 39 6B 06 70 00 00 ......P9 k.p.. 
[2013/01/14 15:31:53.997439, 3] smbd/process.c:1467(switch_message) switch message SMBtrans (pid 28678) conn 0xb8d20d18 [2013/01/14 15:31:53.997504, 4] smbd/uid.c:351(change_to_user) Skipping user change - already user [2013/01/14 15:31:53.997577, 3] smbd/ipc.c:560(handle_trans) trans <\PIPE\> data=44 params=0 setup=2 [2013/01/14 15:31:53.997644, 5] smbd/ipc.c:593(handle_trans) calling named_pipe [2013/01/14 15:31:53.997703, 3] smbd/ipc.c:511(named_pipe) named pipe command on <> name [2013/01/14 15:31:53.997765, 5] smbd/ipc.c:434(api_fd_reply) api_fd_reply [2013/01/14 15:31:53.997827, 3] smbd/ipc.c:475(api_fd_reply) Got API command 0x26 on pipe "winreg" (pnum 2b40) [2013/01/14 15:31:53.997891, 10] smbd/ipc.c:477(api_fd_reply) api_fd_reply: p:0xb8d21060 max_trans_reply: 1024 [2013/01/14 15:31:53.997955, 6] rpc_server/srv_pipe_hnd.c:520(np_write_send) np_write_send: len: 44 [2013/01/14 15:31:53.998018, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 44 [2013/01/14 15:31:53.998080, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) process_incoming_data: Start: pdu.length = 0, pdu_needed_len = 0, incoming data = 44 [2013/01/14 15:31:53.998144, 10] rpc_server/srv_pipe_hnd.c:50(fill_rpc_header) fill_rpc_header: data_to_copy = 44, len_needed_to_complete_hdr = 16, receive_len = 0 [2013/01/14 15:31:53.998208, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 16 [2013/01/14 15:31:53.998269, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 28 [2013/01/14 15:31:53.998330, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) process_incoming_data: Start: pdu.length = 16, pdu_needed_len = 0, incoming data = 28 [2013/01/14 15:31:53.998395, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 0 [2013/01/14 15:31:53.998456, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe) write_to_pipe: data_left = 28 [2013/01/14 
15:31:53.998517, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data) process_incoming_data: Start: pdu.length = 16, pdu_needed_len = 28, incoming data = 28 [2013/01/14 15:31:53.998581, 10] rpc_server/srv_pipe.c:1877(process_complete_pdu) PDU is in Little Endian format! [2013/01/14 15:31:53.998653, 1] ../librpc/ndr/ndr.c:247(ndr_print_debug) r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_REQUEST (0) pfc_flags : 0x03 (3) drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x002c (44) auth_length : 0x0000 (0) call_id : 0x00000003 (3) u : union dcerpc_payload(case 0) request: struct dcerpc_request alloc_hint : 0x00000014 (20) context_id : 0x0000 (0) opnum : 0x0005 (5) object : union dcerpc_object(case 0) empty: struct dcerpc_empty _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=20 [0000] 00 00 00 00 18 00 00 00 00 00 00 00 F4 50 39 6B ........ .....P9k [0010] 06 70 00 00 .p.. [2013/01/14 15:31:53.999589, 10] rpc_server/srv_pipe.c:1890(process_complete_pdu) Processing packet type 0 [2013/01/14 15:31:53.999651, 10] rpc_server/srv_pipe.c:1734(dcesrv_auth_request) Checking request auth. [2013/01/14 15:31:53.999715, 5] rpc_server/srv_pipe.c:1571(api_pipe_request) Requested \PIPE\\winreg [2013/01/14 15:31:53.999780, 4] rpc_server/srv_pipe.c:1611(api_rpcTNP) api_rpcTNP: \winreg op 0x5 - api_rpcTNP: rpc command: WINREG_CLOSEKEY [2013/01/14 15:31:53.999847, 6] rpc_server/srv_pipe.c:1645(api_rpcTNP) api_rpc_cmds[5].fn == 0xb715e7e0 [2013/01/14 15:31:53.999914, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CloseKey: struct winreg_CloseKey in: struct winreg_CloseKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000018-0000-0000-f450-396b06700000 [2013/01/14 15:31:54.000154, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 18 00 00 00 00 00 00 00 F4 50 39 6B ........ 
.....P9k [0010] 06 70 00 00 .p.. [2013/01/14 15:31:54.000320, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal) Found policy hnd[0] [0000] 00 00 00 00 18 00 00 00 00 00 00 00 F4 50 39 6B ........ .....P9k [0010] 06 70 00 00 .p.. [2013/01/14 15:31:54.000485, 3] rpc_server/rpc_handles.c:281(close_policy_hnd) Closed policy [2013/01/14 15:31:54.000548, 10] registry/reg_backend_db.c:619(regdb_close) regdb_close: decrementing refcount (1->0) [2013/01/14 15:31:54.000632, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug) winreg_CloseKey: struct winreg_CloseKey out: struct winreg_CloseKey handle : * handle: struct policy_handle handle_type : 0x00000000 (0) uuid : 00000000-0000-0000-0000-000000000000 result : WERR_OK [2013/01/14 15:31:54.000906, 5] rpc_server/srv_pipe.c:1679(api_rpcTNP) api_rpcTNP: called \winreg successfully [2013/01/14 15:31:54.000971, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe) write_to_pipe: data_used = 28 [2013/01/14 15:31:54.001054, 6] rpc_server/srv_pipe_hnd.c:284(read_from_internal_pipe) name: \winreg len: 1024 [2013/01/14 15:31:54.001118, 10] rpc_server/srv_pipe_hnd.c:346(read_from_internal_pipe) read_from_pipe: \winreg: fault_state = 0 : data_sent_length = 0, p->out_data.rdata.length = 24. [2013/01/14 15:31:54.001194, 1] ../librpc/ndr/ndr.c:247(ndr_print_debug) &r: struct ncacn_packet rpc_vers : 0x05 (5) rpc_vers_minor : 0x00 (0) ptype : DCERPC_PKT_RESPONSE (2) pfc_flags : 0x03 (3) drep: ARRAY(4) [0] : 0x10 (16) [1] : 0x00 (0) [2] : 0x00 (0) [3] : 0x00 (0) frag_length : 0x0030 (48) auth_length : 0x0000 (0) call_id : 0x00000003 (3) u : union dcerpc_payload(case 2) response: struct dcerpc_response alloc_hint : 0x00000018 (24) context_id : 0x0000 (0) cancel_count : 0x00 (0) _pad : DATA_BLOB length=0 stub_and_verifier : DATA_BLOB length=24 [0000] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0010] 00 00 00 00 00 00 00 00 ........ 
[2013/01/14 15:31:54.002038, 3] rpc_server/srv_pipe_hnd.c:121(free_pipe_context) free_pipe_context: destroying talloc pool of size 24 [2013/01/14 15:31:54.002143, 10] rpc_server/srv_pipe_hnd.c:788(np_read_recv) Received 48 bytes. There is no more data outstanding [2013/01/14 15:31:54.002209, 5] smbd/ipc.c:62(copy_trans_params_and_data) copy_trans_params_and_data: params[0..0] data[0..48] (align 0) [2013/01/14 15:31:54.002272, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:54.002307, 5] lib/util.c:342(show_msg) size=104 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=49155 smb_tid=1 smb_pid=51584 smb_uid=101 smb_mid=3264 smt_wct=10 smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 48 (0x30) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 56 (0x38) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 48 (0x30) smb_vwv[ 7]= 56 (0x38) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_bcc=49 [2013/01/14 15:31:54.002925, 10] ../lib/util/util.c:415(dump_data) [0000] 00 05 00 02 03 10 00 00 00 30 00 00 00 03 00 00 ........ .0...... [0010] 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0020] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [0030] 00 . 
[2013/01/14 15:31:54.004626, 10] lib/util_sock.c:519(read_smb_length_return_keepalive) got smb length of 42 [2013/01/14 15:31:54.004697, 6] smbd/process.c:1660(process_smb) got message type 0x0 of len 0x2a [2013/01/14 15:31:54.004760, 3] smbd/process.c:1662(process_smb) Transaction 53 of length 46 (0 toread) [2013/01/14 15:31:54.004822, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:54.004857, 5] lib/util.c:342(show_msg) size=42 smb_com=0x4 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=32771 smb_tid=1 smb_pid=51966 smb_uid=101 smb_mid=3328 smt_wct=3 smb_vwv[ 0]=11072 (0x2B40) smb_vwv[ 1]=65535 (0xFFFF) smb_vwv[ 2]=65535 (0xFFFF) smb_bcc=0 [2013/01/14 15:31:54.005289, 10] ../lib/util/util.c:415(dump_data) [2013/01/14 15:31:54.005326, 3] smbd/process.c:1467(switch_message) switch message SMBclose (pid 28678) conn 0xb8d20d18 [2013/01/14 15:31:54.005391, 4] smbd/uid.c:351(change_to_user) Skipping user change - already user [2013/01/14 15:31:54.005455, 3] smbd/reply.c:4848(reply_close) close fd=-1 fnum=11072 (numopen=1) [2013/01/14 15:31:54.005519, 6] smbd/close.c:532(set_close_write_time) close_write_time: Wed Dec 31 18:59:59 1969 [2013/01/14 15:31:54.005597, 10] rpc_server/rpc_handles.c:307(close_policy_by_pipe) close_policy_by_pipe: deleted handle list for pipe \winreg [2013/01/14 15:31:54.005670, 5] smbd/files.c:482(file_free) freed files structure 11072 (0 used) [2013/01/14 15:31:54.005735, 5] lib/util.c:332(show_msg) [2013/01/14 15:31:54.005770, 5] lib/util.c:342(show_msg) size=35 smb_com=0x4 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=49155 smb_tid=1 smb_pid=51966 smb_uid=101 smb_mid=3328 smt_wct=0 smb_bcc=0 [2013/01/14 15:31:54.006120, 10] ../lib/util/util.c:415(dump_data) [2013/01/14 15:32:08.209496, 4] smbd/sec_ctx.c:314(set_sec_ctx) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 [2013/01/14 15:32:08.209655, 5] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2013/01/14 15:32:08.209718, 5] 
auth/token_util.c:527(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2013/01/14 15:32:08.209834, 5] smbd/uid.c:400(change_to_root_user) change_to_root_user: now uid=(0,0) gid=(0,0) [2013/01/14 15:32:08.209914, 4] smbd/sec_ctx.c:314(set_sec_ctx) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 [2013/01/14 15:32:08.209976, 5] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2013/01/14 15:32:08.210036, 5] auth/token_util.c:527(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2013/01/14 15:32:08.210130, 5] smbd/uid.c:400(change_to_root_user) change_to_root_user: now uid=(0,0) gid=(0,0) [2013/01/14 15:32:08.210261, 3] smbd/service.c:1378(close_cnum) proserver (192.168.7.2) closed connection to service IPC$ [2013/01/14 15:32:08.210343, 3] smbd/connection.c:35(yield_connection) Yielding connection to IPC$ [2013/01/14 15:32:08.210569, 10] lib/dbwrap_tdb.c:102(db_tdb_fetch_locked) Locking key 06700000FFFFFFFFB069 [2013/01/14 15:32:08.210668, 10] lib/dbwrap_tdb.c:131(db_tdb_fetch_locked) Allocated locked data 0x0xb8d33320 [2013/01/14 15:32:08.210781, 10] lib/dbwrap_tdb.c:44(db_tdb_record_destr) Unlocking key 06700000FFFFFFFFB069 [2013/01/14 15:32:08.211007, 4] smbd/vfs.c:780(vfs_ChDir) vfs_ChDir to / [2013/01/14 15:32:08.211079, 4] smbd/sec_ctx.c:314(set_sec_ctx) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 [2013/01/14 15:32:08.211142, 5] ../libcli/security/security_token.c:53(security_token_debug) Security token: (NULL) [2013/01/14 15:32:08.211202, 5] auth/token_util.c:527(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2013/01/14 15:32:08.211298, 5] smbd/uid.c:400(change_to_root_user) change_to_root_user: now uid=(0,0) gid=(0,0) [2013/01/14 15:32:08.211394, 10] lib/dbwrap_tdb.c:102(db_tdb_fetch_locked) Locking key 49442F32383637382F31 [2013/01/14 15:32:08.211477, 10] 
lib/dbwrap_tdb.c:131(db_tdb_fetch_locked) Allocated locked data 0x0xb8d26018 [2013/01/14 15:32:08.211565, 10] lib/dbwrap_tdb.c:44(db_tdb_record_destr) Unlocking key 49442F32383637382F31 [2013/01/14 15:32:08.211784, 3] smbd/server_exit.c:181(exit_server_common) Server exit (termination signal)