Hi All,
I’m trying to track down a bizarre (to me at least) issue here. I have a Server 2016 machine, call it \server, and a win 10 client machine, call it \client. On \client I am creating a file and writing to it using the path \server\c$\test\test.dat. I am running procmon on \server and it sees nothing other than a subsequent AV scan of test.dat by msmpeng.exe. No other create, write, or any other occurences of test.dat in any activity from any process.
Running wireshark on \server I see some SMB2 activity where there is a FSCTL_QUERY_NETWORK_INTERFACE_INFO followed by a create file request (on test.dat), followed by multiple FILE_INFO/SMB2_FILE_ALLOCATION_INFO requests.
I got here initially trying to figure out why my minifilter (running on \server) wasn’t seeing any activity, whether UNC name based or drive-letter name based, for these files getting created on \server. It was as if they were appearing without ever having been created/written. Running procmon showed the same thing that my filter was seeing, perhaps not surprisingly. So my question is how are we supposed to handle filtering this method of file creation? And is this type of SMB2 file create documented somewhere as a new addition to recent Win server versions or has this been present all along and I somehow just never came across it?
-JT
