????

Your IP : 52.14.154.79

Current Path : C:/Windows/System32/drivers/en-US/
Upload File :
Current File : C:/Windows/System32/drivers/en-US/srv2.sys.mui

MZ����@���	�!�L�!This program cannot be run in DOS mode.

$��<߱�R���R���R�U�����R�U�P���R�Rich��R�PEL�!�

�}k@ $�8.rdata�@@.rsrc� �@@Q<�
T88Q<�$��8.rdata8x.rdata$zzzdbg �.rsrc$01�&�.rsrc$02 r�"����7�L1d�D��)7��.�Q<���0�H�P�h�������?��@��A��B�C(�D@�EX�Fp�G��H��I��J��K��L�~�0��H��`��x������������������� ��8��P��h�����	�	�	�	�	�			 	0	@	P	`	p	�	�	�	�	�	�	�	�			 	0	@	P	`	p	�	�	�	�	��&���'��|*N��,��\.:��0&��4��D6��:d�x?h��D��dI��HM��QL�LU���Y���^l�,a���cH�<fd��i��<l���n���q���v��|"�������`��*�4����X�h���@�P�����MUI���~�\��B9�/�lCÙB�b�6���IyP���MUIen-USSMB Server SharesSMB Server SharesuThis counter set displays information about SMB server shares that are shared using SMB protocol version 2 or higher.Received Bytes/secReceived Bytes/sec�The rate at which bytes are being received for requests related to this share. This value includes application data as well as SMB protocol data (such as packet headers).PARequests/secRequests/sec<The rate at which requests are being received for this shareTree Connect CountTree Connect Count1The current number of tree connects to this shareCurrent Open File CountCurrent Open File Count@The number of file handles that are currently open in this sharePA�The rate, in seconds, at which bytes are being sent from the SMB File Server related to this share to its clients. This value includes both data bytes and protocol bytes.Sent Bytes/secSent Bytes/sec@The sum of Sent Bytes/sec and Received Bytes/sec for this share.Transferred Bytes/secTransferred Bytes/seceThe number of requests related to this share that are waiting to be processed by the SMB File Server.Current Pending RequestsCurrent Pending RequestsPA�The average number of seconds that elapse between the time at which the SMB File Server receives a request for this share and the time at which the SMB File Server sends the corresponding response.Avg. sec/RequestAvg. sec/Request3Write requests processed/sec related to this share.Write Requests/secWrite Requests/sec�The average number of seconds that elapse between the time at which a write request to this share is received and the time at which the SMB File Server sends the corresponding response.Avg. sec/WritePAAvg. sec/WriteCThe rate, in seconds, at which data is being written to this share.Write Bytes/secWrite Bytes/sec2Read requests processed/sec related to this share.Read Requests/secRead Requests/sec�The average number of seconds that elapse between the time at which a read request to this share is received and the time at which the SMB File Server sends the corresponding response.
Avg. sec/Read
Avg. sec/ReadBThe rate, in seconds, at which data is being read from this share.Read Bytes/secRead Bytes/sec�The number of files that have been opened by the SMB File Server on behalf of its clients on this share since the server started.Total File Open CountPATotal File Open CountfThe rate, in seconds, at which files are being opened for the SMB File Server s clients on this share.Files Opened/secFiles Opened/secHThe number of durable file handles that are currently open on this shareCurrent Durable Open File CountCurrent Durable Open File Count�The number of durable opens on this share that have been recovered after a temporary network disconnect since the SMB File Server started.!Total Durable Handle Reopen Count!Total Durable Handle Reopen Count�The number of durable opens on this share that could not be recovered after a temporary network disconnect since the SMB File Server Started.(Total Failed Durable Handle Reopen Count(Total Failed Durable Handle Reopen CountEThe percentage of total opens for which clients requested resiliency.% Resilient Handles% Resilient Handles�The number of resilient opens on this share that have been recovered after a temporary network disconnect since the SMB File Server started.#Total Resilient Handle Reopen Count#Total Resilient Handle Reopen Count�The number of resilient opens on this share that could not be recovered after a temporary network disconnect since the SMB File Server Started.*Total Failed Resilient Handle Reopen Count*Total Failed Resilient Handle Reopen CountHThe percentage of total handles for which clients requested persistency.% Persistent Handles% Persistent Handles�The number of persistent opens on this share that have been recovered after a temporary network disconnect since the SMB File Server started.$Total Persistent Handle Reopen Count$Total Persistent Handle Reopen Count�The number of persistent opens on this share that could not be recovered after a temporary network disconnect since the SMB File Server Started.+Total Failed Persistent Handle Reopen Count+Total Failed Persistent Handle Reopen CountNThe rate, in seconds, at which metadata requests are being sent to this share.Metadata Requests/secMetadata Requests/sec�The average number of seconds that elapse between the time at which a read or write request to this share is received and the time at which the SMB File Server processes the request.Avg. sec/Data RequestAvg. sec/Data Request6The average number of bytes per read or write request.Avg. Data Bytes/RequestAvg. Data Bytes/Request-The average number of bytes per read request.Avg. Bytes/ReadAvg. Bytes/Read.The average number of bytes per write request.Avg. Bytes/WriteAvg. Bytes/WriteDThe average number of read requests that were queued for this share.Avg. Read Queue LengthAvg. Read Queue LengthEThe average number of write requests that were queued for this share.Avg. Write Queue LengthAvg. Write Queue LengthNThe average number of read and write requests that were queued for this share.Avg. Data Queue LengthAvg. Data Queue LengthPThe rate, in seconds, at which data is being written to or read from this share.Data Bytes/secPAData Bytes/secRThe rate, in seconds, at which read or write requests are received for this share.Data Requests/secData Requests/secGThe current number of read or write requests outstanding on this share.Current Data Queue LengthCurrent Data Queue Length?Write requests processed/sec related to this share through RDMAPThe rate, in seconds, at which data is being written to this share through RDMA.>Read requests processed/sec related to this share through RDMANThe rate, in seconds, at which data is being read from this share through RDMAKThe number of Bypass CSV file handles that are currently open on this share<Write requests processed/sec related to this share ByPassCSV;Read requests processed/sec related to this share ByPassCSV-Write Requests transmitted via SMB Direct/sec-Write Requests transmitted via SMB Direct/sec*Write Bytes transmitted via SMB Direct/sec*Write Bytes transmitted via SMB Direct/sec,Read Requests transmitted via SMB Direct/sec,Read Requests transmitted via SMB Direct/sec)Read Bytes transmitted via SMB Direct/sec)Read Bytes transmitted via SMB Direct/secCurrent Bypass Open File CountCurrent Bypass Open File Count,Write Requests transmitted via BypassCSV/sec,Write Requests transmitted via BypassCSV/sec+Read Requests transmitted via BypassCSV/sec+Read Requests transmitted via BypassCSV/sec$Read Bytes transmitted ByPassCSV/sec$Read Bytes transmitted ByPassCSV/secKThe rate, in seconds, at which data is being read from this share ByPassCSVLThe rate, in seconds, at which data is being written to this share ByPassCSV%Write Bytes transmitted ByPassCSV/sec%Write Bytes transmitted ByPassCSV/secXThe number of bytes per second that were compressed before transmission over the networkBytes Compressed/secPABytes Compressed/sec`The number of SMB responses per second that were compressed before transmission over the networkCompressed Responses/secCompressed Responses/secTThe number of SMB requests per second that were received compressed over the networkCompressed Requests/secCompressed Requests/secfThis counter set displays information about SMB server sessions using SMB protocol version 2 or higherSMB Server SessionsSMB Server Sessions�The rate at which bytes are being received for requests in this session. This value includes application data as well as SMB protocol data (such as packet headers).Received Bytes/secReceived Bytes/sec=The rate at which requests are being received in this sessionRequests/secRequests/sec+The number of tree connects in this sessionTree Connect CountTree Connect CountBThe number of file handles that are currently open in this sessionCurrent Open File CountCurrent Open File Count�The rate, in seconds, at which bytes are being sent from the SMB File Server in this session to the client. This value includes both data bytes and protocol bytes.Sent Bytes/secSent Bytes/secBThe sum of Sent Bytes/sec and Received Bytes/sec for this session.Transferred Bytes/secTransferred Bytes/sec_The number of requests in this session that are waiting to be processed by the SMB File Server.Current Pending RequestsCurrent Pending Requests�The average number of seconds that elapse between the time at which the SMB File Server receives a request in this session and the time at which the SMB File Server sends the corresponding response.Avg. sec/RequestAvg. sec/Request-Write requests processed/sec in this session.Write Requests/secPAWrite Requests/sec�The average number of seconds that elapse between the time at which a write request in this session is received and the time at which the SMB File Server sends the corresponding response.Avg. sec/WriteAvg. sec/WriteEThe rate, in seconds, at which data is being written in this session.Write Bytes/secWrite Bytes/sec,Read requests processed/sec in this session.Read Requests/secRead Requests/sec�The average number of seconds that elapse between the time at which a read request in this session is received and the time at which the SMB File Server sends the corresponding response.
Avg. sec/Read
Avg. sec/ReadBThe rate, in seconds, at which data is being read in this session.Read Bytes/secRead Bytes/sec�The number of files that have been opened by the SMB File Server on behalf of its clients in this session since the server started.Total File Open CountTotal File Open CountFThe rate, in seconds, at which files are being opened in this session.Files Opened/secFiles Opened/secJThe number of durable file handles that are currently open in this sessionCurrent Durable Open File CountCurrent Durable Open File Count�The number of durable opens in this session that have been recovered after a temporary network disconnect since the SMB File Server started.PA!Total Durable Handle Reopen Count!Total Durable Handle Reopen Count�The number of durable opens in this session that could not be recovered after a temporary network disconnect since the SMB File Server Started.(Total Failed Durable Handle Reopen Count(Total Failed Durable Handle Reopen CountEThe percentage of total opens for which clients requested resiliency.% Resilient Handles% Resilient Handles�The number of resilient opens in this session that have been recovered after a temporary network disconnect since the SMB File Server started.#Total Resilient Handle Reopen Count#Total Resilient Handle Reopen Count�The number of resilient opens in this session that could not be recovered after a temporary network disconnect since the SMB File Server Started.PA*Total Failed Resilient Handle Reopen Count*Total Failed Resilient Handle Reopen CountFThe percentage of total opens for which clients requested persistency.% Persistent Handles% Persistent Handles�The number of persistent opens in this session that have been recovered after a temporary network disconnect since the SMB File Server started.$Total Persistent Handle Reopen Count$Total Persistent Handle Reopen Count�The number of persistent opens in this session that could not be recovered after a temporary network disconnect since the SMB File Server Started.+Total Failed Persistent Handle Reopen Count+Total Failed Persistent Handle Reopen CountPAPThe rate, in seconds, at which metadata requests are being sent in this session.Metadata Requests/secMetadata Requests/sec�The average number of seconds that elapse between the time at which a read or write request to this session is received and the time at which the SMB File Server processes the request.Avg. sec/Data RequestAvg. sec/Data Request6The average number of bytes per read or write request.Avg. Data Bytes/RequestAvg. Data Bytes/Request-The average number of bytes per read request.PAAvg. Bytes/ReadAvg. Bytes/Read.The average number of bytes per write request.Avg. Bytes/WriteAvg. Bytes/WriteEThe average number of read requests that were queued in this session.Avg. Read Queue LengthAvg. Read Queue LengthFThe average number of write requests that were queued in this session.Avg. Write Queue LengthAvg. Write Queue LengthOThe average number of read and write requests that were queued in this session.Avg. Data Queue LengthAvg. Data Queue LengthMThe rate, in seconds, at which data is being written or read in this session.Data Bytes/secData Bytes/secSThe rate, in seconds, at which read or write requests are received in this session.Data Requests/secData Requests/secIThe current number of read or write requests outstanding in this session.Current Data Queue LengthCurrent Data Queue LengthPAgThe SMB Server performance counters measure file server activity for SMB protocol versions 2 and higher
SMB Server
SMB ServerTRead Bytes/sec is the rate at which data is being read to satisfy SMB read requests.Read Bytes/secPARead Bytes/secLRead Requests/sec is the rate at which SMB read requests are being received.Read Requests/secRead Requests/secYWrite Bytes/sec is the rate at which data is being written to satisfy SMB write requests.Write Bytes/secWrite Bytes/secNWrite Requests/sec is the rate at which SMB write requests are being received.Write Requests/secWrite Requests/sec�Send Bytes/sec is the rate at which data is being transmitted on the network. This value includes application data as well as SMB protocol data (such as packet headers).Send Bytes/secSend Bytes/sec�Receive Bytes/sec is the rate at which data is being received from the network. This value includes application data as well as SMB protocol data (such as packet headers).Receive Bytes/secReceive Bytes/secPA!55�00�	0	0�PP��P���������&�+��X�]�x����`
���������x����$��X�����l�u���w�w�t�������������������@��@����'�'�������������|���D�����X���p�e�j��l�q�d�s�z���'�'�t�����<��x��$Audit Failure

Info

Start

Stop

Send

Error

Warning

 Information

XMicrosoft-Windows-SMBServer/Performance

TMicrosoft-Windows-SMBServer/Analytic

XMicrosoft-Windows-SMBServer/Operational

XMicrosoft-Windows-SMBServer/Diagnostic

TMicrosoft-Windows-SMBServer/Security

\Microsoft-Windows-SMBServer/Connectivity

LMicrosoft-Windows-SMBServer/Audit

PSMB2 Work Item Component Transition

<SMB2 Work Item allocated

8SMB2 Work Item released

PSMB2 Work Item activity id transfer

\SMB2 Work Item external activity id stop

<SMB2 Connection accepted

TSMB2 Connection Disconnected by Peer

@SMB2 Connection Terminated

8SMB2 Session Allocated

PSmb Session Authentication Failure

PSMB2 Session Authentication Success

LSMB2 Session Bound to Connection

8SMB2 Session Terminated

4SMB2 Session Closed.

@SMB2 TreeConnect Allocated

DSMB2 TreeConnect Disconnected

@SMB2 TreeConnect Terminated

�SMB2 TreeConnect Failed due to Cluster Endpoint Initializing

�A client connection to a continuously available share has been marked so that the client will be forced to reconnect to the server node with best possible storage connectivity. %n%nSession ID: %1%nTreeConnect ID: %2%nShare: %4%n

�A client request on a continuously available share has been failed so that the client will be forced to reconnect to the server node with best possible storage connectivity. %n%nSession ID: %1%nTreeConnect ID: %2%nShare: %4%n

4SMB2 Open established

PSMB2 Open Disconnected - Preserved

4SMB2 Open Reconnected

HSMB2 Open Suspended - Preserved

,SMB2 Open Closed

0SMB2 Open Timed Out

4SMB2 Open Terminated

`SMB2 Open Clustered Client Failover Closed

�File handle for file "%8\%2" was invalidated by user %4 from computer %6

,SMB2 Share Added

0SMB2 Share Modified

0SMB2 Share Deleted

XS4U2Self authentication failure - The client could not be reauthenticated with S4U2Self to obtain claims.  This may be expected if the account is not a domain account.

�SRV Disabled - The SMB1 negotiate request fails due to SMB1 is disabled.

�RKF failure - SRV2 failed to get acknowledgement from Resume Key filter for persistent handle request.

�The server received an unencrypted message. Message was rejected.%n%nClient Name: %4%n%nGuidance:%n%nThis event indicates that a client is sending unencrypted data even though the SMB share requires encryption.

|The server received an incorrectly signed message. Message was rejected.%n%nClient Name: %2%n%nGuidance:%n%nThis event indicates that a client is sending an incorrectly signed request.

�The server failed to validate negotiation from client %2. Connection was terminated.

p	The share denied access to the client.%n%nClient Name: %10%nClient Address: %6%nUser Name: %8%nSession ID: %17%nShare Name: %2%nShare Path: %4%nStatus: %16 (%15)%nMapped Access: %11%nGranted Access: %12%nSecurity Descriptor: %14%n%nGuidance:%n%nYou should expect access denied errors when a principal accesses a share without the necessary permissions. Usually, this indicates that the principal does not have direct security permissions or lacks membership in a group that has direct access permissions. To determine and correct the permissions on the specified share, an administrator can use the Security tab in File Explorer Properties dialog, the SMBSHARE Windows PowerShell module, or the NET SHARE command. You can also use the Effective Access tab in File Explorer to help diagnose the issue.%n%nApplications may generate access denied errors if they attempt to open files in a writable mode first, and then reopen the files in a read-only mode. In this case, no user action is required.%n%nIf access to the share is denied and this event is not logged, you can examine the file and folder NTFS/REFS permissions.%n%nThis error does not indicate a problem with authentication, only authorization.

<The share denied anonymous access to the client.%n%nClient Name: %8%nClient Address: %6%nShare Name: %2%nShare Path: %4%n%nGuidance:%n%nYou should expect this error when a client attempts to connect to shares and does not provide any credentials. This indicates that the client is not providing a user name (and domain credentials, if necessary). By default, anonymous access to shares is denied.%n%nThis error does not always indicate a problem with authorization, but mainly authentication. It is more common with non-Windows clients.

8The server denied anonymous access to the client.%n%nClient Name: %4%n Client Address: %2%nSession ID: %5%n%nGuidance:%n%nYou should expect this error when a client attempts to connect to shares and does not provide any credentials. This indicates that the client is not providing a user name (and domain credentials, if necessary). By default, Windows Server denies anonymous access to shares.%n%nThis error does not always indicate a problem with authorization, but mainly authentication. It is more common with non-Windows clients.

0Endpoint added.%n%nName: %2%nDomain Name: %4%nTransport Name: %6%nTransport Flags: %7%n%nGuidance:%n%nYou should expect this event when the server starts listening on an interface, such as during system restart or when enabling a network adaptor. No user action is required.

�Endpoint removed.%n%nName: %2%nDomain Name: %4%nTransport Name: %6%n%nGuidance:%n%nYou should expect this event when the server stops listening on an interface, such as during shutdown or when disabling a network adaptor. No user action is required.

�The network name information changed.%n%nChange Type: %1%nNet Name: %3%nIP Address: %9%nFlags: %4%nInterface Index: %5%nCapability: %6%nLink Speed: %7%n%nGuidance:%n%nYou should expect this event on a Windows Failover Cluster node during failover operations, at system startup, or during network configuration. No user action is required.

�Endpoint coming online.%n%nEndpoint Name: %2%nTransport Name: %4%n%nGuidance:%n%nYou should expect this event on a Windows Failover Cluster node during failover operations. No user action is required.

�Endpoint going offline.%n%nEndpoint Name: %2%nTransport Name: %4%n%nGuidance:%n%nYou should expect this event on a Windows Failover Cluster node during failover operations. No user action is required.

�Decrypt call failed.%n%nClient Name: %2%nClient Address: %4%nSession ID: %7%nStatus: %6 (%5)%n%nGuidance:%n%nThis event commonly occurs because a previous SMB session no longer exists. It may also be caused by packets that are altered on the network between the computers due to either errors or a "man-in-the-middle" attack.

`Reopen failed.%n%nClient Name: %7%nClient Address: %9%nUser Name: %13%nSession ID: %14%nShare Name: %11%nFile Name: %16%nResume Key: %20%nStatus: %2 (%1)%nRKF Status: %4 (%3)%nDurable: %17%nResilient: %18%nPersistent: %19%nReason: %21%n%nGuidance:%n%nThe client attempted to reopen a continuously available handle, but the attempt failed. This typically indicates a problem with the network or underlying file being re-opened.

�Handle scavenged.%n%nShare Name: %7%nFile Name: %9%nResume Key: %5%nPersistent File ID: %3%nVolatile File ID: %4%nDurable: %1%nResilient or Persistent: %2%n%nGuidance:%n%nThe server closed a handle that was previously reserved for a client after 60 seconds. You should expect this event on a computer that is continuously available where a client did not gracefully close its session. For instance, this may occur when the client unexpectedly restarted.

�Backchannel invalidation of session completed.%n%nSession ID: %1%nStatus: %3 (%2)%nTask Status: %5 (%4)%n%nGuidance:%n%nYou should expect this event on a computer that is continuously available. No user action is required

�Backchannel invalidation of file completed.%n%nResume Key: %1%nStatus: %3 (%2)%nTask Status: %5 (%4)%n%nGuidance:%n%nYou should expect this event on a computer that is continuously available. No user action is required

,File system operation has taken longer than expected.%n%nClient Name: %8%nClient Address: %10%nUser Name: %6%nSession ID: %3%nShare Name: %12%nFile Name: %14%nCommand: %1%nDuration (in milliseconds): %15%nWarning Threshold (in milliseconds): %16%n%nGuidance:%n%nThe underlying file system has taken too long to respond to an operation. This typically indicates a problem with the storage and not SMB.

LmCompatibilityLevel value is different from the default.%n%nConfigured LM Compatibility Level: %1%nDefault LM Compatibility Level: %2%n%nGuidance:%n%nLAN Manager (LM) authentication is the protocol used to authenticate Windows clients for network operations. This includes joining a domain, accessing network resources, and authenticating users or computers. This determines which challenge/response authentication protocol is negotiated between the client and the server computers. Specifically, the LM authentication level determines which authentication protocols the client will try to negotiate or the server will accept. The value set for LmCompatibilityLevel determines which challenge/response authentication protocol is used for network logons. This value affects the level of authentication protocol that clients use, the level of session security negotiated, and the level of authentication accepted by servers.%n%nValue (Setting) - Description%n%n0 (Send LM & NTLM responses) - Clients use LM and NTLM authentication and never use NTLMv2 session security. Domain controllers accept LM, NTLM, and NTLMv2 authentication.%n%n1 (Send LM & NTLM - use NTLMv2 session security if negotiated) - Clients use LM and NTLM authentication, and use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.%n%n2 (Send NTLM response only) - Clients use NTLM authentication only and use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.%n%n3 (Send NTLM v2 response only) - Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.%n%n4 (Send NTLMv2 response only/refuse LM) - Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it. Domain controllers refuse LM and accept only NTLM and NTLMv2 authentication.%n%n5 (Send NTLM v2 response only/refuse LM & NTLM) - Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it. Domain controllers refuse LM and NTLM and accept only NTLMv2 authentication.%n%nIncompatibly configured  LmCompatibility levels between a client and server (such as 0 on a client and 5 on a server) prevent access to the server. Non-Microsoft clients and servers also provide these configuration settings.

0File and printer sharing firewall rule enabled.%n%nGuidance:%n%nYou should expect this event when Windows Firewall is configured to enable the File and Printer Sharing rule, which allows inbound SMB traffic. This event occurs on a computer that has custom shares configured.

�One or more shares present on this server have access based enumeration enabled.%n%nGuidance:%n%nYou should expect this event when enabling access-based enumeration on one or more shares by using either Server Manager or the Set-SmbShare Windows PowerShell cmdlet. Access-based enumeration can raise CPU utilization when clients connect to shares with folders containing many peer-level resources to which a user does not have access. You can control the CPU utilization by configuring the ABELevel value in the Windows registry:%n%nHKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\ABELevel [DWORD]%n%nYou can set the value for ABELevel to greater depths to minimize CPU overhead, but doing so diminishes the effectiveness of access-based enumeration:%n%nValue = 0: access-based enumeration is enabled for all levels%n%nValue = 1: access-based enumeration is enabled for a depth of 1 (example: \server\share)%n%nValue = 2: access-based enumeration is enabled for a depth of 2 (example: \server\share\folder)%n%nYou can continue setting values for multiple depth levels.

SMB2 and SMB3 have been disabled on this server.  This results in reduced functionality and performance.%n%nRegistry Key: HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters%nRegistry Value: Smb2%nDefault Value: 1 (or not present)%nCurrent Value: 0%n%nGuidance:%n%nYou should expect this event when disabling SMB2/SMB3. Microsoft does not recommend disabling SMB2/SMB3. When SMB3 is disabled, you cannot use features such as SMB Transparent Failover, SMB Scale Out, SMB Multichannel, SMB Direct (RDMA), SMB Encryption, VSS for SMB file shares, and SMB Directory Leasing. In most scenarios, SMB provides a troubleshooting workaround as an alternative to disabling SMB2/SMB3. Use the Set-SmbServerConfiguration Windows PowerShell cmdlet to enable SMB2/SMB3.

One or more named pipes or shares have been marked for access by anonymous users.  This increases the security risk of the computer by allowing unauthenticated users to connect to this server.%n%nRegistry Key: HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters%nRegistry Values: NullSessionPipes, NullSessionShares%nDefault Value: Empty (or not present)%nCurrent Value: Non-empty%n%nGuidance:%n%nYou should expect this event when modifying the default values of NullSessionShares and NullSessionPipes. On a typical file server, these settings do not exist or do not contain values, which is the most secure configuration. By default, domain controllers populate the NullSessionShares entry with netlogon, samr, and lsarpc to allow legacy access methods.

TFile leasing has been disabled for the SMB2 and SMB3 protocols.  This reduces functionality and can decrease performance.%n%nRegistry Key: HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters%nRegistry Value: DisableLeasing%nDefault Value: 0 (or not present)%nCurrent Value: non-zero%n%nGuidance:%n%nYou should expect this event when disabling SMB 3 Leasing. Microsoft does not recommend disabling SMB Leasing. Once disabled, traffic from client to server may increase since metadata and data may no longer be retrieved from a local cache.

The file and printer sharing firewall ports are currently closed.  This is the default configuration for a system that is not sharing content or is on a Public network.%n%nGuidance:%n%nYou should expect this event when Windows Firewall is not configured to enable the File and Printer Sharing rule, which allows inbound SMB traffic. This event occurs on a computer that does not have custom shares configured. Clients cannot access SMB shares on this computer until SMB traffic is allowed through the firewall.

�The maximum cluster-supported SMB dialect has changed.%n%nNewMaxDialect: %1%nOldMaxDialect: %2%n%nGuidance:%n%nYou should expect this event during a Windows Failover Cluster upgrade. No user action is required.

�The Cipher Suite Order group policy setting is invalid.%n%nGuidance:%n%nThis event indicates that an administrator has configured an invalid value for the "Computer Configuration\Administrative Templates\Network\Lanman Server\Cipher Suite Order" group policy setting. The server will use the default cipher suite order "%1" until this error is resolved.

$An MDL read or write completion request failed.%n%nServer Name: %2%nShare Name: %4%nFile Name: %6%nIsRead: %7%nStatus: %8%n%nGuidance:%n%nThe SMB server sends MDL completion requests to a file system upon completion of a buffered I/O to release system resources. The file system and its filter drivers must not fail MDL completion requests. Failures may result in memory leaks and degraded system performance and stability. Non-Microsoft file system filter drivers are the most common cause of failed MDL completion requests.

�The server detected a problem and has captured a live kernel dump to collect debug information.%n%nReason: %1%nDump Location: %SystemRoot%\LiveKernelReports%n%nGuidance:%n%nThe server supports the Live Dump feature, where the detection of a problem results in a kernel memory dump, but no bugcheck and reboot. This allows Microsoft Support to examine memory dumps without requiring a reboot or manual intervention. The reason code indicates the type of problem that was detected.%n%nStalled I/O%n%nAn I/O is taking an unreasonably long time to complete. Malfunctioning third-party file system minifilter drivers are a common source of this problem. Other causes include failed disks or a client-driven I/O workload that greatly exceeds the server's capacity.

�	The server detected a problem but was unable to capture a live kernel dump to collect debug information.%n%nReason: %1%n%nGuidance:%n%nThe server supports the Live Dump feature, where the detection of a problem results in a kernel memory dump, but no bugcheck and reboot. This allows Microsoft Support to examine memory dumps without requiring a reboot or manual intervention. The reason code indicates the type of problem that was detected. In this case, the server's request to create a live kernel dump was rejected. This is usually due to the live kernel dump throttle, which prevents frequent dumps from consuming too much disk space. Either wait for the throttle limit to expire (by default, 7 days), or contact Microsoft Support for steps to override the throttle. This event is written to the log no more than once per day. The problem that caused the server to the request a live kernel dump may be occuring more frequently.%n%nStalled I/O%n%nAn I/O is taking an unreasonably long time to complete. Malfunctioning third-party file system minifilter drivers are a common source of this problem. Other causes include failed disks or a client-driven I/O workload that greatly exceeds the server's capacity.

tSent RDMA %1 event to LanmanServer for interface %3.

dSend RDMA Endpoint notification failure - %1

\RDMA Endpoint %4 for interface %2 was %1.

�RDMA Endpoint allocation failure - Endpoint allocation failed for interface %1. %2

PRDMA listener creation failure - %1

�RDMA Send endpoint notification RPC failure for device %3 - %1

�Received Nsi notification type %1 for interface %2 with NdkOperationalState %3

pReceived Mib notification type %1 for interface %2

�Error reading FSCTL properties information from the registry. Registry value entry %3 will be ignored. Error: %1

�The certificate for the server is about to expire. %n%nSubject: %2%nThumbprint: %4%nExpires on %5.%n%nGuidance:%n%nThis event indicates the certificate is about to expire. %n%nRenew or issue new certificates to avoid service interruption.

0RDMA connection disconnected.%n%nTransport name: %3%nMilliseconds spent closing the connection: %1%n%nGuidance:%n%nClosing an RDMA connection should not take longer than 2 minutes. An RDMA IO that takes an abnormally long time to complete indicates a problem with the RDMA network adapters on this computer or its remote host. Contact your RDMA vendor for an updated driver and further troubleshooting.

�Quic connection shutdown.%n%nError: %1%nReason: %2%nEndpoint Name: %4%nTransport Name: %6%n%nGuidance:%n%nThis event indicates that the winquic connection is shutting down by the server. This event commonly occurs because the server certificate mapping is not created. It may also be caused by the server failed to configure the winquic connections.

�The server failed to update server certificate mapping.%n%nName: %2%nSubject: %4%nThumbprint: %6%n%nThe certificate can't be used for the server due to error %7%n%nThe server certificate mapping %9 removed.

�The server received a request and the server requires encryption, but the server and client did not negotiate an encryption cipher, nor does server allow unencrypted access.%n%nRequest: %10%nClient Name: %4%nClient Address: %8%nUser Name: %6%nSession ID: %9%nShare Name: %2%n%nGuidance:%n%nThis event indicates that client is trying to access a server that requires encryption, but no cipher was negotiated, and server does not allow unencrypted access. Check HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\RejectUnencryptedAccess to see if the value has been changed.

`The server received a %2 request but is taking an abnormal amount of time to process it.%n%nInstance Id: %1%nCommand: %2%nPerfBlock: %3%nDuration(s): %4%nThreshold(s): %5

XThe server processed a %1 request. Times taken to complete each stage below.%n%nCommand: %1%nAcquireLockTime(s): %2%nIoTime(s): %3%nTotalTime(s): %4%nThreshold(s): %5

�Found %1 endpoint(s) related to interface ID %2, closed %3 of which.

�The SMB negotiate request processing failed on the server to select the encryption cipher for the client and server. Please ensure there is a common cipher between the client and server.%n%nClient encryption cipher suite order (most to least preferred): %2%nServer encryption cipher suite order (most to least preferred): %4%n

CA failure - Failed to set continuously available property on a new or existing file share as the file share is not a cluster share.

lCA failure - Failed to set continuously available property on a new or existing file share as Resume Key filter is not started or has failed to attach to the underlying volume.

�The server failed to reserve the next ID region in the cluster registry.

�The security descriptor differs from the default value.%n%n

Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity\%1%n%n

Guidance:%n%n

This is typically caused by an administrator or a third party changing the security on the object manually. To reset the security back to the default value, delete the path shown above.%n

Microsoft does not recommend changing the default security of %1 as it may cause application incompatibilities or security concerns.

4TDI mode enabled: %1

�Failed to allocate an NSI table for network interface enumeration: %1

�Received notification of a newly-started network interface with Luid %2 on address family %1 (IPv4 == 2, IPv6 == 23)

�Received notification of a stopped network interface with Luid %2 on address family %1 (IPv4 == 2, IPv6 == 23)

xFailed to open network interface with Luid %1: error %2

�The server closed the session as part of periodic system cleanup.%n%nSession Id: %1%nInstance Id: %2%nReason: %3%n

DSession key for connection is weaker than required. Connection will be closed as a result.%n%nClient: %2%nUser: %6%nSession key length: %3%nRequired Session key length: %4%n%nGuidance:%nTo establish a connection with a shorter session key, set the following registry DWORD value name with the value as decimal bits:%n[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]%n"MinimumSessionKeyLength"%n%nImportant: If you have configured the 'Network security: Configure encryption types allowed for Kerberos' security policy to prevent use of 256-bit keys but also set the MinimumSessionKeyLength greater than 128 bits, the computer will not be able to make SMB connections. Setting MinimumSessionKeyLength higher than 128 bits will also prevent SMB connections using NTLM.

�Server received STATUS_STOPPED_ON_SYMLINK but the reparse buffer is NULL.

�Custom FSCTL allow list was not successfully loaded after several retries.

dSend QUIC Endpoint notification failure - %1

HServer Certificate failure - %1

@Packet Fragment (%2 bytes)

�SMB1 access%n%nClient Address: %1%n%nGuidance:%n%nThis event indicates that a client attempted to access the server using SMB1. To stop auditing SMB1 access, use the Windows PowerShell cmdlet Set-SmbServerConfiguration.

�Access Denied%n%nServer certificate mapping name: %2%nClient socket address: %4%n%nClient certificate chain:%n%nSubject, Issuer, Serial Number, %6%n%8%nDeny entries:%n%n%10%nAllow Entries:%n%n%12%nGuidance:%n%nThe server denied access to the client during mutual authentication. If you did not expect this result, examine the deny and allow entries above. For more information on troubleshooting this behavior, review https://go.microsoft.com/fwlink/?linkid=2243808

�Access Allowed%n%nServer certificate mapping name: %2%nClient socket address: %4%n%nClient certificate chain:%n%nSubject, Issuer, Serial Number, %6%n%8%nDeny entries:%n%n%10%nAllow Entries:%n%n%12%nGuidance:%n%nThe server allowed access to the client during mutual authentication. If you did not expect this result, examine the deny and allow entries above. For more information on troubleshooting this behavior, review https://go.microsoft.com/fwlink/?linkid=2243809

pAn error occurred while checking client certificate chain access during mutual authentication. Win32 error code: %1%n%nServer certificate mapping name: %3%nClient socket address: %5%n%nGuidance:%n%nFor more information on troubleshooting this behavior, review https://go.microsoft.com/fwlink/?linkid=2243709

,Packet (%4 bytes)

0SMB Session Authentication Failure%n%nClient Name: %11%nClient Address: %6%nUser Name: %9%nSession ID: %7%nStatus: %4 (%3)%n%nGuidance:%n%nYou should expect this error when attempting to connect to shares using incorrect credentials.%n%nThis error does not always indicate a problem with authorization, but mainly authentication. It is more common with non-Windows clients.%n%nThis error can occur when using incorrect usernames and passwords with NTLM, mismatched LmCompatibility settings between client and server, duplicate Kerberos service principal names, incorrect Kerberos ticket-granting service tickets, or Guest accounts without Guest access enabled

�A client attempted to access the server using SMB1 and was rejected because SMB1 file sharing support is disabled or has been uninstalled.%n%nGuidance:%n%nAn administrator has disabled or uninstalled server support for SMB1. Clients running Windows XP / Windows Server 2003 R2 and earlier will not be able to access this server. Clients running Windows Vista / Windows Server 2008 and later no longer require SMB1. To determine which clients are attempting to access this server using SMB1, use the Windows PowerShell cmdlet Set-SmbServerConfiguration to enable SMB1 access auditing.

�The server received an unencrypted message from client when encryption was required. Message was rejected.%n%nClient Name: %4%nClient Address: %8%nUser Name: %6%nSession ID: %9%nShare Name: %2%n%nGuidance:%n%nThis event indicates that a client is sending unencrypted data even though the SMB share requires encryption.

�The server rejected an incorrectly signed message.%n%nClient Name: %2%nClient Address: %6%nUser Name: %4%nSession ID: %7%n%nGuidance:%n%nThis event indicates that a client is sending an incorrectly signed request.

�The server rejected an invalid negotiation request. Connection was terminated.%n%nClient Name: %2%nClient Address: %6%nUser Name: %4%nSession ID: %13%nExpected Dialect: %7%nExpected Capabilities: %8%nExpected Security Mode: %9%nReceived Dialect: %10%nReceived Capabilities: %11%nReceived Security Mode: %12%n%nGuidance:%n%nThis event indicates that a client is attempting to negotiate a second connection using a mismatched dialect or capabilities.

No SMB1 usage detected in the last 20 minutes.%n%nGuidance:%n%nThis event indicates that no attempt was made to contact this computer via the SMB1 protocol. After %1 online days of no SMB1 contact attempts, the SMB1 Server service will automatically uninstall.

 A remote device attempted SMB1 connection to this computer.%n%nClient Address: %1%n%nGuidance:%n%nThis event indicates that a client attempted to access the server using SMB1. To stop auditing SMB1 access, use the Windows PowerShell cmdlet Set-SmbServerConfiguration.

�SMB1 server service has been automatically uninstalled.n%nGuidance:%n%nThis event indicates that after detecting no attempts to contact this computer via the SMB1 protocol for %1 online days, the SMB1 Server service was automatically uninstalled.

8SMB2 Request Negotiate

@SMB2 Request Session Setup

0SMB2 Request Logoff

<SMB2 Request Tree Connect

DSMB2 Request Tree Disconnect

,SMB2 Request Echo

0SMB2 Request Cancel

0SMB2 Request Create

0SMB2 Request Close

0SMB2 Request Flush

,SMB2 Request Read

0SMB2 Request Write

<SMB2 Request Break Oplock

HSMB2 Request Notify Break Lease

TSMB2 Request Acknowledge Break Lease

,SMB2 Request Lock

0SMB2 Request Ioctl

DSMB2 Request Query Directory

@SMB2 Request Change Notify

8SMB2 Request Query Info

4SMB2 Request Set Info

8SMB2 Response Negotiate

@SMB2 Response Session Setup

4SMB2 Response Logoff

@SMB2 Response Tree Connect

DSMB2 Response Tree Disconnect

0SMB2 Response Echo

4SMB2 Response Create

0SMB2 Response Close

0SMB2 Response Flush

0SMB2 Response Read

0SMB2 Response Write

@SMB2 Response Break Oplock

TSMB2 Response Acknowledge Break Lease

0SMB2 Response Lock

0SMB2 Response Ioctl

DSMB2 Response Query Directory

@SMB2 Response Change Notify

<SMB2 Response Query Info

8SMB2 Response Set Info

0SMB2 Response Error

�SMB Session Authentication Failure%n%nClient Name: %11%nClient Address: %6%nUser Name: %9%nSession ID: %7%nStatus: %4 (%3)%nSPN: %12%nSPN Validation Policy: %13%n%nGuidance:%n%nYou should expect this error when attempting to connect to shares using incorrect credentials.%n%nThis error does not always indicate a problem with authorization, but mainly authentication. It is more common with non-Windows clients.%n%nThis error can occur when using incorrect usernames and passwords with NTLM, mismatched LmCompatibility settings between client and server, an incorrect service principal name, duplicate Kerberos service principal names, incorrect Kerberos ticket-granting service tickets, or Guest accounts without Guest access enabled

�Negotiate integrity check failed.%n%nStatus: %2%nClient Name: %4%nClient Address: %8%nUser Name: %6%nSession ID: %9%n%nGuidance:%n%nThis event indicates that the client's negotiate request was altered on the network between the client and server due to errors or a "man-in-the-middle" attack. The client has been disconnected to prevent a security downgrade.

DSPN optional / no validation

TSPN optional / validate service name

DSPN optional / validate full

TSPN required / validate service name

DSPN required / validate full

 Stalled I/O

DReopen durable handle failed

Tdi

Wsk

Rdma

Vmbus

Quic

Add

Update

Remove

None

8Reconnect durable file

,RKF resume create

4Build create response

N/A

2.0.2

2.1

3.0

3.0.2

3.1.1

closed

created

disabled

enabled

�Error getting unicast ip address table for interface %2. %3

�Error getting unicast ip address entry for interface %2. %3

\Error finding or adding the interface %2.

�DadState is different from IpDadStatePreferred for interface %2. Current DadState: %6.

lError getting Nsi parameters for interface %2. %3

DError allocating pool memory

lError updating transport list for device %5. %3.

XError allocating and getting table. %3.

|Notification type %6 is not supported. Nothing was done.

�Error getting Address from TransportName for interface %2. %3

lError finding the address of the interface %2. %3

�Error because SMB Direct is not supported in interface %2. %3

`Error initializing SMB in interface %2. %3

XError initilizing the async handle. %4

8XsActSrv is not active.

,Pnp exception. %4

XTimeout on comleting pnp operation. %4

�Pnp operation took too long and it was never completed so it must be cancelled. %4

LError cancelling Pnp opearion. %4

<NsiParameterNotification

(NsiAddInstance

,NsiDeleteInstance

8NsiInitialNotification

<MibParameterNotification

(MibAddInstance

,MibDeleteInstance

8MibInitialNotification

�Registry value defines properties for an FSCTL that has already been defined in another registry value.

�Registry value specifying FSCTL properties must also specify a non-zero FSCTL code.

�Registry value specifying FSCTL properties have the wrong format.

�Error getting unicast ip address table for interface %2. %3

\Error finding or adding the interface %2.

lError getting Nsi parameters for interface %2. %3

�Error certificate for mapping not found in store. %n%nName: %4%nThumbprint: %6%n

�Error not enough memory to complete certificate routine %n%nName: %4%nThumbprint: %6%n

�Error certificate is already registered %n%nName: %4%nThumbprint: %6%n

LConnection state has not changed.

4Connection timed out.

XThe connection was idle and timed out.

8The server is stopping.

<The endpoint is closing.

HThe connection is disconnected.

LThe idle connection is time out.

<All channels are closed.

8Decrypt message error.

4Irrecoverable error.

TUnauthenticated connection is closed.

\Failed to send an interim async response.

8Insufficient resources.

\Connection/Stream shutdown without error.

\Connection/Stream shutdown unknown error.

TThe event received is not supported.

0Invalid Parameter.

<The object is not found.

8Insufficient resources.

HThe certificate is not trusted.

@The certificate is expired.

@The certificate is revoked.

DMutual authentication failed.

�The SMB client was denied access to the SMB server during mutual authentication.

TServer can't create a new connection.

xServer can't set bidi stream count for the connection.

PServer can't get the local address.

DServer close the connection.

tThe client certificate validation by Schannel failed.

`The client certificate access check failed.

hThe client certificate access check RPC failed.

�QUIC returned an error during the asynchronous client certificate validation.

None

NTLM

Kerberos

PKU2U

Negotiate

$Session setup

Logoff

$Tree connect

(Tree disconnect

Create

Close

Flush

Read

Write

Lock

Ioctl

Cancel

Echo

(Query directory

$Change notify

 Query info

Set info

$Oplock break

�4VS_VERSION_INFO��
�|O
�|O?�StringFileInfo�040904B0LCompanyNameMicrosoft CorporationTFileDescriptionSmb 2.0 Server drivern'FileVersion10.0.20348.3207 (WinBuild.160101.0800)2	InternalNameSRV2.SYS�.LegalCopyright� Microsoft Corporation. All rights reserved.B
OriginalFilenameSRV2.SYS.MUIj%ProductNameMicrosoft� Windows� Operating SystemDProductVersion10.0.20348.3207DVarFileInfo$Translation	�PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD