PID image path
Hi,
In regard to this blog:
http://blogs.technet.com/b/thenetworker/archive/2007/12/09/of-file-access-from-the-command-prompt-and-trace-analysis.aspx
how can I identify an image path or file/process name associated with the SMB process ID [ Process ID: 65279 ]?
For example, comparing the sysinternals process monitor and wireshark logs done at the same time, process monitor does not reveal any activity related to that PID. Nor does the Windows task manager.
Reading this KB article [ http://support.microsoft.com/kb/935741/en-us ], I see the PID might be related to a kernel-level process.
I have been unable to find any relevant information here either:
[ http://msdn.microsoft.com/en-us/library/ee442092%28PROT.10%29.aspx ]
Thanks.
August 23rd, 2011 12:35pm
Hi Srv999,
Thank you for your post.
The ProcessID field in an SMB packet just identifies the client-side packet. The client-side ProcessID must be set to 65279. The ProcessID cannot be associated with a PID in Process Monitor.
2.2.1.2 SMB2 Packet Header - SYNC
ProcessId (4 bytes): The client-side identification of the process that issued the request. The client MUST set this field to 0xFEFF. The server MUST set this field to the ProcessId value received in the corresponding request, if any, or to 0 otherwise.
The client MUST ignore this field on receipt.
3.3.5.3.2 SMB 2.002 Support
The server MUST set the command of the SMB2 header to SMB2 NEGOTIATE and MUST set the ProcessId to 0.
If there are more inquiries on this issue, please feel free to let us know.
Regards,
Rick Tan
August 25th, 2011 5:27am
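To make the answer above concrete, here is an added example (my own code, not from the original post or from Microsoft) that parses the 64-byte SMB2 SYNC header described in MS-SMB2 2.2.1.2 and reports what the ProcessId value means: 0xFEFF (decimal 65279) in every client request, and either an echo of that value or 0 in the server's reply. The field offsets and constants are the spec's; the two sample messages are constructed in the script, and the helper names (build_smb2_header, parse_smb2_header, explain_process_id) are mine.

```python
import struct

# Constants from MS-SMB2; the sample messages built below are constructed for this example.
SMB2_HEADER_LEN = 64
SMB2_PROTOCOL_ID = b"\xfeSMB"
SMB2_CLIENT_PROCESS_ID = 0xFEFF          # == 65279, the value seen in the capture in the question
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001  # set on every response, clear on requests
SMB2_NEGOTIATE = 0x0000

# SYNC header layout (little-endian): ProtocolId, StructureSize, CreditCharge, Status,
# Command, CreditRequest/CreditResponse, Flags, NextCommand, MessageId, ProcessId,
# TreeId, SessionId, Signature. Wireshark labels the 4 bytes after MessageId "Process Id".
_HDR = struct.Struct("<4sHHIHHIIQIIQ16s")
assert _HDR.size == SMB2_HEADER_LEN

_FIELD_NAMES = ("protocol_id", "structure_size", "credit_charge", "status", "command",
                "credits", "flags", "next_command", "message_id", "process_id",
                "tree_id", "session_id", "signature")


def build_smb2_header(command, message_id, process_id=SMB2_CLIENT_PROCESS_ID,
                      flags=0, status=0, tree_id=0, session_id=0):
    """Build a minimal SYNC header. Used here only to construct sample traffic offline."""
    return _HDR.pack(SMB2_PROTOCOL_ID, SMB2_HEADER_LEN, 0, status, command, 1,
                     flags, 0, message_id, process_id, tree_id, session_id, b"\x00" * 16)


def parse_smb2_header(data):
    """Parse the SMB2 SYNC header at the start of a message (e.g. the bytes after the
    4-byte NetBIOS session header in a TCP/445 capture) into a dict of named fields."""
    if len(data) < SMB2_HEADER_LEN:
        raise ValueError("too short for an SMB2 header")
    fields = _HDR.unpack_from(data)
    if fields[0] != SMB2_PROTOCOL_ID or fields[1] != SMB2_HEADER_LEN:
        raise ValueError("not an SMB2 SYNC header")
    return dict(zip(_FIELD_NAMES, fields))


def explain_process_id(hdr, request_hdr=None):
    """Classify a header's ProcessId per MS-SMB2 2.2.1.2 and 3.3.5.3.2.
    Pass the matching request header (same MessageId) to check a response for the echo rule."""
    pid = hdr["process_id"]
    is_response = bool(hdr["flags"] & SMB2_FLAGS_SERVER_TO_REDIR)
    if not is_response:
        if pid == SMB2_CLIENT_PROCESS_ID:
            return "request: fixed client constant 0xFEFF, carries no local PID"
        # The spec says the client MUST send 0xFEFF; anything else is a non-conforming sender.
        return "request: 0x%08x deviates from the 0xFEFF the spec mandates" % pid
    if hdr["command"] == SMB2_NEGOTIATE and pid == 0:
        return "response: NEGOTIATE, server sets ProcessId to 0 (3.3.5.3.2)"
    if request_hdr is not None and pid == request_hdr["process_id"]:
        return "response: echoes the request's ProcessId, client ignores it on receipt"
    return "response: 0x%08x, client ignores it on receipt" % pid


if __name__ == "__main__":
    # Constructed sample: a client NEGOTIATE request and the server's reply to it.
    req = build_smb2_header(SMB2_NEGOTIATE, message_id=0)
    rsp = build_smb2_header(SMB2_NEGOTIATE, message_id=0, process_id=0,
                            flags=SMB2_FLAGS_SERVER_TO_REDIR)
    req_hdr = parse_smb2_header(req)
    for raw in (req, rsp):
        h = parse_smb2_header(raw)
        print("ProcessId = %d (0x%04x): %s"
              % (h["process_id"], h["process_id"], explain_process_id(h, req_hdr)))
```

The point the parser makes explicit is the one in the answer: the value 65279 is a protocol constant written by the SMB2 client (the redirector driver), so nothing in Process Monitor or Task Manager will ever carry that number as a real PID. To find the user-mode process behind a given SMB request you have to correlate on something else, such as timestamps and the file path in the SMB2 CREATE request against Process Monitor's file-system events.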