Display Filter Reference: EFS (pidl)
Protocol field name: efs
Versions: 1.0.0 to 4.0.0
Back to Display Filter Reference
| Field name | Description | Type | Versions |
|---|---|---|---|
| efs.EFS_CERTIFICATE_BLOB.cbData | CbData | Unsigned integer (4 bytes) | 1.0.0 to 4.0.0 |
| efs.EFS_CERTIFICATE_BLOB.dwCertEncodingType | DwCertEncodingType | Unsigned integer (4 bytes) | 1.0.0 to 4.0.0 |
| efs.EFS_CERTIFICATE_BLOB.pbData | PbData | Unsigned integer (1 byte) | 1.0.0 to 4.0.0 |
| efs.EFS_HASH_BLOB.cbData | CbData | Unsigned integer (4 bytes) | 1.0.0 to 4.0.0 |
| efs.EFS_HASH_BLOB.pbData | PbData | Unsigned integer (1 byte) | 1.0.0 to 4.0.0 |
| efs.EfsRpcAddUsersToFile.FileName | FileName | Character string | 1.0.0 to 4.0.0 |
| efs.EfsRpcCloseRaw.pvContext | PvContext | Byte sequence | 1.0.0 to 4.0.0 |
| efs.EfsRpcDecryptFileSrv.FileName | FileName | Character string | 1.0.0 to 4.0.0 |
| efs.EfsRpcDecryptFileSrv.Reserved | Reserved | Unsigned integer (4 bytes) | 1.0.0 to 4.0.0 |
| efs.EfsRpcEncryptFileSrv.Filename | Filename | Character string | 1.0.0 to 4.0.0 |
| efs.EfsRpcOpenFileRaw.FileName | FileName | Character string | 1.0.0 to 4.0.0 |
| efs.EfsRpcOpenFileRaw.Flags | Flags | Unsigned integer (4 bytes) | 1.0.0 to 4.0.0 |
| efs.EfsRpcOpenFileRaw.pvContext | PvContext | Byte sequence | 1.0.0 to 4.0.0 |
| efs.EfsRpcQueryRecoveryAgents.FileName | FileName | Character string | 1.0.0 to 4.0.0 |
| efs.EfsRpcQueryRecoveryAgents.pRecoveryAgents | PRecoveryAgents | Label | 1.0.0 to 4.0.0 |
| efs.EfsRpcQueryUsersOnFile.FileName | FileName | Character string | 1.0.0 to 4.0.0 |
| efs.EfsRpcQueryUsersOnFile.pUsers | PUsers | Label | 1.0.0 to 4.0.0 |
| efs.EfsRpcReadFileRaw.pvContext | PvContext | Byte sequence | 1.0.0 to 4.0.0 |
| efs.EfsRpcRemoveUsersFromFile.FileName | FileName | Character string | 1.0.0 to 4.0.0 |
| efs.EfsRpcSetFileEncryptionKey.pEncryptionCertificate | PEncryptionCertificate | Label | 1.0.0 to 4.0.0 |
| efs.EfsRpcWriteFileRaw.pvContext | PvContext | Byte sequence | 1.0.0 to 4.0.0 |
| efs.ENCRYPTION_CERTIFICATE.pCertBlob | PCertBlob | Label | 1.0.0 to 4.0.0 |
| efs.ENCRYPTION_CERTIFICATE.pUserSid | PUserSid | Label | 1.0.0 to 4.0.0 |
| efs.ENCRYPTION_CERTIFICATE.TotalLength | TotalLength | Unsigned integer (4 bytes) | 1.0.0 to 4.0.0 |
| efs.ENCRYPTION_CERTIFICATE_HASH.cbTotalLength | CbTotalLength | Unsigned integer (4 bytes) | 1.0.0 to 4.0.0 |
| efs.ENCRYPTION_CERTIFICATE_HASH.lpDisplayInformation | LpDisplayInformation | Character string | 1.0.0 to 4.0.0 |
| efs.ENCRYPTION_CERTIFICATE_HASH.pHash | PHash | Label | 1.0.0 to 4.0.0 |
| efs.ENCRYPTION_CERTIFICATE_HASH.pUserSid | PUserSid | Label | 1.0.0 to 4.0.0 |
| efs.ENCRYPTION_CERTIFICATE_HASH_LIST.nCert_Hash | NCert Hash | Unsigned integer (4 bytes) | 1.0.0 to 4.0.0 |
| efs.ENCRYPTION_CERTIFICATE_HASH_LIST.pUsers | PUsers | Label | 1.0.0 to 4.0.0 |
| efs.opnum | Operation | Unsigned integer (2 bytes) | 1.0.0 to 4.0.0 |
| efs.werror | Windows Error | Unsigned integer (4 bytes) | 1.0.0 to 4.0.0 |