2.2.2.2.2 EFSX Datum

 

The EFSX Datum represents the base type for every datum within the Version 4 and Version 5 EFSRPC Metadata and MUST be formatted as follows.


0


1


2


3


4


5


6


7


8


9

1
0


1


2


3


4


5


6


7


8


9

2
0


1


2


3


4


5


6


7


8


9

3
0


1

StructureSize

Role

Type

Flags

StructureSize (2 bytes): The size in bytes of the EFSX Datum. It MUST be a 16-bit unsigned integer in little-endian format.

Role (2 bytes): Specifies the EFSX Datum role. It MUST be a 16-bit unsigned integer in little-endian format.

Value

Meaning

0x0000

The EFSX Datum has no defined role.

0x0001

The EFSX Datum contains a reference to a user's certificate store. This reference could be, for example, a certificate hash or the public key from a certificate.

0x0002

The EFSX Datum contains data specific to a protector type. See section 2.2.2.2.5 for valid protector types and their associated protector data format.

0x0003

The EFSX Datum contains information that is suitable for user display. For example, this could be the user name associated with a protector.

0x0004

The EFSX Datum contains information that identifies a private key container.

0x0005

The EFSX Datum contains information that identifies the provider name of a CSP or KSP.

0x0006

The EFSX Datum contains a user SID.

0x0007

The EFSX Datum contains the encrypted File Master Key (FMK).

0x0008

The EFSX Datum contains a user's public key.

0x0009

The EFSX Datum contains an ephemeral public key.

0x000a

The EFSX Datum contains the encrypted File Encryption Key (FEK).

0x000b

The EFSX Datum contains the file Initialization Vector (IV).

0x000c

The EFSX Datum contains a protector descriptor string.<14> This datum role MUST only be used when EFS_VERSION is 5.

Type (2 bytes): Specifies the EFSX Datum type. It MUST be a 16-bit unsigned integer in little-endian format.

Value

Meaning

Reserved

0x0000

Reserved. Local use only.

EFSX_TYPE_BLOB

0x0001

The EFSX Datum MUST be formatted as specified in section 2.2.2.2.3.

EFSX_TYPE_DESCRIPTOR

0x0002

The EFSX Datum MUST be formatted as specified in section 2.2.2.2.4.

EFSX_TYPE_KEY_PROTECTOR

0x0003

The EFSX Datum MUST be formatted as specified in section 2.2.2.2.5.

EFSX_TYPE_PROTECTOR_INFO

0x0004

The EFSX Datum MUST be formatted as specified in section 2.2.2.2.6.

EFSX_TYPE_KEY_AGMT_DATA

0x0005

The EFSX Datum MUST be formatted as specified in section 2.2.2.2.7.

EFSX_TYPE_FEK_INFO

0x0006

The EFSX Datum MUST be formatted as specified in section 2.2.2.2.8.

EFSX_TYPE_DPAPI_NG_DATA
0x0007

The EFSX Datum MUST be formatted as specified in section 2.2.2.2.9. This type MUST only be used when EFS_VERSION is 5.<15>

Flags (2 bytes): Specifies datum flags. It MUST be a 16-bit unsigned integer in little-endian format. The value of this field MUST be zero (0x0000) or a union of one or more of the following values.

Value

Meaning

0x0001

The EFSX Datum is nested inside a parent structure.

0x0002

The EFSX Datum is a complex datum containing nested datum structures.