4.2 Previous File Version Enumeration
The following example shows how the client accesses a previous version of the share root folder. It is assumed that the client has already authenticated, established a tree connect to the target share, and opened a handle to the root directory, as specified in [MS-CIFS]. Thus, Frame 1 is not truly the first frame for the connection, but it is referred to as the starting point for this operation.

Figure 5: Previous file version enumeration sequence
The first step is to enumerate the list of available snapshots on the server by using the FSCTL_SRV_ENUMERATE_SNAPSHOTS command. The client requests the list of snapshots that are available on the server by using the root handle Fid. The server returns the list of snapshots in the format that is defined in the preceding figure. In this example, the server has one snapshot total for the root folder, the payload contains one snapshot string, the payload size is 0x34 bytes, and the snapshot name is @GMT-2006.04.26-04.08.27. The last 2 bytes of the payload are the snapshot string's 16-bit Unicode NULL delimiter.
FRAME 1. Client requests FSCTL_SRV_ENUMERATE_SNAPSHOTS
Client -> Server: Command = SMB_COM_NT_TRANSACT
    NT IOCTL Function Code 0x00144064 FSCTL_SRV_ENUMERATE_SNAPSHOTS
    File ID (Fid) = 16391 (0x4007)
FRAME 2. Server response with list of snapshots
Server -> Client: Command = SMB_COM_NT_TRANSACT
    NT status code = 0x0, STATUS_SUCCESS
    Payload contained in Data buffer as defined in section 3.1.5.4:
    00090:       01 00 00 00 01 00 00 00 34 00 00 00 40 00  ..........4...@.
    000A0: 47 00 4D 00 54 00 2D 00 32 00 30 00 30 00 36 00  G.M.T.-.2.0.0.6.
    000B0: 2E 00 30 00 34 00 2E 00 32 00 36 00 2D 00 30 00  ..0.4...2.6.-.0.
    000C0: 34 00 2E 00 30 00 38 00 2E 00 32 00 37 00 00 00  4...0.8...2.7...
    000D0: 00 00
The client uses standard SMB commands to access the snapshot. The client also indicates in the header Flags2 that the name in the request is tokenized with the previous version information. This indicates to the server that the client is accessing a previous version of the path. The server processes the request and returns the path information for the snapshot directory rather than for the current directory.
FRAME 3. Client requests path information for snapshot 2006/04/26 04:08:27 AM
Client -> Server: Command = SMB_COM_TRANSACTION2
    Flags2 Summary = 52231 (0xCC07)
        1100 1100 0000 0111
        .... .1.. .... .... = File name is tokenized with Previous Version Information
    Transact2 function = Query path info
    File name = \@GMT-2006.04.26-04.08.27
    00080:                                     5C 00 40 00  ............\.@.
    00090: 47 00 4D 00 54 00 2D 00 32 00 30 00 30 00 36 00  G.M.T.-.2.0.0.6.
    000A0: 2E 00 30 00 34 00 2E 00 32 00 36 00 2D 00 30 00  ..0.4...2.6.-.0.
    000B0: 34 00 2E 00 30 00 38 00 2E 00 32 00 37 00 00 00  4...0.8...2.7...
FRAME 4. Server response with snapshot path information
Server -> Client: Command = SMB_COM_TRANSACTION2
    NT status code = 0x0, STATUS_SUCCESS
    Data bytes = 40 (0x28)
    Payload contains path information for specified snapshot version
Similar to its behavior during the query path exchange, the client specifies the previous version of the root folder in an open request. The server processes the request and returns an Fid for the specified previous version of the path.
FRAME 5. Client open request for version 2006/04/26 04:08:27 AM on "\"
Client -> Server: Command = SMB_COM_NT_CREATE_ANDX
    Flags2 Summary = 52231 (0xCC07)
        1100 1100 0000 0111
        .... .1.. .... .... = File name is tokenized with Previous Version Information
    Create Disposition = Open: If exist, Open, else fail
    File name = \@GMT-2006.04.26-04.08.27
FRAME 6. Server opens root folder and returns Fid
Server -> Client: Command = SMB_COM_NT_CREATE_ANDX
    NT status code = 0x0, STATUS_SUCCESS
    File ID (Fid) = 16392 (0x4008)
    Create Action = File Opened
Similar steps can be used to open a file rather than a directory on a remote volume. In that case, the @GMT token is contained in the relative path, such as \directory\@GMT-2006.04.26-04.08.27\file.txt. This path can be used to query attributes or to open a file. The resulting Fid is used to read its contents.
Likewise, the @GMT token path in the example can be used as part of a TRANS2_FIND_FIRST2 and TRANS2_FIND_NEXT2 to enumerate the contents of the volume at the time of the snapshot.
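The following Python sketch is an added example, not part of the specification text: it decodes the Frame 2 data buffer and checks every server-supplied length and count before trusting it. The three-field header layout and the double-NULL list termination are read from the Frame 2 bytes; the function and constant names are hypothetical.

```python
import re
import struct
from datetime import datetime, timezone

# Frame 2 data buffer, copied from the dump above (constant name is ours).
FRAME2_PAYLOAD = bytes.fromhex(
    "01 00 00 00 01 00 00 00 34 00 00 00 40 00 "
    "47 00 4D 00 54 00 2D 00 32 00 30 00 30 00 36 00 "
    "2E 00 30 00 34 00 2E 00 32 00 36 00 2D 00 30 00 "
    "34 00 2E 00 30 00 38 00 2E 00 32 00 37 00 00 00 "
    "00 00"
)

# Assumed header: total count, returned count, string array size in bytes.
HEADER = struct.Struct("<III")
GMT_TOKEN = re.compile(r"@GMT-\d{4}\.\d{2}\.\d{2}-\d{2}\.\d{2}\.\d{2}", re.ASCII)


def parse_snapshot_list(payload):
    """Return the snapshot times (GMT) carried in an enumeration response."""
    if len(payload) < HEADER.size:
        raise ValueError("payload shorter than the 12-byte header")
    total, returned, array_size = HEADER.unpack_from(payload)
    if returned > total:
        raise ValueError("returned count exceeds total count")
    if returned == 0:
        return []  # no strings in this response, nothing to decode
    # Never trust the server-supplied size beyond the bytes actually received.
    if array_size % 2 or array_size > len(payload) - HEADER.size:
        raise ValueError("array size is odd or exceeds the received data")
    text = payload[HEADER.size:HEADER.size + array_size].decode("utf-16-le")
    # Each name ends in a 16-bit NULL and the list ends in one more.
    if not text.endswith("\0\0"):
        raise ValueError("snapshot list is not NULL-terminated")
    names = text[:-2].split("\0")
    if len(names) != returned:
        raise ValueError("string count does not match the returned count")
    times = []
    for name in names:
        if not GMT_TOKEN.fullmatch(name):
            raise ValueError("malformed @GMT token: %r" % name)
        stamp = datetime.strptime(name, "@GMT-%Y.%m.%d-%H.%M.%S")
        times.append(stamp.replace(tzinfo=timezone.utc))
    return times


if __name__ == "__main__":
    print(parse_snapshot_list(FRAME2_PAYLOAD))
```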