This schema was originally developed by The MITRE Corporation. The CybOX XML Schema implementation is maintained by The MITRE Corporation and developed by the open CybOX Community. For more information, including how to get involved in the effort and how to submit change requests, please visit the CybOX website at http://cybox.mitre.org.

Win_File_Object 2.0 04/08/2013

The following specifies the fields and types that compose this defined CybOX Object type. Each defined object is an extension of the abstract ObjectPropertiesType, defined in CybOX Common. For more information on this extension mechanism, please see the CybOX Specification. This document is intended for developers and assumes some familiarity with XML.

Copyright (c) 2012-2013, The MITRE Corporation. All rights reserved. The contents of this file are subject to the terms of the CybOX License located at http://cybox.mitre.org/about/termsofuse.html. See the CybOX License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the CybOX Schema, this license header must be included.

The Windows_File object is intended to characterize Windows files.

The WindowsFileObjectType type is intended to characterize Windows files.
The Filename_Accessed_Time field specifies the date/time the filename of the Windows file was last accessed.
The Filename_Created_Time field specifies the date/time the filename of the Windows file was created.
The Filename_Modified_Time field specifies the date/time the filename of the Windows file was last modified.
The Drive field specifies the drive letter of the drive that the file resides on.
The Security_ID field specifies the Security ID (SID) value assigned to the file.
The Security_Type field specifies the type of Security ID (SID) assigned to the file.
The Stream_List field specifies any alternate data streams contained within the file.

The StreamObjectType type is intended to characterize NTFS alternate data streams.
The Name field specifies the name of the alternate data stream.
The Size_In_Bytes field specifies the size of the alternate data stream, in bytes.

The StreamListType type specifies a list of NTFS alternate data streams.
The Stream field characterizes a single NTFS alternate data stream.

The WindowsFileAttributesType type specifies Windows file attributes. It imports and extends the FileAttributeType from the CybOX File Object.
The WindowsFileAttributeType specifies a single Windows file attribute.

WindowsFileAttributeType specifies Windows file attributes via a union of the FileAttributesEnum type and the atomic xs:string type. Its base type is the CybOX Core BaseObjectPropertyType, for permitting complex (i.e. regular-expression based) specifications.
This attribute is optional and specifies the expected type for the value of the specified property.

The WindowsFilePermissionsType type specifies Windows file permissions. It imports and extends the FilePermissionsType from the CybOX File Object.
The Full_Control field specifies whether reading, writing, changing and deleting of the file is permitted.
The Modify field specifies whether reading and writing or deletion of the file is permitted.
The Read field specifies whether viewing or accessing of the file's contents is permitted.
The Read_And_Execute field specifies whether viewing and accessing of the file's contents as well as executing of the file is permitted.
The Write field specifies whether writing to the file is permitted.

The FileAttributesEnum type is an enumeration of Windows file attributes. These refer to the constants specified in http://msdn.microsoft.com/en-us/library/gg258117(v=vs.85).aspx.

Specifies a file is read only, as denoted by the constant value, 0x1. Applications can read the file, but cannot write to it or delete it. This attribute is not honored on directories. For more information as to why, see http://go.microsoft.com/FWLink/?LinkId=125896.
Specifies a file or directory is hidden, as denoted by the constant value, 0x2. It is not included in an ordinary directory listing.

Specifies a file or directory that the operating system uses a part of, or uses exclusively, as denoted by the constant value, 0x4.

Specifies a directory, as denoted by the constant value, 0x10.

Specifies a file or directory that is an archive file or directory, as denoted by the constant value, 0x20. Applications typically use this attribute to mark files for backup or removal.

Specifies a reserved system value, as denoted by the constant value, 0x40.

Specifies a file that has no other attributes set, and is only valid when this attribute is used alone, as denoted by the constant value, 0x80.

Specifies a file being used for temporary storage, as denoted by the constant value, 0x100.

Specifies a sparse file, as denoted by the constant value, 0x200.

Specifies a file or directory that has an associated reparse point, or a file that is a symbolic link, as denoted by the constant value, 0x400.

Specifies a file or directory that is compressed, as denoted by the constant value, 0x800. For a file, all of the data in the file is compressed. For a directory, compression is the default for newly created files and subdirectories.

Specifies that the data of a file is not available immediately, as denoted by the constant value, 0x1000. This attribute indicates that the file data is physically moved to offline storage. This attribute is used by Remote Storage, which is the hierarchical storage management software. Applications should not arbitrarily change this attribute.

Specifies that a file is not to be indexed by the content indexing service, as denoted by the constant value, 0x2000.

Specifies a file or directory that is encrypted, as denoted by the constant value, 0x4000. For a file, all data streams in the file are encrypted. For a directory, encryption is the default for newly created files and subdirectories.
Specifies a file or directory that is marked as deleted.

Specifies the directory or user data stream is configured with integrity (only supported on ReFS volumes), as denoted by the constant value, 0x8000. It is not included in an ordinary directory listing. The integrity setting persists with the file if it is renamed. If a file is copied, the destination file will have integrity set if either the source file or destination directory has integrity set. NOTE: This flag is supported ONLY for Windows Server 8 Beta and later.

Specifies a reserved system value, as denoted by the constant value, 0x10000.

Specifies that the user data stream is not to be read by the background data integrity scanner (AKA scrubber), as denoted by the constant value, 0x20000. When set on a directory it only provides inheritance. This flag is only supported on Storage Spaces and ReFS volumes in Windows 8 and Windows Server 8 Beta and later. It is not included in an ordinary directory listing.
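
Added example, not part of the CybOX schema: a decoder that turns a raw Windows attribute bitmask into the flags enumerated above and applies the two usage rules the text states (the 0x80 value is valid only alone; read-only is not honored on directories). The FILE_ATTRIBUTE_* names are the Windows SDK constant names, the function name is hypothetical, and the sample masks are constructed.

```python
# Values are the constants listed in the FileAttributesEnum text above;
# names are the Windows SDK FILE_ATTRIBUTE_* identifiers for those values.
# The "marked as deleted" entry has no constant on the page, so it is omitted.
FILE_ATTRIBUTES = {
    0x1: "FILE_ATTRIBUTE_READONLY",
    0x2: "FILE_ATTRIBUTE_HIDDEN",
    0x4: "FILE_ATTRIBUTE_SYSTEM",
    0x10: "FILE_ATTRIBUTE_DIRECTORY",
    0x20: "FILE_ATTRIBUTE_ARCHIVE",
    0x40: "FILE_ATTRIBUTE_DEVICE",
    0x80: "FILE_ATTRIBUTE_NORMAL",
    0x100: "FILE_ATTRIBUTE_TEMPORARY",
    0x200: "FILE_ATTRIBUTE_SPARSE_FILE",
    0x400: "FILE_ATTRIBUTE_REPARSE_POINT",
    0x800: "FILE_ATTRIBUTE_COMPRESSED",
    0x1000: "FILE_ATTRIBUTE_OFFLINE",
    0x2000: "FILE_ATTRIBUTE_NOT_CONTENT_INDEXED",
    0x4000: "FILE_ATTRIBUTE_ENCRYPTED",
    0x8000: "FILE_ATTRIBUTE_INTEGRITY_STREAM",
    0x10000: "FILE_ATTRIBUTE_VIRTUAL",
    0x20000: "FILE_ATTRIBUTE_NO_SCRUB_DATA",
}
KNOWN_MASK = sum(FILE_ATTRIBUTES)  # bits are distinct, so the sum equals the OR


def decode_attributes(mask):
    """Return (flag names, warnings) for a raw 32-bit attribute bitmask."""
    if not 0 <= mask <= 0xFFFFFFFF:
        raise ValueError("attribute mask must fit in 32 bits")
    names = [name for bit, name in FILE_ATTRIBUTES.items() if mask & bit]
    warnings = []
    unknown = mask & ~KNOWN_MASK
    if unknown:
        warnings.append(f"unlisted bits set: {unknown:#x}")
    if mask & 0x80 and mask != 0x80:
        warnings.append("FILE_ATTRIBUTE_NORMAL is only valid when used alone")
    if mask & 0x1 and mask & 0x10:
        warnings.append("FILE_ATTRIBUTE_READONLY is not honored on directories")
    return names, warnings


if __name__ == "__main__":
    # Constructed sample masks, not taken from any real file.
    for sample in (0x26, 0x80, 0xA0, 0x11, 0x80000):
        flags, notes = decode_attributes(sample)
        print(f"{sample:#07x}", flags, notes)
```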