Michael,

> > 7ffbff1fb78e758b6a809f4d840b0724412ee1df0402000000 000000
> > 7ffbff1f1b796f7e41acad489ffed5da29e26c4ef801000000 000000
> >
> > It doesn't look like the values are completely random, but they are
> > definately not a constant either.

>
> Minus the first 2-4 bytes it looks pretty "random" to me.


nope, you're just looking at it the wrong way. It clearly has
structure.

For example, look at the two sequences "b78" and "b79". I really doubt
that is a coincidence. Instead, I expect to find that its some sort of
compression or encoding scheme, or some sort of really crappy
encryption.

I expect that some sections of the data are truly random, but perhaps
the random sections are not at the same offset (such as happens with
some of the common ASN.1 encoding schemes).

Possible sources of commonality include:

- hardware ethernet address (like a GUID uses in some schemes)
- timestamps (both machines installed within a few weeks of
each other)
- OS version

I expect we'll eventually work out what the encoding is. Ways to
approach this include:

- try generating random values, see what error codes we get
- try sending minor varients on the w2k3 values, like flipping
individual bits. See which bits change behaviour.
- mark the packet as big-endian, to see if this involves any byte
order dependent encoding (thats how you can prove that GUIDs have
internal structure)

Cheers, Tridge