BSOD in mrxsmb10.sys post Nov 2009 Bulletins

  • Question

  • Yesterday my Vista Ultimate SP2 x86 system BSOD after attempting to open a jpg file saved on a mapped network drive connected to a local share (T: mapped to \\mycomputer\share\subfolder).  After submitting error report (solution suggested upgrading to Vista SP1, yet I have Vista SP2), I made a copy of the file and attempted to open the copy, same BSOD.
    The details on the screen are only displayed a couple of seconds but the error occurs in RDR_FILE_SYSTEM and with driver MRXSMB10.SYS.  The driver version is 6.0.6002.18005 which appears to be the correct SP2 binary.

    - jpg causing error was created from screenshot in MSPaint, 31 KB
    - Disabling all VirusScan 8.5i options and setting 3 McAfee services to disabled did not fix the issue
    - Error only occurs when double clicking the jpg file to open
    - Error does not occur when opening jpg from physical drive, only with mapped drive T:
    - Error does not occur when renaming jpg to .jpg.txt and opening with notepad
    - Error does not occur when right clicking file and choosing Open With, all JPG viewers work ok without error even the default viewer used by double clicking
    - C:\>ftype jpegfile
         jpegfile=%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Gallery\PhotoViewer.dll", ImageView_Fullscreen %1
    - C:\>assoc .jpg 
         .jpg=jpegfile

    - Similar errors occurred with VirusScan 8.7i last year, complete removal and replacement by 8.5i fixed that issue  (8.7i Patch 2 may fix this issue per McAfee KB)

    - No changes have occurred to system except installing all November 2009 Security Bulletins last week
    - I will attempt to find additional jpg files on T: as well as on remote servers to see if BSOD re-occurs
    - appx 6 Windows Error Reports (one for each BSOD) have been submitted
    - Why do I have a mapped drive to a local hard drive? Long file names get cut off due to the deep path, and the mapped drive seems to be an easier solution than the ancient DOS subst command

    Note: unlike the newsgroup forums, I do not see a method to attach files to this message/post, please re-enable TechNet Managed Newsgroups! 
    Friday, November 20, 2009 5:37 PM

All replies

  • Latest BSOD details (McAfee turned off), this time re-created by opening a PNG file instead of a JPG from T:

    Problem signature:
      Problem Event Name:    BlueScreen
      OS Version:    6.0.6002.2.2.0.256.1
      Locale ID:    1033

    Additional information about the problem:
      BCCode:    27
      BCP1:    BAAD0075
      BCP2:    AC3F439C
      BCP3:    AC3F4098
      BCP4:    AB884DCA
      OS Version:    6_0_6002
      Service Pack:    2_0
      Product:    256_1

    Files that help describe the problem:
      C:\Windows\Minidump\Mini112009-12.dmp
      C:\Users\myusername\AppData\Local\Temp\WER-56737-0.sysdata.xml
      C:\Users\myusername\AppData\Local\Temp\WERF48B.tmp.version.txt

    Read our privacy statement:
      http://go.microsoft.com/fwlink/?linkid=50163&clcid=0x0409
     
    - GIF files opened without problem
    - JPG file that causes BSOD opens correctly from mapped network drive on remote computer
    - Error occurs when file opened from unc path as well as mapped drive letter
    - Error does not occur when file opened from drive connected via SUBST
    - Error does not occur on a Windows XP SP2 system
    Friday, November 20, 2009 6:25 PM
  • Hi Mltwwlco,

     

    Before moving on, please allow me explain background information regarding the blue screen stop problem.

     

    What is the blue screen stop?

     

    Generally speaking, this should actually be a blue screen stop issue or stop error issue. Windows 2000 and later (including Windows Vista) use separated user mode and kernel mode memory space. The blue screen stop errors are always caused by kernel portion components, such as device drivers, backup software or anti-virus services (buggy services).

     

    To be more specific, the system goes to a blue screen because some exception happened in the kernel (a device driver, backup software or anti-virus services, etc.), and Windows implements this mechanism: when it detects that some error has occurred in the kernel, it will kill the box in case some more severe damage happens. Then we get a blue screen or the system reboots (it depends on what the system settings are).

     

    Windows 2000, Windows XP and Windows Vista act similarly when kernel mode crash problem occurs.

     

    How to troubleshoot the blue screen stop problem?

     

    To solidly troubleshoot this kind of kernel crash issue, we need to debug the crashed system dump and analyze the related source code if needed. Unfortunately, debugging is beyond what we can do in the forum. I'd like to recommend that you contact Microsoft Customer Support Service (CSS) for assistance so that this problem can be resolved efficiently. To obtain the phone numbers for a specific technology request, please take a look at the web site listed below:

     

    http://support.microsoft.com/default.aspx?scid=fh;EN-US;PHONENUMBERS

     

    If you are outside the US please see http://support.microsoft.com for regional support phone numbers.

     

    Having said that, I'd still like to provide the following general troubleshooting steps for your reference. You can try them first before calling Microsoft CSS:

     

    Note: Please perform a complete system backup first. If any unexpected issue occurs, we can quickly restore the system to the current status.

     

    1. Scan your system to make sure that the system is virus free. Temporarily disable your anti-virus software to see if this problem is gone.

     

    2. If you have recently installed any software, hardware or drivers, please remove them. 

     

    3. Disable all the third party startup programs and services by using the MSConfig.exe utility shipped with system. To use this tool, you can refer to the following Microsoft Knowledge Base article:

     

    How to perform a clean boot procedure to determine whether background programs are interfering with a game or a program that you currently use

    http://support.microsoft.com/kb/331796

     

    4. However, if the issue still persists, please contact Microsoft Customer Support Service (CSS) for further troubleshooting. I hope the problem will be resolved soon.

    Hope it helps.

    Tuesday, November 24, 2009 2:10 AM
    Moderator
  • After a couple of weeks of troubleshooting and removing both
    antivirus and VPN software, I found the problem was due to Security Advisory
    975497, specifically applying the MicrosoftFixit50304.msi (digital signature
    signed 2009-09-09 20:05:55). Fixit 50304 disables SMB 2.0 and was
    recommended as a work-around until security bulletin MS09-050 was issued.
    MicrosoftFixit50307.msi can optionally be used to
    re-enable SMB 2.0 (aka reverse Fixit 50304) since the vulnerability is
    patched (I forgot to re-enable it).
    The reproducible sequence of events that cause this BSOD:
    1. Installed MicrosoftFixit50304.msi at 2009-09-21 18:00:23 per Application
    log
    2. 2009-10-14 MS09-050 installed with all other applicable October 2009
    Security Bulletins
    3. 2009-11-19 13_39 attempted to open JPG file created in MSPaint on T:
    mapped to a local share on my computer, BSOD, windows error report sent on
    next reboot
    4. 2009-11-20 additional testing and multiple BSOD WER (WER = Windows Error
    Report aka Problem Reports and Solutions) sent, initial report made to
    newsgroup/forum TechNet.en-US.itprovistasecurity
    5. 2009-12-15 uninstalled McAfee 8.5i and Cisco VPN, cold boot, BSOD still
    occurs
    6. 2009-12-15 verified registry setting for SMB 2.0 per MS07-063:
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
    "Smb2"=dword:00000000
    7. 2009-12-15 Remembered / found MicrosoftFixit50304.msi was applied, backed
    up SMB 2.0 registry keys with current settings, applied
    MicrosoftFixit50307.msi to re-enable SMB 2.0, power off and cold reboot
    performed
    8. 2009-12-15 Tested accessing JPG file from T: SYSTEM DID NOT BSOD -
    PROBLEM SOLVED!
    9. 2009-12-15 Backed up SMB 2.0 registry keys, applied
    MicrosoftFixit50304.msi, reboot, BSOD re-occurs as expected, rebooted and
    error report sent to Microsoft
    10. 2009-12-15 applied MicrosoftFixit50307.msi to re-enable SMB 2.0, power
    off and cold reboot performed, no additional BSOD.
    11. Changed registry key
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    "Smb2"=dword:00000001
    to "Smb2"=dword:00000000
    which should manually disable SMB 2.0 per KB950836
    12. Tested accessing JPG file from T:, SMB 2.0 off no problems, rebooted and
    still no problems!
    13. Re-ran MicrosoftFixit50307.msi to re-enable SMB 2.0
    14. 2009-12-17 Reported findings to Microsoft

    assist others with this issue and close this
    problem:

    * Contact Fixit group to verify my test results ( I have spent over 10 hours
    troubleshooting this issue plus lost work due to unexpected BSOD)
    * Fix MicrosoftFixit50304.msi, it seems to be the root cause of this crash
    * Update WER to suggest re-enabling SMB 2.0 and/or applying
    MicrosoftFixit50307.msi to solve this problem and fix incorrect WER
    suggestion to install Vista SP1 on computers when Vista SP2 is already
    installed
    * Update KB975517 with this known issue, document all registry settings and
    any other changes made by MicrosoftFixit50304.msi and
    MicrosoftFixit50307.msi
    * Clarify required changes to disable SMB 2.0 made by MicrosoftFixit50304
    vs. KB950836, they appear to be different
    * Forward this information to MSRC to have them test and see if the reported
    BSOD in RDR_FILE_SYSTEM might be regression errors from the fixes made for
    MS09-050 / MS07-063 and possible upcoming patch for Microsoft Security
    y in SMB Could Allow Denial of Service

    =========
    "Robinson Zhang - MSFT" wrote in message
    news:721b0334-bc92-439d-9246-f83340a07c83...
    Hi Mltwwlco,
    < Snipped >

    Thursday, December 17, 2009 8:33 PM
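
The post above backs up the SMB 2.0 registry keys before and after each Fixit run and asks for the changes to be documented. As an added example (not part of the original thread), this Python sketch diffs two such regedit exports; the export contents are constructed samples, and the mrxsmb20 entry stands in for "some other change" rather than recording what either Fixit writes.

```python
import re

# One value line of a regedit export: "Name"=data, or @=data for the default value.
VALUE_LINE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|@)=(?P<data>.*)$')

def parse_reg(text):
    """Parse regedit export text into {key_path: {value_name: raw_data}}."""
    keys, current, pending = {}, None, ""
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if line.endswith("\\"):          # hex(...) data continues on the next line
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        match = VALUE_LINE.match(line)
        if match and current is not None:
            keys[current][match.group("name") or "@"] = match.group("data")
    return keys

def diff_reg(before_text, after_text):
    """Return (key, value_name, before, after) for every value that differs."""
    before, after = parse_reg(before_text), parse_reg(after_text)
    changes = []
    for key in sorted(set(before) | set(after)):
        old, new = before.get(key, {}), after.get(key, {})
        for name in sorted(set(old) | set(new)):
            if old.get(name) != new.get(name):
                changes.append((key, name, old.get(name), new.get(name)))
    return changes

def render(changes):
    """Format the change list for a ticket or a KB-style note."""
    show = lambda v: "<absent>" if v is None else v
    return "\n".join(f"{k}\n    {n}: {show(o)} -> {show(a)}" for k, n, o, a in changes)

# Constructed sample exports (not taken from the thread's machine).
# Real exports are UTF-16: read them with open(path, encoding="utf-16").read()
BEFORE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"Smb2"=dword:00000001
"NullSessionPipes"=hex(7):62,00,72,00,\
  6f,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb20]
"Start"=dword:00000003
'''
AFTER = BEFORE.replace('"Smb2"=dword:00000001', '"Smb2"=dword:00000000') \
              .replace('"Start"=dword:00000003', '"Start"=dword:00000004')

if __name__ == "__main__":
    print(render(diff_reg(BEFORE, AFTER)))
```

Unchanged values, including the multi-line hex one, are not reported, so the output lists only what the applied change touched within the exported keys.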
  • Microsoft, I would appreciate a reply per the terms in "TechNet Managed Newsgroups and Forums" http://technet.microsoft.com/en-us/subscriptions/ms788697.aspx and

    "Managed newsgroup support, with guaranteed response times.
    Get expert technical answers by the next business day - guaranteed - through more than 100 managed newsgroups."

    http://technet.microsoft.com/en-us/subscriptions/default.aspx
    Thursday, December 31, 2009 9:39 PM
  • Another week has passed, I require a response to this issue ASAP!
    Thursday, January 7, 2010 5:03 PM
  • Have you received any replies yet? I've had this same issue on a SBS 2008 and Windows 7 machine and haven't got any definitive answers.
    Wednesday, March 17, 2010 2:18 AM
  • First of all, I am sorry for the delayed response.

     

    I have established similar test environments to check this issue. However, I cannot reproduce the same problem here. Also, I noticed that you have performed many tests there and I agree that it is likely related to the network connection or certain applications which may conflict with the SMB components.

     

    Although I am not a member of the Fixit team, I will forward your feedback to the related team. Also, please understand that to identify such an issue's root cause, we still need to perform debugging, which is beyond what we can do in the forum. I still strongly suggest that you continue to work with CSS members.

     

    Hope it helps.

    Thursday, April 22, 2010 10:29 AM
    Moderator
  • Thanks heaps for documenting this!!! I have this exact same problem and it had been driving me mad for months! ... I had disabled SMB2.0 because of files not showing up in network folders which was breaking our Mapinfo program... but this was the side effect...

    I had this problem not only show up for windows photo previewer but also when you press the "extract" button in the client of 7-Zip while opening a zip file on a network share mapped locally.


    This is a terminal server running Server 2008 R2 SP2 x64

    Unfortunately I have to leave SMB2 turned OFF in order to fix the mapped network drive issue as per here which also breaks Mapinfo as per here http://social.technet.microsoft.com/Forums/en/w7itprogeneral/thread/947489ae-dc86-45f0-ad5e-463a62e1d59f

    And the fixit wasn't the problem for me - it's just the difference between SMB1 and SMB2 .... if I change the reg key to disable SMB2 .. instant BSOD when jpeg on mapped local network share... I believe this is actually a side effect of SMB2 being disabled and the reason no one has complained much is because not many users actually disable SMB2 ...

     

     

    Wednesday, November 9, 2011 12:17 PM
    Hi,

    I'm also getting these problems and they are driving me crazy. I didn't find any single solution so that I could resolve these. I have already tried the whole process given by Robinson but it takes me to the end. I'm not getting even my boot screen. Please help me.

    thanks

    Thursday, December 15, 2011 1:08 PM
  • Hi Sophiya - your problem sounds unrelated to this thread. I suggest checking for hardware faults (e.g. faulty memory) then formatting your computer and reinstalling Windows from scratch. Thanks
    Thursday, December 15, 2011 1:12 PM