Remove From My Forums

BSOD in mrxsmb10.sys post Nov 2009 Bulletins

Question
0

Sign in to vote

Yesterday my Vista Ultimate SP2 x86 system BSOD after attempting to open a jpg file saved on a mapped network drive connected to a local share (T: mapped to \\mycomputer\share\subfolder). After submitting error report (solution suggested upgrading to Vista SP1, yet I have Vista SP2), I made a copy of the file and attempted to open the copy, same BSOD.
The details on the screen are only displayed a couple of seconds but the error occurs in RDR_FILE_SYSTEM and with driver MRXSMB10.SYS. The driver version is 6.0.6002.18005 which appears to be the correct SP2 binary.

- jpg causing error was created from screenshot in MSPaint, 31 KB
- Disabling all VirusScan 8.5i options and setting 3 McAfee services to disabled did not fix the issue
- Error only occurs when double clicking the jpg file to open
- Error does not occur when opening jpg from physical drive, only with mapped drive T:
- Error does not occur when renaming jpg to .jpg.txt and opening with notepad
- Error does not occur when right clicking file and choosing Open With, all JPG viewers work ok without error even the default viewer used by double clicking
- C:\>ftype jpegfile
jpegfile=%SystemRoot%\System32\rundll32.exe "%ProgramFiles%\Windows Photo Gallery\PhotoViewer.dll", ImageView_Fullscreen %1
- C:\>assoc .jpg
.jpg=jpegfile

- Similar errors occurred with VirusScan 8.7i last year, complete removal and replacement by 8.5i fixed that issue (8.7i Patch 2 may fix this issue per McAfee KB)

- No changes have occurred to system except installing all November 2009 Security Bulletins last week
- I will attempt to find additional jpg files on T: as well as on remote servers to see if BSOD re-occurs
- appx 6 Windows Error Reports (one for each BSOD) have been submitted
- Why do I have a mapped drive to a local hard drive? Long file names get cut off due to the deep path, and the mapped drive seems to be an easier solution than the the ancient DOS subst command

Note: unlike the newsgroup forums, I do not see a method to attach files to this message/post, please re-enable TechNet Managed Newsgroups!

Friday, November 20, 2009 5:37 PM

All replies

0

Sign in to vote

Latest BSOD details (McAfee turned off), this time re-created by opening a PNG file instead of a JPG from T:

Problem signature:
Problem Event Name:    BlueScreen
OS Version:    6.0.6002.2.2.0.256.1
Locale ID:    1033

Additional information about the problem:
BCCode:    27
BCP1:    BAAD0075
BCP2:    AC3F439C
BCP3:    AC3F4098
BCP4:    AB884DCA
OS Version:    6_0_6002
Service Pack:    2_0
Product:    256_1

Files that help describe the problem:
C:\Windows\Minidump\Mini112009-12.dmp
C:\Users\myusername\AppData\Local\Temp\WER-56737-0.sysdata.xml
C:\Users\myusername\AppData\Local\Temp\WERF48B.tmp.version.txt

Read our privacy statement:
http://go.microsoft.com/fwlink/?linkid=50163&clcid=0x0409

- GIF files opened without problem
- JPG file that causes BSOD opens correctly from mapped network drive on remote computer
- Error occurs when file opened from unc path as well as mapped drive letter
- Error does not occur when file opened from drive connected via SUBST
- Error does not occur on a Windows XP SP2 system

Friday, November 20, 2009 6:25 PM
0

Sign in to vote

Hi Mltwwlco,

Before moving on, please allow me explain background information regarding the blue screen stop problem.

What is the blue screen stop?

Generally speaking, this should actually be a blue screen stop issue or stop error issue. Windows 2000 and later (including Windows Vista) uses separated user mode and kernel mode memory space. The blue screen stop errors are always caused by kernel portion components, such as a device drivers, backup software or anti-virus services (buggy services).

To be more specific, the system goes to a blue screen because there is some exceptions happened in the kernel (a device drivers, backup software or anti-virus services, etc.), and Windows implements this mechanism: When it detects some errors occur in the kernel, it will kill the box in case some more severe damage happens. Then we get a blue screen or the system reboots (it depends on what the system settings are).

Windows 2000, Windows XP and Windows Vista act similarly when kernel mode crash problem occurs.

How to troubleshoot the blue screen stop problem?

To solid troubleshoot this kind of kernel crash issue, we need to debug the crashed system dump and analyze the related source code if needed. Unfortunately, debugging is beyond what we can do in the forum. I'd like to recommend that you contact Microsoft Customer Support Service (CSS) for assistance so that this problem can be resolved efficiently. To obtain the phone numbers for specific technology request please take a look at the web site listed below:

http://support.microsoft.com/default.aspx?scid=fh;EN-US;PHONENUMBERS

If you are outside the US please see http://support.microsoft.com for regional support phone numbers.

Having said that, I'd still like to provide the following general troubleshooting steps for your reference. You can try them first before calling Microsoft CSS:

Note: Please perform a complete system backup first. If any unexpected issue occurs, we can quickly restore the system to the current status.

1. Scan your system to make sure that the system is virus free. Temporarily disable your anti-virus software to see if this problem is gone.

2. If you have recently installed any software, hardware or drivers, please remove them.

3. Disable all the third party startup programs and services by using the MSConfig.exe utility shipped with system. To use this tool, you can refer to the following Microsoft Knowledge Base article:

How to perform a clean boot procedure to determine whether background programs are interfering with a game or a program that you currently use

http://support.microsoft.com/kb/331796

4. However, if the issue still persists, please contact Microsoft Customer Support Service (CSS) for further troubleshooting. I hope the problem will be resolved soon.

Hope it helps.

Tuesday, November 24, 2009 2:10 AM

Moderator
1

Sign in to vote
After a couple of weeks of troubleshooting and removing both
antivirus and VPN software, I found the problem was due to Security Advisory
975497, specifically applying the MicrosoftFixit50304.msi (digital signature
signed 2009-09-09 20:05:55). Fixit 50304 disables SMB 2.0 and was
recommended as a work-around until security bulletin MS09-050 was issued.
icrosoftFixit50307.msi can optionally be used to
re-enable SMB 2.0 (aka reverse Fixit 50304) since the vulnerability is
patched (I forgot to re-enable it).
The reproducible sequence of events that cause this BSOD:
1. Installed MicrosoftFixit50304.msi at 2009-09-21 18:00:23 per Application
log
2. 2009-10-14 MS09-050 installed with all other applicable October 2009
Security Bulletins
3. 2009-11-19 13_39 attempted to open JPG file created in MSPaint on T:
mapped to a local share on my computer, BSOD, windows error report sent on
next reboot
4. 2009-11-20 additional testing and multiple BSOD WER (WER = Windows Error
Report aka Problem Reports and Solutions) sent, initial report made to
newsgroup/forum TechNet.en-US.itprovistasecurity
5. 2009-12-15 uninstalled McAfee 8.5i and Cisco VPN, cold boot, BSOD still
occurs
6. 2009-12-15 verified registry setting for SMB 2.0 per MS07-063:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"Smb2"=dword:00000000
15 Remembered / found MicrosoftFixit50304.msi was applied, backed
up SMB 2.0 registry keys with current settings, applied
MicrosoftFixit50307.msi to re-enable SMB 2.0, power off and cold reboot
performed
8. 2009-12-15 Tested accessing JPG file from T: SYSTEM DID NOT BSOD -
PROBLEM SOLVED!
9. 2009-12-15 Backed up SMB 2.0 registry keys, applied
MicrosoftFixit50304.msi, reboot, BSOD re-occurs as expected, rebooted and
error report sent to Microsoft
10. 2009-12-15 applied MicrosoftFixit50307.msi to re-enable SMB 2.0, power
off and cold reboot performed, no additional BSOD.
11. Changed registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
"Smb2"=dword:00000001
to "Smb2"=dword:00000000
which should manually disable SMB 2.0 per KB950836
12. Tested accessing JPG file from T:, SMB 2.0 off no problems, rebooted and
still no problems!
13. Re-ran MicrosoftFixit50307.msi to re-enable SMB 2.0
14. 2009-12-17 Reported findings to Microsoft

assist others with this issue and close this
problem:

* Contact Fixit group to verify my test results ( I have spent over 10 hours
troubleshooting this issue plus lost work due to unexpected BSOD)
* Fix MicrosoftFixit50304.msi, it seems to be the root cause of this crash
* Update WER to suggest re-enabling SMB 2.0 and/or applying
MicrosoftFixit50307.msi to solve this problem and fix incorrect WER
suggestion to install Vista SP1 on computers when Vista SP2 is already
installed
* Update KB975517 with this known issue, document all registry settings and
any other changes made by MicrosoftFixit50304.msi and
MicrosoftFixit50307.msi
* Clarify required changes to disable SMB 2.0 made by MicrosoftFixit50304
vs. KB950836, they appear to be different
* Forward this information to MSRC to have them test and see if the reported
BSOD in RDR_FILE_SYSTEM might be regression errors from the fixes made for
MS09-050 / MS07-063 and possible upcoming patch for Microsoft Security
y in SMB Could Allow Denial of Service

=========
"Robinson Zhang - MSFT" wrote in message
news:721b0334-bc92-439d-9246-f83340a07c83...
Hi Mltwwlco,
< Snipped >
- Proposed as answer by my_public_identity Wednesday, November 9, 2011 12:16 PM
Thursday, December 17, 2009 8:33 PM

Microsoft, I would appreciate a reply per the terms in "TechNet Managed Newsgroups and Forums" h ttp://technet.microsoft.com/en-us/subscriptions/ms788697.aspx and "

Managed newsgroup support, with guaranteed response times.
Get expert technical answers by the next business day -guaranteed -through more than 100 managed newsgroups.

" ht tp://technet.microsoft.com/en-us/subscriptions/default.aspx</F ONT>

"Mltwwlco" wrote in message news:66d72557-5009-410 3-af61-c9d2bd9fb0e3...

After a couple of weeks of troubleshooting and removing both
antivirus and VPN software, I found the problem was due to Security Advisory
975497, specifically applying the MicrosoftFixit50304.msi (digital signature
signed 2009-09-09 20:05:55). Fixit 50304 disables SMB 2.0 and was
recommended as a work-around until security bulletin MS09-050 was issued.
icrosoftFixit50307.msi can optionally be used to
re-enable SMB 2.0 (aka reverse Fixit 50304) since the vulnerability is
patched (I forgot to re-enable it).
The reproducible sequence of events that cause this BSOD:
1. Installed MicrosoftFixit50304.msi at 2009-09-21 18:00:23 per Application
log
2. 2009-10-14 MS09-050 installed with all other applicable October 2009
Security Bulletins
3. 2009-11-19 13_39 attempted to open JPG file created in MSPaint on T:
mapped to a local share on my computer, BSOD, windows error report sent on
next reboot
4. 2009-11-20 additional testing and multiple BSOD WER (WER = Windows Error
Report aka Problem Reports and Solutions) sent, initial report made to
newsgroup/forum TechNet.en-US.itprovistasecurity
5. 2009-12-15 uninstalled McAfee 8.5i and Cisco VPN, cold boot, BSOD still
occurs
6. 2009-12-15 verified registry setting for SMB 2.0 per MS07-063:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanman Server\Parameters]
"Smb2"=dword:00000000
15 Remembered / found MicrosoftFixit50304.msi was applied, backed
up SMB 2.0 registry keys with current settings, applied
MicrosoftFixit50307.msi to re-enable SMB 2.0, power off and cold reboot
performed
8. 2009-12-15 Tested accessing JPG file from T: SYSTEM DID NOT BSOD -
PROBLEM SOLVED!
9. 2009-12-15 Backed up SMB 2.0 registry keys, applied
MicrosoftFixit50304.msi, reboot, BSOD re-occurs as expected, rebooted and
error report sent to Microsoft
10. 2009-12-15 applied MicrosoftFixit50307.msi to re-enable SMB 2.0, power
off and cold reboot performed, no additional BSOD.
11. Changed registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\ Parameters
"Smb2"=dword:00000001
to "Smb2"=dword:00000000
which should manually disable SMB 2.0 per KB950836
12. Tested accessing JPG file from T:, SMB 2.0 off no problems, rebooted and
still no problems!
13. Re-ran MicrosoftFixit50307.msi to re-enable SMB 2.0
14. 2009-12-17 Reported findings to Microsoft

assist others with this issue and close this
problem:

* Contact Fixit group to verify my test results ( I have spent over 10 hours
troubleshooting this issue plus lost work due to unexpected BSOD)
* Fix MicrosoftFixit50304.msi, it seems to be the root cause of this crash
* Update WER to suggest re-enabling SMB 2.0 and/or applying
MicrosoftFixit50307.msi to solve this problem and fix incorrect WER
suggestion to install Vista SP1 on computers when Vista SP2 is already
installed
* Update KB975517 with this known issue, document all registry settings and
any other changes made by MicrosoftFixit50304.msi and
MicrosoftFixit50307.msi
* Clarify required changes to disable SMB 2.0 made by MicrosoftFixit50304
vs. KB950836, they appear to be different
* Forward this information to MSRC to have them test and see if the reported
BSOD in RDR_FILE_SYSTEM might be regression errors from the fixes made for
MS09-050 / MS07-063 and possible upcoming patch for Microsoft Security
y in SMB Could Allow Denial of Service

=========
"Robinson Zhang - MSFT" wrote in message
news:721b0334-bc92-439d-9246-f83340a07c83...
Hi Mltwwlco,
< Snipped >

Thursday, December 31, 2009 9:39 PM

Another week has passed, I require a response to this issue ASAP!

"Mltwwlco" wrote in message news:dcfb05dd-6010-431 2-8c0c-c89ff6c1adcd...

Microsoft, I would appreciate a reply per the terms in "TechNet Managed Newsgroups and Forums" h ttp://technet.microsoft.com/en-us/subscriptions/ms788697.aspx and "

Managed newsgroup support, with guaranteed response times.
Get expert technical answers by the next business day -guaranteed -through more than 100 managed newsgroups.
" ht tp://technet.microsoft.com/en-us/subscriptions/default.aspx< ;/F ONT>

"Mltwwlco" wrote in message news:66d72557-5009-410 3-af61-c9d2bd9fb0e3...

After a couple of weeks of troubleshooting and removing both
antivirus and VPN software, I found the problem was due to Security Advisory
975497, specifically applying the MicrosoftFixit50304.msi (digital signature
signed 2009-09-09 20:05:55). Fixit 50304 disables SMB 2.0 and was
recommended as a work-around until security bulletin MS09-050 was issued.
icrosoftFixit50307.msi can optionally be used to
re-enable SMB 2.0 (aka reverse Fixit 50304) since the vulnerability is
patched (I forgot to re-enable it).
The reproducible sequence of events that cause this BSOD:
1. Installed MicrosoftFixit50304.msi at 2009-09-21 18:00:23 per Application
log
2. 2009-10-14 MS09-050 installed with all other applicable October 2009
Security Bulletins
3. 2009-11-19 13_39 attempted to open JPG file created in MSPaint on T:
mapped to a local share on my computer, BSOD, windows error report sent on
next reboot
4. 2009-11-20 additional testing and multiple BSOD WER (WER = Windows Error
Report aka Problem Reports and Solutions) sent, initial report made to
newsgroup/forum TechNet.en-US.itprovistasecurity
5. 2009-12-15 uninstalled McAfee 8.5i and Cisco VPN, cold boot, BSOD still
occurs
6. 2009-12-15 verified registry setting for SMB 2.0 per MS07-063:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanman Server\Parameters]
"Smb2"=dword:00000000
15 Remembered / found MicrosoftFixit50304.msi was applied, backed
up SMB 2.0 registry keys with current settings, applied
MicrosoftFixit50307.msi to re-enable SMB 2.0, power off and cold reboot
performed
8. 2009-12-15 Tested accessing JPG file from T: SYSTEM DID NOT BSOD -
PROBLEM SOLVED!
9. 2009-12-15 Backed up SMB 2.0 registry keys, applied
MicrosoftFixit50304.msi, reboot, BSOD re-occurs as expected, rebooted and
error report sent to Microsoft
10. 2009-12-15 applied MicrosoftFixit50307.msi to re-enable SMB 2.0, power
off and cold reboot performed, no additional BSOD.
11. Changed registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\ Parameters
"Smb2"=dword:00000001
to "Smb2"=dword:00000000
which should manually disable SMB 2.0 per KB950836
12. Tested accessing JPG file from T:, SMB 2.0 off no problems, rebooted and
still no problems!
13. Re-ran MicrosoftFixit50307.msi to re-enable SMB 2.0
14. 2009-12-17 Reported findings to Microsoft

assist others with this issue and close this
problem:

* Contact Fixit group to verify my test results ( I have spent over 10 hours
troubleshooting this issue plus lost work due to unexpected BSOD)
* Fix MicrosoftFixit50304.msi, it seems to be the root cause of this crash
* Update WER to suggest re-enabling SMB 2.0 and/or applying
MicrosoftFixit50307.msi to solve this problem and fix incorrect WER
suggestion to install Vista SP1 on computers when Vista SP2 is already
installed
* Update KB975517 with this known issue, document all registry settings and
any other changes made by MicrosoftFixit50304.msi and
MicrosoftFixit50307.msi
* Clarify required changes to disable SMB 2.0 made by MicrosoftFixit50304
vs. KB950836, they appear to be different
* Forward this information to MSRC to have them test and see if the reported
BSOD in RDR_FILE_SYSTEM might be regression errors from the fixes made for
MS09-050 / MS07-063 and possible upcoming patch for Microsoft Security
y in SMB Could Allow Denial of Service

=========
"Robinson Zhang - MSFT" wrote in message
news:721b0334-bc92-439d-9246-f83340a07c83...
Hi Mltwwlco,
< Snipped >

Thursday, January 7, 2010 5:03 PM

Have you received any replies yet? I've had this same issue on a SBS 2008 and Windows 7 machine and haven't got any definitive answers.

Wednesday, March 17, 2010 2:18 AM

First of all, I am sorry for the delayed response.

I have established similar test environments to check this issue. However, I cannot reproduce the same problem here. Also, I noticed that you have performed many tests there and I agree that it is likely related to network connection or a certain applications which may be conflict with the SMB components.

Although I am not a member for FitIt team, I will forward your feedbacks to the related team. Also, please understand that to identify such issue's root cause, we still need to perform debugging, which is beyond what we can do in the forum, I still strongly suggest that you continue to work with CSS members.

Hope it helps.

Thursday, April 22, 2010 10:29 AM

Moderator

Thanks heaps for documenting this!!! I have this exact same problem and it had been driving me mad for months! ... I had disabled SMB2.0 because of files not showing up in network folders which was breaking our Mapinfo program... but this was the side effect...

I had this problem not only show up for windows photo previewer but also when you press the "extract" button in the client of 7-Zip while opening a zip file on a network share mapped locally.

This is a terminal server running Server 2008 R2 SP2 x64

Unfortunately I have to leave SMB2 turned OFF in order to fix the mapped network drive issue as per here which also breaks Mapinfo as per here http://social.technet.microsoft.com/Forums/en/w7itprogeneral/thread/947489ae-dc86-45f0-ad5e-463a62e1d59f

And the fixit wasn't the problem for me - its just the difference between SMB1 and SMB2 .... if I change the reg key to disable SMB2 .. instant BSOD when jpeg on mapped local network share... I believe this is actually a side effect of SMB2 being disabled and the reason no one has complained much is because not many users actually disable SMB2 ...

Edited by my_public_identity Wednesday, November 9, 2011 12:43 PM

Wednesday, November 9, 2011 12:17 PM

hi,

i m also getting these problems and these are driven me crazy.i didn't found any single solution so that i could resolve these. i have already tried whole the process given by robinson but it takes me to the end.i m not getting even my boot screen.plz help me.

thanks

Thursday, December 15, 2011 1:08 PM

Hi Sophiya - your problem sounds unrelated to this thread. I suggest checking for hardware faults (e.g. faulty memory) then formatting your computer and reinstalling windows from scratch. Thanks

Thursday, December 15, 2011 1:12 PM

Products

Resources

Solutions

Updates

Trials

Related Sites

Training

Certifications

Other resources

Support options

More support

Not an IT pro?

Asked by:

BSOD in mrxsmb10.sys post Nov 2009 Bulletins

Question

All replies