Windows 10 crashed when accessing \\tsclient path from Remote Desktop via FAR Manager RRS feed

  • Question

  • How to reproduce:

    1. Connect to Windows 10 (1607 x64) from Windows 10 (possible other OS too) via Remote Desktop. Before connect, in the "Remote Desktop Connection options"/"Local Resources" allow access to local drives.

    2. In the remote desktop session start FAR Manager (v3.0 build 4747 x64) and type "cd \\tsclient\D", where "D" is a local drive where you allow access at step 1.

    3. Try to enter to some folder - at first-second folder Windows 10 with RDP server will crash (BSOD).

    The problem appeared on different computers and could be easily reproduced on fresh Windows 10 instance installed on Hyper-V.

    See MEMORY.DMP information below:

    ************* Symbol Path validation summary **************
    Response                         Time (ms)     Location
    Deferred                                       srv*c:\Program Files\Symbols*http://msdl.microsoft.com/download/symbols
    Symbol search path is: srv*c:\Program Files\Symbols*http://msdl.microsoft.com/download/symbols
    Executable search path is: 
    Windows 10 Kernel Version 14393 UP Free x64
    Product: WinNt, suite: TerminalServer SingleUserTS
    Built by: 14393.0.amd64fre.rs1_release.160715-1616
    Machine Name:
    Kernel base = 0xfffff801`1280a000 PsLoadedModuleList = 0xfffff801`12b0f060
    Debug session time: Sat Aug  6 17:05:26.934 2016 (UTC + 3:00)
    System Uptime: 0 days 0:01:36.994
    Loading Kernel Symbols
    Loading User Symbols
    PEB is paged out (Peb.Ldr = 000000e5`6abd8018).  Type ".hh dbgerr001" for details
    Loading unloaded module list
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    Use !analyze -v to get detailed debugging information.
    BugCheck 27, {fcb0027c, ffffd5073f279eb8, ffffd5073f279af0, 0}
    Page c920 not present in the dump file. Type ".hh dbgerr004" for details
    Probably caused by : rdbss.sys ( rdbss! ?? ::FNODOBFM::`string'+1f09 )
    Followup:     MachineOwner
    kd> !analyze -v
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
        If you see RxExceptionFilter on the stack then the 2nd and 3rd parameters are the
        exception record and context record. Do a .cxr on the 3rd parameter and then kb to
        obtain a more informative stack trace.
        The high 16 bits of the first parameter is the RDBSS bugcheck code, which is defined
        as follows:
         RDBSS_BUG_CHECK_CACHESUP  = 0xca550000,
         RDBSS_BUG_CHECK_CLEANUP   = 0xc1ee0000,
         RDBSS_BUG_CHECK_CLOSE     = 0xc10e0000,
         RDBSS_BUG_CHECK_NTEXCEPT  = 0xbaad0000,
    Arg1: 00000000fcb0027c
    Arg2: ffffd5073f279eb8
    Arg3: ffffd5073f279af0
    Arg4: 0000000000000000
    Debugging Details:
    Page c920 not present in the dump file. Type ".hh dbgerr004" for details
    BUILD_VERSION_STRING:  14393.0.amd64fre.rs1_release.160715-1616
    SYSTEM_MANUFACTURER:  Microsoft Corporation
    SYSTEM_PRODUCT_NAME:  Virtual Machine
    SYSTEM_SKU:  None
    SYSTEM_VERSION:  Hyper-V UEFI Release v1.0
    BIOS_VENDOR:  Microsoft Corporation
    BIOS_VERSION:  Hyper-V UEFI Release v1.0
    BIOS_DATE:  11/26/2012
    BASEBOARD_MANUFACTURER:  Microsoft Corporation
    BASEBOARD_PRODUCT:  Virtual Machine
    BASEBOARD_VERSION:  Hyper-V UEFI Release v1.0
    DUMP_TYPE:  1
    BUGCHECK_P1: fcb0027c
    BUGCHECK_P2: ffffd5073f279eb8
    BUGCHECK_P3: ffffd5073f279af0
    BUGCHECK_P4: 0
    EXCEPTION_RECORD:  ffffd5073f279eb8 -- (.exr 0xffffd5073f279eb8)
    ExceptionAddress: ffffd5073f279ec8
       ExceptionCode: 0130ec30
      ExceptionFlags: 00000001
    NumberParameters: 1059561160
       Parameter[0]: ffffd5073f279dc0
       Parameter[1]: ffffd5073f279af0
       Parameter[2]: ffffa58a7d665080
       Parameter[3]: ffffa58a7ee4eb00
       Parameter[4]: ffffa58a7e423a70
       Parameter[5]: 0000000006410200
       Parameter[6]: 0000000000020002
       Parameter[7]: fffff807f265615c
       Parameter[8]: 0000000000000000
       Parameter[9]: ffffd5073f279e78
       Parameter[10]: ffffd5073f279e78
       Parameter[11]: ffffd5073f279f30
       Parameter[12]: ffffd5073f279f30
       Parameter[13]: 0000000000000100
       Parameter[14]: 0000000000000000
    CONTEXT:  ffffd5073f279af0 -- (.cxr 0xffffd5073f279af0)
    rax=0000000000000000 rbx=0000000000400800 rcx=0000000000000000
    rdx=c040000000000004 rsi=0000000000000001 rdi=0000000000000002
    rip=ffffd5073f279e48 rsp=ffffffffffffffff rbp=ffffffffffffffff
     r8=0000000000000000  r9=0000000000000000 r10=0000000000000000
    r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
    r14=0000000000000000 r15=0000183f00000000
    iopl=1 vip vif nv dn di pl nz na po cy
    cs=9b28  ss=3f27  ds=3f27  es=d507  fs=ffff  gs=9b28             efl=ffffd507
    9b28:9e48 ??              ???
    Resetting default scope
    CPU_COUNT: 1
    CPU_MHZ: ce4
    CPU_VENDOR:  GenuineIntel
    CPU_MODEL: 2a
    CPU_MICROCODE: 6,2a,7,0 (F,M,S,R)  SIG: FFFFFFFF'00000000 (cache) FFFFFFFF'00000000 (init)
    BUGCHECK_STR:  0x27
    PROCESS_NAME:  Far.exe
    ERROR_CODE: (NTSTATUS) 0x130ec30 - <unable code="" error="" get="" text="" to="">
    EXCEPTION_CODE: (Win32) 0x130ec30 (19983408) - <unable code="" error="" get="" text="" to="">
    EXCEPTION_CODE_STR:  130ec30
    EXCEPTION_PARAMETER1:  ffffd5073f279dc0
    EXCEPTION_PARAMETER2:  ffffd5073f279af0
    EXCEPTION_PARAMETER3:  ffffa58a7d665080
    ANALYSIS_SESSION_TIME:  08-06-2016 17:28:09.0247
    ANALYSIS_VERSION: 10.0.10586.567 amd64fre
    LAST_CONTROL_TRANSFER:  from 0000000000000000 to ffffd5073f279e48
    BAD_STACK_POINTER:  ffffffffffffffff
    UNALIGNED_STACK_POINTER:  ffffffffffffffff
    ffff8a01`61c75238 fffff807`f262fd19 : 00000000`00000027 00000000`fcb0027c ffffd507`3f279eb8 ffffd507`3f279af0 : nt!KeBugCheckEx
    ffff8a01`61c75240 fffff807`f26633b6 : ffffd507`00000000 00000000`00000000 ffffa58a`7d188c01 ffffa58a`7d188cc0 : rdbss! ?? ::FNODOBFM::`string'+0x1f09
    ffff8a01`61c75390 fffff807`f262299b : ffffa58a`7d188cc0 ffffd507`3f279af0 ffffd507`3f279eb8 000000e5`6abd9000 : rdbss!RxCommonClose+0x126
    ffff8a01`61c75430 fffff807`f265e626 : ffffd507`3f0fa148 fffff807`f0ef4060 00000000`00000000 ffffa58a`7d665080 : rdbss!RxFsdCommonDispatch+0x55b
    ffff8a01`61c755b0 fffff807`f32f1203 : ffffa58a`7f05d040 ffffa58a`7d654190 ffffa58a`7d65d770 fffff807`f0ed4ba3 : rdbss!RxFsdDispatch+0x86
    ffff8a01`61c75600 fffff807`f1f8dc8c : ffffa58a`7f7e67e0 ffffa58a`7f7e67e0 00000000`00000000 ffffa58a`7d017fb8 : rdpdr!DrPeekDispatch+0x203
    ffff8a01`61c75680 fffff807`f1f8c64c : ffffd507`36a28e70 ffffa58a`7d665080 ffffa58a`7d017e10 ffffa58a`7f7e67e0 : mup!MupStateMachine+0x1dc
    ffff8a01`61c756f0 fffff807`f0ed5206 : ffffa58a`7d65d770 00000000`00000000 ffffa58a`7ff537d0 ffff8a01`61c75800 : mup!MupClose+0x8c
    ffff8a01`61c75750 fffff807`f0ed3146 : ffffa58a`7db106c0 ffffa58a`7e027df0 00000000`00000001 ffffa58a`7ce6e5c0 : FLTMGR!FltpLegacyProcessingAfterPreCallbacksCompleted+0x1a6
    ffff8a01`61c757e0 fffff801`12c2e9ed : ffffa58a`7d665080 00000000`00000001 ffffa58a`7d017e10 ffffa58a`7e027df0 : FLTMGR!FltpDispatch+0xb6
    ffff8a01`61c75840 fffff801`12bfa4e8 : ffffa58a`7d665050 00000000`00000000 ffffa58a`7cefbf20 00000000`00000000 : nt!IopDeleteFile+0x12d
    ffff8a01`61c758c0 fffff801`12852e96 : 00000000`00000000 00000000`00000000 ffffa58a`7d665050 ffffa58a`7d665080 : nt!ObpRemoveObjectRoutine+0x78
    ffff8a01`61c75920 fffff801`12c1575f : 00000000`00000000 ffffa58a`7d665000 ffffa58a`7d665050 ffffa58a`7d665060 : nt!ObfDereferenceObjectWithTag+0xc6
    ffff8a01`61c75960 fffff801`12c6619b : 00000283`23478d2e 00000000`00000000 00000283`23478d2e fffff801`12958e1f : nt!ObCloseHandleTableEntry+0x28f
    ffff8a01`61c75aa0 fffff801`1295ec93 : 00000000`00000000 ffffa58a`7e1b3b00 00000000`00000000 00000283`23362cd8 : nt!NtClose+0xcb
    ffff8a01`61c75b00 00007ffa`8c925034 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
    000000e5`6a9ac6f8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffa`8c925034
    THREAD_SHA1_HASH_MOD_FUNC:  8833fcd4a9e6b0908019794767bef5d764f170e8
    THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  3fd8a8b158e8467e8e4fdbf3cfd62ad6bd712c52
    THREAD_SHA1_HASH_MOD:  ed6fe6e7b54740eb8140216d5f68249590f044fd
    rdbss! ?? ::FNODOBFM::`string'+1f09
    fffff807`f262fd19 cc              int     3
    FAULT_INSTR_CODE:  cf8b49cc
    SYMBOL_NAME:  rdbss! ?? ::FNODOBFM::`string'+1f09
    FOLLOWUP_NAME:  MachineOwner
    MODULE_NAME: rdbss
    IMAGE_NAME:  rdbss.sys
    FAILURE_BUCKET_ID:  0x27_STACKPTR_ERROR_rdbss!_??_::FNODOBFM::_string_
    BUCKET_ID:  0x27_STACKPTR_ERROR_rdbss!_??_::FNODOBFM::_string_
    TARGET_TIME:  2016-08-06T14:05:26.000Z
    OSBUILD:  14393
    SUITE_MASK:  272
    OSNAME:  Windows 10
    OSEDITION:  Windows 10 WinNt TerminalServer SingleUserTS
    USER_LCID:  0
    OSBUILD_TIMESTAMP:  2016-07-16 05:16:17
    BUILDDATESTAMP_STR:  160715-1616
    BUILDLAB_STR:  rs1_release
    BUILDOSVER_STR:  10.0.14393.0.amd64fre.rs1_release.160715-1616
    FAILURE_ID_HASH_STRING:  km:0x27_stackptr_error_rdbss!_??_::fnodobfm::_string_
    FAILURE_ID_HASH:  {f3d0b1d8-30f1-b7b4-a98e-1df402c3f351}
    Followup:     MachineOwner

    • Edited by rdmitry Saturday, August 6, 2016 3:00 PM
    Saturday, August 6, 2016 2:59 PM

All replies

  • Hi rdmitry,

    According to your analysis, the issue is related to "rdbss.sys". It is "Redirected Drive Buffering SubSystem Driver". Considering the issue occurred on every machine, I suspect it is not compatible with the Windows 10 RDP feature. You`d better confirm this with the software developer.

    Best regards

    Please remember to mark the replies as an answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, August 8, 2016 5:53 AM
  • Dear MeipoXu,

    The rdbss.sys module is a part of Windows 10, and this issue means user mode program could crash the kernel.

    The RDP file access works without problem on Windows 7/Server 2008 R2/2012/2012 R2.

    Best regards, Dmitry

    • Edited by rdmitry Thursday, August 11, 2016 12:21 AM
    Wednesday, August 10, 2016 9:45 PM
  • Hi rdmitry,

    Since the issue is related to the third party software, it is recommended to confirm with the software developer to confirm this.
    Due to the limited working environment, it is not available for me to test this. Thanks for your understanding and cooperation.

    Best regards

    Please remember to mark the replies as an answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    • Proposed as answer by Suncatcher_13 Saturday, January 7, 2017 6:21 PM
    • Unproposed as answer by Suncatcher_13 Saturday, January 7, 2017 6:21 PM
    Monday, August 15, 2016 6:58 AM
  • It seems issue was fixed with today's update KB3176934. The KB does not mention this issue at all, but have new rdbss:

    rdbss.sys,"10.0.14393.82","435,040","06-Aug-2016","04:16","x64","None","Not applicable",

    With this update I'm not able to reproduce the issue.

    • Proposed as answer by -Mr Happy- Tuesday, August 23, 2016 10:52 PM
    • Marked as answer by ZigZag3143x Wednesday, August 24, 2016 4:02 AM
    • Unmarked as answer by rdmitry Saturday, August 27, 2016 11:45 PM
    Tuesday, August 23, 2016 10:37 PM
  • Hi rdmitry,

    I am glad the issue has been resolved and thanks for updating. Please remember to mark the reply.

    Best regards

    Please remember to mark the replies as an answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Wednesday, August 24, 2016 1:07 AM
  • I'm afraid the problem isn't solved yet. I can reproduce it on the current Windows 10 Anniversary with yesterday's patches as well as the Windows Server 2016 RTM installation, both with rdbss.sys version 10.0.14393.82. And the current Windows 10 Insider Preview 14905.1000 crashes as well...
    Wednesday, August 24, 2016 2:24 PM
  • You are right. Problem still present. I was unable to reproduce the issue on 1 processor, but it appeared again when I set up 2 processors (I run tests on VM).

    I have no information about availability of Windows Server 2016 RTM; with MSDN subscription I have see Server 2016 TP5 version.

    It is really sad that Microsoft put this buggy version to Windows Server.

    MeipoXu, please do not ignore this issue and ask development team for a fix.

    Saturday, August 27, 2016 1:04 PM
  • I can reproduce the same problem consistently on rdbss.sys version 10.0.14393.82 if I access \\tsclient\c\users\ and there're lots of files there, the PC is multi-core. Looks like it crashes when the total number of files in the directory reaches approximately 1000.

    Here're the BSOD details from BlueScreenView:

    rdbss.sys rdbss.sys+fd19 fffff80e`c8940000 fffff80e`c89b5000 0x00075000 0x57a5591c 6/08/2016 1:27:24 PM Microsoft® Windows® Operating System Redirected Drive Buffering SubSystem Driver 10.0.14393.0 (rs1_release.160715-1616) Microsoft Corporation C:\WINDOWS\system32\drivers\rdbss.sys

    • Edited by Alex2550 Wednesday, August 31, 2016 3:33 PM
    Wednesday, August 31, 2016 5:56 AM
  • Dear MeipoXu,

    If the user mode program can crash the kernel it BY ITSELF means that it's a bug in Windows regardless of what exactly that particular program is doing and potential attack vector on Windows. So yes, it's pretty serious.

    Wednesday, August 31, 2016 8:37 AM
  • The problem is actual so far. After updating Windows Server 2016 to Cumulative Update KB3192366 with rdbss.sys 10.0.14393.206 (rs1_release.160915-0644) the OS is crashing to BSOD when accessing local redirected disk from remote desktop session.
    • Edited by Pavel Nosov Monday, September 26, 2016 8:32 PM
    Monday, September 26, 2016 8:31 PM
  • Hello MeipoXu,

    This issue still is not resolved. Currently it also appeared on Windows Server 2016.

    Also I've seen the same issue in the TechNet forums not caused by FAR Manger software: Remote Windows 10 VM BSOD while trying to print locally while connected with Remote Desktop

    Did you sent this information to RDBSS devlopers?

    Saturday, November 12, 2016 9:23 AM
  • Confirm this bug too. It is still not fixed.
    Saturday, January 7, 2017 6:24 PM