RDR_FILE_SYSTEM caused by mrxsmb.sys

Hi,

I know it's not a developer question at all, but the best place to ask. I am running a fairly old (but up to date) Windows XP Pro system for testing purposes on several applications I am developing, and yesterday I faced a problem which I had never seen before. I am suddenly facing a RDR_FILE_SYSTEM in an early booting stage, so I get no memory dumps. Starting the system successfully in safe mode clearly made me think that it must be one of the drivers that are not necessary to boot into a running system. After having a brief look into the system's loaded drivers and the drivers skipped from loading in ntbootlog.txt and Device Manager's hardware and drivers, I couldn't find anything that changed in the past few days. Reading the Bug Check description on MSDN stated that it is some issue with the SMB redirector file system, and this made me try starting the system with network support, which again instantly ran into the bugcheck I had before. So I booted again into safe mode and excluded the mrxsmb driver from loading. This made the system start successfully, but disabling this driver also makes depending services and other drivers not load. Some of them are those I need. This behaviour suddenly started to arise for reasons unknown. I did some memory testing on the system that ran successfully through all the 2GB RAM on the system and also ran some chkdsk /F on the file system. The only way to start into a running system is to disable mrxsmb, but this is no solution at all. I know that XP is dead, but I still use it for testing purposes on some code I am maintaining.

Maybe important to know is that a week ago I had the latest Comodo security suite running on that system and I removed it 3 days ago with no problems. The system did reboot many times since then without any problems. I also had some drivers running like Ext2IFS, Ext2FSD, Linux Reader to access external ext2/3 formatted drives, and even after removing them all worked fine. Maybe some of them broke something somewhere, but I have no idea what could have been damaged, and maybe someone else has a good idea. Looking into the registry hives regarding the SCM and installed drivers shows no traces left from the drivers.

One additional thing to mention here is that one day before the bugcheck, the system started to behave strangely by not displaying attached USB drives in the My Computer folder and sometimes in the disk management tool (diskmgmt hangs indefinitely). The interesting thing is that all drives can be seen in the Device Manager and by diskpart but not by Explorer. My first thought was some bad shell extension, but I couldn't find any bad shell extensions. All work fine. I can fully access the drives by their mountpoints/labels using the command line interface. For whatever reason the UI doesn't get updated when the USB drives arrive. Another odd thing is that the devices will be shown in Explorer after restarting the explorer process, which also made me think at first that this could be some bad shell extension, but it isn't. The system successfully broadcasts messages like DBT_DEVNODES_CHANGED, DBT_DEVICEARRIVAL::DEVICETYPE_VOLUME, but the shell doesn't update the view.

Does anybody have any more ideas what could have caused this and where to look on the system? It's no big deal to start from a fresh installation, but I personally would like to know what could have caused this and where exactly to look to fix that issue. Maybe someone else will have the same trouble some day. I also tried to fix this with an early system restore point, but this also failed.

Thanks in advance

K.
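
The boot-log comparison described in the post above (drivers loaded versus skipped in the file the poster calls ntbootlog.txt), as an added example that is not part of the original thread. It assumes the log has already been read and decoded into a string; the session-header rule, the function names and the sample log are constructed for illustration.

```python
# Added example: compare boot sessions recorded in ntbootlog.txt.
# Assumption: any line that is not a "Loaded driver" / "Did not load driver"
# entry is a session header (header text differs between Windows builds).
LOADED, SKIPPED = "Loaded driver ", "Did not load driver "

# Constructed sample, not taken from the poster's machine.
SAMPLE_LOG = r"""Service Pack 3 10 9 2013 09:00:00.500
Loaded driver \WINDOWS\system32\ntoskrnl.exe
Loaded driver \SystemRoot\System32\DRIVERS\rdbss.sys
Did not load driver \SystemRoot\System32\DRIVERS\mrxsmb.sys
Service Pack 3 10 9 2013 09:10:00.500
Loaded driver \WINDOWS\system32\ntoskrnl.exe
Loaded driver \SystemRoot\System32\DRIVERS\rdbss.sys
Loaded driver \SystemRoot\System32\DRIVERS\mrxsmb.sys
"""

def parse_sessions(text):
    """Split boot-log text into sessions with 'loaded' and 'skipped' path lists."""
    sessions = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith(LOADED):
            kind, path = "loaded", line[len(LOADED):]
        elif line.startswith(SKIPPED):
            kind, path = "skipped", line[len(SKIPPED):]
        else:  # header line; consecutive header lines belong to one session
            if sessions and not (sessions[-1]["loaded"] or sessions[-1]["skipped"]):
                sessions[-1]["header"] += " " + line
            else:
                sessions.append({"header": line, "loaded": [], "skipped": []})
            continue
        if not sessions:  # driver entries that appear before any header
            sessions.append({"header": "", "loaded": [], "skipped": []})
        sessions[-1][kind].append(path)
    return sessions

def driver_name(path):
    """File name of a logged driver path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()

def compare(good, bad):
    """Return (drivers loaded only in `bad`, last driver `bad` logged)."""
    good_names = {driver_name(p) for p in good["loaded"]}
    extra = []
    for name in map(driver_name, bad["loaded"]):
        if name not in good_names and name not in extra:
            extra.append(name)
    last = driver_name(bad["loaded"][-1]) if bad["loaded"] else None
    return extra, last
```

Calling `compare(safe, networked)` on two parsed sessions narrows the candidates to drivers that only the failing boot loaded, which is the manual check the post describes.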

Did you check for viruses and rootkits? To be sure after all, you need to unplug your hard disk and move it into another PC.
You could, for example, put the disk into a USB case and use it as an external disk on the other PC…

----- Original Message -----
From:
To: “Windows System Software Devs Interest List”
Sent: Thursday, October 10, 2013 10:28 AM
Subject: [ntdev] RDR_FILE_SYSTEM caused by mrxsmb.sys


NTDEV is sponsored by OSR

Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev

OSR is HIRING!! See http://www.osr.com/careers

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

>for example , put the disk into an USB case and use it as external disk on the other PC…

That's a good idea. I will run a full scan for viruses and a chkdsk on the disk again with an external USB connection.

best

K.

I ran a full check for malicious code of any kind and also chkdsk with no results on the offline Windows system from an external USB drive adapter. Any more ideas?

You could still check for installed rootkits and suspicious startup programs. You may find “rootkitrevealer” and “autoruns” at
http://technet.microsoft.com/en-us/sysinternals/bb795534

----- Original Message -----
From:
To: “Windows System Software Devs Interest List”
Sent: Friday, October 11, 2013 1:29 PM
Subject: RE:[ntdev] RDR_FILE_SYSTEM caused by mrxsmb.sys

>I ran a full check for malicious code of any kind and also chkdsk with no results on the offline Windows system from an external
>USB drive adapter. Any more ideas?

Hi Christiaan,

I already did run RootkitRevealer, GMER, TDSSKiller etc. and some AV scanners on the OS and drives. All negative. Autoruns doesn't give any suspicious results and there aren't any unknown drivers or services. I really don't know where to look anymore. Something has broken the system, but what?

best

K.

>>Something has broken the system, but what?

I have no idea myself. I suggest replacing your hard disk with an empty one and installing a fresh copy of XP on that new disk. Maybe
your problems are caused by a hardware problem on the board, and with a fresh installation you can check if these problems
occur again or not.

Christiaan

----- Original Message -----
From:
To: “Windows System Software Devs Interest List”
Sent: Friday, October 11, 2013 7:58 PM
Subject: RE:[ntdev] RDR_FILE_SYSTEM caused by mrxsmb.sys

> Hi Christiaan,
>
> I already did run RootkitRevealer, GMER, TDSSKiller etc. and some AV scanners on the OS and drives. All negative. Autoruns doesn't
> give any suspicious results and there aren't any unknown drivers or services. I really don't know where to look anymore. Something
> has broken the system, but what?
>
>
> best
>
> K.

I don't think that it is a hardware problem because I started several live-based systems, Linux and Windows, on that machine and even did perform some hardware diagnostics without anything not working. Everything works fine as long as I start without mrxsmb.sys loading. Interesting to know would be what exactly mrxsmb is accessing in the background, including registry, hardware, file system, other drivers, etc. There must be some way to track that back. I don't have a cable for debugging the XP system. Important to know would be the initialization steps mrxsmb is taking and how it works, so one could eliminate any bad configuration or bad data to track the problem down. But I personally don't know anything about this driver.