
The Ever-Morphing Mrxsmb

Most Microsoft platforms, including Windows 2000, use the Common Internet File System (CIFS) standard to implement file and print sharing. Win2K implements CIFS with an enhanced version of the Server Message Block (SMB) protocol (which explains the "smb" part of mrxsmb.sys). Two kernel-mode components initiate and manage remote connections: mrxsmb.sys and rdbss.sys. Together, these components create a remote session, perform the file system operations you request (e.g., open, close, read, or write a file or spool a print job), and terminate the session when you no longer need the resource. When a system encounters a problem connecting to or accessing a remote resource, you see event log warnings and error messages from mrxsmb.sys. In severe cases, mrxsmb.sys crashes with a veritable smorgasbord of stop codes.

Mrxsmb writes event log messages when a network is alive and well and when a system has connectivity problems. For example, when you boot a system that claims to be the master browser, Mrxsmb writes event ID 8003 informing you that a new guy on the block attempted to take over the role of master browser and that a browser election has occurred. When you boot a system that is unable to contact a domain controller (DC) or a DNS server, you see multiple messages from Mrxsmb, including event ID 3034 "The redirector was unable to initialize security context or query context attributes" and event ID 3019 "The redirector failed to determine the connection type." Although event ID 3034 most often indicates a serious problem, the Microsoft article "Error Message: The Redirector Failed to Determine the Connection Type" states that you can safely ignore the event ID 3019 warning message.

Unless you're exceptionally brilliant or exceptionally lucky, you’ve probably seen your share of Mrxsmb messages or blue screens. The good news is that you can’t blame your lack of technical brilliance for some of these failures, especially the blue screens; they result from flaws in how the two redirector components interact with their remote counterparts. Microsoft has released no fewer than 12 bug fixes for mrxsmb.sys since April of this year.

Table 1 documents most of the known redirector problems as of September 23 and will help you diagnose a redirector problem. This sordid saga corrects six blue screens, potential loss of data, a problem accessing DFS shares, and a digital dashboard problem that likely belongs at the bottom of the priority list.

The last table entry lists the Win2K Service Pack 3 (SP3) versions of mrxsmb.sys and rdbss.sys. SP3 went public on August 1, 2002. On my SP3 systems, mrxsmb.sys and rdbss.sys have version number 5.0.2195.5434, which predates even the April 4 update (Q318789) immediately above the last line. We can only conclude that the SP3 redirector components are more than 12 versions out of date. We’ve progressed, if you can call it that, from version 5534 in April to version 6067 in just a few months. Want to place bets on how many new versions are waiting in the wings?

To complicate matters further, none of these patches are available for public download. If Microsoft releases six updates in 3 months for OS components that support and manage access to remote resources, the company needs to provide a public download option. A less desirable but minimally acceptable alternative is to have Microsoft rate mrxsmb.sys changes as critical and publish them on the Windows Update site. I couldn't confirm that the most recent versions of both components contain all the patches for earlier problems. Although I suspect this is most likely the case, it would be nice to verify that the September 23 version (5.0.2195.6067) is a rollup of all earlier releases.
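The following is an added example, not from the original article or from Microsoft: one way to audit file versions of the two redirector drivers against the builds the article names. It assumes the versions were already collected from each file's version resource; the inventory rows, host names and status labels are constructed for illustration.

```python
import csv
import io

# Builds named in the article (mrxsmb.sys and rdbss.sys share them).
SP3_BUILD = (5, 0, 2195, 5434)      # shipped with SP3
LATEST_BUILD = (5, 0, 2195, 6067)   # September 23 version
REDIRECTOR_FILES = {"mrxsmb.sys", "rdbss.sys"}

# Constructed inventory (hypothetical hosts): file version resource per host.
SAMPLE_INVENTORY = """host,file,version
FS01,mrxsmb.sys,5.0.2195.5434
FS01,rdbss.sys,5.0.2195.5434
FS02,mrxsmb.sys,5.0.2195.6067
FS02,rdbss.sys,5.0.2195.6067
WS17,mrxsmb.sys,5.0.2195.2103
WS18,mrxsmb.sys,5.0.2195.606x
"""

def parse_version(text):
    """Turn '5.0.2195.6067' into (5, 0, 2195, 6067); None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(version):
    """Compare numerically, field by field, never as strings."""
    if version is None:
        return "unparseable"
    if version >= LATEST_BUILD:
        return "current"
    return "sp3-level-or-later" if version >= SP3_BUILD else "pre-sp3"

def audit(inventory_csv):
    """Return {host: {file: status}} for the two redirector drivers."""
    report = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        name = row["file"].lower()
        if name in REDIRECTOR_FILES:
            status = classify(parse_version(row["version"]))
            report.setdefault(row["host"], {})[name] = status
    return report

def hosts_needing_update(report):
    """Hosts with a driver missing from the data or below the latest build."""
    return sorted(host for host, files in report.items()
                  if set(files) != REDIRECTOR_FILES
                  or any(s != "current" for s in files.values()))

print(hosts_needing_update(audit(SAMPLE_INVENTORY)))
```

Comparing the parsed tuples rather than the raw strings matters once a build number gains a digit: as text, "5.0.2195.10000" sorts before "5.0.2195.6067".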
