• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 7061
  • Last Modified:

Workstation Service will not start

Having a problem that has several post here and elsewhere on the web but none of them seem to have a solution that works.



Problem Description.

The workstation service will not start -- the errors in the event log are --

Entry 1-

Event Type: Error

Event Source: Workstation

Event ID: 5727

Description: Could not load RDR device driver.

Data: 0000: 34 00 00 c0 4..A


Entry 2-

Event Type: Error

Event Source: Service Control Manager

Event ID: 7024

Description: The Workstation service terminated with service-specific error
2250.


Since the service is not started this computer can not see the network shares or other computers in the workgroup.

The Internet connection is fine and working without problems.

The server service is starting and running - other computers on the network can see the pc and it's shares.

The other services that will not start are dependant on the workstation service.



The system with the problem is running Windows XP with Service Pack 3 and current updates installed.  
The firewall in use is Windows Firewall with sharing enabled - turning it off has no effect on the problem.  
Multiple scans for malware report the system is clean and HighJack This does not find anything unusual.



I have tried all the following as suggested in various posts but nothing has fixed the problem.

Run SFC = no problems found

Deinstalled network hardware and reinstalled with new drivers.

Reset TCPIP with netsh

Reset Winsock with netsh

Completely deinstalled and reinstalled TCPIP using modified inf file



None of the posts I can find actually say what the RDR device driver is or where it is found.  
Although the workstation lists no dependancy it seems to have one for this driver.  
Does anyone know what it actually is or have an idea why it would work for the server service and not the workstation service?
Any ideas as to what the actual files or registry entries involved are so that I can compare them to a working system?

Regards
Mike Hughes
0
entcomp
Asked:
entcomp
  • 3
  • 2
  • 2
  • +1
1 Solution
 
Purple_TidderCommented:
This isn't an answer but probably a good troubleshooting step if you have the hardware.  Have you removed/disabled the NIC and installed a different one?  If the same behavior is exhibited I guess you'll need to continue troubleshooting.  If the problem goes away it's definitely NIC or driver related.  Typically when I've seen this a newer/older driver fixes the problem.

Have you by chance installed any network drivers from windows update?  This has happened to me a few times where windows update thought it had a better driver and ended up killing random things.
0
 
Em ManCommented:
are there any logs after you execute the sfc /scannow  ?
0
 
Purple_TidderCommented:
Here's an interesting solution.  It may not have the same cause as your problem but the answer could very well be the same.

http://www.jasonhartman.net/2005/01/problem-starting-server-and.html
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
Em ManCommented:
expand d:\i386\mup.sy_ c:\windows\system32\drivers
expand d:\i386\mup.sy_ c:\windows\system32\dllcache
0
 
johnb6767Commented:
"None of the posts I can find actually say what the RDR device driver is or where it is found.  "

I would check here.....

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rdr   (educated guess only).....

And you are 100% certain this is not RDPDR? Sorry, have to ask....

Also, use this method to look under Non Plug and Play Drivers in the Device Manager, to see if it is present.....

Device Manager Does Not Display Devices Not Currently Present in Windows 2000
http://support.microsoft.com/kb/241257

Ignore the Win2K title, still works.....




0
 
johnb6767Commented:
Also, have you removed and reinstalled both the "Client for MS Networks" and "File and Printer Sharing" from the Network Connection? Uninstall them both, reboot, and reinstall them to see if they rebuild....

Make sure you have a local account, as the Netlogon service will not be running, and might not be able to logon to the domain (maybe a cached profile might work?)
0
 
entcompAuthor Commented:
OK I got this fixed and wanted to reply to the suggestions as well as what I finally found.

" Have you removed/disabled the NIC and installed a different one? "
Yes but it had no effect on the problem.

"are there any logs after you execute the sfc /scannow  ? "
Not that I could find - the system is XP and the log file showed up in vista.  In light of the fix below you have to suspect that it missed the file.

"Here's an interesting solution.  It may not have the same cause as your problem but the answer could very well be the same."
No duplicated names.

"expand d:\i386\mup.sy_ c:\windows\system32\drivers
expand d:\i386\mup.sy_ c:\windows\system32\dllcache "
Tried with no effect.

"I would check here.....
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rdr   (educated guess only)....."
Would make perfect sense except for the fact that this key does not exist in the registry.

"Also, have you removed and reinstalled both the "Client for MS Networks" and "File and Printer Sharing" from the Network Connection? Uninstall them both, reboot, and reinstall them to see if they rebuild...."
This did not fix the problem but it did finally point out the real cause.  When I removed both at the same time and rebooted I still have problem but I had one new entry in the event log.  After reinstalling the client I started to get an error message that the MRxSMB service could not be started.
When I went looking I found the mrxsmb.sys gone from the \system32\driver dircetory.  I replaced it from the service pack file store and after a reboot I finally had the workstation service started.

My best guess is that some sort of interaction between a malware attack and the anti-virus resulted the missing file and somehow also not creating an error message for the file.  Resetting the client got it looking for the file correctly again and coughed up the event log entry for the actual problem.

If I recall correctly there is more than one hack that targets that file and in this case must have included some sort of change that hid the trail.

Thanks for all the help









0
 
entcompAuthor Commented:
Made a detailed post as to what the root cause was
0
 
Purple_TidderCommented:
Wow, very nice solution indeed.
0

Featured Post

Prep for the ITIL® Foundation Certification Exam

December’s Course of the Month is now available! Enroll to learn ITIL® Foundation best practices for delivering IT services effectively and efficiently.

  • 3
  • 2
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now