entcomp
Workstation Service will not start
Having a problem that has several posts here and elsewhere on the web, but none of them seem to have a solution that works.
Problem Description.
The workstation service will not start -- the errors in the event log are --
Entry 1-
Event Type: Error
Event Source: Workstation
Event ID: 5727
Description: Could not load RDR device driver.
Data: 0000: 34 00 00 c0 4..A
Entry 2-
Event Type: Error
Event Source: Service Control Manager
Event ID: 7024
Description: The Workstation service terminated with service-specific error 2250.
Since the service is not started this computer cannot see the network shares or other computers in the workgroup.
The Internet connection is fine and working without problems.
The server service is starting and running - other computers on the network can see the PC and its shares.
The other services that will not start are dependent on the workstation service.
The system with the problem is running Windows XP with Service Pack 3 and current updates installed.
The firewall in use is Windows Firewall with sharing enabled - turning it off has no effect on the problem.
Multiple scans for malware report the system is clean and HijackThis does not find anything unusual.
I have tried all the following as suggested in various posts but nothing has fixed the problem.
Run SFC = no problems found
Deinstalled network hardware and reinstalled with new drivers.
Reset TCPIP with netsh
Reset Winsock with netsh
Completely deinstalled and reinstalled TCPIP using modified inf file
None of the posts I can find actually say what the RDR device driver is or where it is found.
Although the workstation lists no dependency it seems to have one for this driver.
Does anyone know what it actually is or have an idea why it would work for the server service and not the workstation service?
Any ideas as to what the actual files or registry entries involved are so that I can compare them to a working system?
Regards
Mike Hughes
are there any logs after you execute the sfc /scannow ?
Here's an interesting solution. It may not have the same cause as your problem but the answer could very well be the same.
http://www.jasonhartman.net/2005/01/problem-starting-server-and.html
expand d:\i386\mup.sy_ c:\windows\system32\drivers
expand d:\i386\mup.sy_ c:\windows\system32\dllcache
"None of the posts I can find actually say what the RDR device driver is or where it is found. "
I would check here.....
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rdr (educated guess only).....
And you are 100% certain this is not RDPDR? Sorry, have to ask....
Also, use this method to look under Non Plug and Play Drivers in the Device Manager, to see if it is present.....
Device Manager Does Not Display Devices Not Currently Present in Windows 2000
http://support.microsoft.com/kb/241257
Ignore the Win2K title, still works.....
ASKER
OK I got this fixed and wanted to reply to the suggestions as well as what I finally found.
" Have you removed/disabled the NIC and installed a different one? "
Yes but it had no effect on the problem.
"are there any logs after you execute the sfc /scannow ? "
Not that I could find - the system is XP and the log file showed up in Vista. In light of the fix below you have to suspect that it missed the file.
"Here's an interesting solution. It may not have the same cause as your problem but the answer could very well be the same."
No duplicated names.
"expand d:\i386\mup.sy_ c:\windows\system32\drivers
expand d:\i386\mup.sy_ c:\windows\system32\dllcache "
Tried with no effect.
"I would check here.....
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rdr (educated guess only)....."
Would make perfect sense except for the fact that this key does not exist in the registry.
"Also, have you removed and reinstalled both the "Client for MS Networks" and "File and Printer Sharing" from the Network Connection? Uninstall them both, reboot, and reinstall them to see if they rebuild...."
This did not fix the problem but it did finally point out the real cause. When I removed both at the same time and rebooted I still had the problem but I had one new entry in the event log. After reinstalling the client I started to get an error message that the MRxSMB service could not be started.
When I went looking I found the mrxsmb.sys gone from the \system32\driver directory. I replaced it from the service pack file store and after a reboot I finally had the workstation service started.
My best guess is that some sort of interaction between a malware attack and the anti-virus resulted in the missing file and somehow also not creating an error message for the file. Resetting the client got it looking for the file correctly again and coughed up the event log entry for the actual problem.
If I recall correctly there is more than one hack that targets that file and in this case must have included some sort of change that hid the trail.
Thanks for all the help
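Added example, not part of the original thread: the `Data:` bytes logged with event 5727, read as a little-endian DWORD, give NTSTATUS 0xC0000034 (STATUS_OBJECT_NAME_NOT_FOUND), which is consistent with the missing mrxsmb.sys found above. The sketch below decodes such a line and checks a Windows directory (live, or a mounted disk image) for the redirector driver files; the function names, the short status table and the inclusion of rdbss.sys are assumptions made for this example.

```python
import os
import re
import struct

# Small subset of NTSTATUS values, enough for this case (not a full table).
NTSTATUS_NAMES = {
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
    0xC000003A: "STATUS_OBJECT_PATH_NOT_FOUND",
    0xC0000022: "STATUS_ACCESS_DENIED",
}
SEVERITY = ["SUCCESS", "INFORMATIONAL", "WARNING", "ERROR"]

# mrxsmb.sys is named in the thread; rdbss.sys is added here (assumption of
# this example) as the XP driver that MRxSmb sits on top of.
REDIRECTOR_DRIVERS = ["mrxsmb.sys", "rdbss.sys"]


def decode_event_data(line):
    """Parse an Event Viewer 'Data:' hex-dump line into an NTSTATUS breakdown."""
    m = re.search(r"[0-9a-fA-F]{4}:((?:\s+[0-9a-fA-F]{2}\b){4})", line)
    if not m:
        raise ValueError("no 4-byte hex dump found")
    raw = bytes(int(b, 16) for b in m.group(1).split())
    (status,) = struct.unpack("<I", raw)  # DWORD is stored little-endian
    return {
        "status": status,
        "severity": SEVERITY[status >> 30],   # top two bits
        "facility": (status >> 16) & 0x0FFF,  # bits 16-27
        "code": status & 0xFFFF,              # low 16 bits
        "name": NTSTATUS_NAMES.get(status, "unknown"),
    }


def missing_drivers(system_root, wanted=REDIRECTOR_DRIVERS):
    """Return the wanted driver files absent from <system_root>/system32/drivers."""
    path = system_root
    for part in ("system32", "drivers"):
        # Case-insensitive walk so a mounted disk image works on any OS.
        match = [e for e in os.listdir(path) if e.lower() == part]
        if not match:
            return list(wanted)
        path = os.path.join(path, match[0])
    present = {e.lower() for e in os.listdir(path)}
    return [d for d in wanted if d not in present]
```

Pointing `missing_drivers` at `C:\WINDOWS` on the affected machine and on a working one gives the file comparison asked for in the question.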
ASKER
Made a detailed post as to what the root cause was
Wow, very nice solution indeed.
Have you by chance installed any network drivers from windows update? This has happened to me a few times where windows update thought it had a better driver and ended up killing random things.