#StackBounty: #windows-10 #network-shares #crash #windows-server-2016 #random Network drive launched application randomly crashes on Wi…

Bounty: 50

Introduction

On Windows 10 (update 1703 or 1809), applications launched from a network drive crashes after period of 60 to 95 minutes. On Windows 7 applications runs flawlessly.

Symptoms

  • All attempts to launch applications from network drive succeed;
  • All affected 32 bit applications EXE/DLL logged an 0xc0000006 exception on Event Viewer.
  • On 16 bit application (Foxpro 2.6 for MS-DOS), occurs error “Unable to process error” or simply breaks and exits.
  • Once in a while “Fatal error 104 while attempting to report error 104” occured.
  • Failure happens even during continuous usage (no significant inactivity period occurs);
  • Failure only occured on Windows 10 32 bit/64 bit workstations either running Update 1703 or Update 1809. Windows 7 workstations were fine.
  • Gathered analysis points to “safe” random period from 60 to 95 minutes between first launch and break occurs;
  • Using Wireshark, error STATUS_NETWORK_SESSION_EXPIRED is consistently logged at failure ocurrs on some scenarios.
  • If there are several instances, launched at different times, they all fail at the same second;
  • A instance launch from a local drive runs fine even after an eventual fail on network launched instances;
  • All afected sites servers are running on Windows 2016 Server;
  • Network drive is functional after fail;
  • If the application is launch from local drive no problem occurs;
  • Network connectivity never fails (continuous PINGs) before, during or after application breaks;

Tested lab system configurations

  • Windows Server 2016 Essentials (1607)
  • Windows 10 32 bit / 64 bit (update 1703 / 1809)
  • Windows 7 (32 bit only)
  • Cable
  • Switch

Server network configuration

Results of Powershell’s Get-SMBServerConfiguration command:

AnnounceComment                 : 
AnnounceServer                  : False
AsynchronousCredits             : 512
AuditSmb1Access                 : False
AutoDisconnectTimeout           : 999999
AutoShareServer                 : True
AutoShareWorkstation            : True
CachedOpenLimit                 : 10
DurableHandleV2TimeoutInSeconds : 180
EnableAuthenticateUserSharing   : False
EnableDownlevelTimewarp         : False
EnableForcedLogoff              : True
EnableLeasing                   : False
EnableMultiChannel              : True
EnableOplocks                   : True
EnableSecuritySignature         : True
EnableSMB1Protocol              : True
EnableSMB2Protocol              : True
EnableStrictNameChecking        : True
EncryptData                     : False
IrpStackSize                    : 15
KeepAliveTime                   : 2
MaxChannelPerSession            : 32
MaxMpxCount                     : 50
MaxSessionPerConnection         : 16384
MaxThreadsPerQueue              : 20
MaxWorkItems                    : 1
NullSessionPipes                : netlogon,samr,lsarpc
NullSessionShares               : 
OplockBreakWait                 : 35
PendingClientTimeoutInSeconds   : 120
RejectUnencryptedAccess         : True
RequireSecuritySignature        : True
ServerHidden                    : True
Smb2CreditsMax                  : 8192
Smb2CreditsMin                  : 512
SmbServerNameHardeningLevel     : 0
TreatHostAsStableStorage        : False
ValidateAliasNotCircular        : True
ValidateShareScope              : True
ValidateShareScopeNotAliased    : True
ValidateTargetName              : True

Workstation network configuration

Results of Powershell’s Get-SMBClientConfiguration command:

ConnectionCountPerRssNetworkInterface : 4
DirectoryCacheEntriesMax              : 16
DirectoryCacheEntrySizeMax            : 65536
DirectoryCacheLifetime                : 0
DormantFileLimit                      : 1023
EnableBandwidthThrottling             : True
EnableByteRangeLockingOnReadOnlyFiles : True
EnableInsecureGuestLogons             : True
EnableLargeMtu                        : True
EnableLoadBalanceScaleOut             : True
EnableMultiChannel                    : True
EnableSecuritySignature               : False
ExtendedSessionTimeout                : 1000
FileInfoCacheEntriesMax               : 64
FileInfoCacheLifetime                 : 0
FileNotFoundCacheEntriesMax           : 128
FileNotFoundCacheLifetime             : 5
KeepConn                              : 600
MaxCmds                               : 50
MaximumConnectionCountPerServer       : 32
OplocksDisabled                       : False
RequireSecuritySignature              : False
SessionTimeout                        : 60
UseOpportunisticLocking               : False
WindowSizeThreshold                   : 8

What we had already done

  • Checked event viewer, even on SMBCLIENT and SMBSERVER sub-events, but unable to find correlation between events and application failure.
  • Tried enabling SMB1 on both server/workstation followed by a reboot;
  • Tried disabling antivirus (ESET) on both server/workstation followed by a reboot;
  • Disabled powersaving network on both server/workstation followed by a reboot;
  • Disabled autodisconnect (changing it to -1) followed by a reboot;
  • Tried disabling firewall on both server/workstation;
  • Case has been under lab surveilance for weeks with no success.

Is there anyone else facing the symptons and able to provide alternative solutions?

Thanks for you attention


Get this bounty!!!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.