MS Hotfix: Fixes 3 FileSystem Filter limit

Discussion in 'other security issues & news' started by Bill Stout, May 7, 2007.

Thread Status:
Not open for further replies.
  1. Bill Stout

    Bill Stout Registered Member

    Oct 14, 2004
    Mountain View, CA

    I'm no longer at GreenBorder, but one hotfix discovery might be helpful to some of you running multiple security products.

    During compatibility testing we found that XP and 2003 can handle up to three file-system filter drivers. AV software packages can contain more than one filter driver. Adding just one more security product can cause odd behavior.

    File system drivers operate in the kernel. One symptom of loading too many file-system filters is that the system becomes extremely slow, eventually such that you can watch the screen draw of individual screen objects. The task manager does not show that the kernel is waiting (CPU and memory utilization look good). This may be concurrent with file system corruption; data may be written to non-data areas of a partition.

    Another symptom is that writing to a DFS share (e.g., filename change or write file), for example, can cause an immediate BSOD.

    MS KB906866 - Sep 22, 2006, describes the problem as related to DFS, and a hotfix that you have to request from Microsoft. This hotfix will be included in Service Pack 3 which should be out before Summer.

    "STOP 0x00000035 NO_MORE_IRP_STACK_LOCATIONS"..."the Mup.sys driver assumes that there must be no more than three file-system filter drivers running at the same time. The Mup.sys driver handles Distributed File System (DFS) file I/O requests. If there are four or more file system filter drivers, the I/O request packet (IRP) location buffer that is pre-allocated by Mup.sys will overflow. When this occurs, you receive the Stop error that is described in the Symptoms section."

    This is a two-part hotfix: the first part is to add a registry value, the second is to run an executable (not downloadable from Microsoft). The registry portion is to add a DWORD value of DfsIrpStackSize with a decimal value of '10' to this location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mup\Parameters. To obtain the hotfix you have to call Microsoft (800) MICROSOFT (642-7676).

    Hope this helps...

    Bill Stout
    Last edited: May 9, 2007
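An added example, not part of the original post or of Microsoft's hotfix: a read-only PowerShell audit that counts enabled file-system filter drivers and reports whether the DfsIrpStackSize value named in the post is present. It assumes filter drivers can be recognised by a load-order group beginning with "FSFilter", which older legacy filters may not use, so the count is a lower bound; the function names are hypothetical.

```powershell
# Added example (read-only): checks for the condition described in the post.
# Assumption: filter drivers are identified by a load-order Group that starts
# with "FSFilter"; legacy filters registered under other groups are not counted.
$services  = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$mupParams = Join-Path $services 'Mup\Parameters'

function Get-FsFilterDriver {
    Get-ChildItem $services -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        # Start = 4 means the service is disabled, so it never loads.
        if ($p -and $p.Group -like 'FSFilter*' -and $p.Start -ne 4) {
            New-Object PSObject -Property @{
                Name  = $_.PSChildName
                Group = $p.Group
                Start = $p.Start
            }
        }
    }
}

function Get-DfsIrpStackSize {
    # Returns the DWORD value if present, otherwise $null.
    $p = Get-ItemProperty -Path $mupParams -Name DfsIrpStackSize `
                          -ErrorAction SilentlyContinue
    if ($p) { $p.DfsIrpStackSize } else { $null }
}

$filters   = @(Get-FsFilterDriver)
$stackSize = Get-DfsIrpStackSize

$filters | Sort-Object Group, Name | Format-Table Name, Group, Start -AutoSize
"Enabled file-system filter drivers found: $($filters.Count)"

if ($null -eq $stackSize) {
    "DfsIrpStackSize: not set"
} else {
    "DfsIrpStackSize: $stackSize (the post gives decimal 10)"
}

# The post quotes the KB: four or more filter drivers overflow the IRP stack
# locations that Mup.sys pre-allocates for DFS I/O.
if ($filters.Count -ge 4 -and $null -eq $stackSize) {
    Write-Warning "Four or more filter drivers and no DfsIrpStackSize value: this matches the condition described in KB906866."
}
```

The script only reads the registry; per the post, the registry value is one half of the fix and the hotfix executable is still required.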