LinuxIsTheCancer
Guest
I found a serious BUG which affects a wide range of Windows systems, from Vista to 10, including Windows Server.
I've found that the standard "defrag.exe" can cause file corruption under some circumstances.
The mentioned file corruption can happen during automatic maintenance (which compresses some files with NTFS compression and runs defrag.exe) and scheduled/manual defragmentation on system volumes with compressed (NTFS compression) files.
During investigation I've found some interesting facts:
- The file corruption always happens with compressed (NTFS compression) files hardlinked to the WinSxS file repository
- The file corruption always happens only with some specific files
- These specific files should be fragmented (NTFS compression causes file fragmentation)
- The file corruption does not change the file size
- The file corruption always resides at the end of the file; it looks like the data at the end of the corrupted files is just overwritten with some garbage
- The data written by the "defrag.exe" to the end of each corrupted file is random, but the data pattern is the same for each particular file
On my test system (Windows 8.1 Enterprise with Update) only these files were corrupted by the "defrag.exe":
SHA1 checksum before defragmentation:
Code:
25afca7b7d459eae47359691c7f54133d79b3892 *Windows\System32\DriverStore\FileRepository\prncacla.inf_amd64_19fbb18075fefb90\Amd64\CNBJ2530.DPB
25afca7b7d459eae47359691c7f54133d79b3892 *Windows\WinSxS\amd64_prncacla.inf_31bf3856ad364e35_6.3.9600.17415_none_95dd5540d57f8c01\Amd64\CNBJ2530.DPB
f97cea19c3dd45ff153d88fc6852172d4750c178 *Windows\System32\NL7Models0404.dll
f97cea19c3dd45ff153d88fc6852172d4750c178 *Windows\WinSxS\amd64_microsoft-windows-w..chinese_traditional_31bf3856ad364e35_6.3.9600.16384_none_da1970df8c4dae3f\NL7Models0404.dll
60a7c773083b2f39a7564d6d2e78f0c73a339739 *Windows\SysWOW64\NlsData0414.dll
60a7c773083b2f39a7564d6d2e78f0c73a339739 *Windows\WinSxS\x86_microsoft-windows-naturallanguage6-0414_31bf3856ad364e35_6.3.9600.17415_none_d48386f27bb83f5d\NlsData0414.dll
e2de8a477c4cf0ee859b23e961b2cf3b981c2283 *Windows\SysWOW64\wbemcomn.dll
e2de8a477c4cf0ee859b23e961b2cf3b981c2283 *Windows\WinSxS\wow64_microsoft-windows-wmi-core-wbemcomn-dll_31bf3856ad364e35_6.3.9600.17415_none_fedad3362b50a192\wbemcomn.dll
1155fcc96a4b690fde73ee949abd5a467b5fcc97 *Windows\WinSxS\x86_microsoft-windows-store-runtime_31bf3856ad364e35_6.3.9600.17415_none_85d0e5ba5abd52cc\WSShared.dll
SHA1 checksum after defragmentation:
Code:
ef3e85c9217f063f34f641185dc581f3e10977df *Windows\System32\DriverStore\FileRepository\prncacla.inf_amd64_19fbb18075fefb90\Amd64\CNBJ2530.DPB
ef3e85c9217f063f34f641185dc581f3e10977df *Windows\WinSxS\amd64_prncacla.inf_31bf3856ad364e35_6.3.9600.17415_none_95dd5540d57f8c01\Amd64\CNBJ2530.DPB
0f7dda1fdf64a56e94fccede01c8f281e27e9f26 *Windows\System32\NL7Models0404.dll
0f7dda1fdf64a56e94fccede01c8f281e27e9f26 *Windows\WinSxS\amd64_microsoft-windows-w..chinese_traditional_31bf3856ad364e35_6.3.9600.16384_none_da1970df8c4dae3f\NL7Models0404.dll
b90e6467ac4e45b63afe16288051135a84531d43 *Windows\SysWOW64\NlsData0414.dll
b90e6467ac4e45b63afe16288051135a84531d43 *Windows\WinSxS\x86_microsoft-windows-naturallanguage6-0414_31bf3856ad364e35_6.3.9600.17415_none_d48386f27bb83f5d\NlsData0414.dll
384cd54e920ae6c41f8937f7419a07621cdc7fdc *Windows\SysWOW64\wbemcomn.dll
384cd54e920ae6c41f8937f7419a07621cdc7fdc *Windows\WinSxS\wow64_microsoft-windows-wmi-core-wbemcomn-dll_31bf3856ad364e35_6.3.9600.17415_none_fedad3362b50a192\wbemcomn.dll
8fe2945539080bc6e1b29849ca10baf6a318a905 *Windows\WinSxS\x86_microsoft-windows-store-runtime_31bf3856ad364e35_6.3.9600.17415_none_85d0e5ba5abd52cc\WSShared.dll
Checksums of corrupted files can vary due to the random nature of corruption.
Batch file to reproduce the file corruption (should run under the SYSTEM account):
Code:
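@echo off
rem Baseline integrity check before anything is changed
sfc /verifyonly
rem Apply NTFS compression to the affected files and their WinSxS hardlinks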
compact /C /A "C:\Windows\System32\DriverStore\FileRepository\prncacla.inf_amd64_19fbb18075fefb90\Amd64\CNBJ2530.DPB"
compact /C /A "C:\Windows\WinSxS\amd64_prncacla.inf_31bf3856ad364e35_6.3.9600.17415_none_95dd5540d57f8c01\Amd64\CNBJ2530.DPB"
compact /C /A "C:\Windows\System32\NL7Models0404.dll"
compact /C /A "C:\Windows\WinSxS\amd64_microsoft-windows-w..chinese_traditional_31bf3856ad364e35_6.3.9600.16384_none_da1970df8c4dae3f\NL7Models0404.dll"
compact /C /A "C:\Windows\SysWOW64\NlsData0414.dll"
compact /C /A "C:\Windows\WinSxS\x86_microsoft-windows-naturallanguage6-0414_31bf3856ad364e35_6.3.9600.17415_none_d48386f27bb83f5d\NlsData0414.dll"
compact /C /A "C:\Windows\SysWOW64\wbemcomn.dll"
compact /C /A "C:\Windows\WinSxS\wow64_microsoft-windows-wmi-core-wbemcomn-dll_31bf3856ad364e35_6.3.9600.17415_none_fedad3362b50a192\wbemcomn.dll"
compact /C /A "C:\Windows\WinSxS\x86_microsoft-windows-store-runtime_31bf3856ad364e35_6.3.9600.17415_none_85d0e5ba5abd52cc\WSShared.dll"
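rem Verify integrity after compression, before defragmentation
sfc /verifyonly
rem Defragment the system volume (/V verbose output, /H normal priority)
defrag.exe C: /V /H
rem Verify again; hash mismatches are reported in CBS.log
sfc /verifyonly
pause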
When the batch file has finished, the report about corrupted files can be found in the "C:\Windows\Logs\CBS\CBS.log" file.
I tested this batch file on a clean installed system (Windows 8.1 Enterprise with Update) and in most cases the files "CNBJ2530.DPB" and "wbemcomn.dll" become corrupted with a "hash mismatch" error in CBS.log.
Compare contents of good and corrupted files:
Thread about "CNBJ2530.DPB" file corruption on sysnative.com:
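Added example (not part of the original post): a way to check a volume for this failure pattern by comparing SHA1 manifests taken before and after defragmentation, then locating the damaged region in a suspect file against a known-good copy. The function names, the `example.dll` entry and the byte buffers are constructed for illustration; the two `wbemcomn.dll` hashes are the ones listed above.

```python
def parse_manifest(text):
    """Parse sha1sum-style lines ('<hash> *<path>') into {path: hash}."""
    entries = {}
    for line in text.splitlines():
        if line.strip():
            digest, path = line.split(None, 1)
            entries[path.lstrip("*").strip()] = digest.lower()
    return entries

def changed_files(before, after):
    """Paths present in both manifests whose hash differs."""
    return sorted(p for p in before if p in after and before[p] != after[p])

def describe_damage(good, bad):
    """Compare a known-good copy with a suspect copy of the same file."""
    if len(good) != len(bad):
        return {"same_size": False}
    diffs = [i for i, (a, b) in enumerate(zip(good, bad)) if a != b]
    if not diffs:
        return {"same_size": True, "first_diff": None}
    # Everything before first_diff is intact; the post reports that the
    # damage sits at the end of the file and leaves the size unchanged.
    return {"same_size": True, "first_diff": diffs[0],
            "last_diff": diffs[-1], "tail_bytes": len(good) - diffs[0]}

# wbemcomn.dll hashes are from the post; example.dll is a constructed entry.
BEFORE = r"""
e2de8a477c4cf0ee859b23e961b2cf3b981c2283 *Windows\SysWOW64\wbemcomn.dll
0000000000000000000000000000000000000000 *Windows\System32\example.dll
"""
AFTER = r"""
384cd54e920ae6c41f8937f7419a07621cdc7fdc *Windows\SysWOW64\wbemcomn.dll
0000000000000000000000000000000000000000 *Windows\System32\example.dll
"""

# Constructed buffers: 4096 bytes with the last 96 bytes overwritten.
GOOD = bytes(range(256)) * 16
BAD = GOOD[:4000] + bytes(b ^ 0xFF for b in GOOD[4000:])

if __name__ == "__main__":
    print(changed_files(parse_manifest(BEFORE), parse_manifest(AFTER)))
    print(describe_damage(GOOD, BAD))
```

On a real system the manifests would come from hashing the files before and after the defragmentation run, and the good copy from installation media or an unaffected machine.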