Hey guys, I have a weird problem since upgrading my Win7 to SP1... some .sys files (drivers in my \windows\system32\drivers folder) appear with the wrong info in the "File description" and "Copyright" fields (in the Properties view). It has the right CRC/MD5 (I hashed it against a known-valid one) and the "File version" is right too. But the File description and Copyright are picking up values from a DIFFERENT file. It's crazy. E.g. my "serial.sys" is picking up strings from "BrSerId.sys" -- it says "Brotehr Serial I/F Driver (WDM)" for description. YES, that's how they spelled "Brother" -- it looks like whoever made the .mui file was high on heroin at the time. Don't believe me? Then check your "BrSerId.sys" file. I thought that it might be $MFT corruption on my filesystem, but I've chkdsk'ed several times and everything comes up clean. Weird thing is, if I boot into SAFE MODE it doesn't happen, so it kind of seems like a bad driver or shell extension causing it. Strangest damn thing I've ever seen, really. I think something might be borked with my MUI Cache. Not sure how to rebuild that one though, and all the .sys.mui files are locked up tight, owned by TrustedInstaller. Anyone else seeing anything like this? I'd post a screenshot but I don't have 20 posts yet.
Man, this is driving me up the friggin' wall. I can't figure this out; now I'm worried I got a rootkit or something. When I boot in safe mode the file descriptions are fine. But if I boot "normal" the description is messed up. I even tried msconfig and disabled ALL drivers & services, and it still comes up bogus. This is the damndest thing I've ever seen.
I think that the wrong localization resource (from "C:\Windows\System32\drivers\en-US\serial.sys.mui") is being cross-linked with the Brother serial I/F driver ("C:\Windows\System32\drivers\en-US\BrSerId.sys.mui") somehow. Why? Who knows. Also, again, this doesn't happen in a safe-mode boot. I think I'm going to send this to Mark Russinovich for a "Case of the unexplained..."; hopefully he can figure it out. I noted another driver pair that is showing this behavior: ohci1394.sys & 1394ohci.sys. Is anyone else seeing this, or am I the only one?
Same issue for me, luckman212. I'm experiencing the *exact* same issues as you are, with the same two sets of files. Your post is the only other occurrence I've found. I noticed it by running SysInternals AutoRuns. The strange thing is it occurred soon after applying Win7 SP1, but not *immediately* after. If I load my post-SP1 AutoRuns list, it displays properly, but the list one week later displays "serial" and "1394ohci" as you described, and these were the only changes on the listing. The crazy "Brotehr" description for "serial.sys" jumped out as very strange, and the files themselves are binary-identical to the backup set I made prior to applying SP1. If you do figure this one out, please post! Additionally, I've noticed that trying to get the Properties from any item on the AutoRuns list results in a "Not Responding" from AutoRuns, from which I have to kill the process. Everything else functions OK, including "jumping" to the registry settings. I don't know when this faulty behavior began, but just noticed it while trying to resolve the "Brotehr" weirdness. AutoRuns had previously worked fully in Win 7 at some point in the past, so something is tripping it up. (Nothing for AutoRuns shows in SysInternals Process Monitor after AutoRuns stops responding, so no clues whether it's related to disk or registry or app.) The Windows\winsxs directory, with all its backup DLLs, is slow to expand in Explorer after SP1, probably thanks to the massive number of files/folders SP1 added to my x64 system. I'm going to use DISM or Disk Cleanup to reclaim the space & reduce the numbers for this directory, & hope that may help. Otherwise, everything post-SP1 seems to have remained stable. Good Luck!
More info... Impressive tracking, Luckman! I tried the following on my quadcore x64 Home Premium system, to no avail:

- Logged in as a different user (admin)
- chkdsk/defrag during boot (no issues)
- sfc /SCANNOW (all fine)
- used DISM to reclaim my SP1 rollback resources (cleaned up 17,000+ files, 3700+ folders & 4+GB space, primarily from winsxs!)
- copied serial.sys to another location & renamed the file (version properties the same, even from old backup copies in different locations)
- Yes, I do use VMware, although it's Server rather than WS. I checked the version info of serial.sys copied to a virtual XP session, and of course it properly displays the Description there as "Serial Device Driver". The only version info difference is the Description which, as you tracked down, seems to use the MUI to display various languages - incorrectly in US English after SP1.
- Functionally, I don't notice anything unusual & I do use Firewire/1394.
- for HKLM\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings, I have only 1 value: REG_DWORD StringCacheGeneration = 0x00000112
- I do have another driver file named BrSerId.sys that has that same "Brotehr" typo Description before & after SP1, same date as serial.sys. That it's labeled as part of the Windows OS build doesn't give you the warm & fuzzies about Brother Industries or MS quality assurance, ha, ha.

I'd expect that it's only the MUI translated File Description that's "off", and functionally it's fine, in which case the only people that would notice would be the type to use such tools as AutoRuns to check for changes. Of course when highlighted as a change, the "Brotehr" typo in the file description for a MS driver immediately jumps out. Hopefully the cause of the "break" doesn't ripple down or break anything else, but when things point to the wrong place bad things can happen.
Interesting... The SysInternals SigCheck utility is revealing on these drivers. Try the following, for instance:

sigcheck -q -a -i C:\Windows\system32\drivers\serial.sys

returns:

-----------
Catalog: C:\Windows\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Common-Drivers-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat
Signers: Microsoft Windows
         Microsoft Windows Verification PCA
         Microsoft Root Certificate Authority
Signing date: 2:37 pm 11/20/10
Publisher: Brother Industries Ltd.
Description: Brotehr Serial I/F Driver (WDM)
Product: Microsoft® Windows® Operating System
Version: 1.0.0.0,2006
File version: 1.0.1.6 (vbl_wcp_d2_drivers.060801-2007)
Strong Name: Unsigned
Original Name: brserid.sys.mui
Internal Name: brserid.sys
Copyright: Copyright (C) Brother Industries Ltd.1997-2006
Comments: n/a
-----------

Seems like this utility has been redirected to "brserid.sys". If apps are directed to the wrong driver in more than just file description, again, bad things might happen.
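The sigcheck output above already contains the tell: the version resource reports an Original Name (brserid.sys.mui) that does not belong to the file on disk. As an added example (not code from this thread), the PowerShell script below sweeps the drivers folder for that same mismatch, and for each hit records the signature status, the SHA-256 (the thread notes the bytes themselves are intact, so a hash lets you compare against a known-good copy) and whether a .mui for the current UI language exists beside the driver. It assumes the default driver path and that the .NET version-info call goes through the same MUI lookup as Explorer and sigcheck, so a cross-linked .mui shows up here too.

```powershell
# Added example: flag drivers whose version resource names a different file
# than the one on disk (e.g. serial.sys reporting brserid.sys.mui).
# Run from an elevated PowerShell in a normal boot, then again in safe mode,
# and compare the two outputs; the thread reports the mismatch only in normal boot.
param(
    [string]$DriverDir = "$env:SystemRoot\System32\drivers"   # assumed default
)

function Get-DriverResourceMismatch {
    param([string]$Path)
    $uiLang = (Get-UICulture).Name   # e.g. en-US, the folder holding the .mui files
    Get-ChildItem -Path $Path -Filter '*.sys' -File | ForEach-Object {
        # GetVersionInfo resolves the language-specific (.mui) string table,
        # which is exactly the lookup that is misdirected here.
        $info = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($_.FullName)
        # A correctly resolved resource reports "serial.sys.mui" for serial.sys,
        # so strip a trailing .mui before comparing (comparison is case-insensitive).
        $orig = $info.OriginalFilename -replace '\.mui$', ''
        if ($orig -and $orig -ne $_.Name -and $orig -ne $_.BaseName) {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File         = $_.Name
                OriginalName = $info.OriginalFilename
                Description  = $info.FileDescription
                Company      = $info.CompanyName
                Signature    = $sig.Status   # Valid covers embedded and catalog signatures
                SHA256       = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
                MuiOnDisk    = Test-Path (Join-Path $_.DirectoryName "$uiLang\$($_.Name).mui")
            }
        }
    }
}

Get-DriverResourceMismatch -Path $DriverDir | Format-Table -AutoSize
```

A mismatch is a lead, not proof of tampering: some renamed OEM drivers legitimately carry a different OriginalFilename, so weigh it together with the signature status and a hash comparison against a known-good copy.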
Resolved! NOT... For me, RESOLVED with today's post-SP1 Windows Update which installed KB2505438, "Slow performance in applications that use the DirectWrite API on a computer that is running Windows 7 or Windows Server 2008 R2", involving the FontCache. No more misdirection on the File Description. Ironically, the Windows Update link for "More information" on this KB provided a misspelled URL, containing "micrososft", that misdirected some to completely unrelated sites, ha, ha. You can't make this stuff up! Edit 9-Mar-11: Oops, the "fix" was only temporary. It's back to "misdirected" again!@#$%.
Posted too soon... Sorry Luckman, I posted "resolved" too soon. It appears the "fix" was only temporary, similar to when you added a new language pack. Back to being misdirected, about a day later. Oh well...