mui cache corrupt? wrong File description showing up for serial.sys

Discussion in 'Windows 7' started by luckman212, Feb 17, 2011.

  1. luckman212

    luckman212 MDL Novice

    Sep 25, 2008
    33
    3
    0
    hey guys, I have a weird problem since upgrading my win7 to sp1.... some .sys files (drivers in my \windows\system32\drivers folder) appear with the wrong info in the "File description" and "Copyright" fields (in the Properties view). It has the right CRC/MD5 (I hashed it against a known-valid one) and the "File version" is right too. But the File description and Copyright are picking up values from a DIFFERENT file. it's crazy.

    e.g. my "serial.sys" is picking up strings from "BrSerId.sys" -- it says "Brotehr Serial I/F Driver (WDM)" for description. YES that's how they spelled "Brother" -- it looks like whoever made the .mui file was high on heroin at the time. Don't believe me? Then check your "BrSerId.sys" file.

    I thought that it might be $MFT corruption on my filesystem, but I've chkdsk'ed several times and everything comes up clean. Weird thing is, if I boot into SAFE MODE it doesn't happen. so kind of seems like a bad driver or shell ex causing it. Strangest damn thing I've ever seen really. I think something might be borked with my MUI Cache. not sure how to rebuild that one though, and all the .sys.mui files are locked up tight, owned by TrustedInstaller.

    Anyone else seeing anything like this? I'd post a screenshot but I don't have 20 posts yet.
     
  2. luckman212

    luckman212 MDL Novice

    Sep 25, 2008
    33
    3
    0
    Man, this is driving me up the friggin wall. I can't figure this out, now I'm worried I got a rootkit or something. When I boot in safe mode the file descriptions are fine. But if I boot "normal" the description is messed up. I even tried msconfig and disabled ALL drivers & services, and it still comes up bogus. This is the damndest thing I've ever seen.
     
  3. luckman212

    luckman212 MDL Novice

    Sep 25, 2008
    33
    3
    0
    I think that the wrong localization resource (from "C:\Windows\System32\drivers\en-US\serial.sys.mui") is being cross-linked with the Brother serial I/F driver ("C:\Windows\System32\drivers\en-US\BrSerId.sys.mui") somehow. Why? Who knows. Also, again this doesn't happen in safe-mode boot. I think I'm going to send this to Mark Russinovich for a "Case of the unexplained..." hopefully he can figure it out.

    I noted another driver pair that is showing this behavior:

    ohci1394.sys & 1394ohci.sys

    Is anyone else seeing this or am I the only one?
     
  4. Myrrh

    Myrrh MDL Expert

    Nov 26, 2008
    1,401
    500
    60
    have you tried chkdsk /f and see what it finds?
     
  5. luckman212

    luckman212 MDL Novice

    Sep 25, 2008
    33
    3
    0
    yeah... was one of the 1st things I did (see first post). this is a crazy one.
     
  6. HobNob

    HobNob MDL Novice

    Mar 4, 2011
    5
    0
    0
    Same issue for me


    luckman212,

    I'm experiencing the *exact* same issues as you are, with the same two sets of files. Your post is the only other occurrence I've found. I noticed it by running SysInternals AutoRuns. The strange thing is it occurred soon after applying Win7 SP1, but not *immediately* after. If I load my post SP1 AutoRuns list, it displays properly, but the list one week later displays "serial" and "1394ohci" as you described and these were the only changes on the listing. The crazy "Brotehr" description for "serial.sys" jumped out as very strange, and the files themselves are binary-identical to the backup set I made prior to applying SP1.

    If you do figure this one out, please post! Additionally, I've noticed that trying to get the Properties from any item on the AutoRuns list results in a "Not Responding" from AutoRuns, from which I have to kill the process. Everything else functions OK, including "jumping" to the registry settings. I don't know when this faulty behavior began, but just noticed it while trying to resolve the "Brotehr" weirdness. AutoRuns had previously worked fully in Win 7 at some point in the past, so something is tripping it up. (Nothing for AutoRuns shows in SysInternals Process Monitor after AutoRuns stops responding, so no clues whether it's related to disk or registry or app.)

    The Windows\winsxs directory, with all its backup dlls is slow to expand in Explorer after SP1, probably thanks to the massive number of files/folders SP1 added to my x64 system. I'm going to use DISM or Disk Cleanup to reclaim the space & reduce the numbers for this directory, & hope that may help. Otherwise, everything post SP1 seems to have remained stable.

    Good Luck!
     
  7. HobNob

    HobNob MDL Novice

    Mar 4, 2011
    5
    0
    0
    More info...

    Impressive tracking, Luckman! I tried the following on my quadcore x64 Home Premium system, to no avail:

    - Logged in as a different user (admin)
    - chkdsk/defrag during boot (no issues)
    - sfc /SCANNOW (all fine)
    - used DISM to reclaim my SP1 rollback resources (cleaned up 17,000+ files, 3700+ folders & 4+GB space, primarily from winsxs!)
    - copied serial.sys to another location & renamed the file (version properties the same, even from old backup copies in different locations)

    - Yes, I do use VMware, although it's Server rather than WS. I checked the version info of serial.sys copied to a virtual XP session, and of course it properly displays the Description there as "Serial Device Driver". The only version info difference is the Description which, as you tracked down, seems to use the MUI to display various languages - incorrectly in US English after SP1.

    - Functionally, I don't notice anything unusual & I do use Firewire/1394.

    - for HKLM\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings, I have only 1 value: REG_DWORD StringCacheGeneration = 0x00000112

    - I do have another driver file named BrSerId.sys that has that same "Brotehr" typo Description before & after SP1, same date as serial.sys. That it's labeled as part of the Windows OS build doesn't give you the warm & fuzzies about Brother Industries or MS quality assurance, ha, ha.

    I'd expect that it's only the MUI translated File Description that's "off", and functionally it's fine in which case the only people that would notice would be the type to use such tools as AutoRuns to check for changes. Of course when highlighted as a change, the "Brotehr" typo in the file description for a MS driver immediately jumps out. Hopefully the cause of the "break" doesn't ripple down or break anything else, but when things point to the wrong place bad things can happen.
     
  8. HobNob

    HobNob MDL Novice

    Mar 4, 2011
    5
    0
    0
    Interesting...

    The SysInternals SigCheck utility is revealing on these drivers. Try the following, for instance:

    sigcheck -q -a -i C:\Windows\system32\drivers\serial.sys

    returns:

    -----------
    Catalog: C:\Windows\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Common-Drivers-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat
    Signers:
    Microsoft Windows
    Microsoft Windows Verification PCA
    Microsoft Root Certificate Authority
    Signing date: 2:37 pm 11/20/10
    Publisher: Brother Industries Ltd.
    Description: Brotehr Serial I/F Driver (WDM)
    Product: Microsoft« Windows« Operating System
    Version: 1.0.0.0,2006
    File version: 1.0.1.6 (vbl_wcp_d2_drivers.060801-2007)
    Strong Name: Unsigned
    Original Name: brserid.sys.mui
    Internal Name: brserid.sys
    Copyright: Copyright (C) Brother Industries Ltd.1997-2006
    Comments: n/a
    -----------

    Seems like this utility has been redirected to "brserid.sys". If apps are directed to the wrong driver in more than just file description, again, bad things might happen.
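    A way to confirm what the sigcheck output above suggests, as an added example that is not from the thread or from Sysinternals: the version-info API (what Explorer and sigcheck use) goes through the MUI resource loader and its string cache, while the companion .mui file and the driver binary itself can be read directly. The script hashes each driver, checks its Authenticode status, and compares the description the loader returns with the description stored in the driver's own `<culture>\<name>.mui`; a good hash and valid signature alongside a mismatched description points at resource lookup, not at a modified driver. It assumes the Windows 7 layout from the thread (drivers in System32\drivers, MUI files in System32\drivers\en-US), the driver names mentioned in the thread as defaults, and PowerShell 3.0 or later for the `[pscustomobject]` syntax.

```powershell
# Added example (not from the thread). Compares MUI-resolved version strings with the
# companion .mui file's own strings, plus hash/signature of the driver binary.
param(
    [string[]]$Drivers = @('serial.sys', 'BrSerId.sys', 'ohci1394.sys', '1394ohci.sys'),
    [string]$Culture   = 'en-US'     # assumption: the culture folder used by the thread's posters
)

$driverDir = Join-Path $env:SystemRoot 'System32\drivers'
$sha256    = [System.Security.Cryptography.SHA256]::Create()

# Generation counter of the MUI string cache (the key post #7 looked at); informational only.
$cacheKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings'
$gen = (Get-ItemProperty -Path $cacheKey -ErrorAction SilentlyContinue).StringCacheGeneration
Write-Host ("StringCacheGeneration = {0}" -f $(if ($null -ne $gen) { '0x{0:X8}' -f $gen } else { '(not present)' }))

foreach ($name in $Drivers) {
    $sys = Join-Path $driverDir $name
    $mui = Join-Path $driverDir "$Culture\$name.mui"
    if (-not (Test-Path -LiteralPath $sys)) { Write-Warning "missing: $sys"; continue }

    # Hash and Authenticode status of the binary; neither depends on the MUI indirection.
    $bytes = [System.IO.File]::ReadAllBytes($sys)
    $hash  = ([System.BitConverter]::ToString($sha256.ComputeHash($bytes))) -replace '-', ''
    $sig   = (Get-AuthenticodeSignature -FilePath $sys).Status

    # Strings as resolved through the MUI loader (what Explorer / sigcheck display).
    $shown = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($sys)

    # Strings read straight from the companion .mui (a resource-only PE, so the same API works).
    $expected = if (Test-Path -LiteralPath $mui) {
        [System.Diagnostics.FileVersionInfo]::GetVersionInfo($mui)
    } else { $null }

    $mismatch = ($null -ne $expected) -and ($shown.FileDescription -ne $expected.FileDescription)

    [pscustomobject]@{
        Driver        = $name
        SHA256        = $hash
        Signature     = $sig                       # expect 'Valid' for an unmodified inbox driver
        ShownDesc     = $shown.FileDescription     # thread case: "Brotehr Serial I/F Driver (WDM)"
        MuiDesc       = if ($expected) { $expected.FileDescription } else { '(no .mui found)' }
        ShownOrigName = $shown.OriginalFilename    # thread case: "brserid.sys.mui" for serial.sys
        Mismatch      = [bool]$mismatch
    }
}
```

    Run it elevated in both a normal and a safe-mode boot; if `Mismatch` flips between the two while `SHA256` and `Signature` stay the same, the difference is in the resource lookup path rather than on disk.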
     
  9. HobNob

    HobNob MDL Novice

    Mar 4, 2011
    5
    0
    0
    #10 HobNob, Mar 8, 2011
    Last edited: Mar 10, 2011
    Resolved! NOT...

    For me, RESOLVED with today's post-SP1 Windows Update which installed KB2505438, "Slow performance in applications that use the DirectWrite API on a computer that is running Windows 7 or Windows Server 2008 R2", involving the FontCache. No more misdirection on the File Description.

    Ironically, the Windows Update link for "More information" on this KB provided a misspelled URL, containing "micrososft", that misdirected some to completely unrelated sites, ha, ha. You can't make this stuff up!



    Edit 9-Mar-11: Oops, the "fix" was only temporary. It's back to "misdirected" again!@#$%.
     
  10. luckman212

    luckman212 MDL Novice

    Sep 25, 2008
    33
    3
    0
    Nice, HobNob! Going to have to check that out for sure.
     
  11. HobNob

    HobNob MDL Novice

    Mar 4, 2011
    5
    0
    0
    Posted too soon...

    Sorry Luckman, I posted "resolved" too soon. It appears the "fix" was only temporary, similar to when you added a new language pack. Back to being misdirected, about a day later. Oh well...
     
  12. luckman212

    luckman212 MDL Novice

    Sep 25, 2008
    33
    3
    0
    I was afraid of that!! The hunt continues...