Correcting a specific SMB signature bug in Windows 2000

Windows 2000 contains a bug that can cause your users to encounter errors when they save files. Service Pack 3 doesn't fix this bug, but here's what you can do about it.

A bug in all editions of Windows 2000 can affect your users when they attempt to save a file to the server. The fix for this bug is not included in the latest service pack—Service Pack 3—so it is important to know what to do to correct the problem.

Specifically, the bug can create a situation in which a user is unable to save a file because of an error in the way that the SMB (Server Message Block) signature is calculated by the server or workstation. Fortunately, this potential problem has a workaround that can be easily implemented, but it is at the cost of security. Here’s how you can squash this bug.

The message
When users encounter this bug, the following error message is displayed.
{Delayed Write Failed}
Windows was unable to save all the data for the file {file}.
The data has been lost.
This error may be caused by a failure of your computer hardware or network connection. Please try to save this file elsewhere.

Check the event log
When this error occurs, Microsoft recommends that you check the event log for a specific message. Look for an event that has an event ID of 50 with a source of MrxSMB. Open it and look for the status. If the status code is c0000022, which translates to STATUS_ACCESS_DENIED, you are almost certainly encountering this bug.

Working around the problem
Until you are able to obtain a permanent fix, you can work around the problem by making a single modification to the registry. Before you make this change, you should be aware that there could be major security implications related to this workaround. Since the problem has to do with the signature on an SMB packet, disabling SMB signatures will correct the problem.

A word of caution
This Daily Feature describes how to make changes to your server's registry. Make sure you have complete backups of your server before doing anything suggested in this article. If you make a mistake when making changes to your server's registry, you may cause your server to be unbootable, requiring a reinstallation of Windows. Proceed with extreme caution.

However, disabling SMB signatures also leaves you open to certain types of attacks—most notably a man-in-the-middle attack, which can be accomplished by modifying the contents of an SMB packet during transmission between a client and the server. With SMB signatures in place and working, these types of attacks are avoided because of the signing process. That said, if you are suffering from this problem, you will have to decide to make the trade-off between security and functionality until you can put a permanent solution into place.
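The following is an added example, not code from the original article or from Microsoft. It is a simplified model of the SMB1 signing scheme as documented in MS-CIFS (MD5 over the session MAC key and the message, truncated to 8 bytes and stored in the header), showing why a packet altered in transit fails verification. The key, the message layout and the function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

SIG_OFFSET, SIG_LEN = 14, 8   # SecuritySignature field in the 32-byte SMB1 header


def _digest(mac_key: bytes, message: bytes, seq: int) -> bytes:
    """MD5(mac_key || message with the sequence number in the signature field)[:8]."""
    staged = bytearray(message)
    staged[SIG_OFFSET:SIG_OFFSET + SIG_LEN] = struct.pack("<I4x", seq)
    return hashlib.md5(mac_key + bytes(staged)).digest()[:SIG_LEN]


def sign(mac_key: bytes, message: bytes, seq: int) -> bytes:
    """Return the message with its signature field filled in."""
    signed = bytearray(message)
    signed[SIG_OFFSET:SIG_OFFSET + SIG_LEN] = _digest(mac_key, message, seq)
    return bytes(signed)


def verify(mac_key: bytes, message: bytes, seq: int) -> bool:
    """Recompute the signature the way the receiver does and compare."""
    received = message[SIG_OFFSET:SIG_OFFSET + SIG_LEN]
    return hmac.compare_digest(received, _digest(mac_key, message, seq))


def build_write(payload: bytes) -> bytes:
    """Constructed, simplified write request: 32-byte header followed by the data."""
    header = b"\xffSMB" + bytes([0x2F]) + bytes(27)   # 0x2F = SMB_COM_WRITE_ANDX
    return header + payload


MAC_KEY = bytes(range(16))   # constructed key; a real one is derived at session setup
original = sign(MAC_KEY, build_write(b"quarterly totals: 1000"), seq=2)
tampered = original[:-4] + b"9999"   # data changed in transit, signature left as sent

if __name__ == "__main__":
    print("original verifies:", verify(MAC_KEY, original, 2))
    print("tampered verifies:", verify(MAC_KEY, tampered, 2))
    print("wrong sequence   :", verify(MAC_KEY, original, 4))
```

The receiver cannot tell a miscalculated signature from a modified packet: both fail the same comparison and the request is rejected. With signing disabled no such check is made, so the altered write would be accepted.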

To disable SMB signatures, start Regedit. Browse to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lanmanserver\parameters and look for the enablesecuritysignature value. Double-click the value name and change its data from 1 to 0, as shown in Figure A.

Figure A
Changing the value of enablesecuritysignature will disable SMB signatures.

A permanent secure fix
If you find yourself requiring signed SMB packets and encountering this error, your only recourse is to contact Microsoft technical support to obtain the hot fix. Unfortunately, this is the only way to permanently fix the problem while not weakening security. Before you call, make sure that you are positive that this is the problem you are encountering, or you will likely face support fees from the Microsoft help line. The Knowledge Base article associated with this error is 321733. Microsoft has indicated that this fix will be a part of a future service pack. It is currently listed as a “post-SP3 hotfix.”
