Network Connectivity Problem

Discussion in 'Software' started by georgieb, Jul 1, 2011.

  1. georgieb

    georgieb Private E-2

    Will try to explain this concisely. Lost internet connectivity post a McAfee Security Centre Update (to the latest version 11) over 2 weeks ago….appears to be causing problems for others as well. After some investigation, a Restore & eventually uninstalling & reinstalling McAfee, have re-established connectivity temporarily, i.e. need to re-establish it every day.

    Essentially, once per day, I must uninstall & reinstall my Network Driver. I believe McAfee caused the initial problem but files inherent to my system are causing the ongoing situation. My System is Windows XP Pro-SP3.

    I currently have a Dell Latitude D620 Laptop; it was basically reimaged (restored) from my previous PC (a Dell Inspiron Laptop) 2 years ago, after which necessary Drivers were installed (long story). I believe this is what is causing the ongoing problem as every day the following event occurs:

    Source: Windows File Protection
    File replacement was attempted on the protected system file c:\windows\system32\drivers\b57xp32.sys. This file was restored to the original version to maintain system stability. The file version of the bad file is 8.48.0.0; the version of the system file is 2.16.0.0.


    The above refers to my Broadcom Network Adapter. When it’s working it shows Driver Version 8.48.00 with File Version 216b.00 under Driver File Details. It stops working after the above event & the only option (as update says it’s current) is to uninstall & reinstall. The above event only (but always) occurs once a day & appears to occur after either a McAfee update or Windows Defender (maybe coincidental ?). I can do many shut downs & restarts throughout the day, no problem, this will only occur once.

    Occurrences of this Driver that I could find in the Files are below

    Version 2.16.0 appears in 1) I386\DRIVER.CAB 2) WINDOWS\system32\drivers 3) WINDOWS\Driver Cache
    Version 8.48.0 appears in 1) Program Files\Broadcom\drvinst 2)dell\drivers\R116101.

    None of these appear to change when the above Windows File Protection Action occurs.

    I could use some advice on how best to proceed & into which file I need to get the version 8.48.0 so that Windows File Replacement recognizes it as the valid version, as I have now uninstalled/reinstalled my Network Adapter Driver 16 times. Please & Thanks for any advice
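
The Windows File Protection event quoted in the post above can be parsed to show what WFP did: which file it restored, and whether the restored copy is older than the one it displaced. This is an added example, not part of the original post; the second and third sample messages are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Message layout taken from the Windows File Protection event quoted in the post.
WFP_EVENT = re.compile(
    r"File replacement was attempted on the protected system file (?P<path>.+?)\. "
    r"This file was restored to the original version to maintain system stability\. "
    r"The file version of the bad file is (?P<attempted>\d+(?:\.\d+)*); "
    r"the version of the system file is (?P<restored>\d+(?:\.\d+)*)",
    re.IGNORECASE,
)

def parse_version(text):
    """'8.48.0.0' -> (8, 48, 0, 0), so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def parse_wfp_event(message):
    """Return path and versions from one message, or None if it is not a WFP restore."""
    match = WFP_EVENT.search(" ".join(message.split()))  # tolerate wrapped lines
    if match is None:
        return None
    attempted = parse_version(match["attempted"])
    restored = parse_version(match["restored"])
    return {"path": match["path"].lower(), "attempted": attempted,
            "restored": restored, "rollback": restored < attempted}

def rollback_counts(messages):
    """Count, per file, the events where WFP put back an OLDER version."""
    events = filter(None, map(parse_wfp_event, messages))
    return Counter(e["path"] for e in events if e["rollback"])

POST_EVENT = (r"File replacement was attempted on the protected system file "
              r"c:\windows\system32\drivers\b57xp32.sys. This file was restored to the "
              r"original version to maintain system stability. The file version of the "
              r"bad file is 8.48.0.0; the version of the system file is 2.16.0.0.")
SAMPLE = [
    POST_EVENT,
    # Constructed: WFP restoring a newer file over an older replacement.
    POST_EVENT.replace("drivers\\b57xp32.sys", "example.dll")
              .replace("8.48.0.0", "1.0.0.0").replace("2.16.0.0", "5.1.0.0"),
    "The Windows Installer service entered the running state.",  # constructed, unrelated
]

if __name__ == "__main__":
    for path, count in rollback_counts(SAMPLE).items():
        print(f"{path}: restored to an older version {count} time(s)")
```

A file that shows up here has a protected copy older than the installed one, which is the situation described in the post.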
     
  2. tgell

    tgell Major Geek Extraordinaire

    Hello,
    Windows System File Protection stores the info in filelist.xml in C:\WINDOWS\system32\Restore. If you cannot see it there, it is hidden and you will have to unhide it in Folder Options. Do this in an admin account. First, create a backup of filelist.xml. Open up filelist.xml in the restore directory with notepad after removing the Read Only attribute in properties.

    You will see something like this. If you were to exclude explorer.

    <PCHealthProtect>
    <VERSION>1.0</VERSION>
    <DEFTYPE>E</DEFTYPE>
    <FILES>
    <Exclude>
    <REC>%windir%\explorer.exe</REC>
    </Exclude>

    You would use
    <Exclude>
    <REC>%windir%\system32\drivers\b57xp32.sys</REC>
    </Exclude>
    Note: You do not need to include </Exclude> like in my example as they are already included. Just place it between the </Exclude> statements.
    Note: You may see your sys file on an include list further down in the file. If so, just delete that.

    Save the file and change it back to read only.
    click file -> Save (not save as)

    Now you have to delete the file from dllcache
    start menu-> run and type in "%windir%\system32\dllcache" without the quotes

    Delete b57xp32.sys

    Now you should be able to use the later version.
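
A read-only check for the edited filelist.xml described in the steps above: it confirms the file still parses and reports whether the driver is listed under Exclude or Include. This is an added example, not part of the original post; the sample XML is constructed from the elements shown in the thread, the nesting of Include under FILES is an assumption, and `check_filelist` is a hypothetical name.

```python
import xml.etree.ElementTree as ET

TARGET = r"%windir%\system32\drivers\b57xp32.sys"

# Constructed sample limited to the elements shown in the thread.
GOOD = r"""<PCHealthProtect>
<VERSION>1.0</VERSION>
<DEFTYPE>E</DEFTYPE>
<FILES>
<Exclude>
<REC>%windir%\explorer.exe</REC>
<REC>%windir%\system32\drivers\b57xp32.sys</REC>
</Exclude>
<Include>
<REC>*:\Documents And Settings\*\Application Data\Microsoft\Internet Explorer\Quick Launch</REC>
</Include>
</FILES>
</PCHealthProtect>"""

# The same edit with the closing tag mistyped as an opening tag.
BROKEN = GOOD.replace("b57xp32.sys</REC>", "b57xp32.sys<REC>")

# The driver left on the Include list as well as the Exclude list.
CONFLICT = GOOD.replace("<Include>", "<Include>\n<REC>" + TARGET.upper() + "</REC>")

def check_filelist(xml_text, target=TARGET):
    """Report parse status and where `target` is listed (case-insensitive)."""
    result = {"well_formed": False, "excluded": False, "included": False, "error": None}
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        result["error"] = str(exc)  # e.g. a mismatched or unclosed tag
        return result

    def listed(section):
        wanted = target.strip().lower()
        return any((rec.text or "").strip().lower() == wanted
                   for rec in root.iterfind(f".//{section}/REC"))

    result.update(well_formed=True, excluded=listed("Exclude"), included=listed("Include"))
    return result

if __name__ == "__main__":
    for name, text in (("good", GOOD), ("broken", BROKEN), ("conflict", CONFLICT)):
        print(name, check_filelist(text))
```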
     
  3. iain.t

    iain.t MajorGeek

    Thank you very much for that tgell ;) yet something else that I have learned!!
     
  4. tgell

    tgell Major Geek Extraordinaire

    You're welcome iain.t. Just like I learned from your posts. That is why I enjoy MajorGeeks. People helping others by sharing their knowledge and always learning something new. :)
     
  5. georgieb

    georgieb Private E-2

    tgell
    Thanks for your prompt response & clear explanation. I have a few more questions, however, before I proceed, just to clarify.

    The file was not in my Windows\System32\Restore folder but in Windows\ServicePackFiles\I386.
    My questions are:

    1. If I add the driver to the exclusions in the filelist.xml wouldn’t that be enough (i.e. SFC won’t check on that file anymore?) &, if yes, why delete from cache?
    2. If as above, excluded from filelist.xml & this file is used by both SFC & Restore, won’t I potentially get into trouble at some point in the future if I attempt a Restore (i.e. can’t restore driver)?
    3. Re. dll cache, see question 1 re. Why delete & also, should I not replace the occurrence in this file instead?
    Just trying to cover contingencies & your assist much appreciated. Tx, GB
     
  6. tgell

    tgell Major Geek Extraordinaire

    Hello,
    Are you saying the filelist.xml was not in the C:\WINDOWS\system32\Restore folder? It is on both of my computers. I would not proceed any further if the filelist.xml is not listed in the Restore folder.

    1. You may be right but I believe WFP looks at the files in dllcache and if there is a discrepancy with what is in the system folder, it will try and replace the file with the one in dllcache. From what I have read, this happens every so often while the computer is operating. If you delete the file, there will be no chance of that.

    2. Don't believe so. A system restore would still replace the file from the system restore folder. This just keeps windows from replacing it with what it thinks is the correct version, either from the dllcache or a CD. Worst case would be to reinstall the driver. I cannot confirm if the older version would replace the new version if a sfc /scannow command was issued but I do not think so.

    3. No need to replace the file in dllcache because it will be deleted in step 1. Now Windows has no chance of replacing the file because we excluded it in filelist.xml. One note. When deleting the file in dllcache, windows will ask for a confirmation that you do not want to restore it.

    Did you look in the filelist.xml file, assuming it is in the Restore folder? Maybe your sys file was in the included section. The include section on both of my computers is the following.

    <Include>
    <REC>*:\Documents And Settings\*\Application Data\Microsoft\Internet Explorer\Quick Launch</REC>
    </Include>

    A little info on WFP;
    http://msdn.microsoft.com/en-us/windows/hardware/gg463455#EBB
     
  7. georgieb

    georgieb Private E-2

    tgell
    Tx Again (for both your response & the useful link, as I kept getting info on Windows ME SFC when I wanted XP WFP). The piece I had truly been unaware of was the “filelist.xml”. However, based on what you’ve told me & my understanding, here’s what I think (& your opinion on same would be appreciated).

    1. I can definitely confirm that filelist.xml “IS NOT” in my Restore Folder, but in my ServicePackFiles folder.
    2. I can definitely confirm that the driver b57xp32.sys is not in any file in the <Include> list in the filelist.xml.
    3. Based on what I’ve read, it is not illogical that Windows\ServicePackFiles\I386 might be accessed by WFP (which I believe is what is occurring in this case).
    Per my earlier post this Driver:
    • Version 2.16.0 (doesn’t work) appears in 1) I386\DRIVER.CAB 2) WINDOWS\system32\drivers 3) WINDOWS\Driver Cache
    • Version 8.48.0 (which I keep reinstalling) appears in 1) Program Files\Broadcom\drvinst 2) dell\drivers\R116101.
    I believe the reinstall may be occurring from Program Files\Broadcom\drvinst after which WFP is checking the Catalogue in I386\DRIVER.CAB maybe ??? for the (what it thinks is) valid version (which doesn’t match what I’ve just installed) & then replacing installed with the version in the dll cache.

    Based on this, it would seem, if the filelist.xml is used for WFP exception, then yes I should be able to simply add it (this driver) to “exclusions”. There is nothing that currently specifically includes “it”. Do you agree? Pls & Tx. GB

    (I’m still baffled as to the & why of this happening now but that can hold for another day)
     
  8. tgell

    tgell Major Geek Extraordinaire

    I cannot understand why you do not have a filelist.xml in C:\WINDOWS\system32\Restore. Do you have a Restore folder?

    It does look into catalog files for comparison. And in the process the filelist.xml is used.

    From Wiki:
    WFP covers all files which the operating system installs (such as DLL, EXE, SYS, OCX etc.), protecting them from deletion or from replacement by older versions. The digital signatures of these files are checked using code signing and the signature catalog files stored in the %Systemroot%\system32\catRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} folder


    The only locations that are accessed by WFP in XP for file replacement are the following.

    http://support.microsoft.com/kb/222193

    1. The cache folder (by default, %systemroot%\system32\dllcache).
    2. The network install path, if the system was installed using network install.
    3. The Windows CD-ROM, if the system was installed from CD-ROM.


    In Windows 2000 it was the following:

    http://support.microsoft.com/kb/236995

    When it is replacing files, WFP looks in the following locations to find the correct version:

    * %SystemRoot%\System32\DllCache folder
    * %SystemRoot%\Driver Cache\Platform\Driver.cab file
    * Original Windows 2000 installation source (which could be a network share or a local CD-ROM drive)

    Sorry, could you clarify the last sentence a little bit?
     
  9. georgieb

    georgieb Private E-2

    tgell
    Yes I do have the requisite Restore Folder. It contains exe files as well as a DAT file corresponding to my last Restore, but not the filelist.xml (which, as indicated, is in ServicePackFiles, also used by WFP on occasion). And yes, it does appear that WFP is “replacing” my reinstalled driver with the driver it “finds” in the DllCache folder or the Driver.CAB file. However, my question for you is what is your understanding of how filelist.xml is used? This gets us back to where we started (not so much what WFP is replacing but what it is checking if I understood your original reply correctly). I will have a look at the link you referenced: I think I may have scanned it before. I would, however, be interested in your answer to the filelist.xml function (as it is the new piece I'm trying to understand)? Please & Tx . GB
     
  10. tgell

    tgell Major Geek Extraordinaire

    Sorry,
    I can only tell you that FILELIST.XML lists the files and directories that are to be protected or not and keeps WFP from replacing those files.

    This person used it for deleting files from a directory and not having them replaced.

    http://www.ntcompatible.com/postprint98639.html

    Edit: This link seems to indicate that more things should be deleted in order to keep the file from being replaced. Which seems to contradict other sites that explain the process.

    http://www.aspfree.com/c/a/BrainDump/How-to-Hack-Protected-Windows-XP-Files/
     
    Last edited: Jul 2, 2011
  11. tgell

    tgell Major Geek Extraordinaire

    I would also confirm that C:\WINDOWS\DriverCache is used by WFP.
     
  12. tgell

    tgell Major Geek Extraordinaire

    Just another question: Do you have system restore active on your computer?
     
  13. georgieb

    georgieb Private E-2

    tgell..Thanks, you've reconfirmed my understanding from your first reply. At this point it can't hurt to try. I'll add the driver to the exclusions & give it a day or 2. We'll see what happens. (Everything'll be backed up & I can always restore (although God knows McAfee doesn't like it)). Will let you know if it resolves (although it is admittedly a bandaid). GB
     
