mrxsmb20.sys — WIL feature-staging / telemetry churn
KB5075912
1. Overview
- Unpatched Binary:
mrxsmb20_unpatched.sys - Patched Binary:
mrxsmb20_patched.sys - Overall Similarity: 98.25%
- Diff Statistics: 519 matched functions, 6 changed functions, 513 identical functions, and 0 unmatched functions in either direction.
- Verdict: The patch retires a WIL feature-staging telemetry feature (
Feature_Servicing_EnableSMBHardeningTelemetry) and refactors the WIL feature-usage reporting helpers. No security-relevant behavior changes. The SMB2 negotiate-response parsing and the SMB2 encryption request-flag logic are byte-for-byte identical between the two builds. There is no authentication bypass, no encryption downgrade, and no memory-safety defect in the changed code.
2. Change Summary
- Severity: None (informational).
- Change Class: Feature-staging library churn (Windows Installer Logging / WIL feature staging) plus WPP/ETW telemetry restructuring.
- Affected Functions:
Smb2ProcessNegotiateResponse(0x1C00051E8),Smb2SessionSetup_Finalize(0x1C003CD50 → 0x1C003CC80),Smb2TreeConnect_Start(0x1C003E930 → 0x1C003E700), and three WIL feature-reporting helpers.
What actually changed:
-
The WIL staged feature
Feature_Servicing_EnableSMBHardeningTelemetrywas removed. Its enablement gateFeature_Servicing_EnableSMBHardeningTelemetry__private_IsEnabledDeviceUsage(unpatched at 0x1C00162D8) is called from two places in the unpatched build — insideSmb2ProcessNegotiateResponse(0x1C0005923) and insideSmb2SessionSetup_Finalize(0x1C003D0E3). In both cases the return value gates whether a WPP/ETW telemetry trace event (guarded by_tlgKeywordOn) is emitted. In the patched build the feature and both call sites are gone; the telemetry blocks they guarded are removed/consolidated. The function's body itself is a standard WIL gate: it reads the feature-state cache cell and, on a cache miss, callswil_details_IsEnabledFallbackwith the feature descriptor. -
In
Smb2TreeConnect_Startthe unpatched build makes an unconditional call toFeature_SMBSynchronousRedirection__private_ReportDeviceUsage(0x1C003EA20). The patched build replaces that single call with an inline WIL feature-state-cache fast path: it loads the feature-state cache celldata_1C0034278, tests bit 0x10 (the "usage already recorded" bit), and only on a miss callswil_details_FeatureReporting_ReportUsageToServicefollowed bywil_details_FeatureStateCache_TryEnableDeviceUsageFastPath. This is the standard "report once, then cache" WIL pattern. -
The WIL helpers
wil_details_FeatureReporting_ReportUsageToServiceandwil_details_FeatureReporting_ReportUsageToServiceDirectwere refactored (global vs. per-context data references, control-flow restructuring).
Note on the data_1C0034278 cell: this is the WIL feature-state cache cell for the staged features above (the same cell read by the IsEnabledDeviceUsage gate). It is not a "global encryption policy flag." Testing bit 0x10 of it selects the report-once fast path; it does not enable or disable SMB encryption.
3. Pseudocode Diff
Smb2ProcessNegotiateResponse (0x1C00051E8) and Smb2SessionSetup_Finalize (0x1C003CD50 → 0x1C003CC80)
// --- UNPATCHED (Smb2ProcessNegotiateResponse, after SmbCeSetServerBufferSizes) ---
if (SmbCeSetServerBufferSizes(...) == 0) {
if (Feature_Servicing_EnableSMBHardeningTelemetry__private_IsEnabledDeviceUsage()) {
if (dialect != 0x2FF && _tlgKeywordOn(&dword_1C0034058)) {
// emit WPP/ETW telemetry event
}
}
}
// --- PATCHED ---
if (SmbCeSetServerBufferSizes(...) == 0) {
// feature gate removed; telemetry block removed/consolidated
if (dialect != 0x2FF) { ... }
}
Smb2SessionSetup_Finalize follows the same shape: the unpatched build calls the feature gate at 0x1C003D0E3 and, on success, checks _tlgKeywordOn(&dword_1C0034058) before emitting a telemetry event; the patched build removes the gate and its telemetry block.
Smb2TreeConnect_Start (0x1C003E930 → 0x1C003E700)
// --- UNPATCHED ---
if (SmbCeCheckServerEntryDialect(...)) { // second dialect check
if (server_caps & 0x40) // [rsi+0xB0] & 0x40
request_flags |= 0x1; // [rdi+0x59A] |= 1
Feature_SMBSynchronousRedirection__private_ReportDeviceUsage(); // unconditional WIL usage report
if (server_entry[0x2D9] & 0x10) { // server encryption support
request_flags |= 0x2; // [rdi+0x59A] |= 2
request_encrypt_flag = 1; // [rdi+0x458] = 1
}
}
// --- PATCHED ---
if (SmbCeCheckServerEntryDialect(...)) {
if (server_caps & 0x40) // IDENTICAL
request_flags |= 0x1; // [rdi+0x59A] |= 1 (unchanged)
// WIL feature-state cache fast path replaces the unconditional report:
if (!(data_1C0034278 & 0x10)) { // report-once cache miss
wil_details_FeatureReporting_ReportUsageToService(...);
wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath(3);
}
if (server_entry[0x2D9] & 0x10) { // IDENTICAL
request_flags |= 0x2; // [rdi+0x59A] |= 2 (unchanged)
request_encrypt_flag = 1; // [rdi+0x458] = 1 (unchanged)
}
}
The encryption request-flag logic (server_caps & 0x40 → set bit 0x1; server_entry[0x2D9] & 0x10 → set bit 0x2 and [rdi+0x458]=1) is present and identical in both builds. Only the WIL usage-reporting call in the middle changed.
4. Assembly Analysis
Unpatched Smb2TreeConnect_Start (0x1C003EA0C–0x1C003EA41):
00000001C003EA0C mov eax, [rsi+0B0h] ; server capabilities
00000001C003EA12 test al, 40h ; encryption capability bit
00000001C003EA14 jz short loc_1C003EA20
00000001C003EA16 lea eax, [rcx-1] ; rcx=2 -> eax=1
00000001C003EA19 or [rdi+59Ah], ax ; set request flag bit 0x1
00000001C003EA20 call Feature_SMBSynchronousRedirection__private_ReportDeviceUsage
00000001C003EA25 mov rax, [rsi+58h] ; server entry
00000001C003EA2E test byte ptr [rax+2D9h], 10h
00000001C003EA35 jz short loc_1C003EA47
00000001C003EA37 or [rdi+59Ah], cx ; set request flag bit 0x2
00000001C003EA41 mov [rdi+458h], al ; encryption request flag = 1
Patched Smb2TreeConnect_Start (0x1C003E7D9–0x1C003E841):
00000001C003E7D9 mov eax, [rsi+0B0h] ; server capabilities
00000001C003E7DF lea edx, [r8-1] ; r8=2 -> edx=1
00000001C003E7E3 test al, 40h ; encryption capability bit
00000001C003E7E5 jz short loc_1C003E7EE
00000001C003E7E7 or [rdi+59Ah], dx ; set request flag bit 0x1 (SAME as unpatched)
00000001C003E7EE mov ecx, dword ptr cs:WPP_MAIN_CB.DeviceLock.Header ; load feature-state cache cell (data_1C0034278)
00000001C003E7FB test cl, 10h ; report-once cache bit
00000001C003E7FE jnz short loc_1C003E82C ; already reported -> skip
00000001C003E817 call wil_details_FeatureReporting_ReportUsageToService
00000001C003E821 call wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath
00000001C003E82C mov rax, [rsi+58h] ; server entry
00000001C003E830 test byte ptr [rax+2D9h], 10h
00000001C003E837 jz short loc_1C003E848
00000001C003E839 or [rdi+59Ah], r8w ; set request flag bit 0x2 (SAME as unpatched)
00000001C003E841 mov byte ptr [rdi+458h], 1 ; encryption request flag = 1 (SAME as unpatched)
The or [rdi+59Ah], ... request-flag stores and the [rdi+458h]=1 store are unchanged. The test cl, 10h; jnz on data_1C0034278 gates the WIL usage-report/cache calls, not encryption. There is no policy check on the encryption flags, in either build.
5. Trigger / Reachability
Not applicable. No security-relevant condition is introduced or removed. The changed code is reached during normal SMB2 negotiate-response processing and tree-connect request building, but the only behavioral difference is whether WIL usage telemetry is emitted/recorded. A malicious SMB server cannot influence the encryption request-flag decision differently between the two builds, because that logic is identical.
6. Impact Assessment
No exploit primitive. The removed function Feature_Servicing_EnableSMBHardeningTelemetry__private_IsEnabledDeviceUsage is a WIL feature-enablement gate that reads a cached state cell and, on a miss, calls wil_details_IsEnabledFallback with a static feature descriptor. It performs no operation on SMB connection, session, or crypto state, and takes no attacker-controlled input. Its removal, and the substitution of the report-once cache fast path in Smb2TreeConnect_Start, are servicing/telemetry changes with no reachable security impact.
7. Verification Notes
The following were checked directly against both builds:
Smb2ProcessNegotiateResponse(0x1C00051E8): the server-buffer-size handling, dialect handling, and the[rdi+0x2D8]/[rdi+0x2D9]capability-flag computation are identical in both builds. The only difference afterSmbCeSetServerBufferSizesreturns 0 is the removedFeature_Servicing_EnableSMBHardeningTelemetrygate and its guarded telemetry block.Feature_Servicing_EnableSMBHardeningTelemetry__private_IsEnabledDeviceUsage(unpatched 0x1C00162D8): readsWPP_MAIN_CB.DeviceLock.Header(the feature-state cache cell), returns the cached bit on a hit, else calls the fallback. It is entirely absent from the patched binary.Smb2TreeConnect_Start: encryption request-flag stores ([rdi+0x59A]bits 0x1/0x2,[rdi+0x458]) are identical; only the WIL usage-reporting call was replaced by the inline cache fast path.
8. Changed Functions — Full Triage
sub_1C003C008(wil_UninitializeFeatureStaging) /sub_1C00157C0(wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath) (0.8514 similarity): False-positive match. Two different WIL functions paired by index coincidence. Not security-relevant.Smb2SessionSetup_Finalize(0x1C003CD50 → 0x1C003CC80) (0.8984 similarity): Feature-staging / telemetry. TheFeature_Servicing_EnableSMBHardeningTelemetry__private_IsEnabledDeviceUsagecall at 0x1C003D0E3 and its_tlgKeywordOn-guarded telemetry block are removed; ETW tracing is consolidated. Register/stack-frame reallocation. Not security-relevant.Smb2TreeConnect_Start(0x1C003E930 → 0x1C003E700) (0.9323 similarity): Feature-staging. The unconditionalFeature_SMBSynchronousRedirection__private_ReportDeviceUsagecall is replaced by an inline report-once cache fast path (data_1C0034278 & 0x10→ReportUsageToService+TryEnableDeviceUsageFastPath). Encryption request-flag logic unchanged. Not security-relevant.Smb2ProcessNegotiateResponse(0x1C00051E8) (0.9458 similarity): Feature-staging / telemetry. TheFeature_Servicing_EnableSMBHardeningTelemetrygate at 0x1C0005923 and its guarded telemetry event are removed; core negotiate-response parsing (buffer sizes, dialect validation, capability-flag computation) is unchanged. Not security-relevant.sub_1C0015794(wil_details_FeatureReporting_ReportUsageToServiceDirect) →sub_1C00156D0(0.9765 similarity): Cosmetic. WIL usage-notification helper refactored to reference global data structures. Not security-relevant.sub_1C0015668(wil_details_FeatureReporting_ReportUsageToService) →sub_1C00155B4(0.9897 similarity): Cosmetic. Control flow restructured (if-else chain to cascading decrement/compare, compiler churn). Calls the updated helper. Not security-relevant.
9. Unmatched Functions
- Added: None.
- Removed: None reported by the matcher. Note that
Feature_Servicing_EnableSMBHardeningTelemetry__private_IsEnabledDeviceUsage(and its__private_IsEnabledFallback) are present in the unpatched build and absent in the patched build; they were retired along with the staged feature rather than being counted as unmatched.
10. Confidence & Caveats
- Confidence: High. All six changed functions were compared instruction-by-instruction across both builds. Every difference reduces to WIL feature-staging (staged-feature retirement, usage-reporting refactor, report-once cache fast path) and the WPP/ETW telemetry these gates controlled.
- Conclusion: No security-relevant change. No CWE applies. There is no encryption-negotiation vulnerability, no authentication/encryption bypass, and no memory-safety issue in the changed code. The encryption request-flag decision in the SMB2 tree-connect builder is identical between the two builds.