1. Overview

  • Unpatched Binary: mrxsmb20_unpatched.sys
  • Patched Binary: mrxsmb20_patched.sys
  • Overall Similarity: 98.25%
  • Diff Statistics: 519 matched functions, 6 changed functions, 513 identical functions, and 0 unmatched functions in either direction.
  • Verdict: The patch retires a WIL feature-staging telemetry feature (Feature_Servicing_EnableSMBHardeningTelemetry) and refactors the WIL feature-usage reporting helpers. No security-relevant behavior changes. The SMB2 negotiate-response parsing and the SMB2 encryption request-flag logic are byte-for-byte identical between the two builds. There is no authentication bypass, no encryption downgrade, and no memory-safety defect in the changed code.

2. Change Summary

  • Severity: None (informational).
  • Change Class: Feature-staging library churn (Windows Installer Logging / WIL feature staging) plus WPP/ETW telemetry restructuring.
  • Affected Functions: Smb2ProcessNegotiateResponse (0x1C00051E8), Smb2SessionSetup_Finalize (0x1C003CD50 → 0x1C003CC80), Smb2TreeConnect_Start (0x1C003E930 → 0x1C003E700), and three WIL feature-reporting helpers.

What actually changed:

  1. The WIL staged feature Feature_Servicing_EnableSMBHardeningTelemetry was removed. Its enablement gate Feature_Servicing_EnableSMBHardeningTelemetry__private_IsEnabledDeviceUsage (unpatched at 0x1C00162D8) is called from two places in the unpatched build — inside Smb2ProcessNegotiateResponse (0x1C0005923) and inside Smb2SessionSetup_Finalize (0x1C003D0E3). In both cases the return value gates whether a WPP/ETW telemetry trace event (guarded by _tlgKeywordOn) is emitted. In the patched build the feature and both call sites are gone; the telemetry blocks they guarded are removed/consolidated. The function's body itself is a standard WIL gate: it reads the feature-state cache cell and, on a cache miss, calls wil_details_IsEnabledFallback with the feature descriptor.

  2. In Smb2TreeConnect_Start the unpatched build makes an unconditional call to Feature_SMBSynchronousRedirection__private_ReportDeviceUsage (0x1C003EA20). The patched build replaces that single call with an inline WIL feature-state-cache fast path: it loads the feature-state cache cell data_1C0034278, tests bit 0x10 (the "usage already recorded" bit), and only on a miss calls wil_details_FeatureReporting_ReportUsageToService followed by wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath. This is the standard "report once, then cache" WIL pattern.

  3. The WIL helpers wil_details_FeatureReporting_ReportUsageToService and wil_details_FeatureReporting_ReportUsageToServiceDirect were refactored (global vs. per-context data references, control-flow restructuring).

Note on the data_1C0034278 cell: this is the WIL feature-state cache cell for the staged features above (the same cell read by the IsEnabledDeviceUsage gate). It is not a "global encryption policy flag." Testing bit 0x10 of it selects the report-once fast path; it does not enable or disable SMB encryption.

3. Pseudocode Diff

Smb2ProcessNegotiateResponse (0x1C00051E8) and Smb2SessionSetup_Finalize (0x1C003CD50 → 0x1C003CC80)

// --- UNPATCHED (Smb2ProcessNegotiateResponse, after SmbCeSetServerBufferSizes) ---
if (SmbCeSetServerBufferSizes(...) == 0) {
    if (Feature_Servicing_EnableSMBHardeningTelemetry__private_IsEnabledDeviceUsage()) {
        if (dialect != 0x2FF && _tlgKeywordOn(&dword_1C0034058)) {
            // emit WPP/ETW telemetry event
        }
    }
}

// --- PATCHED ---
if (SmbCeSetServerBufferSizes(...) == 0) {
    // feature gate removed; telemetry block removed/consolidated
    if (dialect != 0x2FF) { ... }
}

Smb2SessionSetup_Finalize follows the same shape: the unpatched build calls the feature gate at 0x1C003D0E3 and, on success, checks _tlgKeywordOn(&dword_1C0034058) before emitting a telemetry event; the patched build removes the gate and its telemetry block.

Smb2TreeConnect_Start (0x1C003E930 → 0x1C003E700)

// --- UNPATCHED ---
if (SmbCeCheckServerEntryDialect(...)) {           // second dialect check
    if (server_caps & 0x40)                         // [rsi+0xB0] & 0x40
        request_flags |= 0x1;                        // [rdi+0x59A] |= 1
    Feature_SMBSynchronousRedirection__private_ReportDeviceUsage();  // unconditional WIL usage report
    if (server_entry[0x2D9] & 0x10) {                // server encryption support
        request_flags |= 0x2;                        // [rdi+0x59A] |= 2
        request_encrypt_flag = 1;                    // [rdi+0x458] = 1
    }
}

// --- PATCHED ---
if (SmbCeCheckServerEntryDialect(...)) {
    if (server_caps & 0x40)                          // IDENTICAL
        request_flags |= 0x1;                         // [rdi+0x59A] |= 1  (unchanged)
    // WIL feature-state cache fast path replaces the unconditional report:
    if (!(data_1C0034278 & 0x10)) {                   // report-once cache miss
        wil_details_FeatureReporting_ReportUsageToService(...);
        wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath(3);
    }
    if (server_entry[0x2D9] & 0x10) {                 // IDENTICAL
        request_flags |= 0x2;                          // [rdi+0x59A] |= 2  (unchanged)
        request_encrypt_flag = 1;                      // [rdi+0x458] = 1   (unchanged)
    }
}

The encryption request-flag logic (server_caps & 0x40 → set bit 0x1; server_entry[0x2D9] & 0x10 → set bit 0x2 and [rdi+0x458]=1) is present and identical in both builds. Only the WIL usage-reporting call in the middle changed.

4. Assembly Analysis

Unpatched Smb2TreeConnect_Start (0x1C003EA0C–0x1C003EA41):

00000001C003EA0C  mov     eax, [rsi+0B0h]        ; server capabilities
00000001C003EA12  test    al, 40h                ; encryption capability bit
00000001C003EA14  jz      short loc_1C003EA20
00000001C003EA16  lea     eax, [rcx-1]           ; rcx=2 -> eax=1
00000001C003EA19  or      [rdi+59Ah], ax         ; set request flag bit 0x1
00000001C003EA20  call    Feature_SMBSynchronousRedirection__private_ReportDeviceUsage
00000001C003EA25  mov     rax, [rsi+58h]         ; server entry
00000001C003EA2E  test    byte ptr [rax+2D9h], 10h
00000001C003EA35  jz      short loc_1C003EA47
00000001C003EA37  or      [rdi+59Ah], cx         ; set request flag bit 0x2
00000001C003EA41  mov     [rdi+458h], al         ; encryption request flag = 1

Patched Smb2TreeConnect_Start (0x1C003E7D9–0x1C003E841):

00000001C003E7D9  mov     eax, [rsi+0B0h]        ; server capabilities
00000001C003E7DF  lea     edx, [r8-1]            ; r8=2 -> edx=1
00000001C003E7E3  test    al, 40h                ; encryption capability bit
00000001C003E7E5  jz      short loc_1C003E7EE
00000001C003E7E7  or      [rdi+59Ah], dx         ; set request flag bit 0x1  (SAME as unpatched)
00000001C003E7EE  mov     ecx, dword ptr cs:WPP_MAIN_CB.DeviceLock.Header  ; load feature-state cache cell (data_1C0034278)
00000001C003E7FB  test    cl, 10h                ; report-once cache bit
00000001C003E7FE  jnz     short loc_1C003E82C     ; already reported -> skip
00000001C003E817  call    wil_details_FeatureReporting_ReportUsageToService
00000001C003E821  call    wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath
00000001C003E82C  mov     rax, [rsi+58h]         ; server entry
00000001C003E830  test    byte ptr [rax+2D9h], 10h
00000001C003E837  jz      short loc_1C003E848
00000001C003E839  or      [rdi+59Ah], r8w        ; set request flag bit 0x2  (SAME as unpatched)
00000001C003E841  mov     byte ptr [rdi+458h], 1 ; encryption request flag = 1  (SAME as unpatched)

The or [rdi+59Ah], ... request-flag stores and the [rdi+458h]=1 store are unchanged. The test cl, 10h; jnz on data_1C0034278 gates the WIL usage-report/cache calls, not encryption. There is no policy check on the encryption flags, in either build.

5. Trigger / Reachability

Not applicable. No security-relevant condition is introduced or removed. The changed code is reached during normal SMB2 negotiate-response processing and tree-connect request building, but the only behavioral difference is whether WIL usage telemetry is emitted/recorded. A malicious SMB server cannot influence the encryption request-flag decision differently between the two builds, because that logic is identical.

6. Impact Assessment

No exploit primitive. The removed function Feature_Servicing_EnableSMBHardeningTelemetry__private_IsEnabledDeviceUsage is a WIL feature-enablement gate that reads a cached state cell and, on a miss, calls wil_details_IsEnabledFallback with a static feature descriptor. It performs no operation on SMB connection, session, or crypto state, and takes no attacker-controlled input. Its removal, and the substitution of the report-once cache fast path in Smb2TreeConnect_Start, are servicing/telemetry changes with no reachable security impact.

7. Verification Notes

The following were checked directly against both builds:

  • Smb2ProcessNegotiateResponse (0x1C00051E8): the server-buffer-size handling, dialect handling, and the [rdi+0x2D8]/[rdi+0x2D9] capability-flag computation are identical in both builds. The only difference after SmbCeSetServerBufferSizes returns 0 is the removed Feature_Servicing_EnableSMBHardeningTelemetry gate and its guarded telemetry block.
  • Feature_Servicing_EnableSMBHardeningTelemetry__private_IsEnabledDeviceUsage (unpatched 0x1C00162D8): reads WPP_MAIN_CB.DeviceLock.Header (the feature-state cache cell), returns the cached bit on a hit, else calls the fallback. It is entirely absent from the patched binary.
  • Smb2TreeConnect_Start: encryption request-flag stores ([rdi+0x59A] bits 0x1/0x2, [rdi+0x458]) are identical; only the WIL usage-reporting call was replaced by the inline cache fast path.

8. Changed Functions — Full Triage

  • sub_1C003C008 (wil_UninitializeFeatureStaging) / sub_1C00157C0 (wil_details_FeatureStateCache_TryEnableDeviceUsageFastPath) (0.8514 similarity): False-positive match. Two different WIL functions paired by index coincidence. Not security-relevant.
  • Smb2SessionSetup_Finalize (0x1C003CD50 → 0x1C003CC80) (0.8984 similarity): Feature-staging / telemetry. The Feature_Servicing_EnableSMBHardeningTelemetry__private_IsEnabledDeviceUsage call at 0x1C003D0E3 and its _tlgKeywordOn-guarded telemetry block are removed; ETW tracing is consolidated. Register/stack-frame reallocation. Not security-relevant.
  • Smb2TreeConnect_Start (0x1C003E930 → 0x1C003E700) (0.9323 similarity): Feature-staging. The unconditional Feature_SMBSynchronousRedirection__private_ReportDeviceUsage call is replaced by an inline report-once cache fast path (data_1C0034278 & 0x10ReportUsageToService + TryEnableDeviceUsageFastPath). Encryption request-flag logic unchanged. Not security-relevant.
  • Smb2ProcessNegotiateResponse (0x1C00051E8) (0.9458 similarity): Feature-staging / telemetry. The Feature_Servicing_EnableSMBHardeningTelemetry gate at 0x1C0005923 and its guarded telemetry event are removed; core negotiate-response parsing (buffer sizes, dialect validation, capability-flag computation) is unchanged. Not security-relevant.
  • sub_1C0015794 (wil_details_FeatureReporting_ReportUsageToServiceDirect) → sub_1C00156D0 (0.9765 similarity): Cosmetic. WIL usage-notification helper refactored to reference global data structures. Not security-relevant.
  • sub_1C0015668 (wil_details_FeatureReporting_ReportUsageToService) → sub_1C00155B4 (0.9897 similarity): Cosmetic. Control flow restructured (if-else chain to cascading decrement/compare, compiler churn). Calls the updated helper. Not security-relevant.

9. Unmatched Functions

  • Added: None.
  • Removed: None reported by the matcher. Note that Feature_Servicing_EnableSMBHardeningTelemetry__private_IsEnabledDeviceUsage (and its __private_IsEnabledFallback) are present in the unpatched build and absent in the patched build; they were retired along with the staged feature rather than being counted as unmatched.

10. Confidence & Caveats

  • Confidence: High. All six changed functions were compared instruction-by-instruction across both builds. Every difference reduces to WIL feature-staging (staged-feature retirement, usage-reporting refactor, report-once cache fast path) and the WPP/ETW telemetry these gates controlled.
  • Conclusion: No security-relevant change. No CWE applies. There is no encryption-negotiation vulnerability, no authentication/encryption bypass, and no memory-safety issue in the changed code. The encryption request-flag decision in the SMB2 tree-connect builder is identical between the two builds.