I have a Windows environment where the "Ports" tab is empty on all network printers, but only on some Win7 clients. All other printing functionality from these clients works to printers on those print servers. Due to the way the environment is set up I cannot easily attach a kernel debugger to these vSphere virtual machines.
- Server 2008 R2 machines - OK
- Clean Win7 machine - OK
- Win7 machine + much 3rd party software, including 3rd party device drivers, multiple API hooking software, etc - BROKEN
All machines are joined to the same domain, and logged in as the same user. Using Rohitab API Monitor on Explorer.exe I identified that the winspool EnumPorts call is succeeding but returning 0 ports on the failing machine, while under the same user account, same network and same parameters it returns 600+ ports on both working machines.
I wrote a test C++ program to test EnumPorts on its own. The Visual Studio 2015 project + binary is here
The key part of this program is:
    DWORD cbNeeded = 4096, cbReturned = 0;   // initial buffer size; on ERROR_INSUFFICIENT_BUFFER (122) the call is retried with the cbNeeded it reports
    PORT_INFO_2 *pPortInfo = (PORT_INFO_2 *)malloc(cbNeeded);
    BOOL bResult = EnumPorts(argv[1],          // print server name, e.g. \\PRINTSERVER01
                             2,                // level 2: buffer receives PORT_INFO_2 entries
                             (LPBYTE)pPortInfo,
                             cbNeeded,         // size of the buffer in bytes
                             &cbNeeded,        // receives the number of bytes required
                             &cbReturned);     // receives the number of PORT_INFO_2 entries filled
On a working machine the output from pPortInfo is:
CALL: EnumPorts("\\PRINTSERVER01",(LPBYTE)pPortInfo,4096,&cbNeeded,&cbReturned)
RETURNED: false ERROR CODE: 122 ERROR MSG: The data area passed to a system call is too small.
CALL: EnumPorts("\\PRINTSERVER01",(LPBYTE)pPortInfo,121800,&cbNeeded,&cbReturned)
RETURNED: true ERROR CODE: 0 ERROR MSG: The operation completed successfully.
cbReturned = 629
PORT #0
Port Name: TS005
Monitor Name: Dynamic Print Monitor
Description: Inactive TS Port
Port Type: WRITE READ
PORT #1
Port Name: TS004
Monitor Name: Dynamic Print Monitor
Description: Inactive TS Port
Port Type: WRITE READ
etc...
On the broken machine:
CALL: EnumPorts("\\PRINTSERVER01",(LPBYTE)pPortInfo,4096,&cbNeeded,&cbReturned)
RETURNED: true ERROR CODE: 0 ERROR MSG: The operation completed successfully.
cbReturned = 0
What I have identified/tried so far:
- Using SysInternals Autoruns to compare machines there are hundreds of differences between Windows services configuration/drivers/hooking DLLs on the two machines. I want to find a technique to narrow this down to a potential culprit without having to remove/disable all these items.
- I've tried disabling all hooking DLLs by renaming AppInit_DLLs key and confirming these DLLs no longer load in the process, but it remains broken
- Captured a Wireshark trace. On the working machine network traffic is sent/received to the print server when EnumPorts is called. On the broken machine there is no network traffic sent to the print server at all. However, on the broken machine you can still run commands like net view /all \ and map to printers/drives on the remote print server.
- Used Microsoft Message Analyzer RPC trace; this logs the RPC calls but I'm not sure how to interpret this data. None of the calls appear to be failing.
- Looking deeper into winspool!EnumPorts it uses NdrClientCall2 to communicate with print server but these calls are not failing.
- Tried disabling local firewall
- Tried netsh winsock reset and restarting
- Tested with antivirus disabled
- Created a filter in Windows Event viewer to look at ALL windows event log entries during the time test is run and can't find any seemingly related errors
- Running my test tool via WinDbg there are no first chance exceptions or other errors
- Tried setting a breakpoint at the completion of the EnumPorts function, then created a complete memory dump with NotMyFault, but couldn't find anything, and didn't really know what I was looking for in the first place.
- Used Process Monitor to look for missing registry keys/files and couldn't find any
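The same two-phase EnumPorts level-2 query, written here as an added PowerShell/P-Invoke example (not the poster's C++ program) so the call Explorer's "Ports" tab depends on can be run and compared on any client without compiling anything. It assumes Add-Type is available; the server name is the one from the question and the zero-byte branch is the symptom the question describes.

```powershell
# Added example (not from the original post): query print ports via winspool EnumPorts level 2.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class WinspoolNative {
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct PORT_INFO_2 {
        public string pPortName;
        public string pMonitorName;
        public string pDescription;
        public uint   fPortType;
        public uint   Reserved;
    }
    [DllImport("winspool.drv", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool EnumPorts(string pName, uint Level, IntPtr pPorts,
                                        uint cbBuf, out uint pcbNeeded, out uint pcReturned);
}
"@

function Get-PrinterPorts {
    param([string]$Server)   # e.g. '\\PRINTSERVER01'; $null queries the local spooler
    $needed = [uint32]0; $returned = [uint32]0
    # Sizing call with an empty buffer: normally fails with ERROR_INSUFFICIENT_BUFFER (122)
    # and reports the byte count in $needed.
    $ok  = [WinspoolNative]::EnumPorts($Server, 2, [IntPtr]::Zero, 0, [ref]$needed, [ref]$returned)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if (-not $ok -and $err -ne 122) { throw "EnumPorts sizing call failed, Win32 error $err" }
    if ($needed -eq 0) {
        # The failure mode from the question: success, but no bytes and no ports.
        Write-Warning "EnumPorts succeeded with pcbNeeded=0, pcReturned=$returned (no ports returned)"
        return @()
    }
    $buf = [Runtime.InteropServices.Marshal]::AllocHGlobal([int]$needed)
    try {
        $ok = [WinspoolNative]::EnumPorts($Server, 2, $buf, $needed, [ref]$needed, [ref]$returned)
        if (-not $ok) { throw "EnumPorts failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }
        $type = [WinspoolNative+PORT_INFO_2]
        $size = [Runtime.InteropServices.Marshal]::SizeOf($type)
        for ($i = 0; $i -lt $returned; $i++) {
            # Walk the array of PORT_INFO_2 structs; pointer arithmetic done on Int64 for .NET 3.5 compatibility.
            $entry = [IntPtr]($buf.ToInt64() + $i * $size)
            $p = [Runtime.InteropServices.Marshal]::PtrToStructure($entry, $type)
            [pscustomobject]@{ Port = $p.pPortName; Monitor = $p.pMonitorName
                               Description = $p.pDescription; PortType = $p.fPortType }
        }
    } finally { [Runtime.InteropServices.Marshal]::FreeHGlobal($buf) }
}

Get-PrinterPorts -Server '\\PRINTSERVER01' | Format-Table -AutoSize
```

Running this on a working and a broken client under the same account gives a diff-able list (or the zero-port warning) without Explorer or the test binary in the loop.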