
PC w/ XP SP3 generating a lot of repetitive SMB traffic


mabman

Mar 26, 2010, 4:16:50 PM
A client has indicated their Windows 2003-domain-based network has
been experiencing file access slowness as well as frequent "working
offline" followed by online messages in their XP clients recently.

In troubleshooting this, I have run Wireshark packet captures on the
server to see what's happening between the clients and the server.

This may or may not be related to overall network performance issues,
but I'm seeing a fair amount of repetitive SMB traffic coming from 1
PC in particular, over and over again. While it doesn't seem to be a
large amount of traffic in terms of size (over an hour I saw about 26
MB from the client to the server, and about 17 MB back with nothing
else running on the PC), it keeps happening for just this one PC, and
frankly I'm running out of ideas. Some searching on the subject came
back with some general references to SAMBA setups, but nothing
relevant to the Win2k3 setup here. Again, it is only happening with 1
PC - other PCs on the network aren't generating anything close to this
amount of traffic to/from the server.

Any suggestions on how to make this client stop doing this would be
greatly appreciated.

General setup:
- server:
  - Windows 2003 Standard SP2
- client:
  - Windows XP SP3
  - SAV 10.1 client installed
  - My Documents redirection configured via GPO

Troubleshooting steps tried:
- server:
  - disabled all extra NIC features (Offloading, flow control, etc)
- client:
  - disabled SAV
  - disabled Windows Search
  - disabled Offline Files

This starts happening when the client PC is rebooted and Windows XP
loads, but no one is logged in, which is odd.

Below is a CSV export from Wireshark (10.0.0.5 is the server,
10.0.0.154 is the client PC). The same pattern repeats continuously.
Again, any suggestions would be appreciated.

"No.","Time","Source","Destination","Protocol","Info"
"7","0.010464","10.0.0.154","10.0.0.5","SMB","Trans2 Request, QUERY_PATH_INFO, Query File Basic Info, Path: \chris\My Documents"
"8","0.010561","10.0.0.5","10.0.0.154","SMB","Trans2 Response, QUERY_PATH_INFO"
"9","0.011352","10.0.0.154","10.0.0.5","SMB","Trans2 Request, QUERY_FS_INFO, Query Full FS Size Info"
"10","0.011389","10.0.0.5","10.0.0.154","SMB","Trans2 Response, QUERY_FS_INFO"
"11","0.021646","10.0.0.154","10.0.0.5","SMB","Trans2 Request, QUERY_PATH_INFO, Query File Basic Info, Path: "
"12","0.021915","10.0.0.5","10.0.0.154","SMB","Trans2 Response, QUERY_PATH_INFO"
"13","0.022441","10.0.0.154","10.0.0.5","SMB","Trans2 Request, QUERY_FS_INFO, Query FS Attribute Info"
"14","0.022488","10.0.0.5","10.0.0.154","SMB","Trans2 Response, QUERY_FS_INFO"
"15","0.023050","10.0.0.154","10.0.0.5","SMB","Trans2 Request, QUERY_PATH_INFO, Query File Basic Info, Path: "
"16","0.023166","10.0.0.5","10.0.0.154","SMB","Trans2 Response, QUERY_PATH_INFO"
"17","0.023496","10.0.0.154","10.0.0.5","SMB","Trans2 Request, QUERY_FS_INFO, Query FS Attribute Info"
"18","0.023539","10.0.0.5","10.0.0.154","SMB","Trans2 Response, QUERY_FS_INFO"
"19","0.024039","10.0.0.154","10.0.0.5","SMB","NT Create AndX Request, Path: \$Extend\$Quota:$Q:$INDEX_ALLOCATION"
"20","0.024164","10.0.0.5","10.0.0.154","SMB","NT Create AndX Response, FID: 0x0000, Error: STATUS_OBJECT_PATH_NOT_FOUND"
"21","0.024391","10.0.0.154","10.0.0.5","SMB","NT Create AndX Request, FID: 0xc002, Path: "
"22","0.024526","10.0.0.5","10.0.0.154","SMB","NT Create AndX Response, FID: 0xc002"
"23","0.024732","10.0.0.154","10.0.0.5","SMB","Trans2 Request, QUERY_FILE_INFO, FID: 0xc002, Query File Internal Info"
"24","0.024771","10.0.0.5","10.0.0.154","SMB","Trans2 Response, FID: 0xc002, QUERY_FILE_INFO"
"25","0.024984","10.0.0.154","10.0.0.5","SMB","Trans2 Request, QUERY_FILE_INFO, FID: 0xc002, Query File Standard Info"
"26","0.025017","10.0.0.5","10.0.0.154","SMB","Trans2 Response, FID: 0xc002, QUERY_FILE_INFO"
"27","0.025205","10.0.0.154","10.0.0.5","SMB","NT Trans Request, NT IOCTL FILE_SYSTEM Function:0x001e, FID: 0xc002"
"28","0.025230","10.0.0.5","10.0.0.154","SMB","NT Trans Response, FID: 0xc002, NT IOCTL, Error: STATUS_INVALID_PARAMETER"
"29","0.025430","10.0.0.154","10.0.0.5","SMB","Close Request, FID: 0xc002"
"30","0.025465","10.0.0.5","10.0.0.154","SMB","Close Response, FID: 0xc002"
"31","0.025687","10.0.0.154","10.0.0.5","SMB","Trans2 Request, QUERY_PATH_INFO, Query File Basic Info, Path: "
"32","0.025760","10.0.0.5","10.0.0.154","SMB","Trans2 Response, QUERY_PATH_INFO"
"33","0.025945","10.0.0.154","10.0.0.5","SMB","Trans2 Request, QUERY_FS_INFO, Query Full FS Size Info"
"34","0.025981","10.0.0.5","10.0.0.154","SMB","Trans2 Response, QUERY_FS_INFO"
"39","1.083409","10.0.0.154","10.0.0.5","SMB","Trans2 Request, QUERY_PATH_INFO, Query File Basic Info, Path: \public"
"40","1.083565","10.0.0.5","10.0.0.154","SMB","Trans2 Response, QUERY_PATH_INFO"
"41","1.088492","10.0.0.154","10.0.0.5","SMB","Trans2 Request, QUERY_FS_INFO, Query FS Attribute Info"
"42","1.088528","10.0.0.5","10.0.0.154","SMB","Trans2 Response, QUERY_FS_INFO"
"43","1.091290","10.0.0.154","10.0.0.5","SMB","Trans2 Request, QUERY_PATH_INFO, Query File Basic Info, Path: \public"
"44","1.091365","10.0.0.5","10.0.0.154","SMB","Trans2 Response, QUERY_PATH_INFO"
"45","1.091786","10.0.0.154","10.0.0.5","SMB","Trans2 Request, QUERY_FS_INFO, Query FS Attribute Info"
"46","1.091816","10.0.0.5","10.0.0.154","SMB","Trans2 Response, QUERY_FS_INFO"
"47","1.094252","10.0.0.154","10.0.0.5","SMB","NT Create AndX Request, Path: \public\$Extend\$Quota:$Q:$INDEX_ALLOCATION"
"48","1.094464","10.0.0.5","10.0.0.154","SMB","NT Create AndX Response, FID: 0x0000, Error: STATUS_OBJECT_PATH_NOT_FOUND"
"49","1.096362","10.0.0.154","10.0.0.5","SMB","NT Create AndX Request, FID: 0xc005, Path: \public"
"50","1.096502","10.0.0.5","10.0.0.154","SMB","NT Create AndX Response, FID: 0xc005"
"51","1.097850","10.0.0.154","10.0.0.5","SMB","Trans2 Request, QUERY_FILE_INFO, FID: 0xc005, Query File Internal Info"
"52","1.097883","10.0.0.5","10.0.0.154","SMB","Trans2 Response, FID: 0xc005, QUERY_FILE_INFO"
"53","1.098651","10.0.0.154","10.0.0.5","SMB","Trans2 Request, QUERY_FILE_INFO, FID: 0xc005, Query File Standard Info"
"54","1.098683","10.0.0.5","10.0.0.154","SMB","Trans2 Response, FID: 0xc005, QUERY_FILE_INFO"
"55","1.099002","10.0.0.154","10.0.0.5","SMB","NT Trans Request, NT IOCTL FILE_SYSTEM Function:0x001e, FID: 0xc005"
"56","1.099030","10.0.0.5","10.0.0.154","SMB","NT Trans Response, FID: 0xc005, NT IOCTL, Error: STATUS_INVALID_PARAMETER"
"57","1.104809","10.0.0.154","10.0.0.5","SMB","Close Request, FID: 0xc005"
"58","1.104848","10.0.0.5","10.0.0.154","SMB","Close Response, FID: 0xc005"
"59","1.107131","10.0.0.154","10.0.0.5","SMB","Trans2 Request, QUERY_PATH_INFO, Query File Basic Info, Path: \public"
"60","1.107212","10.0.0.5","10.0.0.154","SMB","Trans2 Response, QUERY_PATH_INFO"
"61","1.109690","10.0.0.154","10.0.0.5","SMB","Trans2 Request, QUERY_FS_INFO, Query Full FS Size Info"
"62","1.109725","10.0.0.5","10.0.0.154","SMB","Trans2 Response, QUERY_FS_INFO"
"63","1.122234","10.0.0.154","10.0.0.5","SMB","Trans2 Request, QUERY_PATH_INFO, Query File Basic Info, Path: \chris\My Documents"
"64","1.122327","10.0.0.5","10.0.0.154","SMB","Trans2 Response, QUERY_PATH_INFO"
"65","1.125434","10.0.0.154","10.0.0.5","SMB","Trans2 Request, QUERY_FS_INFO, Query FS Attribute Info"
"66","1.125469","10.0.0.5","10.0.0.154","SMB","Trans2 Response, QUERY_FS_INFO"
"67","1.127256","10.0.0.154","10.0.0.5","SMB","Trans2 Request, QUERY_PATH_INFO, Query File Basic Info, Path: \chris\My Documents"
"68","1.127335","10.0.0.5","10.0.0.154","SMB","Trans2 Response, QUERY_PATH_INFO"
"69","1.127656","10.0.0.154","10.0.0.5","SMB","Trans2 Request, QUERY_FS_INFO, Query FS Attribute Info"
"70","1.127688","10.0.0.5","10.0.0.154","SMB","Trans2 Response, QUERY_FS_INFO"
"71","1.128152","10.0.0.154","10.0.0.5","SMB","NT Create AndX Request, Path: \chris\My Documents\$Extend\$Quota:$Q:$INDEX_ALLOCATION"
"72","1.128276","10.0.0.5","10.0.0.154","SMB","NT Create AndX Response, FID: 0x0000, Error: STATUS_OBJECT_PATH_NOT_FOUND"
"73","1.129255","10.0.0.154","10.0.0.5","SMB","NT Create AndX Request, FID: 0x000d, Path: \chris\My Documents"
"74","1.129387","10.0.0.5","10.0.0.154","SMB","NT Create AndX Response, FID: 0x000d"
"75","1.129911","10.0.0.154","10.0.0.5","SMB","NT Trans Request, NT IOCTL FILE_SYSTEM Function:0x001e, FID: 0x000d"
"76","1.129942","10.0.0.5","10.0.0.154","SMB","NT Trans Response, FID: 0x000d, NT IOCTL, Error: STATUS_INVALID_PARAMETER"
"77","1.130375","10.0.0.154","10.0.0.5","SMB","Close Request, FID: 0x000d"
"78","1.130415","10.0.0.5","10.0.0.154","SMB","Close Response, FID: 0x000d"
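
[Added example, not part of the original post: one way to summarize a Wireshark CSV export like the one above, counting SMB requests per client, the paths each client keeps polling, and the error statuses the server returns. The function name summarize, the sample rows and the second client 10.0.0.160 are constructed for illustration.]

```python
import csv
import io
import re
from collections import Counter

# Constructed sample in the same Wireshark CSV layout as the export above,
# with Info fields wrapped inside the quotes; 10.0.0.160 is a made-up second client.
SAMPLE = r'''"No.","Time","Source","Destination","Protocol","Info"
"1","0.010","10.0.0.154","10.0.0.5","SMB","Trans2 Request,
QUERY_PATH_INFO, Query File Basic Info, Path: \chris\My Documents"
"2","0.024","10.0.0.154","10.0.0.5","SMB","NT Create AndX Request,
Path: \$Extend\$Quota:$Q:$INDEX_ALLOCATION"
"3","0.025","10.0.0.5","10.0.0.154","SMB","NT Create AndX
Response, FID: 0x0000, Error: STATUS_OBJECT_PATH_NOT_FOUND"
"4","0.026","10.0.0.154","10.0.0.5","SMB","NT Trans Request, NT
IOCTL FILE_SYSTEM Function:0x001e, FID: 0xc002"
"5","0.027","10.0.0.5","10.0.0.154","SMB","NT Trans Response, FID:
0xc002, NT IOCTL, Error: STATUS_INVALID_PARAMETER"
"6","1.122","10.0.0.154","10.0.0.5","SMB","Trans2 Request,
QUERY_PATH_INFO, Query File Basic Info, Path: \chris\My Documents"
"7","1.200","10.0.0.160","10.0.0.5","SMB","Trans2 Request,
QUERY_PATH_INFO, Query File Basic Info, Path: \public"
'''

PATH_RE = re.compile(r"Path:\s*(.+)$")
ERR_RE = re.compile(r"Error: (STATUS_\w+)")

def summarize(csv_text, server):
    """Per-client SMB request counts, polled paths and server error statuses."""
    requests, paths, errors = Counter(), Counter(), Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Protocol"] != "SMB":
            continue
        info = " ".join(row["Info"].split())  # undo wrapping inside the field
        if row["Destination"] == server and "Request" in info:
            requests[row["Source"]] += 1
            path = PATH_RE.search(info)
            if path:  # frames with an empty "Path: " are counted but not keyed
                paths[(row["Source"], path.group(1))] += 1
        elif row["Source"] == server:
            err = ERR_RE.search(info)
            if err:
                errors[(row["Destination"], err.group(1))] += 1
    return requests, paths, errors

if __name__ == "__main__":
    reqs, paths, errs = summarize(SAMPLE, "10.0.0.5")
    for title, counter in (("requests", reqs), ("paths", paths), ("errors", errs)):
        print(title, counter.most_common())
```

Run against a full export, the most_common() output ranks clients by request volume and shows which share paths and status codes dominate the repeating cycle.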

mabman

Mar 26, 2010, 4:28:09 PM
I should add, no Event Log errors in Application or System log on
either the server or the client.

Bill Kearney

Mar 27, 2010, 2:30:15 PM

Are you using network profiles as part of a domain? Or local ones? In
either case it would seem like a good idea to start by trashing the "chris"
user profile stored on that machine. Assuming there is one named chris, the
SMB requests looking for it indicate that as a likely username. Or is the
server or share named chris?

Then take a close look at what other applications or services are installed
on that machine. It would seem like there's something extra installed on it
that's trying to make repeated network requests.

mabman

Mar 29, 2010, 1:59:01 PM
The user "chris" on that PC does have a redirected "My Documents"
folder on the server. As you mention, the confusing thing is the
network activity when no user is logged into the PC. I'll have to
look further at the profile - I've checked the PC and I don't see
anything unusual installed.

