Error: “Can’t load SMART Utilities library (code 5) Access is denied” when printing to a Samsung Colour Laser Printer CLP-300N

Hardware

System Requirements:

  • Windows 2000 Professional
  • Windows XP Home, Professional
  • Windows Server 2003
  • Windows Vista

The Problem:

When a user who is not a local/domain administrator prints to your print server you may receive the following error message on the local console account of the Print Server (Windows Server 2003).

SMART UI 32-bits Gateway error
Can’t load SMART Utilities library (code 5)
Access is denied.

SMART code 5 error message

Depending upon your situation, you may receive this error when:

  • Any user attempts to send any print job to the printer via the share
  • When a user attempts to print from Microsoft Internet Explorer and not from other applications

The error occurs using driver 1.63.11 on 2000/XP/2003 and 3.03 under Windows Vista when communicated with a printer server rather than the printer NIC directly.

If you are serving the share from 2000 or XP you shouldn’t see this issue.

More Information:

So you get a new laser printer, and the last thing that you expect is that every time someone tries to print you wind up with a support call to unblock the print queue! Yet this is exactly what Samsung seem to expect you to do.

I didn’t fiddle around when I heard about this, I checked the drivers were up to date and just logged a support call with Samsung who called back – be it 5 hours later than promised…

The support call in summary:

  1. Calls, registers
  2. Explanation of problem that printer needs unblocking every time someone sends a print job
  3. Gets put on call back queue
  4. Call back does happen, but 5 hours later than originally told
  5. Looks on expert system
  6. Expert system draws a blank
  7. Me: “Can I speak to a higher level 1 support agent?”
    Samsung: “No”
  8. Me: “Can I speak to a developer and fault report it?”
    Samsung: “No”
  9. Me: “Can you tell me when the next driver revision is due to be released?”
    Samsung: “No”
  10. Me: “Is there a new driver revision in the pipe-line?”
    Samsung: “I don’t know”
    Me: “Can you find out?”
    Samsung: “No”
  11. Me: “What are you going to do about it?”
    Samsung: “There is nothing that I can do?”
  12. The samsung guy now Google’s the problem and find exactly the same support material that I had already gone through to no avail from a user community web site Samsung guy starts reading it to me, and just to be annoying I interrupted him mid way through and continued to read the same paragraph to him from the same web page ending
    Me: “Yes I can Google too, this doesn’t work”
  13. Samsung guy now tells me to do one of the suggestions on the comments to the Google search result:
    Samsung: “If you format the server that will fix it”
    Me: “Are you out of your mind! I’m not formatting a domain controller to fix a printer problem, especially when the thing was only installed 2 months ago and there is no evidence that it would even fix the problem” (This article exists because it will not fix the problem)
    Samsung: “That is all I can suggest”
  14. Samsung guy now tells me that because there is something on Google he is sure that a developer must be aware of it and will be working on it
  15. Exasperated by this point
    Me: “OK, how about a past driver revision, perhaps if we go back to an older v1 it will sort itself out?”
    Samsung: “No, I can’t do that, I don’t have access to drivers, we can’t give them to you”
    Me: “Can you put me through to someone who can”
    Samsung: “No, there isn’t anyone”
    Me: “Can you escalate this request?”
    Samsung: “No”
  16. Me: “Can you escalate this request with a developer, supervisor or manager?”
    Samsung: “No”
  17. Me: “What do you expect us to do?”
    Samsung: “I don’t know”
  18. I summarised the situation to the monosyllabic individual on the other end of the phone
    Me: “So what you are saying is that as an organisation you find the fact that you’ve just sold us a brand new network laser printer that cannot accept a print job unless an administrator physically logs into the system console and clicks OK to an error message for each and every print job from a non-administrative user? The only advice you are willing to give me is to format an in-use domain controller to fix a printer driver problem and you find this an acceptable solution and are not willing to do anything about it?”
    … and this was the best bit:
    Samsung: “Yes”
  19. I have to say that at that point I pretty much put the phone down with a few monosyllabic intonations of my own, only realising as I did it that I didn’t tell them that they would be removed from the buying list for this.

 

The Moral of the Story

Don’t buy Samsung Printers and certainly don’t bother with their technical support in the UK.

I sincerely hope that someone in Samsung UK does read this page and does take on board the above, because quite frankly there are some serious issues in their support department.

… and yes, Samsung are no longer on any of my or my clients purchase lists.

The Fix

A couple of months went by between the support call and me actually getting around to looking at it properly – a couple of very, very aggravating months by all accounts.

In a nut shell and after some forensic analysis and some perplexing:

When your user sends off a print job to the print server, it trips off a user-level instance inside the spoolsv.exe, which determines ultimately the permissions that the user is going to have for their print job, sets up the print environment and negotiates with the driver to receive validated queue objects.

For some CONVLUTED reason, the Samsung driver is telling the spoolsv.exe process that it needs to make use of NTVDM.exe under the credentials of the user who transmitted the print job.

If you do not know, NTVDM is the NT Virtual Desktop Manager, it is the process wrapper service used to execute 16-bit (yes 16-bit) code under the 32-bit environment of Win32 (in this case).

One question: Why?
This is a printer designed exclusively for use against NT 5.0 and above (Windows 2000+), so why in blazes does it need access to a 16-bit host process to print something?!?!

This is where your having Windows Server 2003 comes into play, because there are security model changes between 2000, XP and 2003 that have caused this problem.

Windows 2000

Under Windows 2000 the default permissions for NTVDM.exe are…

  • Administrators (F)
  • Everyone (R & E)
  • Power Users (R & E)
  • SYSTEM (F)
  • Users (R & E)

Windows XP

Similarly under Windows XP…

  • Administrators (F)
  • Power Users (R & E) [Professional Only]
  • System (F)
  • Users (R & E)

Windows Server 2003

Lastly under Windows Server 2003…

  • Administrators (F)
  • Batch (R & E)
  • Interactive (R & E)
  • Service (R & E)
  • System (F)

The solution should now be self-explanatory, the user/domain user account has no access to NTVDM.exe under Windows Server 2003 by default, therefore you simply need to give the user groups Read & Execute access to the NTVDM.exe on the Widows 2003 Server that you are sharing the printer from and it will solve the access denied problem that plagues this particular driver.

This isn’t a particularly great solution as it means modifying default Microsoft file permissions, however, it will make the printer work without you having to live in front of a console session between 9am and 5pm.

… it just doesn’t explain why it needs access to NTVDM in the first place.