Security Audit Failure (Event Viewer) tcpip.sys hash not valid/cor

A

artfuldodga

Code integrity determined that the image hash of a file is not valid. The
file could be corrupt due to unauthorized modification or the invalid hash
could indicate a potential disk device error.

File Name: \Device\HarddiskVolume3\Windows\System32\drivers\tcpip.sys

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 8/11/08 3:35p
Event ID: 5038
Task Category: System Integrity
Level: Information
Keywords: Audit Failure
User: N/A
Computer: XPS1530-PC
Description:
Code integrity determined that the image hash of a file is not valid. The
file could be corrupt due to unauthorized modification or the invalid hash
could indicate a potential disk device error.

File Name: \Device\HarddiskVolume3\Windows\System32\drivers\tcpip.sys
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing"
Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
<EventID>5038</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12290</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2008-11-08T19:05:00.227Z" />
<EventRecordID>27081</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="56" />
<Channel>Security</Channel>
<Computer>XPS1530-PC</Computer>
<Security />
</System>
<EventData>
<Data
Name="param1">\Device\HarddiskVolume3\Windows\System32\drivers\tcpip.sys</Data>
</EventData>
</Event>

OS Vista Ultimate SP1

I have no idea why this failure is showing up, is there a specific service
needed for the audit success? Other than seeing the error(s) occur via Event
Viewer, I have not had any issues with connectivity, and other security
audits complete fine without failure. Anyone have any ideas what might fix
this? I do not believe I modified the tcpip.sys in any way
 
P

Paul Shapiro

Interesting. My Vista 64 SP1 crashed two days ago for the first time in
months, and reported the same error with the same file. It just happened
once so I didn't investigate further. Seems to have been working fine since
then and no more error message in the event log. I wondered if was
antivirus-related? I have Trend Micro plus Windows Defender. Anything sound
familiar?
 
A

artfuldodga

yeah so the results of the manual check.

Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.
C:\Windows\system32>sfc /verifyfile=C:\Windows\System32\drivers\tcpip.sys
Windows Resource Protection did not find any integrity violations.

error is still showing up in event viewer with no adverse effects, wondering
where i can go from here in order to sort it out? maybe i need to have a
specific service enabled in order for it to process correctly, any more ideas?
 
A

Allan

artfuldodga said:
yeah so the results of the manual check.

Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.
C:\Windows\system32>sfc /verifyfile=C:\Windows\System32\drivers\tcpip.sys
Windows Resource Protection did not find any integrity violations.

error is still showing up in event viewer with no adverse effects,
wondering
where i can go from here in order to sort it out? maybe i need to have a
specific service enabled in order for it to process correctly, any more
ideas?

Engel said:
See if the information in this article, "How to Repair and Verify the
Integrity of Vista System Files with System File Checker"

<http://www.vistax64.com/tutorials/66978-system-files.html>

Good luck


Ǝиçεl
-=-
Try replacing the module from the installation media with a good copy after
backing up this allegedly corrupted driver. You should not have to do a
complete repair reinstallation (I don't believe so).
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top