Sigcheck reports file as ok, sfc /scannow completes ok. Is this file ok?
Thanks Mark

Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys

C:\Windows\System32\drivers>sigcheck -a -h -r tcpip.sys

sigcheck v1.54 - sigcheck
Copyright (C) 2004-2008 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\Windows\System32\drivers\tcpip.sys:
    Verified:       Signed
    Signing date:   7:33 PM 5/28/2008
    Publisher:      Microsoft Corporation
    Description:    TCP/IP Driver
    Product:        Microsoft® Windows® Operating System
    Version:        6.0.6001.18063
    File version:   6.0.6001.18063 (vistasp1_gdr.080425-1930)
    Original Name:  tcpip.sys
    Internal Name:  tcpip.sys
    Copyright:      © Microsoft Corporation. All rights reserved.
    Comments:       n/a
    MD5:    82e266bee5f0167e41c6ecfdd2a79c02
    SHA1:   f633629656e43452aa08611f0f72d24a46e7441c
    SHA256: 1f462e882a662b2a133df035c435001b2ef6364f49a9ed6a6d98bd643093b666
|
|
Hello Mark, Yes the file is OK. This error happens when tcpip.sys is loaded in user mode, to check the version information of the driver binary. It loaded fine at boot time in kernel mode and was successfully verified or you would have seen errors at boot time or tcpip.sys would not have loaded.
Thanks, Darrell Gorter[MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights
--------------------
| >From: "Mark Naughton" <MarkNaughton[ at ]hotmail.com>
| >Subject: Code integrity error on tcpip.sys
| >Date: Wed, 10 Dec 2008 15:40:03 -0500
| >Newsgroups: microsoft.public.windows.vista.security
|
|
Since installing Vista SP1 three weeks ago, I have had BSOD crashes that immediately follow a CodeIntegrity violation error (event ID 3002) in the log that cites TCPIP.SYS according to the OP's message. Over a hundred crashes.
Day after day, I've been over this problem with 1st and 2nd level Vista support. I am now strongly suspicious that this driver is corrupt and is causing these crashes. The version installed by SP1 currently on my system reads as v6.0.6001.18000 and is dated 18-Jan-2008.
My driver was not patched so far as I know. The only third party software installed after SP1 is Adobe CS4. Bone stock Dell Dimension E521. Lots of systematic searches for driver updates, disabling unneeded devices, all to no avail. The only constant is TCPIP.SYS and the error report that immediately precedes each crash.
I do not know if I am a candidate for hotfix based on KB article #952709, which carries TWO updates of this one file [v6.0.6001.18063 and v6.0.6001.22167 (both dated 26-Apr-2008)].
Are you really sure this is okay?
What can I do? Install the hotfix listed above? Try SP2 BETA? Reverting to pre SP1 isn't an option, because my Adobe CS4 won't run without SP1 or higher.
Luke Kaven
"Darrell Gorter[MSFT]" wrote:
[Quoted Text]
> Hello Mark,
> Yes the file is OK.
> This error happens when tcpip.sys is loaded in user mode, to check the version information of the driver binary.
> It loaded fine at boot time in kernel mode and was successfully verified or you would have seen errors at boot time or tcpip.sys would not have loaded.
>
> Thanks,
> Darrell Gorter[MSFT]
|
|
On Mon, 22 Dec 2008 00:46:01 -0800, Luke Kaven <Luke Kaven[ at ]discussions.microsoft.com> wrote:
[Quoted Text] >What can I do? Install the hotfix listed above? Try SP2 BETA? Reverting >to pre SP1 isn't an option, because my Adobe CS4 won't run without SP1 or >higher.
1) try the hotfix. If it's not meant for your system, it won't install.
2) if the problem IS SP1, then your CS4 is going to be pretty useless on a computer that is constantly crashing, hmm??
-- Max
|
|
"The Max" wrote:
[Quoted Text]
> On Mon, 22 Dec 2008 00:46:01 -0800, Luke Kaven <Luke Kaven[ at ]discussions.microsoft.com> wrote:
>
> >What can I do? Install the hotfix listed above? Try SP2 BETA? Reverting to pre SP1 isn't an option, because my Adobe CS4 won't run without SP1 or higher.
>
> 1) try the hotfix. If it's not meant for your system, it won't install.
>
> 2) if the problem IS SP1, then your CS4 is going to be pretty useless on a computer that is constantly crashing, hmm??
I get a couple of hours of use of the machine each day between crashes. It is either that or nothing. So I think I'm best off trying to get SP1 to work, or SP2 for that matter.
|
|
"Luke Kaven" <Luke Kaven[ at ]discussions.microsoft.com> wrote in message news:7325F3C4-A2E9-4573-8D25-CA742962C93E[ at ]microsoft.com...
[Quoted Text]
> Since installing Vista SP1 three weeks ago, I have had BSOD crashes that immediately follow a CodeIntegrity violation error (event ID 3002) in the log that cites TCPIP.SYS according to the OP's message. Over a hundred crashes.
>
> Day after day, I've been over this problem with 1st and 2nd level Vista support. I am now strongly suspicious that this driver is corrupt and is causing these crashes. The version installed by SP1 currently on my system reads as v6.0.6001.18000 and is dated 18-Jan-2008.
>
> My driver was not patched so far as I know. The only third party software installed after SP1 is Adobe CS4. Bone stock Dell Dimension E521. Lots of systematic searches for driver updates, disabling unneeded devices, all to no avail. The only constant is TCPIP.SYS and the error report that immediately precedes each crash.
>
> I do not know if I am a candidate for hotfix based on KB article #952709, which carries TWO updates of this one file [v6.0.6001.18063 and v6.0.6001.22167 (both dated 26-Apr-2008)].
>
> Are you really sure this is okay?
>
> What can I do? Install the hotfix listed above? Try SP2 BETA? Reverting to pre SP1 isn't an option, because my Adobe CS4 won't run without SP1 or higher.
>
> Luke Kaven
Check Dell's support site for a new device driver for the network interface hardware.
Mike.
|
|
"Michael D. Ober" wrote:
[Quoted Text] > Check Dell's support site for a new device driver for the network interface > hardware.
Note that the machine was not networked and the network interface hardware device driver was disabled during this time.
Last night, I connected to the network and installed every Microsoft update listed by auto-update. Within a half hour, the machine crashed following a CodeIntegrity violation, also citing hash of TCPIP.SYS (though this file itself was updated). But this does leave open the question of the network interface hardware, which was obviously up during that time. But just barely. So I have now installed that driver update.
I ran FSCK /R on the system disk just in case. Ran while booting and I was away while it completed. Does anyone know if there is a saved FSCK log anywhere on the system?
|
|
Of course I meant to say "CHKDSK /R". I found the log. No bad sectors, but a few free sectors marked as allocated.
|
|
Hmmm, 37 Microsoft updates and an updated network interface driver later, the machine still crashes. Still with EventID 3002. CodeIntegrity error. TCPIP.SYS. "per-page image hashes could not be found on this system". Stayed up for 12 hours today, a new record. But after I brought it back up it crashed ten minutes later while idle.
Any ideas out there? One of you Microsoft engineers must have an idea of what causes this kind of thing. No useful information from L2 Vista support, though they've tried to be helpful.
|
|
Figure 2. Code integrity events
The Code Integrity Operational log shows events generated by the kernel when a kernel mode driver fails an image verification check when the driver is loaded. The image verification failure may be due to a number of reasons, including the following:
a. The driver was unsigned, but installed on the system by an administrator and Code Integrity is not allowing the driver to load.
b. The driver was signed, but the driver image file was modified or tampered with and the modification invalidated the driver signature.
c. The system disk device may have device errors when reading the image file for the device from bad disk sectors.

From this article:
http://msdn.microsoft.com/en-us/library/bb530195.aspx
....near the bottom
It looks like what you are experiencing to me. Hope it helps.
"Luke Kaven" <LukeKaven[ at ]discussions.microsoft.com> wrote in message news:C3D5CD03-8D72-4DF4-A766-ECDC9A345F4E[ at ]microsoft.com...
[Quoted Text]
> Hmmm, 37 Microsoft updates and an updated network interface driver later, the machine still crashes. Still with EventID 3002. CodeIntegrity error. TCPIP.SYS. "per-page image hashes could not be found on this system". Stayed up for 12 hours today, a new record. But after I brought it back up it crashed ten minutes later while idle.
>
> Any ideas out there? One of you Microsoft engineers must have an idea of what causes this kind of thing. No useful information from L2 Vista support, though they've tried to be helpful.
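The three causes listed in the post above can be partly separated from the event logs. The following is an added example, not part of any post in this thread: it lists Code Integrity 3002 events per file and counts how many of them fall close in time to storage-related events in the System log. The 30-day look-back, the 10-minute window, the provider-name pattern and the mapping of the event's volume to the system drive are assumptions of this example.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell 4.0+ session.
$since         = (Get-Date).AddDays(-30)   # look-back period (example value)
$windowMinutes = 10                        # correlation window (example value)

# Code Integrity events with ID 3002, the ID reported in the thread.
$ci = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3002
        StartTime = $since
    } -ErrorAction SilentlyContinue)

# Critical, error and warning events from storage-related providers in the
# System log. The provider-name pattern is this example's assumption.
$storage = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'System'
        Level     = 1, 2, 3
        StartTime = $since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -match 'disk|ntfs|atapi|volmgr|storport|storahci' })

$rows = @(foreach ($e in $ci) {
    # Both message variants quoted in the thread name a \Device\HarddiskVolumeN\ path.
    $file = '(path not parsed)'
    if ($e.Message -match '\\Device\\HarddiskVolume\d+(\\.+?\.(?:sys|dll|exe))') {
        $file = $Matches[1]
    }
    $near = @($storage | Where-Object {
            [Math]::Abs(($_.TimeCreated - $e.TimeCreated).TotalMinutes) -le $windowMinutes
        })
    [pscustomobject]@{
        Time          = $e.TimeCreated
        File          = $file
        StorageEvents = $near.Count
    }
})

# One entry per file: event count, how many coincided with storage events, and
# the current on-disk SHA256 for comparison with a known-good copy.
$rows | Group-Object File | ForEach-Object {
    # Assumes the HarddiskVolume named in the event is the system drive.
    $local = Join-Path $env:SystemDrive $_.Name
    $hash  = $null
    if (Test-Path -LiteralPath $local) {
        $hash = (Get-FileHash -LiteralPath $local -Algorithm SHA256).Hash
    }
    [pscustomobject]@{
        File              = $_.Name
        Events            = $_.Count
        WithStorageEvents = @($_.Group | Where-Object { $_.StorageEvents -gt 0 }).Count
        OnDiskSHA256      = $hash
    }
} | Format-List
```

If the same file recurs with WithStorageEvents at 0 and its on-disk SHA256 matches a known-good copy (for example the value printed by sigcheck -h), the logs give no support for the disk-read explanation; that result does not by itself identify the cause.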
|
|
Thanks for putting that up. I appreciate it.
This is a straight stock install with updates from Microsoft. No patches to TCPIP.SYS were made (as I know some people do patch this driver). So the signed, stock driver was installed. If anything is modifying it, it isn't showing up as a change in the driver file on disk. I don't have reason to think that anything is modifying it in memory at the moment.
So is a disk error possible here? I can't find any accompanying messages about disk errors. And I'm wondering why, after installing a number of updates, it would always be that one driver that is cited by the CodeIntegrity violation? Could it be that there is an intermittently bad sector somewhere in the pagefile where this driver happens to reside? Why wouldn't disk errors be showing up in the log?
I know CHKDSK won't necessarily identify marginal sectors. It's been a while since I've had to fix a disk. Could someone remind me if there is a way to do a low level scan that will identify marginal sectors and put them on the permanent bad sector list without necessitating a complete reformat and reinstall?
Thanks, Luke
"FromTheRafters" wrote:
[Quoted Text]
> Figure 2. Code integrity events
>
> The Code Integrity Operational log shows events generated by the kernel when a kernel mode driver fails an image verification check when the driver is loaded. The image verification failure may be due to a number of reasons, including the following:
>
> a. The driver was unsigned, but installed on the system by an administrator and Code Integrity is not allowing the driver to load.
> b. The driver was signed, but the driver image file was modified or tampered with and the modification invalidated the driver signature.
> c. The system disk device may have device errors when reading the image file for the device from bad disk sectors.
>
> From this article:
>
> http://msdn.microsoft.com/en-us/library/bb530195.aspx
> ....near the bottom
>
> It looks like what you are experiencing to me. Hope it helps.