Re: Code integrity error on tcpip.sys -- IS suspicious
- From: Darrellg@xxxxxxxxxxxxxxxxxxxx ("Darrell Gorter[MSFT]")
- Date: Wed, 07 Jan 2009 01:32:25 GMT
Here is where the issue gets confusing.
If TCPIP.sys is failing at boot time you shouldn't be able to boot.
So this means that the file appears to pass the boot test when the kernel
first loads the file.
If you are crashing at boot time, I could see this as the cause.
What happens in the event log message is that something loads TCPIP.sys
into memory during user mode.
Not all the data is present to verify the page hashes so the error message
This is after TCPIP is already loaded
Is this 64-bit?
What is the exact BlueScreen Error message that you are seeing?
What is the Event Log message that you are seeing?
So is there a one to one correlation between every BSOD and every event
message or do they happen independant of each other?
This posting is provided "AS IS" with no warranties, and confers no rights
| >Thread-Topic: Code integrity error on tcpip.sys -- IS suspicious
| >thread-index: AcllBpysS8LPnTdfRrO4ui5uNk2nfA==
| >X-WBNR-Posting-Host: 22.214.171.124
| >From: =?Utf-8?B?THVrZSBLYXZlbg==?= <LukeKaven@xxxxxxxxxxxxxxxxxxxxxxxxx>
| >References: <B11D7537-E874-4D0A-8DD9-5A1657251BBE@xxxxxxxxxxxxx>
| >Subject: Re: Code integrity error on tcpip.sys -- IS suspicious
| >Date: Tue, 23 Dec 2008 05:59:02 -0800
| >Lines: 63
| >Message-ID: <5C785667-7EB7-4289-B59B-F13492B575B5@xxxxxxxxxxxxx>
| >MIME-Version: 1.0
| >Content-Type: text/plain;
| > charset="Utf-8"
| >Content-Transfer-Encoding: 7bit
| >X-Newsreader: Microsoft CDO for Windows 2000
| >Content-Class: urn:content-classes:message
| >Importance: normal
| >Priority: normal
| >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.3168
| >Newsgroups: microsoft.public.windows.vista.security
| >Path: TK2MSFTNGHUB02.phx.gbl
| >Xref: TK2MSFTNGHUB02.phx.gbl
| >NNTP-Posting-Host: tk2msftibfm01.phx.gbl 10.40.244.149
| >X-Tomcat-NG: microsoft.public.windows.vista.security
| >Thanks for putting that up. I appreciate it.
| >This is a straight stock install with updates from Microsoft. No
| >TCPIP.SYS were made (as I know some people do patch this driver). So
| >signed, stock driver was installed. If anything is modifying it, it
| >showing up as a change in the driver file on disk. I don't have reason
| >think that anything is modifying it in memory at the moment.
| >So is a disk error possible here? I can't find any accompanying
| >about disk errors. And I'm wondering why, after installing a number of
| >updates, why it would always be that one driver that is cited by the
| >CodeIntegrity violation? Could it be that there is an intermittently
| >sector somewhere in the pagefile where this driver happens to reside?
| >wouldn't disk errors be showing up in the log?
| >I know CHKDSK won't necessarily identify marginal sectors. It's been a
| >while since I've had to fix a disk. Could someone remind me if there is
| >way to do a low level scan that will identify marginal sectors and put
| >on the permanent bad sector list without necessitating a complete
| >and reinstall?
| >Thanks, Luke
| >"FromTheRafters" wrote:
| >> Figure 2. Code integrity events
| >> The Code Integrity Operational log shows events generated by the
| >> a kernel mode driver fails an image verification check when the driver
| >> loaded. The image verification failure may be due to a number of
| >> including the following:
| >> a.. The driver was unsigned, but installed on the system by an
| >> administrator and Code Integrity is not allowing the driver to load.
| >> b.. The driver was signed, but the driver image file was modified or
| >> tampered with and the modification invalidated the driver signature.
| >> c.. The system disk device may have device errors when reading the
| >> file for the device from bad disk sectors.
| >> From this article:
| >> http://msdn.microsoft.com/en-us/library/bb530195.aspx
| >> ....near the bottom
| >> It looks like what you are experiencing to me, Hope it helps.
| >> "Luke Kaven" <LukeKaven@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
| >> news:C3D5CD03-8D72-4DF4-A766-ECDC9A345F4E@xxxxxxxxxxxxxxxx
| >> > Hmmm, 37 Microsoft updates and an updated network interface driver
| >> > the
| >> > machine still crashes. Still with EventID 3002. CodeIntegrity
| >> > TCPIP.SYS. "per-page image hashes could not be found on this
| >> > Stayed
| >> > up for 12 hours today, a new record. But after I brought it back up
| >> > crashed ten minutes later while idle.
| >> >
| >> > Any ideas out there? One of you Microsoft engineers must have an
| >> > what causes this kind of thing. No useful information from L2 Vista
| >> > support,
| >> > though they've tried to be helpful.