Re: Code integrity error on tcpip.sys -- IS suspicious



Hello Luke,
Here is where the issue gets confusing.
If TCPIP.sys is failing at boot time you shouldn't be able to boot.
So this means that the file appears to pass the boot test when the kernel
first loads the file.
If you are crashing at boot time, I could see this as the cause.

What happens in the event log message is that something loads TCPIP.sys
into memory during user mode.
Not all the data is present to verify the page hashes so the error message
is generated.
This is after TCPIP is already loaded.

Is this 64-bit?
What is the exact BlueScreen Error message that you are seeing?
What is the Event Log message that you are seeing?
So is there a one-to-one correlation between every BSOD and every event
message, or do they happen independent of each other?

Thanks,
Darrell Gorter[MSFT]

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| >Thread-Topic: Code integrity error on tcpip.sys -- IS suspicious
| >From: =?Utf-8?B?THVrZSBLYXZlbg==?= <LukeKaven@xxxxxxxxxxxxxxxxxxxxxxxxx>
| >Subject: Re: Code integrity error on tcpip.sys -- IS suspicious
| >Date: Tue, 23 Dec 2008 05:59:02 -0800
| >Newsgroups: microsoft.public.windows.vista.security
| >
| >Thanks for putting that up. I appreciate it.
| >
| >This is a straight stock install with updates from Microsoft. No patches to
| >TCPIP.SYS were made (as I know some people do patch this driver). So the
| >signed, stock driver was installed. If anything is modifying it, it isn't
| >showing up as a change in the driver file on disk. I don't have reason to
| >think that anything is modifying it in memory at the moment.
| >
| >So is a disk error possible here? I can't find any accompanying messages
| >about disk errors. And I'm wondering why, after installing a number of
| >updates, why it would always be that one driver that is cited by the
| >CodeIntegrity violation? Could it be that there is an intermittently bad
| >sector somewhere in the pagefile where this driver happens to reside? Why
| >wouldn't disk errors be showing up in the log?
| >
| >I know CHKDSK won't necessarily identify marginal sectors. It's been a
| >while since I've had to fix a disk. Could someone remind me if there is a
| >way to do a low level scan that will identify marginal sectors and put them
| >on the permanent bad sector list without necessitating a complete reformat
| >and reinstall?
| >
| >Thanks, Luke
| >
| >"FromTheRafters" wrote:
| >
| >> Figure 2. Code integrity events
| >>
| >> The Code Integrity Operational log shows events generated by the kernel when
| >> a kernel mode driver fails an image verification check when the driver is
| >> loaded. The image verification failure may be due to a number of reasons,
| >> including the following:
| >>
| >> a. The driver was unsigned, but installed on the system by an
| >> administrator and Code Integrity is not allowing the driver to load.
| >> b. The driver was signed, but the driver image file was modified or
| >> tampered with and the modification invalidated the driver signature.
| >> c. The system disk device may have device errors when reading the image
| >> file for the device from bad disk sectors.
| >> From this article:
| >>
| >> http://msdn.microsoft.com/en-us/library/bb530195.aspx
| >>
| >> ....near the bottom
| >>
| >> It looks like what you are experiencing to me. Hope it helps.
| >>
| >> "Luke Kaven" <LukeKaven@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
| >> news:C3D5CD03-8D72-4DF4-A766-ECDC9A345F4E@xxxxxxxxxxxxxxxx
| >> > Hmmm, 37 Microsoft updates and an updated network interface driver later,
| >> > the machine still crashes. Still with EventID 3002. CodeIntegrity error.
| >> > TCPIP.SYS. "per-page image hashes could not be found on this system"
| >> > Stayed up for 12 hours today, a new record. But after I brought it back
| >> > up it crashed ten minutes later while idle.
| >> >
| >> > Any ideas out there? One of you Microsoft engineers must have an idea of
| >> > what causes this kind of thing. No useful information from L2 Vista
| >> > support, though they've tried to be helpful.
| >>
| >>
| >>
| >
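
Added example, not part of the original thread: one way to check whether the CodeIntegrity event 3002 records and the blue screens line up one-to-one, as asked in the reply above. It assumes a System-log event 1001 whose text mentions "bugcheck" marks a BSOD (written after the reboot) and uses an arbitrary 30-minute look-back window.

```powershell
# Added example. Assumptions: event 3002 is the CodeIntegrity event quoted in
# the thread; System event 1001 mentioning "bugcheck" marks a BSOD and is
# written after the reboot; the 30-minute and 30-day windows are arbitrary.
$windowMinutes = 30
$since = (Get-Date).AddDays(-30)

# CodeIntegrity 3002 records, oldest first.
$ci = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3002
        StartTime = $since
    } -ErrorAction SilentlyContinue | Sort-Object TimeCreated)

# Bugcheck records from the System log, oldest first.
$crashes = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'System'
        Id        = 1001
        StartTime = $since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'bugcheck' } |
    Sort-Object TimeCreated)

# For each crash record, collect the 3002 events logged in the window before it.
$matched = @{}
$report = foreach ($crash in $crashes) {
    $from = $crash.TimeCreated.AddMinutes(-$windowMinutes)
    $near = @($ci | Where-Object {
            $_.TimeCreated -ge $from -and $_.TimeCreated -le $crash.TimeCreated
        })
    foreach ($e in $near) { $matched[$e.RecordId] = $true }
    [pscustomobject]@{
        CrashLogged  = $crash.TimeCreated
        CI3002Before = $near.Count
        LastCI3002   = if ($near.Count) { $near[-1].TimeCreated } else { $null }
    }
}
$report | Format-Table -AutoSize

# 3002 events that were not followed by a crash record inside the window.
$orphans = @($ci | Where-Object { -not $matched.ContainsKey($_.RecordId) })
'{0} crash record(s), {1} event 3002 record(s), {2} with no crash within {3} min' -f `
    $crashes.Count, $ci.Count, $orphans.Count, $windowMinutes
```

Crash rows with `CI3002Before` of 0, or a non-zero orphan count, indicate the two happen independently of each other.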
