Code integrity error on tcpip.sys

Mark Naughton

Sigcheck reports file as ok, sfc /scannow completes ok. Is this file ok?
Thanks Mark


Code integrity determined that the image hash of a file is not valid. The
file could be corrupt due to unauthorized modification or the invalid hash
could indicate a potential disk device error.

File Name: \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys




C:\Windows\System32\drivers>sigcheck -a -h -r tcpip.sys

sigcheck v1.54 - sigcheck
Copyright (C) 2004-2008 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\Windows\System32\drivers\tcpip.sys:
Verified: Signed
Signing date: 7:33 PM 5/28/2008
Publisher: Microsoft Corporation
Description: TCP/IP Driver
Product: Microsoft® Windows® Operating System
Version: 6.0.6001.18063
File version: 6.0.6001.18063 (vistasp1_gdr.080425-1930)
Original Name: tcpip.sys
Internal Name: tcpip.sys
Copyright: © Microsoft Corporation. All rights reserved.
Comments: n/a
MD5: 82e266bee5f0167e41c6ecfdd2a79c02
SHA1: f633629656e43452aa08611f0f72d24a46e7441c
SHA256: 1f462e882a662b2a133df035c435001b2ef6364f49a9ed6a6d98bd643093b666
 
Hello Mark,
Yes the file is OK.
This error happens when tcpip.sys is loaded in user mode, to check the
version information of the driver binary.
It loaded fine at boot time in kernel mode and was successfully verified or
you would have seen errors at boot time or tcpip.sys would not have loaded.

Thanks,
Darrell Gorter[MSFT]

This posting is provided "AS IS" with no warranties, and confers no rights
 
Since installing Vista SP1 three weeks ago, I have had BSOD crashes that
immediately follow a CodeIntegrity violation error (event ID 3002) in the log
that cites TCPIP.SYS according to the OP's message. Over a hundred crashes.

Day after day, I've been over this problem with 1st and 2nd level Vista
support. I am now strongly suspicious that this driver is corrupt and is
causing these crashes. The version installed by SP1 currently on my system
reads as v6.0.6001.18000 and is dated 18-Jan-2008.

My driver was not patched so far as I know. The only third party software
installed after SP1 is Adobe CS4. Bone stock Dell Dimension E521. Lots of
systematic searches for driver updates, disabling unneeded devices, all to no
avail. The only constant is TCPIP.SYS and the error report that immediately
precedes each crash.

I do not know if I am a candidate for hotfix based on KB article #952709,
which carries TWO updates of this one file. [v6.0.6001.18063 and
v6.0.6001.22167 (both dated 26-Apr-2008). ]

Are you really sure this is okay?

What can I do? Install the hotfix listed above? Try SP2 BETA? Reverting
to pre SP1 isn't an option, because my Adobe CS4 won't run without SP1 or
higher.

Luke Kaven
 
The Max said:
On Mon, 22 Dec 2008 00:46:01 -0800, Luke Kaven <Luke


1) try the hotfix. If it's not meant for your system, it won't
install.

2) if the problem IS SP1, then your CS4 is going to be pretty useless
on a computer that is constantly crashing, hmm??

I get a couple of hours of use of the machine each day between crashes. It
is either that or nothing. So I think I'm best off trying to get SP1 to
work, or SP2 for that matter.
 
Michael D. Ober said:
Check Dell's support site for a new device driver for the network interface
hardware.

Note that the machine was not networked and the network interface hardware
device driver was disabled during this time.

Last night, I connected to the network and installed every Microsoft update
listed by auto-update. Within a half hour, the machine crashed following a
CodeIntegrity violation, also citing hash of TCPIP.SYS (though this file
itself was updated). But this does leave open the question of the network
interface hardware, which was obviously up during that time. But just
barely. So I have now installed that driver update.

I ran FSCK /R on the system disk just in case. Ran while booting and I was
away while it completed. Does anyone know if there is a saved FSCK log
anywhere on the system?
 
Of course I meant to say "CHKDSK /R". I found the log. No bad sectors, but
a few free sectors marked as allocated.
 
Hmmm, 37 Microsoft updates and an updated network interface driver later, the
machine still crashes. Still with EventID 3002. CodeIntegrity error.
TCPIP.SYS. "per-page image hashes could not be found on this system" Stayed
up for 12 hours today, a new record. But after I brought it back up it
crashed ten minutes later while idle.

Any ideas out there? One of you Microsoft engineers must have an idea of
what causes this kind of thing. No useful information from L2 Vista support,
though they've tried to be helpful.
 
Figure 2. Code integrity events

The Code Integrity Operational log shows events generated by the kernel when
a kernel mode driver fails an image verification check when the driver is
loaded. The image verification failure may be due to a number of reasons,
including the following:

a. The driver was unsigned, but installed on the system by an
administrator and Code Integrity is not allowing the driver to load.
b. The driver was signed, but the driver image file was modified or
tampered with and the modification invalidated the driver signature.
c. The system disk device may have device errors when reading the image
file for the device from bad disk sectors.

From this article:

http://msdn.microsoft.com/en-us/library/bb530195.aspx

....near the bottom

It looks like what you are experiencing to me. Hope it helps.
 
Thanks for putting that up. I appreciate it.

This is a straight stock install with updates from Microsoft. No patches to
TCPIP.SYS were made (as I know some people do patch this driver). So the
signed, stock driver was installed. If anything is modifying it, it isn't
showing up as a change in the driver file on disk. I don't have reason to
think that anything is modifying it in memory at the moment.

So is a disk error possible here? I can't find any accompanying messages
about disk errors. And I'm wondering why, after installing a number of
updates, it would always be that one driver that is cited by the
CodeIntegrity violation? Could it be that there is an intermittently bad
sector somewhere in the pagefile where this driver happens to reside? Why
wouldn't disk errors be showing up in the log?

I know CHKDSK won't necessarily identify marginal sectors. It's been a
while since I've had to fix a disk. Could someone remind me if there is a
way to do a low level scan that will identify marginal sectors and put them
on the permanent bad sector list without necessitating a complete reformat
and reinstall?

Thanks, Luke
 
Hello Luke,
Here is where the issue gets confusing.
If TCPIP.sys is failing at boot time you shouldn't be able to boot.
So this means that the file appears to pass the boot test when the kernel
first loads the file.
If you are crashing at boot time, I could see this as the cause.

What happens in the event log message is that something loads TCPIP.sys
into memory during user mode.
Not all the data is present to verify the page hashes so the error message
is generated.
This is after TCPIP is already loaded.

Is this 64-bit?
What is the exact BlueScreen Error message that you are seeing?
What is the Event Log message that you are seeing?
So is there a one-to-one correlation between every BSOD and every event
message, or do they happen independent of each other?

Thanks,
Darrell Gorter[MSFT]

This posting is provided "AS IS" with no warranties, and confers no rights
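
The question in the reply above, whether every BSOD lines up with an event 3002 entry or the two occur independently, can be answered mechanically from exported timestamps. The following is an added example, not part of the thread; the CSV layout, the CRASH marker and the 60-second window are assumptions of this example, and the sample records are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample export (not data from the thread): "timestamp,log,id".
# 3002 is the CodeIntegrity event ID cited in the thread; CRASH is a
# hypothetical marker for a bugcheck time taken from the crash records.
SAMPLE = """\
2008-12-22T08:40:11,CodeIntegrity,3002
2008-12-22T08:40:14,System,CRASH
2008-12-22T13:05:52,CodeIntegrity,3002
2008-12-22T19:21:30,CodeIntegrity,3002
2008-12-22T19:21:31,System,CRASH
2008-12-23T02:10:00,System,CRASH
"""

def parse(text):
    """Split the export into sorted lists of 3002 times and crash times."""
    ci, crashes = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, _log, ident = (f.strip() for f in line.split(","))
        when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")
        if ident == "3002":
            ci.append(when)
        elif ident == "CRASH":
            crashes.append(when)
    return sorted(ci), sorted(crashes)

def correlate(ci, crashes, window=timedelta(seconds=60)):
    """Pair each crash with the latest unclaimed 3002 event preceding it
    by at most `window`; report what is left unpaired on either side."""
    unused = list(ci)
    paired, crash_only = [], []
    for crash in crashes:
        near = [t for t in unused if timedelta(0) <= crash - t <= window]
        if near:
            unused.remove(near[-1])
            paired.append((near[-1], crash))
        else:
            crash_only.append(crash)
    return {"paired": paired, "event_only": unused, "crash_only": crash_only}

def one_to_one(result):
    """True only if every crash has a 3002 event and every event a crash."""
    return bool(result["paired"]) and not (
        result["event_only"] or result["crash_only"])
```

Entries left in `event_only` are 3002 events that no crash followed, and entries in `crash_only` are crashes with no preceding 3002 event; either one means the correlation is not one-to-one.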
 