Event 5038, Microsoft Windows security auditing. fveapi.dll

  • Thread starter Thread starter Peter K
  • Start date Start date
P

Peter K

I get this security event a lot on Vista 32-bit SP1:

"Code integrity determined that the image hash of a file is not valid. The
file could be corrupt due to unauthorized modification or the invalid hash
could indicate a potential disk device error.

File Name: \Device\HarddiskVolume1\Windows\System32\fveapi.dll"

This file is located in two places on my system, and it seems the same in
both:

C:\Windows\System32\fveapi.dl
C:\Windows\SoftwareDistribution\Download\f7fd361ee72a8e86a63bf6b0eb2d2503\x86_microsoft-windows-securestartup-core_31bf3856ad364e35_6.0.6001.18000_none_34daa5e8f21ef8d2\fveapi.dll

Version: 6.0.6001.18000
Size: 173056 bytes
SHA1: b89d67b3bc79a87aff89d0e05d9553b176d0aa4d

Can someone else verify this to be the correct file after 32-bit SP1 is
installed?

If it IS correct, why do I get an incredible pause sometimes when loading a
program that uses this DLL, followed by this audit failure event in the log,
but then apparently everything continues on as it should...?
 
Peter K said:
This file is located in two places on my system, and it seems the same in
both:

C:\Windows\System32\fveapi.dll

fveapi.dll is not part of Vista. I haven't it.
 
Peter K said:
I get this security event a lot on Vista 32-bit SP1:

"Code integrity determined that the image hash of a file is not valid.
The
file could be corrupt due to unauthorized modification or the invalid hash
could indicate a potential disk device error.

File Name: \Device\HarddiskVolume1\Windows\System32\fveapi.dll"

This file is located in two places on my system, and it seems the same in
both:

C:\Windows\System32\fveapi.dll
C:\Windows\SoftwareDistribution\Download\f7fd361ee72a8e86a63bf6b0eb2d2503\x86_microsoft-windows-securestartup-core_31bf3856ad364e35_6.0.6001.18000_none_34daa5e8f21ef8d2\fveapi.dll

Version: 6.0.6001.18000
Size: 173056 bytes
SHA1: b89d67b3bc79a87aff89d0e05d9553b176d0aa4d

Can someone else verify this to be the correct file after 32-bit SP1 is
installed?

If it IS correct, why do I get an incredible pause sometimes when loading
a
program that uses this DLL, followed by this audit failure event in the
log,
but then apparently everything continues on as it should...?
.
Hi Peter K
Go here and have a read.
http://www.greatis.com/vista/DLL/f/fveapi.dll.htm

bw..
 
meerkat said:

Thanks for your help, meerkat, yep I did a whole lot of surfing before I
posted on this forum, but nowhere did I find these DLL reference sites
referring to the SP1 versions of the DLL's, I believe them all to still be
referring to the original Vista. If you look at the directory
C:\Windows\System32 after installing SP1, you see a whole pile of files with
the identical version number 6.0.6001.18000, one of which is fveapi.dll, and
I simply would like to know whether I have a rotten copy of it, or whether
Vista security is mis-diagnosing it for some reason and slowing things down.
By the way, if it helps, my copy has this MD5 sum:

MD5: 1acb8d567b779dc3ff09e7f31ac3f111
 
Peter said:
I get this security event a lot on Vista 32-bit SP1:

"Code integrity determined that the image hash of a file is not valid. The
file could be corrupt due to unauthorized modification or the invalid hash
could indicate a potential disk device error.

File Name: \Device\HarddiskVolume1\Windows\System32\fveapi.dll"

Well, by chance in my digging I came across another tab in the Event
Viewer that showed another event related to the same problem that must
cascade into the security auditing event above:

Event ID 3002, "Code integrity determined that the image hash of a file
is not valid. The file could be corrupt due to unauthorized
modification or the invalid hash could indicate a potential disk device
error.

File Name: \Device\HarddiskVolume1\Windows\System32\fveapi.dll"

Putting this into Google reveals this quite informational Microsoft web
page "User-mode Protected Media Path File Validation":

http://technet2.microsoft.com/windo...e318-42ec-8a5e-41ccb306fc211033.mspx?mfr=true

in which the fix for this problem is to do a Startup Repair. I'll try
that this evening!
 
Back
Top