Security Audit Failure (Event Viewer) tcpip.sys hash not valid/cor

Sponsored Links

Code integrity determined that the image hash of a file is not valid. The
file could be corrupt due to unauthorized modification or the invalid hash
could indicate a potential disk device error.

File Name: \Device\HarddiskVolume3\Windows\System32\drivers\tcpip.sys

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 8/11/08 3:35p
Event ID: 5038
Task Category: System Integrity
Level: Information
Keywords: Audit Failure
User: N/A
Computer: XPS1530-PC
Description:
Code integrity determined that the image hash of a file is not valid. The
file could be corrupt due to unauthorized modification or the invalid hash
could indicate a potential disk device error.

File Name: \Device\HarddiskVolume3\Windows\System32\drivers\tcpip.sys
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing"
Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
<EventID>5038</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12290</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2008-11-08T19:05:00.227Z" />
<EventRecordID>27081</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="56" />
<Channel>Security</Channel>
<Computer>XPS1530-PC</Computer>
<Security />
</System>
<EventData>
<Data
Name="param1">\Device\HarddiskVolume3\Windows\System32\drivers\tcpip.sys</Data>
</EventData>
</Event>

OS Vista Ultimate SP1

I have no idea why this failure is showing up, is there a specific service
needed for the audit success? Other than seeing the error(s) occur via Event
Viewer, I have not had any issues with connectivity, and other security
audits complete fine without failure. Anyone have any ideas what might fix
this? I do not believe I modified the tcpip.sys in any way

See if the information in this article, "How to Repair and Verify the
Integrity of Vista System Files with System File Checker"

<http://www.vistax64.com/tutorials/66978-system-files.html>

Good luck

Interesting. My Vista 64 SP1 crashed two days ago for the first time in
months, and reported the same error with the same file. It just happened
once so I didn't investigate further. Seems to have been working fine since
then and no more error message in the event log. I wondered if was
antivirus-related? I have Trend Micro plus Windows Defender. Anything sound
familiar?

yeah so the results of the manual check.

Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.
C:\Windows\system32>sfc /verifyfile=C:\Windows\System32\drivers\tcpip.sys
Windows Resource Protection did not find any integrity violations.

error is still showing up in event viewer with no adverse effects, wondering
where i can go from here in order to sort it out? maybe i need to have a
specific service enabled in order for it to process correctly, any more ideas?

Try replacing the module from the installation media with a good copy after
backing up this allegedly corrupted driver. You should not have to do a
complete repair reinstallation (I don't believe so).