Security Audit Failure (Event Viewer) tcpip.sys hash not valid/cor

Code integrity determined that the image hash of a file is not valid. The
file could be corrupt due to unauthorized modification or the invalid hash
could indicate a potential disk device error.

File Name: \Device\HarddiskVolume3\Windows\System32\drivers\tcpip.sys

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 8/11/08 3:35p
Event ID: 5038
Task Category: System Integrity
Level: Information
Keywords: Audit Failure
User: N/A
Computer: XPS1530-PC
Description:
Code integrity determined that the image hash of a file is not valid. The
file could be corrupt due to unauthorized modification or the invalid hash
could indicate a potential disk device error.

File Name: \Device\HarddiskVolume3\Windows\System32\drivers\tcpip.sys
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing"
Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
<EventID>5038</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12290</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2008-11-08T19:05:00.227Z" />
<EventRecordID>27081</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="56" />
<Channel>Security</Channel>
<Computer>XPS1530-PC</Computer>
<Security />
</System>
<EventData>
<Data
Name="param1">\Device\HarddiskVolume3\Windows\System32\drivers\tcpip.sys</Data>
</EventData>
</Event>

OS Vista Ultimate SP1

I have no idea why this failure is showing up, is there a specific service
needed for the audit success? Other than seeing the error(s) occur via Event
Viewer, I have not had any issues with connectivity, and other security
audits complete fine without failure. Anyone have any ideas what might fix
this? I do not believe I modified the tcpip.sys in any way

See if the information in this article, "How to Repair and Verify the
Integrity of Vista System Files with System File Checker"

<http://www.vistax64.com/tutorials/66978-system-files.html>

Good luck


Ǝиçεl
-=-


"artfuldodga" wrote:

> Code integrity determined that the image hash of a file is not valid. The
> file could be corrupt due to unauthorized modification or the invalid hash
> could indicate a potential disk device error.
>
> File Name: \Device\HarddiskVolume3\Windows\System32\drivers\tcpip.sys
>
> Log Name: Security
> Source: Microsoft-Windows-Security-Auditing
> Date: 8/11/08 3:35p
> Event ID: 5038
> Task Category: System Integrity
> Level: Information
> Keywords: Audit Failure
> User: N/A
> Computer: XPS1530-PC
> Description:
> Code integrity determined that the image hash of a file is not valid. The
> file could be corrupt due to unauthorized modification or the invalid hash
> could indicate a potential disk device error.
>
> File Name: \Device\HarddiskVolume3\Windows\System32\drivers\tcpip.sys
> Event Xml:
> <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
> <System>
> <Provider Name="Microsoft-Windows-Security-Auditing"
> Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
> <EventID>5038</EventID>
> <Version>0</Version>
> <Level>0</Level>
> <Task>12290</Task>
> <Opcode>0</Opcode>
> <Keywords>0x8010000000000000</Keywords>
> <TimeCreated SystemTime="2008-11-08T19:05:00.227Z" />
> <EventRecordID>27081</EventRecordID>
> <Correlation />
> <Execution ProcessID="4" ThreadID="56" />
> <Channel>Security</Channel>
> <Computer>XPS1530-PC</Computer>
> <Security />
> </System>
> <EventData>
> <Data
> Name="param1">\Device\HarddiskVolume3\Windows\System32\drivers\tcpip.sys</Data>
> </EventData>
> </Event>
>
> OS Vista Ultimate SP1
>
> I have no idea why this failure is showing up, is there a specific service
> needed for the audit success? Other than seeing the error(s) occur via Event
> Viewer, I have not had any issues with connectivity, and other security
> audits complete fine without failure. Anyone have any ideas what might fix
> this? I do not believe I modified the tcpip.sys in any way

Interesting. My Vista 64 SP1 crashed two days ago for the first time in
months, and reported the same error with the same file. It just happened
once so I didn't investigate further. Seems to have been working fine since
then and no more error message in the event log. I wondered if was
antivirus-related? I have Trend Micro plus Windows Defender. Anything sound
familiar?

"Engel" <Engel@discussions.microsoft.com> wrote in message
news:8B730BEF-0E34-4965-B8E0-0B5742ACA61A@microsoft.com...
>
> See if the information in this article, "How to Repair and Verify the
> Integrity of Vista System Files with System File Checker"
>
> <http://www.vistax64.com/tutorials/66978-system-files.html>
>
> Good luck
>
>
> Ǝиçεl
> -=-
>
>
> "artfuldodga" wrote:
>
>> Code integrity determined that the image hash of a file is not valid.
>> The
>> file could be corrupt due to unauthorized modification or the invalid
>> hash
>> could indicate a potential disk device error.
>>
>> File Name: \Device\HarddiskVolume3\Windows\System32\drivers\tcpip.sys
>>
>> Log Name: Security
>> Source: Microsoft-Windows-Security-Auditing
>> Date: 8/11/08 3:35p
>> Event ID: 5038
>> Task Category: System Integrity
>> Level: Information
>> Keywords: Audit Failure
>> User: N/A
>> Computer: XPS1530-PC
>> Description:

>> OS Vista Ultimate SP1
>>
>> I have no idea why this failure is showing up, is there a specific
>> service
>> needed for the audit success? Other than seeing the error(s) occur via
>> Event
>> Viewer, I have not had any issues with connectivity, and other security
>> audits complete fine without failure. Anyone have any ideas what might
>> fix
>> this? I do not believe I modified the tcpip.sys in any way

yeah so the results of the manual check.

Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.
C:\Windows\system32>sfc /verifyfile=C:\Windows\System32\drivers\tcpip.sys
Windows Resource Protection did not find any integrity violations.

error is still showing up in event viewer with no adverse effects, wondering
where i can go from here in order to sort it out? maybe i need to have a
specific service enabled in order for it to process correctly, any more ideas?

"Engel" wrote:

>
> See if the information in this article, "How to Repair and Verify the
> Integrity of Vista System Files with System File Checker"
>
> <http://www.vistax64.com/tutorials/66978-system-files.html>
>
> Good luck
>
>
> Ǝиçεl
> -=-
>
>
> "artfuldodga" wrote:
>
> > Code integrity determined that the image hash of a file is not valid. The
> > file could be corrupt due to unauthorized modification or the invalid hash
> > could indicate a potential disk device error.
> >
> > File Name: \Device\HarddiskVolume3\Windows\System32\drivers\tcpip.sys
> >
> > Log Name: Security
> > Source: Microsoft-Windows-Security-Auditing
> > Date: 8/11/08 3:35p
> > Event ID: 5038
> > Task Category: System Integrity
> > Level: Information
> > Keywords: Audit Failure
> > User: N/A
> > Computer: XPS1530-PC
> > Description:
> > Code integrity determined that the image hash of a file is not valid. The
> > file could be corrupt due to unauthorized modification or the invalid hash
> > could indicate a potential disk device error.
> >
> > File Name: \Device\HarddiskVolume3\Windows\System32\drivers\tcpip.sys
> > Event Xml:
> > <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
> > <System>
> > <Provider Name="Microsoft-Windows-Security-Auditing"
> > Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
> > <EventID>5038</EventID>
> > <Version>0</Version>
> > <Level>0</Level>
> > <Task>12290</Task>
> > <Opcode>0</Opcode>
> > <Keywords>0x8010000000000000</Keywords>
> > <TimeCreated SystemTime="2008-11-08T19:05:00.227Z" />
> > <EventRecordID>27081</EventRecordID>
> > <Correlation />
> > <Execution ProcessID="4" ThreadID="56" />
> > <Channel>Security</Channel>
> > <Computer>XPS1530-PC</Computer>
> > <Security />
> > </System>
> > <EventData>
> > <Data
> > Name="param1">\Device\HarddiskVolume3\Windows\System32\drivers\tcpip.sys</Data>
> > </EventData>
> > </Event>
> >
> > OS Vista Ultimate SP1
> >
> > I have no idea why this failure is showing up, is there a specific service
> > needed for the audit success? Other than seeing the error(s) occur via Event
> > Viewer, I have not had any issues with connectivity, and other security
> > audits complete fine without failure. Anyone have any ideas what might fix
> > this? I do not believe I modified the tcpip.sys in any way

"artfuldodga" <artfuldodga@discussions.microsoft.com> wrote in message
news:BCDD2D91-75C1-4695-9C7C-B1EA98AEAEFC@microsoft.com...
> yeah so the results of the manual check.
>
> Microsoft Windows [Version 6.0.6001]
> Copyright (c) 2006 Microsoft Corporation. All rights reserved.
> C:\Windows\system32>sfc /verifyfile=C:\Windows\System32\drivers\tcpip.sys
> Windows Resource Protection did not find any integrity violations.
>
> error is still showing up in event viewer with no adverse effects,
> wondering
> where i can go from here in order to sort it out? maybe i need to have a
> specific service enabled in order for it to process correctly, any more
> ideas?
>
> "Engel" wrote:
>
>>
>> See if the information in this article, "How to Repair and Verify the
>> Integrity of Vista System Files with System File Checker"
>>
>> <http://www.vistax64.com/tutorials/66978-system-files.html>
>>
>> Good luck
>>
>>
>> Ǝиçεl
>> -=-
>>
>>
>> "artfuldodga" wrote:
>>
>> > Code integrity determined that the image hash of a file is not valid.
>> > The
>> > file could be corrupt due to unauthorized modification or the invalid
>> > hash
>> > could indicate a potential disk device error.
>> >
>> > File Name: \Device\HarddiskVolume3\Windows\System32\drivers\tcpip.sys
>> >
>> > Log Name: Security
>> > Source: Microsoft-Windows-Security-Auditing
>> > Date: 8/11/08 3:35p
>> > Event ID: 5038
>> > Task Category: System Integrity
>> > Level: Information
>> > Keywords: Audit Failure
>> > User: N/A
>> > Computer: XPS1530-PC
>> > Description:
>> > Code integrity determined that the image hash of a file is not valid.
>> > The
>> > file could be corrupt due to unauthorized modification or the invalid
>> > hash
>> > could indicate a potential disk device error.
>> >
>> > File Name: \Device\HarddiskVolume3\Windows\System32\drivers\tcpip.sys
>> > Event Xml:
>> > <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
>> > <System>
>> > <Provider Name="Microsoft-Windows-Security-Auditing"
>> > Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
>> > <EventID>5038</EventID>
>> > <Version>0</Version>
>> > <Level>0</Level>
>> > <Task>12290</Task>
>> > <Opcode>0</Opcode>
>> > <Keywords>0x8010000000000000</Keywords>
>> > <TimeCreated SystemTime="2008-11-08T19:05:00.227Z" />
>> > <EventRecordID>27081</EventRecordID>
>> > <Correlation />
>> > <Execution ProcessID="4" ThreadID="56" />
>> > <Channel>Security</Channel>
>> > <Computer>XPS1530-PC</Computer>
>> > <Security />
>> > </System>
>> > <EventData>
>> > <Data
>> > Name="param1">\Device\HarddiskVolume3\Windows\System32\drivers\tcpip.sys</Data>
>> > </EventData>
>> > </Event>
>> >
>> > OS Vista Ultimate SP1
>> >
>> > I have no idea why this failure is showing up, is there a specific
>> > service
>> > needed for the audit success? Other than seeing the error(s) occur via
>> > Event
>> > Viewer, I have not had any issues with connectivity, and other security
>> > audits complete fine without failure. Anyone have any ideas what might
>> > fix
>> > this? I do not believe I modified the tcpip.sys in any way
Try replacing the module from the installation media with a good copy after
backing up this allegedly corrupted driver. You should not have to do a
complete repair reinstallation (I don't believe so).

--
Allan