Vista - Code integrity error on tcpip.sys

Sigcheck reports file as ok, sfc /scannow completes ok. Is this file ok?
Thanks Mark


Code integrity determined that the image hash of a file is not valid. The
file could be corrupt due to unauthorized modification or the invalid hash
could indicate a potential disk device error.

File Name: \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys




C:\Windows\System32\drivers>sigcheck -a -h -r tcpip.sys

sigcheck v1.54 - sigcheck
Copyright (C) 2004-2008 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\Windows\System32\drivers\tcpip.sys:
Verified: Signed
Signing date: 7:33 PM 5/28/2008
Publisher: Microsoft Corporation
Description: TCP/IP Driver
Product: Microsoft« Windows« Operating System
Version: 6.0.6001.18063
File version: 6.0.6001.18063 (vistasp1_gdr.080425-1930)
Original Name: tcpip.sys
Internal Name: tcpip.sys
Copyright: � Microsoft Corporation. All rights reserved.
Comments: n/a
MD5: 82e266bee5f0167e41c6ecfdd2a79c02
SHA1: f633629656e43452aa08611f0f72d24a46e7441c
SHA256:
1f462e882a662b2a133df035c435001b2ef6364f49a9ed6a6d98bd643093b666

Hello Mark,
Yes the file is OK.
This error happens when tcpip.sys is loaded in user mode, to check the
version information of the driver binary.
It loaded fine at boot time in kernel mode and was successfully verified or
you would have seen errors at boot time or tcpip.sys would not have loaded.

Thanks,
Darrell Gorter[MSFT]

This posting is provided "AS IS" with no warranties, and confers no rights
--------------------
| >From: "Mark Naughton" <MarkNaughton@xxxxxx>
| >Subject: Code integrity error on tcpip.sys
| >Date: Wed, 10 Dec 2008 15:40:03 -0500
| >Lines: 38
| >Message-ID: <B11D7537-E874-4D0A-8DD9-5A1657251BBE@xxxxxx>
| >MIME-Version: 1.0
| >Content-Type: text/plain;
| > format=flowed;
| > charset="utf-8";
| > reply-type=original
| >Content-Transfer-Encoding: 8bit
| >X-Priority: 3
| >X-MSMail-Priority: Normal
| >X-Newsreader: Microsoft Windows Mail 6.0.6001.18000
| >X-MimeOLE: Produced By Microsoft MimeOLE V6.0.6001.18049
| >X-MS-CommunityGroup-MessageCategory:
{E4FCE0A9-75B4-4168-BFF9-16C22D8747EC}
| >X-MS-CommunityGroup-PostID: {B11D7537-E874-4D0A-8DD9-5A1657251BBE}
| >Newsgroups: microsoft.public.windows.vista.security
| >Path: TK2MSFTNGHUB02.phx.gbl
| >Xref: TK2MSFTNGHUB02.phx.gbl
microsoft.public.windows.vista.security:19999
| >NNTP-Posting-Host: TK2MSFTNGHUB02.phx.gbl 127.0.0.1
| >X-Tomcat-NG: microsoft.public.windows.vista.security
| >
| >
| >
| >Sigcheck reports file as ok, sfc /scannow completes ok. Is this file ok?
| >Thanks Mark
| >
| >
| >Code integrity determined that the image hash of a file is not valid.
The
| >file could be corrupt due to unauthorized modification or the invalid
hash
| >could indicate a potential disk device error.
| >
| >File Name: \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys
| >
| >
| >
| >
| >C:\Windows\System32\drivers>sigcheck -a -h -r tcpip.sys
| >
| >sigcheck v1.54 - sigcheck
| >Copyright (C) 2004-2008 Mark Russinovich
| >Sysinternals - www.sysinternals.com
| >
| >C:\Windows\System32\drivers\tcpip.sys:
| > Verified: Signed
| > Signing date: 7:33 PM 5/28/2008
| > Publisher: Microsoft Corporation
| > Description: TCP/IP Driver
| > Product: Microsoft« Windows« Operating System
| > Version: 6.0.6001.18063
| > File version: 6.0.6001.18063 (vistasp1_gdr.080425-1930)
| > Original Name: tcpip.sys
| > Internal Name: tcpip.sys
| > Copyright: � Microsoft Corporation. All rights reserved.
| > Comments: n/a
| > MD5: 82e266bee5f0167e41c6ecfdd2a79c02
| > SHA1: f633629656e43452aa08611f0f72d24a46e7441c
| > SHA256:
| >1f462e882a662b2a133df035c435001b2ef6364f49a9ed6a6d98bd643093b666
| >
| >

Since installing Vista SP1 three weeks ago, I have had BSOD crashes that
immediately follow a CodeIntegrity violation error (event ID 3002) in the log
that cites TCPIP.SYS according to the OPs message. Over a hundred crashes.

Day after day, I've been over this problem with 1st and 2nd level Vista
support. I am now strongly suspicious that this driver is corrupt and is
causing these crashes. The version installed by SP1 currently on my system
reads as v6.0.6001.18000 and is dated 18-Jan-2008.

My driver was not patched so far as I know. The only third party software
installed after SP1 is Adobe CS4. Bone stock Dell Dimension E521. Lots of
systematic searches for driver updates, disabling unneeded devices, all to no
avail. The only constant is TCPIP.SYS and the error report that immediately
precedes each crash.

I do not know if I am a candidate for hotfix based on KB article #952709,
which carries TWO updates of this one file. [v6.0.6001.18063 and
v6.0.6001.22167 (both dated 26-Apr-2008). ]

Are you really sure this is okay?

What can I do? Install the hotfix listed above? Try SP2 BETA? Reverting
to pre SP1 isn't an option, because my Adobe CS4 won't run without SP1 or
higher.

Luke Kaven

""Darrell Gorter[MSFT]"" wrote:

On Mon, 22 Dec 2008 00:46:01 -0800, Luke Kaven <Luke
Kaven@xxxxxx> wrote:
1) try the hotfix. If it's not meant for your system, it won't
install.

2) if the problem IS SP1, then your CS4 is going to be pretty useless
on a computer that is constantly crashing, hmm??

--
Max

"The Max" wrote:I get a couple of hours of use of the machine each day between crashes. It
is either that or nothing. So I think I'm best off trying to get SP1 to
work, or SP2 for that matter.

"Luke Kaven" <Luke Kaven@xxxxxx> wrote in message
news:7325F3C4-A2E9-4573-8D25-CA742962C93E@xxxxxxCheck Dell's support site for a new device driver for the network interface
hardware.

Mike.

"Michael D. Ober" wrote:Note that the machine was not networked and the network interface hardware
device driver was disabled during this time.

Last night, I connected to the network and installed every Microsoft update
listed by auto-update. Within a half hour, the machine crashed following a
CodeIntegrity violation, also citing hash of TCPIP.SYS (though this file
itself was updated). But this does leave open the question of the network
interface hardware, which was obviously up during that time. But just
barely. So I have now installed that driver update.

I ran FSCK /R on the system disk just in case. Ran while booting and I was
away while it completed. Does anyone know if there is a saved FSCK log
anywhere on the system.

Of course I meant to say "CHKDSK /R". I found the log. No bad sectors, but
a few free sectors marked as allocated.

Hmmm, 37 Microsoft updates and an updated network interface driver later, the
machine still crashes. Still with EventID 3002. CodeIntegrity error.
TCPIP.SYS. "per-page image hashes could not be found on this system" Stayed
up for 12 hours today, a new record. But after I brought it back up it
crashed ten minutes later while idle.

Any ideas out there? One of you Microsoft engineers must have an idea of
what causes this kind of thing. No useful information from L2 Vista support,
though they've tried to be helpful.

Figure 2. Code integrity events

The Code Integrity Operational log shows events generated by the kernel when
a kernel mode driver fails an image verification check when the driver is
loaded. The image verification failure may be due to a number of reasons,
including the following:

a.. The driver was unsigned, but installed on the system by an
administrator and Code Integrity is not allowing the driver to load.
b.. The driver was signed, but the driver image file was modified or
tampered with and the modification invalidated the driver signature.
c.. The system disk device may have device errors when reading the image
file for the device from bad disk sectors.
From this article:

http://msdn.microsoft.com/en-us/library/bb530195.aspx

....near the bottom

It looks like what you are experiencing to me, Hope it helps.

"Luke Kaven" <LukeKaven@xxxxxx> wrote in message
news:C3D5CD03-8D72-4DF4-A766-ECDC9A345F4E@xxxxxx