Code integrity error on tcpip.sys

Posted: 12-10-2008, 08:40 PM


Sigcheck reports file as ok, sfc /scannow completes ok. Is this file ok?
Thanks Mark


Code integrity determined that the image hash of a file is not valid. The
file could be corrupt due to unauthorized modification or the invalid hash
could indicate a potential disk device error.

File Name: \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys




C:\Windows\System32\drivers>sigcheck -a -h -r tcpip.sys

sigcheck v1.54 - sigcheck
Copyright (C) 2004-2008 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\Windows\System32\drivers\tcpip.sys:
Verified: Signed
Signing date: 7:33 PM 5/28/2008
Publisher: Microsoft Corporation
Description: TCP/IP Driver
Product: Microsoft® Windows® Operating System
Version: 6.0.6001.18063
File version: 6.0.6001.18063 (vistasp1_gdr.080425-1930)
Original Name: tcpip.sys
Internal Name: tcpip.sys
Copyright: © Microsoft Corporation. All rights reserved.
Comments: n/a
MD5: 82e266bee5f0167e41c6ecfdd2a79c02
SHA1: f633629656e43452aa08611f0f72d24a46e7441c
SHA256: 1f462e882a662b2a133df035c435001b2ef6364f49a9ed6a6d98bd643093b666


Responses to "Code integrity error on tcpip.sys"

Darrell Gorter[MSFT]
Guest
Posts: n/a
 
RE: Code integrity error on tcpip.sys
Posted: 12-11-2008, 03:23 AM
Hello Mark,
Yes the file is OK.
This error happens when tcpip.sys is loaded in user mode, to check the
version information of the driver binary.
It loaded fine at boot time in kernel mode and was successfully verified or
you would have seen errors at boot time or tcpip.sys would not have loaded.

Thanks,
Darrell Gorter[MSFT]

This posting is provided "AS IS" with no warranties, and confers no rights

Luke Kaven
Guest
Posts: n/a
 
RE: Code integrity error on tcpip.sys -- IS suspicious
Posted: 12-22-2008, 08:46 AM
Since installing Vista SP1 three weeks ago, I have had BSOD crashes that
immediately follow a CodeIntegrity violation error (event ID 3002) in the log
that cites TCPIP.SYS according to the OP's message. Over a hundred crashes.

Day after day, I've been over this problem with 1st and 2nd level Vista
support. I am now strongly suspicious that this driver is corrupt and is
causing these crashes. The version installed by SP1 currently on my system
reads as v6.0.6001.18000 and is dated 18-Jan-2008.

My driver was not patched so far as I know. The only third party software
installed after SP1 is Adobe CS4. Bone stock Dell Dimension E521. Lots of
systematic searches for driver updates, disabling unneeded devices, all to no
avail. The only constant is TCPIP.SYS and the error report that immediately
precedes each crash.

I do not know if I am a candidate for hotfix based on KB article #952709,
which carries TWO updates of this one file. [v6.0.6001.18063 and
v6.0.6001.22167 (both dated 26-Apr-2008). ]

Are you really sure this is okay?

What can I do? Install the hotfix listed above? Try SP2 BETA? Reverting
to pre SP1 isn't an option, because my Adobe CS4 won't run without SP1 or
higher.

Luke Kaven

The Max
Guest
Posts: n/a
 
Re: Code integrity error on tcpip.sys -- IS suspicious
Posted: 12-22-2008, 10:03 AM
On Mon, 22 Dec 2008 00:46:01 -0800, Luke Kaven <Luke
Kaven@discussions.microsoft.com> wrote:
>What can I do? Install the hotfix listed above? Try SP2 BETA? Reverting
>to pre SP1 isn't an option, because my Adobe CS4 won't run without SP1 or
>higher.
1) try the hotfix. If it's not meant for your system, it won't
install.

2) if the problem IS SP1, then your CS4 is going to be pretty useless
on a computer that is constantly crashing, hmm??

--
Max

Luke Kaven
Guest
Posts: n/a
 
Re: Code integrity error on tcpip.sys -- IS suspicious
Posted: 12-22-2008, 10:25 AM
"The Max" wrote:
> On Mon, 22 Dec 2008 00:46:01 -0800, Luke Kaven <Luke
> Kaven@discussions.microsoft.com> wrote:
>
> >What can I do? Install the hotfix listed above? Try SP2 BETA? Reverting
> >to pre SP1 isn't an option, because my Adobe CS4 won't run without SP1 or
> >higher.
>
> 1) try the hotfix. If it's not meant for your system, it won't
> install.
>
> 2) if the problem IS SP1, then your CS4 is going to be pretty useless
> on a computer that is constantly crashing, hmm??
I get a couple of hours of use of the machine each day between crashes. It
is either that or nothing. So I think I'm best off trying to get SP1 to
work, or SP2 for that matter.

Michael D. Ober
Guest
Posts: n/a
 
Re: Code integrity error on tcpip.sys -- IS suspicious
Posted: 12-22-2008, 12:55 PM
Check Dell's support site for a new device driver for the network interface
hardware.

Mike.


Luke Kaven
Guest
Posts: n/a
 
Re: Code integrity error on tcpip.sys -- IS suspicious
Posted: 12-22-2008, 06:42 PM
"Michael D. Ober" wrote:
> Check Dell's support site for a new device driver for the network interface
> hardware.
Note that the machine was not networked and the network interface hardware
device driver was disabled during this time.

Last night, I connected to the network and installed every Microsoft update
listed by auto-update. Within a half hour, the machine crashed following a
CodeIntegrity violation, also citing hash of TCPIP.SYS (though this file
itself was updated). But this does leave open the question of the network
interface hardware, which was obviously up during that time. But just
barely. So I have now installed that driver update.

I ran FSCK /R on the system disk just in case. Ran while booting and I was
away while it completed. Does anyone know if there is a saved FSCK log
anywhere on the system?

Luke Kaven
Guest
Posts: n/a
 
Re: Code integrity error on tcpip.sys -- IS suspicious
Posted: 12-22-2008, 06:48 PM
Of course I meant to say "CHKDSK /R". I found the log. No bad sectors, but
a few free sectors marked as allocated.

Luke Kaven
Guest
Posts: n/a
 
Re: Code integrity error on tcpip.sys -- IS suspicious
Posted: 12-23-2008, 05:14 AM
Hmmm, 37 Microsoft updates and an updated network interface driver later, the
machine still crashes. Still with EventID 3002. CodeIntegrity error.
TCPIP.SYS. "per-page image hashes could not be found on this system" Stayed
up for 12 hours today, a new record. But after I brought it back up it
crashed ten minutes later while idle.

Any ideas out there? One of you Microsoft engineers must have an idea of
what causes this kind of thing. No useful information from L2 Vista support,
though they've tried to be helpful.

FromTheRafters
Guest
Posts: n/a
 
Re: Code integrity error on tcpip.sys -- IS suspicious
Posted: 12-23-2008, 01:20 PM
Figure 2. Code integrity events

The Code Integrity Operational log shows events generated by the kernel when
a kernel mode driver fails an image verification check when the driver is
loaded. The image verification failure may be due to a number of reasons,
including the following:

a. The driver was unsigned, but installed on the system by an
   administrator and Code Integrity is not allowing the driver to load.
b. The driver was signed, but the driver image file was modified or
   tampered with and the modification invalidated the driver signature.
c. The system disk device may have device errors when reading the image
   file for the device from bad disk sectors.

From this article:

http://msdn.microsoft.com/en-us/library/bb530195.aspx

....near the bottom

It looks like what you are experiencing to me. Hope it helps.

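The comparison the thread works through by hand (a Code Integrity event on one side, the signature of the file on disk on the other), as an added example that is not part of any post in the thread. It assumes the events are in the Microsoft-Windows-CodeIntegrity/Operational log, that the flagged file is on the system drive, and PowerShell 4.0 or later for Get-FileHash.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
$logName = 'Microsoft-Windows-CodeIntegrity/Operational'

# Event ID 3002 is the one cited in the thread; an empty result is not an error.
$events = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 3002 } `
                       -ErrorAction SilentlyContinue

# Assumption: the message text embeds an NT device path like
#   \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys
# and that volume is the system drive. Files on other volumes need a real
# device-to-drive-letter mapping, which this example does not attempt.
$pattern = '\\Device\\HarddiskVolume\d+(\\[^\r\n"]+?\.(?:sys|dll|exe))'

$hits = foreach ($e in $events) {
    if ($e.Message -match $pattern) {
        [pscustomobject]@{
            Time = $e.TimeCreated
            Path = $env:SystemDrive + $Matches[1]
        }
    }
}

# One row per file: how often it was flagged, and what the copy on disk looks like now.
$hits | Group-Object Path | ForEach-Object {
    $path   = $_.Name
    $sorted = @($_.Group | Sort-Object Time)
    $onDisk = Test-Path -LiteralPath $path

    # Catalog-signed system files may show NotSigned on older PowerShell versions;
    # sigcheck, as used in the thread, also checks catalogs.
    $sig = if ($onDisk) { Get-AuthenticodeSignature -LiteralPath $path }

    [pscustomobject]@{
        Path      = $path
        Events    = $_.Count
        FirstSeen = $sorted[0].Time
        LastSeen  = $sorted[-1].Time
        Signature = if ($sig) { $sig.Status } else { 'file not found' }
        Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject }
        SHA256    = if ($onDisk) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash }
    }
} | Format-List
```

A Valid signature next to recurring events matches the situation in the original post; any other status, or a missing file, points toward the modification and disk-error causes listed in the quoted article.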

 