Event 5038, Microsoft Windows security auditing. fveapi.dll

Discussion in 'Windows Vista Security' started by Peter K, Jul 30, 2008.

  1. Peter K

    Peter K Guest

    I get this security event a lot on Vista 32-bit SP1:

    "Code integrity determined that the image hash of a file is not valid. The
    file could be corrupt due to unauthorized modification or the invalid hash
    could indicate a potential disk device error.

    File Name: \Device\HarddiskVolume1\Windows\System32\fveapi.dll"

    This file is located in two places on my system, and it seems the same in
    both:

    C:\Windows\System32\fveapi.dll
    C:\Windows\SoftwareDistribution\Download\f7fd361ee72a8e86a63bf6b0eb2d2503\x86_microsoft-windows-securestartup-core_31bf3856ad364e35_6.0.6001.18000_none_34daa5e8f21ef8d2\fveapi.dll

    Version: 6.0.6001.18000
    Size: 173056 bytes
    SHA1: b89d67b3bc79a87aff89d0e05d9553b176d0aa4d

    Can someone else verify this to be the correct file after 32-bit SP1 is
    installed?

    If it IS correct, why do I get an incredible pause sometimes when loading a
    program that uses this DLL, followed by this audit failure event in the log,
    but then apparently everything continues on as it should...?
     
    Peter K, Jul 30, 2008
    #1

  2. Peter K

    BillD Guest

    fveapi.dll is not part of Vista. I haven't it.
     
    BillD, Jul 30, 2008
    #2

  3. In your case, it's probably a bug.

    I can't wait for your post about it.
     
    Paul Montgomery, Jul 30, 2008
    #3
  4. Peter K

    meerkat Guest

    Hi Peter K
    Go here and have a read.
    http://www.greatis.com/vista/DLL/f/fveapi.dll.htm

    bw..
     
    meerkat, Jul 30, 2008
    #4
  5. Peter K

    Peter K Guest

    Thanks for your help, meerkat, yep I did a whole lot of surfing before I
    posted on this forum, but nowhere did I find these DLL reference sites
    referring to the SP1 versions of the DLLs; I believe them all to still be
    referring to the original Vista. If you look at the directory
    C:\Windows\System32 after installing SP1, you see a whole pile of files with
    the identical version number 6.0.6001.18000, one of which is fveapi.dll, and
    I simply would like to know whether I have a rotten copy of it, or whether
    Vista security is mis-diagnosing it for some reason and slowing things down.
    By the way, if it helps, my copy has this MD5 sum:

    MD5: 1acb8d567b779dc3ff09e7f31ac3f111
     
    Peter K, Jul 30, 2008
    #5
  6. Well, by chance in my digging I came across another tab in the Event
    Viewer that showed another event related to the same problem that must
    cascade into the security auditing event above:

    Event ID 3002, "Code integrity determined that the image hash of a file
    is not valid. The file could be corrupt due to unauthorized
    modification or the invalid hash could indicate a potential disk device
    error.

    File Name: \Device\HarddiskVolume1\Windows\System32\fveapi.dll"

    Putting this into Google reveals this quite informational Microsoft web
    page "User-mode Protected Media Path File Validation":

    http://technet2.microsoft.com/windo...e318-42ec-8a5e-41ccb306fc211033.mspx?mfr=true

    in which the fix for this problem is to do a Startup Repair. I'll try
    that this evening!
     
    Pēteris Kļaviņš, Jul 31, 2008
    #6
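
The check described in posts #1 and #6, as an added example that is not part of the original thread: it pulls the `File Name:` value out of the Event 5038 / 3002 text and fingerprints each copy of the file by size, MD5 and SHA1. The event sample is constructed from the text quoted above, and the `\Device\HarddiskVolume1` to `C:` mapping and all function names are assumptions.

```python
import hashlib
import re

# Constructed sample: the event text as quoted in the thread (Event 5038 / 3002).
SAMPLE_EVENT = (
    "Code integrity determined that the image hash of a file is not valid.\n\n"
    'File Name: \\Device\\HarddiskVolume1\\Windows\\System32\\fveapi.dll"'
)

# Assumption: volume-to-drive-letter mapping of the machine being examined.
VOLUME_MAP = {r"\Device\HarddiskVolume1": "C:"}


def flagged_file(event_text, volume_map=VOLUME_MAP):
    """Return the 'File Name:' value from the event text as a drive-letter path."""
    m = re.search(r"^\s*File Name:\s*(\S.*?)\s*$", event_text, re.MULTILINE)
    if not m:
        return None
    nt_path = m.group(1).strip('"')  # drop a quote left over from copy/paste
    for device, drive in volume_map.items():
        if nt_path.lower().startswith(device.lower() + "\\"):
            return drive + nt_path[len(device):]
    return nt_path  # unmapped volume: keep the NT device path unchanged


def fingerprint(path, chunk=1 << 16):
    """Size, MD5 and SHA1 of one file, read in chunks."""
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            md5.update(block)
            sha1.update(block)
            size += len(block)
    return {"size": size, "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def compare_copies(paths):
    """Fingerprint each copy; 'identical' is True only if every copy was read and all match."""
    results, errors = {}, {}
    for p in paths:
        try:
            results[str(p)] = fingerprint(p)
        except OSError as exc:  # record read failures; the event names disk errors as a cause
            errors[str(p)] = str(exc)
    identical = not errors and len({r["sha1"] for r in results.values()}) == 1
    return {"identical": identical, "results": results, "errors": errors}
```

Identical fingerprints show only that the copies match each other; whether they match the file shipped with SP1 still needs a reference value from a known-good installation.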
  7. Peter K

    Peter Foldes Guest

    Peter Foldes, Jul 31, 2008
    #7