blarty-fargo wrote:
The upshot is that, when you reboot, your screen will be 640x480 with 4 bit colour. I added this to another thread on this forum - but that seems to be stale.
No, not stale. You mean this thread? I can't add anything more to it because it's been passed on to McAfee. They're mulling it over, and you should get an answer in a day or two - they've only had the details since last night. Anything I might try to add to the discussion would quite possibly be misleading, or even wrong. It's a driver problem, which means low-level interactions somewhere. That's as far as I can take it.
Cheers Hayton
Sorry if I stepped on your toes.
Blarty
Hi Hayton,
I suppose this thread here then continues dealing with:
1) Files that are required for Windows to run properly have been replaced by unrecognised versions. To maintain system stability Windows must restore the original versions of these files.
2) Almost at every shut-down a bunch of the following warnings (ID 64008) is generated in the System Event Viewer:
The protected system file [path\filename] could not be verified as valid because Windows File Protection is terminating. Use the SFC utility to verify the integrity of the file at a later time.
Hi. That is the same as I've been getting. Sometimes I will only get two or three warnings; other times it is a long list.
And indeed daydreamer, it started with DAT 6370.0000
There is a description of Windows File Protection at http://support.microsoft.com/default.aspx?scid=kb;en-us;222193
I think there may be two things going on here. The first one is that system files are being modified, triggering a response from WFP. I won't say this is caused by the McAfee update, but we do need some more investigation of this.
... protection is triggered after WFP receives a directory change notification for a file in a protected directory. After WFP receives this notification, WFP determines which file was changed. If the file is protected, WFP looks up the file signature in a catalog file to determine if the new file is the correct version. If the file is not the correct version, WFP replaces the new file with the file from the cache folder (if it is in the cache folder) or from the installation source. WFP searches for the correct file ...
If WFP finds the file in the cache folder or if the installation source is automatically located, WFP silently replaces the file and logs an event that resembles the following in the System log:
Event ID: 64001
Source: Windows File Protection
Description: File replacement was attempted on the protected system file <filename>. This file was restored to the original version to maintain system stability. The file version of the system file is x.x:x.x.
If WFP cannot automatically find the file in any of these locations, you receive ... the following message, where file_name is the name of the file that was replaced and product is the Windows product you are using:
"Windows File Protection
Files that are required for Windows to run properly have been replaced by unrecognized versions. To maintain system stability, Windows must restore the original versions of these files. Insert your product CD-ROM now"
Note If an administrator is not logged on, WFP cannot display either of these dialog boxes.
So, are there any 64001 messages in the Event Log, and are you running with Administrator privileges?
The 64004 message can occur when a program replaces newer system files with older ones of its own. Entering "sfc /purgecache" from the command line can solve the problem. Interesting that the only files mentioned were drmclien.dll and drmstor.dll - Packaged Media, that is multimedia files that have been encrypted (using Windows Media Rights Manager). I wonder if the encryption has anything to do with it?
(One thing I am seeing is that the 64001 message (and to a lesser extent the 64004 message) has in the past been associated with specific malware infections. If everyone reporting this problem has the same malware infection, otherwise unnoticed and unreported, I would be very surprised; but it's worth noting. Just to be sure, I would advise running a scan with McAfee and A.N.Other of your choice.)
============================================================
The second issue is characterised by messages in the Event Log saying
"The protected system file [path\filename] could not be verified as valid"
(because Windows File Protection is terminating)
- which implies that verification is not taking place, rather than that the files are invalid. The underlying problem here seems to be that the WFP service or process shuts down unexpectedly during the verification process.
There is a Microsoft Technet article about this HERE which suggests that you should run File Signature Verification (sigverif.exe) to verify that the files listed in the event log were not replaced with unrecognized versions.
In a discussion about WFP prompting a user to replace a protected file is the following, which might explain why Event ID 64008 occurs:
Normally, WFP posts system event log messages when a protected file is replaced, but the event message is not posted until the WFP dialog box is answered. Because typical users do not know that WFP is prompting them for the installation source, the computer may be restarted before the WFP dialog box is answered. In this situation, the following message is posted in the event log during a system shutdown:
Event Type: Information
Event Source: Windows File Protection
Event Category: None
Event ID: 64008
Date: current_date
Time: current_time
User: N/A
Computer: MYMACHINENAME
Description: The protected system file C:\winnt\system32\File_Name.exe could not be verified as valid because Windows File Protection is terminating. Use the SFC utility to verify the integrity of the file at a later time.
There was at one time an article in the McAfee KnowledgeBase (KB26580 - Event ID 64008) about this but it does not now exist.
That's about all I've been able to come up with so far. Anything else I can find out that's relevant I'll pass on.
Message was edited by: Hayton on 21/06/11 20:35:52 IST
I didn't have any issues at all, no symptoms of any kind prior to the update. The version it was updated to was:
McAfee SecurityCenter
Version: 11.0
Build: 11.0.560
AffId: 0
Language: en-us
Last update: 6/14/2011 (The date hadn't updated from an SC update for 10.5.239 for some reason)
McAfee VirusScan
Version: 15.0
Build: 15.0.288
Last update: 6/17/2011
DAT Version: 6380.0000
DAT Creation Date: 6/17/2011
Boot DAT Version: 6369.0000
Boot DAT Creation Date: 6/6/2011
Engine Version: 5400.1158
McAfee Personal Firewall
Version 12.0
Build: 12.0.335
Last update: 6/17/2011
My first 64008 warnings appeared in Event Viewer on shutdown when I clicked restart for McAfee to complete the installation of the 2011 update. They were for the following files, in order of appearance in the log:
c:\windows\system32\logonui.exe
c:\windows\system32\shgina.dll
c:\windows\system32\sclgntfy.dll
c:\windows\system32\sens.dll
c:\windows\system32\es.dll
c:\windows\system32\drprov.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\tapi32.dll
c:\windows\system32\kbdus.dll
c:\windows\resources\themes\luna\luna.msstyles
c:\windows\system32\wuaueng.dll
c:\windows\system32\mspatcha.dll
c:\windows\system32\wups.dll
The only other unique file that appeared in one of these warnings (Event ID: 64008) after was this:
c:\windows\system32\winhttp.dll
The only time I was prompted with a pop-up was apparently when this file was replaced once I put my XP Installation CD in:
Event Type: Information
Event Source: Windows File Protection
Event Category: None
Event ID: 64001
Date: 6/18/2011
Time: 1:07:53 AM
User: N/A
Computer: ---
Description:
File replacement was attempted on the protected system file dmconfig.dll. This file was restored to the original version to maintain system stability. The file version of the bad file is 2600.0.503.0, the version of the system file is 2600.0.503.0.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Again, I had absolutely no symptoms before that 6/17/11 update. I hardly do anything online. I have NoScript, WOT, and AdBlockPlus for Firefox. I virtually never allow scripts. No infections on previous scans with McAfee, ESET, MalwareBytes Anti-Malware, or SpyBot Search & Destroy. No suspicious files, registry keys, or startup items found using HijackThis. No suspicious network activity or unexplained traffic. Absolutely no pop-ups (except that single WFP one).
Since the update, I've received the 64008 warnings on most shutdowns for some combination of the files I listed earlier in this post. I've noticed McAfee seems to cause the winlogon.exe process to use more memory and CPU, roughly at the same time that mcshield.exe does something. Using Process Monitor by SysInternals, this seems to be true. I've only received the single 64001 event after receiving one (1) pop-up regarding the "Files that are required for Windows to run properly have been replaced by unrecognized version... Insert Windows XP Installation CD..." message once and it triggered that single 64001 event.
Like other users have said, sometimes there's just one warning from the previous shutdown. Sometimes there's a list. I hope this information helps shed a little light on the issue. McAfee worked perfectly for me (aside from that old error on shutdown last spring) all last year. Oh, speaking of that error last spring, like before, I never shut my monitor until the computer powers down. I always sit here and stare at my screen as it shuts down in the event any errors pop up. I've seen no pop-ups at all.
@ Hayton
I am running with admin rights.
And yes, I ran a full scan using McAfee with the very last updates. No issues detected.
No "spontaneous" 64001-events, except for the following ones (as a result of the re-install of Windows Media Player 11 on 20-Jun):
wmvdmoe2.dll
wmvdmod.dll
wmspdmoe.dll
wmsdmoe2.dll
wmsdmod.dll
wmidx.dll
wmdmps.dll
wmdmlog.dll
wmadmoe.dll
mswmdm.dll
mspmsp.dll
cewmdm.dll
When I run "sfc.exe /scannow", I get the following events:
64004's for drmclien.dll or drmstor.dll
The protected system file [file] could not be restored to its original, valid version. The file version of the bad file is 10.0.0.3802 The specific error code is 0x800b0100 [No signature was present in the subject.
].
Plenty of 64021's for many other files
The system file [file] could not be copied into the DLL cache. The specific error code is 0x800b0100 [No signature was present in the subject.
]. This file is necessary to maintain system stability.
Message was edited by: gvr39 on 6/22/11 3:33:04 AM CDT
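An added example, not part of the thread or any poster's code: a Python triage of exported Windows File Protection records that separates what the posts above distinguish, namely 64008 (verification interrupted at shutdown) from 64001 (file replaced, then restored) and 64004/64021 (file could not be restored or cached). The record layout follows the events quoted in the thread; the sample records and the names `parse_events` and `triage` are assumptions made for this example.

```python
import ntpath
import re
from collections import defaultdict

# The file name follows "system file" in the 64001/64004/64008/64021 texts.
FILE_RE = re.compile(r"system file (.+?)(?:\. This file| could not)")
WFP_IDS = {64001, 64004, 64008, 64021}

# Constructed sample in the thread's record layout; only ID and Description matter.
SAMPLE = r"""Event Type: Information
Event Source: Windows File Protection
Event ID: 64008
Description: The protected system file c:\windows\system32\sens.dll could not be verified as valid because Windows File Protection is terminating.
Event Type: Information
Event Source: Windows File Protection
Event ID: 64001
Description:
File replacement was attempted on the protected system file dmconfig.dll. This file was restored to the original version to maintain system stability.
Event Type: Information
Event Source: Windows File Protection
Event ID: 64004
Description: The protected system file drmclien.dll could not be restored to its original, valid version.
"""

def parse_events(text):
    """Yield (event_id, base file name); 64008 logs a path, 64001 a bare name."""
    for rec in re.split(r"(?m)^(?=Event Type:)", text):
        eid = re.search(r"Event ID:\s*(\d+)", rec)
        desc = re.search(r"Description:\s*(.*)", rec, re.S)
        if "Source: Windows File Protection" not in rec or not (eid and desc):
            continue
        m = FILE_RE.search(" ".join(desc.group(1).split()))
        if m and int(eid.group(1)) in WFP_IDS:
            yield int(eid.group(1)), ntpath.basename(m.group(1)).lower()

def triage(text):
    """Separate 'verification was interrupted' from 'a file really was touched'."""
    seen = defaultdict(set)
    for eid, name in parse_events(text):
        seen[name].add(eid)
    report = {"unrepaired": [], "restored": [], "unverified": []}
    for name, ids in sorted(seen.items()):
        if ids & {64004, 64021}:
            report["unrepaired"].append(name)   # SFC could not restore or cache it
        elif 64001 in ids:
            report["restored"].append(name)     # replaced, then put back by WFP
        else:
            report["unverified"].append(name)   # 64008 only: check never finished
    return report
```

Files in the `unverified` group are the ones to check afterwards with SFC or sigverif.exe, as the messages quoted in the thread suggest.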
My warnings on both machines are all 64008.
@daydreamer
I am still having these 64008's as well.
In my previous post I was just describing what happens when I try to fix these warnings (e.g., by running an SFC as suggested in the warning).