Event 5038, Microsoft Windows security auditing. fveapi.dll   

I get this security event a lot on Vista 32-bit SP1:

"Code integrity determined that the image hash of a file is not valid.  The 
file could be corrupt due to unauthorized modification or the invalid hash 
could indicate a potential disk device error.

File Name:	\Device\HarddiskVolume1\Windows\System32\fveapi.dll"

This file is located in two places on my system, and it seems the same in 
both:

C:\Windows\System32\fveapi.dll
C:\Windows\SoftwareDistribution\Download\f7fd361ee72a8e86a63bf6b0eb2d2503\x86_microsoft-windows-securestartup-core_31bf3856ad364e35_6.0.6001.18000_none_34daa5e8f21ef8d2\fveapi.dll

Version: 6.0.6001.18000
Size: 173056 bytes
SHA1: b89d67b3bc79a87aff89d0e05d9553b176d0aa4d

Can someone else verify this to be the correct file after 32-bit SP1 is 
installed?

If it IS correct, why do I get an incredible pause sometimes when loading a 
program that uses this DLL, followed by this audit failure event in the log, 
but then apparently everything continues on as it should...?

------------------------------------------------------------------------
 Peter Klavins

date: Wed, 30 Jul 2008 10:03:02 -0700   author:   Peter K am

RE: Event 5038, Microsoft Windows security auditing. fveapi.dll   

"Peter K" wrote:

> This file is located in two places on my system, and it seems the same in 
> both:
> 
> C:\Windows\System32\fveapi.dll

fveapi.dll is not part of Vista. I haven't it.

date: Wed, 30 Jul 2008 11:19:00 -0700   author:   BillD

Re: Event 5038, Microsoft Windows security auditing. fveapi.dll   

On Wed, 30 Jul 2008 11:19:00 -0700, BillD
 wrote:

>
>
>"Peter K" wrote:
>
>> This file is located in two places on my system, and it seems the same in 
>> both:
>> 
>> C:\Windows\System32\fveapi.dll
>
>fveapi.dll is not part of Vista. I haven't it.

In your case, it's probably a bug.

I can't wait for your post about it.

date: Wed, 30 Jul 2008 13:59:31 -0500   author:   Paul Montgomery

Re: Event 5038, Microsoft Windows security auditing. fveapi.dll   

"Peter K" <p.klavins@online.nospam> wrote in message 
news:C01FBA1D-1570-4B35-B6C3-6B7097F47A9D@microsoft.com...
>I get this security event a lot on Vista 32-bit SP1:
>
> "Code integrity determined that the image hash of a file is not valid. 
> The
> file could be corrupt due to unauthorized modification or the invalid hash
> could indicate a potential disk device error.
>
> File Name: \Device\HarddiskVolume1\Windows\System32\fveapi.dll"
>
> This file is located in two places on my system, and it seems the same in
> both:
>
> C:\Windows\System32\fveapi.dll
> C:\Windows\SoftwareDistribution\Download\f7fd361ee72a8e86a63bf6b0eb2d2503\x86_microsoft-windows-securestartup-core_31bf3856ad364e35_6.0.6001.18000_none_34daa5e8f21ef8d2\fveapi.dll
>
> Version: 6.0.6001.18000
> Size: 173056 bytes
> SHA1: b89d67b3bc79a87aff89d0e05d9553b176d0aa4d
>
> Can someone else verify this to be the correct file after 32-bit SP1 is
> installed?
>
> If it IS correct, why do I get an incredible pause sometimes when loading 
> a
> program that uses this DLL, followed by this audit failure event in the 
> log,
> but then apparently everything continues on as it should...?
> .
Hi Peter K
Go here and have a read.
http://www.greatis.com/vista/DLL/f/fveapi.dll.htm

bw..

date: Wed, 30 Jul 2008 20:02:47 +0100   author:   meerkat

Re: Event 5038, Microsoft Windows security auditing. fveapi.dll   

"meerkat" wrote:

> > Version: 6.0.6001.18000
> > Size: 173056 bytes
> > SHA1: b89d67b3bc79a87aff89d0e05d9553b176d0aa4d
> >
> > Can someone else verify this to be the correct file after 32-bit SP1 is
> > installed?
> >
> > If it IS correct, why do I get an incredible pause sometimes when loading 
> > a
> > program that uses this DLL, followed by this audit failure event in the 
> > log,
> > but then apparently everything continues on as it should...?
> > .
> Hi Peter K
> Go here and have a read.
> http://www.greatis.com/vista/DLL/f/fveapi.dll.htm
> 
> bw..

Thanks for your help, meerkat, yep I did a whole lot of surfing before I 
posted on this forum, but nowhere did I find these DLL reference sites 
referring to the SP1 versions of the DLL's, I believe them all to still be 
referring to the original Vista. If you look at the directory 
C:\Windows\System32 after installing SP1, you see a whole pile of files with 
the identical version number 6.0.6001.18000, one of which is fveapi.dll, and 
I simply would like to know whether I have a rotten copy of it, or whether 
Vista security is mis-diagnosing it for some reason and slowing things down. 
By the way, if it helps, my copy has this MD5 sum:

MD5: 1acb8d567b779dc3ff09e7f31ac3f111

------------------------------------------------------------------------
 Peter Klavins

date: Wed, 30 Jul 2008 14:08:01 -0700   author:   Peter K am

Re: Event 5038, Microsoft Windows security auditing. fveapi.dll   

Peter K wrote:
> I get this security event a lot on Vista 32-bit SP1:
> 
> "Code integrity determined that the image hash of a file is not valid.  The 
> file could be corrupt due to unauthorized modification or the invalid hash 
> could indicate a potential disk device error.
> 
> File Name:	\Device\HarddiskVolume1\Windows\System32\fveapi.dll"
> 

Well, by chance in my digging I came across another tab in the Event
Viewer that showed another event related to the same problem that must
cascade into the security auditing event above:

Event ID 3002, "Code integrity determined that the image hash of a file 
is not valid.  The file could be corrupt due to unauthorized 
modification or the invalid hash could indicate a potential disk device 
error.

File Name:	\Device\HarddiskVolume1\Windows\System32\fveapi.dll"

Putting this into Google reveals this quite informational Microsoft web
page "User-mode Protected Media Path File Validation":

http://technet2.microsoft.com/windowsserver2008/en/library/81e36ccc-e318-42ec-8a5e-41ccb306fc211033.mspx?mfr=true

in which the fix for this problem is to do a Startup Repair.  I'll try
that this evening!

------------------------------------------------------------------------
  Peter Klavins                                  klavins@netspace.net.au

date: Thu, 31 Jul 2008 18:15:03 +0200   author:   PÄ“teris Kļaviņš

Re: Event 5038, Microsoft Windows security auditing. fveapi.dll   

See the following
http://www.greatis.com/vista/DLL/f/fveapi.dll.htm
-- 
Peter

Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.

"Peter K" <p.klavins@online.nospam> wrote in message news:C01FBA1D-1570-4B35-B6C3-6B7097F47A9D@microsoft.com...
>I get this security event a lot on Vista 32-bit SP1:
> 
> "Code integrity determined that the image hash of a file is not valid.  The 
> file could be corrupt due to unauthorized modification or the invalid hash 
> could indicate a potential disk device error.
> 
> File Name: \Device\HarddiskVolume1\Windows\System32\fveapi.dll"
> 
> This file is located in two places on my system, and it seems the same in 
> both:
> 
> C:\Windows\System32\fveapi.dll
> C:\Windows\SoftwareDistribution\Download\f7fd361ee72a8e86a63bf6b0eb2d2503\x86_microsoft-windows-securestartup-core_31bf3856ad364e35_6.0.6001.18000_none_34daa5e8f21ef8d2\fveapi.dll
> 
> Version: 6.0.6001.18000
> Size: 173056 bytes
> SHA1: b89d67b3bc79a87aff89d0e05d9553b176d0aa4d
> 
> Can someone else verify this to be the correct file after 32-bit SP1 is 
> installed?
> 
> If it IS correct, why do I get an incredible pause sometimes when loading a 
> program that uses this DLL, followed by this audit failure event in the log, 
> but then apparently everything continues on as it should...?
> 
> > Peter Klavins

date: Thu, 31 Jul 2008 17:22:33 -0400   author:   Peter Foldes