Udostępnij za pośrednictwem


Event ID 3003 — User-mode Protected Media Path File Validation

Applies To: Windows Server 2008

Protected Processes are used to enhance the Digital Rights Management technology in Windows Vista and Windows Server 2008. Code Integrity validates user-mode files loaded into Protected Processes that are part of the Protected Media Path. The validation compares the page hashes stored in the system security catalog files to the page hashes of the user-mode files themselves. If the page hashes in the system security catalog files do not match the page hashes from the system file, the system file is not loaded by the operating system.

Additionally, Code Integrity validates cryptographic system files. The following cryptographic system files are validated by Code Integrity: bcrypt.dll, dssenh.dll, rsaenh.dll, win32_tpm.dll, and fveapi.all.

Note: If a kernel debugger is attached to the computer, Code Integrity still validates the page hashes on the user-mode files against the page hashes stored in the system security catalog files, but the operating system will load the files.

Event Details

Product: Windows Operating System
ID: 3003
Source: Microsoft-Windows-CodeIntegrity
Version: 6.0
Symbolic Name: CiImagePageHashNotFoundDebuggerAttached
Message: Code Integrity is unable to verify the image integrity of the file %2 because the set of per-page image hashes could not be found on the system. The image is allowed to load because kernel mode debugger is attached.

Resolve

Replace the system file by using Startup Repair with kernel debugger attached

The page hash of the system file must match the hash stored in the system security catalog. If the hashes do not match, you should replace the system file with a version that has the correct hash. This can be done by using Startup Repair.

When a kernel debugger is attached to the computer, Code Integrity checks the integrity of the file but the operating system still loads it. If a kernel debugger is attached to the computer, no further action is required, but we recommend that you replace the system file by using Startup Repair.

To replace a system file by using Startup Repair:

  1. Insert the Windows product disc.
  2. Restart the computer.
  3. When prompted, press any key to start the computer from the Windows product disc.
  4. Choose the appropriate language settings, and then click Next.
  5. Click Repair your computer.
  6. Select the operating system you want to repair, and then click Next.
  7. On the System Recovery Options menu, click Startup Repair.
  8. When Startup Repair has finished, restart the computer.

Verify

To verify that user-mode files were sucessfully validated and loaded, confirm that Event ID 3002 or 3003 are no longer being logged to the Microsoft-Windows-CodeIntegrity operational event log channel.

To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

To confirm that Event ID 3002 or 3003 are no longer being logged to the Code Integrity operational channel:

  1. Click Start, point to Administrative Tools, and then click Event Viewer.
  2. Expand Applications and Service Logs, expand Microsoft, expand Windows, expand CodeIntegrity, and then click Operational.
  3. Click to sort the events on the Date and Time column.
  4. Look for an instance of Event ID 3002 or 3003 that is after the date and time the issue was resolved.
  5. If no instances are found, user-mode files are being successfully validated and loaded.

User-mode Protected Media Path File Validation

Core Security