program or website to verify "known good" MD5 of sys or DLL files?


LuckMan212
November 6th, 2008, 01:55 PM
Hello,
I am fighting with a strange problem with errors in my Vista x64 event log (ID:3002):
"Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system."

I have not had any adverse effects from this but it has me worried and a bit obsessed. I have completed a SFC scan of the system using an Administrative command prompt, result:

C:\Windows\system32>sfc /verifyonly
Beginning system scan. This process will take some time.
Beginning verification phase of system scan.
Verification 100% complete.
Windows Resource Protection did not find any integrity violations.

I have also scanned my entire filesystem for tcpip.sys and computed the MD5 sums of all results:

C:\Windows\System32\drivers\tcpip.sys : 8e041924441ff8755e5b4f135c8c3767
C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.18000_none_0f3cadd61ec3b22c\tcpip.sys : 7a1183fbb802f5abad7fa18bc67e0858
C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.18063_none_0efecf2c1ef1a5d7\tcpip.sys : 8e041924441ff8755e5b4f135c8c3767
C:\Windows\winsxs\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22167_none_0f8c6d1f380baafd\tcpip.sys : f10a60005fb50698e33a1940c6ebb010
C:\Windows\winsxs\Backup\amd64_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.18063_none_0efecf2c1ef1a5d7_tcpip.sys_3339bd51 : 8e041924441ff8755e5b4f135c8c3767

My tcpip.sys contains a valid digital signature:
http://img87.imageshack.us/img87/8618/sshot1cx9.png

Searching the web for those MD5 hashes, or for a site/program that can verify them against a "known good" list, I came up empty. Can anyone with a fully-patched Vista x64 (SP1) verify these for me, or help me out with a way to 100% confirm that these tcpip.sys files are not hijacked/infected in some way? Is there a good, reliable way to do this?
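A small hash-manifest checker of the kind being asked about, as an added example that is not from this thread or any of the tools named in it. It hashes every copy of a listed file name under a directory tree (the System32 copy plus the several WinSxS versions seen above) and reports which reference version each one matches, or flags it as unknown. The reference bytes, version labels and paths are constructed for the demo, not real tcpip.sys data; SHA-256 is used by default because MD5 collisions are cheap, so a matching MD5 is weaker evidence.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed reference set: two "released versions" of one driver (not real hashes).
REFERENCE = {
    "tcpip.sys": {
        "6.0.6001.18000 (constructed)": b"MZ-constructed-tcpip-build-18000",
        "6.0.6001.18063 (constructed)": b"MZ-constructed-tcpip-build-18063",
    }
}

def file_digest(path, algorithm="sha256"):
    """Hash a file in 1 MiB chunks so large drivers/DLLs are not read into memory at once."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(reference, algorithm="sha256"):
    """{name: {label: bytes}} -> {name: {digest: label}}; one name may have many valid versions."""
    return {name.lower(): {hashlib.new(algorithm, data).hexdigest(): label
                           for label, data in versions.items()}
            for name, versions in reference.items()}

def verify_tree(root, manifest, algorithm="sha256"):
    """Classify every file under root whose name appears in the manifest; others are ignored."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name.lower() in manifest:
            label = manifest[path.name.lower()].get(file_digest(path, algorithm))
            results[path.relative_to(root).as_posix()] = (
                f"known-good {label}" if label else "UNKNOWN: matches no reference version")
    return results

def demo():
    """Build a constructed tree (two good copies, one tampered copy, one unlisted file) and verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {
            "System32/drivers/tcpip.sys": REFERENCE["tcpip.sys"]["6.0.6001.18063 (constructed)"],
            "winsxs/old/tcpip.sys": REFERENCE["tcpip.sys"]["6.0.6001.18000 (constructed)"],
            "winsxs/odd/tcpip.sys": b"MZ-constructed-tcpip-build-18063-patched",  # tampered copy
            "System32/drivers/other.sys": b"not in manifest, so not reported",
        }
        for rel, data in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        return verify_tree(root, build_manifest(REFERENCE))
```

Calling demo() returns a dict mapping each listed file to its status; a real deployment would replace REFERENCE with digests taken from a trusted source and point verify_tree at the Windows directory.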

acr1965
November 6th, 2008, 10:41 PM
If you downloaded from a site does that site's numbers match these (assuming the download page of the site has them listed)?

Also, not sure if you have this little context menu add-on, but it is handy for me sometimes and works in my Vista, although x32.

http://beeblebrox.org/hashtab/

LuckMan212
November 6th, 2008, 10:44 PM
I did not 'download' tcpip.sys - it is part of the operating system. The reason for the different versions present on my system, I presume is because of patches/updates released by Microsoft via Windows Update. I am familiar with the HashTab extension (I used to use it) and while it is very good, I ran some speed tests on large files and found that the febooti FileTweak extensions are faster (by 2-3x) and offer additional features as well (hex editor, file attribute modifications etc) and also run native 64-bit.

But I don't want to get off-topic. Back to the original question: is there a website or program that verifies local system files (dlls/ocx/sys/etc) against known-good hashes?

acr1965
November 6th, 2008, 11:31 PM
Sorry, I should have read your post more closely.

nick s
November 7th, 2008, 12:40 AM
Beyond SFC, I know of no alternative way to verify system files. I stopped obsessing a long time ago over Vista's tcpip.sys hash-related event log errors. For me, those errors have appeared occasionally on various machines since Vista's release candidates. I would ignore them. Here's the most useful explanation I've read on the subject: Discuss: Windows Security Log Event ID 5038 (http://www.ultimatewindowssecurity.com/wiki/SecurityLogEventID5038.ashx?Discuss=1).

Nick

Franklin
November 7th, 2008, 02:46 AM
Could uploading the file to Virus Total (http://www.virustotal.com/) be of any use, as you can recheck the MD5 under "Additional Information"?

Below is from my Vista 32 bit.
Quote: "File tcpip.sys received on 11.07.2008 08:28:36 (CET)
Current status: finished
Result: 0/35 (0.00%)

Additional information
File size: 802816 bytes
MD5...: d944522b048a5feb7700b5170d3d9423"

PROROOTECT
November 7th, 2008, 08:25 AM
Hi,

SecCheck: http://mynetwatchman.com/tools/sc/

With SecCheck you get: a text report (with file SHA1 dump), an XML report (DLL descriptions with SHA1), and hash analysis.

Don't forget: Forum software & services; thread Your NEW BEST Free Softwares ... #90 ... It's for you!

kwismer
November 7th, 2008, 04:38 PM
Besides the other suggestions, you might find http://fileadvisor.bit9.com useful for the purpose in question... you can search by file name, MD5 hash or SHA1 hash...

Also, the valid digital signature from Microsoft suggests it's fine...

LuckMan212
November 9th, 2008, 09:14 PM
Thanks- that bit9 website is almost exactly what I was looking for. If they had a desktop counterpart that verified hashes against their database of known-good files, that would be perfect. But this is still good. Too bad their downloadable right-click shell extension is x86 only (I run Vista x64, so the shell extension is not supported unless I run my explorer.exe process in 32-bit mode, which I don't). Either way, it's a useful tool to add to my arsenal. Thanks

acr1965
November 11th, 2008, 11:50 PM
Saw this while browsing CastleCops-

http://hashes.castlecops.com/