Security Event Log Audit Failure #5038 of wpshelper.sys in Vista(x86) SP2

  • Question

  • I've recently noticed bursts of Event Log entries #5038 in the Security Event Log in Vista(x86) SP2 systems:

    ->cmd
    ->eventvwr.exe
    ->Windows log
    ->Security

    "Code integrity determined that the image hash of a file is not valid.
    The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error."
    File Name:\Device\HarddiskVolume1\Windows\System32\drivers\wpshelper.sys 

    I've also noticed bursts of Event Log entries #3001 in the CodeIntegrity Event Log in Vista(x86) SP2 systems:
    ->cmd
    ->eventvwr.exe
    ->Applications and Services Logs
    ->Microsoft
    ->Windows
    ->CodeIntegrity
    ->Operational

    "Code Integrity determined an unsigned kernel module \Device\HarddiskVolume1\Windows\System32\drivers\wpshelper.sys is loaded into the system.
    Check with the publisher to see if a signed version of the kernel module is available."

    I doubt whether an unsigned driver (wpshelper.sys) of Symantec Corporation is loaded without a digital signature.

    So I referred to this link:
    http://msdn.microsoft.com/en-us/library/bb530195.aspx#digitalsigskernmodules_topic8

    To verify embedded signatures
    1. While running Windows Vista, right-click the driver .sys file and click Properties in the context menu.
    2. Click the Digital Signatures tab, if it is present.
       If this tab is not present, the file does not have an embedded signature.
    3. Select the signer and click Details to open the Signature Details dialog box.
    4. Click View Certificate to open the certificate's property pages.
       Verify that there are no warning dialog boxes.
       Verify that the certificate's subject name is the publisher, and that the publisher is registered with a recognized certification authority.
    5. Click the Certification Path tab.
       Verify that the subject name of the top certificate is Microsoft Code Verification Root.

    I see that wpshelper.sys shows "This digital signature is OK".

    To verify embedded signatures using "signtool.exe" with the kernel-mode code signing policy:

    And the result is that wpshelper.sys is successfully verified.

    C:\>signtool.exe verify /kp /v c:\Windows\System32\drivers\wpshelper.sys

    Verifying: c:\Windows\System32\drivers\wpshelper.sys
    SHA1 hash of file: F7326134E0582EB6A3A4E9270B733BC98DDD8B57
    Signing Certificate Chain:
        Issued to: Class 3 Public Primary Certification Authority
        Issued by: Class 3 Public Primary Certification Authority
        Expires:   2028/8/2  07:59:59
        SHA1 hash: 742C3192E607E424EB4549542BE1BBC53E6174E2

            Issued to: VeriSign Class 3 Code Signing 2004 CA
            Issued by: Class 3 Public Primary Certification Authority
            Expires:   2014/7/16  07:59:59
            SHA1 hash: 197A4AEBDB25F0170079BB8C73CB2D655E0018A4

                Issued to: Symantec Corporation
                Issued by: VeriSign Class 3 Code Signing 2004 CA
                Expires:   2010/11/25  07:59:59
                SHA1 hash: 508E846523E1B131438B220694BE91793886508E

    The signature is timestamped: 2009/12/4  03:16:01
    Timestamp Verified by:
        Issued to: Thawte Timestamping CA
        Issued by: Thawte Timestamping CA
        Expires:   2021/1/1  07:59:59
        SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656

            Issued to: VeriSign Time Stamping Services CA
            Issued by: Thawte Timestamping CA
            Expires:   2013/12/4  07:59:59
            SHA1 hash: F46AC0C6EFBB8C6A14F55F09E2D37DF4C0DE012D

                Issued to: VeriSign Time Stamping Services Signer - G2
                Issued by: VeriSign Time Stamping Services CA
                Expires:   2012/6/15  07:59:59
                SHA1 hash: ADA8AAA643FF7DC38DD40FA4C97AD559FF4846DE

    Successfully verified: c:\Windows\System32\drivers\wpshelper.sys

    Number of files successfully Verified: 1
    Number of warnings: 0
    Number of errors: 0

    Every time I reboot the system, I can see these Event Log entries #5038 and #3001.
    I don't know whether Event 5038 and 3001 may cause some issue or whether this is just misleading text in the event log.

    Thursday, May 13, 2010 2:28 AM
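One way to triage this on the affected machine, as an added example that is not part of the original thread: pull the 5038 and 3001 events, map each reported NT device path to a drive letter (assumed here to be the system drive), and check the driver's signature with Get-AuthenticodeSignature plus signtool /kp when it is installed. It assumes PowerShell 2.0 or later and an elevated prompt, since reading the Security log requires one.

```powershell
# Added example (not from the original thread): correlate Code Integrity events
# 5038 (Security log) and 3001 (CodeIntegrity/Operational log) with a signature
# check of each driver they name. Assumes PowerShell 2.0+, an elevated prompt,
# and that the reported \Device\HarddiskVolumeN is the system drive.
$filters = @(
    @{ LogName = 'Security'; Id = 5038 },
    @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3001 }
)
# Both event messages embed the driver as an NT device path ending in .sys
$pattern = '\\Device\\HarddiskVolume\d+(\\\S+?\.sys)'

# Count how often each driver path appears per event ID
$hits = @{}
foreach ($f in $filters) {
    $events = Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        if ($e.Message -match $pattern) {
            # Assumption: the volume in the event is the system drive
            $path = Join-Path $env:SystemDrive $matches[1]
            if (-not $hits.ContainsKey($path)) { $hits[$path] = @{} }
            $hits[$path][$e.Id] = 1 + [int]$hits[$path][$e.Id]
        }
    }
}

foreach ($path in $hits.Keys) {
    $counts = $hits[$path]
    # User-mode Authenticode check: status, signer subject, timestamp
    $sig = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    "{0}`n  5038 events: {1}  3001 events: {2}`n  Authenticode status: {3}`n  Signer: {4}" -f `
        $path, [int]$counts[5038], [int]$counts[3001], $sig.Status, $signer

    # Get-AuthenticodeSignature applies user-mode policy only; the kernel-mode
    # policy (chain to Microsoft Code Verification Root) is what signtool /kp
    # checks, so run it too when the SDK is installed.
    $signtool = Get-Command signtool.exe -ErrorAction SilentlyContinue
    if ($signtool) { & $signtool.Path verify /kp /v $path }
}
```

A driver that passes both checks yet still raises 5038 on every boot is worth comparing byte-for-byte against a copy from the vendor's installer, since the event reports a hash mismatch on the loaded image rather than a missing signature.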