Audiodg.exe reads 5500< *.cat files in windows\catroot folder because built-in l3codeca.acm is wrongly signed or something

  • Question

  • Hello.

    Can we just disable the mp3 codec: Fraunhofer IIS MPEG Layer-3 Codec (l3codeca.acm or l3codecp.acm)? How are they used? Can Windows work without it, and would there be any problems?

    We have VDI on Windows Server 2012R2 + Windows 8.1 Ent x64 VMs.

    I checked this situation on our corporate image with software and on a clean install from the official *.iso after installing updates. It happens when we use RDP, not local logon:

    Every time a user logs on via RDP (with sound pass-through) into a VM, it starts the audiodg.exe process for initiation of the audio components. Example: after auto-startup of Lync, or if we open the sound mixer and press test, or try to open the microphone settings. All those operations get stuck and wait until audiodg.exe ends the "initiation" process, and then all audio continues to work. Audiodg.exe tries to load the audio codecs *.acm. And when loading "C:\Windows\System32\l3codeca.acm" (or l3codecp.acm if we set it up in the registry), the process tries to check the digital signature of the codec, but that codec has a wrong hash or something, and because of this audiodg.exe compares the hash of that file with the hashes in the *.cat files in the windows\catroot\ folder: ~5500 files (yeah). And it happens every time the user logs in again, after a reboot of the test VM or auto-apply of a checkpoint of the VDI VM.

    It generates alert 6281 in the Security log:

    Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.

    File Name:    \Device\HarddiskVolume2\Windows\System32\l3codeca.acm   

    About embedded signatures and catroot: I think it's this situation, but with a codec and not system startup:
    "Having an embedded signature saves significant time during system startup because there is no need for the system loader to locate the catalog file for the driver at system startup. A typical computer might have many different catalog files in the catalog root store (%System%\CatRoot). Locating the correct catalog file to verify the thumbprint of a driver file can require a substantial amount of time."

    Sorry for my bad English.

    Update:

    Log Name:Microsoft-Windows-CodeIntegrity/Operational

    Event 3020:

    Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

    Maybe because the cat file associated with that file doesn't contain the hash of that one?

    sigcheck64.exe -i C:\Windows\System32\l3codeca.acm

    Catalog: C:\Windows\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_559_for_KB3000850~31bf3856ad364e35~amd64~~6.3.1.8.cat


    • Edited by Maksim C Thursday, October 15, 2020 1:30 PM
    Thursday, October 15, 2020 8:15 AM
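
One way to confirm which files raise the two events quoted in the post and how each file is signed, as an added example that is not part of the original post. It assumes an elevated PowerShell 5.1 or later session (the `SignatureType` property is empty on older versions) and that the flagged files live on the system drive.

```powershell
# Added example (not from the original post): summarize Code Integrity
# page-hash events per file and show how each flagged file is signed.
# Event IDs and log names are the ones quoted in the post.
$queries = @(
    @{ LogName = 'Security'; Id = 6281 },
    @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3020 }
)

# Both messages carry the file as a \Device\HarddiskVolumeN\... path.
$pathPattern = '(\\Device\\HarddiskVolume\d+\\.+?\.\w{2,4})(?=\s|$)'

$events = foreach ($q in $queries) {
    # SilentlyContinue: a log with no matching events is not an error here.
    Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue
}

$hits = foreach ($e in $events) {
    if ($e.Message -match $pathPattern) {
        [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; File = $Matches[1] }
    }
}

$hits | Group-Object File | Sort-Object Count -Descending | ForEach-Object {
    # Assumption: the volume in the event is the system drive, so the
    # device prefix can be swapped for $env:SystemDrive to reach the file.
    $local = $_.Name -replace '^\\Device\\HarddiskVolume\d+', $env:SystemDrive
    $sig = if (Test-Path -LiteralPath $local) {
        Get-AuthenticodeSignature -LiteralPath $local
    }
    [pscustomobject]@{
        File     = $_.Name
        Events   = $_.Count
        EventIds = ($_.Group.Id | Sort-Object -Unique) -join ','
        LastSeen = ($_.Group.Time | Measure-Object -Maximum).Maximum
        Status   = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        # 'Catalog' means no embedded signature: verification goes through
        # the catalog store, the lookup path described in the post.
        SigType  = $sig.SignatureType
    }
} | Format-Table -AutoSize
```

A file that shows up with a high event count and `SigType` of `Catalog` matches the pattern described above; the `LastSeen` column can be compared against RDP logon times.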

All replies