cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted

Re: Files that are required for Windows to run properly have been replaced by unrecognised versions. To maintain system stability Windows must restore the original versions of these files.

Jump to solution

Just confirming that I have problems with those same two files: I get the 64008 error message for luna.msstyles and kbdda.dll (Danish keybord file; equivalent to kbdus.dll).

The 64001 message tells me that my nvidia driver has been replaced.

I get event ID 516 from source mfehidk :

Process **\MCUPDMGR.EXE pid (1256) contains a certified but untrustworthy content. The execution of a preferred Operation with a McAfee-Driver, however, was permitted.

All these date from July 19th/20th around midnight, when I returned from vacation and McAfee updated itself, requiring a reboot.

Best regards,

Kristine

Re: Files that are required for Windows to run properly have been replaced by unrecognised versions. To maintain system stability Windows must restore the original versions of these files.

Jump to solution

An additional question to McAfee personnel:

I have refrained from updating McAfee on my son's computer (also XP SP3) as we need at least one properly functioning machine in the house.

However, a month of not updating anything is beginning to feel uncomfortable.

Do we have to wait for the XP SP3 issue to be solved completely, including a patch to fix the many affected computers, or is there already a new 'safe' issue of Security Center to which we can upgrade our 'good' machine?

Thank you.

Best regards,

Kristine

Re: Files that are required for Windows to run properly have been replaced by unrecognised versions. To maintain system stability Windows must restore the original versions of these files.

Jump to solution

dougr_t3_support wrote:

I was able to reproduce it once, but now my XP machine no longer gets the messages. Seems like there is a 3rd variable to the equation.

When I reproduced it, Windows was applying 103 updates and had a bunch of stuff in pendingfilerenames.

Once Windows finished updates all reboots afterwards come back with no Event ID 64008.

Since I have it on VMWare I will try to go back to an old snapshot and hopefully relive it.

Thanks,

I've seen the issue only on XP machines, not when using VMWare. In fact, just the other day I saw McAfee install on VMWare XP SP3 build and not generate the WFP warnings. Other users that have posted in this thread have managed to reproduce this very issue on clean XP SP3 installs. Given that Ex_Brit hasn't experienced the issue and his XP SP3 build is a virtual machine, something in the virtual environment doesn't let this issue occur. For the rest of us, we see the biggest issues once we restart following McAfee updates. Mcafee_xp_user has described the problem quite accurately.

I last turned on my PC on Monday night. I received a McAfee update that required a restart without a change in build for SecurityCenter (something with the McAfee update server has made every update since around the time 11.0.572 was pushed that causes a SecurityCenter update to download each time along with the DAT). On restart following that update, I immediately checked Task Manager and Process Explorer, winlogon.exe was very active and updated files in the dllcache (this also coincides with a loss of disk space which I've described many times now). At the same time I checked Event Viewer and WFP warnings (64008s) were present for the following files:

c:\windows\system32\scrrun.dll

c:\windows\system32\sclgntfy.dll

c:\windows\system32\drprov.dll

c:\windows\system32\rasapi32.dll

c:\windows\system32\wuaueng.dll

I shutdown the PC about 40 minutes later. On boot this time around (a boot not following a boot after a McAfee update) and winlogon.exe is almost normal. Few files have been updated/replaced in the dllcache. Disk space isn't missing like it does in the session following an update. However, WFP warnings (64008s) were still present from the previous shutdown, this time for the following files:

c:\windows\system32\mspatcha.dll

c:\windows\system32\logonui.exe

c:\windows\system32\sens.dll

c:\windows\system32\kbdus.dll

c:\windows\resources\themes\luna\luna.msstyles

It's generally the same or similar group of files for everyone. Another symptom I've noticed is that while I have my Excel spreadsheet open for keeping track of the disk space loss attributed to WFP/sfc_os.dll in the winlogon.exe process, I occasionally have messages when attempting to save the spreadsheet saying another user has made changes and do I wish to overwrite the file or save a copy.. There are no other users. I'm quite certain of that. It seems to me there's something with the real-time scanner that causes programs or XP itself to think files have been modified when they really haven't, which would explain the file replacement and sudden file verification by Windows File Protection.

Regarding some skeptical comments made by some posters, I sincerely doubt we're the only users experiencing the problems. I just think we're the only users who have either seen file replacement/XP installation disk pop-ups and/or looked in Event Viewer and bothered to dig deep enough to find the thread here. Non-virtual machines with XP SP3 seem to have the issue. I haven't heard of or seen a virtual machine reproduce the issue except the once instance Doug mentioned.

Nice to see tier 3 support involved. Thanks Doug and thanks to the mods and other users for keeping this alive.

Re: Files that are required for Windows to run properly have been replaced by unrecognised versions. To maintain system stability Windows must restore the original versions of these files.

Jump to solution

Agreed with yippiekaiyay.  More info about some tests I ran:

After the experiment described on my XP machine that throws the WFP popups where I disabled real-time scanning (RTS), and observed that the shutdown and startup AFTER update with RTS disabled showed nothing in event log.  Later in the AM after I wrote here, I enabled RTS then did another shut down and restart and that caused some 64008 at shut down and again WFP pop ups on restart.

Last evening I did another variant on the test.  RTS was enabled. I had an update waiting, so I clicked to install the update (with RTS enabled).  Then i disabled RTS and performed a shut down and restart.  Clean event log.  I did one more shut down restart. Clean event log.  Now I re-enabled RTS, and did another shut down restart.  This time, the event log stayed clean.  Interesting? Not sure, but maybe.

Also to echo yippiekaiyay, my other 2 XP machines (another Dell desktop, and a Dell Laptop) that never show the WFP popups, do show the event log trails of 64008 at shutdown after receiving McAfee updates.  My start date on all 3 is the 08/08/2011 date.

Thats it for the additional observations that I have here.

Greens
Level 9
Report Inappropriate Content
Message 95 of 265

Re: Files that are required for Windows to run properly have been replaced by unrecognised versions. To maintain system stability Windows must restore the original versions of these files.

Jump to solution

I've done some more investigating and experimenting tonight.  I disabled real time scanning and restarted the computer and had nothing from WFP showing in the event log. 

I also found something from microsoft that may explain the files that could not be copied to the cache during a sfc scan that some of us have experienced.  This article talks about MCE 2005 and mine is MCE 2002.  Not all of our missing files are referred to in the article but this might be what is happening.  The link is

http:\support.microsoft.com\kb909059

  The files that some of us are finding that cannot be copied are:

c\:windows\ehome\ehcircl.dll  could not be copied

c:\windows\ehome\zh-chs\ehepgdat.dll  could not be copied

c:\windows\ehome\de\ehepgdat.resources.dll   could not be copied

c:\windows\ehome\fr\ehepgdat.resources.dll  could not be copied

c:\windows\ehome\ja\ehepgdat.resources.dll  could not be copied

c:\windiws\ehome\ko\ehepgdat.resources.dll  could not be copied

c\:windows\ehome\ehituner.dll  could not be copied

c\:windows\ehome\ehiepg.dll  could not be copied

c:\windows\ehome\ehtray.exe (bad signature restored to original version)

c:\windows\ehome\ehtray.exe not restored - cancelled due to user interaction

c:\windows\ehome\snchk.exe  could not be copied

c:\program files\windows media player\npdrmv2.dll  could not be copied

c:\program files\windows media player\wmpns.dll  could not be copied

I've never had to run sfc before so maybe it's always been this way.  How about the others who are in my boat with these files? 

This still doesn't explain why I get a WFP pop up when running Malwarebytes of SuperAntispyware scans.  I noticed earlier in this thread somewhere that someone had gotten the pop up when running another spyware scan (I think it was Defender).  Myabe we are getting somewhere with the other troubles though.

Greens
Level 9
Report Inappropriate Content
Message 96 of 265

Re: Files that are required for Windows to run properly have been replaced by unrecognised versions. To maintain system stability Windows must restore the original versions of these files.

Jump to solution

I disabled McAfee real time scanning and ran a full Malwarebytes scan without getting any WFP pop ups.  I haven't tried SuperAntispyware yet but I'm betting that if I disasble real time scanning in McAfee first that no pop ups will appear in that either.  Don't know if this will help come up with a fix or not but I thought I'd toss it in.

Reliable Contributor Peacekeeper
Reliable Contributor
Report Inappropriate Content
Message 97 of 265

Re: Files that are required for Windows to run properly have been replaced by unrecognised versions. To maintain system stability Windows must restore the original versions of these files.

Jump to solution

Just wondering any1 not using registry cleaners? If you are which 1s? I am running some tests on my box later on today.

Greens
Level 9
Report Inappropriate Content
Message 98 of 265

Re: Files that are required for Windows to run properly have been replaced by unrecognised versions. To maintain system stability Windows must restore the original versions of these files.

Jump to solution

I've never used a registry cleaner.  From what I can tell on my system, everything is running ok is spite of the errors and the errors seem to be stemming from real time scanning.  The files that scannow is asking for may be files that have been put elsewhere on the computer by Dell.  Since I've never run scannow until this problem surfaced, it may not be anything to worry about as per a Microsoft article that I found.  But here is something else:  is this affecting only certain systems?  I have a Dell XPS 400, came with MCE SP2 and I updated it to SP3 when the big update from Microsoft rolled around.  There is mention of WFP errors happening recently elsewhere on the web and no solutions from what I've found.  I do recall getting a Microsoft update around the sme time as McAfee's.

Reliable Contributor Peacekeeper
Reliable Contributor
Report Inappropriate Content
Message 99 of 265

Re: Files that are required for Windows to run properly have been replaced by unrecognised versions. To maintain system stability Windows must restore the original versions of these files.

Jump to solution

My test box is self built so no name PC. Doing some tests for Doug later on today.

Re: Files that are required for Windows to run properly have been replaced by unrecognised versions. To maintain system stability Windows must restore the original versions of these files.

Jump to solution

Hi - I have never used any type of Registry Cleaner.

After reading Greens message, I did go back to look closely at the list kicked out by sfc /scannnow on my Dell XPS 410 Media Center Edition XP system.  Some Windows Media Player (WMP) files and some Media Center files. 

None of the WMP files complained about exist.  I did upgrade the computer to WMP 11 early in the life of the computer. 

None of the Media Center files exist, except the ehtray.exe, where the signature was being complained about.

And yes, the system does seem to operate okay.  My WFP popup dialogs usually trace to ehtray.exe after I cancel them and look in the event log.