cancel
Showing results for 
Search instead for 
Did you mean: 
Reliable Contributor Hayton
Reliable Contributor
Report Inappropriate Content
Message 21 of 265

Re: Files that are required for Windows to run properly have been replaced by unrecognised versions. To maintain system stability Windows must restore the original versions of these files.

Jump to solution

blarty-fargo wrote:

The upshot is that, when you reboot, your screen will be 640x480 with 4 bit colour. I added this to another thread on this forum - but that seems to be stale.

No, not stale. You mean this thread? I can't add anything more to it because it's been passed on to McAfee. They're mulling it over, and you should get an answer in a day or two - they've only had the details since last night. Anything I might try to add to the discussion would quite possibly be misleading, or even wrong. It's a driver problem, which means low-level interactions somewhere. That's as far as I can take it.

Re: Files that are required for Windows to run properly have been replaced by unrecognised versions. To maintain system stability Windows must restore the original versions of these files.

Jump to solution

Cheers Hayton

Sorry if I stepped on your toes.

Blarty

gvr39
Level 7
Report Inappropriate Content
Message 23 of 265

Re: Files that are required for Windows to run properly have been replaced by unrecognised versions. To maintain system stability Windows must restore the original versions of these files.

Jump to solution

Hi Hayton,

I suppose this thread here then continues dealing with:

1) Files that are required for Windows to run properly have been replaced by unrecognised versions. To maintain system stability Windows must restore the original versions of these files.

2) Almost at every shut-down a bunch of the following warnings (ID 64008) is generated in the System Event Viewer:

The protected system file [path\filename] could not be verified as valid because Windows File Protection is terminating. Use the SFC utility to verify the integrity of the file at a later time.

Re: Files that are required for Windows to run properly have been replaced by unrecognised versions. To maintain system stability Windows must restore the original versions of these files.

Jump to solution

Hi That is the same as I've been getting. Sometimes  I will  only get two or three warnings other times is a long list

gvr39
Level 7
Report Inappropriate Content
Message 25 of 265

Re: Files that are required for Windows to run properly have been replaced by unrecognised versions. To maintain system stability Windows must restore the original versions of these files.

Jump to solution

And indeed daydreamer, it started with DAT 6370.0000

Reliable Contributor Hayton
Reliable Contributor
Report Inappropriate Content
Message 26 of 265

Re: Files that are required for Windows to run properly have been replaced by unrecognised versions. To maintain system stability Windows must restore the original versions of these files.

Jump to solution

There is a description of Windows File Protection at http://support.microsoft.com/default.aspx?scid=kb;en-us;222193

I think there may be two things going on here. The first one is that system files are being modified, triggering a response from WFP. I won't say this is caused by the McAfee update, but we do need some more investigation of this.

... protection is triggered after WFP receives a directory change notification for a file in a protected directory. After WFP receives this notification, WFP determines which file was changed. If the file is protected, WFP looks up the file signature in a catalog file to determine if the new file is the correct version. If the file is not the correct version, WFP replaces the new file with the file from the cache folder (if it is in the cache folder) or from the installation source. WFP searches for the correct file ...

If WFP finds the file in the cache folder or if the installation source is automatically located, WFP silently replaces the file and logs an event that resembles the following in the System log:

Event ID: 64001
Source: Windows File Protection
Description: File replacement was attempted on the protected system file <filename> . This file was restored to the original version to maintain system stability. The file version of the system file is x.x:x.x.

If WFP cannot automatically find the file in any of these locations, you receive ... the following message, where file_name is the name of the file that was replaced and product is the Windows product you are using:

"Windows File Protection

Files that are required for Windows to run properly have been replaced by unrecognized versions. To maintain system stability, Windows must restore the original versions of these files. Insert your product CD-ROM now"


Note If an administrator is not logged on, WFP cannot display either of these dialog boxes.

So, are there any 64001 messages in the Event Log, and are you running with Administrator privileges?

The 64004 message can occur when a program replaces newer system files with older ones of its own. Entering "sfc /purgecache" from the command line can solve the problem. Interesting that the only files mentioned were drmclien.dll and drmstor.dll - Packaged Media, that is multimedia files that have been encrypted (using Windows Media Rights Manager). I wonder if the encryption has anything to do with it?

(One thing I am seeing is that the 64001 message (and to a lesser extent the 64004 message) has in the past been associated with specific malware infections. If everyone reporting this problem has the same malware infection, otherwise unnoticed and unreported, I would be very surprised; but it's worth noting. Just to be sure, I would advise running a scan with McAfee and A.N.Other of your choice.)

   ============================================================

The second issue is characterised by messages in the Event Log saying

"The protected system file [path\filename] could not be verified as valid"

(because Windows File Protection is terminating)

- which implies that verification is not taking place, rather than that the files are invalid. The underlying problem here seems to be that the WFP service or process shuts down unexpectedly during the verification process.

There is a Microsoft Technet article about this HERE which suggests that you should run File Signature Verification (sigverif.exe) to verify that the files listed in the event log were not replaced with unrecognized versions.

In a discussion about WFP prompting a user to replace a protected file is the following, which might explain why Event ID 64008 occurs :

Normally, WFP posts system event log messages when a protected file is replaced, but the event message is not posted until the WFP dialog box is answered. Because typical users do not know that WFP is prompting them for the installation source, the computer may be restarted before the WFP dialog box is answered. In this situation, the following message is posted in the event log during a system shutdown:

Event Type:     Information
Event Source:     Windows File Protection
Event Category:     None
Event ID:     64008
Date:      current_date
Time:      current_time
User:      N/A
Computer: MYMACHINENAME
Description: The protected system file C:\winnt\system32\File_Name.exe could not be verified as valid because Windows File Protection is terminating. Use the SFC utility to verify the integrity of the file at a later time.

There was at one time an article in the McAfee KnowledgeBase (KB26580 - Event ID 64008) about this but it does not now exist.

That's about all I've been able to come up with so far. Anything else I can find out that's relevant I'll pass on.

Message was edited by: Hayton on 21/06/11 20:35:52 IST

Re: Files that are required for Windows to run properly have been replaced by unrecognised versions. To maintain system stability Windows must restore the original versions of these files.

Jump to solution

I didn't have any issues at all, no symptoms of any kind prior to the update. The version it was updated to was:

McAfee SecurityCenter

Version: 11.0

Build: 11.0.560

AffId: 0

Language: en-us

Last update: 6/14/2011 (The date hadn't updated from an SC update for 10.5.239 for some reason)

McAfee VirusScan

Version: 15.0

Build: 15.0.288

Last update: 6/17/2011

DAT Version: 6380.0000

DAT Creation Date: 6/17/2011

Boot DAT Version: 6369.0000

Boot DAT Creation Date: 6/6/2011

Engine Version: 5400.1158

McAfee Personal Firewall

Version 12.0

Build: 12.0.335

Last update: 6/17/2011

My first 64008 warnings appeared in Event Viewer on shutdown when I clicked restart for McAfee to complete the installation of the 2011 update. They were for the following files, in order of appearance in the log:

c:\windows\system32\logonui.exe

c:\windows\system32\shgina.dll

c:\windows\system32\sclgntfy.dll

c:\windows\system32\sens.dll

c:\windows\system32\es.dll

c:\windows\system32\drprov.dll

c:\windows\system32\ntlanman.dll

c:\windows\system32\davclnt.dll

c:\windows\system32\rasapi32.dll

c:\windows\system32\rasman.dll

c:\windows\system32\tapi32.dll

c:\windows\system32\kbdus.dll

c:\windows\resources\themes\luna\luna.msstyles

c:\windows\system32\wuaueng.dll

c:\windows\system32\mspatcha.dll

c:\windows\system32\wups.dll

The only other unique file that appeared in one of these warnings (Event ID: 64008) after was this:

c:\windows\system32\winhttp.dll

The only time I was prompted with a pop-up was apparently when this file was replaced once I put my XP Installation CD in:

Event Type:    Information

Event Source:    Windows File Protection

Event Category:    None

Event ID:    64001

Date:        6/18/2011

Time:        1:07:53 AM

User:        N/A

Computer:    ---

Description:

File replacement was attempted on the protected system file dmconfig.dll. This file was restored to the original version to maintain system stability. The file version of the bad file is 2600.0.503.0, the version of the system file is 2600.0.503.0.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Again, I had absolutely no symptoms before that 6/17/11 update. I hardly do anything online. I have NoScript, WOT, and AdBlockPlus for Firefox. I virtually never allow scripts. No infections on previous scans with McAfee, ESET, MalwareBytes Anti-Malware, or SpyBot Seach & Destroy. No suspicious files, registry keys, or startup items found using HijackThis. No suspicious network activity or unexplained traffic. Absolutely no pop-ups (except that single WFP one).

Since the update, I've received the 64008 warnings on most shutdowns for some combination of the files I listed earlier in this post. I've noticed McAfee seems to cause the winlogon.exe process to use more memory, CPU, and roughly at the same time that mcshield.exe does something. Using Process Monitor by SysInternals, this seems to be true. I've only received the single 64001 event after receiving one (1) pop-up regarding the "Files that are required for Windows to run properly have been replaced by unrecognized version... Insert Windows XP Installation CD..." message once and it triggered that single 64001 event.

Like other users have said, sometimes there's just one warning from the previous shutdown. Sometimes there's a list. I hope this information helps shed a little light on the issue. McAfee worked perfect for me (aside from that old error on shutdown last spring) all last year. Oh speaking of that error last spring, like before, I never shut my monitor until the computer powers down. I always sit here and stare at my screen as it shuts down in the event any errors pop-up. I've seen no pop-ups at all.

gvr39
Level 7
Report Inappropriate Content
Message 28 of 265

Re: Files that are required for Windows to run properly have been replaced by unrecognised versions. To maintain system stability Windows must restore the original versions of these files.

Jump to solution

@ Hayton

I am running with admin rights.

And yes, I ran a full scan using McAfee with the very last updates. No issues detected.

No "spontaneous" 64001-events, except for the following ones (as a result of the re-install of Windows Media Player 11 on 20-Jun):

wmvdmoe2.dll

wmvdmod.dll

wmspdmoe.dll

wmsdmoe2.dll

wmsdmod.dll

wmidx.dll

wmdmps.dll

wmdmlog.dll

wmadmoe.dll

mswmdm.dll

mspmsp.dll

cewmdm.dll

When I run "sfc.exe /scannow", I get the following events:

64004's for drmclien.dll or drmstor.dll

The protected system file [file] could not be restored to its original, valid version. The file version of the bad file is 10.0.0.3802  The specific error code is 0x800b0100 [No signature was present in the subject.

].

Plenty of 64021's for many other files

The system file [file] could not be copied into the DLL cache.  The specific error code is 0x800b0100 [No signature was present in the subject.

].  This file is necessary to maintain system stability.

Message was edited by: gvr39 on 6/22/11 3:33:04 AM CDT

Re: Files that are required for Windows to run properly have been replaced by unrecognised versions. To maintain system stability Windows must restore the original versions of these files.

Jump to solution

My warnings  on both machines are all 64008.

gvr39
Level 7
Report Inappropriate Content
Message 30 of 265

Re: Files that are required for Windows to run properly have been replaced by unrecognised versions. To maintain system stability Windows must restore the original versions of these files.

Jump to solution

@daydreamer

I am still having these 64008's as well.

In my previous post I was just describing what happens when I try to fix these warnings (e.g., by running an SFC as suggested in the warning).

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community