User-mode Protected Media Path File Validation

Applies To: Windows Server 2008

Protected Processes are used to enhance the Digital Rights Management technology in Windows Vista and Windows Server 2008. Code Integrity validates user-mode files loaded into Protected Processes that are part of the Protected Media Path. The validation compares the page hashes stored in the system security catalog files to the page hashes of the user-mode files themselves. If the page hashes in the system security catalog files do not match the page hashes from the system file, the system file is not loaded by the operating system.

Additionally, Code Integrity validates cryptographic system files. The following cryptographic system files are validated by Code Integrity: bcrypt.dll, dssenh.dll, rsaenh.dll, win32_tpm.dll, and fveapi.all.

Note: If a kernel debugger is attached to the computer, Code Integrity still validates the page hashes on the user-mode files against the page hashes stored in the system security catalog files, but the operating system will load the files.

Events

Event ID Source Message

3002

Microsoft-Windows-CodeIntegrity

Code Integrity is unable to verify the image integrity of the file %2 because the set of per-page image hashes could not be found on the system.

3003

Microsoft-Windows-CodeIntegrity

Code Integrity is unable to verify the image integrity of the file %2 because the set of per-page image hashes could not be found on the system. The image is allowed to load because kernel mode debugger is attached.

Code Integrity

Core Security