User-mode Protected Media Path File Validation
Applies To: Windows Server 2008
Protected Processes are used to enhance the Digital Rights Management technology in Windows Vista and Windows Server 2008. Code Integrity validates user-mode files loaded into Protected Processes that are part of the Protected Media Path. The validation compares the page hashes stored in the system security catalog files to the page hashes of the user-mode files themselves. If the page hashes in the system security catalog files do not match the page hashes from the system file, the system file is not loaded by the operating system.
Additionally, Code Integrity validates cryptographic system files. The following cryptographic system files are validated by Code Integrity: bcrypt.dll, dssenh.dll, rsaenh.dll, win32_tpm.dll, and fveapi.all.
Note: If a kernel debugger is attached to the computer, Code Integrity still validates the page hashes on the user-mode files against the page hashes stored in the system security catalog files, but the operating system will load the files.
Events
| Event ID | Source | Message |
|---|---|---|
Microsoft-Windows-CodeIntegrity |
Code Integrity is unable to verify the image integrity of the file %2 because the set of per-page image hashes could not be found on the system. | |
Microsoft-Windows-CodeIntegrity |
Code Integrity is unable to verify the image integrity of the file %2 because the set of per-page image hashes could not be found on the system. The image is allowed to load because kernel mode debugger is attached. |