Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
File Name: \Device\HarddiskVolume2\Windows\System32\guard64.dll
Also see this event:
Microsoft-Windows-Security-Mitigations/KernelMode
Process '\Device\HarddiskVolume2\Program Files (x86)\Google\Chrome Beta\Application\chrome.exe' (PID 10540) was blocked from loading the non-Microsoft-signed binary '\Windows\System32\guard64.dll'.
I had these alerts more recently, specifically when launching Edge, but it turned out to be related to the exploit protection tweaks I’d made via Windows App & browser control.
When I look in Windows event observer, I have a lot of entries concerning guard64.dll: hash problem. Code integrity found that the image of the file is not valid.
The bad image error is something you can ignore. It has been around since 2009. Futuretech explains it briefly here:
Windows will notice there is no hash provided as it would like to see. It is not a security issue nor does it affect functioning. But it is sloppy that Comodo does not fix this. You can safely disregard these events being logged.
I just realized this is the issue that has been affecting my system for the past 7 months; I just chose to ignore it until today. When this happens, my system locks up, I can see the HDD (SSD) light fully lit up for about 30 seconds - anything I’m doing is frozen (gaming, browsing, typing, etc.). Only today I decided to sift through Event Viewer to see the file “guard64.dll” associated with several Audit Failure and Audit Success events for that entire minute.
Based on what I read in this thread, I’m less fearful of a compromised system; however, as I mentioned, it’s super annoying having the system lock up every day, sometimes a couple of times a day. Is there no solution for this?
I have read the prior responses to this thread informing readers that this is not a problem, however something has changed to make it a problem.
Some time in the past week I started getting a pop-up when booting the system before I got to log in. The title is:
AvLaunch.exe - Bad Image
In the body of the pop-up the icon left of the message body is a red circle with a white X.
The message in the body is:
C:\Windows\system32\guard64.dll is either not designed to run on Windows or it contains an error. Try installing the program again using the original installation media or contact your system administrator or the software vendor for support. Error status: 0xc000002.
Upon browsing the system event log Applications and Services Logs\Microsoft\Windows\CodeIntegrity\Operational I find a pair of messages that repeat approximately twice a minute. The first message of each pair is an Error:
In browsing the properties of this file I observe that the signing certificate expired 12/3/2021. I would provide certificate details but Microsoft has disabled text cut/paste on the certificate window and the certificate export function only supports binary and character-encoded binary formats.
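Added example, not part of any post in this thread: a read-only PowerShell check that summarises the Code Integrity events naming guard64.dll and prints the file's signing-certificate details as text, which the certificate dialog does not allow copying. The log channel and file path are the ones quoted in the posts; the 24-hour window is an assumption.

```powershell
# Added example (not from the thread). Read-only: queries the event log and the file.
$log  = 'Microsoft-Windows-CodeIntegrity/Operational'   # channel named in the post
$file = Join-Path $env:windir 'System32\guard64.dll'    # path from the error dialog
$name = Split-Path $file -Leaf

# 1. Events from the last 24 hours (assumed window) whose message names the DLL,
#    grouped by event ID and level so repeating pairs show up as counts.
#    SilentlyContinue suppresses the error Get-WinEvent raises when nothing matches.
$since  = (Get-Date).AddDays(-1)
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$name*" }

$events | Group-Object Id, LevelDisplayName |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Latest'; e = { ($_.Group | Sort-Object TimeCreated -Descending |
                                Select-Object -First 1).TimeCreated } } |
    Format-Table -AutoSize

# 2. Authenticode details of the file on disk, as copyable text.
if (Test-Path -LiteralPath $file) {
    $sig  = Get-AuthenticodeSignature -LiteralPath $file
    $cert = $sig.SignerCertificate          # $null when the file is unsigned
    $expired = if ($cert) { $cert.NotAfter -lt (Get-Date) } else { $null }

    [pscustomobject]@{
        Status        = $sig.Status
        StatusMessage = $sig.StatusMessage
        Subject       = if ($cert) { $cert.Subject }    else { $null }
        Issuer        = if ($cert) { $cert.Issuer }     else { $null }
        Thumbprint    = if ($cert) { $cert.Thumbprint } else { $null }
        NotAfter      = if ($cert) { $cert.NotAfter }   else { $null }
        CertExpired   = $expired
        Timestamped   = $null -ne $sig.TimeStamperCertificate
        SHA256        = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
    } | Format-List
} else {
    Write-Warning "$file not found"
}
```

Read CertExpired together with Timestamped: an Authenticode signature that was timestamped while the certificate was still valid continues to verify after the certificate's NotAfter date.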
Install Comodo firewall on another PC. The first time an error occurred.
I tried SFC, DISM, and installed all VC++ 2005~2019.
Event log errors stop increasing after removing the Comodo firewall.
It is my understanding that sfc checks system files for integrity, and replaces with good files if any bad ones found.
So, would that not cause problems for Comodo if Comodo’s purpose-built guard64.dll is replaced with a standard system dll, i.e. make it (Comodo) a bit of a NOP,
or at least cause some other problem.
So, I would suggest that the audit failure could be the cause of a bit more than a cosmetic / no effect type mischief maker.
EDIT: Does the audit failure disappear after sfc is run? If so, then does that neuter CIS, or cause the problems that others have described?
It is often suggested that sfc [system file checker] is used (command line as Admin) where the OS is having problems [where it is at least possible that Comodo will get broken too].
EDIT: By the way, in the Comodo Support menu [above About], there is a Diagnostics option to try to detect and repair the Comodo installation,
it is a good idea to try this with internet access where it seems to try to download any broken files [or at least report the problems found],
it sometimes says “problems were found but could not be fixed”, quite often a second try at diagnostics says “no problems found” (try 2nd Diagnostics after a re-boot).
Someone suggested in reply to me that I provide more details, especially if I were running Avast. In fact, I am running Avast (antivirus only, not their firewall which I believe is inferior to Comodo w/resp. to my needs and desires), and it was Avast that was generating this message and disabling that dll. I discovered this by searching for the file named in the error box margin and reading its properties. I tried whitelisting the Comodo dll in Avast to no avail, but shortly thereafter the problem went away and I removed the file path from the Avast whitelist. Everything is fine now.
I suspect that Avast was blocking Comodo. If so, and if this was deliberate I believe it was a very unethical business practice on the part of Avast. Someone at Avast must have realized this and fixed it.
More likely that Avast detected the audit failure and disabled guard64.dll because of this [and later became aware that it was part of Comodo, perhaps became aware due to your attempt to whitelist it].