Windows Security Auditing events referencing 0patchLoader.dll or 0patchLoaderX64.dll

Mitja Kolsek -

The Security log may show multiple "Microsoft Windows Security Auditing" events with ID 6281 and the following text:

Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.

File Name: \Device\HarddiskVolume2\Program Files (x86)\0patch\Agent\0patchLoaderX64.dll

 

We haven't been able to determine why Windows log these events despite our DLLs being properly signed, but "Code Integrity" comes in various flavors on Windows, from preventing non-Microsoft-signed drivers from loading under Secure Boot, to preventing non-Microsoft-signed DLLs from getting loaded into certain processes such as Edge's rendering processes on Windows 10. It is possible that we have stumbled on some undocumented Windows behavior.

We currently aren't aware of any way to prevent these events from being logged with our present design of 0patch Agent, so we recommend ignoring them when they reference 0patchLoader.dll or 0patchLoaderX64.dll.

 

Have more questions? Submit a request

4 Comments

  • 0
    Avatar
    brokenmarbles

    It has been over a year since the publication of this article and the Audit Failures of Event ID 6281 referencing the Loader DLLs  causing the error have not been addressed and still occur to this day? What is going on here?

    The Event ID is triggered by opening the 0patch Console. Although the DLLs are correctly signed according to 0patch, it still begs the question: "Why hasn't this been fixed since it involves system integrity?"

    Audit Failures are serious business since it involves System Integrity.

    If 0patch can figure a way to patch vulnerabilities that Microsoft can't or won't, then why can't 0patch configure its Console Program to open without triggering an Audit Failure?

    On a side note, I bought 0patch Pro recently and only two Applications needed patched. Obviously the rest were handled properly by Microsoft, which include the 900 that are enabled by 0patch automatically.

    So I guess another question I have, is did I just buy a product to get only two patches?

    I'll monitor the product closely for a year, and if I don't see any new patches between now and then, then it means I bought two patches for almost thirty bucks and it would be more computer snake oil that I fell for because Microsoft won't patch the Spooler Subsystem or Host Processes for Windows Services.

    Actually, the publication is two years old:

    Edited by brokenmarbles
  • 0
    Avatar
    Mitja Kolsek

    Hi brokenmarbles, thank you for your post. We haven't forgotten about this but honestly don't know what to do to get rid of these events. The DLL in question is properly signed (if you manually check its signature, Windows will show you everything's okay) but for some reason, some Windows component is complaining about its signature, scaring our users, and cluttering their event logs. We're not the only ones with this problem either; see this Comodo support thread going back to 2009, and numerous other cases a Google search finds. Microsoft's documentation on this event talks about "unsigned driver or system file," but our DLL is neither, and, again, is properly signed. We plan to redesign 0patch Agent to improve it on various fronts, which will likely resolve the issue at hand as a side effect.

    As for the number of currently relevant patches on your computer, this depends heavily on the Windows version you're using. On fully-updated, still-supported Windows versions (ones still receiving free Windows updates), you're likely to only see our patches for 0days or "wont fix" issues as relevant, and these may come and go depending on when Microsoft decides to fix them. We'd appreciate your making a support request (email to support@0patch.com) with information about your Windows version and a screenshot of 0patch Console on page PATCHES -> RELEVANT PATCHES so we can take a deeper look at your situation.

    Cheers, Mitja

  • 0
    Avatar
    brokenmarbles

    Thank you for your quick reply Mitja.

    I did look at the digital Signatures and Certificates, and indeed they did all check out as you implied.

    Upon further reading your informative articles, I'm left at ease knowing that 0patch is dedicated to supporting their customers and product.

    At this time, hence reading your in depth published articles on the product, I see no need to start a support request email at this time.

    Although, I'm still not exactly sure what 0patch is doing that Microsoft Updates are failing to do, other than addressing the printer Nightmare vulnerability Bug and rpcss.dll/KrbRelay Local Privilege Escalation and RemotePotato0 NTLM Relay Attack that Microsoft refuses to address on a current up-to-date Windows 10 operating system.

    I was told in TenForums, that 0patch allows users to run out-of-date operating systems past their end-of-life terms; but honestly don't understand what exactly the benefits are of using 0patch on current up-to-date Operating Systems at this time, other than the two modules that were patched on my system.

    Like I mentioned in my first comment, if by the end of the 0patch Pro Subscription or (09/06/2023) I don't see more than my current two modules patched, or more than the already 900 existing Licensed patches, then it will leave me wondering and scratching my head as to what exactly 0patch is doing that Microsoft isn't.

     

  • 0
    Avatar
    Mitja Kolsek

    Hi brokenmarbles, please see this article about the value 0patch provides on a still-supported Windows system with Windows Updates regularly applied:
    https://0patch.zendesk.com/hc/en-us/articles/360011687600

    While you currently see two relevant patches on your computer, a couple of 0day patches we've issued earlier this year were also relevant at some point but have since been patched by Microsoft:

    1) Follina - https://blog.0patch.com/2022/06/free-micropatches-for-follina-microsoft.html

    2) DogWalk - https://blog.0patch.com/2022/06/microsoft-diagnostic-tools-dogwalk.html

    3) CVE-2022-26904 - https://blog.0patch.com/2022/03/a-bug-that-doesnt-want-to-die-cve-2021.html

    The value of having 0days patched as quickly as possible instead of waiting for the original vendor to provide official fixes is obviously different for different types of users.

    Cheers, Mitja

Please sign in to leave a comment.