Audit Failure after Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.331.1168.0)


YuriS10101

Hi all, two days ago my Windows Defender loaded new updates, and right after (i.e. 8 minutes after) I started getting errors (this is from Reliability Monitor):


Description
Faulting Application Path: C:\Windows\System32\svchost.exe

Problem signature
Problem Event Name: BEX64
Application Name: svchost.exe_LxssManager
Application Version: 10.0.19041.546
Application Timestamp: 058e175a
Fault Module Name: ucrtbase.dll
Fault Module Version: 10.0.19041.789
Fault Module Timestamp: 2bd748bf
Exception Offset: 000000000007286e
Exception Code: c0000409
Exception Data: 0000000000000007
OS Version: 10.0.19041.2.0.0.256.48
Locale ID: 1033
Additional Information 1: 3133
Additional Information 2: 3133c33d07a77e5380eb4466855ba877
Additional Information 3: a27e
Additional Information 4: a27e8094a9e9149387a666cabef0785d

Extra information about the problem
Bucket ID: 5f23db7e829af97c72132953f1caa969 (1302430157755820393)



LxssManager, as I understand, is a part of WSL, and I need WSL for my work. Right at that time WSL stopped working with this error:

C:\WINDOWS\system32>wsl
The remote procedure call failed.


In the Event Log I can clearly see that every time I try to start WSL, LxssManager crashes AND I get an Audit Failure:


Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.
File Name: \Device\HarddiskVolume1\Windows\System32\aepic.dll


<Event xmlns=" ">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>6281</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12290</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2021-02-19T03:26:19.9781773Z" />
    <EventRecordID>614692</EventRecordID>
    <Correlation />
    <Execution ProcessID="4" ThreadID="11840" />
    <Channel>Security</Channel>
    <Computer>armagedon</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="param1">\Device\HarddiskVolume1\Windows\System32\aepic.dll</Data>
  </EventData>
</Event>



So I assumed that my aepic.dll is somehow corrupted, but sfc /scannow doesn't find anything, and Dism.exe /online /cleanup-image /ScanHealth (and the other dism.exe variations I found on forums) doesn't find anything corrupted either.

In desperation I just tried to download the latest version of aepic.dll from dll-files.com and was going to replace it by hand (changing permissions to myself, since otherwise it had TrustedInstaller as owner) - but surprisingly I couldn't replace it, because the file is apparently in use by Windows (when I try to overwrite it, Windows Explorer says it's open in another program).


Trying to somehow disable Code Integrity checks for it was unsuccessful; I couldn't find any instructions on how to do that (exclusions for Code Integrity in Windows Defender work only for .exe files - and yes, I tried this for wsl.exe - it didn't work).


I tried to install all the updates that I had pending in the update center, including the Windows 20H2 update - and that changed nothing as well.


So my question is - how can I fix this file, or maybe I can disable Code Integrity checks, or maybe just uninstall this security update (I can't find how to uninstall it). I don't want to reinstall the whole of Windows, as I would lose tons of configuration of my development environment, and I need WSL for docker-desktop and so on.


Please any suggestions are welcome as I am desperate at this point :)


P.S. Microsoft Windows [Version 10.0.19042.804]


Edition Windows 10 Pro

Version 20H2

Installed on ‎6/‎22/‎2020

OS build 19042.804

Experience Windows Feature Experience Pack 120.2212.551.0
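The post shows an Event ID 6281 audit failure for aepic.dll and then reaches for sfc, DISM and a hand replacement. The script below is an added example (not from the original post or from Microsoft) of how a practitioner would first let the Security log name the files and then inspect each one's signature state in place. It reads the 6281 events, maps the `\Device\HarddiskVolumeN\...` NT path the event carries back to a drive letter by asking the object manager (QueryDosDevice, via Add-Type), and reports the catalog/Authenticode status, version, timestamp and SHA-256 of each file alongside the currently installed Defender security intelligence version. It assumes an elevated PowerShell 5.1+ prompt (the Security log is not readable otherwise) and that the event's first EventData field (`param1`) is the file path, as in the XML above; `Get-DriveDeviceMap`, `ConvertTo-DosPath`, `Get-CodeIntegrityFailures` and `Test-SystemFileSignature` are names chosen here, not built-in cmdlets.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
# Assumption: EventData's first field (param1) of Event ID 6281 is the file path,
# as in the event XML quoted in the post; nothing else in the event is relied on.

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint QueryDosDevice(string lpDeviceName,
    System.Text.StringBuilder lpTargetPath, int ucchMax);
'@

function Get-DriveDeviceMap {
    # Build { "\Device\HarddiskVolume3" = "C:" } from the object manager instead of
    # guessing which HarddiskVolumeN is the system drive (it is often not volume 1).
    $map = @{}
    foreach ($d in [System.IO.DriveInfo]::GetDrives()) {
        if ($d.DriveType -ne 'Fixed') { continue }
        $letter = $d.Name.TrimEnd('\')          # "C:"
        $sb = New-Object System.Text.StringBuilder 1024
        if ([Win32.Native]::QueryDosDevice($letter, $sb, $sb.Capacity) -gt 0) {
            $map[$sb.ToString()] = $letter
        }
    }
    return $map
}

function ConvertTo-DosPath {
    param([Parameter(Mandatory)][string]$NtPath, [Parameter(Mandatory)][hashtable]$Map)
    foreach ($device in $Map.Keys) {
        if ($NtPath.StartsWith("$device\", [System.StringComparison]::OrdinalIgnoreCase)) {
            return $Map[$device] + $NtPath.Substring($device.Length)
        }
    }
    return $null
}

function Get-CodeIntegrityFailures {
    # Event 6281: "Code Integrity determined that the page hashes of an image file are not valid."
    param([datetime]$Since = (Get-Date).AddDays(-7), [int]$MaxEvents = 200)
    $filter = @{
        LogName      = 'Security'
        ProviderName = 'Microsoft-Windows-Security-Auditing'
        Id           = 6281
        StartTime    = $Since
    }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                NtPath = [string]$_.Properties[0].Value   # param1
            }
        }
}

function Test-SystemFileSignature {
    param([Parameter(Mandatory)][string]$Path)
    # Windows system binaries are normally catalog-signed: SignatureType 'Catalog',
    # Status 'Valid', IsOSBinary True. 'HashMismatch' or 'NotSigned' on a System32
    # file means the bytes on disk no longer match what the catalog expects.
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $item = Get-Item -LiteralPath $Path
    [pscustomobject]@{
        Path          = $Path
        Status        = $sig.Status
        SignatureType = $sig.SignatureType
        IsOSBinary    = $sig.IsOSBinary
        Signer        = $sig.SignerCertificate.Subject
        FileVersion   = $item.VersionInfo.FileVersion
        LastWriteUtc  = $item.LastWriteTimeUtc
        Sha256        = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

# --- main ----------------------------------------------------------------------
$defender = Get-MpComputerStatus
$banner = 'Defender platform {0}, security intelligence {1} (updated {2})'
$banner -f $defender.AMProductVersion, $defender.AntivirusSignatureVersion, $defender.AntivirusSignatureLastUpdated

$map      = Get-DriveDeviceMap
$failures = @(Get-CodeIntegrityFailures)
'{0} Code Integrity audit failure(s) in the last 7 days' -f $failures.Count

$failures | Select-Object -ExpandProperty NtPath -Unique | ForEach-Object {
    $dos = ConvertTo-DosPath -NtPath $_ -Map $map
    if ($dos -and (Test-Path -LiteralPath $dos)) {
        Test-SystemFileSignature -Path $dos
    } else {
        Write-Warning "Could not map or find $_"
    }
} | Format-List
```

Two things to keep in mind when reading the output. `Get-AuthenticodeSignature` validates the whole-file hash against the signed catalog; the 6281 event is about per-page hashes, which the loader checks separately, so a file can report `Valid` here and still trip the audit (if the Windows SDK is installed, `signtool verify /ph <file>` prints and verifies the page hashes as well). Second, the `LastWriteUtc` and `FileVersion` columns are the quickest way to tell whether the flagged file was actually touched by a recent update or is the original image; a file whose hash matches the catalog and whose timestamp predates the update points away from on-disk corruption, which is consistent with `sfc` and `DISM` reporting nothing.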
