Audiodg.exe reads 5500< *.cat files in Windows\System32\catroot folder becouse build-in l3codeca.acm wrong signed or somthing

Maks Cur 196 Reputation points
2020-10-15T13:33:08.19+00:00

Hello.

Can we just disable mp3 codec: Fraunhofer IIS MPEG Layer-3 Codec (l3codeca.acm or l3codecp.acm)? How does they used? Can windows work without it without any problems?

We have VDI on Windows Server 2012R2 + Windows 8.1 Ent x64 VMs.

I check that situation on our corporate image with soft and on clean install from official *.iso after installing updates. It's hapened when we use RDP, not local logon:

Every time, when user logon via RDP (with sound pass-throw) into VM it's start audiodg.exe process for initiation of audio components. Example: after auto-startup Lync, or if we open sound mixer and press test, or trying open microphone settings. All that operations stucking and waiting, when audiodg.exe will finish "initiation" proecess and all audio continue work. Audiodg.exe trying load audio codecs .acm. And when loading "C:\Windows\System32\l3codeca.acm" (or l3codecp.acm if we setting up it in the registry) process trying check digital sign of codec - but that codec have wrong hash or somthing and becouse of this audiodg.exe compare hash of that file with hash in .cat files in windows\catroot\ folder - ~5500 files (yeah). And it's hapend every time, when user login again, after reboot of test VM or auto-apply checkpoint of VDI VM.

It's generate alert 6281 in Security log:

Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.
File Name: \Device\HarddiskVolume2\Windows\System32\l3codeca.acm

About embedded sign and catroot. I think it's situation but with codec and not system startup:

Having an embedded signature saves significant time during system startup because there is no need for the system loader to locate the catalog filefor the driver at system startup. A typical computer might have many different catalog files in the catalog root store (%System%\CatRoot). Locating the correct catalog file to verify the thumbprint of a driver file can require a substantial amount of time.

Sorry for bad english.

Added:

Log Name:Microsoft-Windows-CodeIntegrity/Operational

Event 3002:

Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\l3codeca.acm because the set of per-page image hashes could not be found on the system.

Windows
Windows
A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.
4,517 questions
Remote Desktop
Remote Desktop
A Microsoft app that connects remotely to computers and to virtual apps and desktops.
4,143 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Eleven Yu (Shanghai Wicresoft Co,.Ltd.) 10,666 Reputation points Microsoft Vendor
    2020-10-16T05:19:44.873+00:00

    Hi,

    Please refer to below article to see if the event 3002 error could be resolved.

    Event ID 3002 — User-mode Protected Media Path File Validation
    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc734001(v=ws.10)?redirectedfrom=MSDN

    Thanks,
    Eleven

    ----------

    If the Answer is helpful, please click "Accept Answer" and upvote it.