Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 64004 Source: WindowsFileProtection

The protected system file <file> could not be restored to its original, valid version. The file version of the bad file is <file version>. The specific error code is <error code> [<error description>].
See ME816197 for a hotfix applicable to Microsoft Windows 2000.
I received this error thousands of times (filling up several system logs) over 2 days until I discovered it was being caused by the W32.Pinfi virus. This virus is also called W32/Pate or W32/Parite. This virus adds approximately 177K of garbage to “.exe” and “.scr” files. Removal is simple. Follow the directions at Symantec Security Response W32.Pinfi. After the removal of this virus, the WFP errors stopped.
From a newsgroup post: "Like a handful of other users, I have been seeing the mysterious Event
ID 64004 "Windows File Protection" turning up in my system log lately. The affected servers definitely have been repeatedly infected with the W32.ElKern.4926 virus (naming per Symantec's virus list), and I believe that the files that are generating my 64004 events are those that are currently infected by this virus. Unfortunately, I am having a hard time cleaning those files out, and Symantec's client is not telling me why it is successfully cleaning some files, and failing to clean others. Well, the virus can definitely infect any portable executable, including those in the %SYSTEMROOT%\system32 directory, I know, because it did. Symantec's encyclopedia indicates that W32.ElKern.4926 may infect a single portable executable multiple times, which can then result in files that cannot be cleaned. In the end, I was able to clean every infected file I found (approximately 5, 000 files on a dozen servers). It appears that some files, even after being successfully cleaned by Symantec's client, end up with a damaged digital signature (at best), which I suspect was triggering the 64004 errors, when those files were called. I'm talking here of critical system files like CSRSS.EXE, LSASS.EXE and even WINLOGON.EXE, all of which I've seen infected by W32.ElKern.4926 (and simultaneously, and subsequent to cleaning, implicated in 64004 messages). What I did was to restart the server, with realtime file protection active, stop any non-critical services, and scan the entire disk. Because I was still getting 64004 messages, still had some critical files showing un-cleanable infections (because those files were open), and because I just did not trust the integrity of many of my files at this point anyway, I simply reinstalled Service Pack 3. After that, 64004 messages stopped, scans showed no virus, and everything seems OK".
I have several Windows 2000 Servers that have begun persistently logging this error to the system log, for a variety of files. I believe that these files are either currently infected with a virus (W32.ElKern.4926, in particular), or were previously infected with that virus (it is possible that attempts to remove the virus from the file damaged the digital signature used by Microsoft and partner vendors to ensure file integrity).
It happened when server was being backed up using Veritas Open File Option. As soon as Open File Option stopped, error stopped.

This event can occur when a program replaces newer system files with older ones of its own. Using from the command line "sfc /purgecache" can solve the problem. See Windows File Protection link below. Also applying the latest service pack may help.

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to



Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.