HotCakeX
Dec 29, 2019

[SOLVED] Memory Integrity bounces back to "turned off" state after Windows restart - fast ring 19536

This is an old post and the issue is no longer relevant.

 

This has been happening since a couple of builds ago as well.

I turn on Memory Integrity in the Core isolation section of Windows Defender, then after a restart or two, I go check again and see it's turned off.

It usually happens when I uninstall a program that needs to be restarted. But it also happens when I uninstall software that does not need a Windows restart to finish the uninstall process.

 

https://aka.ms/AA6xajf

 

  • helzayat
    Copper Contributor
    Build 22621.2215 here. Memory Integrity is turned off every time I restart the computer.
    Turning it on requires a restart, so every restart is now two. I now dread doing anything that requires a restart and keep wondering what would really be wrong with running with Memory Integrity off (except for the annoying exclamation mark in the Defender icon).
    • HotCakeX
      MVP
      Make sure virtualization features of your CPU are turned on in the UEFI.
      • jimp335
        Copper Contributor

        I have this problem. I had two files that were shown to be the problem. I removed them, one by renaming and the other by uninstalling a program. Neither shows up as causing the problem. I also have virtualization turned on in my Gigabyte BIOS. When I restart the machine after re-enabling memory integrity, it turns the integrity back off with no explanation. I tried fully turning off the machine and then turning it back on, but that did not help. Are there other ideas that I can try?

        TIA

        jim

        HotCakeX 

    • Deleted

      helzayat  

      KB5029351 - this is a preview, so your computer is a private device, I really think that you do not have to fear anything, moreover, if you enable the memory integrity and do not restart - then definitely changing the settings will not start, so you only waste time!

       

       

  • TechTroubler
    Copper Contributor
    I see you haven’t received any reply or response for this issue. I have recently noticed the same issue. It seems that after activating and restarting Windows, core isolation is activated, but upon any following system restart core isolation will be disabled. It does not occur if the system is shut down and during start up. It only occurs if the system is restarted after core isolation has been enabled.

    It is a very concerning bug. I have reason to suspect malware or system configuration with regards to permission or access control. It also could have been due to the security software I was using, Bit Defender; maybe certain Windows security parameters were changed.

    I hope someone actually has a valid fix to the issue.
    • StefaniaCastelli
      Brass Contributor

      TechTroubler 

       

      In my case, the machine seems fully compromised; and even if no performance degradation, no strange attitudes (except for the one in subject), no loss of documents or other occurrences happens, I have tons of duplicated Microsoft drivers loaded on boot, to keep the state of the things "as is".
      I mean:
      - Different BIOS
      - A section "Firmware" (brand new) in Device Manager that's related to another machine to keep the fake BIOS "as is"
      - Intel i7 Microcode (sixth generation - Skylake) altered

       

      and I could go on and on and on. (I attached a couple of meaningful screenshots).
      Anyway, I don't think I am fully in the hands of a "Spectre" variant.
      Some of these things may be the consequence of my studies/experiments with Azure/Intune/Defender Endpoint Protection, that now "administer" some parts of my own identity and hardware security.

      The Microcode, Firmware, UEFI and "Secure Boot" failures are great problems for all the brands that adopted UEFI boot instead of MBR BIOS.
      I have a couple of 2008 "Core Duo" with 8 GB DDR2 RAM that are my safe docks (just in case we're in front of a foreign deliberated Warfare ACT).

      A couple of links among the many:
      NVD - CVE-2022-25368 (nist.gov)
      New Variant of Spectre Attack Bypasses Intel and Arm Hardware Mitigations | SecurityWeek.Com
      AMD Product Security | AMD

      Microsoft offers a 100,000 $ bounty for further info and solutions on these matters

       


       

  • HotCakeX 

     

    I was seeing this issue as well and here is how I resolved it. After 2 weeks, it's stayed enabled after reboots, hibernate, etc.  I do not have any incompatible drivers that would conflict with HVCI / Memory Integrity and turn this off, so it's not a driver causing this.

     

    For me, the solution was to disable and then re-enable hibernate so a new hiber.sys file would be created with the necessary memory encryption for when "Memory Integrity" is ON.  I primarily use Hibernate to shutdown at night.

     

    1. Open an Admin Command prompt and execute the below to delete the hiber.sys file and BCD boot entries

     

    powercfg /hibernate off

     

    2. Turn on Memory Integrity and reboot.

    3. Open an Admin Command prompt and enable hibernate.

     

    powercfg /hibernate on
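
    A way to record whether Memory Integrity survives each restart while testing the steps above (added example, not part of the original post and not Microsoft's own tooling). It compares the configured HVCI setting with what the Device Guard WMI class reports as running for the current boot; the function name and the log path are arbitrary choices made for this example.

```powershell
# Added example: run in an elevated PowerShell session after every restart.
function Get-MemoryIntegrityState {
    # Configured state: the documented HVCI registry setting.
    $hvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
    $configured = (Get-ItemProperty -Path $hvciKey -Name Enabled -ErrorAction SilentlyContinue).Enabled

    # Running state: what Device Guard reports for this boot.
    # VirtualizationBasedSecurityStatus 2 = VBS enabled and running.
    # SecurityServicesRunning contains 2 when HVCI (Memory Integrity) is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # Hibernate setting, relevant to the powercfg steps in the post above.
    $powerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
    $hibernate = (Get-ItemProperty -Path $powerKey -Name HibernateEnabled -ErrorAction SilentlyContinue).HibernateEnabled

    [pscustomobject]@{
        Timestamp        = Get-Date -Format o
        LastBoot         = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
        HvciConfigured   = ($configured -eq 1)
        VbsRunning       = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        HvciRunning      = ($dg.SecurityServicesRunning -contains 2)
        HibernateEnabled = ($hibernate -eq 1)
    }
}

$state = Get-MemoryIntegrityState
$state | Format-List

if ($state.HvciConfigured -and -not $state.HvciRunning) {
    # Setting is on, but the protection did not start for this boot.
    Write-Warning 'Memory Integrity is configured but not running for this boot.'
}
elseif (-not $state.HvciConfigured) {
    # The setting itself is off, which matches the symptom described in this thread.
    Write-Warning 'Memory Integrity is not configured (setting is off).'
}

# Append one row per check so restarts, shutdowns and hibernate cycles can be compared.
# The path below is an arbitrary location chosen for this example.
$log = Join-Path $env:TEMP 'hvci-state.csv'
$state | Export-Csv -Path $log -Append -NoTypeInformation
```

    Comparing rows by LastBoot shows whether the setting itself was reset or whether it stayed on and the protection simply failed to start.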

     

     

     

    • jimp335
      Copper Contributor

      Keith_KeplerMS 

      thanks. I’ll give it a try. Any ideas why a hibernate command causes the issue?

       

       Jim

      • Keith_KeplerMS
        Microsoft

        jimp335 

        From what I understand, it has to do with the entire Dynamic Root of Trust Measurement (DRTM) boot process when hibernate is involved. (Force firmware code to be measured and attested by Secure Launch on Windows 10 | Microsoft Security Blog)

         

        I thought, perhaps when my hiberfil.sys file was created, it (and the relevant BCD entries) were made without the necessary signatures to support Memory Integrity or it was made with a prior release of Windows where security feature X or Y did not exist yet.   So, I took a logical leap of faith and removed it and recreated it "after" having Memory Integrity on.  I was pleasantly surprised to find it resolved my issue.  

         

        FYI: My device is a corp Entra joined device with BitLocker/Secure Boot enabled. 

         

    • helzayat
      Copper Contributor

      I tried this but unfortunately in my case it was not the solution. Problem persisted after new hiber.sys was created.