This has just happened to me (out of nowhere) on SEVERAL COMPUTERS that all share the same internet connection. Literally out of nowhere, I did not install anything and it was not present yesterday. Thus, this looks like an attack more than just a random occurrence.
I got this yesterday also. The DISM RestoreHealth froze at 62.3%; I closed that and ran chkdsk and sfc (sfc found issues, ran again, found nothing). Prior to that I reinstalled my Norton 360
after I left feedback in the Norton panel.
Never had this happen before.
Not sure why this is happening, but saw mention below of beta.
Microsoft's Insider Previews have never before, as far as I can recall, caused this message to appear. Why now?
Apparently the latest insider version changed something that Norton was not expecting.
Thanks for the tip. Not sure what could be different with the Insider this time; from the KB notes it wasn't anything major changed.
Maybe some new file or .exe Norton caught, who knows.
Hope it gets resolved.
All: What are the DISM command lines you are using for the Insider DISM issues? And are you running them from a command prompt or from within PowerShell with admin?
SA
@Lyrically20038 Unfortunately we cannot give suggestions regarding the Avast product line here. Although it shares the same engine with Norton, there are differences we do not have access to. Thanks for sharing the Avast similarities for the Admins to review and give back to the dev teams to look at.
SA
If you look in the %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx log, I assume you will see an error, Event ID 3033 and in the CI Verbose log:
%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-CodeIntegrity%4Verbose.evtx
If enabled, when the error occurs, you will see RequestedSigningLevel = 12, which is Windows signed. 8, for example, is "Microsoft". A third-party dll will never be signed as "Windows", which is the issue here and the reason for the error. You get this with processes like svchost.exe hosting the dosvc as it is Protected and also requires signing level 12 for a module. The question is then why now? I suspect KB5052093.
@user4278 Good thoughts. KB5052093 was released in February, pulled due to installations failing, then re-released. It's the service stacking update for Windows Updates in build 26100.3323. Microsoft says the March Patch Tuesday releases should fix any remaining errors, as SS can and does cause issues with DISM functionality.
SA
It miraculously disappeared last night.
@KnightDelta Did your machine by chance get any updates to your Norton install or from Microsoft?
SA
No, it simply stopped happening. Keep in mind there are several PCs on my internet connection, all of them started receiving this message without updating/installing anything, and all together stopped. Again, this looks like a type of attack against Norton, because there is nothing else that seems to connect.
Correction: maybe a hostile takeover attempt that they then undid? I have literally no idea.
My best answer is, from what is posted here regarding event ID 3033, that is related to LSASS. Malware does try to fake itself as that process in some cases.
And the other issue that is a red flag is KB5052093 that is directly related to the Windows Updates Service Stacking component of Windows. If running DISM commands that update as posted earlier has an issue with DISM that is being remediated.
Edited: Has anyone run DISM without an internet connection to verify that method fails?
Thirdly, Microsoft is known to perform a silent removal in certain instances; this will reset user settings and, at times, cause data loss. Has anyone seen any updates that were previously installed that aren't there currently? TIA.
SA
FYI!!
Everything is now working. I have not changed versions of Windows, so I'm wondering what Norton changed?
@rawintellect43952 Did your Norton version update and change? If so, that would be where the change is, and we (Gurus) are unaware of what that change is if Norton updated.
SA
I believe I understand what has happened.
Prior to the issue, we would have had, for example: C:\Windows\system32\ntoskrnl.exe - SHA256: F17B73CB132AC289BD40247685EE07E92786E7667CF50440C1A37D5110869E5F
Then if you allowed:
February 25, 2025 - KB5052093 (OS Build 26100.3323) Preview you had: C:\Windows\system32\ntoskrnl.exe - SHA256:
95E38650E89F0151E35E27E2B71F505D52304C117EDDCB448969E85C1657427D - 10.0.26100.3323 (WinBuild.160101.0800)
Finally MS have released
March 11, 2025 - KB5053598 (OS Build 26100.3476) has now been released, which has updated C:\Windows\system32\ntoskrnl.exe again.
10.0.26100.3476 (WinBuild.160101.0800)
SHA256 - 0FB338E78146CDA5ECA21415A88BE60DA38121DF48E1B3E9E73401EE9184FBCE
If you look into the strings within C:\Windows\System32\ntoskrnl.exe, the original list included
sppsvc.exe
genvalobj.exe
wininit.exe
lsass.exe
userinit.exe
winlogon.exe
autochk.exe
securityhealthservice.exe
sgrm\sgrmbroker.exe
SIHClient.exe
azshci\HciSvc.exe
fclip.exe
wintesttcbpp.exe
wintesttcbppl.exe
wintestpp.exe
wintestppl.exe
smss.exe
werfaultsecure.exe
csrss.exe
services.exe
wintestnpp.exe
codegentestppl.exe
amtestppl.exe
authtestpp.exe
wintestaudit.exe
KB5052093 added 3 to this: dism.exe, sfc.exe and poqexec.exe
C:\tool\strings64.exe C:\Windows\System32\ntoskrnl.exe | Select-String -Pattern "sfc.exe","dism.exe","poqexec.exe","codegentestppl.exe"
dism.exe
sfc.exe
poqexec.exe
codegentestppl.exe
KB5053598 (March) removed them again:
C:\tool\strings64.exe C:\Windows\System32\ntoskrnl.exe | Select-String -Pattern "sfc.exe","dism.exe","poqexec.exe","codegentestppl.exe"
codegentestppl.exe
The problem appears to be caused by an updated process list in C:\Windows\System32\ntoskrnl.exe, which included sfc.exe, dism.exe and poqexec.exe.
Looking at the history of versions of C:\Windows\system32\ntoskrnl.exe,
F17B73CB132AC289BD40247685EE07E92786E7667CF50440C1A37D5110869E5F → 95E38650E89F0151E35E27E2B71F505D52304C117EDDCB448969E85C1657427D → 0FB338E78146CDA5ECA21415A88BE60DA38121DF48E1B3E9E73401EE9184FBCE
95E38650E89F0151E35E27E2B71F505D52304C117EDDCB448969E85C1657427D was the February 25, 2025 - KB5052093 (OS Build 26100.3323) Preview release which caused the issue.
March 11, 2025 - KB5053598 (OS Build 26100.3476) has now been released, which reverted the list of processes, removing sfc.exe, dism.exe and poqexec.exe.
Latest version test:
C:\tool\strings64.exe C:\Windows\System32\ntoskrnl.exe | Select-String -Pattern "sfc.exe","dism.exe","poqexec.exe","codegentestppl.exe"
codegentestppl.exe
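The kernel check from the post above can be repeated without strings64.exe, together with a pull of the Event ID 3033 entries mentioned earlier in the thread. This is an added example, not code from any poster, Norton or Microsoft; the three watched names and the log channel are taken from the thread, the variable names are illustrative, and it assumes an elevated PowerShell session.

```powershell
# Added example: which ntoskrnl.exe build is on disk, does it carry the three
# names the thread attributes to KB5052093, and are there recent 3033 events?
$kernel  = Join-Path $env:SystemRoot 'System32\ntoskrnl.exe'
$watched = 'dism.exe', 'sfc.exe', 'poqexec.exe'   # names quoted in the thread

# Identify the exact kernel image so results can be compared across machines.
$hash    = (Get-FileHash -LiteralPath $kernel -Algorithm SHA256).Hash
$version = (Get-Item -LiteralPath $kernel).VersionInfo.FileVersion

# Read the image once. Latin-1 (code page 28591) maps every byte to one char,
# so both the ASCII and the UTF-16LE form of a name can be searched in place.
$bytes = [System.IO.File]::ReadAllBytes($kernel)
$text  = [System.Text.Encoding]::GetEncoding(28591).GetString($bytes)
$cmp   = [System.StringComparison]::OrdinalIgnoreCase

$found = foreach ($name in $watched) {
    # UTF-16LE form: each character followed by a zero byte.
    $wide = ($name.ToCharArray() -join "`0") + "`0"
    [pscustomobject]@{
        Name    = $name
        Ascii   = $text.IndexOf($name, $cmp) -ge 0
        Utf16LE = $text.IndexOf($wide, $cmp) -ge 0
    }
}

# Most recent Code Integrity 3033 events; the channel name corresponds to
# Microsoft-Windows-CodeIntegrity%4Operational.evtx on disk.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id      = 3033
} -MaxEvents 10 -ErrorAction SilentlyContinue

"ntoskrnl.exe version $version"
"SHA256 $hash"
$found | Format-Table -AutoSize
if ($events) {
    # The message text names the blocked module and the process that loaded it.
    $events | Select-Object TimeCreated, Id, Message | Format-List
} else {
    'No Event ID 3033 entries found in the Code Integrity operational log.'
}
```

Comparing the SHA256 and the presence table across the affected PCs shows whether they all run the same kernel build and whether the timestamps of the 3033 events line up with that build being installed.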