Calculating checksums with CertUtil

There are many utilities which can calculate file checksums.

However, in some cases it’s not an option to use a third-party tool. For instance:

  • The system is permanently or temporarily disconnected from a network.
  • Allowed software is restricted due to policies.


But Windows has a built-in tool, which can calculate file checksums: CertUtil

The syntax is:

certutil -hashfile file_to_check.bin [HashAlgorithm]


Among the supported hash algorithms are MD5, SHA1 and SHA256.

Be aware that the hash algorithm has to be in uppercase or the command can fail with:

CertUtil: -hashfile command FAILED: 0xd00000bb (-805306181)
CertUtil: WsResetMetadata


Example of use:

certutil -hashfile c:\Windows\System32\calc.exe MD5


MD5 hash of file c:\Windows\System32\calc.exe:
10 e4 a1 d2 13 2c cb 5c 67 59 f0 38 cd b6 f3 c9
CertUtil: -hashfile command completed successfully.

Adjust Power Options to prevent DRIVER_POWER_STATE_FAILURE (9f) BSOD

I recently updated the NIC driver on my work computer in an attempt to fix a BSOD problem.

Unfortunately it did not help. The computer would still regularly hang and eventually crash when shutting down to sleep mode with:

The computer has rebooted from a bugcheck. The bugcheck was: 0x0000009f (0x0000000000000003, 0xfffffa800d1eba10, 0xfffff80004d3a3d8, 0xfffffa802eba1c60).
A driver has failed to complete a power IRP within a specific time.


Decided to investigate the settings under: Control Panel -> Power Options


Noticed multiple settings called Link State Power Management and decided to disable them.

PCI Express -> Link State Power Management: Off

Low Power Active Mode profile -> Link State Power Management: No Power Saving

Idle mode optimization profile -> Link State Power Management: No Power Saving

(Expecting that the first setting under PCI Express was the important one, but disabled the others just in case)


It seems that none of the standard power plans disable these settings, not even High performance.

If you switch between multiple power plans, you will have to modify them all.


After modifying the power options I have shut down the computer to sleep mode successfully 15 times without a single hang.

Disabling PCIe Link State Power Management seems to have fixed the DRIVER_POWER_STATE_FAILURE (9f) BSOD problems.


My work computer recently hanged when shutting down to sleep mode.

When booting the computer the next day I realized that it had eventually crashed.

This happened again after disabling hyper-threading, so I decided to investigate.


Checked Event Viewer and found:

Log Name: System
Source: Microsoft-Windows-WER-SystemErrorReporting
Event ID: 1001
Task Category: None
Level: Error
Keywords: Classic
The computer has rebooted from a bugcheck. The bugcheck was: 0x0000009f (0x0000000000000003, 0xfffffa800cd5e060, 0xfffff80000b9a3d8, 0xfffffa802e232590). A dump was saved in: C:\Windows\MEMORY.DMP.


Searched online for BSOD 0x0000009f and found:–driver-power-state-failure


Examined the memory dump with WinDbg (x64).

Checked for details about the crash with:

!analyze -v

Part of the result:

A driver has failed to complete a power IRP within a specific time.
Arg1: 0000000000000003, A device object has been blocking an Irp for too long a time
Arg2: fffffa800cd5e060, Physical Device Object of the stack
Arg3: fffff80000b9a3d8, nt!TRIAGE_9F_POWER on Win7 and higher, otherwise the Functional Device Object of the stack
Arg4: fffffa802e232590, The blocked IRP


BUCKET_ID: X64_0x9F_3_POWER_DOWN_Rt64win7_IMAGE_pci.sys

FAILURE_ID_HASH_STRING: km:x64_0x9f_3_power_down_rt64win7_image_pci.sys


Checked for information about the I/O request packet with:

!irp fffffa802e232590


Irp is active with 5 stacks 4 is current (= 0xfffffa802e232738)
No Mdl: No System Buffer: Thread 00000000: Irp stack trace.
cmd flg cl Device File Completion-Context
[ 0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000
[ 0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000
[ 0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000
>[ 16, 2] 0 e1 fffffa800da84050 00000000 fffff800032ca230-fffffa800eb3bb50 Success Error Cancel pending
*** ERROR: Module load completed but symbols could not be loaded for Rt64win7.sys
\Driver\RTL8167 nt!PopSystemIrpCompletion
Args: 00015400 00000000 00000005 00000003
[ 0, 0] 0 0 00000000 00000000 00000000-fffffa800eb3bb50

Args: 00000000 00000000 00000000 00000000


Examined available information about Rt64win7 with:

lmvm Rt64win7


start end module name
fffff880`05c3a000 fffff880`05d39000 Rt64win7 (no symbols)
Loaded symbol image file: Rt64win7.sys
Image path: \SystemRoot\system32\DRIVERS\Rt64win7.sys
Image name: Rt64win7.sys
Timestamp: Fri Oct 07 11:27:12 2016 (57F76A70)
CheckSum: 0010CDA5
ImageSize: 000FF000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4


Found the driver file in Windows explorer under:


Then checked Properties. The details view confirmed that the driver was for the Realtek network interface card, version: 7.103.1007.2016.


Decided to look for a newer driver from Realtek.

Found, downloaded and installed the current latest version 7.109.

Unfortunately this was not the solution, the problems continued.

However, later on I discovered that adjusting power options seemed effective.

Error when copying large files to USB memory stick

While copying files to a new USB memory stick I encountered unexpected error messages in Windows.


Robocopy failed with:

2017/05/04 21:45:38 ERROR 87 (0x00000057) Copying File f:\Transport\Test\4GB.txt

The parameter is incorrect.


Cmd copy failed with:

The parameter is incorrect.


PowerShell Copy-Item failed with:

Copy-Item : The parameter is incorrect.
At line:1 char:10
+ Copy-Item <<<<  .\4GB.txt G:\
+ CategoryInfo          : NotSpecified: (:) [Copy-Item], IOException
+ FullyQualifiedErrorId : System.IO.IOException,Microsoft.PowerShell.Commands.CopyItemCommand


Windows explorer copy & paste failed with:

The file '4GB.txt' is too large for the destination file system.


This prompted me to check the file system, which was FAT32.

FAT32 has a file size limitation of 4 GB, a problem I have encountered before.

Like before I decided to reformat the USB memory stick to NTFS, which solved the problem.


My work computer recently crashed again with another BSOD.


Checked Event Viewer and found:

Log Name:      System
Source:        Microsoft-Windows-WER-SystemErrorReporting
Event ID:      1001
Level:         Error
Keywords:      Classic
The computer has rebooted from a bugcheck.  The bugcheck was: 0x000000c2 (0x0000000000000007, 0x000000000000109b, 0x0000000000000000, 0xfffffa800cd9d010). A dump was saved in: C:\Windows\MEMORY.DMP.


Examined the memory dump with WinDbg (x64).

Checked for details about the crash with:

!analyze -v

Part of the result:

The current thread is making a bad pool request.  Typically this is at a bad IRQL level or double freeing the same allocation, etc.
Arg1: 0000000000000007, Attempt to free pool which was already freed
Arg2: 000000000000109b, (reserved)
Arg3: 0000000000000000, Memory contents of the pool block
Arg4: fffffa800cd9d010, Address of the block of pool being deallocated

Debugging Details:

POOL_ADDRESS:  fffffa800cd9d010 Nonpaged pool



PROCESS_NAME:  vlc.exe


MODULE_NAME: avgtdia

IMAGE_NAME:  avgtdia.sys


Examined the call stack with:



Child-SP          RetAddr           Call Site
fffff880`0db9b1f8 fffff800`031c3bf9 nt!KeBugCheckEx
fffff880`0db9b200 fffff880`01f729c5 nt!ExAllocatePoolWithTag+0x1951
fffff880`0db9b2b0 fffff880`04272775 avgtdia+0xb9c5
fffff880`0db9b330 fffff880`042407bb afd! ?? ::GFJBLGFE::`string'+0xd64c
fffff880`0db9b550 fffff800`033b028e afd!AfdFastIoDeviceControl+0x7ab
fffff880`0db9b8c0 fffff800`033b0896 nt!IopXxxControlFile+0x6be
fffff880`0db9ba00 fffff800`0308c693 nt!NtDeviceIoControlFile+0x56
fffff880`0db9ba70 00000000`73b12e09 nt!KiSystemServiceCopyEnd+0x13
00000000`045af0f8 00000000`00000000 0x73b12e09


The driver avgtdia.sys seemed to cause the crash.


Examined information about the avgtdia driver with:

lm v m avgtdia


start             end                 module name
fffff880`01f67000 fffff880`01fad000   avgtdia    (no symbols)
Loaded symbol image file: avgtdia.sys
Image path: \SystemRoot\system32\DRIVERS\avgtdia.sys
Image name: avgtdia.sys
Timestamp:        Wed Jul 27 15:24:36 2016 (5798B614)
CheckSum:         00053AED
ImageSize:        00046000
Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4


Discovered that avgtdia.sys was: AVG Network connection watcher


This made me suspect that other BSOD crashes were also caused by AVG Internet Security:



I decided to uninstall AVG Internet Security using: AVG Remover

Installed replacement: Avira Antivirus


I used to experience 2 BSOD crashes per week on this computer.

After uninstalling AVG Internet Security, the computer has been running for 1 week without any crashes…

I hope that the root cause has been identified and that the computer will finally be stable and reliable.


Common causes for computer stability problems are failing hard disks, defective memory and buggy drivers.

It seems that some antivirus products can also cause stability problems, possibly combined with specific drivers or other system level software.


My work computer recently crashed with a BSOD just after inserting a USB 3.0 memory stick.

Considering the circumstances I suspected that a USB driver bug caused the crash.


Checked Event Viewer and found:

Log Name:      System
Source:        Microsoft-Windows-WER-SystemErrorReporting
Event ID:      1001
Task Category: None
Level:         Error
Keywords:      Classic
The computer has rebooted from a bugcheck.  The bugcheck was: 0x0000007e (0xffffffffc0000005, 0xfffff88001e685fe, 0xfffff8800394e5a8, 0xfffff8800394de00). A dump was saved in: C:\Windows\MEMORY.DMP.


Examined the memory dump with WinDbg (x64).

Checked for details about the crash with:

!analyze -v

Part of the result:

This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff88001e685fe, The address that the exception occurred at
Arg3: fffff8800394e5a8, Exception Record Address
Arg4: fffff8800394de00, Context Record Address

Debugging Details:

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

fffff880`01e685fe 4c8b00          mov     r8,qword ptr [rax]

EXCEPTION_RECORD:  fffff8800394e5a8 -- (.exr 0xfffff8800394e5a8)
ExceptionAddress: fffff88001e685fe (iusb3hub+0x00000000000235fe)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 0000000000000000
Attempt to read from address 0000000000000000

MODULE_NAME: iusb3hub

IMAGE_NAME:  iusb3hub.sys


Examined the call stack with:



Child-SP          RetAddr           Call Site
fffff880`0394d5d8 fffff800`0344cf24 nt!KeBugCheckEx
fffff880`0394d5e0 fffff800`0340a745 nt!PspUnhandledExceptionInSystemThread+0x24
fffff880`0394d620 fffff800`03101cb4 nt! ?? ::NNGAKEGL::`string'+0x21dc
fffff880`0394d650 fffff800`0310172d nt!_C_specific_handler+0x8c
fffff880`0394d6c0 fffff800`03100505 nt!RtlpExecuteHandlerForException+0xd
fffff880`0394d6f0 fffff800`03111a05 nt!RtlDispatchException+0x415
fffff880`0394ddd0 fffff800`030d5a82 nt!KiDispatchException+0x135
fffff880`0394e470 fffff800`030d45fa nt!KiExceptionDispatch+0xc2
fffff880`0394e650 fffff880`01e685fe nt!KiPageFault+0x23a
fffff880`0394e7e0 fffff880`01e4a2b6 iusb3hub+0x235fe
fffff880`0394e840 fffff880`01e4a055 iusb3hub+0x52b6
fffff880`0394e8b0 fffff880`01e4a7fd iusb3hub+0x5055
fffff880`0394e920 fffff880`01e5c9a7 iusb3hub+0x57fd
fffff880`0394e980 fffff880`01e5c3e4 iusb3hub+0x179a7
fffff880`0394ea90 fffff880`01e69b3b iusb3hub+0x173e4
fffff880`0394eb10 fffff800`033d2413 iusb3hub+0x24b3b
fffff880`0394eb40 fffff800`030df355 nt!IopProcessWorkItem+0x23
fffff880`0394eb70 fffff800`03371236 nt!ExpWorkerThread+0x111
fffff880`0394ec00 fffff800`030c7706 nt!PspSystemThreadStartup+0x5a
fffff880`0394ec40 00000000`00000000 nt!KxStartSystemThread+0x16


Apparently iusb3hub.sys caused an access violation by reading from address 0 (null pointer bug).


Examined information about the iusb3hub driver with:

lmv m iusb3hub


start             end                 module name
fffff880`01e45000 fffff880`01eaa000   iusb3hub   (no symbols)
Loaded symbol image file: iusb3hub.sys
Image path: \SystemRoot\system32\DRIVERS\iusb3hub.sys
Image name: iusb3hub.sys
Timestamp:        Fri Dec 18 16:59:07 2015 (56742D4B)
CheckSum:         0006D07A
ImageSize:        00065000
Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4


Noticed that the driver was more than 1 year old.

Found details about “Intel(R) USB 3.0 Root Hub” in Device Manager.


Decided to search for an updated driver.

Installed and ran Intel Driver Update Utility, which found a newer USB 3.0 driver (

Installed the updated driver and rebooted the system.

Hoping that this will prevent the computer from crashing in the future.

Unattended Windows setup may fail due to long computer name

While testing unattended Windows deployment I encountered another problem.

After the first installation reboot, Windows setup would fail with the error message:

Windows could not parse or process unattend answer file [C:\Windows\Panther\unattend.xml] for pass [specialize]. The answer file is invalid.


When closing the dialogbox the computer restarted.


Then it failed with this error message:

The computer restarted unexpectedly or encountered an unexpected error. Windows instalation cannot proceed. To install Windows, click "OK" to restart the computer, and then restart the installation.


Started troubleshooting by booting into Windows PE.

Started examining the log files under:



Found these error messages in setupact.log:

IBS    The provided unattend file is not valid; hrResult = 0x80220005
IBS    Callback_Unattend_InitEngine:The provided unattend file [C:\Windows\Panther\unattend.xml] is not a valid unattended Setup answer file; hr = 0x1, hrSearched = 0x1, hrDeserialized = 0x0, hrImplicitCtx = 0x0, hrValidated = 0x1, hrResult = 0x80220005
IBS    UnattendErrorFromResults: Error text = Windows could not parse or process unattend answer file [C:\Windows\Panther\unattend.xml] for pass [specialize]. The answer file is invalid.
IBS    Callback_Unattend_InitEngine:An error occurred while finding/loading the unattend file; hr = 0x1, hrResult = 0x80220005


This didn’t reveal the exact cause of the error, but it inspired me to examine unattend.xml.

I transferred unattend.xml to my work computer and then tried opening the unattend.xml file with Windows System Image Manager.


However this failed with:


Validation error on D:\ToBeDeleted\Fail_Info\Panther\unattend.xml, line 18, column 32.

Details: The 'wasPassProcessed' attribute is not declared.


Opened the unattend.xml file in an editor and removed all instances of:



After that the file could be opened in Windows SIM, which now displayed the real error:

The 'ComputerName' element is invalid - The value 'DeployTestPhysical' is invalid according to its datatype 'ComputerNameType' - The actual length is greater than the MaxLength value.


So the problem was that computer name was too long…


The unattend.xml file was modified by a custom program just before deployment on the target computer.

This custom program did not prevent computer names longer than 15 characters.

The problem was fixed by updating the custom program.


Special care should be taken when modifying unattend.xml by scripts or programs.

An invalid unattend.xml file may cause problems during Windows setup, which are not immediately obvious.

Unattended Windows setup may fail due to wrongly encoded password

While testing unattended Windows deployment I encountered a problem.

After the first installation reboot, Windows setup would fail with an empty dialog box:



Followed by the error message:


Windows could not complete the installation. To install Windows on this computer, restart the installation.


Then the machine would countinually reboot and show the last message.


Started troubleshooting by booting into Windows PE.

Then examined setuperr.log and setupact.log under:


However these files contained no useful clues.


I checked the other files left by Windows setup, and examined the files under:


Found this in setuperr.log:

[oobeldr.exe] [Action Queue] : Unattend action failed with exit code 4
[oobeldr.exe] Execution of unattend GCs failed; hr = 0x0; pResults->hrResult = 0x8030000b
[oobeldr.exe] User input error was detected in unattend file. Error: [0x0]

[windeploy.exe] Command [%windir%\system32\oobe\oobeldr.exe /system] failed with exit code [0x8030000b]
[windeploy.exe] Failure occured during online installation.  Online installation cannot complete at this time.; hr = 0x8030000b


But it was a warning in setupact.log which revealed the cause behind the error:

[Shell Unattend] Failed to decode password (0x8007000d)


My initial understanding of the user password format in AutoUnattend.xml turned out to be wrong.

This problem was not discovered by Windows System Image Manager, because AutoUnattend.xml was updated just before deployment by a custom program on the target computer.


Local user passwords are encoded like this in AutoUnattend.xml:

1. Text is initially encoded as unicode / UTF-16.

2. Then a “Password” string is appended to the password.
Example: The password “1234” is represented as “1234Password”

3. Finally the password string is base64 encoded.

Problems when reusing AutoUnattend.xml with new Windows image

I recently experienced problems when reusing AutoUnattend.xml, after having upgraded the Windows image:

From: Windows 10 Enterprise 2015 LTSB

To: Windows 10 Enterprise 2016 LTSB


The unattended installation would start and run, but eventually failed with:


Windows could not apply unattend settings during pass [offlineServicing].


Examined the installation logfiles under:



setuperr.log only contained:

2016-10-20 15:20:20, Error      [0x0606ae] IBS    [SetupCl library] Required profile hive does not exist: [\??\D:\WINDOWS\system32\config\systemprofile\NTUSER.DAT].
2016-10-20 15:20:37, Error      [0x0604a7] IBS    InstantiateCBSUnattendPass: dism.exe returned with failing exit code -2146498555
2016-10-20 15:20:37, Error      [0x060431] IBS    Callback_UnattendInitiatePass: An error occurred while initiating unattend passes; hr = 0x80004005


setupact.log contained no additional useful information.


However cbs_unattend.log contained an explanation:

2016-10-20 15:20:36, Error                 DISM   DISM Package Manager: PID=2348 TID=2368 Failed opening package Microsoft-Windows-Foundation-Package~31bf3856ad364e35~amd64~~10.0.10240.16384. - CDISMPackageManager::Internal_CreatePackageByName(hr:0x800f0805)
2016-10-20 15:20:36, Error                 DISM   DISM Package Manager: PID=2348 TID=2368 Failed to get the underlying cbs package. - CDISMPackageManager::OpenPackageByName(hr:0x800f0805)
2016-10-20 15:20:36, Error                 DISM   DISM Package Manager: PID=2348 TID=2368 The specified package is not valid Windows package. - GetCbsErrorMsg


I wondered why the Microsoft-Windows-Foundation-Package could not be opened, so I went back to Windows System Image Manager.


There I noticed that the package was unknown, because the version numbers had changed.

Be aware that I had run: Tools -> Validate Answer File

(Which did not show warnings about this)


Added the new Microsoft-Windows-Foundation-Package

Then copied all the settings

After verifying that all settings had been copied, I deleted the unknown package.

(It would probably have been easier to update the version number in AutoUnattend.xml, which I recommend trying first)


Then ran: Tools -> Validate Answer File

Which now showed these warnings:

Windows Feature is enabled but one or more of its dependencies have not been enabled in the answer file.



I was challenged by this until I found the answer here:


I had to right-click the feature in question and choose: Enable Parent Features



After making these changes new configuration sets / deployment images could be installed successfully.


When reusing AutoUnattend.xml with a new Windows image, please look for unknown packages in Windows SIM in addition to validating the answer file.

If any unknown packages are found, please update the version numbers in AutoUnattend.xml.

Separate, physical trackpoint buttons on Lenovo Thinkpad T440p

The Lenovo Thinkpad T440p (and other models of that generation) is delivered with a touchpad, without separate physical left, middle and right buttons.

Instead the entire pad clicks and reacts depending on the area touched.


In my subjective opinion these buttons feel spongy and imprecise.

In use it’s common to make mistakes by clicking another button than expected.

This makes the laptop less productive and frustrating to use.


However it’s possible to replace the touchpad with the one from the Lenovo Thinkpad T450, which has 3 separate, physical trackpoint buttons.



The first challenge is getting the right replacement part, with the dimensions 10 cm x 7,5 cm.



It’s not available as a separate part from Lenovo, but is sold as part of the keyboard bezel.

The part number I found and used was: 00HN550


Be careful with online sellers claiming to sell touchpads that fit a long range of Thinkpad models.

They may fit electrically, but possibly not physically.

If you are considering performing this replacement, please verify that the part fits your particular Thinkpad model.


The next challenge is to disassemble the laptop and performing the replacement.

I refer to the hardware maintenance manual and online guides.


The final challenge is to solve driver problems on Windows.

The hardware ID for the touchpad is on the motherboard, which remains unchanged.

The default Synaptics Pointing Device drivers are not compatible and won’t work.


Simplest way to solve the driver problems on Windows:

1. Connect a USB mouse, because the trackpoint won’t work reliably until these steps have been completed.

2. Uninstall the Synaptics Pointer Device drivers using Programs and Features.

3. Restart the computer.

4. Remove any remaining Synaptics components by opening Control Panel -> Mouse

If asked: Do you want to uninstall the Synaptics driver now?

Then select yes and OK to the following dialogs:




5. Restart the computer.

6. Now the trackpoint and 3 physical buttons should work with a default mouse driver.

(Be aware that I have disabled the rest of the touchpad, so I don’t know if it works with the default mouse driver)


With Windows 10 extra steps are needed, because it can automatically install incompatible drivers.

This can be prevented by downloading and running the “Show or hide updates” program (wushowhide.diagcab) from:


1. Click: Advanced


2. Deselect: Apply repairs automatically


3. Click: Next

4. Click: Hide updates


5. Select: Synaptics – Pointing Drawing – Synaptics Pointing Device


6. Click: Next

7. Confirm by clicking: Next


8. Click: Close the troubleshooter



Be aware that fully compatible drivers can be downloaded and installed from Lenovo, which will enable full touchpad functionality.

However I’m currently satisfied with a trackpoint and 3 physical buttons, so I have not found the correct drivers or procedure yet.