LabVIEW

Are you still seeing the LSA pop-up?  The Microsoft signature on nimdnsNSP.dll will permit the DLL to load in the local security authority context and will eliminate any warnings or pop-ups related to lsass.exe.  It won't prevent warning logs if something attempts to load that DLL in another security context (in this case, some particular instance of svchost.exe).

We do not see the popup, but the issue we are having is that windows defender is not allowing a few of our computers to boot. If we uninstall the NI software from our computers it will boot. When we put LabVIEW and the drivers back on no boot and blue screen. IT seems to have narrowed it down to the NI dll. I was hoping that updating to a version that was signed my Microsoft would help. It does seem that we can bitlocker the computer to get it to boot but we have to do that every time. 

😧

Yes, that's far worse than just an error in the event logs! Would you mind sharing more info here or through official support channels (text from the blue screen, memory dumps if available, exact version of Windows, etc.)?

Yep let me see if I can pull that together. We have seen two of our systems do this out of many (150ish). It is a little strange that we have so many computers running but we only see this issue on two of them. They are all running Windows 11 but I will get the exact version on the two we are seeing issues with. I will also try to get the rest of the info you asked for. 

---

@GabeJ wrote:

😧

 

Yes, that's far worse than just an error in the event logs! Would you mind sharing more info here or through official support channels (text from the blue screen, memory dumps if available, exact version of Windows, etc.)?

---

Here is the power point that we sent to IT. Keep in mind I did try installing the 2025 Q3 core components after this power point was made. We did not realize that this tread was out here so he had not tried upgrading at that point. It did not help and we are still having the issue of the dll singing issue. I will try to get the rest of the info as it comes available.

Thanks for that info.  I'm curious why ELAM would be involved at all.  nimdnsNSP.dll is a user-mode DLL; I wouldn't expect it to be loaded in a boot-start driver context.  Did the blue screen actually call out nimdnsNSP?

Here are screen shots of what we are seeing. We are still trouble shooting on our side but the ni dll is still showing in the event log as not being signed by Microsoft.

Almost everyone on my team and one the computers we manage (around 150) are seeing this error. Only two so far are having the blue screen problems. 

---

@aeastet wrote:

the ni dll is still showing in the event log as not being signed by Microsoft.

 

To be clear, it is not saying it is not signed by Microsoft.  It is saying that it is not signed with a signature that allows it to work in whatever Protected Process context is being enforced on svchost.exe.  If you are not getting the LSA pop-up and are not getting similar messages in Event Viewer referring to lsass.exe and nimdnsNSP.dll, then the Microsoft signature that is on the DLL is doing its job.  The svchost.exe Event Viewer messages are annoying, but I don't think they should be fatal.

What were the contents of C:\WINDOWS\System32\LogFiles\Srt\SrtTrail.txt referenced in the blue screen?  That may hold some clue as to why those two machines are having those additional problems.

Hi

Maybe another view on this issue may help.

On this updated W11 23H2 computer I have only LabVIEW 2022 Q3 installed as newest.

And System Configuration 2023 Q4. The computer has no undesired behavior.

But the Event Log for CodeIntegrity shows problems. An 'endless' number of the same two failures :

Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\svchost.exe)

attempted to load

\Device\HarddiskVolume3\Program Files\National Instruments\Shared\mDNS Responder\nimdnsNSP.dll

that did not meet the Microsoft signing level requirements.

Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\svchost.exe)

attempted to load

\Device\HarddiskVolume3\Program Files\Keysight\IO Libraries Suite\LxiMdnsNsp.dll

that did not meet the Microsoft signing level requirements.

They can however both be 'captured' by two different mechanism in the Microsoft checker.

Either as shown above or like this :

Code Integrity determined that a process (\Device\HarddiskVolume3\ProgramData\Microsoft\Windows Defender\Platform\4.18.25070.5-0\MpDefenderCoreService.exe)

attempted to load

\Device\HarddiskVolume3\Program Files\National Instruments\Shared\mDNS Responder\nimdnsNSP.dll

that did not meet the Custom 3 / Antimalware signing level requirements.

I have no idea what Microsoft 'signing level' refers to. Only Microsoft software installed.

Now the interesting observation here is that both offending DLLs are related to Apple Bonjour.

One is the NI mDNS version and the other is a Keysight mDNS version. 

And Googling a little I found someone with a similar problem but related to something else :

https://forums.malwarebytes.com/topic/293318-resolved-event-viewer-code-integrity-error/

Code Integrity determined that a process

(\Device\HarddiskVolume4\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe)

attempted to load

\Device\HarddiskVolume4\Program Files\Bonjour\mdnsNSP.dll

that did not meet the Custom 3 / Antimalware signing level requirements.

I am running MB 4.5.19 and Windows 10 x64.

 

It looks like Malwarebytes installed the original Apple mDNS version.

 

Three cases where the problem is related to Bonjour seems like a pattern ?

 

On this computer I also have the original Apple Bonjour service running. The DLL is very old :

 

 

Regards