The application or DLL is not a valid Windows image
Technical Articles ID:   KB73521
Last Modified:  4/7/2017


McAfee VirusScan Enterprise 8.8 Patch 1 or later

For details of VSE 8.x supported environments, see KB51111.


If you run an On-Demand Scan (ODS), a right-click scan, or open the VirusScan Enterprise (VSE) console, you see a bad image message similar to one of the following:
The application or DLL C:\WINDOWS\system32\msi.dll is not a valid Windows image. Please check this against your installation diskette

The application or DLL C:\Windows\system32\sxwmon32.dll is not a valid Windows image. Please check this against your installation diskette

The application or DLL C:\Windows\system32\AMInit.dll is not a valid Windows image. Please check this against your installation diskette

The application or DLL C:\Windows\system32\Vsxwmon32.dll is not a valid Windows image. Please check this against your installation diskette
The process name listed can include the following:
  • scan32.exe
  • scan64.exe
  • scncfg32.exe
  • mcshield.exe
  • myAgtSvc.exe

NOTES:
  • This issue applies only to 8.7i Patch 5 and VSE 8.8 Patch 1 and later.
  • This is the standard Windows dialog indicating that a third-party DLL is not a valid Windows image. Different executables and DLL files can be affected. This is an example message only.
  • The error has no consequences for the ODS. After you click OK, you see the usual ODS dialog as expected.


After installing VSE 8.8 Patch 1, you cannot start an ODS from the VSE console.

Generally, you do not see a pop-up message, but sometimes you see the following error:
Required DAT is missing or corrupted

If you disable Access Protection (AP), you can run the ODS without any problem.

Sometimes when you run an ODS with AP enabled, you see the following event reported in the event log:
Event ID: 514
Description: Process **\MCSHIELD.EXE pid (1560) contained unsigned or corrupted code and was blocked from performing a privileged operation with a McAfee driver.

System Change

Updated to VSE 8.7i Patch 5, or 8.8 Patch 1.


The Prevent hooking of McAfee processes AP rule was introduced with VSE 8.7i Patch 5 and 8.8 Patch 1. This rule is enabled by default. The improved security offered by this rule protects McAfee processes against injection of unsigned DLLs, and of signed DLLs whose certificate is from a vendor other than Microsoft and McAfee.

If this issue is caused by Microsoft DLL files that are expected to be trusted, you need to update the Microsoft Certificate Store. This occurs when there is no corresponding or valid certificate for the file.

If the error is a result of another vendor's signed DLL and you trust the injection into the protected process, you need to add the certificate to the McAfee Trust Certificate Store.

Depending on the DLL injection method used by your third-party application, one of the following applies: 
  • Programmatic DLL injection
    Applications may monitor when new processes are started, and invoke code that tries to inject a DLL into the address space of the new process. When that process is one of the McAfee protected processes and the Access Protection rule Prevent hooking of McAfee processes is enabled, the DLL injection attempt fails. It is blocked by the AP rule. 
  • AppInit_DLLs
    Applications might use a Windows DLL hooking method that leverages the registry value AppInit_DLLs to ensure processes load the specified DLL file(s) into their address space. For more information on AppInit_DLLs, see the Microsoft Knowledge Base article at http://support.microsoft.com/kb/197571.

    You can verify if you have such an application installed by inspecting the contents of the registry value:

    x86 (32-bit) systems
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs 

    x64 (64-bit) systems
    HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs 

    NOTE: 64-bit systems contain both registry locations.


Use this solution if the Microsoft Certificate Store requires updating.

To address the issue regarding MSI.DLL (a Microsoft component), see the Microsoft Knowledge Base article at http://support.microsoft.com/kb/972397.

NOTE: This hotfix is for Windows Installer 4.5. If you have Windows Installer 3.5, you must first upgrade to version 4.5, and then apply the hotfix.
If you have already applied the Microsoft hotfix, run the System File Checker. Type the following command and press ENTER:
sfc /scannow

For more information on using the System File Checker, see the Microsoft Knowledge Base article at http://support.microsoft.com/kb/310747.
In addition to the files listed, this fix also installs an associated security catalog file (KBnumber.cat) that is signed with a Microsoft digital signature.

For additional technical information about how Windows updates root certificates in Windows XP SP2 and SP3, see the Microsoft TechNet article at http://technet.microsoft.com/en-us/library/bb457160.aspx.

For detailed technical information about how Windows updates root certificates in Windows Vista and later, see the Microsoft TechNet article at http://technet.microsoft.com/en-us/library/cc749331(WS.10).aspx.

NOTE: For more advanced users, there are other methods to update the certificate store:


To avoid the bad DLL message, import a copy of the digital certificate for the third-party product into the McAfee Trust Certificate Store:
  1. Contact Technical Support.

    To contact Technical Support, log on to the ServicePortal and go to the Create a Service Request page at https://support.mcafee.com/ServicePortal/faces/serviceRequests/createSR:
    • If you are a registered user, type your User Id and Password, and then click Log In.
    • If you are not a registered user, click Register and complete the required fields. Your password and logon instructions will be emailed to you.
  2. Provide Technical Support with the .cer file you want to add.
    The .cer certificate file is obtained from the DLL that is affected. If the file does not have a digital certificate, there is no option for avoiding the pop-up message.
  3. Run the executable provided by Technical Support.
    The package uses SuperDAT technology. Therefore, you can run it on individual systems or add it to an ePolicy Orchestrator repository.
  4. Clear the VSE 8.8 scan cache if needed. See KB71905 for best practices.
  5. Restart your computer for the certificate store changes to take effect.
  • To disable Citrix API Hooks on a per-application basis, follow the instructions in the Citrix Document ID CTX107825: http://support.citrix.com/article/CTX107825.
  • If you have installed software from Lumension Security, the following two registry entries are also required:

    CAUTION: This article contains information about opening or modifying the registry.
    • The following information is intended for System Administrators. Registry modifications are irreversible and could cause system failure if done incorrectly.
    • Before proceeding, Technical Support strongly recommends that you back up your registry and understand the restore process. For more information, see: http://support.microsoft.com/kb/256986.
    • Do not run a REG file that is not confirmed to be a genuine registry import file.

64-bit systems
Value Name
Value Data 
c:\Program files (x86)\McAfee\VirusScan Enterprise\Scan32.exe
c:\Program files (x86)\McAfee\VirusScan Enterprise\x64\Scan64.exe

32-bit systems
Value Name
Value Data 
c:\Program files\McAfee\VirusScan Enterprise\Scan32.exe


To help confirm (or eliminate) whether it is a Microsoft file that is untrusted:
  1. Use the Microsoft Sysinternals Process Monitor (procmon.exe) to identify which DLL(s) were denied access from loading. For more information about using this utility, see http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx.
  2. Use Microsoft Sysinternals Signature Checker (sigcheck.exe) to determine if the file has a valid signature. For more information about using this utility, see http://technet.microsoft.com/en-us/sysinternals/bb897441.

    For this problem, use the following command:
Sigcheck -i -r -h <filename>

If this tool shows the file is invalid or unsigned, then it cannot be trusted. See Solution 1 for how to proceed.

NOTE: Reports might indicate that a Microsoft-looking file was untrusted and therefore was blocked from loading, but the component loading it was a trusted component. This leads to new symptoms where the Scan32/Scan64 process crashes. In this scenario, the Microsoft-looking file might actually be malware.
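
The AppInit_DLLs inspection and the signature check described in this article can be combined in one pass. The following PowerShell script is an added example, not McAfee tooling; it assumes PowerShell 3.0 or later, and the `NeedsReview` flag with its signer-subject match is an illustrative heuristic, not the logic VSE itself applies.

```powershell
# Added example: list AppInit_DLLs entries from both registry views and
# report each DLL's Authenticode status and signer.
# Assumes 64-bit PowerShell on x64 (or 32-bit PowerShell on x86) and read access to HKLM.
$views = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows';             SysDir = 'System32' },
    @{ Key = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'; SysDir = 'SysWOW64' }
)

$report = foreach ($view in $views) {
    if (-not (Test-Path -LiteralPath $view.Key)) { continue }   # Wow6432Node is absent on x86
    $raw = (Get-ItemProperty -LiteralPath $view.Key).AppInit_DLLs
    if (-not "$raw".Trim()) { continue }                        # value missing or empty

    # AppInit_DLLs is a space- or comma-delimited list; entries normally use
    # short (8.3) names, so splitting on spaces is the expected parsing.
    foreach ($entry in ($raw -split '[ ,]+' | Where-Object { $_ })) {
        $path = $entry.Trim('"')
        if (-not [IO.Path]::IsPathRooted($path)) {
            # Assumption: bare file names resolve to the matching system directory
            $path = Join-Path (Join-Path $env:SystemRoot $view.SysDir) $path
        }

        if (Test-Path -LiteralPath $path) {
            $sig    = Get-AuthenticodeSignature -FilePath $path
            $status = "$($sig.Status)"
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        } else {
            $status = 'FileNotFound'
            $signer = ''
        }

        [pscustomobject]@{
            RegistryKey = $view.Key
            Dll         = $path
            Status      = $status
            Signer      = $signer
            # Heuristic: anything not validly signed, or signed by a vendor other
            # than Microsoft or McAfee, is a candidate for the AP rule to block.
            NeedsReview = ($status -ne 'Valid') -or ($signer -notmatch 'O=(Microsoft|McAfee)')
        }
    }
}
$report | Format-List
```

Depending on the PowerShell version, Get-AuthenticodeSignature may not evaluate catalog signatures, so confirm a NotSigned result on a Windows component with the Sigcheck command above before treating the file as untrusted.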


Install Patch 4 for VirusScan Enterprise 8.8.

This patch update includes improved logic for tolerating environments that have expired, but valid, digitally signed Microsoft binaries.

McAfee product software, upgrades, maintenance releases, and documentation are available from the Product Downloads site at: http://www.mcafee.com/us/downloads/downloads.aspx.

NOTE: You need a valid Grant Number for access. KB56057 provides additional information about the Product Downloads site, and alternate locations for some products.


CAUTION: Only disable the Common Standard Protection AP rule as a last resort. Because of the evolving nature of malware, the product development team strongly recommends keeping the AP rule enabled. If you disable the rule, you permit foreign code (including malware) to inject its content into critical McAfee processes, which can lead to missed detections and/or a compromised computing environment.

To disable the Common Standard Protection AP rule that prevents McAfee processes from being hooked:
  1. Click Start, Programs, McAfee, VirusScan Console.
  2. Double-click Access Protection.
  3. Select Common Standard Protection.
  4. Deselect both the Block and Report entries for Prevent hooking of McAfee processes (this is enabled by default).
  5. Click OK and exit the VirusScan Console.
