Chasing a Superseded DLL: From Hash Mismatches to Filesystem Corruption

What started as a simple hash verification error on a Windows Server 2019 domain controller turned into a deep dive through Microsoft's symbol servers, file archives, and ultimately the discovery of systemic filesystem corruption. This is the story of hunting for a single superseded DLL file and the tools I discovered along the way.

Note: This particular deep dive was the reason I uncovered a problem with the file structure on that domain controller in the WinSXS folder, so while the obtained file did not fix the problem, it was a very interesting learning experience and might help others out.

Initial Problem

It began with this error message:

Hashes for file member [l:12]'P2PGraph.dll' do not match.
Expected: {l:32 ml:4096 b:f76818894844be5c7851c8ade7a0b4382b1f4928896753e48b7208b9ddb5508c}

The system expected P2PGraph.dll to have the SHA-256 hash f76818894844be5c7851c8ade7a0b4382b1f4928896753e48b7208b9ddb5508c, but the actual file had a different hash. Simple enough - just replace the file with the correct version, right?

Wrong.

The First Misconception: Modifying File Hashes

My initial thought was whether I could somehow modify the DLL to produce the required hash. This led me down a brief rabbit hole of investigating:

  • PE checksums (which can be modified)
  • Digital signature hashes (calculated during signing)
  • Custom embedded hashes

But the reality hit quickly: you cannot modify a file to produce a specific SHA-256 hash. SHA-256 is a cryptographic one-way function designed specifically to prevent this. Finding content that produces a predetermined hash would require breaking SHA-256 itself - computationally impossible with current technology.

The Hunt for the Correct File

With modifying the hash off the table, I needed to find the exact version of P2PGraph.dll that would produce the required hash. This began my journey through various file archives and repositories.

Security Shield: Stay vigilant

  • Do not lower your security shields and turn a file-level corruption into a ransomware/malware incident by introducing new security threats while fixing a problem. Remember, you are working on a domain controller!
  • When you are looking for a DLL file to fix a problem, you can get tunnel vision on finding that file. The usual security hygiene still applies: even if you're downloading a file from a trusted source, run the necessary antivirus and anti-malware scans before using it to fix a problem.
  • Even if a website tells you its files are virus-free and scanned for malware, don't trust it; scan them yourself. Many of these sites will tell you their files are free from malware and viruses, and I would recommend you verify that. If you do not have a sandbox, I highly recommend you use the one built into Windows 10/11.

Traditional DLL Download Sites

I started with the usual suspects for downloading system DLLs:

  • DLL-files.com - Large database with version history
  • DLLme.com - Another comprehensive DLL repository
  • Fix4Dll.com - Free DLL downloads and fixes
  • DLLDownloader.com - Windows-specific DLL archive

While these sites had P2PGraph.dll listings, none provided the specific version I needed with the exact hash.

The Microsoft Symbol Server Discovery

The breakthrough came when I discovered that P2PGraph.dll information was indexed on WinBIndex - a comprehensive catalog of Windows binaries with download links to Microsoft's official servers.

WinBIndex: The Windows Binary Index

WinBIndex is a remarkable resource created by m417z that indexes Windows files from update packages and provides download links to Microsoft's public symbol server. The key insight is that all binary files are hosted on Microsoft's official symbol server (msdl.microsoft.com), with WinBIndex merely providing the metadata to generate proper download links.

When I searched for my required hash f76818894844be5c7851c8ade7a0b4382b1f4928896753e48b7208b9ddb5508c, I found it wasn't the current version. Instead, I discovered the file I actually needed had hash 853281def4e0b48284f42cb4a8f7887f958a66b6121a07322ec8e2d9732d5325.

Understanding Microsoft Symbol Server URLs

Microsoft's symbol server uses a specific URL structure:

https://msdl.microsoft.com/download/symbols/[filename]/[timestamp+signature]/[filename]

From WinBIndex, I found the correct URL for P2PGraph.dll:

https://msdl.microsoft.com/download/symbols/p2pgraph.dll/974FF97E5d000/p2pgraph.dll

The "Blob" File Mystery

When downloading from Microsoft's symbol server, the file appeared as a "blob" without a proper extension. This is normal - Microsoft serves files as binary data without extensions. The solution was simple:

# Download with proper filename
Invoke-WebRequest -Uri "https://msdl.microsoft.com/download/symbols/p2pgraph.dll/974FF97E5d000/p2pgraph.dll" -OutFile "P2PGraph.dll"

Or simply rename the downloaded blob file to P2PGraph.dll.

The Hash Verification Reality Check

After downloading and renaming the file, I verified the hash:

Get-FileHash "P2PGraph.dll" -Algorithm SHA256

Result:

Algorithm       Hash                                                      Path
---------       ----                                                      ----
SHA256          663ED66945F01502CF90F3EF5E943BEBC77110C47AFDC890A8BC8F6   P2PGraph.dll

This didn't match either hash I was expecting. The file from Microsoft's symbol server was yet another version entirely.

Digging Deeper: File Metadata Analysis

Using WinBIndex's detailed view, I found comprehensive metadata for the file I actually needed:

{
    "fileInfo": {
        "description": "Peer-to-Peer Graphing",
        "machineType": 332,
        "md5": "48459070d447023f5fdec6f86250aa5e",
        "sha1": "38a06339f481897240ce9634d5f90f04cc633f24",
        "sha256": "853281def4e0b48284f42cb4a8f7887f958a66b6121a07322ec8e2d9732d5325",
        "signingStatus": "Unsigned",
        "size": 360960,
        "timestamp": 2538600830,
        "version": "10.0.17763.1 (WinBuild.160101.0800)",
        "virtualSize": 380928
    },
    "windowsVersions": {
        "1809": {
            "BASE": {
                "sourcePaths": [
                    "Windows\\SysWOW64\\P2PGraph.dll"
                ],
                "windowsVersionInfo": {
                    "isoSha256": "07286c9e55e9a5753d461da87e4a2d873fa6fffa33d0f225b6d8e4a0ac069ed0",
                    "releaseDate": "2018-11-13"
                }
            }
        }
    }
}

This revealed crucial information:

  • The file was from Windows 10 1809 BASE build
  • Version: 10.0.17763.1 (very early build, pre-RTM)
  • Located in Windows\SysWOW64\P2PGraph.dll (32-bit version)

Superseded File Problem

Attempting to construct manual Microsoft Symbol Server URLs using the metadata failed:

# Timestamp (2538600830) in hex = 972E3D5E, Size (360960) in hex = 58600
Invoke-WebRequest -Uri "https://msdl.microsoft.com/download/symbols/p2pgraph.dll/972E3D5E58600/p2pgraph.dll" -OutFile "P2PGraph_correct.dll"

# Using full hash
Invoke-WebRequest -Uri "https://msdl.microsoft.com/download/symbols/p2pgraph.dll/853281DEF4E0B48284F42CB4A8F7887F958A66B6121A07322EC8E2D9732D5325/p2pgraph.dll" -OutFile "P2PGraph_hash.dll"

All attempts returned 404 errors. The file had been superseded by Microsoft and was no longer available through official channels.
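How the key segment of a symbol-server URL is built for a PE file, and how to check a downloaded candidate against the WinBIndex metadata (an added example, not code from the original post). The key is the PE header's TimeDateStamp as eight upper-case hex digits followed by SizeOfImage (WinBIndex's virtualSize, not the on-disk file size) in lower-case hex, so the metadata above yields 974FF97E5d000, the same key as in the WinBIndex URL quoted earlier. The function names and the candidate file location are assumptions made for illustration.

```powershell
# Added example. The JSON values are the WinBIndex fileInfo fields quoted on this page.
$meta = @'
{ "fileInfo": {
    "sha256": "853281def4e0b48284f42cb4a8f7887f958a66b6121a07322ec8e2d9732d5325",
    "size": 360960, "timestamp": 2538600830, "virtualSize": 380928 } }
'@ | ConvertFrom-Json

function Get-SymbolServerUrl {            # hypothetical helper name
    param([string]$FileName, [uint32]$TimeDateStamp, [uint32]$SizeOfImage)
    # Key: TimeDateStamp as 8 upper-case hex digits, then SizeOfImage as unpadded lower-case hex.
    $key  = '{0:X8}{1:x}' -f $TimeDateStamp, $SizeOfImage
    $name = $FileName.ToLowerInvariant()
    "https://msdl.microsoft.com/download/symbols/$name/$key/$name"
}

function Get-PeKeyFields {                # hypothetical helper name
    param([string]$Path)
    $b  = [System.IO.File]::ReadAllBytes((Resolve-Path -LiteralPath $Path).ProviderPath)
    $pe = [BitConverter]::ToInt32($b, 0x3C)                     # e_lfanew: offset of "PE\0\0"
    if ([BitConverter]::ToUInt32($b, $pe) -ne 0x4550) { throw "Not a PE file: $Path" }
    [pscustomobject]@{
        TimeDateStamp = [BitConverter]::ToUInt32($b, $pe + 8)   # COFF file header field
        SizeOfImage   = [BitConverter]::ToUInt32($b, $pe + 80)  # optional header, offset 56
    }
}

function Test-CandidateAgainstMetadata {  # hypothetical helper name
    param([string]$Path, $FileInfo)
    $pe = Get-PeKeyFields -Path $Path
    # Each field is reported separately so a mismatch shows which version was fetched.
    [pscustomobject]@{
        Sha256Match    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash -ieq $FileInfo.sha256
        FileSizeMatch  = (Get-Item -LiteralPath $Path).Length -eq $FileInfo.size
        TimestampMatch = $pe.TimeDateStamp -eq $FileInfo.timestamp
        ImageSizeMatch = $pe.SizeOfImage -eq $FileInfo.virtualSize
    }
}

$fi = $meta.fileInfo
Get-SymbolServerUrl -FileName 'P2PGraph.dll' -TimeDateStamp $fi.timestamp -SizeOfImage $fi.virtualSize
$candidate = Join-Path $PWD 'P2PGraph.dll'   # assumed location of the downloaded file
if (Test-Path -LiteralPath $candidate) {
    Test-CandidateAgainstMetadata -Path $candidate -FileInfo $fi
}
```

Run the check in a staging folder and copy the file onward only when all four fields report True.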

VirusTotal: The Confirmation

The breakthrough came when I found the file on VirusTotal:

https://www.virustotal.com/gui/file/853281def4e0b48284f42cb4a8f7887f958a66b6121a07322ec8e2d9732d5325/details

This confirmed the file existed and validated the hash, but VirusTotal doesn't provide downloads for regular users - only for Enterprise customers, and even then, typically only for malware samples, not clean system files.

The Real Problem: Filesystem Corruption

While investigating why I couldn't copy files from the WinSXS folder, I discovered the underlying issue wasn't just a missing DLL. The symptoms I encountered revealed something much more serious:

Soft Filesystem Corruption Indicators

# Checking multiple DLL files in the folder
Get-ChildItem "C:\DLLCache\P2PGraph\P2PGraph" -Filter "*.dll" | 
Get-FileHash -Algorithm SHA256

The problems I found:

  • Zero-byte file copies despite having full ownership
  • Access denied errors even with explicit permissions
  • Missing security tabs on WinSXS folders
  • Intermittent I/O failures - sometimes files could be read, sometimes not
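A repeated-read check for the symptoms listed above, as an added example that is not part of the original post: it hashes every matching file several times and flags zero-length files, files that fail to read on some or all passes, and files whose hash changes between passes. Test-ReadConsistency is a hypothetical function name, and the temp folder with its two files is constructed demo input.

```powershell
function Test-ReadConsistency {           # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$Root,
        [string]$Filter = '*.dll',
        [int]$Passes = 3
    )
    $files = Get-ChildItem -LiteralPath $Root -Filter $Filter -File -Recurse -ErrorAction SilentlyContinue
    foreach ($f in $files) {
        $hashes = @(); $errors = @()
        for ($i = 1; $i -le $Passes; $i++) {
            try {
                # -ErrorAction Stop turns access-denied and I/O errors into catchable exceptions
                $hashes += (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256 -ErrorAction Stop).Hash
            } catch {
                $errors += "pass ${i}: $($_.Exception.Message)"
            }
        }
        $distinct = @($hashes | Sort-Object -Unique)
        # Later assignments take precedence: ZeroLength > Unreadable > Intermittent > Unstable > Ok
        $status = 'Ok'
        if ($distinct.Count -gt 1)     { $status = 'UnstableContent' }
        if ($errors.Count -gt 0)       { $status = 'IntermittentReadFailure' }
        if ($errors.Count -eq $Passes) { $status = 'Unreadable' }
        if ($f.Length -eq 0)           { $status = 'ZeroLength' }
        [pscustomobject]@{
            Path = $f.FullName; Length = $f.Length; Status = $status
            Hashes = $distinct; Errors = $errors
        }
    }
}

# Constructed demo input: one normal file and one zero-length file in a temp folder
$demo = Join-Path ([IO.Path]::GetTempPath()) 'readcheck-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -LiteralPath (Join-Path $demo 'good.dll') -Value 'constructed sample'
New-Item -ItemType File -Path (Join-Path $demo 'empty.dll') -Force | Out-Null
Test-ReadConsistency -Root $demo | Format-Table Path, Length, Status
```

Repeated reads can be served from the file cache, so running the passes at different times gives a better chance of surfacing an intermittent failure.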

Standard diagnostic tools were useless:

# These found nothing wrong
DISM /Online /Cleanup-Image /CheckHealth
DISM /Online /Cleanup-Image /ScanHealth  
DISM /Online /Cleanup-Image /RestoreHealth
sfc /scannow

The Systemic Nature of the Corruption

If corruption existed in amd64_microsoft-windows-peertopeergraphing_* folders, it likely affected:

  • x86_* folders (32-bit components)
  • wow64_* folders (32-bit compatibility)
  • msil_* folders (.NET assemblies)
  • msi_* folders (Windows Installer components)
  • policy_* folders (Assembly binding policies)

This explained why hash verification was failing randomly across the system and why updates were failing unpredictably.

The Solution: Clean Build

Given the extent of the corruption and the fact this was a domain controller, the only viable solution was complete replacement:

  1. Demote the domain controller gracefully
  2. Swap the disk with a known working Server 2019 image
  3. Configure network settings (same IP address crucial for AD)
  4. Re-promote to domain controller
  5. Allow AD replication to sync everything back

Attempting an in-place upgrade on a corrupt filesystem would have been foolish and potentially catastrophic.

Key Lessons Learned

  • WinBIndex is invaluable for finding specific Windows file versions
  • Microsoft Symbol Server hosts many but not all Windows binaries
  • Superseded files may become unavailable through official channels
  • VirusTotal can confirm file existence but rarely allows downloads

Hash Verification

  • You cannot modify a file to produce a specific SHA-256 hash
  • Hash mismatches often indicate deeper system problems
  • Multiple versions of the same file can exist with different hashes

Filesystem Corruption

  • DISM and SFC miss soft corruption that causes intermittent failures
  • WinSXS corruption affects multiple component folders simultaneously
  • Standard diagnostic tools aren't designed for soft filesystem failures
  • Replacement is often safer than attempting repairs on critical systems

Useful Resources

  • WinBIndex: https://winbindex.m417z.com/ - Windows binary index with Microsoft symbol server links
  • Microsoft Symbol Server: https://msdl.microsoft.com/download/symbols/ - Official Microsoft binary hosting
  • WinBIndex GitHub: https://github.com/m417z/winbindex - Technical details and background
  • VirusTotal: https://www.virustotal.com/ - File hash verification and analysis

Conclusion

What began as a simple hash mismatch revealed systemic filesystem corruption that threatened the stability of a production domain controller. While I never did get that specific P2PGraph.dll file (short of paying for VirusTotal Enterprise), I learned valuable lessons about Microsoft's file distribution systems, the limitations of standard diagnostic tools, and the importance of recognizing when a problem is beyond repair.
