deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-18 03:43:39 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity
Files
82ad395cda6cd6e17b2ebff1dd2ab24d3630ac2c
windows-itpro-docs/windows/keep-secure/audit-system-integrity.md
Jan Backstrom f046a5fec0 tagging update 
change W10 to w10 (lower case), add security pagetype to various
2016-05-26 17:07:01 -07:00

2.6 KiB
Raw Blame History

title, description, ms.assetid, ms.prod, ms.mktglfcycl, ms.sitesec, ms.pagetype, author
title description ms.assetid ms.prod ms.mktglfcycl ms.sitesec ms.pagetype author
Audit System Integrity (Windows 10) This topic for the IT professional describes the Advanced Security Audit policy setting, Audit System Integrity, which determines whether the operating system audits events that violate the integrity of the security subsystem. 942a9a7f-fa31-4067-88c7-f73978bf2034 w10 deploy library security brianlic-msft

Audit System Integrity

Applies to

  • Windows 10
  • Windows 10 Mobile

This topic for the IT professional describes the Advanced Security Audit policy setting, Audit System Integrity, which determines whether the operating system audits events that violate the integrity of the security subsystem.

Activities that violate the integrity of the security subsystem include the following:

  • Audited events are lost due to a failure of the auditing system.
  • A process uses an invalid local procedure call (LPC) port in an attempt to impersonate a client, reply to a client address space, read to a client address space, or write from a client address space.
  • A remote procedure call (RPC) integrity violation is detected.
  • A code integrity violation with an invalid hash value of an executable file is detected.
  • Cryptographic tasks are performed.

Important:  Violations of security subsystem integrity are critical and could indicate a potential security attack.   Event volume: Low

Default: Success and failure

Event ID Event message
4612 Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.
4615 Invalid use of LPC port.
4618 A monitored security event pattern has occurred.
4816 RPC detected an integrity violation while decrypting an incoming message.
5038 Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
5056 A cryptographic self-test was performed.
5057 A cryptographic primitive operation failed.
5060 Verification operation failed.
5061 Cryptographic operation.
5062 A kernel-mode cryptographic self-test was performed.
6281 Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.
 

Related topics