1.9 KiB
title, description, ms.pagetype, ms.prod, ms.mktglfcycl, ms.sitesec, author
| title | description | ms.pagetype | ms.prod | ms.mktglfcycl | ms.sitesec | author |
|---|---|---|---|---|---|---|
| 5038(F) Code integrity determined that the image hash of a file is not valid. (Windows 10) | Describes security event 5038(F) Code integrity determined that the image hash of a file is not valid. | security | w10 | deploy | library | Mir0sh |
5038(F): Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
Applies to
- Windows 10
- Windows Server 2016
The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
This event generates by Code Integrity feature, if signature of a file is not valid.
Code Integrity is a feature that improves the security of the operating system by validating the integrity of a driver or system file each time it is loaded into memory. Code Integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrative permissions. On x64-based versions of the operating system, kernel-mode drivers must be digitally signed.
There is no example of this event in this document.
Subcategory: Audit System Integrity
Event Schema:
Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
File Name: %filepath\filename%
Security Monitoring Recommendations
- We recommend monitoring for this event, especially on high value assets or computers, because it can be a sign of a software or configuration issue, or a malicious action.