Event ID: 5038

Code integrity determined that the image hash of a file is not valid.

Code integrity determined that the image hash of a file is not valid.  The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name:  %1

The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

This event generates by Code Integrity feature if the signature of a file is not valid.

Code Integrity is a feature that improves the security of the operating system by validating the integrity of a driver or system file each time it is loaded into memory. Code Integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrative permissions. On x64-based versions of the operating system, kernel-mode drivers must be digitally signed.

Microsoft Documentation

Event ID - 5038

Lookup Audit Policy Configuration Settings


  C:\> AuditPol.exe /get  /subcategory:"System Integrity"

How to enable Windows Auditing

Recommended Audit Policy

Operating Systems:

Windows Vista Windows 2008 Windows 2008 R2 Windows 7 Windows 2012 Windows 2012 R2 Windows 8 Windows 8.1 Windows 10 Windows 2016 Windows 2019 Windows 11 Windows 2022

Tags:

Audit Failure

Audit Category:

System

Audit Subcategory:

System Integrity

LEFT/RIGHT arrow keys for navigation

Back to List