Event ID 81 — For more details for this event, please refer to the "Details" section

Provider: Microsoft-Windows-CAPI2
Channel: Operational
Level: Informational
Task: VerifyTrust
Opcode: Stop

Description

For more details for this event, please refer to the "Details" section.

Message #

For more details for this event, please refer to the "Details" section

Fields #

Name	Description
`WinVerifyTrust.ActionID`	—
`WinVerifyTrust.UIChoice`	—
`WinVerifyTrust.RevocationCheck`	—
`WinVerifyTrust.StateAction`	—
`WinVerifyTrust.Flags`	—
`WinVerifyTrust.CatalogInfo`	—
`WinVerifyTrust.DigestInfo`	—
`WinVerifyTrust.RegPolicySetting`	—
`WinVerifyTrust.SignatureSettingsFlags`	—
`WinVerifyTrust.SignerInfo`	—
`WinVerifyTrust.CertificateChain`	—
`WinVerifyTrust.TimestampInfo`	—
`WinVerifyTrust.TimestampChain`	—
`WinVerifyTrust.EventAuxInfo`	—
`WinVerifyTrust.CorrelationAuxInfo`	—
`WinVerifyTrust.Result`	—
`EventWriteData` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-CAPI2",
    "guid": "{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}",
    "event_source_name": "",
    "event_id": 81,
    "version": 0,
    "level": 4,
    "task": 80,
    "opcode": 2,
    "keywords": 4611686018427387968,
    "time_created": "2026-03-13T20:00:05.310932+00:00",
    "event_record_id": 3570,
    "correlation": {},
    "execution": {
      "process_id": 3384,
      "thread_id": 2456
    },
    "channel": "Microsoft-Windows-CAPI2/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "user_data": {
    "WinVerifyTrust": {
      "ActionID": "{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}",
      "UIChoice": {
        "value": "2",
        "Value": "WTD_UI_NONE"
      },
      "RevocationCheck": {
        "value": "1",
        "WTD_REVOKE_WHOLECHAIN": "true"
      },
      "StateAction": {
        "value": "1",
        "Value": "WTD_STATEACTION_VERIFY"
      },
      "Flags": {
        "value": "80001440",
        "WTD_REVOCATION_CHECK_CHAIN": "true",
        "WTD_USE_DEFAULT_OSVER_CHECK": "true",
        "WTD_CACHE_ONLY_URL_RETRIEVAL": "true",
        "CPD_USE_NT5_CHAIN_FLAG": "true"
      },
      "CatalogInfo": {
        "filePath": "C:\\Windows\\system32\\CatRoot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\HyperV-UX-UI-merged-Package~31bf3856ad364e35~amd64~en-US~10.0.22621.1.cat",
        "Member": {
          "tag": "50663E8AAB49E7F04F52B4364ACE3B775A0696EF",
          "filePath": "C:\\Windows\\WinSxS\\msil_microsoft.virtualiz..on.client.resources_31bf3856ad364e35_10.0.22621.1_en-us_916cee91268b6c0a\\Microsoft.Virtualization.client.resources.dll",
          "hasFileHandle": "true",
          "hash": "50663E8AAB49E7F04F52B4364ACE3B775A0696EF",
          "hashFilePath": "\\Windows\\WinSxS\\msil_microsoft.virtualiz..on.client.resources_31bf3856ad364e35_10.0.22621.1_en-us_916cee91268b6c0a\\Microsoft.Virtualization.client.resources.dll"
        }
      },
      "DigestInfo": {
        "digestAlgorithm": "SHA1",
        "digest": "50663E8AAB49E7F04F52B4364ACE3B775A0696EF"
      },
      "RegPolicySetting": {
        "value": "23C00",
        "WTPF_OFFLINEOK_IND": "true",
        "WTPF_OFFLINEOK_COM": "true",
        "WTPF_OFFLINEOKNBU_IND": "true",
        "WTPF_OFFLINEOKNBU_COM": "true",
        "WTPF_IGNOREREVOCATIONONTS": "true"
      },
      "SignatureSettingsFlags": {
        "value": "20000000",
        "WSS_OUT_FILE_SUPPORTS_SEAL": "true"
      },
      "SignerInfo": {
        "DigestAlgorithm": {
          "oid": "2.16.840.1.101.3.4.2.1",
          "hashName": "SHA256"
        }
      },
      "CertificateChain": {
        "chainRef": "{422C2A8A-2D14-43B7-8F70-6DD1C807BC48}"
      },
      "TimestampInfo": {
        "format": "RFC 3161",
        "DigestAlgorithm": {
          "oid": "2.16.840.1.101.3.4.2.1",
          "hashName": "SHA256"
        },
        "SignTime": "2022-05-07T04:33:12.256Z"
      },
      "TimestampChain": {
        "chainRef": "{EB187775-EA45-4715-9648-CA7864F79031}"
      },
      "EventAuxInfo": {
        "ProcessName": "MsSense.exe"
      },
      "CorrelationAuxInfo": {
        "TaskId": "{116ED906-7813-42DD-902B-79FD5BF3FB24}",
        "SeqNumber": "11"
      },
      "Result": {
        "value": "0"
      }
    }
  },
  "message": ""
}

Detection Rules #

View all rules referencing this event →

Splunk # view in reference

Windows SIP WinVerifyTrust Failed Trust Validation source: The following analytic detects failed trust validation attempts using Windows Event Log - CAPI2 (CryptoAPI 2). It specifically triggers on EventID 81, which indicates that "The digital signature of the object did not verify." This detection leverages the CAPI2 Operational log to identify instances where digital signatures fail to validate. Monitoring this activity is crucial as it can indicate attempts to execute untrusted or potentially malicious binaries. If confirmed malicious, this activity could allow attackers to bypass security controls and execute unauthorized code, leading to potential system compromise.