Microsoft-Windows-CodeIntegrity

111 events across 2 channels

Event ID	Title	Channel
3001	Code Integrity determined an unsigned kernel module %2 is loaded into the …	Operational
3002	Code Integrity is unable to verify the image integrity of the file %2 because …	Operational
3003	Code Integrity is unable to verify the image integrity of the file %2 because …	Operational
3004	Windows is unable to verify the image integrity of the file %2 because file hash …	Operational
3005	Code Integrity is unable to verify the image integrity of the file %2 because a …	Operational
3006	Code Integrity found a set of per-page image hashes for the file %2 in a catalog …	Verbose
3007	Code Integrity found a set of per-page image hashes for the file %2 in the image …	Verbose
3008	Code Integrity found a file hash for the file %2 in a catalog %4.	Verbose
3009	Code Integrity found a file hash for the file %2 in the image embedded …	Verbose
3010	Code Integrity was unable to load the %2 catalog.	Operational
3011	Code Integrity successfully loaded the %2 catalog.	Verbose
3012	Code Integrity started loading the %2 catalog.	Verbose
3013	Code Integrity started reloading catalogs.	Verbose
3014	Code Integrity completed reloading catalogs.	Verbose
3015	Code Integrity started validating file hash of %2 file.	Verbose
3016	Code Integrity completed validating file hash.	Verbose
3017	Code Integrity started validating page hashes of %2 file.	Verbose
3018	Code Integrity completed validating page hashes.	Verbose
3019	Code Integrity started loading catalog cache from %2 file.	Verbose
3020	Code Integrity completed loading catalog cache.	Verbose
3021	Code Integrity determined a revoked kernel module %2 is loaded into the system.	Operational
3022	Code Integrity determined a revoked kernel module %2 is loaded into the system.	Operational
3023	The driver %2 is blocked from loading as the driver has been revoked by …	Operational
3024	Windows was unable to update the boot catalog cache file.	Operational
3025	Code Integrity determined kernel module %2 is loaded into the system which does …	Verbose
3026	Code Integrity was unable to load the %2 catalog because the signing certificate …	Operational
3027	Code Integrity started loading catalog %2 from the cache file.	Verbose
3028	Code Integrity started saving catalog cache to %2 file.	Verbose
3029	Code Integrity completed saving catalog cache.	Verbose
3030	Code Integrity saved catalog %2 to the cache file.	Verbose
3032	Code Integrity determined a revoked image %2 is loaded into the system.	Operational
3033	Code Integrity determined that a process (%4) attempted to load %2 that did not …	Operational
3034	Code Integrity determined that a process (%4) attempted to load %2 that did not …	Operational
3035	Code Integrity determined a revoked image %2 is loaded into the system.	Operational
3036	Windows is unable to verify the integrity of the file %2 because the signing …	Operational
3037	Code Integrity determined an unsigned image %2 is loaded into the system.	Operational
3038	Code Integrity started validating image header of %2 file.	Verbose
3039	Code Integrity completed validating image header.	Verbose
3040	Code Integrity started retrieving the cached data of %2 file.	Verbose
3041	Code Integrity completed retrieval of file cache.	Verbose
3042	Code Integrity started setting the cache of %2 file.	Verbose
3043	Code Integrity completed setting the file cache.	Verbose
3050	Code Integrity completed retrieval of file cache.	Operational
3051	Code Integrity completed retrieval of file cache.	Operational
3052	Code Integrity completed retrieval of file cache.	Operational
3054	Code Integrity started setting the cache of %2 file.	Verbose
3055	Code Integrity completed setting the file cache.	Verbose
3057	Code Integrity completed retrieval of file cache.	Operational
3058	Code Integrity completed retrieval of file cache.	Operational
3059	Code Integrity found a set of per-page image hashes for the file %2 in a catalog …	Verbose
3060	Code Integrity found a set of per-page image hashes for the file %2 in a catalog …	Verbose
3061	Code Integrity found a file hash for the file %2 in a catalog %4.	Verbose
3062	Code Integrity found a file hash for the file %2 in a catalog %4.	Verbose
3063	Code Integrity determined that a process (%4) attempted to load %2 that did not …	Operational
3064	Code Integrity determined that a process (%4) attempted to load %2 that did not …	Verbose
3065	Code Integrity determined that a process (%4) attempted to load %2 that did not …	Operational
3066	Code Integrity determined that a process (%4) attempted to load %2 that did not …	Operational
3067	Code Integrity determined that a process (%4) attempted to load %2 that did not …	Operational
3068	Code Integrity determined that a process (%4) attempted to load %2 that did not …	Operational
3069	Code Integrity was unable to load the weak crypto policy value from registry.	Operational
3070	Code Integrity was unable to load the weak crypto policy from registry store.	Operational
3071	Code Integrity was unable to load the weak crypto policies.	Operational
3072	Code Integrity determined that the module %2 is not compatible with hypervisor …	Operational
3073	Code Integrity determined that the module %2 is not compatible with strict mode …	Operational
3074	Code Integrity was unable to verify a page for a module verified using …	Operational
3075	Code Integrity determined that process (%4) spent %7 and %8 microseconds for …	Verbose
3076	Code Integrity determined that a process (%4) attempted to load %2 that did not …	Operational
3077	Code Integrity determined that a process (%4) attempted to load %2 that did not …	Operational
3078	Code Integrity determined that a process (%4) attempted to load %2 that did not …	Operational
3079	Code Integrity determined that a process (%4) attempted to load %2 that did not …	Operational
3080	Code Integrity determined that a process (%4) attempted to load %2 that did not …	Operational
3081	Code Integrity determined that a process (%4) attempted to load %2 that did not …	Operational
3082	Code Integrity determined kernel module %2 that did not meet the WHQL …	Operational
3083	Code Integrity determined kernel module %2 that did not meet the WHQL …	Operational
3084	Code Integrity will enable WHQL driver enforcement for this boot session.	Operational
3085	Code Integrity will disable WHQL driver enforcement for this boot session.	Operational
3086	Code Integrity determined that a process (%4) attempted to load %2 that did not …	Operational
3087	Code Integrity determined that the kernel module %2 is not compatible with …	Operational
3088	Code Integrity testing module %2 against policy %11.	Verbose
3089	Signature information for another event.	Operational
3090	Code Integrity testing module %2 against policy %11.	Operational
3091	Code Integrity testing module %2 against policy %11.	Operational
3091	Code Integrity testing module %2 against policy %11.	Verbose
3092	Code Integrity testing module %2 against policy %11.	Operational
3092	Code Integrity testing module %2 against policy %11.	Verbose
3093	other (see event data)	Operational
3094	other (see event data)	Operational
3095	Code Integrity policy %5 %2 is set to unrefreshable.	Operational
3096	No change in active Code Integrity policy %5 %2 after refresh.	Operational
3097	Not allowed to refresh Code Integrity policy %5 %2.	Operational
3098	other (see event data)	Operational
3099	Refreshed and activated Code Integrity policy %5 %2.	Operational
3100	Refreshed but not activated Code Integrity policy %5 %2.	Operational
3101	Code Integrity policy refresh started for %1 policies.	Operational
3102	Code Integrity policy refresh finished for %1 policies.	Operational
3103	Ignoring refresh for Code Integrity policy ID %1.	Operational
3104	Windows blocked file %2 which has been disallowed for protected processes.	Operational
3105	Trying to refresh Code Integrity policy with policy ID %1.	Operational
3106	Code Integrity failed to set cache for %2 file due to validation failure.	Verbose
3107	Code Integrity failed to set cache for %2 file because it does not meet signing …	Verbose
3108	Code Integrity successfully switched from %3 mode to %4 mode.	Operational
3109	Code Integrity already switched from %3 mode to %4 mode.	Operational
3110	Code Integrity failed to switch from %3 mode to %4 mode with error code %5.	Operational
3111	Code Integrity determined that a process (%6) attempted to load %2 that is not …	Operational
3112	Code Integrity determined that a process (%4) attempted to load %2 that did not …	Operational
3113	Code Integrity could not update the driver.	Operational
3114	Code Integrity determined that %4 is trying to load %2 which failed the dynamic …	Operational
3115	Code Integrity determined that %4 is trying to load %2 which failed the dynamic …	Operational
3116	Signature information for Code Integrity policy ID %1.	Operational
3117	Code Integrity determined that a process (%4) attempted to load %2 that violated …	Operational
3118	Smart App Control Block Deteails	Operational

Event ID 3001 — Code Integrity determined an unsigned kernel module %2 is loaded into the system.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

Code Integrity determined an unsigned kernel module %2 is loaded into the system. Check with the publisher to see if a signed version of the kernel module is available.

Fields

Name	Description
`FileNameLength`	—
`FileNameBuffer`	—
`SecureRequired`	—
`RequestedSigningLevel`	—
`ProcessNameLength`	—
`ProcessNameBuffer`	—

Sigma Rules

CodeIntegrity - Unsigned Kernel Module Loaded
Detects the presence of a loaded unsigned kernel module on the system.

References

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations

Event ID 3002 — Code Integrity is unable to verify the image integrity of the file %2 because the set of per-page image hashes could not be found on the system.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

Code Integrity is unable to verify the image integrity of the file %2 because the set of per-page image hashes could not be found on the system.

Fields

Name	Description
`FileNameLength`	—
`FileNameBuffer`	—
`SecureRequired`	—
`RequestedSigningLevel`	—
`ProcessNameLength`	—
`ProcessNameBuffer`	—

Event ID 3003 — Code Integrity is unable to verify the image integrity of the file %2 because the set of per-page image hashes could not be found on the system.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

Code Integrity is unable to verify the image integrity of the file %2 because the set of per-page image hashes could not be found on the system. The image is allowed to load because kernel mode debugger is attached.

Fields

Name	Description
`FileNameLength`	—
`FileNameBuffer`	—
`SecureRequired`	—
`RequestedSigningLevel`	—
`ProcessNameLength`	—
`ProcessNameBuffer`	—

Event ID 3004 — Windows is unable to verify the image integrity of the file %2 because file hash could not be found on the system.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational
Level: 2
Samples: 1

Message

Windows is unable to verify the image integrity of the file %2 because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Fields

Name	Description
`FileNameLength`	—
`FileNameBuffer`	—
`SecureRequired`	—
`RequestedSigningLevel`	—
`ProcessNameLength`	—
`ProcessNameBuffer`	—

Example Event

system:
  provider: Microsoft-Windows-CodeIntegrity
  guid: 4EE76BD8-3CF4-44A0-A0AC-3937643E37A3
  event_source_name: ''
  event_id: 3004
  version: 1
  level: 2
  task: 1
  opcode: 104
  keywords: 9223372036854775808
  time_created: '2023-11-06T02:03:39.834684+00:00'
  event_record_id: 2826
  correlation:
    ActivityID: E4DB489E-1037-0002-799D-F2E43710DA01
  execution:
    process_id: 18308
    thread_id: 9372
  channel: Microsoft-Windows-CodeIntegrity/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  FileNameLength: 87
  FileNameBuffer: \Device\HarddiskVolume4\Program Files\Avira\Endpoint Protection
    SDK\amsi\x64\avamsi.dll
  SecureRequired: '0x80000000'
  RequestedSigningLevel: 7
  ProcessNameLength: 81
  ProcessNameBuffer: \Device\HarddiskVolume4\Program Files\Avira\Endpoint Protection
    SDK\wsc_agent.exe
message: ''

References

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations
Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 3005 — Code Integrity is unable to verify the image integrity of the file %2 because a file hash could not be found on the system.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

Code Integrity is unable to verify the image integrity of the file %2 because a file hash could not be found on the system. The image is allowed to load because kernel mode debugger is attached.

Fields

Name	Description
`FileNameLength`	—
`FileNameBuffer`	—
`SecureRequired`	—
`RequestedSigningLevel`	—
`ProcessNameLength`	—
`ProcessNameBuffer`	—

Event ID 3006 — Code Integrity found a set of per-page image hashes for the file %2 in a catalog %4.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Verbose

Message

Code Integrity found a set of per-page image hashes for the file %2 in a catalog %4.

Fields

Name	Description
`FileNameLength`	—
`FileNameBuffer`	—
`CatalogNameLength`	—
`CatalogNameBuffer`	—

Event ID 3007 — Code Integrity found a set of per-page image hashes for the file %2 in the image embedded certificate.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Verbose

Message

Code Integrity found a set of per-page image hashes for the file %2 in the image embedded certificate.

Fields

Name	Description
`FileNameLength`	—
`FileNameBuffer`	—

Event ID 3008 — Code Integrity found a file hash for the file %2 in a catalog %4.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Verbose

Message

Code Integrity found a file hash for the file %2 in a catalog %4.

Fields

Name	Description
`FileNameLength`	—
`FileNameBuffer`	—
`CatalogNameLength`	—
`CatalogNameBuffer`	—

Event ID 3009 — Code Integrity found a file hash for the file %2 in the image embedded certificate.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Verbose

Message

Code Integrity found a file hash for the file %2 in the image embedded certificate.

Fields

Name	Description
`FileNameLength`	—
`FileNameBuffer`	—

Event ID 3010 — Code Integrity was unable to load the %2 catalog.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational
Level: 3
Samples: 1

Message

Code Integrity was unable to load the %2 catalog. Status %3.

Fields

Name	Description
`FileNameLength`	—
`FileNameBuffer`	—
`Status`	—

Example Event

system:
  provider: Microsoft-Windows-CodeIntegrity
  guid: 4EE76BD8-3CF4-44A0-A0AC-3937643E37A3
  event_source_name: ''
  event_id: 3010
  version: 1
  level: 3
  task: 2
  opcode: 100
  keywords: 9223372036854775808
  time_created: '2022-04-07T17:06:57.824463+00:00'
  event_record_id: 22
  correlation:
    ActivityID: DD7B0B6A-4A9E-0001-407E-7BDD9E4AD801
  execution:
    process_id: 5260
    thread_id: 1912
  channel: Microsoft-Windows-CodeIntegrity/Operational
  computer: WIN-FPV0DSIC9O6
  security:
    user_id: S-1-5-18
event_data:
  FileNameLength: 99
  FileNameBuffer: Microsoft-Windows-ServerCore-SKU-Foundation-merged-Package~31bf3856ad364e35~amd64~~10.0.20348.1.cat
  Status: '0xc0000034'
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 3011 — Code Integrity successfully loaded the %2 catalog.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Verbose

Message

Code Integrity successfully loaded the %2 catalog.

Fields

Name	Description
`FileNameLength`	—
`FileNameBuffer`	—

Event ID 3012 — Code Integrity started loading the %2 catalog.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Verbose

Message

Code Integrity started loading the %2 catalog.

Fields

Name	Description
`FileNameLength`	—
`FileNameBuffer`	—

Event ID 3013 — Code Integrity started reloading catalogs.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Verbose

Message

Code Integrity started reloading catalogs.

Event ID 3014 — Code Integrity completed reloading catalogs.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Verbose

Message

Code Integrity completed reloading catalogs. Status %1.

Fields

Name	Description
`Status`	—

Event ID 3015 — Code Integrity started validating file hash of %2 file.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Verbose

Message

Code Integrity started validating file hash of %2 file.

Fields

Name	Description
`FileNameLength`	—
`FileNameBuffer`	—

Event ID 3016 — Code Integrity completed validating file hash.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Verbose

Message

Code Integrity completed validating file hash. Status %1.

Fields

Name	Description
`Status`	—

Event ID 3017 — Code Integrity started validating page hashes of %2 file.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Verbose

Message

Code Integrity started validating page hashes of %2 file.

Fields

Name	Description
`FileNameLength`	—
`FileNameBuffer`	—

Event ID 3018 — Code Integrity completed validating page hashes.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Verbose

Message

Code Integrity completed validating page hashes. Status %1.

Fields

Name	Description
`Status`	—

Event ID 3019 — Code Integrity started loading catalog cache from %2 file.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Verbose

Message

Code Integrity started loading catalog cache from %2 file.

Fields

Name	Description
`FileNameLength`	—
`FileNameBuffer`	—

Event ID 3020 — Code Integrity completed loading catalog cache.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Verbose

Message

Code Integrity completed loading catalog cache. Status %1.

Fields

Name	Description
`Status`	—

Event ID 3021 — Code Integrity determined a revoked kernel module %2 is loaded into the system.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

Code Integrity determined a revoked kernel module %2 is loaded into the system.  Check with the publisher to see if a new signed version of the kernel module is available.

Fields

Name	Description
`FileNameLength`	—
`FileNameBuffer`	—
`SecureRequired`	—
`RequestedSigningLevel`	—
`ProcessNameLength`	—
`ProcessNameBuffer`	—

Sigma Rules

CodeIntegrity - Revoked Kernel Driver Loaded
Detects the load of a revoked kernel driver

Event ID 3022 — Code Integrity determined a revoked kernel module %2 is loaded into the system.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

Code Integrity determined a revoked kernel module %2 is loaded into the system. The image is allowed to load because kernel mode debugger is attached.

Fields

Name	Description
`FileNameLength`	—
`FileNameBuffer`	—
`SecureRequired`	—
`RequestedSigningLevel`	—
`ProcessNameLength`	—
`ProcessNameBuffer`	—

Sigma Rules

CodeIntegrity - Revoked Kernel Driver Loaded
Detects the load of a revoked kernel driver

Event ID 3023 — The driver %2 is blocked from loading as the driver has been revoked by Microsoft.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

The driver %2 is blocked from loading as the driver has been revoked by Microsoft.

Fields

Name	Description
`FileNameLength`	—
`FileNameBuffer`	—
`SecureRequired`	—
`RequestedSigningLevel`	—
`ProcessNameLength`	—
`ProcessNameBuffer`	—

Sigma Rules

CodeIntegrity - Blocked Driver Load With Revoked Certificate
Detects blocked load attempts of revoked drivers

References

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations

Event ID 3024 — Windows was unable to update the boot catalog cache file.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

Windows was unable to update the boot catalog cache file.  Status %1.

Fields

Name	Description
`Status`	—

References

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations

Event ID 3025 — Code Integrity determined kernel module %2 is loaded into the system which does not have a valid embedded digital signature.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Verbose

Message

Code Integrity determined kernel module %2 is loaded into the system which does not have a valid embedded digital signature. Check with the publisher to see if an embedded signed version of the kernel module is available.

Fields

Name	Description
`FileNameLength`	—
`FileNameBuffer`	—

Event ID 3026 — Code Integrity was unable to load the %2 catalog because the signing certificate for this catalog has been revoked.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

Code Integrity was unable to load the %2 catalog because the signing certificate for this catalog has been revoked.  This can result in images failing to load because a valid signature cannot be found.  Check with the publisher to see if a new signed version of the catalog and images are available.

Fields

Name	Description
`FileNameLength`	—
`FileNameBuffer`	—

References

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations

Event ID 3027 — Code Integrity started loading catalog %2 from the cache file.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Verbose

Message

Code Integrity started loading catalog %2 from the cache file.

Fields

Name	Description
`FileNameLength`	—
`FileNameBuffer`	—

Event ID 3028 — Code Integrity started saving catalog cache to %2 file.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Verbose

Message

Code Integrity started saving catalog cache to %2 file.

Fields

Name	Description
`FileNameLength`	—
`FileNameBuffer`	—

Event ID 3029 — Code Integrity completed saving catalog cache.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Verbose

Message

Code Integrity completed saving catalog cache. Status %1.

Fields

Name	Description
`Status`	—

Event ID 3030 — Code Integrity saved catalog %2 to the cache file.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Verbose

Message

Code Integrity saved catalog %2 to the cache file.

Fields

Name	Description
`FileNameLength`	—
`FileNameBuffer`	—

Event ID 3032 — Code Integrity determined a revoked image %2 is loaded into the system.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

Code Integrity determined a revoked image %2 is loaded into the system.  Check with the publisher to see if a new signed version of the image is available.

Fields

Name	Description
`FileNameLength`	—
`FileNameBuffer`	—
`SecureRequired`	—
`RequestedSigningLevel`	—
`ProcessNameLength`	—
`ProcessNameBuffer`	—

Sigma Rules

CodeIntegrity - Revoked Image Loaded
Detects image load events with revoked certificates by code integrity.

References

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations

Event ID 3033 — Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational
Level: 2
Samples: 1

Message

Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements.

Fields

Name	Description
`FileNameLength`	—
`FileNameBuffer`	—
`ProcessNameLength`	—
`ProcessNameBuffer`	—
`RequestedPolicy`	—
`ValidatedPolicy`	—
`Status`	—

Example Event

system:
  provider: Microsoft-Windows-CodeIntegrity
  guid: 4EE76BD8-3CF4-44A0-A0AC-3937643E37A3
  event_source_name: ''
  event_id: 3033
  version: 0
  level: 2
  task: 1
  opcode: 111
  keywords: 9223372036854775808
  time_created: '2023-11-06T01:54:48.422937+00:00'
  event_record_id: 2821
  correlation:
    ActivityID: E4DB489E-1037-0000-694C-EEE43710DA01
  execution:
    process_id: 16400
    thread_id: 16044
  channel: Microsoft-Windows-CodeIntegrity/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  FileNameLength: 70
  FileNameBuffer: \Device\HarddiskVolume4\Program Files\Avast Software\Avast\aswAMSI.dll
  ProcessNameLength: 52
  ProcessNameBuffer: \Device\HarddiskVolume4\Windows\System32\svchost.exe
  RequestedPolicy: 12
  ValidatedPolicy: 1
  Status: 3221226536
message: ''

Sigma Rules

CodeIntegrity - Unmet Signing Level Requirements By File Under Validation
Detects attempted file load events that did not meet the signing level requirements. It often means the file's signature is revoked or a signature with the Lifetime Signing EKU has expired. This event is best correlated with EID 3089 to determine the error of the validation.

References

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations
Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 3034 — Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements or violated code integrity p...

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements or violated code integrity policy. However, due to code integrity auditing policy, the image was allowed to load.

Fields

Name	Description
`FileNameLength`	—
`FileNameBuffer`	—
`ProcessNameLength`	—
`ProcessNameBuffer`	—
`RequestedPolicy`	—
`ValidatedPolicy`	—
`Status`	—

Sigma Rules

CodeIntegrity - Unmet Signing Level Requirements By File Under Validation
Detects attempted file load events that did not meet the signing level requirements. It often means the file's signature is revoked or a signature with the Lifetime Signing EKU has expired. This event is best correlated with EID 3089 to determine the error of the validation.

References

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations

Event ID 3035 — Code Integrity determined a revoked image %2 is loaded into the system.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

Code Integrity determined a revoked image %2 is loaded into the system. The image is allowed to load because kernel mode debugger is attached.

Fields

Name	Description
`FileNameLength`	—
`FileNameBuffer`	—
`SecureRequired`	—
`RequestedSigningLevel`	—
`ProcessNameLength`	—
`ProcessNameBuffer`	—

Sigma Rules

CodeIntegrity - Revoked Image Loaded
Detects image load events with revoked certificates by code integrity.

Event ID 3036 — Windows is unable to verify the integrity of the file %2 because the signing certificate has been revoked.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

Windows is unable to verify the integrity of the file %2 because the signing certificate has been revoked.  Check with the publisher to see if a new signed version of the kernel module is available.

Fields

Name	Description
`FileNameLength`	—
`FileNameBuffer`	—
`SecureRequired`	—
`RequestedSigningLevel`	—
`ProcessNameLength`	—
`ProcessNameBuffer`	—

Sigma Rules

CodeIntegrity - Blocked Image Load With Revoked Certificate
Detects blocked image load events with revoked certificates by code integrity.

References

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations

Event ID 3037 — Code Integrity determined an unsigned image %2 is loaded into the system.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

Code Integrity determined an unsigned image %2 is loaded into the system. Check with the publisher to see if a signed version of the image is available.

Fields

Name	Description
`FileNameLength`	—
`FileNameBuffer`	—
`SecureRequired`	—
`RequestedSigningLevel`	—
`ProcessNameLength`	—
`ProcessNameBuffer`	—

Sigma Rules

CodeIntegrity - Unsigned Image Loaded
Detects loaded unsigned image on the system

Event ID 3038 — Code Integrity started validating image header of %2 file.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Verbose

Message

Code Integrity started validating image header of %2 file.

Fields

Name	Description
`FileNameLength`	—
`FileNameBuffer`	—
`SecureRequired`	—
`RequestedSigningLevel`	—
`ProcessNameLength`	—
`ProcessNameBuffer`	—

Event ID 3039 — Code Integrity completed validating image header.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Verbose

Message

Code Integrity completed validating image header. Status %1.

Fields

Name	Description
`Status`	—

Event ID 3040 — Code Integrity started retrieving the cached data of %2 file.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Verbose

Message

Code Integrity started retrieving the cached data of %2 file.

Fields

Name	Description
`FileNameLength`	—
`FileNameBuffer`	—

Event ID 3041 — Code Integrity completed retrieval of file cache.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Verbose

Message

Code Integrity completed retrieval of file cache. Status %1.

Fields

Name	Description
`Status`	—
`CachedFlags`	—
`CacheSource`	—
`CachedPolicy`	—
`State`	—
`StateData`	—

Event ID 3042 — Code Integrity started setting the cache of %2 file.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Verbose

Message

Code Integrity started setting the cache of %2 file.

Fields

Name	Description
`FileNameLength`	—
`FileNameBuffer`	—

Event ID 3043 — Code Integrity completed setting the file cache.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Verbose

Message

Code Integrity completed setting the file cache. Status %1.

Fields

Name	Description
`Status`	—
`CachedFlags`	—
`CacheSource`	—
`CachedPolicy`	—
`State`	—
`StateData`	—

Event ID 3050 — Code Integrity completed retrieval of file cache.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

Code Integrity completed retrieval of file cache. Status %1.

Fields

Name	Description
`Status`	—

Event ID 3051 — Code Integrity completed retrieval of file cache.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

Code Integrity completed retrieval of file cache. Status %1.

Fields

Name	Description
`Status`	—

Event ID 3052 — Code Integrity completed retrieval of file cache.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

Code Integrity completed retrieval of file cache. Status %1.

Fields

Name	Description
`Status`	—

Event ID 3054 — Code Integrity started setting the cache of %2 file.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Verbose

Message

Code Integrity started setting the cache of %2 file.

Fields

Name	Description
`FileNameLength`	—
`FileNameBuffer`	—

Event ID 3055 — Code Integrity completed setting the file cache.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Verbose

Message

Code Integrity completed setting the file cache. Status %1.

Fields

Name	Description
`Status`	—

Event ID 3057 — Code Integrity completed retrieval of file cache.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

Code Integrity completed retrieval of file cache. Status %1.

Fields

Name	Description
`Status`	—

Event ID 3058 — Code Integrity completed retrieval of file cache.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

Code Integrity completed retrieval of file cache. Status %1.

Fields

Name	Description
`Status`	—

Event ID 3059 — Code Integrity found a set of per-page image hashes for the file %2 in a catalog %4.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Verbose

Message

Code Integrity found a set of per-page image hashes for the file %2 in a catalog %4.

Fields

Name	Description
`FileNameLength`	—
`FileNameBuffer`	—
`CatalogNameLength`	—
`CatalogNameBuffer`	—

Event ID 3060 — Code Integrity found a set of per-page image hashes for the file %2 in a catalog %4.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Verbose

Message

Code Integrity found a set of per-page image hashes for the file %2 in a catalog %4.

Fields

Name	Description
`FileNameLength`	—
`FileNameBuffer`	—
`CatalogNameLength`	—
`CatalogNameBuffer`	—

Event ID 3061 — Code Integrity found a file hash for the file %2 in a catalog %4.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Verbose

Message

Code Integrity found a file hash for the file %2 in a catalog %4.

Fields

Name	Description
`FileNameLength`	—
`FileNameBuffer`	—
`CatalogNameLength`	—
`CatalogNameBuffer`	—

Event ID 3062 — Code Integrity found a file hash for the file %2 in a catalog %4.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Verbose

Message

Code Integrity found a file hash for the file %2 in a catalog %4.

Fields

Name	Description
`FileNameLength`	—
`FileNameBuffer`	—
`CatalogNameLength`	—
`CatalogNameBuffer`	—

Event ID 3063 — Code Integrity determined that a process (%4) attempted to load %2 that did not meet the security requirements for %5.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

Code Integrity determined that a process (%4) attempted to load %2 that did not meet the security requirements for %5.

Fields

Name	Description
`FileNameLength`	—
`FileNameBuffer`	—
`ProcessNameLength`	—
`ProcessNameBuffer`	—
`RequirementType`	—
`Status`	—

Event ID 3064 — Code Integrity determined that a process (%4) attempted to load %2 that did not meet the security requirements for %5.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Verbose

Message

Code Integrity determined that a process (%4) attempted to load %2 that did not meet the security requirements for %5. However, due to system policy, the image was allowed to load.

Fields

Name	Description
`FileNameLength`	—
`FileNameBuffer`	—
`ProcessNameLength`	—
`ProcessNameBuffer`	—
`RequirementType`	—
`Status`	—

References

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations

Event ID 3065 — Code Integrity determined that a process (%4) attempted to load %2 that did not meet the security requirements for %5.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

Code Integrity determined that a process (%4) attempted to load %2 that did not meet the security requirements for %5. However, due to system policy, the image was allowed to load.

Fields

Name	Description
`FileNameLength`	—
`FileNameBuffer`	—
`ProcessNameLength`	—
`ProcessNameBuffer`	—
`RequirementType`	—
`Status`	—

References

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations

Event ID 3066 — Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements or violated code integrity p...

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements or violated code integrity policy. However, due to code integrity auditing policy, the image was allowed to load.

Fields

Name	Description
`FileNameLength`	—
`FileNameBuffer`	—
`ProcessNameLength`	—
`ProcessNameBuffer`	—
`RequestedPolicy`	—
`ValidatedPolicy`	—
`Status`	—

Event ID 3067 — Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements or violated code integrity p...

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements or violated code integrity policy. However, due to code integrity auditing policy, the image was allowed to load.

Fields

Name	Description
`FileNameLength`	—
`FileNameBuffer`	—
`ProcessNameLength`	—
`ProcessNameBuffer`	—
`RequestedPolicy`	—
`ValidatedPolicy`	—
`Status`	—

Event ID 3068 — Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements or violated code integrity p...

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements or violated code integrity policy.

Fields

Name	Description
`FileNameLength`	—
`FileNameBuffer`	—
`ProcessNameLength`	—
`ProcessNameBuffer`	—
`RequestedPolicy`	—
`ValidatedPolicy`	—
`Status`	—

Event ID 3069 — Code Integrity was unable to load the weak crypto policy value from registry.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

Code Integrity was unable to load the weak crypto policy value from registry. Status %1.

Fields

Name	Description
`Status`	—

Event ID 3070 — Code Integrity was unable to load the weak crypto policy from registry store.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

Code Integrity was unable to load the weak crypto policy from registry store. Status %1.

Fields

Name	Description
`Status`	—

Event ID 3071 — Code Integrity was unable to load the weak crypto policies.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

Code Integrity was unable to load the weak crypto policies. Status %1.

Fields

Name	Description
`Status`	—

Event ID 3072 — Code Integrity determined that the module %2 is not compatible with hypervisor enforcement due to it having non-page aligned sections.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

Code Integrity determined that the module %2 is not compatible with hypervisor enforcement due to it having non-page aligned sections.

Fields

Name	Description
`FileNameLength`	—
`FileNameBuffer`	—

Event ID 3073 — Code Integrity determined that the module %2 is not compatible with strict mode hypervisor enforcement due to it having an executable section that ...

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

Code Integrity determined that the module %2 is not compatible with strict mode hypervisor enforcement due to it having an executable section that is also writable.

Fields

Name	Description
`FileNameLength`	—
`FileNameBuffer`	—

Event ID 3074 — Code Integrity was unable to verify a page for a module verified using hypervisor enforcement.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

Code Integrity was unable to verify a page for a module verified using hypervisor enforcement. Status %1.

Fields

Name	Description
`Status`	—

References

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations

Event ID 3075 — Code Integrity determined that process (%4) spent %7 and %8 microseconds for Code Integrity check and policy check to load %2 with validated %6 sig...

Provider: Microsoft-Windows-CodeIntegrity
Channel: Verbose

Message

Code Integrity determined that process (%4) spent %7 and %8 microseconds for Code Integrity check and policy check to load %2 with validated %6 signing level. For all components without EA cache, Code Integrity spent about %9? more time when policy enforced.

Fields

Name	Description
`FileNameLength`	—
`FileNameBuffer`	—
`ProcessNameLength`	—
`ProcessNameBuffer`	—
`RequestedSigningLevel`	—
`ValidatedSigningLevel`	—
`ElapsedTime`	—
`PolicyElapsedTime`	—
`PercentageTime`	—

References

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations

Event ID 3076 — Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements or violated code integrity p...

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements or violated code integrity policy. However, due to code integrity auditing policy, the image was allowed to load.

Fields

Name	Description
`FileNameLength`	—
`File Name`	—
`ProcessNameLength`	—
`Process Name`	—
`Requested Signing Level`	—
`Validated Signing Level`	—
`Status`	—
`SHA1 Hash Size`	—
`SHA1 Hash`	—
`SHA256 Hash Size`	—
`SHA256 Hash`	—
`SHA1 Flat Hash Size`	—
`SHA1 Flat Hash`	—
`SHA256 Flat Hash Size`	—
`SHA256 Flat Hash`	—
`USN`	—
`SI Signing Scenario`	—
`PolicyNameLength`	—
`PolicyName`	—
`PolicyIDLength`	—
`PolicyID`	—
`PolicyHashSize`	—
`PolicyHash`	—
`OriginalFileNameLength`	—
`OriginalFileName`	—
`InternalNameLength`	—
`InternalName`	—
`FileDescriptionLength`	—
`FileDescription`	—
`ProductNameLength`	—
`ProductName`	—
`FileVersion`	—
`PolicyGUID`	—
`UserWriteable`	—
`PackageFamilyNameLength`	—
`PackageFamilyName`	—
`FileName`	—
`ProcessName`	—
`RequestedSigningLevel`	—
`ValidatedSigningLevel`	—
`SHA1HashSize`	—
`SHA1Hash`	—
`SHA256HashSize`	—
`SHA256Hash`	—
`SHA1FlatHashSize`	—
`SHA1FlatHash`	—
`SHA256FlatHashSize`	—
`SHA256FlatHash`	—
`SISigningScenario`	—

References

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations

Event ID 3077 — Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements or violated code integrity p...

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements or violated code integrity policy.

Fields

Name	Description
`FileNameLength`	—
`File Name`	—
`ProcessNameLength`	—
`Process Name`	—
`Requested Signing Level`	—
`Validated Signing Level`	—
`Status`	—
`SHA1 Hash Size`	—
`SHA1 Hash`	—
`SHA256 Hash Size`	—
`SHA256 Hash`	—
`SHA1 Flat Hash Size`	—
`SHA1 Flat Hash`	—
`SHA256 Flat Hash Size`	—
`SHA256 Flat Hash`	—
`USN`	—
`SI Signing Scenario`	—
`PolicyNameLength`	—
`PolicyName`	—
`PolicyIDLength`	—
`PolicyID`	—
`PolicyHashSize`	—
`PolicyHash`	—
`OriginalFileNameLength`	—
`OriginalFileName`	—
`InternalNameLength`	—
`InternalName`	—
`FileDescriptionLength`	—
`FileDescription`	—
`ProductNameLength`	—
`ProductName`	—
`FileVersion`	—
`PolicyGUID`	—
`UserWriteable`	—
`PackageFamilyNameLength`	—
`PackageFamilyName`	—
`FileName`	—
`ProcessName`	—
`RequestedSigningLevel`	—
`ValidatedSigningLevel`	—
`SHA1HashSize`	—
`SHA1Hash`	—
`SHA256HashSize`	—
`SHA256Hash`	—
`SHA1FlatHashSize`	—
`SHA1FlatHash`	—
`SHA256FlatHashSize`	—
`SHA256FlatHash`	—
`SISigningScenario`	—

Sigma Rules

CodeIntegrity - Blocked Image/Driver Load For Policy Violation
Detects blocked load events that did not meet the authenticode signing level requirements or violated the code integrity policy.

References

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations

Event ID 3078 — Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements or violated code integrity p...

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements or violated code integrity policy. However, due to code integrity auditing policy, the image was allowed to load.

Fields

Name	Description
`FileNameLength`	—
`File Name`	—
`ProcessNameLength`	—
`Process Name`	—
`Requested Signing Level`	—
`Validated Signing Level`	—
`Status`	—
`SHA1 Hash Size`	—
`SHA1 Hash`	—
`SHA256 Hash Size`	—
`SHA256 Hash`	—
`USN`	—
`SI Signing Scenario`	—
`PolicyNameLength`	—
`PolicyName`	—
`PolicyIDLength`	—
`PolicyID`	—
`PolicyHashSize`	—
`PolicyHash`	—
`OriginalFileNameLength`	—
`OriginalFileName`	—
`InternalNameLength`	—
`InternalName`	—
`FileDescriptionLength`	—
`FileDescription`	—
`ProductNameLength`	—
`ProductName`	—
`FileVersion`	—
`FileName`	—
`ProcessName`	—
`RequestedSigningLevel`	—
`ValidatedSigningLevel`	—
`SHA1HashSize`	—
`SHA1Hash`	—
`SHA256HashSize`	—
`SHA256Hash`	—
`SISigningScenario`	—

Event ID 3079 — Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements or violated code integrity p...

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements or violated code integrity policy.

Fields

Name	Description
`FileNameLength`	—
`File Name`	—
`ProcessNameLength`	—
`Process Name`	—
`Requested Signing Level`	—
`Validated Signing Level`	—
`Status`	—
`SHA1 Hash Size`	—
`SHA1 Hash`	—
`SHA256 Hash Size`	—
`SHA256 Hash`	—
`USN`	—
`SI Signing Scenario`	—
`PolicyNameLength`	—
`PolicyName`	—
`PolicyIDLength`	—
`PolicyID`	—
`PolicyHashSize`	—
`PolicyHash`	—
`OriginalFileNameLength`	—
`OriginalFileName`	—
`InternalNameLength`	—
`InternalName`	—
`FileDescriptionLength`	—
`FileDescription`	—
`ProductNameLength`	—
`ProductName`	—
`FileVersion`	—
`FileName`	—
`ProcessName`	—
`RequestedSigningLevel`	—
`ValidatedSigningLevel`	—
`SHA1HashSize`	—
`SHA1Hash`	—
`SHA256HashSize`	—
`SHA256Hash`	—
`SISigningScenario`	—

References

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations

Event ID 3080 — Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements or violated code integrity p...

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements or violated code integrity policy. However, due to code integrity auditing policy, the image was allowed to load.

Fields

Name	Description
`FileNameLength`	—
`File Name`	—
`ProcessNameLength`	—
`Process Name`	—
`Requested Signing Level`	—
`Validated Signing Level`	—
`Status`	—
`SHA1 Hash Size`	—
`SHA1 Hash`	—
`SHA256 Hash Size`	—
`SHA256 Hash`	—
`USN`	—
`SI Signing Scenario`	—
`PolicyNameLength`	—
`PolicyName`	—
`PolicyIDLength`	—
`PolicyID`	—
`PolicyHashSize`	—
`PolicyHash`	—
`OriginalFileNameLength`	—
`OriginalFileName`	—
`InternalNameLength`	—
`InternalName`	—
`FileDescriptionLength`	—
`FileDescription`	—
`ProductNameLength`	—
`ProductName`	—
`FileVersion`	—
`FileName`	—
`ProcessName`	—
`RequestedSigningLevel`	—
`ValidatedSigningLevel`	—
`SHA1HashSize`	—
`SHA1Hash`	—
`SHA256HashSize`	—
`SHA256Hash`	—
`SISigningScenario`	—

References

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations

Event ID 3081 — Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements or violated code integrity p...

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements or violated code integrity policy.

Fields

Name	Description
`FileNameLength`	—
`File Name`	—
`ProcessNameLength`	—
`Process Name`	—
`Requested Signing Level`	—
`Validated Signing Level`	—
`Status`	—
`SHA1 Hash Size`	—
`SHA1 Hash`	—
`SHA256 Hash Size`	—
`SHA256 Hash`	—
`USN`	—
`SI Signing Scenario`	—
`PolicyNameLength`	—
`PolicyName`	—
`PolicyIDLength`	—
`PolicyID`	—
`PolicyHashSize`	—
`PolicyHash`	—
`OriginalFileNameLength`	—
`OriginalFileName`	—
`InternalNameLength`	—
`InternalName`	—
`FileDescriptionLength`	—
`FileDescription`	—
`ProductNameLength`	—
`ProductName`	—
`FileVersion`	—
`FileName`	—
`ProcessName`	—
`RequestedSigningLevel`	—
`ValidatedSigningLevel`	—
`SHA1HashSize`	—
`SHA1Hash`	—
`SHA256HashSize`	—
`SHA256Hash`	—
`SISigningScenario`	—

References

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations

Event ID 3082 — Code Integrity determined kernel module %2 that did not meet the WHQL requirements is loaded into the system.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

Code Integrity determined kernel module %2 that did not meet the WHQL requirements is loaded into the system. However, due to code integrity auditing policy, the image was allowed to load.

Fields

Name	Description
`FileNameLength`	—
`FileNameBuffer`	—

Sigma Rules

CodeIntegrity - Unmet WHQL Requirements For Loaded Kernel Module
Detects loaded kernel modules that did not meet the WHQL signing requirements.

References

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations

Event ID 3083 — Code Integrity determined kernel module %2 that did not meet the WHQL requirements is loaded into the system.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

Code Integrity determined kernel module %2 that did not meet the WHQL requirements is loaded into the system. Check with the publisher to see if a WHQL compliant kernel module is available.

Fields

Name	Description
`FileNameLength`	—
`FileNameBuffer`	—

Sigma Rules

CodeIntegrity - Unmet WHQL Requirements For Loaded Kernel Module
Detects loaded kernel modules that did not meet the WHQL signing requirements.

Event ID 3084 — Code Integrity will enable WHQL driver enforcement for this boot session.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

Code Integrity will enable WHQL driver enforcement for this boot session.  Settings %1. Exemption %2.

Fields

Name	Description
`Settings`	—
`Exemption`	—

References

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations

Event ID 3085 — Code Integrity will disable WHQL driver enforcement for this boot session.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational
Level: 4
Samples: 1

Message

Code Integrity will disable WHQL driver enforcement for this boot session.  Settings %1.

Fields

Name	Description
`Settings`	—
`Exemption`	—

Example Event

system:
  provider: Microsoft-Windows-CodeIntegrity
  guid: 4EE76BD8-3CF4-44A0-A0AC-3937643E37A3
  event_source_name: ''
  event_id: 3085
  version: 0
  level: 4
  task: 20
  opcode: 127
  keywords: 9223372036854775808
  time_created: '2022-04-07T16:52:38.896596+00:00'
  event_record_id: 31
  correlation:
    ActivityID: E0AAB88C-4A9F-0000-8DB8-AAE09F4AD801
  execution:
    process_id: 4
    thread_id: 8
  channel: Microsoft-Windows-CodeIntegrity/Operational
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-18
event_data:
  Settings: '0x0'
  Exemption: 1
message: ''

References

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations
Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 3086 — Code Integrity determined that a process (%4) attempted to load %2 that did not meet the signing requirements for Isolated User Mode.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

Code Integrity determined that a process (%4) attempted to load %2 that did not meet the signing requirements for Isolated User Mode.

Fields

Name	Description
`FileNameLength`	—
`FileNameBuffer`	—
`ProcessNameLength`	—
`ProcessNameBuffer`	—
`RequestedPolicy`	—
`ValidatedPolicy`	—
`Status`	—

References

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations

Event ID 3087 — Code Integrity determined that the kernel module %2 is not compatible with hypervisor enforcement.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

Code Integrity determined that the kernel module %2 is not compatible with hypervisor enforcement. Status %3.

Fields

Name	Description
`FileNameLength`	—
`FileNameBuffer`	—
`Status`	—
`HVCI Audit Failures`	—
`ProcessNameLength`	—
`ProcessNameBuffer`	—
`HVCIAuditFailures`	—

Event ID 3088 — Code Integrity testing module %2 against policy %11.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Verbose

Message

Code Integrity testing module %2 against policy %11. Status %3

Fields

Name	Description
`FileNameLength`	—
`FileName`	—
`StatusCode`	—
`ManagedInstallerEnabled`	—
`PassesManagedInstaller`	—
`SmartlockerEnabled`	—
`PassesSmartlocker`	—
`DefenderTrust`	—
`AuditEnabled`	—
`PolicyNameLength`	—
`PolicyName`	—
`PolicyIDLength`	—
`PolicyID`	—

Event ID 3089 — Signature information for another event.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational
Level: 4
Samples: 1

Message

Signature information for another event. Match using the Correlation Id.

Fields

Name	Description
`TotalSignatureCount`	—
`Signature`	—
`CacheState`	—
`Hash Size`	—
`Hash`	—
`PageHash`	—
`SignatureType`	—
`ValidatedSigningLevel`	—
`VerificationError`	—
`Flags`	—
`PolicyBits`	—
`NotValidBefore`	—
`NotValidAfter`	—
`PublisherNameLength`	—
`PublisherName`	—
`IssuerNameLength`	—
`IssuerName`	—
`PublisherTBSHashSize`	—
`PublisherTBSHash`	—
`IssuerTBSHashSize`	—
`IssuerTBSHash`	—

Example Event

system:
  provider: Microsoft-Windows-CodeIntegrity
  guid: 4EE76BD8-3CF4-44A0-A0AC-3937643E37A3
  event_source_name: ''
  event_id: 3089
  version: 2
  level: 4
  task: 1
  opcode: 130
  keywords: 9223372036854775808
  time_created: '2023-11-06T02:03:39.834696+00:00'
  event_record_id: 2828
  correlation:
    ActivityID: E4DB489E-1037-0002-799D-F2E43710DA01
  execution:
    process_id: 18308
    thread_id: 9372
  channel: Microsoft-Windows-CodeIntegrity/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  TotalSignatureCount: 2
  Signature: 1
  CacheState: 0
  Hash Size: 32
  Hash: CDFCFB06A61D9DEFD635A74F71DFB6BD5B3531EE7BAD61D942E259156C5F9746
  PageHash: false
  SignatureType: 1
  ValidatedSigningLevel: 8
  VerificationError: 18
  Flags: 0
  PolicyBits: 2050
  NotValidBefore: '2023-04-06T19:16:30.000000Z'
  NotValidAfter: '2024-04-03T19:16:30.000000Z'
  PublisherNameLength: 50
  PublisherName: Microsoft Windows Hardware Compatibility Publisher
  IssuerNameLength: 47
  IssuerName: Microsoft Windows Third Party Component CA 2014
  PublisherTBSHashSize: 32
  PublisherTBSHash: 0F06228DE7BACFBF65D426DF80C4E40C5ABFE5A2A402E6221DEA03B18897DE2B
  IssuerTBSHashSize: 32
  IssuerTBSHash: D8BE9E4D9074088EF818BC6F6FB64955E90378B2754155126FEEBBBD969CF0AE
message: ''

References

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations
Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 3090 — Code Integrity testing module %2 against policy %11.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

Code Integrity testing module %2 against policy %11. Status %3

Fields

Name	Description
`FileNameLength`	—
`FileName`	—
`StatusCode`	—
`ManagedInstallerEnabled`	—
`PassesManagedInstaller`	—
`SmartlockerEnabled`	—
`PassesSmartlocker`	—
`DefenderTrust`	—
`AuditEnabled`	—
`PolicyNameLength`	—
`PolicyName`	—
`PolicyIDLength`	—
`PolicyID`	—

References

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations

Event ID 3091 — Code Integrity testing module %2 against policy %11.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

Code Integrity testing module %2 against policy %11. Status %3

Fields

Name	Description
`FileNameLength`	—
`FileName`	—
`StatusCode`	—
`ManagedInstallerEnabled`	—
`PassesManagedInstaller`	—
`SmartlockerEnabled`	—
`PassesSmartlocker`	—
`DefenderTrust`	—
`AuditEnabled`	—
`PolicyNameLength`	—
`PolicyName`	—
`PolicyIDLength`	—
`PolicyID`	—

References

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations

Event ID 3091 — Code Integrity testing module %2 against policy %11.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Verbose

Message

Code Integrity testing module %2 against policy %11. Status %3

Fields

Name	Description
`FileNameLength`	—
`FileName`	—
`StatusCode`	—
`ManagedInstallerEnabled`	—
`PassesManagedInstaller`	—
`SmartlockerEnabled`	—
`PassesSmartlocker`	—
`DefenderTrust`	—
`AuditEnabled`	—
`PolicyNameLength`	—
`PolicyName`	—
`PolicyIDLength`	—
`PolicyID`	—

References

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations

Event ID 3092 — Code Integrity testing module %2 against policy %11.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

Code Integrity testing module %2 against policy %11. Status %3

Fields

Name	Description
`FileNameLength`	—
`FileName`	—
`StatusCode`	—
`ManagedInstallerEnabled`	—
`PassesManagedInstaller`	—
`SmartlockerEnabled`	—
`PassesSmartlocker`	—
`DefenderTrust`	—
`AuditEnabled`	—
`PolicyNameLength`	—
`PolicyName`	—
`PolicyIDLength`	—
`PolicyID`	—

References

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations

Event ID 3092 — Code Integrity testing module %2 against policy %11.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Verbose

Message

Code Integrity testing module %2 against policy %11. Status %3

Fields

Name	Description
`FileNameLength`	—
`FileName`	—
`StatusCode`	—
`ManagedInstallerEnabled`	—
`PassesManagedInstaller`	—
`SmartlockerEnabled`	—
`PassesSmartlocker`	—
`DefenderTrust`	—
`AuditEnabled`	—
`PolicyNameLength`	—
`PolicyName`	—
`PolicyIDLength`	—
`PolicyID`	—

References

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations

Event ID 3093 — other (see event data)

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

other (see event data)

Event ID 3094 — other (see event data)

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

other (see event data)

Event ID 3095 — Code Integrity policy %5 %2 is set to unrefreshable.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

Code Integrity policy %5 %2 is set to unrefreshable. id %4. Status: %6

Fields

Name	Description
`PolicyNameLength`	—
`PolicyNameBuffer`	—
`PolicyIdLength`	—
`PolicyIdBuffer`	—
`PolicyGUID`	—
`Status`	—
`Options`	—
`PolicyHashSize`	—
`PolicyHash`	—
`OptionsV2`	—

References

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations

Event ID 3096 — No change in active Code Integrity policy %5 %2 after refresh.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

No change in active Code Integrity policy %5 %2 after refresh. id %4. Status %6

Fields

Name	Description
`PolicyNameLength`	—
`PolicyNameBuffer`	—
`PolicyIdLength`	—
`PolicyIdBuffer`	—
`PolicyGUID`	—
`Status`	—
`Options`	—
`PolicyHashSize`	—
`PolicyHash`	—
`OptionsV2`	—

References

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations

Event ID 3097 — Not allowed to refresh Code Integrity policy %5 %2.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

Not allowed to refresh Code Integrity policy %5 %2. id %4. Status %6

Fields

Name	Description
`PolicyNameLength`	—
`PolicyNameBuffer`	—
`PolicyIdLength`	—
`PolicyIdBuffer`	—
`PolicyGUID`	—
`Status`	—
`Options`	—
`PolicyHashSize`	—
`PolicyHash`	—
`OptionsV2`	—

References

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations

Event ID 3098 — other (see event data)

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

other (see event data)

Event ID 3099 — Refreshed and activated Code Integrity policy %5 %2.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

Refreshed and activated Code Integrity policy %5 %2. id %4. Status %6

Fields

Name	Description
`PolicyNameLength`	—
`PolicyNameBuffer`	—
`PolicyIdLength`	—
`PolicyIdBuffer`	—
`PolicyGUID`	—
`Status`	—
`Options`	—
`PolicyHashSize`	—
`PolicyHash`	—
`OptionsV2`	—

References

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations

Event ID 3100 — Refreshed but not activated Code Integrity policy %5 %2.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

Refreshed but not activated Code Integrity policy %5 %2. id %4. Status %6

Fields

Name	Description
`PolicyNameLength`	—
`PolicyNameBuffer`	—
`PolicyIdLength`	—
`PolicyIdBuffer`	—
`PolicyGUID`	—
`Status`	—
`Options`	—
`PolicyHashSize`	—
`PolicyHash`	—
`OptionsV2`	—

Event ID 3101 — Code Integrity policy refresh started for %1 policies.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

Code Integrity policy refresh started for %1 policies.

Fields

Name	Description
`NumberOfPolicies`	—

Event ID 3102 — Code Integrity policy refresh finished for %1 policies.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

Code Integrity policy refresh finished for %1 policies.

Fields

Name	Description
`NumberOfPolicies`	—
`Status`	—

Event ID 3103 — Ignoring refresh for Code Integrity policy ID %1.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

Ignoring refresh for Code Integrity policy ID %1. Status %2.

Fields

Name	Description
`PolicyGUID`	—
`Status`	—

Event ID 3104 — Windows blocked file %2 which has been disallowed for protected processes.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

Windows blocked file %2 which has been disallowed for protected processes.

Fields

Name	Description
`FileNameLength`	—
`FileNameBuffer`	—

Sigma Rules

CodeIntegrity - Disallowed File For Protected Processes Has Been Blocked
Detects block events for files that are disallowed by code integrity for protected processes

Event ID 3105 — Trying to refresh Code Integrity policy with policy ID %1.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

Trying to refresh Code Integrity policy with policy ID %1.

Fields

Name	Description
`PolicyGUID`	—

Event ID 3106 — Code Integrity failed to set cache for %2 file due to validation failure.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Verbose

Message

Code Integrity failed to set cache for %2 file due to validation failure. Status %3.

Fields

Name	Description
`FileNameLength`	—
`FileNameBuffer`	—
`Status`	—

Event ID 3107 — Code Integrity failed to set cache for %2 file because it does not meet signing level requirements.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Verbose

Message

Code Integrity failed to set cache for %2 file because it does not meet signing level requirements. Status %3.

Fields

Name	Description
`FileNameLength`	—
`FileNameBuffer`	—
`Status`	—

Event ID 3108 — Code Integrity successfully switched from %3 mode to %4 mode.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

Code Integrity successfully switched from %3 mode to %4 mode.

Fields

Name	Description
`PolicyNameLength`	—
`PolicyNameBuffer`	—
`FromMode`	—
`ToMode`	—
`Status`	—

Event ID 3109 — Code Integrity already switched from %3 mode to %4 mode.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

Code Integrity already switched from %3 mode to %4 mode.

Fields

Name	Description
`PolicyNameLength`	—
`PolicyNameBuffer`	—
`FromMode`	—
`ToMode`	—
`Status`	—

Event ID 3110 — Code Integrity failed to switch from %3 mode to %4 mode with error code %5.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

Code Integrity failed to switch from %3 mode to %4 mode with error code %5.

Fields

Name	Description
`PolicyNameLength`	—
`PolicyNameBuffer`	—
`FromMode`	—
`ToMode`	—
`Status`	—

References

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations

Event ID 3111 — Code Integrity determined that a process (%6) attempted to load %2 that is not compatible with hypervisor enforcement.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

Code Integrity determined that a process (%6) attempted to load %2 that is not compatible with hypervisor enforcement. Failure bitmap %4. Status %3.

Fields

Name	Description
`FileNameLength`	—
`FileNameBuffer`	—
`Status`	—
`HVCI Audit Failures`	—
`ProcessNameLength`	—
`ProcessNameBuffer`	—
`HVCIAuditFailures`	—

Event ID 3112 — Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements or violated code integrity p...

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements or violated code integrity policy. However, due to code integrity auditing policy, the image was allowed to load.

Fields

Name	Description
`FileNameLength`	—
`FileNameBuffer`	—
`ProcessNameLength`	—
`ProcessNameBuffer`	—
`RequestedPolicy`	—
`ValidatedPolicy`	—
`Status`	—

Event ID 3113 — Code Integrity could not update the driver.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

Code Integrity could not update the driver.stl revocation list. Status %1.

Fields

Name	Description
`Status`	—

Event ID 3114 — Code Integrity determined that %4 is trying to load %2 which failed the dynamic code trust verification with error code of %5.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

Code Integrity determined that %4 is trying to load %2 which failed the dynamic code trust verification with error code of %5.

Fields

Name	Description
`FileNameLength`	—
`FileName`	—
`ProcessNameLength`	—
`ProcessName`	—
`Status`	—
`SHA1HashSize`	—
`SHA1Hash`	—
`SHA256HashSize`	—
`SHA256Hash`	—
`SHA256FlatHashSize`	—
`SHA256FlatHash`	—

Event ID 3115 — Code Integrity determined that %4 is trying to load %2 which failed the dynamic code trust verification with error code of %5.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

Code Integrity determined that %4 is trying to load %2 which failed the dynamic code trust verification with error code of %5. However, due to code integrity auditing policy, the image was allowed to load.

Fields

Name	Description
`FileNameLength`	—
`FileName`	—
`ProcessNameLength`	—
`ProcessName`	—
`Status`	—
`SHA1HashSize`	—
`SHA1Hash`	—
`SHA256HashSize`	—
`SHA256Hash`	—
`SHA256FlatHashSize`	—
`SHA256FlatHash`	—

Event ID 3116 — Signature information for Code Integrity policy ID %1.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

Signature information for Code Integrity policy ID %1.

Fields

Name	Description
`PolicyGUID`	—
`PublisherNameLength`	—
`PublisherName`	—
`IssuerNameLength`	—
`IssuerName`	—
`PublisherTBSHashSize`	—
`PublisherTBSHash`	—
`IssuerTBSHashSize`	—
`IssuerTBSHash`	—
`EKUsSize`	—
`EKUs`	—
`KnownRoot`	—

Event ID 3117 — Code Integrity determined that a process (%4) attempted to load %2 that violated code integrity policy (Policy ID:%31).

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

Code Integrity determined that a process (%4) attempted to load %2 that violated code integrity policy (Policy ID:%31). However, that decision was overriden by an endpoint security policy (Policy ID:%38).

Fields

Name	Description
`FileNameLength`	—
`FileName`	—
`ProcessNameLength`	—
`ProcessName`	—
`SHA1HashSize`	—
`SHA1Hash`	—
`SHA256HashSize`	—
`SHA256Hash`	—
`SHA1FlatHashSize`	—
`SHA1FlatHash`	—
`SHA256FlatHashSize`	—
`SHA256FlatHash`	—
`USN`	—
`SISigningScenario`	—
`OriginalFileNameLength`	—
`OriginalFileName`	—
`InternalNameLength`	—
`InternalName`	—
`FileDescriptionLength`	—
`FileDescription`	—
`ProductNameLength`	—
`ProductName`	—
`FileVersion`	—
`UserWriteable`	—
`PackageFamilyNameLength`	—
`PackageFamilyName`	—
`DenyingPolicyNameLength`	—
`DenyingPolicyName`	—
`DenyingPolicySecureSettingIDLength`	—
`DenyingPolicySecureSettingID`	—
`DenyingPolicyID`	—
`DenyingPolicyHashSize`	—
`DenyingPolicyHash`	—
`OverridingPolicyNameLength`	—
`OverridingPolicyName`	—
`OverridingPolicySecureSettingIDLength`	—
`OverridingPolicySecureSettingID`	—
`OverridingPolicyID`	—
`OverridingPolicyHashSize`	—
`OverridingPolicyHash`	—

Event ID 3118 — Smart App Control Block Deteails

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational

Message

Smart App Control Block Deteails

Fields

Name	Description
`FileNameLength`	—
`FileNameBuffer`	—
`SHA256FlatHashSize`	—
`SHA256FlatHash`	—
`DefenderStatusCode`	—
`DefenderCatDbFailureStage`	—
`DefenderCatDbFailure`	—
`DefenderTrust`	—
`DefenderScanResultDetails`	—
`DefenderTrustExpiryTime`	—
`CachedDefenderTrust`	—
`CachedDefenderTrustExpiryTime`	—
`DefenderClientStatusCode`	—
`DefenderCloudHTTPCode`	—
`DefenderShellExecutedStatusCode`	—
`DefenderShellExecutedClientStatusCode`	—
`DefenderShellExecutedCloudHTTPCode`	—
`DefenderEngineReportGUID`	—
`DefenderShellExecutedEngineReportGUID`	—
`IsUnfriendlyFile`	—
`DefenderCalled`	—
`DefenderCallAttempted`	—
`DefenderCloudCallRequested`	—
`DefenderMadeCloudCall`	—
`DefenderShellExecutedCalled`	—
`DefenderShellExecutedMadeCloudCall`	—
`EADefenderTrustCached`	—
`TTLValid`	—
`DefenderDisabled`	—
`ExternalAuthorizationFlags`	—
`EnablementSwitchType`	—
`PreviousEnablementState`	—
`DefenderThreatNameLength`	—
`DefenderThreatName`	—
`DefenderShellExecutedThreatNameLength`	—
`DefenderShellExecutedThreatName`	—