Microsoft-Windows-CodeIntegrity
111 events across 2 channels
Event ID 3001 — Code Integrity determined an unsigned kernel module FileNameBuffer is loaded into the system.
Description
Code Integrity determined an unsigned kernel module FileNameBuffer is loaded into the system. Check with the publisher to see if a signed version of the kernel module is available.
Fields
| Name | Type | Description |
|---|---|---|
| FileNameLength | UInt16 | — |
| FileNameBuffer | UnicodeString | — |
| SecureRequired | HexInt32 | — |
| RequestedSigningLevel | UInt8 | — |
| ProcessNameLength | UInt16 | — |
| ProcessNameBuffer | UnicodeString | — |
Detection Rules
Sigma
- CodeIntegrity - Unsigned Kernel Module Loaded (level: high): Detects the presence of a loaded unsigned kernel module on the system.
Event ID 3002 — Code Integrity is unable to verify the image integrity of the file FileNameBuffer because the set of per-page image hashes could not be found on the system.
Description
Code Integrity is unable to verify the image integrity of the file FileNameBuffer because the set of per-page image hashes could not be found on the system.
Fields
| Name | Type | Description |
|---|---|---|
| FileNameLength | UInt16 | — |
| FileNameBuffer | UnicodeString | — |
| SecureRequired | HexInt32 | — |
| RequestedSigningLevel | UInt8 | — |
| ProcessNameLength | UInt16 | — |
| ProcessNameBuffer | UnicodeString | — |
Event ID 3003 — Code Integrity is unable to verify the image integrity of the file FileNameBuffer because the set of per-page image hashes could not be found on the system.
Event ID 3004 — Windows is unable to verify the image integrity of the file FileNameBuffer because file hash could not be found on the system.
Fields
| Name | Type | Description |
|---|---|---|
| FileNameLength | UInt16 | — |
| FileNameBuffer | UnicodeString | — |
| SecureRequired | HexInt32 | — |
| RequestedSigningLevel | UInt8 | — |
| ProcessNameLength | UInt16 | — |
| ProcessNameBuffer | UnicodeString | — |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "guid": "4EE76BD8-3CF4-44A0-A0AC-3937643E37A3",
    "event_source_name": "",
    "event_id": 3004,
    "version": 1,
    "level": 2,
    "task": 1,
    "opcode": 104,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T02:03:39.834684+00:00",
    "event_record_id": 2826,
    "correlation": {
      "ActivityID": "E4DB489E-1037-0002-799D-F2E43710DA01"
    },
    "execution": {
      "process_id": 18308,
      "thread_id": 9372
    },
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "FileNameLength": 87,
    "FileNameBuffer": "\\Device\\HarddiskVolume4\\Program Files\\Avira\\Endpoint Protection SDK\\amsi\\x64\\avamsi.dll",
    "SecureRequired": "0x80000000",
    "RequestedSigningLevel": 7,
    "ProcessNameLength": 81,
    "ProcessNameBuffer": "\\Device\\HarddiskVolume4\\Program Files\\Avira\\Endpoint Protection SDK\\wsc_agent.exe"
  },
  "message": ""
}
```
Event ID 3005 — Code Integrity is unable to verify the image integrity of the file FileNameBuffer because a file hash could not be found on the system.
Description
Code Integrity is unable to verify the image integrity of the file FileNameBuffer because a file hash could not be found on the system. The image is allowed to load because kernel mode debugger is attached.
Fields
| Name | Type | Description |
|---|---|---|
| FileNameLength | UInt16 | — |
| FileNameBuffer | UnicodeString | — |
| SecureRequired | HexInt32 | — |
| RequestedSigningLevel | UInt8 | — |
| ProcessNameLength | UInt16 | — |
| ProcessNameBuffer | UnicodeString | — |
Event ID 3006 — Code Integrity found a set of per-page image hashes for the file FileNameBuffer in a catalog CatalogNameBuffer.
Event ID 3007 — Code Integrity found a set of per-page image hashes for the file FileNameBuffer in the image embedded certificate.
Event ID 3008 — Code Integrity found a file hash for the file FileNameBuffer in a catalog CatalogNameBuffer.
Event ID 3009 — Code Integrity found a file hash for the file FileNameBuffer in the image embedded certificate.
Event ID 3010 — Code Integrity was unable to load the FileNameBuffer catalog.
Description
Code Integrity was unable to load the FileNameBuffer catalog. Status Status.
Fields
| Name | Type | Description |
|---|---|---|
| FileNameLength | UInt16 | — |
| FileNameBuffer | UnicodeString | — |
| Status | HexInt32 | NTSTATUS reference |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "guid": "4EE76BD8-3CF4-44A0-A0AC-3937643E37A3",
    "event_source_name": "",
    "event_id": 3010,
    "version": 1,
    "level": 3,
    "task": 2,
    "opcode": 100,
    "keywords": 9223372036854775808,
    "time_created": "2022-04-07T17:06:57.824463+00:00",
    "event_record_id": 22,
    "correlation": {
      "ActivityID": "DD7B0B6A-4A9E-0001-407E-7BDD9E4AD801"
    },
    "execution": {
      "process_id": 5260,
      "thread_id": 1912
    },
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "computer": "WIN-FPV0DSIC9O6",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "FileNameLength": 99,
    "FileNameBuffer": "Microsoft-Windows-ServerCore-SKU-Foundation-merged-Package~31bf3856ad364e35~amd64~~10.0.20348.1.cat",
    "Status": "0xc0000034"
  },
  "message": ""
}
```
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 3011 — Code Integrity successfully loaded the FileNameBuffer catalog.
Event ID 3012 — Code Integrity started loading the FileNameBuffer catalog.
Event ID 3013 — Code Integrity started reloading catalogs.
Description
Code Integrity started reloading catalogs.
Event ID 3014 — Code Integrity completed reloading catalogs.
Description
Code Integrity completed reloading catalogs. Status Status.
Fields
| Name | Type | Description |
|---|---|---|
| Status | HexInt32 | NTSTATUS reference |
Event ID 3015 — Code Integrity started validating file hash of FileNameBuffer file.
Event ID 3016 — Code Integrity completed validating file hash.
Description
Code Integrity completed validating file hash. Status Status.
Fields
| Name | Type | Description |
|---|---|---|
| Status | HexInt32 | NTSTATUS reference |
Event ID 3017 — Code Integrity started validating page hashes of FileNameBuffer file.
Event ID 3018 — Code Integrity completed validating page hashes.
Description
Code Integrity completed validating page hashes. Status Status.
Fields
| Name | Type | Description |
|---|---|---|
| Status | HexInt32 | NTSTATUS reference |
Event ID 3019 — Code Integrity started loading catalog cache from FileNameBuffer file.
Event ID 3020 — Code Integrity completed loading catalog cache.
Description
Code Integrity completed loading catalog cache. Status Status.
Fields
| Name | Type | Description |
|---|---|---|
| Status | HexInt32 | NTSTATUS reference |
Event ID 3021 — Code Integrity determined a revoked kernel module FileNameBuffer is loaded into the system.
Description
Code Integrity determined a revoked kernel module FileNameBuffer is loaded into the system. Check with the publisher to see if a new signed version of the kernel module is available.
Fields
| Name | Type | Description |
|---|---|---|
| FileNameLength | UInt16 | — |
| FileNameBuffer | UnicodeString | — |
| SecureRequired | HexInt32 | — |
| RequestedSigningLevel | UInt8 | — |
| ProcessNameLength | UInt16 | — |
| ProcessNameBuffer | UnicodeString | — |
Detection Rules
Sigma
- CodeIntegrity - Revoked Kernel Driver Loaded (level: high): Detects the load of a revoked kernel driver.
  - also matches Event ID 3022: Code Integrity determined a revoked kernel module FileNameBuffer is loaded into the system.
Event ID 3022 — Code Integrity determined a revoked kernel module FileNameBuffer is loaded into the system.
Description
Code Integrity determined a revoked kernel module FileNameBuffer is loaded into the system. The image is allowed to load because kernel mode debugger is attached.
Fields
| Name | Type | Description |
|---|---|---|
| FileNameLength | UInt16 | — |
| FileNameBuffer | UnicodeString | — |
| SecureRequired | HexInt32 | — |
| RequestedSigningLevel | UInt8 | — |
| ProcessNameLength | UInt16 | — |
| ProcessNameBuffer | UnicodeString | — |
Detection Rules
Sigma
- CodeIntegrity - Revoked Kernel Driver Loaded (level: high): Detects the load of a revoked kernel driver.
  - also matches Event ID 3021: Code Integrity determined a revoked kernel module FileNameBuffer is loaded into the system.
Event ID 3023 — The driver FileNameBuffer is blocked from loading as the driver has been revoked by Microsoft.
Description
The driver FileNameBuffer is blocked from loading as the driver has been revoked by Microsoft.
Fields
| Name | Type | Description |
|---|---|---|
| FileNameLength | UInt16 | — |
| FileNameBuffer | UnicodeString | — |
| SecureRequired | HexInt32 | — |
| RequestedSigningLevel | UInt8 | — |
| ProcessNameLength | UInt16 | — |
| ProcessNameBuffer | UnicodeString | — |
Detection Rules
Sigma
- CodeIntegrity - Blocked Driver Load With Revoked Certificate (level: high): Detects blocked load attempts of revoked drivers.
Event ID 3024 — Windows was unable to update the boot catalog cache file.
Description
Windows was unable to update the boot catalog cache file. Status Status.
Fields
| Name | Type | Description |
|---|---|---|
| Status | HexInt32 | NTSTATUS reference |
Event ID 3025 — Code Integrity determined kernel module FileNameBuffer is loaded into the system which does not have a valid embedded digital signature.
Event ID 3026 — Code Integrity was unable to load the FileNameBuffer catalog because the signing certificate for this catalog has been revoked.
Event ID 3027 — Code Integrity started loading catalog FileNameBuffer from the cache file.
Event ID 3028 — Code Integrity started saving catalog cache to FileNameBuffer file.
Event ID 3029 — Code Integrity completed saving catalog cache.
Description
Code Integrity completed saving catalog cache. Status Status.
Fields
| Name | Type | Description |
|---|---|---|
| Status | HexInt32 | NTSTATUS reference |
Event ID 3030 — Code Integrity saved catalog FileNameBuffer to the cache file.
Event ID 3032 — Code Integrity determined a revoked image FileNameBuffer is loaded into the system.
Description
Code Integrity determined a revoked image FileNameBuffer is loaded into the system. Check with the publisher to see if a new signed version of the image is available.
Fields
| Name | Type | Description |
|---|---|---|
| FileNameLength | UInt16 | — |
| FileNameBuffer | UnicodeString | — |
| SecureRequired | HexInt32 | — |
| RequestedSigningLevel | UInt8 | — |
| ProcessNameLength | UInt16 | — |
| ProcessNameBuffer | UnicodeString | — |
Detection Rules
Sigma
- CodeIntegrity - Revoked Image Loaded (level: high): Detects image load events with revoked certificates by code integrity.
  - also matches Event ID 3035: Code Integrity determined a revoked image FileNameBuffer is loaded into the system.
Event ID 3033 — Code Integrity determined that a process (ProcessNameBuffer) attempted to load FileNameBuffer that did not meet the RequestedPolicy signing level requirements.
Description
Code Integrity determined that a process (ProcessNameBuffer) attempted to load FileNameBuffer that did not meet the RequestedPolicy signing level requirements.
Fields
| Name | Type | Description |
|---|---|---|
| FileNameLength | UInt16 | — |
| FileNameBuffer | UnicodeString | — |
| ProcessNameLength | UInt16 | — |
| ProcessNameBuffer | UnicodeString | — |
| RequestedPolicy | UInt8 | — |
| ValidatedPolicy | UInt8 | — |
| Status | UInt32 | NTSTATUS reference |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "guid": "4EE76BD8-3CF4-44A0-A0AC-3937643E37A3",
    "event_source_name": "",
    "event_id": 3033,
    "version": 0,
    "level": 2,
    "task": 1,
    "opcode": 111,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T01:54:48.422937+00:00",
    "event_record_id": 2821,
    "correlation": {
      "ActivityID": "E4DB489E-1037-0000-694C-EEE43710DA01"
    },
    "execution": {
      "process_id": 16400,
      "thread_id": 16044
    },
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "FileNameLength": 70,
    "FileNameBuffer": "\\Device\\HarddiskVolume4\\Program Files\\Avast Software\\Avast\\aswAMSI.dll",
    "ProcessNameLength": 52,
    "ProcessNameBuffer": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe",
    "RequestedPolicy": 12,
    "ValidatedPolicy": 1,
    "Status": 3221226536
  },
  "message": ""
}
```
Detection Rules
Sigma
- CodeIntegrity - Unmet Signing Level Requirements By File Under Validation (level: low): Detects attempted file load events that did not meet the signing level requirements. It often means the file's signature is revoked or a signature with the Lifetime Signing EKU has expired. This event is best correlated with EID 3089 to determine the error of the validation.
  - also matches Event ID 3034: Code Integrity determined that a process (ProcessNameBuffer) attempted to load FileNameBuffer that did not meet the RequestedPolicy signing level requirements or violated code integrity p...
Event ID 3034 — Code Integrity determined that a process (ProcessNameBuffer) attempted to load FileNameBuffer that did not meet the RequestedPolicy signing level requirements or violated code integrity p...
Fields
| Name | Type | Description |
|---|---|---|
| FileNameLength | UInt16 | — |
| FileNameBuffer | UnicodeString | — |
| ProcessNameLength | UInt16 | — |
| ProcessNameBuffer | UnicodeString | — |
| RequestedPolicy | UInt8 | — |
| ValidatedPolicy | UInt8 | — |
| Status | UInt32 | NTSTATUS reference |
Detection Rules
Sigma
- CodeIntegrity - Unmet Signing Level Requirements By File Under Validation (level: low): Detects attempted file load events that did not meet the signing level requirements. It often means the file's signature is revoked or a signature with the Lifetime Signing EKU has expired. This event is best correlated with EID 3089 to determine the error of the validation.
  - also matches Event ID 3033: Code Integrity determined that a process (ProcessNameBuffer) attempted to load FileNameBuffer that did not meet the RequestedPolicy signing level requirements.
Event ID 3035 — Code Integrity determined a revoked image FileNameBuffer is loaded into the system.
Description
Code Integrity determined a revoked image FileNameBuffer is loaded into the system. The image is allowed to load because kernel mode debugger is attached.
Fields
| Name | Type | Description |
|---|---|---|
| FileNameLength | UInt16 | — |
| FileNameBuffer | UnicodeString | — |
| SecureRequired | HexInt32 | — |
| RequestedSigningLevel | UInt8 | — |
| ProcessNameLength | UInt16 | — |
| ProcessNameBuffer | UnicodeString | — |
Detection Rules
Sigma
- CodeIntegrity - Revoked Image Loaded (level: high): Detects image load events with revoked certificates by code integrity.
  - also matches Event ID 3032: Code Integrity determined a revoked image FileNameBuffer is loaded into the system.
Event ID 3036 — Windows is unable to verify the integrity of the file FileNameBuffer because the signing certificate has been revoked.
Description
Windows is unable to verify the integrity of the file FileNameBuffer because the signing certificate has been revoked. Check with the publisher to see if a new signed version of the kernel module is available.
Fields
| Name | Type | Description |
|---|---|---|
| FileNameLength | UInt16 | — |
| FileNameBuffer | UnicodeString | — |
| SecureRequired | HexInt32 | — |
| RequestedSigningLevel | UInt8 | — |
| ProcessNameLength | UInt16 | — |
| ProcessNameBuffer | UnicodeString | — |
Detection Rules
Sigma
- CodeIntegrity - Blocked Image Load With Revoked Certificate (level: high): Detects blocked image load events with revoked certificates by code integrity.
Event ID 3037 — Code Integrity determined an unsigned image FileNameBuffer is loaded into the system.
Description
Code Integrity determined an unsigned image FileNameBuffer is loaded into the system. Check with the publisher to see if a signed version of the image is available.
Fields
| Name | Type | Description |
|---|---|---|
| FileNameLength | UInt16 | — |
| FileNameBuffer | UnicodeString | — |
| SecureRequired | HexInt32 | — |
| RequestedSigningLevel | UInt8 | — |
| ProcessNameLength | UInt16 | — |
| ProcessNameBuffer | UnicodeString | — |
Detection Rules
Sigma
- CodeIntegrity - Unsigned Image Loaded (level: high): Detects a loaded unsigned image on the system.
Event ID 3038 — Code Integrity started validating image header of FileNameBuffer file.
Event ID 3039 — Code Integrity completed validating image header.
Description
Code Integrity completed validating image header. Status Status.
Fields
| Name | Type | Description |
|---|---|---|
| Status | HexInt32 | NTSTATUS reference |
Event ID 3040 — Code Integrity started retrieving the cached data of FileNameBuffer file.
Event ID 3041 — Code Integrity completed retrieval of file cache.
Description
Code Integrity completed retrieval of file cache. Status Status.
Fields
| Name | Type | Description |
|---|---|---|
| Status | HexInt32 | NTSTATUS reference |
| CachedFlags | HexInt32 | — |
| CacheSource | UInt8 | — |
| CachedPolicy | UInt8 | — |
| State | UInt32 | — |
| StateData | UInt64 | — |
Event ID 3042 — Code Integrity started setting the cache of FileNameBuffer file.
Event ID 3043 — Code Integrity completed setting the file cache.
Description
Code Integrity completed setting the file cache. Status Status.
Fields
| Name | Type | Description |
|---|---|---|
| Status | HexInt32 | NTSTATUS reference |
| CachedFlags | HexInt32 | — |
| CacheSource | UInt8 | — |
| CachedPolicy | UInt8 | — |
| State | UInt32 | — |
| StateData | UInt64 | — |
Event ID 3050 — Code Integrity completed retrieval of file cache.
Description
Code Integrity completed retrieval of file cache. Status Status.
Fields
| Name | Type | Description |
|---|---|---|
| Status | HexInt32 | NTSTATUS reference |
Event ID 3051 — Code Integrity completed retrieval of file cache.
Description
Code Integrity completed retrieval of file cache. Status Status.
Fields
| Name | Type | Description |
|---|---|---|
| Status | HexInt32 | NTSTATUS reference |
Event ID 3052 — Code Integrity completed retrieval of file cache.
Description
Code Integrity completed retrieval of file cache. Status Status.
Fields
| Name | Type | Description |
|---|---|---|
| Status | HexInt32 | NTSTATUS reference |
Event ID 3054 — Code Integrity started setting the cache of FileNameBuffer file.
Event ID 3055 — Code Integrity completed setting the file cache.
Description
Code Integrity completed setting the file cache. Status Status.
Fields
| Name | Type | Description |
|---|---|---|
| Status | HexInt32 | NTSTATUS reference |
Event ID 3057 — Code Integrity completed retrieval of file cache.
Description
Code Integrity completed retrieval of file cache. Status Status.
Fields
| Name | Type | Description |
|---|---|---|
| Status | HexInt32 | NTSTATUS reference |
Event ID 3058 — Code Integrity completed retrieval of file cache.
Description
Code Integrity completed retrieval of file cache. Status Status.
Fields
| Name | Type | Description |
|---|---|---|
| Status | HexInt32 | NTSTATUS reference |
Event ID 3059 — Code Integrity found a set of per-page image hashes for the file FileNameBuffer in a catalog CatalogNameBuffer.
Event ID 3060 — Code Integrity found a set of per-page image hashes for the file FileNameBuffer in a catalog CatalogNameBuffer.
Event ID 3061 — Code Integrity found a file hash for the file FileNameBuffer in a catalog CatalogNameBuffer.
Event ID 3062 — Code Integrity found a file hash for the file FileNameBuffer in a catalog CatalogNameBuffer.
Event ID 3063 — Code Integrity determined that a process (ProcessNameBuffer) attempted to load FileNameBuffer that did not meet the security requirements for RequirementType.
Description
Code Integrity determined that a process (ProcessNameBuffer) attempted to load FileNameBuffer that did not meet the security requirements for RequirementType.
Fields
| Name | Type | Description |
|---|---|---|
| FileNameLength | UInt16 | — |
| FileNameBuffer | UnicodeString | — |
| ProcessNameLength | UInt16 | — |
| ProcessNameBuffer | UnicodeString | — |
| RequirementType | UInt8 | — |
| Status | HexInt32 | NTSTATUS reference |
Event ID 3064 — Code Integrity determined that a process (ProcessNameBuffer) attempted to load FileNameBuffer that did not meet the security requirements for RequirementType.
Description
Code Integrity determined that a process (ProcessNameBuffer) attempted to load FileNameBuffer that did not meet the security requirements for RequirementType. However, due to system policy, the image was allowed to load.
Fields
| Name | Type | Description |
|---|---|---|
| FileNameLength | UInt16 | — |
| FileNameBuffer | UnicodeString | — |
| ProcessNameLength | UInt16 | — |
| ProcessNameBuffer | UnicodeString | — |
| RequirementType | UInt8 | — |
| Status | HexInt32 | NTSTATUS reference |
Event ID 3065 — Code Integrity determined that a process (ProcessNameBuffer) attempted to load FileNameBuffer that did not meet the security requirements for RequirementType.
Description
Code Integrity determined that a process (ProcessNameBuffer) attempted to load FileNameBuffer that did not meet the security requirements for RequirementType. However, due to system policy, the image was allowed to load.
Fields
| Name | Type | Description |
|---|---|---|
| FileNameLength | UInt16 | — |
| FileNameBuffer | UnicodeString | — |
| ProcessNameLength | UInt16 | — |
| ProcessNameBuffer | UnicodeString | — |
| RequirementType | UInt8 | — |
| Status | HexInt32 | NTSTATUS reference |
Event ID 3066 — Code Integrity determined that a process (ProcessNameBuffer) attempted to load FileNameBuffer that did not meet the RequestedPolicy signing level requirements or violated code integrity p...
Fields
| Name | Type | Description |
|---|---|---|
| FileNameLength | UInt16 | — |
| FileNameBuffer | UnicodeString | — |
| ProcessNameLength | UInt16 | — |
| ProcessNameBuffer | UnicodeString | — |
| RequestedPolicy | UInt8 | — |
| ValidatedPolicy | UInt8 | — |
| Status | UInt32 | NTSTATUS reference |
Event ID 3067 — Code Integrity determined that a process (ProcessNameBuffer) attempted to load FileNameBuffer that did not meet the RequestedPolicy signing level requirements or violated code integrity p...
Fields
| Name | Type | Description |
|---|---|---|
| FileNameLength | UInt16 | — |
| FileNameBuffer | UnicodeString | — |
| ProcessNameLength | UInt16 | — |
| ProcessNameBuffer | UnicodeString | — |
| RequestedPolicy | UInt8 | — |
| ValidatedPolicy | UInt8 | — |
| Status | UInt32 | NTSTATUS reference |
Event ID 3068 — Code Integrity determined that a process (ProcessNameBuffer) attempted to load FileNameBuffer that did not meet the RequestedPolicy signing level requirements or violated code integrity p...
Description
Code Integrity determined that a process (ProcessNameBuffer) attempted to load FileNameBuffer that did not meet the RequestedPolicy signing level requirements or violated code integrity policy.
Fields
| Name | Type | Description |
|---|---|---|
| FileNameLength | UInt16 | — |
| FileNameBuffer | UnicodeString | — |
| ProcessNameLength | UInt16 | — |
| ProcessNameBuffer | UnicodeString | — |
| RequestedPolicy | UInt8 | — |
| ValidatedPolicy | UInt8 | — |
| Status | UInt32 | NTSTATUS reference |
Event ID 3069 — Code Integrity was unable to load the weak crypto policy value from registry.
Description
Code Integrity was unable to load the weak crypto policy value from registry. Status Status.
Fields
| Name | Type | Description |
|---|---|---|
| Status | HexInt32 | NTSTATUS reference |
Event ID 3070 — Code Integrity was unable to load the weak crypto policy from registry store.
Description
Code Integrity was unable to load the weak crypto policy from registry store. Status Status.
Fields
| Name | Type | Description |
|---|---|---|
| Status | HexInt32 | NTSTATUS reference |
Event ID 3071 — Code Integrity was unable to load the weak crypto policies.
Description
Code Integrity was unable to load the weak crypto policies. Status Status.
Fields
| Name | Type | Description |
|---|---|---|
| Status | HexInt32 | NTSTATUS reference |
Event ID 3072 — Code Integrity determined that the module FileNameBuffer is not compatible with hypervisor enforcement due to it having non-page aligned sections.
Event ID 3073 — Code Integrity determined that the module FileNameBuffer is not compatible with strict mode hypervisor enforcement due to it having an executable section that ...
Event ID 3074 — Code Integrity was unable to verify a page for a module verified using hypervisor enforcement.
Description
Code Integrity was unable to verify a page for a module verified using hypervisor enforcement. Status Status.
Fields
| Name | Type | Description |
|---|---|---|
| Status | HexInt32 | NTSTATUS reference |
Event ID 3075 — Code Integrity determined that process (ProcessNameBuffer) spent ElapsedTime and PolicyElapsedTime microseconds for Code Integrity check and policy check to load FileNameBuffer with validated Valid...
Event ID 3076 — Code Integrity determined that a process (Process Name) attempted to load File Name that did not meet the Requested Signing Level signing level requirements or violated code integrity p...
Fields
| Name | Type | Description |
|---|---|---|
| FileNameLength | UInt16 | — |
| File Name | UnicodeString | — |
| ProcessNameLength | UInt16 | — |
| Process Name | UnicodeString | — |
| Requested Signing Level | UInt8 | — |
| Validated Signing Level | UInt8 | — |
| Status | HexInt32 | NTSTATUS reference |
| SHA1 Hash Size | UInt32 | — |
| SHA1 Hash | Binary | — |
| SHA256 Hash Size | UInt32 | — |
| SHA256 Hash | Binary | — |
| SHA1 Flat Hash Size | UInt32 | — |
| SHA1 Flat Hash | Binary | — |
| SHA256 Flat Hash Size | UInt32 | — |
| SHA256 Flat Hash | Binary | — |
| USN | UInt64 | — |
| SI Signing Scenario | UInt32 | — |
| PolicyNameLength | UInt16 | — |
| PolicyName | UnicodeString | — |
| PolicyIDLength | UInt16 | — |
| PolicyID | UnicodeString | — |
| PolicyHashSize | UInt32 | — |
| PolicyHash | Binary | — |
| OriginalFileNameLength | UInt16 | — |
| OriginalFileName | UnicodeString | — |
| InternalNameLength | UInt16 | — |
| InternalName | UnicodeString | — |
| FileDescriptionLength | UInt16 | — |
| FileDescription | UnicodeString | — |
| ProductNameLength | UInt16 | — |
| ProductName | UnicodeString | — |
| FileVersion | AnsiString | — |
| PolicyGUID | GUID | — |
| UserWriteable | Boolean | — |
| PackageFamilyNameLength | UInt16 | — |
| PackageFamilyName | UnicodeString | — |
| FileName | UnicodeString | — |
| ProcessName | UnicodeString | — |
| RequestedSigningLevel | UInt8 | — |
| ValidatedSigningLevel | UInt8 | — |
| SHA1HashSize | UInt32 | — |
| SHA1Hash | Binary | — |
| SHA256HashSize | UInt32 | — |
| SHA256Hash | Binary | — |
| SHA1FlatHashSize | UInt32 | — |
| SHA1FlatHash | Binary | — |
| SHA256FlatHashSize | UInt32 | — |
| SHA256FlatHash | Binary | — |
| SISigningScenario | UInt32 | — |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "guid": "4EE76BD8-3CF4-44A0-A0AC-3937643E37A3",
    "event_source_name": "",
    "event_id": 3076,
    "version": 5,
    "level": 4,
    "task": 18,
    "opcode": 118,
    "keywords": 9223372036854775808,
    "time_created": "2025-12-31T19:36:05.795115+00:00",
    "event_record_id": 13,
    "correlation": {
      "ActivityID": "8D2E1BCA-7A8C-0000-9F81-2E8D8C7ADC01"
    },
    "execution": {
      "process_id": 6868,
      "thread_id": 7996
    },
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "computer": "WIN11-22H2-X64",
    "security": {
      "user_id": "S-1-5-21-3407486967-1585450050-1838039599-1000"
    }
  },
  "event_data": {
    "FileNameLength": 54,
    "File Name": "\\Device\\HarddiskVolume4\\Windows\\System32\\wbem\\WMIC.exe",
    "ProcessNameLength": 78,
    "Process Name": "\\Device\\HarddiskVolume4\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "Requested Signing Level": 2,
    "Validated Signing Level": 12,
    "Status": "0xc0e90002",
    "SHA1 Hash Size": 20,
    "SHA1 Hash": "9CBEBC5A163FC08C9F62AED561265C658C06FC83",
    "SHA256 Hash Size": 32,
    "SHA256 Hash": "C0BAFA03FEBE627230378761B35F734722137760B5BFD12706EE8D4100E1A142",
    "SHA1 Flat Hash Size": 20,
    "SHA1 Flat Hash": "CC3C648E9265A68A7E6032076E44413CDD1B10F9",
    "SHA256 Flat Hash Size": 32,
    "SHA256 Flat Hash": "993A2E38A27807096F75E83E348F15929391CA84B7DDA3D5651FB589787953C3",
    "USN": 0,
    "SI Signing Scenario": 1,
    "PolicyNameLength": 37,
    "PolicyName": "VerifiedAndReputableDesktopEvaluation",
    "PolicyIDLength": 17,
    "PolicyID": "22609.1000.220423",
    "PolicyHashSize": 32,
    "PolicyHash": "59FCF3FD0476A19E7D2A2A82DF3E49839A4D7C366C156CB636B8854E280E77D9",
    "OriginalFileNameLength": 8,
    "OriginalFileName": "wmic.exe",
    "InternalNameLength": 8,
    "InternalName": "wmic.exe",
    "FileDescriptionLength": 23,
    "FileDescription": "WMI Commandline Utility",
    "ProductNameLength": 36,
    "ProductName": "Microsoft® Windows® Operating System",
    "FileVersion": "10.0.22621.1",
    "PolicyGUID": "1283AC0F-FFF1-49AE-ADA1-8A933130CAD6",
    "UserWriteable": false,
    "PackageFamilyNameLength": 0,
    "PackageFamilyName": ""
  },
  "message": ""
}
```
Event ID 3077 — Code Integrity determined that a process (Process Name) attempted to load File Name that did not meet the Requested Signing Level signing level requirements or violated code integrity p...
Description
Code Integrity determined that a process (Process Name) attempted to load File Name that did not meet the Requested Signing Level signing level requirements or violated code integrity policy.
Fields
| Name | Type | Description |
|---|---|---|
| FileNameLength | UInt16 | — |
| File Name | UnicodeString | — |
| ProcessNameLength | UInt16 | — |
| Process Name | UnicodeString | — |
| Requested Signing Level | UInt8 | — |
| Validated Signing Level | UInt8 | — |
| Status | HexInt32 | NTSTATUS reference |
| SHA1 Hash Size | UInt32 | — |
| SHA1 Hash | Binary | — |
| SHA256 Hash Size | UInt32 | — |
| SHA256 Hash | Binary | — |
| SHA1 Flat Hash Size | UInt32 | — |
| SHA1 Flat Hash | Binary | — |
| SHA256 Flat Hash Size | UInt32 | — |
| SHA256 Flat Hash | Binary | — |
| USN | UInt64 | — |
| SI Signing Scenario | UInt32 | — |
| PolicyNameLength | UInt16 | — |
| PolicyName | UnicodeString | — |
| PolicyIDLength | UInt16 | — |
| PolicyID | UnicodeString | — |
| PolicyHashSize | UInt32 | — |
| PolicyHash | Binary | — |
| OriginalFileNameLength | UInt16 | — |
| OriginalFileName | UnicodeString | — |
| InternalNameLength | UInt16 | — |
| InternalName | UnicodeString | — |
| FileDescriptionLength | UInt16 | — |
| FileDescription | UnicodeString | — |
| ProductNameLength | UInt16 | — |
| ProductName | UnicodeString | — |
| FileVersion | AnsiString | — |
| PolicyGUID | GUID | — |
| UserWriteable | Boolean | — |
| PackageFamilyNameLength | UInt16 | — |
| PackageFamilyName | UnicodeString | — |
| FileName | UnicodeString | — |
| ProcessName | UnicodeString | — |
| RequestedSigningLevel | UInt8 | — |
| ValidatedSigningLevel | UInt8 | — |
| SHA1HashSize | UInt32 | — |
| SHA1Hash | Binary | — |
| SHA256HashSize | UInt32 | — |
| SHA256Hash | Binary | — |
| SHA1FlatHashSize | UInt32 | — |
| SHA1FlatHash | Binary | — |
| SHA256FlatHashSize | UInt32 | — |
| SHA256FlatHash | Binary | — |
| SISigningScenario | UInt32 | — |
Detection Rules
Sigma
- CodeIntegrity - Blocked Image/Driver Load For Policy Violation (level: high): Detects blocked load events that did not meet the authenticode signing level requirements or violated the code integrity policy.
Event ID 3078 — Code Integrity determined that a process (Process Name) attempted to load File Name that did not meet the Requested Signing Level signing level requirements or violated code integrity p...
Fields
| Name | Type | Description |
|---|---|---|
| FileNameLength | UInt16 | — |
| File Name | UnicodeString | — |
| ProcessNameLength | UInt16 | — |
| Process Name | UnicodeString | — |
| Requested Signing Level | UInt8 | — |
| Validated Signing Level | UInt8 | — |
| Status | HexInt32 | NTSTATUS reference |
| SHA1 Hash Size | UInt32 | — |
| SHA1 Hash | Binary | — |
| SHA256 Hash Size | UInt32 | — |
| SHA256 Hash | Binary | — |
| USN | UInt64 | — |
| SI Signing Scenario | UInt32 | — |
| PolicyNameLength | UInt16 | — |
| PolicyName | UnicodeString | — |
| PolicyIDLength | UInt16 | — |
| PolicyID | UnicodeString | — |
| PolicyHashSize | UInt32 | — |
| PolicyHash | Binary | — |
| OriginalFileNameLength | UInt16 | — |
| OriginalFileName | UnicodeString | — |
| InternalNameLength | UInt16 | — |
| InternalName | UnicodeString | — |
| FileDescriptionLength | UInt16 | — |
| FileDescription | UnicodeString | — |
| ProductNameLength | UInt16 | — |
| ProductName | UnicodeString | — |
| FileVersion | AnsiString | — |
| FileName | UnicodeString | — |
| ProcessName | UnicodeString | — |
| RequestedSigningLevel | UInt8 | — |
| ValidatedSigningLevel | UInt8 | — |
| SHA1HashSize | UInt32 | — |
| SHA1Hash | Binary | — |
| SHA256HashSize | UInt32 | — |
| SHA256Hash | Binary | — |
| SISigningScenario | UInt32 | — |
Event ID 3079 — Code Integrity determined that a process (Process Name) attempted to load File Name that did not meet the Requested Signing Level signing level requirements or violated code integrity p...
Description
Code Integrity determined that a process (Process Name) attempted to load File Name that did not meet the Requested Signing Level signing level requirements or violated code integrity policy.
Message #
Fields #
| Name | Description |
|---|---|
| FileNameLength UInt16 | — |
| File Name UnicodeString | — |
| ProcessNameLength UInt16 | — |
| Process Name UnicodeString | — |
| Requested Signing Level UInt8 | — |
| Validated Signing Level UInt8 | — |
| Status HexInt32 | NTSTATUS reference |
| SHA1 Hash Size UInt32 | — |
| SHA1 Hash Binary | — |
| SHA256 Hash Size UInt32 | — |
| SHA256 Hash Binary | — |
| USN UInt64 | — |
| SI Signing Scenario UInt32 | — |
| PolicyNameLength UInt16 | — |
| PolicyName UnicodeString | — |
| PolicyIDLength UInt16 | — |
| PolicyID UnicodeString | — |
| PolicyHashSize UInt32 | — |
| PolicyHash Binary | — |
| OriginalFileNameLength UInt16 | — |
| OriginalFileName UnicodeString | — |
| InternalNameLength UInt16 | — |
| InternalName UnicodeString | — |
| FileDescriptionLength UInt16 | — |
| FileDescription UnicodeString | — |
| ProductNameLength UInt16 | — |
| ProductName UnicodeString | — |
| FileVersion AnsiString | — |
| FileName UnicodeString | — |
| ProcessName UnicodeString | — |
| RequestedSigningLevel UInt8 | — |
| ValidatedSigningLevel UInt8 | — |
| SHA1HashSize UInt32 | — |
| SHA1Hash Binary | — |
| SHA256HashSize UInt32 | — |
| SHA256Hash Binary | — |
| SISigningScenario UInt32 | — |
References #
Event ID 3080 — Code Integrity determined that a process (Process Name) attempted to load File Name that did not meet the Requested Signing Level signing level requirements or violated code integrity p...
Message #
Fields #
| Name | Description |
|---|---|
| FileNameLength UInt16 | — |
| File Name UnicodeString | — |
| ProcessNameLength UInt16 | — |
| Process Name UnicodeString | — |
| Requested Signing Level UInt8 | — |
| Validated Signing Level UInt8 | — |
| Status HexInt32 | NTSTATUS reference |
| SHA1 Hash Size UInt32 | — |
| SHA1 Hash Binary | — |
| SHA256 Hash Size UInt32 | — |
| SHA256 Hash Binary | — |
| USN UInt64 | — |
| SI Signing Scenario UInt32 | — |
| PolicyNameLength UInt16 | — |
| PolicyName UnicodeString | — |
| PolicyIDLength UInt16 | — |
| PolicyID UnicodeString | — |
| PolicyHashSize UInt32 | — |
| PolicyHash Binary | — |
| OriginalFileNameLength UInt16 | — |
| OriginalFileName UnicodeString | — |
| InternalNameLength UInt16 | — |
| InternalName UnicodeString | — |
| FileDescriptionLength UInt16 | — |
| FileDescription UnicodeString | — |
| ProductNameLength UInt16 | — |
| ProductName UnicodeString | — |
| FileVersion AnsiString | — |
| FileName UnicodeString | — |
| ProcessName UnicodeString | — |
| RequestedSigningLevel UInt8 | — |
| ValidatedSigningLevel UInt8 | — |
| SHA1HashSize UInt32 | — |
| SHA1Hash Binary | — |
| SHA256HashSize UInt32 | — |
| SHA256Hash Binary | — |
| SISigningScenario UInt32 | — |
References #
Event ID 3081 — Code Integrity determined that a process (Process Name) attempted to load File Name that did not meet the Requested Signing Level signing level requirements or violated code integrity p...
Description
Code Integrity determined that a process (Process Name) attempted to load File Name that did not meet the Requested Signing Level signing level requirements or violated code integrity policy.
Message #
Fields #
| Name | Description |
|---|---|
| FileNameLength UInt16 | — |
| File Name UnicodeString | — |
| ProcessNameLength UInt16 | — |
| Process Name UnicodeString | — |
| Requested Signing Level UInt8 | — |
| Validated Signing Level UInt8 | — |
| Status HexInt32 | NTSTATUS reference |
| SHA1 Hash Size UInt32 | — |
| SHA1 Hash Binary | — |
| SHA256 Hash Size UInt32 | — |
| SHA256 Hash Binary | — |
| USN UInt64 | — |
| SI Signing Scenario UInt32 | — |
| PolicyNameLength UInt16 | — |
| PolicyName UnicodeString | — |
| PolicyIDLength UInt16 | — |
| PolicyID UnicodeString | — |
| PolicyHashSize UInt32 | — |
| PolicyHash Binary | — |
| OriginalFileNameLength UInt16 | — |
| OriginalFileName UnicodeString | — |
| InternalNameLength UInt16 | — |
| InternalName UnicodeString | — |
| FileDescriptionLength UInt16 | — |
| FileDescription UnicodeString | — |
| ProductNameLength UInt16 | — |
| ProductName UnicodeString | — |
| FileVersion AnsiString | — |
| FileName UnicodeString | — |
| ProcessName UnicodeString | — |
| RequestedSigningLevel UInt8 | — |
| ValidatedSigningLevel UInt8 | — |
| SHA1HashSize UInt32 | — |
| SHA1Hash Binary | — |
| SHA256HashSize UInt32 | — |
| SHA256Hash Binary | — |
| SISigningScenario UInt32 | — |
References #
Event ID 3082 — Code Integrity determined kernel module FileNameBuffer that did not meet the WHQL requirements is loaded into the system.
Description
Code Integrity determined kernel module FileNameBuffer that did not meet the WHQL requirements is loaded into the system. However, due to code integrity auditing policy, the image was allowed to load.
Message #
Fields #
| Name | Description |
|---|---|
| FileNameLength UInt16 | — |
| FileNameBuffer UnicodeString | — |
Detection Rules #
Sigma #
- CodeIntegrity - Unmet WHQL Requirements For Loaded Kernel Module source high: Detects loaded kernel modules that did not meet the WHQL signing requirements. ↳ also matches: Event ID 3083: Code Integrity determined kernel module FileNameBuffer that did not meet the WHQL requirements is loaded into the system.
References #
Event ID 3083 — Code Integrity determined kernel module FileNameBuffer that did not meet the WHQL requirements is loaded into the system.
Description
Code Integrity determined kernel module FileNameBuffer that did not meet the WHQL requirements is loaded into the system. Check with the publisher to see if a WHQL compliant kernel module is available.
Message #
Fields #
| Name | Description |
|---|---|
| FileNameLength UInt16 | — |
| FileNameBuffer UnicodeString | — |
Detection Rules #
Sigma #
- CodeIntegrity - Unmet WHQL Requirements For Loaded Kernel Module source high: Detects loaded kernel modules that did not meet the WHQL signing requirements. ↳ also matches: Event ID 3082: Code Integrity determined kernel module FileNameBuffer that did not meet the WHQL requirements is loaded into the system.
Event ID 3084 — Code Integrity will enable WHQL driver enforcement for this boot session.
Description
Code Integrity will enable WHQL driver enforcement for this boot session. Settings Settings. Exemption Exemption.
Message #
Fields #
| Name | Description |
|---|---|
| Settings HexInt32 | — |
| Exemption UInt8 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-CodeIntegrity",
"guid": "4EE76BD8-3CF4-44A0-A0AC-3937643E37A3",
"event_source_name": "",
"event_id": 3084,
"version": 0,
"level": 4,
"task": 20,
"opcode": 127,
"keywords": 9223372036854775808,
"time_created": "2026-03-11T06:27:10.407182+00:00",
"event_record_id": 875,
"correlation": {
"ActivityID": "164E10E5-B120-0000-E710-4E1620B1DC01"
},
"execution": {
"process_id": 4,
"thread_id": 8
},
"channel": "Microsoft-Windows-CodeIntegrity/Operational",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Settings": "0x0",
"Exemption": 1
},
"message": ""
}
References #
Event ID 3085 — Code Integrity will disable WHQL driver enforcement for this boot session.
Description
Code Integrity will disable WHQL driver enforcement for this boot session. Settings Settings.
Message #
Fields #
| Name | Description |
|---|---|
| Settings HexInt32 | — |
| Exemption UInt8 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-CodeIntegrity",
"guid": "4EE76BD8-3CF4-44A0-A0AC-3937643E37A3",
"event_source_name": "",
"event_id": 3085,
"version": 0,
"level": 4,
"task": 20,
"opcode": 127,
"keywords": 9223372036854775808,
"time_created": "2022-04-07T16:52:38.896596+00:00",
"event_record_id": 31,
"correlation": {
"ActivityID": "E0AAB88C-4A9F-0000-8DB8-AAE09F4AD801"
},
"execution": {
"process_id": 4,
"thread_id": 8
},
"channel": "Microsoft-Windows-CodeIntegrity/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Settings": "0x0",
"Exemption": 1
},
"message": ""
}
References #
Event ID 3086 — Code Integrity determined that a process (ProcessNameBuffer) attempted to load FileNameBuffer that did not meet the signing requirements for Isolated User Mode.
Description
Code Integrity determined that a process (ProcessNameBuffer) attempted to load FileNameBuffer that did not meet the signing requirements for Isolated User Mode.
Message #
Fields #
| Name | Description |
|---|---|
| FileNameLength UInt16 | — |
| FileNameBuffer UnicodeString | — |
| ProcessNameLength UInt16 | — |
| ProcessNameBuffer UnicodeString | — |
| RequestedPolicy UInt8 | — |
| ValidatedPolicy UInt8 | — |
| Status UInt32 | NTSTATUS reference |
References #
Event ID 3087 — Code Integrity determined that the kernel module FileNameBuffer is not compatible with hypervisor enforcement.
Description
Code Integrity determined that the kernel module FileNameBuffer is not compatible with hypervisor enforcement. Status Status.
Message #
Fields #
| Name | Description |
|---|---|
| FileNameLength UInt16 | — |
| FileNameBuffer UnicodeString | — |
| Status HexInt32 | NTSTATUS reference |
| HVCI Audit Failures HexInt32 | — |
| ProcessNameLength UInt16 | — |
| ProcessNameBuffer UnicodeString | — |
| HVCIAuditFailures HexInt32 | — |
Event ID 3088 — Code Integrity testing module FileName against policy PolicyName.
Description
Code Integrity testing module FileName against policy PolicyName. Status StatusCode.
Message #
Fields #
| Name | Description |
|---|---|
| FileNameLength UInt16 | — |
| FileName UnicodeString | — |
| StatusCode HexInt32 | — |
| ManagedInstallerEnabled Boolean | — |
| PassesManagedInstaller Boolean | — |
| SmartlockerEnabled Boolean | — |
| PassesSmartlocker Boolean | — |
| DefenderTrust Int32 | — |
| AuditEnabled Boolean | — |
| PolicyNameLength UInt16 | — |
| PolicyName UnicodeString | — |
| PolicyIDLength UInt16 | — |
| PolicyID UnicodeString | — |
Event ID 3089 — Signature information for another event.
Description
Signature information for another event. Match using the Correlation Id.
Message #
Fields #
| Name | Description |
|---|---|
| TotalSignatureCount UInt32 | — |
| Signature UInt32 | — |
| CacheState UInt8 | — |
| Hash Size UInt32 | — |
| Hash Binary | — |
| PageHash Boolean | — |
| SignatureType UInt8 | — |
| ValidatedSigningLevel UInt8 | — |
| VerificationError UInt8 | — |
| Flags UInt32 | — |
| PolicyBits UInt32 | — |
| NotValidBefore FILETIME | — |
| NotValidAfter FILETIME | — |
| PublisherNameLength UInt16 | — |
| PublisherName UnicodeString | — |
| IssuerNameLength UInt16 | — |
| IssuerName UnicodeString | — |
| PublisherTBSHashSize UInt32 | — |
| PublisherTBSHash Binary | — |
| IssuerTBSHashSize UInt32 | — |
| IssuerTBSHash Binary | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-CodeIntegrity",
"guid": "4EE76BD8-3CF4-44A0-A0AC-3937643E37A3",
"event_source_name": "",
"event_id": 3089,
"version": 2,
"level": 4,
"task": 1,
"opcode": 130,
"keywords": 9223372036854775808,
"time_created": "2023-11-06T02:03:39.834696+00:00",
"event_record_id": 2828,
"correlation": {
"ActivityID": "E4DB489E-1037-0002-799D-F2E43710DA01"
},
"execution": {
"process_id": 18308,
"thread_id": 9372
},
"channel": "Microsoft-Windows-CodeIntegrity/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"TotalSignatureCount": 2,
"Signature": 1,
"CacheState": 0,
"Hash Size": 32,
"Hash": "CDFCFB06A61D9DEFD635A74F71DFB6BD5B3531EE7BAD61D942E259156C5F9746",
"PageHash": false,
"SignatureType": 1,
"ValidatedSigningLevel": 8,
"VerificationError": 18,
"Flags": 0,
"PolicyBits": 2050,
"NotValidBefore": "2023-04-06T19:16:30.000000Z",
"NotValidAfter": "2024-04-03T19:16:30.000000Z",
"PublisherNameLength": 50,
"PublisherName": "Microsoft Windows Hardware Compatibility Publisher",
"IssuerNameLength": 47,
"IssuerName": "Microsoft Windows Third Party Component CA 2014",
"PublisherTBSHashSize": 32,
"PublisherTBSHash": "0F06228DE7BACFBF65D426DF80C4E40C5ABFE5A2A402E6221DEA03B18897DE2B",
"IssuerTBSHashSize": 32,
"IssuerTBSHash": "D8BE9E4D9074088EF818BC6F6FB64955E90378B2754155126FEEBBBD969CF0AE"
},
"message": ""
}
References #
Event ID 3090 — Code Integrity testing module FileName against policy PolicyName.
Description
Code Integrity testing module FileName against policy PolicyName. Status StatusCode.
Message #
Fields #
| Name | Description |
|---|---|
| FileNameLength UInt16 | — |
| FileName UnicodeString | — |
| StatusCode HexInt32 | — |
| ManagedInstallerEnabled Boolean | — |
| PassesManagedInstaller Boolean | — |
| SmartlockerEnabled Boolean | — |
| PassesSmartlocker Boolean | — |
| DefenderTrust Int32 | — |
| AuditEnabled Boolean | — |
| PolicyNameLength UInt16 | — |
| PolicyName UnicodeString | — |
| PolicyIDLength UInt16 | — |
| PolicyID UnicodeString | — |
References #
Event ID 3091 — Code Integrity testing module FileName against policy PolicyName.
Description
Code Integrity testing module FileName against policy PolicyName. Status StatusCode.
Message #
Fields #
| Name | Description |
|---|---|
| FileNameLength UInt16 | — |
| FileName UnicodeString | — |
| StatusCode HexInt32 | — |
| ManagedInstallerEnabled Boolean | — |
| PassesManagedInstaller Boolean | — |
| SmartlockerEnabled Boolean | — |
| PassesSmartlocker Boolean | — |
| DefenderTrust Int32 | — |
| AuditEnabled Boolean | — |
| PolicyNameLength UInt16 | — |
| PolicyName UnicodeString | — |
| PolicyIDLength UInt16 | — |
| PolicyID UnicodeString | — |
References #
Event ID 3092 — Code Integrity testing module FileName against policy PolicyName.
Description
Code Integrity testing module FileName against policy PolicyName. Status StatusCode.
Message #
Fields #
| Name | Description |
|---|---|
| FileNameLength UInt16 | — |
| FileName UnicodeString | — |
| StatusCode HexInt32 | — |
| ManagedInstallerEnabled Boolean | — |
| PassesManagedInstaller Boolean | — |
| SmartlockerEnabled Boolean | — |
| PassesSmartlocker Boolean | — |
| DefenderTrust Int32 | — |
| AuditEnabled Boolean | — |
| PolicyNameLength UInt16 | — |
| PolicyName UnicodeString | — |
| PolicyIDLength UInt16 | — |
| PolicyID UnicodeString | — |
References #
Event ID 3093 — other (see event data)
Description
other (see event data).
Message #
Event ID 3094 — other (see event data)
Description
other (see event data).
Message #
Event ID 3095 — Code Integrity policy PolicyGUID PolicyNameBuffer is set to unrefreshable.
Description
Code Integrity policy PolicyGUID PolicyNameBuffer is set to unrefreshable. id PolicyIdBuffer. Status: Status.
Message #
Fields #
| Name | Description |
|---|---|
| PolicyNameLength UInt16 | — |
| PolicyNameBuffer UnicodeString | — |
| PolicyIdLength UInt16 | — |
| PolicyIdBuffer UnicodeString | — |
| PolicyGUID GUID | — |
| Status HexInt32 | NTSTATUS reference |
| Options HexInt32 | — |
| PolicyHashSize UInt32 | — |
| PolicyHash Binary | — |
| OptionsV2 HexInt32 | — |
References #
Event ID 3096 — No change in active Code Integrity policy PolicyGUID PolicyNameBuffer after refresh.
Description
No change in active Code Integrity policy PolicyGUID PolicyNameBuffer after refresh. id PolicyIdBuffer. Status Status.
Message #
Fields #
| Name | Description |
|---|---|
| PolicyNameLength UInt16 | — |
| PolicyNameBuffer UnicodeString | — |
| PolicyIdLength UInt16 | — |
| PolicyIdBuffer UnicodeString | — |
| PolicyGUID GUID | — |
| Status HexInt32 | NTSTATUS reference |
| Options HexInt32 | — |
| PolicyHashSize UInt32 | — |
| PolicyHash Binary | — |
| OptionsV2 HexInt32 | — |
References #
Event ID 3097 — Not allowed to refresh Code Integrity policy PolicyGUID PolicyNameBuffer.
Description
Not allowed to refresh Code Integrity policy PolicyGUID PolicyNameBuffer. id PolicyIdBuffer. Status Status.
Message #
Fields #
| Name | Description |
|---|---|
| PolicyNameLength UInt16 | — |
| PolicyNameBuffer UnicodeString | — |
| PolicyIdLength UInt16 | — |
| PolicyIdBuffer UnicodeString | — |
| PolicyGUID GUID | — |
| Status HexInt32 | NTSTATUS reference |
| Options HexInt32 | — |
| PolicyHashSize UInt32 | — |
| PolicyHash Binary | — |
| OptionsV2 HexInt32 | — |
References #
Event ID 3098 — other (see event data)
Description
other (see event data).
Message #
Event ID 3099 — Refreshed and activated Code Integrity policy PolicyGUID PolicyNameBuffer.
Description
Refreshed and activated Code Integrity policy PolicyGUID PolicyNameBuffer. id PolicyIdBuffer. Status Status.
Message #
Fields #
| Name | Description |
|---|---|
| PolicyNameLength UInt16 | — |
| PolicyNameBuffer UnicodeString | — |
| PolicyIdLength UInt16 | — |
| PolicyIdBuffer UnicodeString | — |
| PolicyGUID GUID | — |
| Status HexInt32 | NTSTATUS reference |
| Options HexInt32 | — |
| PolicyHashSize UInt32 | — |
| PolicyHash Binary | — |
| OptionsV2 HexInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-CodeIntegrity",
"guid": "4EE76BD8-3CF4-44A0-A0AC-3937643E37A3",
"event_source_name": "",
"event_id": 3099,
"version": 1,
"level": 4,
"task": 21,
"opcode": 131,
"keywords": 9223372036854775808,
"time_created": "2026-03-11T06:27:10.407531+00:00",
"event_record_id": 876,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 8
},
"channel": "Microsoft-Windows-CodeIntegrity/Operational",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"PolicyNameLength": 31,
"PolicyNameBuffer": "Microsoft Windows Driver Policy",
"PolicyIdLength": 12,
"PolicyIdBuffer": "10.0.25090.0",
"PolicyGUID": "D2BDA982-CCF6-4344-AC5B-0B44427B6816",
"Status": "0x0",
"Options": "0x80881200",
"PolicyHashSize": 32,
"PolicyHash": "2419C1A60EE8761B72CD311792BC04751726C459639F4AAB4AD8FDF78C9DABBD"
},
"message": ""
}
References #
Event ID 3100 — Refreshed but not activated Code Integrity policy PolicyGUID PolicyNameBuffer.
Description
Refreshed but not activated Code Integrity policy PolicyGUID PolicyNameBuffer. id PolicyIdBuffer. Status Status.
Message #
Fields #
| Name | Description |
|---|---|
| PolicyNameLength UInt16 | — |
| PolicyNameBuffer UnicodeString | — |
| PolicyIdLength UInt16 | — |
| PolicyIdBuffer UnicodeString | — |
| PolicyGUID GUID | — |
| Status HexInt32 | NTSTATUS reference |
| Options HexInt32 | — |
| PolicyHashSize UInt32 | — |
| PolicyHash Binary | — |
| OptionsV2 HexInt32 | — |
Event ID 3101 — Code Integrity policy refresh started for NumberOfPolicies policies.
Description
Code Integrity policy refresh started for NumberOfPolicies policies.
Message #
Fields #
| Name | Description |
|---|---|
| NumberOfPolicies UInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-CodeIntegrity",
"guid": "4EE76BD8-3CF4-44A0-A0AC-3937643E37A3",
"event_source_name": "",
"event_id": 3101,
"version": 0,
"level": 4,
"task": 21,
"opcode": 131,
"keywords": 9223372036854775808,
"time_created": "2026-02-10T04:30:28.409796+00:00",
"event_record_id": 41,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 9832
},
"channel": "Microsoft-Windows-CodeIntegrity/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"NumberOfPolicies": 3
},
"message": ""
}
Event ID 3102 — Code Integrity policy refresh finished for NumberOfPolicies policies.
Description
Code Integrity policy refresh finished for NumberOfPolicies policies.
Message #
Fields #
| Name | Description |
|---|---|
| NumberOfPolicies UInt32 | — |
| Status HexInt32 | NTSTATUS reference |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-CodeIntegrity",
"guid": "4EE76BD8-3CF4-44A0-A0AC-3937643E37A3",
"event_source_name": "",
"event_id": 3102,
"version": 0,
"level": 4,
"task": 21,
"opcode": 131,
"keywords": 9223372036854775808,
"time_created": "2026-02-10T04:30:28.433918+00:00",
"event_record_id": 60,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 9832
},
"channel": "Microsoft-Windows-CodeIntegrity/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"NumberOfPolicies": 1,
"Status": "0x0"
},
"message": ""
}
Event ID 3103 — Ignoring refresh for Code Integrity policy ID PolicyGUID.
Description
Ignoring refresh for Code Integrity policy ID PolicyGUID. Status Status.
Message #
Fields #
| Name | Description |
|---|---|
| PolicyGUID GUID | — |
| Status HexInt32 | NTSTATUS reference |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-CodeIntegrity",
"guid": "4EE76BD8-3CF4-44A0-A0AC-3937643E37A3",
"event_source_name": "",
"event_id": 3103,
"version": 1,
"level": 4,
"task": 21,
"opcode": 131,
"keywords": 9223372036854775808,
"time_created": "2026-02-10T04:30:28.433176+00:00",
"event_record_id": 59,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 9832
},
"channel": "Microsoft-Windows-CodeIntegrity/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"PolicyGUID": "0939ED82-BFD5-4D32-B58E-D31D3C49715A",
"Status": "0x0"
},
"message": ""
}
Event ID 3104 — Windows blocked file FileNameBuffer which has been disallowed for protected processes.
Description
Windows blocked file FileNameBuffer which has been disallowed for protected processes.
Message #
Fields #
| Name | Description |
|---|---|
| FileNameLength UInt16 | — |
| FileNameBuffer UnicodeString | — |
Detection Rules #
Sigma #
- CodeIntegrity - Disallowed File For Protected Processes Has Been Blocked source high: Detects block events for files that are disallowed by code integrity for protected processes.
Event ID 3105 — Trying to refresh Code Integrity policy with policy ID PolicyGUID.
Description
Trying to refresh Code Integrity policy with policy ID PolicyGUID.
Message #
Fields #
| Name | Description |
|---|---|
| PolicyGUID GUID | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-CodeIntegrity",
"guid": "4EE76BD8-3CF4-44A0-A0AC-3937643E37A3",
"event_source_name": "",
"event_id": 3105,
"version": 0,
"level": 4,
"task": 21,
"opcode": 131,
"keywords": 9223372036854775808,
"time_created": "2026-02-10T04:30:28.432922+00:00",
"event_record_id": 58,
"correlation": {},
"execution": {
"process_id": 4,
"thread_id": 9832
},
"channel": "Microsoft-Windows-CodeIntegrity/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"PolicyGUID": "0939ED82-BFD5-4D32-B58E-D31D3C49715A"
},
"message": ""
}
Event ID 3106 — Code Integrity failed to set cache for FileNameBuffer file due to validation failure.
Description
Code Integrity failed to set cache for FileNameBuffer file due to validation failure. Status Status.
Message #
Fields #
| Name | Description |
|---|---|
| FileNameLength UInt16 | — |
| FileNameBuffer UnicodeString | — |
| Status HexInt32 | NTSTATUS reference |
Event ID 3107 — Code Integrity failed to set cache for FileNameBuffer file because it does not meet signing level requirements.
Description
Code Integrity failed to set cache for FileNameBuffer file because it does not meet signing level requirements. Status Status.
Message #
Fields #
| Name | Description |
|---|---|
| FileNameLength UInt16 | — |
| FileNameBuffer UnicodeString | — |
| Status HexInt32 | NTSTATUS reference |
Event ID 3108 — Code Integrity successfully switched from FromMode mode to ToMode mode.
Description
Code Integrity successfully switched from FromMode mode to ToMode mode.
Message #
Fields #
| Name | Description |
|---|---|
| PolicyNameLength UInt16 | — |
| PolicyNameBuffer UnicodeString | — |
| FromMode UInt8 | — |
| ToMode UInt8 | — |
| Status HexInt32 | NTSTATUS reference |
Event ID 3109 — Code Integrity already switched from FromMode mode to ToMode mode.
Description
Code Integrity already switched from FromMode mode to ToMode mode.
Message #
Fields #
| Name | Description |
|---|---|
| PolicyNameLength UInt16 | — |
| PolicyNameBuffer UnicodeString | — |
| FromMode UInt8 | — |
| ToMode UInt8 | — |
| Status HexInt32 | NTSTATUS reference |
Event ID 3110 — Code Integrity failed to switch from FromMode mode to ToMode mode with error code Status.
Description
Code Integrity failed to switch from FromMode mode to ToMode mode with error code Status.
Message #
Fields #
| Name | Description |
|---|---|
| PolicyNameLength UInt16 | — |
| PolicyNameBuffer UnicodeString | — |
| FromMode UInt8 | — |
| ToMode UInt8 | — |
| Status HexInt32 | NTSTATUS reference |
References #
Event ID 3111 — Code Integrity determined that a process (ProcessNameBuffer) attempted to load FileNameBuffer that is not compatible with hypervisor enforcement.
Description
Code Integrity determined that a process (ProcessNameBuffer) attempted to load FileNameBuffer that is not compatible with hypervisor enforcement. Failure bitmap HVCI Audit Failures. Status Status.
Message #
Fields #
| Name | Description |
|---|---|
| FileNameLength UInt16 | — |
| FileNameBuffer UnicodeString | — |
| Status HexInt32 | NTSTATUS reference |
| HVCI Audit Failures HexInt32 | — |
| ProcessNameLength UInt16 | — |
| ProcessNameBuffer UnicodeString | — |
| HVCIAuditFailures HexInt32 | — |
Event ID 3112 — Code Integrity determined that a process (ProcessNameBuffer) attempted to load FileNameBuffer that did not meet the RequestedPolicy signing level requirements or violated code integrity p...
Message #
Fields #
| Name | Description |
|---|---|
| FileNameLength UInt16 | — |
| FileNameBuffer UnicodeString | — |
| ProcessNameLength UInt16 | — |
| ProcessNameBuffer UnicodeString | — |
| RequestedPolicy UInt8 | — |
| ValidatedPolicy UInt8 | — |
| Status UInt32 | NTSTATUS reference |
Event ID 3113 — Code Integrity could not update the driver.stl revocation list.
Description
Code Integrity could not update the driver.stl revocation list. Status Status.
Message #
Fields #
| Name | Description |
|---|---|
| Status HexInt32 | NTSTATUS reference |
Event ID 3114 — Code Integrity determined that ProcessName is trying to load FileName which failed the dynamic code trust verification with error code of Status.
Description
Code Integrity determined that ProcessName is trying to load FileName which failed the dynamic code trust verification with error code of Status.
Message #
Fields #
| Name | Description |
|---|---|
| FileNameLength UInt16 | — |
| FileName UnicodeString | — |
| ProcessNameLength UInt16 | — |
| ProcessName UnicodeString | — |
| Status HexInt32 | NTSTATUS reference |
| SHA1HashSize UInt32 | — |
| SHA1Hash Binary | — |
| SHA256HashSize UInt32 | — |
| SHA256Hash Binary | — |
| SHA256FlatHashSize UInt32 | — |
| SHA256FlatHash Binary | — |
Event ID 3115 — Code Integrity determined that ProcessName is trying to load FileName which failed the dynamic code trust verification with error code of Status.
Description
Code Integrity determined that ProcessName is trying to load FileName which failed the dynamic code trust verification with error code of Status. However, due to code integrity auditing policy, the image was allowed to load.
Message #
Fields #
| Name | Description |
|---|---|
| FileNameLength UInt16 | — |
| FileName UnicodeString | — |
| ProcessNameLength UInt16 | — |
| ProcessName UnicodeString | — |
| Status HexInt32 | NTSTATUS reference |
| SHA1HashSize UInt32 | — |
| SHA1Hash Binary | — |
| SHA256HashSize UInt32 | — |
| SHA256Hash Binary | — |
| SHA256FlatHashSize UInt32 | — |
| SHA256FlatHash Binary | — |
Event ID 3116 — Signature information for Code Integrity policy ID PolicyGUID.
Description
Signature information for Code Integrity policy ID PolicyGUID.
Message #
Fields #
| Name | Description |
|---|---|
| PolicyGUID GUID | — |
| PublisherNameLength UInt16 | — |
| PublisherName UnicodeString | — |
| IssuerNameLength UInt16 | — |
| IssuerName UnicodeString | — |
| PublisherTBSHashSize UInt32 | — |
| PublisherTBSHash Binary | — |
| IssuerTBSHashSize UInt32 | — |
| IssuerTBSHash Binary | — |
| EKUsSize UInt32 | — |
| EKUs Binary | — |
| KnownRoot UInt32 | — |
Event ID 3117 — Code Integrity determined that a process (ProcessName) attempted to load FileName that violated code integrity policy (Policy ID:DenyingPolicyID).
Description
Code Integrity determined that a process (ProcessName) attempted to load FileName that violated code integrity policy (Policy ID: DenyingPolicyID). However, that decision was overridden by an endpoint security policy (Policy ID: OverridingPolicyID).
Message #
Fields #
| Name | Description |
|---|---|
| FileNameLength UInt16 | — |
| FileName UnicodeString | — |
| ProcessNameLength UInt16 | — |
| ProcessName UnicodeString | — |
| SHA1HashSize UInt32 | — |
| SHA1Hash Binary | — |
| SHA256HashSize UInt32 | — |
| SHA256Hash Binary | — |
| SHA1FlatHashSize UInt32 | — |
| SHA1FlatHash Binary | — |
| SHA256FlatHashSize UInt32 | — |
| SHA256FlatHash Binary | — |
| USN UInt64 | — |
| SISigningScenario UInt32 | — |
| OriginalFileNameLength UInt16 | — |
| OriginalFileName UnicodeString | — |
| InternalNameLength UInt16 | — |
| InternalName UnicodeString | — |
| FileDescriptionLength UInt16 | — |
| FileDescription UnicodeString | — |
| ProductNameLength UInt16 | — |
| ProductName UnicodeString | — |
| FileVersion AnsiString | — |
| UserWriteable Boolean | — |
| PackageFamilyNameLength UInt16 | — |
| PackageFamilyName UnicodeString | — |
| DenyingPolicyNameLength UInt16 | — |
| DenyingPolicyName UnicodeString | — |
| DenyingPolicySecureSettingIDLength UInt16 | — |
| DenyingPolicySecureSettingID UnicodeString | — |
| DenyingPolicyID GUID | — |
| DenyingPolicyHashSize UInt32 | — |
| DenyingPolicyHash Binary | — |
| OverridingPolicyNameLength UInt16 | — |
| OverridingPolicyName UnicodeString | — |
| OverridingPolicySecureSettingIDLength UInt16 | — |
| OverridingPolicySecureSettingID UnicodeString | — |
| OverridingPolicyID GUID | — |
| OverridingPolicyHashSize UInt32 | — |
| OverridingPolicyHash Binary | — |
Event ID 3118 — Smart App Control Block Details
Description
Smart App Control Block Details.
Message #
Fields #
| Name | Description |
|---|---|
| FileNameLength UInt16 | — |
| FileNameBuffer UnicodeString | — |
| SHA256FlatHashSize UInt32 | — |
| SHA256FlatHash Binary | — |
| DefenderStatusCode HexInt32 | — |
| DefenderCatDbFailureStage UInt8 | — |
| DefenderCatDbFailure HexInt32 | — |
| DefenderTrust Int32 | — |
| DefenderScanResultDetails UInt32 | — |
| DefenderTrustExpiryTime Int64 | — |
| CachedDefenderTrust Int32 | — |
| CachedDefenderTrustExpiryTime Int64 | — |
| DefenderClientStatusCode Int32 | — |
| DefenderCloudHTTPCode HexInt32 | — |
| DefenderShellExecutedStatusCode HexInt32 | — |
| DefenderShellExecutedClientStatusCode Int32 | — |
| DefenderShellExecutedCloudHTTPCode HexInt32 | — |
| DefenderEngineReportGUID GUID | — |
| DefenderShellExecutedEngineReportGUID GUID | — |
| IsUnfriendlyFile Boolean | — |
| DefenderCalled Boolean | — |
| DefenderCallAttempted Boolean | — |
| DefenderCloudCallRequested Boolean | — |
| DefenderMadeCloudCall Boolean | — |
| DefenderShellExecutedCalled Boolean | — |
| DefenderShellExecutedMadeCloudCall Boolean | — |
| EADefenderTrustCached Boolean | — |
| TTLValid Boolean | — |
| DefenderDisabled Boolean | — |
| ExternalAuthorizationFlags UInt32 | — |
| EnablementSwitchType Int32 | — |
| PreviousEnablementState Int32 | — |
| DefenderThreatNameLength UInt16 | — |
| DefenderThreatName UnicodeString | — |
| DefenderShellExecutedThreatNameLength UInt16 | — |
| DefenderShellExecutedThreatName UnicodeString | — |