Event ID 3034 — Code Integrity determined that a process (ProcessNameBuffer) attempted to load FileNameBuffer that did not meet the RequestedPolicy signing level requirements or violated code integrity p...

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational
Collection Priority: Recommended (Yamato Security)
Task: CreateSection
Opcode: PolicyFailure

Message #

Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements or violated code integrity policy. However, due to code integrity auditing policy, the image was allowed to load.

Fields #

Name	Description
`FileNameLength` UInt16	—
`FileNameBuffer` UnicodeString	—
`ProcessNameLength` UInt16	—
`ProcessNameBuffer` UnicodeString	—
`RequestedPolicy` UInt8	—
`ValidatedPolicy` UInt8	—
`Status` UInt32	— NTSTATUS reference

Detection Rules #

View all rules referencing this event →

Sigma # view in reference

CodeIntegrity - Unmet Signing Level Requirements By File Under Validation source low: Detects attempted file load events that did not meet the signing level requirements. It often means the file's signature is revoked or a signature with the Lifetime Signing EKU has expired. This event is best correlated with EID 3089 to determine the error of the validation.↳ also matches:Event ID 3033: Code Integrity determined that a process (ProcessNameBuffer) attempted to load FileNameBuffer that did not meet the RequestedPolicy signing level requirements.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations

Event ID 3034 — Code Integrity determined that a process (ProcessNameBuffer) attempted to load FileNameBuffer that did not meet the RequestedPolicy signing level requirements or violated code integrity p...

Message #

Fields #

Detection Rules #

Sigma # view in reference

Related Events #

References #