Event ID 3036 — Windows is unable to verify the integrity of the file FileNameBuffer because the signing certificate has been revoked.

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational
Collection Priority: Recommended (Yamato Security)
Task: CreateSection
Opcode: RevokedImageNotLoaded

Description

Windows is unable to verify the integrity of the file FileNameBuffer because the signing certificate has been revoked. Check with the publisher to see if a new signed version of the kernel module is available.

Message #

Windows is unable to verify the integrity of the file %2 because the signing certificate has been revoked.  Check with the publisher to see if a new signed version of the kernel module is available.

Fields #

Name	Description
`FileNameLength` UInt16	—
`FileNameBuffer` UnicodeString	—
`SecureRequired` HexInt32	—
`RequestedSigningLevel` UInt8	—
`ProcessNameLength` UInt16	—
`ProcessNameBuffer` UnicodeString	—

Detection Rules #

View all rules referencing this event →

Sigma # view in reference

CodeIntegrity - Blocked Image Load With Revoked Certificate source high: Detects blocked image load events with revoked certificates by code integrity.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations