Event ID 3076 — Code Integrity determined that a process (Process Name) attempted to load File Name that did not meet the Requested Signing Level signing level requirements or violated code integrity p...

Provider: Microsoft-Windows-CodeIntegrity
Channel: Operational
Level: Informational
Collection Priority: Recommended (Yamato Security)
Task: ValidateSIPolicy
Opcode: SiPolicyFailureIgnored

Message #

Code Integrity determined that a process (%4) attempted to load %2 that did not meet the %5 signing level requirements or violated code integrity policy. However, due to code integrity auditing policy, the image was allowed to load.

Fields #

Name	Description
`FileNameLength` UInt16	—
`File Name` UnicodeString	—
`ProcessNameLength` UInt16	—
`Process Name` UnicodeString	—
`Requested Signing Level` UInt8	—
`Validated Signing Level` UInt8	—
`Status` HexInt32	— NTSTATUS reference
`SHA1 Hash Size` UInt32	—
`SHA1 Hash` Binary	—
`SHA256 Hash Size` UInt32	—
`SHA256 Hash` Binary	—
`SHA1 Flat Hash Size` UInt32	—
`SHA1 Flat Hash` Binary	—
`SHA256 Flat Hash Size` UInt32	—
`SHA256 Flat Hash` Binary	—
`USN` UInt64	—
`SI Signing Scenario` UInt32	—
`PolicyNameLength` UInt16	—
`PolicyName` UnicodeString	—
`PolicyIDLength` UInt16	—
`PolicyID` UnicodeString	—
`PolicyHashSize` UInt32	—
`PolicyHash` Binary	—
`OriginalFileNameLength` UInt16	—
`OriginalFileName` UnicodeString	—
`InternalNameLength` UInt16	—
`InternalName` UnicodeString	—
`FileDescriptionLength` UInt16	—
`FileDescription` UnicodeString	—
`ProductNameLength` UInt16	—
`ProductName` UnicodeString	—
`FileVersion` AnsiString	—
`PolicyGUID` GUID	—
`UserWriteable` Boolean	—
`PackageFamilyNameLength` UInt16	—
`PackageFamilyName` UnicodeString	—
`FileName` UnicodeString	—
`ProcessName` UnicodeString	—
`RequestedSigningLevel` UInt8	—
`ValidatedSigningLevel` UInt8	—
`SHA1HashSize` UInt32	—
`SHA1Hash` Binary	—
`SHA256HashSize` UInt32	—
`SHA256Hash` Binary	—
`SHA1FlatHashSize` UInt32	—
`SHA1FlatHash` Binary	—
`SHA256FlatHashSize` UInt32	—
`SHA256FlatHash` Binary	—
`SISigningScenario` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-CodeIntegrity",
    "guid": "4EE76BD8-3CF4-44A0-A0AC-3937643E37A3",
    "event_source_name": "",
    "event_id": 3076,
    "version": 5,
    "level": 4,
    "task": 18,
    "opcode": 118,
    "keywords": 9223372036854775808,
    "time_created": "2025-12-31T19:36:05.795115+00:00",
    "event_record_id": 13,
    "correlation": {
      "ActivityID": "8D2E1BCA-7A8C-0000-9F81-2E8D8C7ADC01"
    },
    "execution": {
      "process_id": 6868,
      "thread_id": 7996
    },
    "channel": "Microsoft-Windows-CodeIntegrity/Operational",
    "computer": "WIN11-22H2-X64",
    "security": {
      "user_id": "S-1-5-21-3407486967-1585450050-1838039599-1000"
    }
  },
  "event_data": {
    "FileNameLength": 54,
    "File Name": "\\Device\\HarddiskVolume4\\Windows\\System32\\wbem\\WMIC.exe",
    "ProcessNameLength": 78,
    "Process Name": "\\Device\\HarddiskVolume4\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "Requested Signing Level": 2,
    "Validated Signing Level": 12,
    "Status": "0xc0e90002",
    "SHA1 Hash Size": 20,
    "SHA1 Hash": "9CBEBC5A163FC08C9F62AED561265C658C06FC83",
    "SHA256 Hash Size": 32,
    "SHA256 Hash": "C0BAFA03FEBE627230378761B35F734722137760B5BFD12706EE8D4100E1A142",
    "SHA1 Flat Hash Size": 20,
    "SHA1 Flat Hash": "CC3C648E9265A68A7E6032076E44413CDD1B10F9",
    "SHA256 Flat Hash Size": 32,
    "SHA256 Flat Hash": "993A2E38A27807096F75E83E348F15929391CA84B7DDA3D5651FB589787953C3",
    "USN": 0,
    "SI Signing Scenario": 1,
    "PolicyNameLength": 37,
    "PolicyName": "VerifiedAndReputableDesktopEvaluation",
    "PolicyIDLength": 17,
    "PolicyID": "22609.1000.220423",
    "PolicyHashSize": 32,
    "PolicyHash": "59FCF3FD0476A19E7D2A2A82DF3E49839A4D7C366C156CB636B8854E280E77D9",
    "OriginalFileNameLength": 8,
    "OriginalFileName": "wmic.exe",
    "InternalNameLength": 8,
    "InternalName": "wmic.exe",
    "FileDescriptionLength": 23,
    "FileDescription": "WMI Commandline Utility",
    "ProductNameLength": 36,
    "ProductName": "Microsoft® Windows® Operating System",
    "FileVersion": "10.0.22621.1",
    "PolicyGUID": "1283AC0F-FFF1-49AE-ADA1-8A933130CAD6",
    "UserWriteable": false,
    "PackageFamilyNameLength": 0,
    "PackageFamilyName": ""
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/operations/event-id-explanations