Event ID 5038 — Code integrity determined that the image hash of a file is not valid.
Description
Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
Message
Fields
| Name | Description |
|---|---|
| FileName UnicodeString | — |
Example Event
```json
{
  "system": {
    "provider": "Microsoft-Windows-Security-Auditing",
    "guid": "54849625-5478-4994-A5BA-3E3B0328C30D",
    "event_source_name": "",
    "event_id": 5038,
    "version": 0,
    "level": 0,
    "task": 12290,
    "opcode": 0,
    "keywords": 9227875636482146304,
    "time_created": "2026-03-08T23:22:33.111223+00:00",
    "event_record_id": 1559738,
    "correlation": {},
    "execution": {
      "process_id": 4,
      "thread_id": 4964
    },
    "channel": "Security",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "param1": "\\Device\\HarddiskVolume4\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\145.0.3800.97\\prefs_enclave_x64.dll"
  },
  "message": ""
}
```
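An added example, not part of the original page: it reads records in the layout shown above, takes the path from either `FileName` (the documented field) or `param1` (the key in the exported record), and groups 5038 hits per host and file so repeated failures on one file stand out. The sample records, host names and paths are constructed, and the function names are hypothetical.

```python
import json
import re
from collections import defaultdict

# Constructed sample records; hosts, paths and times are illustrative only.
SAMPLE = r'''[
 {"system": {"provider": "Microsoft-Windows-Security-Auditing", "event_id": 5038,
             "time_created": "2026-03-08T23:22:33+00:00", "computer": "HOST-A"},
  "event_data": {"param1": "\\Device\\HarddiskVolume4\\Program Files\\App\\a.dll"}},
 {"system": {"provider": "Microsoft-Windows-Security-Auditing", "event_id": 5038,
             "time_created": "2026-03-08T23:25:01+00:00", "computer": "HOST-A"},
  "event_data": {"FileName": "\\Device\\HarddiskVolume4\\Program Files\\App\\a.dll"}},
 {"system": {"provider": "Microsoft-Windows-Security-Auditing", "event_id": 5038,
             "time_created": "2026-03-09T01:00:00+00:00", "computer": "HOST-B"},
  "event_data": {"param1": "\\Device\\HarddiskVolume2\\Windows\\System32\\drivers\\x.sys"}},
 {"system": {"provider": "Microsoft-Windows-Security-Auditing", "event_id": 4624,
             "time_created": "2026-03-09T01:01:00+00:00", "computer": "HOST-B"}, "event_data": {}}
]'''
PROVIDER = "Microsoft-Windows-Security-Auditing"
NT_PATH = re.compile(r"^\\Device\\(HarddiskVolume\d+)(\\.*)$", re.IGNORECASE)

def file_path(event):
    """Return the file path of a 5038 record, or None for any other record."""
    system = event.get("system", {})
    if system.get("event_id") != 5038 or system.get("provider") != PROVIDER:
        return None
    data = event.get("event_data", {})
    # Documented as FileName; the exported record on this page carries it as param1.
    return data.get("FileName") or data.get("param1")

def summarize(events):
    """Group 5038 hits by (computer, volume, path) with count and first/last seen."""
    groups = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for event in events:
        path = file_path(event)
        if path is None:
            continue
        match = NT_PATH.match(path)
        volume, rel = match.groups() if match else ("", path)
        seen = event["system"]["time_created"]  # ISO 8601, same offset: sorts as text
        entry = groups[(event["system"]["computer"], volume, rel.lower())]
        entry["count"] += 1
        entry["first"] = min(entry["first"] or seen, seen)
        entry["last"] = max(entry["last"] or seen, seen)
    return dict(groups)

if __name__ == "__main__":
    for key, info in sorted(summarize(json.loads(SAMPLE)).items()):
        print(key, info)
```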
Community Notes
May indicate that malware attempted to load an unsigned or tampered driver/system file.
References
- Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-system-integrity