Event Id | 3003 |
Source | Microsoft-Windows-CodeIntegrity |
Description | Code Integrity is unable to verify the image integrity of the file %2 because the set of per-page image hashes could not be found on the system. The image is allowed to load because kernel mode debugger is attached. |
Event Information | According to Microsoft:

Cause: This event is logged when Code Integrity is unable to verify the image integrity of the file.

Resolution: Replace the system file by using Startup Repair with kernel debugger attached.

The page hash of the system file must match the hash stored in the system security catalog. If the hashes do not match, you should replace the system file with a version that has the correct hash. This can be done by using Startup Repair. When a kernel debugger is attached to the computer, Code Integrity checks the integrity of the file but the operating system still loads it. If a kernel debugger is attached to the computer, no further action is required, but we recommend that you replace the system file by using Startup Repair.

To replace a system file by using Startup Repair:
1. Insert the Windows product disc.
2. Restart the computer.
3. When prompted, press any key to start the computer from the Windows product disc.
4. Choose the appropriate language settings, and then click Next.
5. Click Repair your computer.
6. Select the operating system you want to repair, and then click Next.
7. On the System Recovery Options menu, click Startup Repair.
8. When Startup Repair has finished, restart the computer.

Verify: To verify that user-mode files were successfully validated and loaded, confirm that Event ID 3002 or 3003 are no longer being logged to the Microsoft-Windows-CodeIntegrity operational event log channel. To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

To confirm that Event ID 3002 or 3003 are no longer being logged to the Code Integrity operational channel:
1. Click Start, point to Administrative Tools, and then click Event Viewer.
2. Expand Applications and Service Logs, expand Microsoft, expand Windows, expand CodeIntegrity, and then click Operational.
3. Click to sort the events on the Date and Time column.
4. Look for an instance of Event ID 3002 or 3003 that is after the date and time the issue was resolved.
5. If no instances are found, user-mode files are being successfully validated and loaded. |
Reference Links | Event ID 3003 from Microsoft-Windows-CodeIntegrity |
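
The Event Viewer verification steps above can also be scripted. The following is an added example, not part of the Microsoft text quoted on this page; the function name `Get-CodeIntegrityFailuresSince` and the sample resolution time are assumptions made for illustration.

```powershell
# Added example: scripted form of the Event Viewer verification steps.
# Run from an elevated session (local Administrators or delegated authority).
function Get-CodeIntegrityFailuresSince {
    [CmdletBinding()]
    param(
        # Assumption: the date and time the system file was replaced.
        [Parameter(Mandatory)]
        [datetime]$ResolvedAt
    )

    $filter = @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3002, 3003
        StartTime = $ResolvedAt
    }

    try {
        # Oldest first, so the first row is the first failure after the repair.
        Get-WinEvent -FilterHashtable $filter -ErrorAction Stop |
            Sort-Object TimeCreated |
            Select-Object TimeCreated, Id, Message
    }
    catch {
        # Get-WinEvent reports an error when nothing matches the filter;
        # for this check that is the success case, so return nothing.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { return }
        throw
    }
}

# Constructed sample value: treat "24 hours ago" as the repair time.
$resolvedAt = (Get-Date).AddHours(-24)
$failures = @(Get-CodeIntegrityFailuresSince -ResolvedAt $resolvedAt)

if ($failures.Count -eq 0) {
    "No Event ID 3002 or 3003 logged since $resolvedAt."
} else {
    "$($failures.Count) Code Integrity event(s) logged since ${resolvedAt}:"
    $failures | Format-List
}
```

Any rows returned name the affected file in the `Message` text, which is the `%2` placeholder in the event description.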