| Event Id | 3005 |
| Source | Microsoft-Windows-CodeIntegrity |
| Description | Code Integrity is unable to verify the image integrity of the file %2 because a file hash could not be found on the system. The image is allowed to load because kernel mode debugger is attached. |
| Event Information | According to Microsoft : Cause : This event is logged when Code Integrity is unable to verify the image integrity of the file because a file hash could not be found on the system. Resolution : Update kernel-mode driver with kernel debugger attached When a kernel debugger is attached to the computer, Code Integrity checks the driver file for a digital signature but the operating system still loads it. If a kernel debugger is attached to the computer, no further action is required, but we recommend that you update the kernel-mode driver by using Device Manager. To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority. To update a kernel-mode driver by using Device Manager: 1.Copy the signed kernel-mode driver to a location on the local computer. 2.Click Start, and then click Control Panel. 3.Double-click Device Manager. 4.If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue. 5.Right-click the hardware device that needs its driver updated, and then click Update Driver Software. 6.Click Browse my computer for driver software. 7.Click Browse, select the folder where the new driver file exists, and then click Next. 8. Click Finish. Verify You can verify that a kernel-mode driver was successfully validated and loaded by checking its driver status using the command prompt. To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority. To verify a kernel-mode driver was successfully validated and loaded: 1.Click Start, point to All Programs, point to Accessories. 2.Right-click Command Prompt, and then click Run as administrator. 3.If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue. 4.Type sc query type= driver, and then press ENTER. 5.In the list, find the appropriate driver and ensure that 4 RUNNING is displayed in the STATE column. Note: If you know the driver name, type ,b>sc querydriver, where driver is the name of the driver file without the extension, at the command prompt, and then press ENTER. |
| Reference Links | Event ID 3005 from Microsoft-Windows-CodeIntegrity |
Catch threats immediately
We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.