| Event Id | 5038 |
| Source | Microsoft-Windows-security-auditing |
| Description | Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error. File Name: |
| Event Information | This Event is logged When Code integrity checks for the image hash of a file, and determines it is not valid.Event id 3002
also logged in Microsoft-Windows-CodeIntegrity/Operational. Reply from Microsoft support: ------------------------------------------------------------------------------------------ Based on my research, first please understand that signature verification is enforced on TCPIP.SYS by code integrity. These spurious entries in the event log stem from the assumption that TCPIP.SYS is loaded only into the kernel. When TCIP.SYS is verified in the kernel load path, the signature is successfully verified using a file hash as TCPIP.SYS is loaded and verified in entirety. However, when TCPIP.SYS is loaded in user mode, it is loaded in a page by page basis. As page hashes are not present in TCPIP.SYS signature, CI(Code integrity) logs an error - even though the file is "correctly" signed. The mandatory kernel enforcement on x64 still enforces signature validation onTCPIP.SYS. On x86, if the signature is invalid in the kernel path, depending on how the file was tampered either TCPIP.SYS will not load, or certain TCPIP.SYS functionality is disabled. It appears that the issue is confined to misleading text in the event log.Unfortunately there are no easy work-around to disable these log entries from being created. Actually this has been reported as a bug and will be resolved in the next OS version. The reason tcpip.sys is getting loaded in user mode is so that someone can check the version information on the driver binary. In spite of the eventlog messages, we know the version information is valid because - if it had been modified by some malicious agent - tcpip.sys would fail its kernel-mode integrity check at boot time. So, there's no danger that ignoring the user-mode messages in the event log would make anyone vulnerable to a driver-modification attack. ------------------------------------------------------------------------------------------ According to one Newsgroup: ------------------------------------------------------------------------------------------ This Event may log in Vista/windows server 2008 when a driver is not digitally signed. ------------------------------------------------------------------------------------------ |
| Reference Links |
Catch threats immediately
We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.