Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
File Name: <path to file/file name>
TD348642 and TF539911 provide information about the Microsoft Code Integrity feature.
This is the reply from Microsoft partner support: From the description, I understand that you got event 5038 on Windows 2008 server. If I am off base, please feel free to let me know.
Based on my research, first please understand that signature verification is enforced on tcpip.sys by code integrity. These spurious entries in the event log stem from the assumption that tcpip.sys is loaded only into the kernel. When tcpip.sys is verified in the kernel load path, the signature is successfully verified using a file hash, as tcpip.sys is loaded and verified in its entirety. However, when tcpip.sys is loaded in user mode, it is loaded on a page-by-page basis. As page hashes are not present in the tcpip.sys signature, CI (Code Integrity) logs an error even though the file is "correctly" signed.
The mandatory kernel enforcement on x64 still enforces signature validation on tcpip.sys. On x86, if the signature is invalid in the kernel path, depending on how the file was tampered either tcpip.sys will not load, or certain tcpip.sys functionality is disabled. It appears that the issue is confined to misleading text in the event log.
Unfortunately there is no easy workaround to stop these log entries from being created. Actually, this has been reported as a bug and will be resolved in the next OS version. The reason tcpip.sys is getting loaded in user mode is so that someone can check the version information on the driver binary. In spite of the event log messages, we know the version information is valid because if some malicious agent had modified it, tcpip.sys would fail its kernel-mode integrity check at boot time. So, there is no danger that ignoring the user-mode messages in the event log would make anyone vulnerable to a driver modification attack.
So you can just ignore the event. If you want to filter the log, you can follow the steps below:
1. Go to event viewer and open the security event log.
2. Right click on Security in the left window pane of the event viewer and click on "Filter Current Log".
3. Now enter "-5038" (with a minus in front) in the field that is marked with "<All Event IDs>" and press OK to exclude all 5038 Events.
4. Right click Security once more and choose "Save Filter to Custom View".
5. Name the Custom View and enter a short description. Click OK. This saves the filtered view under "Custom Views". You can choose or create a new location to save this view if you like.
6. Now you can see the newly created filtered view of the Security Log under "Custom Views".
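Rather than hiding every 5038 with the filter above, a defender usually wants to keep the ones that are not the tcpip.sys case. The following PowerShell report is an added example, not code from the EventID.Net page or from Microsoft: it pulls recent 5038 events from the Security log, marks tcpip.sys as the benign user-mode case explained in the reply, and runs an Authenticode check on anything else. The tcpip.sys allow-list and the lookup under System32\drivers are assumptions.

```powershell
# Added example, not code from the EventID.Net page or from Microsoft.
# Lists recent Security-log 5038 events and separates the documented
# benign case (tcpip.sys loaded in user mode, page hashes absent) from any
# other file, which then gets an Authenticode check. Run from an elevated
# session: reading the Security log requires administrator rights.
param(
    [int]$Days = 7,
    # Assumption: only tcpip.sys is treated as benign, per the Microsoft reply.
    [string[]]$KnownBenign = @('tcpip.sys')
)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 5038
    StartTime = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue

$report = foreach ($e in $events) {
    # The file name is the first <Data> element of the event's EventData.
    $xml  = [xml]$e.ToXml()
    $file = ($xml.Event.EventData.Data | Select-Object -First 1).'#text'
    if (-not $file) { $file = '<unknown>' }
    $leaf = [System.IO.Path]::GetFileName($file)

    if ($KnownBenign -contains $leaf) {
        $verdict = 'known benign: user-mode load, no page hashes in signature'
    } else {
        # Assumption: the logged device path maps to the driver under
        # System32\drivers; check its Authenticode status if it is there.
        $local = Join-Path $env:SystemRoot "System32\drivers\$leaf"
        $verdict = if (Test-Path $local) {
            'INVESTIGATE: signature status ' +
                (Get-AuthenticodeSignature $local).Status
        } else {
            'INVESTIGATE: file not found under System32\drivers'
        }
    }

    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        File        = $file
        Verdict     = $verdict
    }
}

$report | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
$suspect = @($report | Where-Object { $_.Verdict -like 'INVESTIGATE*' })
'{0} of {1} events need a closer look' -f $suspect.Count, @($report).Count
```

A signature status other than Valid on a non-tcpip.sys file is the case the event was designed to catch, and is worth checking against a known-good copy and the disk's health.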
This behavior happens in Vista when a driver is not digitally signed.