Event ID 6281: Code Integrity determined that the page hashes of an image file are not valid.
|Description||This event is generated when code Integrity determined that the page hashes of an image file are not valid.|
- Code Integrity is a feature that improves the security of the operating system by validating the integrity of a driver or system file each time it is loaded into memory.
- Code Integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrative permissions.
- On x64-based versions of the operating system, kernel-mode drivers must be digitally signed.
Reasons to monitor event:
- The file could be improperly signed without page hashes or corrupt due to unauthorized modification.
- This event also generates when signing certificate was revoked. The invalid hashes could indicate a potential disk device error.
- We recommend monitoring for this event, especially on high value assets or computers, because it can be a sign of a software or configuration issue, or a malicious action.
Event 6281 applies to the following operating systems:
- Windows Server 2008 R2 and 7
- Windows Server 2012 R2 and 8.1
- Windows Server 2016 and 10