Event ID 6281: Code Integrity determined that the page hashes of an image file are not valid.
Description: This event is generated when Code Integrity determines that the page hashes of an image file are not valid.
- Code Integrity is a feature that improves the security of the operating system by validating the integrity of a driver or system file each time it is loaded into memory.
- Code Integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrative permissions.
- On x64-based versions of the operating system, kernel-mode drivers must be digitally signed.
Reasons to monitor event:
- The file could be improperly signed without page hashes, or corrupt due to unauthorized modification.
- This event is also generated when the signing certificate has been revoked. The invalid hashes could indicate a potential disk device error.
- We recommend monitoring for this event, especially on high-value assets or computers, because it can be a sign of a software or configuration issue, or a malicious action.
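One way to act on the monitoring recommendation above, as an added example that is not part of the original page: a PowerShell triage that pulls Event 6281 from the Security log, groups the hits by computer and file, and checks each file's current Authenticode status. It assumes an elevated session, a 7-day look-back window, and that the first event property carries the image file name.

```powershell
# Added example: triage Event ID 6281 (invalid page hashes) on the local host.
# Reading the Security log requires an elevated session.
$since = (Get-Date).AddDays(-7)   # look-back window (constructed value)

$filter = @{ LogName = 'Security'; Id = 6281; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$report = $events |
    ForEach-Object {
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Computer    = $_.MachineName
            # Assumption: the first property of the event is the file name.
            File        = [string]$_.Properties[0].Value
        }
    } |
    Group-Object Computer, File |
    ForEach-Object {
        $hits = $_.Group | Sort-Object TimeCreated
        $path = $hits[0].File

        # The event may log a kernel device path (\Device\HarddiskVolumeN\...)
        # that cannot be resolved from user mode; report those unchecked.
        $status = 'PathNotResolved'
        if ($path -and (Test-Path -LiteralPath $path -ErrorAction SilentlyContinue)) {
            # Current signature state: Valid, NotSigned, HashMismatch, ...
            $status = (Get-AuthenticodeSignature -LiteralPath $path).Status
        }

        [pscustomobject]@{
            Computer        = $hits[0].Computer
            File            = $path
            Count           = $hits.Count
            FirstSeen       = $hits[0].TimeCreated
            LastSeen        = $hits[-1].TimeCreated
            SignatureStatus = $status
        }
    }

# A file that repeats across many hosts points to a packaging or signing
# problem; a single host with many different files points to disk trouble
# or tampering on that machine.
$report | Sort-Object Count -Descending | Format-Table -AutoSize
```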
Event 6281 applies to the following operating systems:
- Windows Server 2008 R2 and 7
- Windows Server 2012 R2 and 8.1
- Windows Server 2016 and 10