Code Integrity Event Log Messages

Code Integrity enforces the requirement that kernel-mode drivers must be signed in order to load. Specifically, Code Integrity runs during the driver loading process in Windows. Whenever a kernel-mode driver is loaded, Code Integrity checks its digital signature to ensure it's valid and signed by an authorized entity.

This page describes the various events that Code Integrity generates to report on the status of driver signing.

You can use the Event Viewer to view Code Integrity events:

  1. Access the Event Viewer through Computer Management or by running Eventvwr.exe from the command line.
  2. Navigate to the following subfolders: Applications and Services Logs->Microsoft->Windows->CodeIntegrity.
  3. Right-click an entry to view event properties and get more information about specific Code Integrity events.

Note

For a full list of Code Integrity event identifiers, see Understanding Application Control events.

The following are warning events that are logged to the Code Integrity operational log:

  • Code Integrity is unable to verify the image integrity of the file <file name> because file hash could not be found on the system.

  • Code Integrity detected an unsigned driver.

    This event is related to Software Quality Monitoring (SQM).

The following are informational events that are logged to the Code Integrity verbose log:

  • Code Integrity found a set of per-page image hashes for the file <file name> in a catalog <catalog name>.

  • Code Integrity found a set of per-page image hashes for the file <file name> in the image embedded certificate.

  • Code Integrity found a file hash for the file <file name> in a catalog <catalog name>.

  • Code Integrity found a file hash for the file <file name> in the image embedded certificate.

  • Code Integrity determined an unsigned kernel module <file name> is loaded into the system. Check with the publisher to see whether a signed version of the kernel module is available.

  • Code Integrity is unable to verify the image integrity of the file <file name> because the set of per-page image hashes could not be found on the system.

  • Code Integrity is unable to verify the image integrity of the file <file name> because the set of per-page image hashes could not be found on the system. The image is allowed to load because kernel mode debugger is attached.

  • Code Integrity is unable to verify the image integrity of the file <file name> because a file hash could not be found on the system. The image is allowed to load because kernel mode debugger is attached.

  • Code Integrity was unable to load the <file name> catalog.

  • Code Integrity successfully loaded the <file name> catalog.