Elastic Windows Event Explorer


Publisher - Microsoft-Windows-CodeIntegrity

Event ID 3022 v1

Message:

Code Integrity determined a revoked kernel module %{FileNameBuffer} is loaded into the system. The image is allowed to load because kernel mode debugger is attached.

Event Data:

#  Name                  In Type            Out Type
1  FileNameLength        win:UInt16         xs:unsignedShort
2  FileNameBuffer        win:UnicodeString  xs:string
3  SecureRequired        win:HexInt32       win:HexInt32
4  RequestedSigningLevel win:UInt8          xs:unsignedByte
5  ProcessNameLength     win:UInt16         xs:unsignedShort
6  ProcessNameBuffer     win:UnicodeString  xs:string

Observed Windows Versions:

Version: 1

Fingerprint: ULQXWVX2T44UM