Elastic Windows Event Explorer


Publisher - Microsoft-Windows-CodeIntegrity

Event ID 3076 v4

Message:

Code Integrity determined that a process (%{Process Name}) attempted to load %{File Name} that did not meet the %{Requested Signing Level} signing level requirements or violated code integrity policy. However, due to code integrity auditing policy, the image was allowed to load.

Event Data:

| # | Name | In Type | Out Type |
|---|------|---------|----------|
| 1 | FileNameLength | win:UInt16 | xs:unsignedShort |
| 2 | File Name | win:UnicodeString | xs:string |
| 3 | ProcessNameLength | win:UInt16 | xs:unsignedShort |
| 4 | Process Name | win:UnicodeString | xs:string |
| 5 | Requested Signing Level | win:UInt8 | xs:unsignedByte |
| 6 | Validated Signing Level | win:UInt8 | xs:unsignedByte |
| 7 | Status | win:HexInt32 | win:HexInt32 |
| 8 | SHA1 Hash Size | win:UInt32 | xs:unsignedInt |
| 9 | SHA1 Hash | win:Binary | xs:hexBinary |
| 10 | SHA256 Hash Size | win:UInt32 | xs:unsignedInt |
| 11 | SHA256 Hash | win:Binary | xs:hexBinary |
| 12 | SHA1 Flat Hash Size | win:UInt32 | xs:unsignedInt |
| 13 | SHA1 Flat Hash | win:Binary | xs:hexBinary |
| 14 | SHA256 Flat Hash Size | win:UInt32 | xs:unsignedInt |
| 15 | SHA256 Flat Hash | win:Binary | xs:hexBinary |
| 16 | USN | win:UInt64 | win:HexInt64 |
| 17 | SI Signing Scenario | win:UInt32 | xs:unsignedInt |
| 18 | PolicyNameLength | win:UInt16 | xs:unsignedShort |
| 19 | PolicyName | win:UnicodeString | xs:string |
| 20 | PolicyIDLength | win:UInt16 | xs:unsignedShort |
| 21 | PolicyID | win:UnicodeString | xs:string |
| 22 | PolicyHashSize | win:UInt32 | xs:unsignedInt |
| 23 | PolicyHash | win:Binary | xs:hexBinary |
| 24 | OriginalFileNameLength | win:UInt16 | xs:unsignedShort |
| 25 | OriginalFileName | win:UnicodeString | xs:string |
| 26 | InternalNameLength | win:UInt16 | xs:unsignedShort |
| 27 | InternalName | win:UnicodeString | xs:string |
| 28 | FileDescriptionLength | win:UInt16 | xs:unsignedShort |
| 29 | FileDescription | win:UnicodeString | xs:string |
| 30 | ProductNameLength | win:UInt16 | xs:unsignedShort |
| 31 | ProductName | win:UnicodeString | xs:string |
| 32 | FileVersion | win:AnsiString | xs:string |

Observed Windows Versions:

Version: 4

Fingerprint: 2DNJR5KTCBPMU