Event-o-Pedia EventID 5038 - Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

	Event Details
	User Activity->System Events->Windows 2008->EventID 5038 - Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

EventID 5038 - Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

Linked Event:

Sample:

        Code integrity determined that the image hash of a file is not valid.  The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

        File Name:	%1

Log Type:

Windows Event Log

Uniquely Identified By:

Log Name:

Security

Filtering Field	Equals to Value
OSVersion	Windows Vista (2008) Windows 7 (2008 R2) Windows 8 (2012) Windows 8.1 (2012 R2) Windows 10 (2016)
Category	System
Source	Microsoft-Windows-Security-Auditing
TaskCategory	System Integrity
EventId	5038

Field Matching

Field	Description	Stored in	Sample Value
When	At what date and time a user activity originated in the system.	DateTime
Who	Account or user name under which the activity occured.	User
What	The type of activity occurred (e.g. Logon, Password Changed, etc.)	"Invalid image hash"	Invalid image hash
Where	The name of the workstation/server where the activity was logged.	Computer
Where From	The name of the workstation/server where the activity was initiated from.	-	10.10.10.10
Severity	Specify the seriousness of the event.	"Low"	Low
WhoDomain		-
WhereDomain		-
File Name	File Name	File Name