Audit System Integrity

Updated: June 15, 2009

Applies To: Windows 7, Windows Server 2008 R2

This security policy setting determines whether the operating system audits events that violate the integrity of the security subsystem, which can include any of the following events:

  • Audited events are lost due to a failure of the auditing system.

  • A process uses an invalid local procedure call (LPC) port in an attempt to impersonate a client, reply to a client address space, read to a client address space, or write from a client address space.

  • A remote procedure call (RPC) integrity violation is detected.

  • A code integrity violation with an invalid hash value of an executable file is detected.

  • Cryptographic tasks are performed.

ImportantImportant
Violations of security subsystem integrity are critical and could indicate a potential security attack.

Event volume: Low

Default: Success and failure

If this policy setting is configured, the following events are generated. The events appear on computers running Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista, unless otherwise noted.

 

Event ID Event message

4612

Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.

4615

Invalid use of LPC port.

4618

A monitored security event pattern has occurred.

4816

RPC detected an integrity violation while decrypting an incoming message.

5038

Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

5056

A cryptographic self-test was performed.

5057

A cryptographic primitive operation failed.

5060

Verification operation failed.

5061

Cryptographic operation.

5062

A kernel-mode cryptographic self-test was performed.

6281

Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.

noteNote
This event is logged only on computers running Windows Server 2008 R2 or Windows 7.

Community Additions

ADD
Show: