6281 Code Integrity determined that the page hashes of an image file are not valid
Written when Code Integrity determines that the page hashes of an image file are not valid. It captures tampering or corruption at the level of individual memory pages of a running image.
Overview
The subcategory is Audit System Integrity. It is generated when Code Integrity determines that the hash of a page (a small unit in memory) of a loaded image does not match the expected value. Whereas a whole-file hash mismatch is 5038, 6281 indicates a per-page mismatch.
How it is triggered
- When, during signature verification, the hash of some page of an image is invalid.
- Besides disk corruption, it can occur from tampering (patching) of the executing image in memory.
Security review points
- A page-hash mismatch indicates part of the executing image may have been tampered with (dynamic code patching, injection, etc.). Occurrence on a driver or system file in particular is serious. Check the file.
- Together with whole-file hash mismatch 5038 and load denial 6410, track signs of tampered-code execution.
Notes for log review
- It can also occur from disk corruption. Separate whether the file is a known legitimate one, corrupt, or tampered.
- Confirm page-hash mismatches on system files and drivers at high priority.
Key fields
| Field | Meaning |
|---|---|
File Name | The file whose page hashes were found invalid |