6410 Code integrity determined that a file does not meet the requirements to load into a process
Written when Code Integrity determines that a file does not meet the requirements to load into a process. It captures attempts to load a DLL/module that violates the signature or integrity policy.
Overview
The subcategory is Audit System Integrity. It is generated when Code Integrity determines that a file does not meet the security requirements (signature, WDAC policy, etc.) to be loaded into a process. Unlike a hash mismatch 5038, it indicates load eligibility based on requirements (policy).
How it is triggered
- When a process tries to load a DLL/module that does not meet the code-integrity policy (signature requirements, WDAC/app-control policy, etc.).
Security review points
- An attempt to load a non-compliant module can indicate injection of an unsigned or malicious DLL (DLL side-loading, etc.) or an attempt to run unauthorized code. Check the file and the loading process.
- In environments running WDAC (application control), it maps directly to detecting policy violations. Together with hash mismatch 5038 and page hash 6281, track signs of tampered or unauthorized code execution.
Notes for log review
- It carries meaning in environments running signature requirements or app-control policy. Check the profile of the file denied loading (unsigned, unknown).
- Confirm attempts to load unsigned DLLs into system processes at high priority.
Key fields
| Field | Meaning |
|---|---|
File Name | The file that did not meet the load requirements |
Process | The loading process |