{
  "id": "5038",
  "source": "windows_security",
  "category": "CodeIntegrity",
  "name": "Code integrity determined image hash is not valid",
  "priority": "P2",
  "applicable_version": "Windows Server 2008 R2 and later",
  "last_reviewed": "2026-07-13",
  "definition": "Windows Security Event ID 5038 records Code Integrity rejecting a file because its image hash is not valid.",
  "trigger_scenarios": "This event is generated by Code Integrity when a file signature is not valid, including unauthorized modification or disk/device error conditions.",
  "key_fields": [
    {
      "field": "File Name",
      "explanation": "The path of the file whose image hash was not valid. Microsoft documents the schema as File Name: %filepath\\filename%."
    },
    {
      "field": "Computer",
      "explanation": "Identifies the host where an unsigned, modified, or corrupt driver or system file attempted to load."
    },
    {
      "field": "Code Integrity context",
      "explanation": "Microsoft notes Code Integrity validates driver or system file integrity each time loaded into memory, and x64 kernel-mode drivers must be digitally signed."
    }
  ],
  "false_positives": [
    "Microsoft notes disk device error or file corruption can produce this event.",
    "Broken third-party driver updates can create repeated 5038 events until the vendor package is repaired."
  ],
  "related_event_ids": [
    "5035",
    "4688",
    "7045"
  ],
  "attck_mapping": [
    {
      "technique_id": "T1553.002",
      "technique_name": "Subvert Trust Controls: Code Signing"
    }
  ],
  "detection_notes": "Alert when File Name is under C:\\Windows\\System32\\drivers, C:\\Windows\\System32, or a security product directory and the file is unsigned, newly modified, or appears immediately before service or driver failure. Microsoft documents Event 5038 as invalid image hash/signature telemetry and states Code Integrity checks drivers or system files as they load; this supports T1553.002 Code Signing when an attacker tampers with a signed trust path or loads modified code. Correlate with 5035, driver-load telemetry, file-write events, and vendor update timing before containment.",
  "kql_snippet": "SecurityEvent\n| where EventID == 5038\n| project TimeGenerated, Computer, Account",
  "spl_snippet": "index=wineventlog EventCode=5038 | table _time, host",
  "sample_log": "EventID: 5038\nComputer: HOST01\nFile Name: C:\\Windows\\System32\\drivers\\bad.sys",
  "source_url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5038",
  "route": "/windows-events/5038/",
  "canonical_url": "https://soceventlookup.com/windows-events/5038/",
  "json_url": "/api/events/windows-security/5038.json"
}
