Thousands of event id 5038

Gray, Jeff 1 Reputation point
2024-08-27T19:09:41.1633333+00:00

We have dozens of Windows 11 Pro workstations where the security event log records thousands of entries per day with event id 5038. We have Crowdstrike Falcon sensors on all of our workstations. Crowdstrike keeps blaming Microsoft and tells us to submit a case with MS. Looking up the error, techs say you can safely ignore this error, but the problem is that it fills the user's security log after 5 or 6 days and it will not allow a user to log in until the log file is cleared. We do not allow users to be administrators of their machine, so an admin has to log in and clear the log; this we cannot ignore. Anyone else experiencing this? And if so, do you have a solution?

Crowdstrike tells me that Microsoft engineers requested that any customer with this behavior should open their own case with Microsoft and reference the ticket number – 2201120060000454. Problem is we do not have a Microsoft TAM or an escalation engineer that Crowdstrike says we should contact.

The file that it keeps flagging is \Device\HarddiskVolume3\Windows\System32\ScriptControl64_15908.dll. If you ask me, since this is a Crowdstrike file it should be a Crowdstrike issue, but what do I know.




2 answers

  1. Wesley Li 11,280 Reputation points
    2024-08-28T15:33:40.2+00:00

    Hello

    Event ID 5038 indicates that the image hash of a file is not valid, which can be due to unauthorized modification or a potential disk device error. Given that the flagged file is associated with Crowdstrike, it does seem logical to consider it a Crowdstrike issue. Here's a summary of the issues and some potential steps you could take:

    Summary of Issues:

    1. Event ID 5038: Thousands of security log entries daily, filling up the log and preventing user logins.
    2. Crowdstrike's Response: Crowdstrike is pointing to Microsoft, suggesting these logs can be ignored, but filling up the log file becomes a problem.
    3. Microsoft Case: Crowdstrike provided a Microsoft ticket number, but you lack a Microsoft Technical Account Manager (TAM) or escalation engineer to contact directly.
    4. Specific File: The file \Device\HarddiskVolume3\Windows\System32\ScriptControl64_15908.dll is being flagged, which appears to be related to Crowdstrike.

    Potential Steps:

    1. Temporary Workaround (Increasing Log Size):

       - Increase Log Size: Temporarily increase the maximum size of the Security Event Log to prevent it from filling up too quickly. This is a stop-gap measure but might give you some breathing room.

         - Open Event Viewer.

         - Right-click "Security" log and select "Properties."

         - Increase the log size.

    2. Automate Log Clearance:

       - Script: Set up a scheduled task using a script to clear the security logs at regular intervals.

         - Example script:

           ```powershell
           # Clears every entry in the Security log (requires administrator rights)
           wevtutil clear-log Security
           ```

         - Ensure this complies with your organization's log retention policies.

    3. Reduce Logging for Specific IDs:

       - Audit Policy: If appropriate, adjust the security audit policy to reduce logging for specific event IDs.

         - Group Policy Editor: Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies

    4. Contact Microsoft Support:

       - Even without a Microsoft TAM, you can still open a support case with Microsoft. Provide the referenced ticket number.

       - Microsoft Support: You can open a support case via the Microsoft support website or through your Microsoft 365 admin portal if applicable.

    5. Re-engage Crowdstrike:

       - Provide detailed logs and emphasize the operational impact (users unable to log in).

       - Request escalation within Crowdstrike for further assistance.

       - If they maintain it's a Microsoft issue due to the flagged file, push for more specific evidence or an official statement.

    6. Check for Updates:

       - Ensure you are running the latest versions of both Windows and Crowdstrike Falcon sensors, as updates may contain fixes for such issues.

    Long-term Solutions:

    • Unified Logging Strategy: Work on a longer-term solution for unified logging, perhaps involving SIEM solutions.
    • Security Log Management: Implement centralized logging solutions to better handle large volumes of security events without impacting the workstation's log file size.

    Final Note:

    Given that the flagged file is associated with Crowdstrike, it indeed seems logical that Crowdstrike should take a more active role in resolving this issue.
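
The steps above (size the problem, enlarge the log, clear it on a schedule), as one added PowerShell example that is not part of the answer; it assumes a 512 MB target log size, C:\LogArchive as the archive folder and a 03:00 daily task, and it backs the log up with `wevtutil clear-log /bu:` before clearing so retention is not lost:

```powershell
# Added example, not from the answer above. Assumptions: a 512 MB target log
# size, C:\LogArchive as the archive folder, a 03:00 daily task. Run as admin.
$LogName  = 'Security'
$MaxBytes = 512MB            # assumed; the default Security log is about 20 MB
$Archive  = 'C:\LogArchive'  # assumed; keep it writable by administrators only

# 1. Size the problem: count ID 5038 events from the last day, per flagged file.
$since  = (Get-Date).AddDays(-1)
$events = @(Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 5038; StartTime = $since } `
              -ErrorAction SilentlyContinue)
$byFile = $events | ForEach-Object {
    # The 5038 message ends with "File Name: <path>"; fall back if the text differs.
    if ($_.Message -match 'File Name:\s*(?<file>[^\r\n]+)') { $Matches.file.Trim() } else { '<unparsed>' }
} | Group-Object | Sort-Object Count -Descending
"{0} event(s) with ID 5038 since {1}" -f $events.Count, $since
$byFile | Select-Object Count, Name | Format-Table -AutoSize

# 2. Stop-gap: enlarge the log so a few days of noise no longer lock users out.
wevtutil set-log $LogName "/ms:$MaxBytes"

# 3. Automate clearing, but back up first so the retention policy is still met:
#    "wevtutil clear-log /bu:<file>" saves an .evtx copy before clearing.
New-Item -ItemType Directory -Path $Archive -Force | Out-Null
$script = Join-Path $Archive 'Archive-And-Clear-SecurityLog.ps1'
@"
`$f = Join-Path '$Archive' ('Security_' + (Get-Date -Format yyyyMMdd_HHmm) + '.evtx')
wevtutil clear-log $LogName "/bu:`$f"
"@ | Set-Content -Path $script -Encoding ASCII

$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$script`""
$trigger   = New-ScheduledTaskTrigger -Daily -At '03:00'
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName 'Archive-And-Clear-SecurityLog' -Action $action `
    -Trigger $trigger -Principal $principal -Force | Out-Null
```

The per-file count from step 1 is the evidence worth attaching when re-engaging Crowdstrike or Microsoft, and the archived .evtx files can be forwarded to a SIEM later.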

  2. Wesley Li 11,280 Reputation points
    2024-09-02T16:54:37.8366667+00:00

    Hello

    Do you have any other questions?

    What is the current progress of the issue?

    Thanks
