6281 Audit failure

Question

We are receiving frequent audit failures in our company system. The event id is 6281.

Event 6281 occurred at 31-01-2021 01:32:30.

Date Time: 31-01-2021 01:32:30
Event Source: Microsoft-Windows-Security-Auditing
Event Category: 12290
Event Type: Information
Event ID: 6281
Event Log Name: HardwareEvents
User: N/A
Computer: XXXXXX
Description:
Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.

File Name: \Device\HarddiskVolume4\Windows\System32\aepic.dll
Event Parameters:
\Device\HarddiskVolume4\Windows\System32\aepic.dll
%String2%
%String3%

Kindly explain the reason behind this failure.

Answer 1

Hello,

Thank you so much for posting here.

We could kindly have a check whether something here could be helpful.

https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6281

https://answers.microsoft.com/en-us/windows/forum/windows_7-performance/how-to-solve-event-6281-seems-to-be-the-cause-of/cbbda510-9da6-4a49-98ac-f1e924bf1243

We mainly focus on on-premises AD. As per my understanding, this issue is more related to system integrity issue. Audit System Integrity determines whether the operating system audits events that violate the integrity of the security subsystem. Once we audit this, there will be event logs recorded such as 6281.

Thank you so much for your understanding and support.

Best regards,
Hannah Xiong

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.