Windows Defender & Event ID 5038

Eagle51 · 30 Oct 2017

Anyone else seeing this or know what the issue might be?
I've noticed lately, on my HP Envy laptop (see specs) ... every time Windows Defender Updates, I get two Event Id 5038 errors.

Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5038</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12290</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2017-10-30T17:55:07.764628100Z" />
<EventRecordID>52167</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="128" />
<Channel>Security</Channel>
<Computer>EAGLE-HP</Computer>
<Security />
</System>
- <EventData>
<Data Name="param1">\Device\HarddiskVolume3\Windows\System32\MpEngineStore\MpKslfbb3ad3a.sys</Data>
</EventData>
</Event>

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5038</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12290</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2017-10-30T17:55:06.667979200Z" />
<EventRecordID>52166</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="488" />
<Channel>Security</Channel>
<Computer>EAGLE-HP</Computer>
<Security />
</System>
- <EventData>
<Data Name="param1">\Device\HarddiskVolume3\ProgramData\Microsoft\Windows Defender\Definition Updates\{76A494C8-D093-4CE8-9D00-50A07483D55A}\MpKsl6589f933.sys</Data>
</EventData>
</Event>

Note: According to diskpart ... volume 3 is my EFI volume ... I ran HP's EFI Diagnostics and it reports no issues.

DISKPART> list volume

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
Volume 0 E DVD-ROM 0 B No Media
Volume 1 C Local NTFS Partition 654 GB Healthy Boot
Volume 2 D Local NTFS Partition 276 GB Healthy
Volume 3 EFI SYSTEM FAT32 Partition 550 MB Healthy System

Things I've done ...
HDD Tune & SeaTools - reports no issues with HDD
Chkdsk (/x/f/r) - reports no issues
Dism & Sfc - reports no issues
Defender & Malwarebytes -reports no issues (rand full scans with both including rootkits for MB)
Adware - reports no issues
Rkill - reports no issues
TDSKiller - reports no issues

dencal · 31 Oct 2017

Posted on Microsoft Community web site....Hope it helps.

I have these 2 ID Events 5038 and 6281 on Windows 10. Can you help me - Microsoft Community

Eagle51 · 31 Oct 2017

Hey dencal,
Thanks, I had seen that post and tried those, but forgot to mention it. I turned Safe Boot off and deleted the pagefile.sys last night and just now manually checked updates and Defender updated with no Event Id 5038. Now to turn Safe Boot back on and see if it the Event Id 5038 comes back.

Note: With no Event Id 5038 that xxxxxx.sys file actually shows up in the C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{xxxxx-xxxx-xxxx-xxxx-xxxxx} folder (where it didn't before) and no MpEngineStore folder is created or left in C:\Windows\System32

Eagle51 · 01 Nov 2017

Update ...
I turned Secure Boot back on and Windows Defender updated without generating Event Id 5038. Just guessing here, but I think when I cleaned up my partitions (duplicate winre) ... I had 100mb un-allocated partition stuck between the EFI System (450mb) and MSR(16mb) partitions. I extended the EFI partition from 450mb to 550mb to get rid of it and in doing that ... I changed/messed up something with Secure Boot. I guess ... turning it off and back on fixed it.