Windows 10: Windows Defender & Event ID 5038

Discussion in 'AntiVirus, Firewalls and System Security' started by Eagle51, Oct 30, 2017.

  1. Eagle51 Win User

    Windows Defender & Event ID 5038


    Anyone else seeing this or know what the issue might be?
    I've noticed lately, on my HP Envy laptop (see specs) ... every time Windows Defender Updates, I get two Event Id 5038 errors.

    Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>5038</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12290</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8010000000000000</Keywords>
        <TimeCreated SystemTime="2017-10-30T17:55:07.764628100Z" />
        <EventRecordID>52167</EventRecordID>
        <Correlation />
        <Execution ProcessID="4" ThreadID="128" />
        <Channel>Security</Channel>
        <Computer>EAGLE-HP</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="param1">\Device\HarddiskVolume3\Windows\System32\MpEngineStore\MpKslfbb3ad3a.sys</Data>
      </EventData>
    </Event>

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>5038</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12290</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8010000000000000</Keywords>
        <TimeCreated SystemTime="2017-10-30T17:55:06.667979200Z" />
        <EventRecordID>52166</EventRecordID>
        <Correlation />
        <Execution ProcessID="4" ThreadID="488" />
        <Channel>Security</Channel>
        <Computer>EAGLE-HP</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="param1">\Device\HarddiskVolume3\ProgramData\Microsoft\Windows Defender\Definition Updates\{76A494C8-D093-4CE8-9D00-50A07483D55A}\MpKsl6589f933.sys</Data>
      </EventData>
    </Event>

    Note: According to diskpart ... volume 3 is my EFI volume ... I ran HP's EFI Diagnostics and it reports no issues.

    DISKPART> list volume

      Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
      ----------  ---  -----------  -----  ----------  -------  ---------  --------
      Volume 0     E                       DVD-ROM         0 B  No Media
      Volume 1     C   Local        NTFS   Partition    654 GB  Healthy    Boot
      Volume 2     D   Local        NTFS   Partition    276 GB  Healthy
      Volume 3         EFI SYSTEM   FAT32  Partition    550 MB  Healthy    System

    Things I've done ...
    HDD Tune & SeaTools - reports no issues with HDD
    Chkdsk (/x/f/r) - reports no issues
    Dism & Sfc - reports no issues
    Defender & Malwarebytes - reports no issues (ran full scans with both including rootkits for MB)
    Adware - reports no issues
    Rkill - reports no issues
    TDSSKiller - reports no issues

    :)
     
    Eagle51, Oct 30, 2017
    #1
  2. petrib Win User

    VPN connection from E61i

    See my reply here:

    /discussions/board/message?board.id=connectivity&message.id=5038
     
    petrib, Oct 30, 2017
    #2
  3. Tryx3 Win User
    Windows defender offline scan

    Peter,

    Event viewer maintains a record of the scan starting at Application & service logs, Microsoft, Windows, Windows defender, Operational, Event IDs 2030, 5007

    • WDO failures that Windows knew about would be recorded as EventID 2031
    • but WDO failures while Windows was not running would not be recorded.

    But there is no record of its completion unless it finds malware detections to report in Windows defender security centre, Virus & threat protection, Scan history.

    • The Last scan entry in that dialog refers to Windows defender itself not WDO.

    Denis
     
    Tryx3, Oct 30, 2017
    #3
  4. dencal Win User

    Windows Defender & Event ID 5038

    dencal, Oct 30, 2017
    #4
  5. Eagle51 Win User
    Hey dencal,
    Thanks, I had seen that post and tried those, but forgot to mention it. I turned Safe Boot off and deleted the pagefile.sys last night and just now manually checked updates and Defender updated with no Event Id 5038. Now to turn Safe Boot back on and see if the Event Id 5038 comes back.

    Note: With no Event Id 5038 that xxxxxx.sys file actually shows up in the C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{xxxxx-xxxx-xxxx-xxxx-xxxxx} folder (where it didn't before) and no MpEngineStore folder is created or left in C:\Windows\System32
     
    Eagle51, Oct 30, 2017
    #5
  6. Eagle51 Win User
    Update ...
    I turned Secure Boot back on and Windows Defender updated without generating Event Id 5038. Just guessing here, but I think when I cleaned up my partitions (duplicate winre) ... I had 100mb un-allocated partition stuck between the EFI System (450mb) and MSR (16mb) partitions. I extended the EFI partition from 450mb to 550mb to get rid of it and in doing that ... I changed/messed up something with Secure Boot. I guess ... turning it off and back on fixed it.
     
    Eagle51, Apr 5, 2018
    #6
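
Added example (not part of the thread and not Microsoft's code): a Python script that parses Event ID 5038 records in the XML form shown in the first post, splits the NT device prefix off param1, and labels events whose path matches the two Defender MpKsl*.sys locations reported there, so they can be separated from 5038 events for other files. The Events wrapper element, the function names, and record 52170 with its path are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
# The two locations reported in the thread. A match is a path match only;
# it says nothing about whether the file's hash was actually valid.
DEFENDER_MPKSL = re.compile(
    r"^\\(?:Windows\\System32\\MpEngineStore"
    r"|ProgramData\\Microsoft\\Windows Defender\\Definition Updates\\" + GUID + r")"
    r"\\MpKsl[0-9a-f]+\.sys$", re.IGNORECASE)
# \Device\HarddiskVolumeN is an NT device name; N is not a diskpart volume number.
DEVICE = re.compile(r"^\\Device\\HarddiskVolume(\d+)(\\.*)$")

def _event(record_id, time, path):
    """Build a minimal 5038 event with only the fields this script reads."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>5038</EventID>'
            f'<TimeCreated SystemTime="{time}" /><EventRecordID>{record_id}'
            f'</EventRecordID></System><EventData><Data Name="param1">{path}'
            f'</Data></EventData></Event>')

# Constructed input: records 52166/52167 carry the values posted in the thread;
# record 52170, its time and its path are made up to show a non-matching event.
SAMPLE = "<Events>" + "".join([
    _event(52167, "2017-10-30T17:55:07.764628100Z", r"\Device\HarddiskVolume3\Windows\System32\MpEngineStore\MpKslfbb3ad3a.sys"),
    _event(52166, "2017-10-30T17:55:06.667979200Z", r"\Device\HarddiskVolume3\ProgramData\Microsoft\Windows Defender\Definition Updates\{76A494C8-D093-4CE8-9D00-50A07483D55A}\MpKsl6589f933.sys"),
    _event(52170, "2017-10-30T18:02:11.000000000Z", r"\Device\HarddiskVolume3\Windows\System32\drivers\example.sys"),
]) + "</Events>"

def parse_5038(xml_text):
    """Return one dict per 5038 event, oldest first."""
    rows = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "5038":
            continue
        raw = ev.findtext("e:EventData/e:Data[@Name='param1']", "", NS)
        m = DEVICE.match(raw)
        rel = m.group(2) if m else raw  # volume-relative path
        rows.append({
            "record": int(ev.findtext("e:System/e:EventRecordID", namespaces=NS)),
            "time": ev.find("e:System/e:TimeCreated", NS).get("SystemTime"),
            "device_volume": int(m.group(1)) if m else None,
            "path": rel,
            "label": "defender-mpksl" if DEFENDER_MPKSL.match(rel) else "other",
        })
    # SystemTime values share one fixed-width UTC format, so string order is time order.
    return sorted(rows, key=lambda r: r["time"])

def summarize(rows):
    """Count events per label."""
    return Counter(r["label"] for r in rows)
```

Events labelled "other" are the ones to look at first; the label on the Defender paths only records where the file lived, and the cause still has to be established separately.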