Windows Security Auditing events referencing 0patchLoader.dll or 0patchLoaderX64.dll

Mitja Kolsek -

On Windows 7 / Server 2008 and newer Windows systems, the Security log may show multiple "Microsoft Windows Security Auditing" events with ID 6281 and the following text:

Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.

File Name: \Device\HarddiskVolume2\Program Files (x86)\0patch\Agent\0patchLoaderX64.dll


We haven't been able to determine why Windows log these events despite our DLLs being properly signed, but "Code Integrity" comes in various flavors on Windows, from preventing non-Microsoft-signed drivers from loading under Secure Boot, to preventing non-Microsoft-signed DLLs from getting loaded into certain processes such as Edge's rendering processes on Windows 10. It is possible that we have stumbled on some undocumented Windows behavior.

We currently aren't aware of any way to prevent these events from being logged with our present design of 0patch Agent, so we recommend ignoring them when they reference 0patchLoader.dll or 0patchLoaderX64.dll.


Have more questions? Submit a request


Please sign in to leave a comment.