I was going through Event Viewer today to see what I could scare up, when I found Microsoft Windows security auditing throwing Event ID 6281.
Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error. File Name: \Device\HarddiskVolume4\Windows\System32\efswrt.dll
Use the System File Checker tool to repair missing or corrupted system files https://support.microsoft.com/en-us/kb/929833
I attempted to run SFC /scannow and it came back with the message:
Windows Resource Protection found corrupt files but was unable to fix some of them. Details are included in the CBS.Log %WinDir%\Logs\CBS\CBS.log
I received the same result when running SFC from Safe Mode.
From here, I moved on to try DISM
Fix Windows Update errors by using the DISM or System Update Readiness Tool https://support.microsoft.com/en-us/kb/947821
Ran DISM /Online /Cleanup-Image /RestoreHealth
Error: 0x800f081f The source files could not be found. Use the "Source" option to specify the location of the files that are required to restore the feature. For more information on specifying a source location, see http://go.microsoft.com/fwlink/?LinkId=243077.
Before rushing off to specify a source file, I decided to try one more thing
Ran DISM /Online /Cleanup-Image /CheckHealth
The component store is repairable. The operation completed successfully.
DISM indicates that the component store is repairable. I inferred from this statement that it was worth specifying a source file.
In hindsight, it would have been best to run /CheckHealth before /RestoreHealth, as /CheckHealth completes very quickly, and allows the operator to know if DISM can be of any further use.
A Microsoft TechNet article entitled Repair a Windows Image (https://technet.microsoft.com/en-us/library/hh824869.aspx, applies to Windows 8, Windows 8.1, Windows Server 2012, Windows Server 2012 R2) suggests the following sequence:
First scan the image to check for corruption using Dism /Online /Cleanup-Image /ScanHealth
Then check the image to see whether any corruption has been detected using Dism /Online /Cleanup-Image /CheckHealth
Mounted a Windows 10 ISO with build 10586.
Ran DISM /Online /Cleanup-Image /RestoreHealth /Source:wim:F:\sources\install.wim:1 /limitaccess
The restore operation completed successfully. The operation completed successfully.
Finally, I returned to SFC
Ran sfc /scannow
Windows Resource Protection found corrupt files and successfully repaired them. Details are included in the CBS.Log windir\Logs\CBS\CBS.log. For example C:\Windows\Logs\CBS\CBS.log. Note that logging is currently not supported in offline servicing scenarios.
I will monitor my logs periodically to see if this resolved the hash failure found by Microsoft Windows security auditing.