How to Diagnose an HVCI Driver Block With WHCP Hash Values on Windows 11

When Memory Integrity, also known as Hypervisor-protected Code Integrity or HVCI, is enabled on Windows 11, it blocks drivers that do not meet the Windows Hardware Compatibility Program (WHCP) signing requirements. This can cause devices like printers, graphics cards, or storage controllers to stop working. The blocked driver is recorded in the system event log with a specific hash value that identifies it. This article explains how to read that hash from the Event Viewer, how to match it to the driver file, and how to decide whether to update the driver or disable HVCI.

Key Takeaways: Diagnose HVCI Driver Blocks by Reading WHCP Hash Values

  • Event Viewer > Windows Logs > System > Filter Current Log > Event ID 3043: Shows the WHCP hash value for each blocked driver.
  • PowerShell Get-WinEvent -FilterHashtable: Retrieves all HVCI-related block events in one command for faster diagnosis.
  • WHCP hash in the event details: Identifies the exact driver file that failed the HVCI signature check.


Why HVCI Blocks Drivers With Missing WHCP Signatures

HVCI uses virtualization-based security to run kernel-mode code integrity checks inside a secure isolated environment. It requires all drivers loaded into the Windows kernel to be signed with a WHCP certificate. Drivers signed with an older cross-signed certificate or an untrusted certificate are blocked. When a driver is blocked, Windows writes Event ID 3043 to the System log. The event contains a field called WHCP Hash which is a SHA-256 hash of the driver file. This hash allows you to identify the exact driver file even if the filename is not shown in the event.

What Is a WHCP Hash Value

The WHCP hash is a 64-character hexadecimal string generated from the binary content of the driver file. It is unique to that specific version of the driver. Microsoft uses this hash in the HVCI block event so that administrators can locate the driver on disk or in a driver store without relying on the filename which can be misleading or duplicated.

Where the WHCP Hash Appears in Event ID 3043

Event ID 3043 contains a block of XML or text data. In the Details tab of the event, look for the field named WHCPHash or whcpHash. The value is a string of 64 lowercase hex characters. If the event uses the legacy format, the hash may appear after the text “WHCP Hash:” in the General tab. In both cases copy the full hash string.

Steps to Find the Blocked Driver Using the WHCP Hash

Method 1: Using Event Viewer to Find the WHCP Hash

  1. Open Event Viewer
    Press Win + R, type eventvwr.msc, and press Enter.
  2. Navigate to the System log
    In the left pane expand Windows Logs and select System.
  3. Filter by Event ID 3043
    Click Filter Current Log in the Actions pane. In the Event IDs box type 3043 and click OK.
  4. Open the blocked driver event
    Double-click any event in the filtered list. Look for the General tab or Details tab. In the Details tab select Friendly View and find the WHCPHash field. Copy the 64-character hash.

Method 2: Using PowerShell to Get the WHCP Hash Faster

  1. Open PowerShell as Administrator
    Right-click the Start button and select Windows Terminal (Admin) or PowerShell (Admin).
  2. Run the Get-WinEvent command
    Type the following command and press Enter:
    Get-WinEvent -FilterHashtable @{LogName='System'; Id=3043} | Format-List TimeCreated, Message
  3. Locate the WHCP hash in the output
    Scroll through the output. Each event shows a Message field that contains the WHCP hash. Copy the hash string from the message.

Method 3: Match the WHCP Hash to a Driver File on Disk

  1. Open a Command Prompt as Administrator
    Press Win + R, type cmd, then press Ctrl + Shift + Enter.
  2. Change to the driver repository folder
    Type cd %SystemRoot%\System32\DriverStore\FileRepository and press Enter.
  3. Generate hashes for all .sys files in the folder
    Type the following command and press Enter:
    for /r %i in (*.sys) do @for /f "delims=" %h in ('certutil -hashfile "%i" SHA256 ^| find /v "SHA256" ^| find /v "CertUtil"') do @echo %h %i >> driverhashes.txt
    This creates a file called driverhashes.txt in the current folder. Each line holds a hash followed by the path of the file it was computed from.
  4. Search the hash file for the WHCP hash
    Type findstr "your-64-char-hash" driverhashes.txt replacing the placeholder with the actual hash. The output shows the full path to the driver file that matches.
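
Methods 2 and 3 combined into one PowerShell script, as an added example that is not part of the original article: it collects the hashes from the events, hashes every .sys file under the DriverStore once, and lists each match with its signer. It assumes the event IDs, log and 64-character hash format described in this article; the parameter names are hypothetical, and the script is meant to be saved to a file and run from an elevated session.

```powershell
# Added example, not from the original article. Run in an elevated session.
# Assumes, as the article states, that events 3042/3043 in the System log
# carry the driver's SHA-256 as a 64-character hex string.
param(
    [int[]]$EventIds = @(3042, 3043),   # hypothetical parameter names
    [string]$DriverRoot = "$env:SystemRoot\System32\DriverStore\FileRepository"
)

$hexPattern = '(?<![0-9A-Fa-f])[0-9A-Fa-f]{64}(?![0-9A-Fa-f])'
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = $EventIds } `
    -ErrorAction SilentlyContinue
if (-not $events) { Write-Warning "No events with ID $($EventIds -join '/') found."; return }

# Map each distinct hash to the events that reported it. The XML and the
# rendered message are both searched so either event format is covered.
$blocked = @{}
foreach ($e in $events) {
    $text = $e.ToXml() + "`n" + $e.Message
    $hashes = [regex]::Matches($text, $hexPattern) |
        ForEach-Object { $_.Value.ToLowerInvariant() } | Select-Object -Unique
    foreach ($h in $hashes) {
        if (-not $blocked.ContainsKey($h)) { $blocked[$h] = @() }
        $blocked[$h] += $e
    }
}

# Hash every .sys file once and index paths by hash (identical copies share one).
$index = @{}
Get-ChildItem -Path $DriverRoot -Filter *.sys -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash.ToLowerInvariant()
        if (-not $index.ContainsKey($h)) { $index[$h] = @() }
        $index[$h] += $_.FullName
    }

# One row per matching file; unmatched hashes are reported rather than dropped.
foreach ($h in $blocked.Keys) {
    $ids   = ($blocked[$h].Id | Sort-Object -Unique) -join ','
    $paths = @($index[$h])              # a single $null entry when nothing matched
    foreach ($p in $paths) {
        $sig = if ($p) { Get-AuthenticodeSignature -LiteralPath $p }
        [pscustomobject]@{
            Hash     = $h
            EventIds = $ids
            Events   = $blocked[$h].Count
            Path     = if ($p) { $p } else { '(no match under DriverRoot)' }
            Signer   = if ($sig) { $sig.SignerCertificate.Subject }
        }
    }
}
```

A hash reported by several events appears once, with the event count, and a hash with no file under the DriverStore is still listed so it can be looked up elsewhere.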


Common Issues When Diagnosing HVCI Driver Blocks

No Event ID 3043 Found in the System Log

If HVCI is enabled but no 3043 events appear, the block may be recorded as Event ID 3042 instead. Filter by both 3042 and 3043. If still no events, check that HVCI is actually turned on by going to Windows Security > Device Security > Core Isolation > Memory Integrity. If it shows Off, no driver blocks are being generated.

The WHCP Hash Does Not Match Any .sys File in DriverStore

The blocked driver may have been removed from the DriverStore by a Windows Update or a driver cleanup tool. In that case the hash cannot be matched to a file on disk. You can look up the hash on the Microsoft Update Catalog website by searching for the hash string. If the driver was published through Windows Update, the catalog entry will show the driver name and version.

Multiple Drivers Are Blocked With the Same Hash

A single .sys file can be used by multiple devices. The hash is computed on the file content, not the device instance. If the same hash appears in multiple 3043 events, it means the same driver file was loaded for different hardware IDs. Updating that one driver resolves all blocks for that file.

Event ID 3043 vs Event ID 3042: HVCI Block Differences

| Item | Event ID 3043 | Event ID 3042 |
| --- | --- | --- |
| Description | Logs a driver that was blocked by HVCI | Logs a driver that failed the WHCP check but was allowed to load in audit mode |
| WHCP hash present | Yes | Yes |
| Driver actually blocked | Yes | No |
| Audit mode only | No | Yes |

Event ID 3042 appears only when HVCI is in audit mode. Audit mode is a diagnostic setting that logs what would be blocked without actually blocking the driver. Event ID 3043 appears when HVCI is fully enabled and the driver is prevented from loading. Both events contain the WHCP hash and can be diagnosed using the same methods.

To use the WHCP hash from a 3042 event, follow the same steps as for 3043. The hash format and location in the event details are identical. The difference is that with 3042 the driver is still running so you can test whether removing or updating the driver causes problems before you fully enable HVCI.

After you identify the driver file, check the manufacturer’s website for a WHCP-signed version. If no signed version exists, you have two options. You can uninstall the device and use a different driver that is WHCP-compliant. Or you can turn off Memory Integrity in Windows Security > Device Security > Core Isolation which allows the driver to load but reduces the security protection of HVCI.
