SysInternals SigCheck + system32, syswow64, sysnative

jcgriff2

SysInternals SigCheck

Verify that images are digitally signed and dump version information with this simple command-line utility.
http://technet.microsoft.com/en-us/sysinternals/bb897441
http://live.sysinternals.com/sigcheck.exe

I was asked about \system32 and \sysnative directories.

They are one and the same; sysnative = virtual version of system32

Code:
Command: sigcheck.exe -a -h -m C:\Windows\system32\ntoskrnl.exe

c:\windows\system32\ntoskrnl.exe:
	Verified:	Signed
	Catalog:	C:\Windows\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_3_for_KB2556532~31bf3856ad364e35~amd64~~6.1.1.1.cat
	Signers:
		Microsoft Windows
		Microsoft Windows Verification PCA
		Microsoft Root Certificate Authority
	Signing date:	06:40 6/28/2011
	Publisher:	Microsoft Corporation
	Description:	NT Kernel & System
	Product:	Microsoft® Windows® Operating System
	Version:	6.1.7601.17640
	File version:	6.1.7601.17640 (win7sp1_gdr.110622-1506)
	Strong Name:	Unsigned
	Original Name:	ntkrnlmp.exe
	Internal Name:	ntkrnlmp.exe
	Copyright:	© Microsoft Corporation. All rights reserved.
	Comments:	n/a
	MD5:	577841951e8bad6ea8288106693cd39f
	SHA1:	91e05c8683321b9decab95f420b09b666ff91c51
	SHA256:	182f18543494d82c86ce833937b628c4413b9f0baafe750706c0ad0b484e0dc2



Code:
Command: sigcheck.exe -a -h -m C:\Windows\Sysnative\ntoskrnl.exe

c:\windows\sysnative\ntoskrnl.exe:
	Verified:	Signed
	Catalog:	C:\Windows\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_3_for_KB2556532~31bf3856ad364e35~amd64~~6.1.1.1.cat
	Signers:
		Microsoft Windows
		Microsoft Windows Verification PCA
		Microsoft Root Certificate Authority
	Signing date:	06:40 6/28/2011
	Publisher:	Microsoft Corporation
	Description:	NT Kernel & System
	Product:	Microsoft® Windows® Operating System
	Version:	6.1.7601.17640
	File version:	6.1.7601.17640 (win7sp1_gdr.110622-1506)
	Strong Name:	Unsigned
	Original Name:	ntkrnlmp.exe
	Internal Name:	ntkrnlmp.exe
	Copyright:	© Microsoft Corporation. All rights reserved.
	Comments:	n/a
	MD5:	577841951e8bad6ea8288106693cd39f
	SHA1:	91e05c8683321b9decab95f420b09b666ff91c51
	SHA256:	182f18543494d82c86ce833937b628c4413b9f0baafe750706c0ad0b484e0dc2
 
Fred Garvin said:
So what does that mean in English? :lol:

An x86 app running under x64 attempting to access \windows\system32 will be redirected to \windows\syswow64, yet report it is in \system32. The x86 app needs to look for \windows\sysnative, which is a virtual copy of \system32.

In x64 -
\windows\system32 = 64-bit
\windows\syswow64 = 32-bit
\windows\sysnative = virtual copy of \system32

I found this out the hard way back in 2008 when testing my new BSOD scripts on a new Vista x64 system and could not find the Event Viewer logs. It was my very 1st x64 system.

It took me a few days of digging and testing to figure it all out:

Location of Event Logs - HP x64 - dv5-1000us
Vista x64 - %windir%\syswow64, \system32 and \sysnative

The easiest way to see for yourself... run HiJackThis, which is an x86 app.
- click SCAN
- click SAVE LOG

HJT EXE - http://www.trendmicro.com/ftp/products/hijackthis/beta/HijackThis.exe
From this site - HijackThis - Trend Micro USA

HJT executed on an x64 system - note the Unknown owner and file missing. You won't see these entries if running HJT on an x86 system.

Even though it clearly reports \system32 - HJT is really reporting \syswow64, but doesn't know it; hence the reason for Unknown ... -
Code:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 01:11:18, on 2/14/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal
<... snip ...>
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: HP Service (hpsrv) - Unknown owner - C:\Windows\system32\Hpservice.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_960c1f056a541068\STacSV64.exe
O23 - Service: TeamViewer 7 (TeamViewer7) - TeamViewer GmbH - C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)

--
End of file - 11247 bytes

I ran SigCheck to show \sysnative = \system32
 
VirGnarus said:
Yep. :)

File System Redirector (Windows)

How to Suppress and Bypass System32 File System Redirect to SysWOW64 Folder with Sysnative » Tip and Trick

File redirection is designed to prevent x86 programs from making erroneous calls to the x64 Windows subsystem or receiving unrecognized calls back from the x64 subsystem.

On the other hand, \sysnative is used by x86 programs designed to recognize x64 environments to prevent file redirection which would normally occur in WoW64. Obviously, an older x86 app that wasn't initially designed to be cross-compatible with an x64 environment will not use the \sysnative exemption.
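The redirection rules laid out in the two posts above (System32 silently becomes SysWOW64 for a 32-bit process, Sysnative is the escape hatch back to the real System32, and a 64-bit process sees neither) are easy to get wrong in a script, so here is an added worked example, written for this page and not code from any poster or from Sysinternals or Trend Micro. It models the redirector as a pure function so it can be exercised on any OS, parses a HijackThis O23 line to show where the x86 scanner actually looked, and, when run on Windows, hashes ntoskrnl.exe through each alias from the current process (what `sigcheck -h` did above). Assumptions: a default `C:\Windows` install, and the list of redirection-exempt sub-directories, which is taken from Microsoft's File System Redirector documentation as this example's author understands it and should be checked against a live box.

```python
r"""WOW64 file-system redirection: System32, SysWOW64 and Sysnative.

Added example, not code from this thread. Models the redirector described in
the posts above; the exempt-directory list is an assumption taken from the
Microsoft "File System Redirector" docs, so verify it on a live system.
"""
import hashlib
import os
import struct
from pathlib import PureWindowsPath

# Lower-cased leading parts of %windir% (assumed default install location).
WINDIR = ("c:\\", "windows")

# Sub-paths of System32 that WOW64 does NOT redirect (assumed, per the MS
# docs). Note that sigcheck's catalog path above sits under System32\CatRoot
# whichever alias was queried, which is what this exemption predicts.
EXEMPT = {("catroot",), ("catroot2",), ("driverstore",), ("drivers", "etc"),
          ("logfiles",), ("spool",)}


def resolve(path, process_is_32bit, os_is_64bit=True):
    """Return the on-disk path a file API call from this process really opens.

    Raises FileNotFoundError for Sysnative outside WOW64: the alias only
    exists for 32-bit processes running on 64-bit Windows.
    """
    parts = PureWindowsPath(path).parts
    lower = tuple(s.lower() for s in parts)
    in_windir = len(parts) > 2 and lower[:2] == WINDIR
    head = lower[2] if in_windir else None
    tail = parts[3:] if in_windir else ()
    wow64 = os_is_64bit and process_is_32bit

    if head == "sysnative":
        if not wow64:
            raise FileNotFoundError(f"{path}: Sysnative is visible only under WOW64")
        return str(PureWindowsPath(*parts[:2], "System32", *tail))
    if wow64 and head == "system32":
        exempt = any(lower[3:3 + len(e)] == e for e in EXEMPT)
        if not exempt:
            return str(PureWindowsPath(*parts[:2], "SysWOW64", *tail))
    # 64-bit process, 32-bit OS, exempt sub-directory, or outside %windir%.
    return str(PureWindowsPath(*parts))


def visible(path, process_is_32bit, os_is_64bit=True):
    """True if the path resolves at all for this process (only Sysnative may not)."""
    try:
        resolve(path, process_is_32bit, os_is_64bit)
        return True
    except FileNotFoundError:
        return False


def hjt_target(line):
    """Split a HijackThis O23 line into (service binary path, flagged 'file missing')."""
    target = line.rsplit(" - ", 1)[1].strip()
    suffix = " (file missing)"
    if target.endswith(suffix):
        return target[: -len(suffix)], True
    return target, False


def sha256_of(path):
    """Hash a file the way sigcheck -h reports SHA256."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def live_check():
    """On Windows: show what the current process sees through each alias."""
    bits = struct.calcsize("P") * 8
    print(f"this process is {bits}-bit; WOW64 = {'PROCESSOR_ARCHITEW6432' in os.environ}")
    for alias in ("System32", "Sysnative", "SysWOW64"):
        p = str(PureWindowsPath("C:\\", "Windows", alias, "ntoskrnl.exe"))
        try:
            print(f"  {p}: {sha256_of(p)}")
        except FileNotFoundError:
            print(f"  {p}: not visible from this process")


if __name__ == "__main__":
    for p in (r"C:\Windows\System32\ntoskrnl.exe",
              r"C:\Windows\Sysnative\ntoskrnl.exe",
              r"C:\Windows\System32\CatRoot\Package.cat"):
        for is32 in (True, False):
            who = "32-bit" if is32 else "64-bit"
            try:
                print(f"{who} process opens {p} -> {resolve(p, is32)}")
            except FileNotFoundError as e:
                print(f"{who} process opens {p} -> {e}")
    # Constructed line mirroring the HJT log above; HJT is an x86 binary.
    sample = (r"O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - "
              r"Unknown owner - C:\Windows\System32\alg.exe (file missing)")
    path, missing = hjt_target(sample)
    print(f"HJT reported {path} (missing={missing}); it actually opened {resolve(path, True)}")
    if os.name == "nt":
        live_check()
```

Run it once from 32-bit and once from 64-bit Python on an x64 machine: in the 32-bit run the System32 and SysWOW64 hashes match each other and Sysnative gives the 64-bit kernel's hash; in the 64-bit run Sysnative is reported as not visible, which is the behaviour the posts above describe.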
 