SysInternals SIGCHECK
SysInternals Sigcheck scans files on the system & verifies their digital signatures.
Mark Russinovich explains the use of Sigcheck in this 2012 Microsoft TechEd video (starts at 1638s) - Malware Hunting with the Sysinternals Tools
Sigcheck is just 1 of 73 stand-alone executables found in the SysInternals Suite, available free from Microsoft TechNet.
To perform a recursive sub-directory scan of \windows (see video @ 1665s):
- Download Sigcheck & save to Documents
- Bring up an elevated Admin CMD prompt; copy/paste the following (the EULA will appear on first execution; click "Accept"):
Code:
cd /d %windir% & "%userprofile%\documents\sigcheck" -e -s -u * 1>0 & start /max notepad 0
It will take a few minutes to complete.
A Notepad will open with the results.
Code:
C:\Windows\LSASecretsDump.exe:
Verified: Unsigned
Link date: 06:27 11/29/2009
Publisher: NirSoft
Description: LSASecretsDump
Product: LSASecretsDump
Version: 1.21
File version: 1.21
C:\Windows\ST6UNST.EXE:
Verified: Unsigned
Link date: 00:37 02/24/2004
Publisher: Microsoft Corporation
Description: Visual Basic Setup Toolkit Uninstaller
Product: Microsoft® Visual Basic for Windows
Version: 6.00.9782
File version: 6.00.9782
C:\Windows\assembly\NativeImages_v2.0.50727_32\ComSvcConfig\58196a9215d9ed7453d4da854cd40581\ComSvcConfig.ni.exe:
Verified: Unsigned
Link date: 02:43 09/29/2010
Publisher: Microsoft Corporation
Description: ComSvcConfig.exe
Product: Microsoft® .NET Framework
Version: 3.0.4506.5420
File version: 3.0.4506.5420 (Win7SP1.030729-5400)
C:\Windows\assembly\NativeImages_v2.0.50727_32\dfsvc\09c2fc2e6fb391b9b68b220a4ca9a83e\dfsvc.ni.exe:
Verified: Unsigned
Link date: 01:43 06/04/2009
Publisher: Microsoft Corporation
Description: dfsvc.exe
Product: Microsoft® .NET Framework
Version: 2.0.50727.4927
File version: 2.0.50727.4927 (NetFXspW7.050727-4900)
C:\Windows\assembly\NativeImages_v2.0.50727_32\MSBuild\68d7de90f7a20fdcc7bed5f513ff5a5f\MSBuild.ni.exe:
Verified: Unsigned
Link date: 20:46 05/22/2009
Publisher: Microsoft Corporation
Description: MSBuild.exe
Product: Microsoft® .NET Framework
Version: 3.5.30729.4926
File version: 3.5.30729.4926 built by: NetFXw7
C:\Windows\assembly\NativeImages_v2.0.50727_32\Narrator\3b2ef6e84430a07a5b87a4fd2ac68969\Narrator.ni.exe:
Verified: Unsigned
Link date: 01:30 11/20/2010
Publisher: Microsoft Corporation
Description: Narrator
Product: Microsoft® Windows® Operating System
Version: 6.1.7601.17514
File version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFontCac#\4887489f50210be650432a982d01800f\PresentationFontCache.ni.exe:
Verified: Unsigned
Link date: 21:22 05/22/2009
Publisher: Microsoft Corporation
Description: PresentationFontCache.exe
Product: Microsoft® .NET Framework
Version: 3.0.6920.4902
File version: 3.0.6920.4902 built by: NetFXw7
C:\Windows\assembly\NativeImages_v2.0.50727_32\SMSvcHost\405750446c2533817879ccad7b30dc54\SMSvcHost.ni.exe:
Verified: Unsigned
Link date: 02:43 09/29/2010
Publisher: Microsoft Corporation
Description: SMSvcHost.exe
Product: Microsoft® .NET Framework
Version: 3.0.4506.5420
File version: 3.0.4506.5420 (Win7SP1.030729-5400)
C:\Windows\assembly\NativeImages_v2.0.50727_32\WsatConfig\4aa9a083362ad7a5bf3b126745c69a74\WsatConfig.ni.exe:
Verified: Unsigned
Link date: 02:43 09/29/2010
Publisher: Microsoft Corporation
Description: MB Version update tool
Product: Microsoft® .NET Framework
Version: 3.0.4506.5420
File version: 3.0.4506.5420 (Win7SP1.030729-5400)
C:\Windows\assembly\NativeImages_v2.0.50727_64\ComSvcConfig\fdb14e50d68f95342dc03c610c19d809\ComSvcConfig.ni.exe:
Verified: Unsigned
Link date: 02:43 09/29/2010
Publisher: Microsoft Corporation
Description: ComSvcConfig.exe
Product: Microsoft® .NET Framework
Version: 3.0.4506.5420
File version: 3.0.4506.5420 (Win7SP1.030729-5400)
C:\Windows\assembly\NativeImages_v2.0.50727_64\dfsvc\0c0332e0630632b7d4ebe502bb38f4a0\dfsvc.ni.exe:
Verified: Unsigned
Link date: 01:43 06/04/2009
Publisher: Microsoft Corporation
Description: dfsvc.exe
Product: Microsoft® .NET Framework
Version: 2.0.50727.4927
File version: 2.0.50727.4927 (NetFXspW7.050727-4900)
C:\Windows\assembly\NativeImages_v2.0.50727_64\MSBuild\94db84eb2d96fbeb8d5e33bbfd414848\MSBuild.ni.exe:
Verified: Unsigned
Link date: 03:09 09/29/2010
Publisher: Microsoft Corporation
Description: MSBuild.exe
Product: Microsoft® .NET Framework
Version: 3.5.30729.5420
File version: 3.5.30729.5420 built by: Win7SP1
C:\Windows\assembly\NativeImages_v2.0.50727_64\Narrator\3691df557cb72328949d008ae3828d3e\Narrator.ni.exe:
Verified: Unsigned
Link date: 01:30 11/20/2010
Publisher: Microsoft Corporation
Description: Narrator
Product: Microsoft® Windows® Operating System
Version: 6.1.7601.17514
File version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
C:\Windows\assembly\NativeImages_v2.0.50727_64\PresentationFontCac#\39d46439b9a28783911227cb0af99358\PresentationFontCache.ni.exe:
Verified: Unsigned
Link date: 21:22 05/22/2009
Publisher: Microsoft Corporation
Description: PresentationFontCache.exe
Product: Microsoft® .NET Framework
Version: 3.0.6920.4902
File version: 3.0.6920.4902 built by: NetFXw7
C:\Windows\assembly\NativeImages_v2.0.50727_64\SMSvcHost\6fb4d4415f90e7895a985570ad1d7dad\SMSvcHost.ni.exe:
Verified: Unsigned
Link date: 02:43 09/29/2010
Publisher: Microsoft Corporation
Description: SMSvcHost.exe
Product: Microsoft® .NET Framework
Version: 3.0.4506.5420
File version: 3.0.4506.5420 (Win7SP1.030729-5400)
C:\Windows\assembly\NativeImages_v2.0.50727_64\WsatConfig\021d15f8a9ff41bdada8a84fa6c37628\WsatConfig.ni.exe:
Verified: Unsigned
Link date: 02:43 09/29/2010
Publisher: Microsoft Corporation
Description: MB Version update tool
Product: Microsoft® .NET Framework
Version: 3.0.4506.5420
File version: 3.0.4506.5420 (Win7SP1.030729-5400)
C:\Windows\assembly\NativeImages_v4.0.30319_32\Blend\17c655baddb5885e03ca6085a787109d\Blend.ni.exe:
Verified: Unsigned
Link date: 21:45 05/25/2010
Publisher: Microsoft Corporation
Description: Microsoft Expression Blend 4
Product: n/a
Version: 4.0.20525.0
File version: 4.0.20525.0
C:\Windows\assembly\NativeImages_v4.0.30319_32\ComSvcConfig\f42140074d38463c2d48c012d60d98cd\ComSvcConfig.ni.exe:
Verified: Unsigned
Link date: 05:40 03/18/2010
Publisher: Microsoft Corporation
Description: ComSvcConfig.exe
Product: Microsoft® .NET Framework
Version: 4.0.30319.1
File version: 4.0.30319.1 (RTMRel.030319-0100)
C:\Windows\assembly\NativeImages_v4.0.30319_32\Design\3fdedfe9baa08afc3d7904af82f764db\Design.ni.exe:
Verified: Unsigned
Link date: 09:59 05/16/2010
Publisher: Microsoft Corporation
Description: Microsoft Expression Design
Product: n/a
Version: 7.0.20516.0
File version: 7.0.20516.0
C:\Windows\assembly\NativeImages_v4.0.30319_32\dfsvc\46477be438c431f09e4d23ec47604f8e\dfsvc.ni.exe:
Verified: Unsigned
Link date: 04:17 03/18/2010
Publisher: Microsoft Corporation
Description: dfsvc.exe
Product: Microsoft® .NET Framework
Version: 4.0.30319.1
File version: 4.0.30319.1 (RTMRel.030319-0100)
C:\Windows\assembly\NativeImages_v4.0.30319_32\EEScreen\bb304bd4e5daa58ad8de3931ba7b5029\EEScreen.ni.exe:
Verified: Unsigned
Link date: 03:30 05/25/2010
Publisher: Microsoft Corporation
Description: Expression Encoder Screen Capture
Product: n/a
Version: 4.0.1639.0
File version: 4.0.1639.0
C:\Windows\assembly\NativeImages_v4.0.30319_32\Encoder\a1a7e7861adfcfd0a7f325dc08228abf\Encoder.ni.exe:
Verified: Unsigned
Link date: 03:32 05/25/2010
Publisher: Microsoft Corporation
Description: Encoder
Product: Expression Encoder
Version: 4.0.1639.0
File version: 4.0.1639.0
C:\Windows\assembly\NativeImages_v4.0.30319_32\Expression.DevServer\8a8bcc94f4868f27eba190e65e2864d2\Expression.DevServer.ni.exe:
Verified: Unsigned
Link date: 03:45 07/04/2011
Publisher: n/a
Description: Microsoft Expression Development Server
Product: n/a
Version: 4.0.1303.0
File version: 4.0.1303.0
C:\Windows\assembly\NativeImages_v4.0.30319_32\ExpressionWeb\bcc5cae21fd94efae54b984d4b2ceff7\ExpressionWeb.ni.exe:
Verified: Unsigned
Link date: 03:56 07/04/2011
Publisher: Microsoft Corporation
Description: Microsoft Expression Web 4
Product: Microsoft Expression Web 4
Version: 4.0.1303.0
File version: 4.0.1303.0
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Workflow.#\357904603025093857c712ea72108779\Microsoft.Workflow.Compiler.ni.exe:
Verified: Unsigned
Link date: 05:40 03/18/2010
Publisher: Microsoft Corporation
Description: Microsoft.Workflow.Compiler.exe
Product: Microsoft® .NET Framework
Version: 4.0.30319.1
File version: 4.0.30319.1 (RTMRel.030319-0100)
C:\Windows\assembly\NativeImages_v4.0.30319_32\MSBuild\95987fd4d0e565a611d7fc39f14e31b3\MSBuild.ni.exe:
Verified: Unsigned
Link date: 04:42 03/18/2010
Publisher: Microsoft Corporation
Description: MSBuild.exe
Product: Microsoft® .NET Framework
Version: 4.0.30319.1
File version: 4.0.30319.1 built by: RTMRel
C:\Windows\assembly\NativeImages_v4.0.30319_32\SMSvcHost\1e1386796a1995ba88cecd52cbe5c8e3\SMSvcHost.ni.exe:
Verified: Unsigned
Link date: 05:39 03/18/2010
Publisher: Microsoft Corporation
Description: SMSvcHost.exe
Product: Microsoft® .NET Framework
Version: 4.0.30319.1
File version: 4.0.30319.1 (RTMRel.030319-0100)
C:\Windows\assembly\NativeImages_v4.0.30319_32\WsatConfig\bb6763a59a1c917c214c239f7cc5aab4\WsatConfig.ni.exe:
Verified: Unsigned
Link date: 05:40 03/18/2010
Publisher: Microsoft Corporation
Description: MB Version update tool
Product: Microsoft® .NET Framework
Version: 4.0.30319.1
File version: 4.0.30319.1 (RTMRel.030319-0100)
C:\Windows\assembly\NativeImages_v4.0.30319_64\ComSvcConfig\7e75d18be3dfb255760c6f319a3b89b6\ComSvcConfig.ni.exe:
Verified: Unsigned
Link date: 05:40 03/18/2010
Publisher: Microsoft Corporation
Description: ComSvcConfig.exe
Product: Microsoft® .NET Framework
Version: 4.0.30319.1
File version: 4.0.30319.1 (RTMRel.030319-0100)
C:\Windows\assembly\NativeImages_v4.0.30319_64\dfsvc\7556d108505633af76ca7651ea12d79c\dfsvc.ni.exe:
Verified: Unsigned
Link date: 04:17 03/18/2010
Publisher: Microsoft Corporation
Description: dfsvc.exe
Product: Microsoft® .NET Framework
Version: 4.0.30319.1
File version: 4.0.30319.1 (RTMRel.030319-0100)
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Workflow.#\11a577a0a2a11f0a618e4e6e3ece2163\Microsoft.Workflow.Compiler.ni.exe:
Verified: Unsigned
Link date: 05:40 03/18/2010
Publisher: Microsoft Corporation
Description: Microsoft.Workflow.Compiler.exe
Product: Microsoft® .NET Framework
Version: 4.0.30319.1
File version: 4.0.30319.1 (RTMRel.030319-0100)
C:\Windows\assembly\NativeImages_v4.0.30319_64\MSBuild\6a224cc42688bd4baf6ea6743cf51a0c\MSBuild.ni.exe:
Verified: Unsigned
Link date: 09:17 03/18/2010
Publisher: Microsoft Corporation
Description: MSBuild.exe
Product: Microsoft® .NET Framework
Version: 4.0.30319.1
File version: 4.0.30319.1 built by: RTMRel
C:\Windows\assembly\NativeImages_v4.0.30319_64\MSBuild\ae8dd08ebc15514d21c6e57314dc8d0c\MSBuild.ni.exe:
Verified: Unsigned
Link date: 09:17 03/18/2010
Publisher: Microsoft Corporation
Description: MSBuild.exe
Product: Microsoft® .NET Framework
Version: 4.0.30319.1
File version: 4.0.30319.1 built by: RTMRel
C:\Windows\assembly\NativeImages_v4.0.30319_64\SMSvcHost\b22341a364e193c7159c266841076ea0\SMSvcHost.ni.exe:
Verified: Unsigned
Link date: 05:39 03/18/2010
Publisher: Microsoft Corporation
Description: SMSvcHost.exe
Product: Microsoft® .NET Framework
Version: 4.0.30319.1
File version: 4.0.30319.1 (RTMRel.030319-0100)
C:\Windows\assembly\NativeImages_v4.0.30319_64\WsatConfig\768b26b22fc0aac237ed0620b8774451\WsatConfig.ni.exe:
Verified: Unsigned
Link date: 05:40 03/18/2010
Publisher: Microsoft Corporation
Description: MB Version update tool
Product: Microsoft® .NET Framework
Version: 4.0.30319.1
File version: 4.0.30319.1 (RTMRel.030319-0100)
C:\Windows\Auto Refresh Pro\uninstall.exe:
Verified: Unsigned
Link date: 10:41 11/06/2008
Publisher: n/a
Description: Setup Application
Product: Setup Factory 8.0 Runtime
Version: 8.1.1006.0
File version: 8.1.1006.0
C:\Windows\Installer\$PatchCache$\Managed\D139D8F5032B3F749A0CC0C84A953A23\4.0.1165\xWeb.Expression.DevServer.exe:
Verified: Unsigned
Link date: 17:23 05/24/2010
Publisher: n/a
Description: Microsoft Expression Development Server
Product: n/a
Version: 4.0.1165.0
File version: 4.0.1165.0
C:\Windows\Installer\{2934DCB0-F8EE-11E0-A4A5-B8AC6F97B88E}\ARPPRODUCTICON.exe:
Verified: Unsigned
Link date: 00:52 08/02/2010
Publisher: Flexera Software, Inc.
Description: InstallShield
Product: InstallShield
Version: 17.0
File version: 17.0.714
C:\Windows\Installer\{2934DCB0-F8EE-11E0-A4A5-B8AC6F97B88E}\UNINST_Uninstall_G_F6A848FB884248E6A4CDCBDCF41F6A74_1.exe:
Verified: Unsigned
Link date: 00:52 08/02/2010
Publisher: Flexera Software, Inc.
Description: InstallShield
Product: InstallShield
Version: 17.0
File version: 17.0.714
C:\Windows\Installer\{3F04067F-0DA5-4F48-9A89-6FCFD2A9E040}\ARPPRODUCTICON.exe:
Verified: Unsigned
Link date: 00:43 05/10/2008
Publisher: Acresso Software Inc.
Description: InstallShield
Product: InstallShield
Version: 15.0
File version: 15.0.498
C:\Windows\Installer\{3F04067F-0DA5-4F48-9A89-6FCFD2A9E040}\NewShortcut1.exe:
Verified: Unsigned
Link date: 00:43 05/10/2008
Publisher: Acresso Software Inc.
Description: InstallShield
Product: InstallShield
Version: 15.0
File version: 15.0.498
C:\Windows\Installer\{3F04067F-0DA5-4F48-9A89-6FCFD2A9E040}\NewShortcut2_E92C273FB9F642AAB106402602207308.exe:
Verified: Unsigned
Link date: 00:43 05/10/2008
Publisher: Acresso Software Inc.
Description: InstallShield
Product: InstallShield
Version: 15.0
File version: 15.0.498
C:\Windows\Installer\{5BCC634A-58AD-42F9-B3C6-2EA52F81CF85}\Icon0E6ED660.exe:
Verified: Unsigned
Link date: 11:56 08/22/1997
Publisher: n/a
Description: n/a
Product: n/a
Version: n/a
File version: n/a
C:\Windows\Installer\{B34596EA-E180-4313-A82A-DE0955F39B27}\misc.exe.D0DF3458_A845_11D3_8D0A_0050046416B9.exe:
Verified: Unsigned
Link date: 15:24 11/30/2000
Publisher: n/a
Description: n/a
Product: n/a
Version: n/a
File version: n/a
C:\Windows\Installer\{C0E8FE43-C35B-451D-B35F-D4BD056D70E7}\IconEF5C48881.exe:
Verified: Unsigned
Link date: 11:56 08/22/1997
Publisher: n/a
Description: n/a
Product: n/a
Version: n/a
File version: n/a
C:\Windows\JMCR_DIR\JMInsDrv.exe:
Verified: Unsigned
Link date: 22:49 09/22/2008
Publisher: JMicron Technology Corporation
Description: JMicron Driver Installation Program
Product: JMicron Driver Installation Program
Version: 1.00.00.00
File version: 1.00.00.00 built by: WinDDK
C:\Windows\JMCR_DIR\setup.exe:
Verified: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
Link date: 22:42 10/21/2008
Publisher: JMicron Technology Corp.
Description: JMicron Setup Application
Product: JMicron Setup Application
Version: 1, 1, 0, 6
File version: 1, 1, 0, 6
C:\Windows\System32\dsfkregsvr.exe:
Verified: Unsigned
Link date: 00:06 02/09/2010
Publisher: Microsoft Corporation
Description: Application for registering kernel COM Objects
Product: Microsoft® Windows® Operating System
Version: 6.1.7600.16385
File version: 6.1.7600.16385 (win7_wdk.100208-1538)
C:\Windows\System32\dxcpl.exe:
Verified: Unsigned
Link date: 00:24 02/10/2012
Publisher: Microsoft Corporation
Description: Microsoft DirectX Control Panel
Product: Microsoft® DirectX for Windows®
Version: 4.08.01.0612
File version: 4.08.01.0612
C:\Windows\SysWOW64\dxcpl.exe:
Verified: Unsigned
Link date: 00:49 02/10/2012
Publisher: Microsoft Corporation
Description: Microsoft DirectX Control Panel
Product: Microsoft® DirectX for Windows®
Version: 4.08.01.0612
File version: 4.08.01.0612
Sigcheck switches -
Code:
C:\Users\PalmDesert\Documents>sigcheck /?
Sigcheck v1.91 - File version and signature viewer
Copyright (C) 2004-2013 Mark Russinovich
Sysinternals - www.sysinternals.com
usage: sigcheck [-a][-h][-i][-e][-n][[-s]|[-v]|[-m]][-q][-r][-u][-c catalog file] <file or directory>
-a Show extended version information
-c Look for signature in the specified catalog file
-e Scan executable images only (regardless of their extension)
-h Show file hashes
-i Show catalog name and image signers
-m Dump manifest
-n Only show file version number
-q Quiet (no banner)
-r Disable check for certificate revocation
-s Recurse subdirectories
-u Show unsigned files only
-v Csv output
Additional info - https://www.sysnative.com/forums/bs...als-sigcheck-system32-syswow64-sysnative.html
Regards. . .
jcgriff2
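Added example (not part of the original post and not Sysinternals code): a Python parser for the default text report shown above that sorts each entry into review buckets. The bucket names and the rule that treats NGEN native images under assembly\NativeImages_* as low priority are assumptions for illustration; the sample records are excerpted from the report in this post.

```python
import re

# Excerpt of the report above, trimmed to the two fields used here.
SAMPLE = r"""
C:\Windows\LSASecretsDump.exe:
Verified: Unsigned
Publisher: NirSoft
C:\Windows\assembly\NativeImages_v2.0.50727_32\dfsvc\09c2fc2e6fb391b9b68b220a4ca9a83e\dfsvc.ni.exe:
Verified: Unsigned
Publisher: Microsoft Corporation
C:\Windows\Installer\{5BCC634A-58AD-42F9-B3C6-2EA52F81CF85}\Icon0E6ED660.exe:
Verified: Unsigned
Publisher: n/a
C:\Windows\JMCR_DIR\setup.exe:
Verified: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
Publisher: JMicron Technology Corp.
C:\Windows\System32\dxcpl.exe:
Verified: Unsigned
Publisher: Microsoft Corporation
"""

HEADER = re.compile(r"^[A-Za-z]:\\.*:$")  # record header: full path plus trailing colon
NGEN = re.compile(r"\\assembly\\NativeImages_[^\\]+\\.*\.ni\.(exe|dll)$", re.I)

def parse_report(text):
    """Split Sigcheck's default text output into one dict per file."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if HEADER.match(line):
            records.append({"Path": line[:-1]})
        elif records and ": " in line:
            key, value = line.split(": ", 1)
            records[-1][key] = value
    return records

def triage(rec):
    """Assumed review buckets (not Sigcheck output)."""
    verified, publisher = rec.get("Verified", ""), rec.get("Publisher", "n/a")
    if verified == "Signed":
        return "signed"
    if verified != "Unsigned":
        return "signature-error"            # a signature exists but did not validate
    if NGEN.search(rec["Path"]):
        return "ngen-native-image"          # generated locally by NGEN; low priority, not cleared
    if publisher == "n/a":
        return "no-version-info"
    if publisher.startswith("Microsoft"):
        return "unsigned-claims-microsoft"  # on unsigned files Publisher is unverified resource text
    return "unsigned-third-party"

def summarize(text):
    """Map each reported path to its triage bucket."""
    return {r["Path"]: triage(r) for r in parse_report(text)}
```

To use it on a real scan, read the file that the command above writes (named 0 in %windir%) and pass its contents to summarize().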