
Use SigCheck to Validate System Files

written by: Tom Olzak, CISSP • edited by: Ronda Bowen • updated: 7/4/2011

Knowing that the system files and other application components on your computer are genuine is an important part of troubleshooting anomalous behavior or cleaning critical systems. It can also come in handy when determining who to blame when your computer frequently displays the BSOD.


    The Challenge

    System administrators and security analysts often need to assess the validity of Windows system and application files loaded on a critical endpoint or server. Questions about where files came from, whether the files shown in a directory listing have been maliciously modified, whether a troublesome version is present, or which vendor to call when a driver is named as the cause of a BSOD are quickly answered.

    This information isn't always easy to get. Sometimes it requires searching the Internet in the hope of finding enough information to satisfy our requirements. However, SigCheck can produce a wealth of information on NT, W2K, and XP systems in seconds.


    SigCheck

    SigCheck is a free downloadable command-line utility from Sysinternals. As with most Sysinternals applications, it comes with a long list of command line parameters which enhance its flexibility. See Figure 1.

    [Figure 1: SigCheck Parameters]

    Entering SigCheck c:\Windows\System32 produces the following output:

    [Figure: Checking System32 Folder]

    If you need file hash values and relationships to other files, they're quickly retrieved by entering SigCheck -h -m c:\Windows\System32, resulting in the following:

    [Figure: Hash Values]

    And if you want to know whether the listed file name matches the internal file name, try SigCheck -a c:\Windows\System32. This produces an extended information listing, as shown below:

    [Figure: SigCheck Extended Output]

    If you need the output from SigCheck as input to a script or a database, export to a CSV file is supported.


    The Final Word

    SigCheck provides information not readily available through capabilities provided via the operating system. Particularly useful are hash value and internal name values. Hash values can be fed into online services to check for known malicious files. See "Where's the hash?" for more information on how to use hash values for file validation.
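    The CSV export mentioned in the SigCheck section and the hash and internal-name checks described here come together in a short triage script. This is an added example, not code from the article or from Sysinternals; it assumes the CSV was produced with sigcheck's -c (CSV output), -h (hashes) and -a (extended version info) switches and that the header carries the column names used below, and the sample rows are constructed, describing no real file.

```python
"""Triage a SigCheck CSV export: unsigned files, name mismatches, hashes.

Added example, not code from the article or Sysinternals. Assumes a CSV
from sigcheck -c -h -a with the header columns used below (assumption).
The sample rows are constructed for illustration and describe no real file.
"""
import csv
import io
import ntpath

# Constructed sample of a SigCheck CSV export (column subset, fake hashes).
SAMPLE_CSV = """\
Path,Verified,Publisher,Original Name,Internal Name,MD5,SHA256
c:\\Windows\\System32\\kernel32.dll,Signed,Microsoft Windows,kernel32,kernel32,11111111111111111111111111111111,aaaa1111
c:\\Windows\\System32\\helper.exe,Unsigned,n/a,updater.exe,updater,22222222222222222222222222222222,bbbb2222
c:\\Windows\\System32\\msvcrt.dll,Signed,Microsoft Windows,msvcrt.dll,msvcrt.dll,33333333333333333333333333333333,cccc3333
"""


def parse_sigcheck_csv(text):
    """Return one dict per file row, keyed by the CSV header names."""
    return list(csv.DictReader(io.StringIO(text)))


def name_stem(name):
    """Lower-cased file name without directory or extension, e.g. 'kernel32'."""
    return ntpath.splitext(ntpath.basename(name.strip()))[0].lower()


def triage(rows):
    """Split rows into the findings an analyst acts on."""
    unsigned, mismatched, hashes = [], [], {}
    for row in rows:
        path = row["Path"]
        # Anything other than a verified signature ("Unsigned", "n/a") is a
        # file to investigate; the tool's trust decision is taken as-is here.
        if row.get("Verified", "").strip() != "Signed":
            unsigned.append(path)
        # Internal name disagreeing with the on-disk name is the check the -a
        # output supports; comparing stems tolerates ".dll" present vs absent.
        internal = row.get("Internal Name", "").strip()
        if internal and internal.lower() != "n/a" and name_stem(internal) != name_stem(path):
            mismatched.append((path, internal))
        # Collect SHA256 values for lookup against a known-bad hash service.
        sha = row.get("SHA256", "").strip()
        if sha and sha.lower() != "n/a":
            hashes[path] = sha
    return {"unsigned": unsigned, "name_mismatch": mismatched, "sha256": hashes}


if __name__ == "__main__":
    for finding, value in triage(parse_sigcheck_csv(SAMPLE_CSV)).items():
        print(finding, value)
```

    Point the parser at the file written by sigcheck -c instead of SAMPLE_CSV to run it against a real directory listing; the header names are read from the file, so extra columns are ignored.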

    This is the final article in the Sysinternals series, in which I looked at 10 free security utilities. These are just a small part of the collection of system administration tools available at the Sysinternals site.