Use SigCheck to Validate System Files

System administrators and security analysts often need to assess the validity of Windows system and application files loaded on a critical end-point or server device. Questions about where files came from, whether the files shown in a directory listing have been maliciously modified, whether a troublesome version is present, or which vendor to call when a driver is named as the cause of a BSOD, are quickly answered.

This information isn't always easy to get. Sometime, it requires searching the Internet hoping to find enough information to satisfy our requirements. However, SigCheck can produce a wealth of information on NT, W2K, and XP systems in seconds.

SigCheck is a free downloadable command-line utility from Sysinternals. As with most Sysinternals applications, it comes with a long list of command line parameters which enhance its flexibility. See Figure 1.

Entering SigCheck c:\Windows\System32 produces the following output:If you need file hash values and relationships to other files, they're quickly retrieved by entering SigCheck -h -m c:\Windows\System32, resulting in the following:And if you want to know whether the listed file name matches the internal file name, try SigCheck -a c:\Windows\System32. This produces an extended information listing, as shown below:If you need the output from SigCheck as input to a script or a database, export to a CSV file is supported.

SigCheck provides information not readily available through capabilities provided via the operating system. Particularly useful are hash value and internal name values. Hash values can be fed into online services to check for known malicious files. See Where's the hash? for more information on how to use hash values for file validation.

This is the final article in the Sysinternals series, in which I looked at 10 free security utilities. These are just a small part of the collection of system administration tools available at the Sysinternals site.