SigCheck Validates System Files

The Challenge

System administrators and security analysts often need to assess the validity of Windows system and application files loaded on a critical endpoint or server. Questions about where files came from, whether the files shown in a directory listing have been maliciously modified, whether a troublesome version is present, or which vendor to call when a driver is named as the cause of a BSOD need to be answered quickly.

This information isn't always easy to get. Sometimes it requires searching the Internet, hoping to find enough information to satisfy our requirements. However, SigCheck can produce a wealth of information on NT, W2K, and XP systems in seconds.

SigCheck

SigCheck is a free downloadable command-line utility from Sysinternals. As with most Sysinternals applications, it comes with a long list of command line parameters which enhance its flexibility. See Figure 1.

SigCheck Parameters

Entering SigCheck c:\Windows\System32 produces the following output:

Checking System32 Folder

If you need file hash values and relationships to other files, they're quickly retrieved by entering SigCheck -h -m c:\Windows\System32, resulting in the following:

Hash Values

And if you want to know whether the listed file name matches the internal file name, try SigCheck -a c:\Windows\System32. This produces an extended information listing, as shown below:

SigCheck Extended Output

If you need the output from SigCheck as input to a script or a database, export to a CSV file is supported.
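
The following Python script is an added example, not part of the original article or of Sysinternals. It reads a SigCheck CSV export and lists files that are not verified as signed, or whose on-disk name differs from the name embedded in the file. The sample rows are constructed, and the column names and the "n/a" placeholder are assumptions to check against the header row of your own export.

```python
import csv
import io
from pathlib import PureWindowsPath

# Constructed sample rows, not real SigCheck output. Column names are an
# assumption: match them to the header row your SigCheck version writes.
SAMPLE_CSV = r'''Path,Verified,Publisher,Original Name,Internal Name,SHA256
c:\windows\system32\notepad.exe,Signed,Microsoft Windows,NOTEPAD.EXE,Notepad,SAMPLE-HASH-1
c:\windows\system32\svchost.exe,Unsigned,n/a,n/a,n/a,SAMPLE-HASH-2
c:\windows\system32\helper.exe,Signed,Example Corp,othertool.exe,othertool,SAMPLE-HASH-3
'''

EMPTY = {"", "n/a"}  # assumed placeholders for a missing version resource


def stem(name):
    """Lower-cased file name without directory or final extension."""
    return PureWindowsPath(name.strip()).stem.lower()


def triage(csv_text):
    """Return (path, sha256, reasons) for every row that needs a closer look."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        # Anything other than a clean "Signed" verdict is worth reviewing.
        if row["Verified"].strip().lower() != "signed":
            reasons.append("not verified: " + row["Verified"].strip())
        # Compare the listed file name with the names stored inside the file.
        # Internal names often omit the extension, so compare stems only.
        embedded = {stem(row[col]) for col in ("Original Name", "Internal Name")
                    if row[col].strip().lower() not in EMPTY}
        if embedded and stem(row["Path"]) not in embedded:
            reasons.append("name mismatch: " + ", ".join(sorted(embedded)))
        if reasons:
            findings.append((row["Path"], row["SHA256"], reasons))
    return findings


if __name__ == "__main__":
    for path, sha256, reasons in triage(SAMPLE_CSV):
        print(f"{path} [{sha256}]: {'; '.join(reasons)}")
```

To use it on a real export, read the CSV file into a string and pass it to triage(); the hash in each finding can then be looked up as described in the closing section.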

The Final Word

SigCheck provides information not readily available through the operating system's own capabilities. Particularly useful are the hash values and internal names. Hash values can be fed into online services to check for known malicious files. See "Where's the hash?" for more information on how to use hash values for file validation.

This is the final article in the Sysinternals series, in which I looked at 10 free security utilities. These are just a small part of the collection of system administration tools available at the Sysinternals site.

This post is part of the series: Use SysInternals security utilities to manage network and system security

SysInternals provides free security utilities for managing Microsoft Windows networks and systems. Available for download from Microsoft, they provide a powerful set of applications for oversight and protection of network assets.
  1. Validate System Access with AccessChk
  2. Streamline Kiosk Operation with Auto-logon
  3. Enumerate Windows File and Folder Access with AccessEnum
  4. LogonSessions and PsLoggedOn to Oversee and Manage System Access
  5. Use Autoruns to Improve Performance and Identify Malware
  6. Manage, Monitor, and Kill Windows Processes with Process Explorer
  7. PSExec: Free Security Testing and System Management Tool
  8. PsLogList: Free Utility to Parse and Review Windows Logs
  9. Map System Configs with PsInfo
  10. Use SigCheck to Validate System Files