System administrators and security analysts often need to assess the validity of Windows system and application files loaded on a critical end-point or server device. Questions about where files came from, whether the files shown in a directory listing have been maliciously modified, whether a troublesome version is present, or which vendor to call when a driver is named as the cause of a BSOD, are quickly answered.
This information isn't always easy to get. Sometime, it requires searching the Internet hoping to find enough information to satisfy our requirements. However, SigCheck can produce a wealth of information on NT, W2K, and XP systems in seconds.
SigCheck is a free downloadable command-line utility from Sysinternals. As with most Sysinternals applications, it comes with a long list of command line parameters which enhance its flexibility. See Figure 1.
Entering SigCheck c:\Windows\System32 produces the following output:
If you need file hash values and relationships to other files, they're quickly retrieved by entering SigCheck -h -m c:\Windows\System32, resulting in the following:
And if you want to know whether the listed file name matches the internal file name, try SigCheck -a c:\Windows\System32. This produces an extended information listing, as shown below:
If you need the output from SigCheck as input to a script or a database, export to a CSV file is supported.
The Final Word
SigCheck provides information not readily available through capabilities provided via the operating system. Particularly useful are hash value and internal name values. Hash values can be fed into online services to check for known malicious files. See Where's the hash? for more information on how to use hash values for file validation.
This is the final article in the Sysinternals series, in which I looked at 10 free security utilities. These are just a small part of the collection of system administration tools available at the Sysinternals site.
This post is part of the series: Use SysInternals security utilities to manage network and system security
- Validate System Access with AccessChk
- Streamline Kiosk Operation with Auto-logon
- Enumerate Windows File and Folder Access with AccessEnum
- LogonSessions and PsLoggedOn to Oversee and Manage System Access
- Use Autoruns to Improve Performance and Identify Malware
- Manage, Monitor, and Kill Windows Processes with Process Explorer
- PSExec: Free Security Testing and System Management Tool
- PsLogList: Free Utility to Parse and Review Windows Logs
- Map System Configs with PsInfo
- Use SigCheck to Validate System Files