SIGCHECK - CMD
Overview
sigcheck is a command-line utility primarily used for verifying the digital signatures and version information of Windows executable files (EXE, DLL, SYS, etc.). Developed by Sysinternals, it helps confirm the authenticity and integrity of files and running processes on a Windows system. The tool is a staple of security diagnostics and forensic analysis, letting administrators establish the legitimacy of their system files and detect potentially malicious alterations.
Syntax
sigcheck provides a straightforward CLI syntax:
sigcheck [-a][-h][-i][-e][-u][-s][-q][-r][-nobanner] [-c|-ct][-accepteula] <path to file or directory>
Parameters:
<path to file or directory>: Specifies the target file or directory for signature verification.
Options/Flags
- -a: Show all information.
- -c: Print output in CSV format. Includes information such as signing date, signer, and issuing certifying authority.
- -ct: Print output in tab-delimited format.
- -e: Scan executable files only.
- -h: Show file hashes.
- -i: Show catalog information.
- -nobanner: Do not display the banner.
- -q: Quiet mode. Suppress most of the output; only show warnings and errors.
- -r: Check for certificate revocation.
- -s: Recurse subdirectories.
- -u: Show unsigned files only.
- -accepteula: Automatically accept the End User License Agreement.
Examples
- Check a single file:
  sigcheck C:\Windows\System32\kernel32.dll
  Displays the certificate and version details of kernel32.dll.
- Verify signatures of all executable files in a directory:
  sigcheck -e -s C:\Windows\System32
  Checks all executables in the System32 folder and its subdirectories.
- Generate a CSV report of unsigned files:
  sigcheck -u -c "C:\Program Files" > unsigned.csv
  Saves a CSV report of all unsigned files within the Program Files directory. The path is quoted because it contains a space.
Common Issues
- Access Denied: Ensure you run sigcheck with administrative privileges to avoid access-related errors, especially when scanning system directories.
- Files Getting Skipped: Files that are locked by the operating system or other applications might not be scanned. A workaround can be to scan at boot time using bootable media.
Integration
sigcheck can be combined with batch scripts or PowerShell to automate the scanning and logging of file signatures. For instance, a simple batch script to check signatures and append the results to a CSV file daily:
@echo off
REM Scan every .exe under the tree and append CSV rows to the daily log.
REM Quote %%f so paths containing spaces reach sigcheck as one argument;
REM -nobanner and -accepteula keep banner and EULA text out of the log.
REM Each invocation writes its own CSV header row; drop duplicates on import.
for /R "C:\Path\To\Scan" %%f in (*.exe) do (
sigcheck -nobanner -accepteula -c "%%f" >> daily_log.csv
)
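The same idea in PowerShell, as an added example that is not part of the original page: run sigcheck once over a tree in CSV mode with hashes, parse the output, keep everything not verified as signed, and cross-check each hit with the built-in Get-AuthenticodeSignature cmdlet. It assumes sigcheck.exe is on PATH and that the CSV header carries Path, Verified and SHA256 columns (the names recent sigcheck builds emit; confirm against the header line of your version).

```powershell
# Added example (not the page's or Sysinternals' own code).
# Assumptions: sigcheck.exe is on PATH; CSV columns Path, Verified, SHA256 exist.
param(
    [string]$ScanPath = "$env:SystemRoot\System32",
    [string]$Report   = "$env:TEMP\sigcheck-unverified.csv"
)

# -e executables only, -s recurse, -h include hashes, -c CSV output;
# -nobanner/-accepteula keep the stream machine-readable.
$rows = & sigcheck.exe -nobanner -accepteula -e -s -h -c $ScanPath | ConvertFrom-Csv

# Anything sigcheck did not verify as "Signed" is worth a second look
# (catalog-signed OS files normally show as Signed).
$suspect = @($rows | Where-Object { $_.Verified -ne 'Signed' })

# Cross-check each hit with the built-in cmdlet before acting on it.
$results = @(foreach ($row in $suspect) {
    $ps = Get-AuthenticodeSignature -LiteralPath $row.Path -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Path         = $row.Path
        SigcheckSays = $row.Verified
        PsStatus     = if ($ps) { $ps.Status.ToString() } else { 'n/a' }
        SHA256       = $row.SHA256   # handy for matching against known-bad hashes
    }
})

if ($results.Count -gt 0) {
    $results | Export-Csv -NoTypeInformation -LiteralPath $Report
    $results | Format-Table -AutoSize
}
Write-Host ("{0} of {1} files not verified as signed; report: {2}" -f `
    $results.Count, @($rows).Count, $Report)
```

Run it from an elevated PowerShell session so locked or protected paths are readable; disagreement between the SigcheckSays and PsStatus columns usually points at catalog-signed files that one tool could not resolve.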
Related Commands
- certutil: A more general tool that can handle aspects of certificate management.
- powershell Get-AuthenticodeSignature: PowerShell equivalent for checking digital signatures.
For more in-depth information and updates, visit the official Sysinternals web page.