SIGCHECK - CMD


Overview

sigcheck is a command-line utility primarily used for verifying the digital signatures and version information of Windows executable files (EXE, DLL, SYS, etc.). Developed by Sysinternals, it helps confirm the authenticity and integrity of the files and running processes on a Windows system. The tool is a staple of security diagnostics and forensic analysis, letting administrators establish the legitimacy of their system files and detect potentially malicious alterations.

Syntax

sigcheck provides a straightforward CLI syntax:

sigcheck [-a][-h][-i][-e][-u][-s][-q][-r][-nobanner] [-c|-ct][-accepteula] <path to file or directory>

Parameters:

  • <path to file or directory>: Specifies the target file or directory for signature verification.

Options/Flags

  • -a: Show all information.
  • -c: Print output in CSV format. Includes information such as signing date, signer, and issuing certificate authority.
  • -ct: Print output in tab-delimited format.
  • -e: Scan executable files only.
  • -h: Show file hashes.
  • -i: Show catalog information.
  • -nobanner: Do not display the banner.
  • -q: Quiet mode. Suppress most of the output; only show warnings and errors.
  • -r: Check for certificate revocation.
  • -s: Recurse subdirectories.
  • -u: Show unsigned files only.
  • -accepteula: Automatically accept the End User License Agreement.

Examples

  1. Check a single file:

    sigcheck C:\Windows\System32\kernel32.dll
    

    Displays the certificate and version details of kernel32.dll.

  2. Verify signatures of all executable files in a directory:

    sigcheck -e -s C:\Windows\System32
    

    Checks all executables in the System32 folder and its subdirectories.

  3. Generate a CSV report of unsigned files:

    sigcheck -u -c "C:\Program Files" > unsigned.csv

    Saves a CSV report of all unsigned files within the Program Files directory. The path contains a space, so it must be quoted or sigcheck will treat "C:\Program" and "Files" as two separate arguments.

Common Issues

  • Access Denied: Ensure you run sigcheck with administrative privileges to avoid access-related errors, especially when scanning system directories.
  • Files Getting Skipped: Files that are locked by the operating system or other applications might not be scanned. One workaround is to scan the volume offline at boot time from bootable media.

Integration

sigcheck can be combined with batch scripts or PowerShell to automate the scanning and logging of file signatures. For instance, a simple script to check signatures and dump the info into a CSV file daily:

@echo off
rem Append one CSV row per .exe under the scan root. -nobanner and -accepteula keep the
rem banner and the EULA prompt out of the log (and stop the first run from blocking);
rem quoting "%%f" keeps paths that contain spaces intact. Each sigcheck call prints its
rem own CSV header row, so drop duplicate headers when importing the log.
for /R C:\Path\To\Scan %%f in (*.exe) do (
    sigcheck -accepteula -nobanner -c "%%f" >> daily_log.csv
)

Related Commands

  • certutil: A more general tool that covers other aspects of certificate management.
  • powershell Get-AuthenticodeSignature: PowerShell equivalent for checking digital signatures.
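The following PowerShell script is an added example, not code from the original page or from Sysinternals. It automates the same task as the batch loop above but in a single sigcheck run: it scans a directory tree in CSV mode with hashes and revocation checking, parses the output into objects, writes a report of every binary that does not verify as signed, and cross-checks the first findings with Get-AuthenticodeSignature. The name sigcheck.exe on PATH, the CSV column names Path, Verified, Publisher and SHA256, and the literal value 'Signed' in the Verified column are assumptions about current sigcheck output; compare them with the header row your version prints before relying on the filter.

```powershell
# Added example, not from the original page or from Sysinternals. Wraps sigcheck
# in PowerShell, parses the CSV it prints and reports every binary that does not
# verify as signed.
# Assumptions: sigcheck.exe is on PATH (use sigcheck64.exe if that is what you
# have); the CSV columns Path, Verified, Publisher and SHA256 and the status
# string 'Signed' match your sigcheck version's header row and output.
param(
    [string]$ScanPath   = 'C:\Program Files',
    [string]$ReportPath = (Join-Path $env:TEMP 'sigcheck-unverified.csv')
)

function Invoke-SigcheckScan {
    param([Parameter(Mandatory)][string]$Path)

    # -c CSV output, -h include file hashes, -s recurse, -e executables only,
    # -r check certificate revocation; -nobanner and -accepteula keep the banner
    # and the EULA prompt from polluting (or blocking) the CSV stream.
    $raw = & sigcheck.exe -accepteula -nobanner -c -h -s -e -r "$Path"
    if (-not $raw) {
        throw "sigcheck produced no output for '$Path'; is it on PATH and is the path readable?"
    }
    # The first line is the CSV header row, so ConvertFrom-Csv yields one object per file.
    $raw | ConvertFrom-Csv
}

function Get-UnverifiedBinary {
    param([Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Rows)

    # Anything whose Verified column is not literally 'Signed' needs a look:
    # unsigned files, expired or revoked certificates and untrusted roots all
    # land here, carrying sigcheck's own status text in the Verified column.
    @($Rows | Where-Object { $_.Verified -ne 'Signed' } |
        Select-Object Path, Verified, Publisher, SHA256)
}

function Compare-WithAuthenticode {
    param([Parameter(Mandatory)][string]$FilePath)

    # Second opinion from the built-in cmdlet listed under Related Commands.
    # A disagreement between the two tools is a reason to look closer, not noise.
    $sig = Get-AuthenticodeSignature -FilePath $FilePath
    [pscustomobject]@{
        Path   = $FilePath
        Status = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
        Signer = $sig.SignerCertificate.Subject   # $null when the file is unsigned
    }
}

$rows    = Invoke-SigcheckScan -Path $ScanPath
$suspect = Get-UnverifiedBinary -Rows $rows
$suspect | Export-Csv -Path $ReportPath -NoTypeInformation -Encoding UTF8

Write-Host ("{0} of {1} binaries under '{2}' did not verify as signed; report written to {3}" -f
    $suspect.Count, @($rows).Count, $ScanPath, $ReportPath)

# Cross-check the first few findings against Get-AuthenticodeSignature.
$suspect | Select-Object -First 5 | ForEach-Object { Compare-WithAuthenticode -FilePath $_.Path }
```

Run it from an elevated prompt (see Common Issues above) as `.\Scan-Signatures.ps1 -ScanPath 'C:\Program Files'`, or schedule it with Task Scheduler for the daily log the Integration section describes. Running sigcheck once over the tree with -s instead of once per file gives a single header row, so the report imports cleanly into Excel or a SIEM, and the SHA256 column lets you pivot from a suspicious file to threat intelligence without re-hashing it.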

For more in-depth information and updates, visit the official Sysinternals web page.