How To Use Sigcheck.exe

[Carin Mita]

Sigcheckexe (File version and signature viewer) is a command-line utility developed by Microsoft Corporation for checking the digital signatures of files. It can be used to verify the authenticity and integrity of files by checking their signatures against the Microsoft certificate.

This tool can be particularly useful for detecting potentially malicious or tampered files within a system. By providing a detailed report on the digital signatures of files, sigcheck.exe helps users identify any potential security risks and ensure the trustworthiness of their files. It is commonly used by system administrators and security professionals to maintain the security and integrity of their systems.

How do we know? Our SpyShelter cybersecurity labs focuses on monitoring different types of Windows PC executables and their behaviors for our popular SpyShelter Antispyware software. Learn more about us, and how our cybersecurity team studies Windows PC executables/processes.

The publisher of an executable is the entity responsible for its distribution and authenticity. Most processes/executables on your PC should be signed. The signature on the executable should have been verified through a third party whose job it is to make sure the entity is who it says it is. Find an unsigned executable? You should consider scanning any completely unsigned .exe on your PC.

The following table contains possible examples of sigcheck.exe being misused. While sigcheck.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

The get_sig_infos function is used to retrieve signature information for files located at a given path or pathsusing the sigcheck.exe utility.It collects information such as file signatures, file version, description, and other relevant details.

This function might be interesting for individuals or developers working with files and file security analysis.It can be particularly useful for tasks like identifying the digital signatures of executable files, verifying fileauthenticity, checking for file tampering, and gathering metadata about files in a specified location.

The function includes error handling mechanisms, such as ignoring exceptions duringthe signature analysis and printing any encountered exceptions for debugging purposes.This helps ensure that the function can handle a variety of scenarios and continue processingfiles even if some exceptions occur.

I have a question. I was on my computer and I got a pop up from HP Support Assistant saying I have a critical update that needs to be installed so I exited out of the pop up and went into HP Support Assistant and it was an alert to get ready for Windows 10 so I dismissed it and the window froze. I turned my computer off then rebooted. I went back into HP Support Assistant and I see the red Caution icon in my Network and Security settings so I click on it and it says that my firewall, anti-virus, spyware, etc are off and my internet security is at risk. So I go to my firewall and it says it is on and then I go to my anti-virus and it says it is on and protecting. I scanned my computer and after a few minutes, the Network and Security settings changed to green check marks on my anti-virus and spyware etc and said my internet security is secured. So I rebooted again to see what would happen and support assistant said the same thing again but changed to secure a few minutes after.

Hi. I removed some malware with AdwCleaner and I used Delfix to delete all of the tools used. I was using System Investigator on SuperAntiSpyware and it found an unknown file called Quarantine.exe. The thumbnail looked like the bug from AdwCleaner but behind jail bars. I scanned it using VirusTotal and it came up as clean but I deleted it soon after anyways. Was this just a reminant from AdwCleaner or something else? Thank you

As you have just recently worked on malware removal/cleanup in the malware removal section and since that thread is still open, it might be a good idea to resume that topic with Maniac HERE.

I went to scan something in my System32 folder in VirusTotal (just to ne sure) and I couldn't find it in my System32 via File search. So I saved it to my desktop in order to scan it and it was clean. I want to put it back where it came from without deleting the file entirely since it is an important part of Windows. I tried to replace the file in the destination but I do not have permission to do that. Is there anyway I can put this file back and not have it on my desktop?

I did not know this could cause potential damage. I do not think I am necessarily infected at the moment but I will ask Maniac about it when he gets back to me on the issue we are currently discussing. I wanted to see if it was malicious or not, but I will not touch anything until i receive advice about it

Hello Confused:

For the future, a better, and certainly less dangerous, method of checking file integrity is to use a passive Microsoft tool (sigcheck.exe) from the Sysinternals collection and when coupled with a Graphical User Interface (GUI) front-end such as Skwire Empire's SigcheckGUI, both VirusTotal and the author's digital signature evaluations may be observed in one window.

Digital Signatures of running process is needed when your want to validate that the softwares actually comes from trusted source and is unmodified by viruses or trojans. You can also check the the executable files (.exe, .dll etc,.) on your system that they are digitally signed. In Microsoft Article, it is stated that:

Method-1: Using windows built-in Signature Verification Program

The windows by-default included the signature verfication program to ensure that the critical system drivers has not been changed. To do this, simply type sigverif.exe in your command prompt.

sigverif.exe

Download SigCheck from here, a command-line utility tools from Windows System Internals to check digital signature of files.

Use the command to find the digital signature of particular file. Here is how I find the digital signature of the .Net Framework 4.0 file. See Fig-3.

.sigcheck.exe

If you want to check the digital signature of all executable files under C:windowssystem32 directory and export the result to your desktop as csv file, use the following command. See Fig-5.

.\sigcheck.exe /c /e C:WindowsSystem32 > %userprofile%DesktopSigCheckResult.csv

3a8082e126