How to manually check the integrity of WRP protected files and registry keys?
I installed Win7 64-bit Home Premium. I tried SFC first, but from the SFC log file I can't tell which files have been checked. Then I ran Sigverif; it gave me a list of checked files, but some kernel-level files are missing. Finally, Sigcheck will thoroughly scan all files in the specified directory and check for unsigned files. Sigcheck seemed perfect at one time, but it still does not go without problems. For example,
1. I was able to replace a medium-integrity-level DLL file in the [system32] directory with a fake one, and Sigcheck will simply skip it without reporting any problem. Not sure why Windows Resource Protection didn't work.
2. I can't find the "Digital Signature" tab in the File Properties of [system32/browser.dll] from Explorer, but Sigcheck reported this file is signed on 2009/7/14. Why is there this Digital Signature discrepancy?
April 15th, 2011 11:00am
Hi,
Based on my understanding, this utility is used to verify the files are digitally signed and dump version information.
For your question, I do not think this is a discrepancy. Windows 7 just does not show the digital signature in the file properties, and this is equal to a file that has no digital signature. So far as I know, browser.dll is a catalog-signed file, and the system saves the digital signature in a catalog file. If you give an embedded signature to the file, the tab would appear.
You could refer to the following article:
Catalog Files and Digital Signatures
Since this is related to the Sysinternals utility, you could also post at the corresponding forum for further help:
Sysinternals Forums
Hope it helps.
Alex Zhao
April 19th, 2011 5:39am
Hi Alex,
Thank you for attending to this problem. I have read your referenced article. Still not sure if browser.dll is part of a cataloged package though. I used EnhancedMySe7en to check the signature of running processes and services. I am confused to see some processes and services not signed by Microsoft.
How do you manually check your system? Maybe I can learn from you or other Win 7 users before leaving for the Sysinternals Forums.
Dan Chang
April 19th, 2011 11:23am
Hi,
Based on my understanding, this utility is used to verify the files are digitally signed and dump version information.
For your question, I do not think this is a discrepancy. Windows 7 just does not show the digital signature in the file properties, and this is not equal to a file that has no digital signature. So far as I know, browser.dll is a catalog-signed file, and the system saves the digital signature in a catalog file. If you give an embedded signature to the file, the tab would appear.
You could refer to the following article:
Catalog Files and Digital Signatures
Since this is related to the Sysinternals utility, you could also post at the corresponding forum for further help:
Sysinternals Forums
Hope it helps.
Alex Zhao
April 19th, 2011 12:35pm
Hi,
If you type the following command in a command prompt, you could know that such files are catalog-signed:
sigcheck -i browser.dll
As far as I know, many files that ship with Windows are catalog-signed. Catalog-signing can improve system performance in some cases, but is particularly useful for signing non-executable files that have a file format that does not support embedding signature information.
Alex Zhao
April 20th, 2011 6:02am
Now, with your referenced command, it further proves the sigcheck utility knows where to find the catalog this file's signature belongs to. But I wonder how users can run hash calculations manually to check the hash fingerprint of the specific file.
Taking my captured sigcheck result as an example,
---------------------------------------------------
C:\Users\ABCD>sigcheck -i c:\windows\system32\browser.dll
Sigcheck v1.71 - File version and signature viewer
Copyright (C) 2004-2010 Mark Russinovich
Sysinternals - www.sysinternals.com
c:\windows\system32\browser.dll:
Verified: Signed
Catalog: C:\Windows\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\nt5.cat
Signers:
Microsoft Windows
Microsoft Windows Verification PCA
Microsoft Root Certificate Authority
Signing date: ?? 11:17 2009/7/14
Publisher: Microsoft Corporation
Description: ??????? DLL
Product: Microsoft® Windows® Operating System
Version: 6.1.7600.16385
File version: 6.1.7600.16385 (win7_rtm.090713-1255)
C:\Users\ABCD>sigcheck -i c:\windows\system32\sigverif.exe
Sigcheck v1.71 - File version and signature viewer
Copyright (C) 2004-2010 Mark Russinovich
Sysinternals - www.sysinternals.com
c:\windows\system32\sigverif.exe:
Verified: Signed
Catalog: C:\Windows\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\ntexe.cat
Signers:
Microsoft Windows
Microsoft Windows Verification PCA
Microsoft Root Certificate Authority
Signing date: ?? 11:17 2009/7/14
Publisher: Microsoft Corporation
Description: ??????
Product: Microsoft® Windows® Operating System
Version: 6.1.7600.16385
File version: 6.1.7600.16385 (win7_rtm.090713-1255)
-----------------------------------------
Sigcheck seems to back up its own words saying browser.dll is signed on 2009/7/14. But there are still pieces of the puzzle left:
1. I can replace a file in [system32], say d3dx10_34.dll, and then run (sigcheck -e -u c:\windows\system32). Sigcheck won't report that d3dx10_34.dll turned unsigned.
2. How can I manually check any file's signature, whether it has its own signature, which can be seen from Explorer, or it belongs to a cataloged package? For example, Sigcheck.exe has its digital signature field in Explorer's file properties; browser.dll belongs to nt5.cat. HashCalc can't open sigcheck.exe, sigverif.exe, and browser.dll for some reason.
3. Any way to check a cataloged package or the system kernels as a whole? For example, I ran HashCalc manually and found nt5.cat has an MD5 of #61a42ffd192d138e8467c8fc6457c040 and a SHA1 of #311cc06de6b6849fc62e7b520b1d2b34faa2c48f. Where do I verify them?
If you don't only count on sigcheck for system integrity, what other utilities do you use?
April 21st, 2011 1:34am
System integrity issue is too important to be overlooked. If you are interested but just have no clues either, show that it concerns you as well. Then, when I get updates somewhere else, I will post them here.
April 23rd, 2011 2:48am
See if this tool helps your cause
SignTool
http://msdn.microsoft.com/en-us/library/aa387764(v=vs.85).aspx
C:\>signtool.exe verify /a /ph /v c:\Windows\System32\browseui.dll
Verifying: c:\Windows\System32\browseui.dll
File is signed in catalog: C:\Windows\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Foundation-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat
Hash of file (sha1): F13A44AA93A2A0864867EB1347E733B69D6B841F
Signing Certificate Chain:
Issued to: Microsoft Root Certificate Authority
Issued by: Microsoft Root Certificate Authority
Expires: Mon May 10 04:58:13 2021
SHA1 hash: CDD4EEAE6000AC7F40C3802C171E30148030C072
Issued to: Microsoft Windows Verification PCA
Issued by: Microsoft Root Certificate Authority
Expires: Wed Mar 16 03:35:41 2016
SHA1 hash: 5DF0D7571B0780783960C68B78571FFD7EDAF021
Issued to: Microsoft Windows
Issued by: Microsoft Windows Verification PCA
Expires: Tue Mar 08 03:27:40 2011
SHA1 hash: 02ECEEA9D5E0A9F3E39B6F4EC3F7131ED4E352C4
The signature is timestamped: Sun Nov 21 01:07:13 2010
Timestamp Verified by:
Issued to: Microsoft Root Certificate Authority
Issued by: Microsoft Root Certificate Authority
Expires: Mon May 10 04:58:13 2021
SHA1 hash: CDD4EEAE6000AC7F40C3802C171E30148030C072
Issued to: Microsoft Time-Stamp PCA
Issued by: Microsoft Root Certificate Authority
Expires: Sat Apr 03 18:33:09 2021
SHA1 hash: 375FCB825C3DC3752A02E34EB70993B4997191EF
Issued to: Microsoft Time-Stamp Service
Issued by: Microsoft Time-Stamp PCA
Expires: Tue Jul 26 00:52:50 2011
SHA1 hash: 56E832A33DDC8CF2C916DA7CBB1175CBACABAE2C
Embedded page hashes:
0x00000000 D8AAAFEE1209870AEBA785CB73D1848EA8525064
0x00000400 5C5B7B184C40A3A0DC6D0703B50C611EF4E08B7E
0x00001400 0F35FB3E7D145FC4085E574C355FF0759E421707
0x00001e00 3662FC4154B6997A19B0047EED21318013903948
0x00002800 688D2A5A924423103A5FDEC8E4BA865BB28C8023
0x00002e00 29B475CEE1B3982288F1B067476ED006E8EF673B
0x00003000 8EE21D60E463900FEF40DD1334915CA5A866DFA9
0x00003600 0B37FB0E43E932DD773CCB4CB99B660E79AA0C57
0x00003800 0000000000000000000000000000000000000000
Successfully verified: c:\Windows\System32\browseui.dll
Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
Sumesh P - Microsoft Online Community Support
April 28th, 2011 12:51pm
Hi Sumesh:
I see your advice as a leap forward toward resolving my questions. I will download the SDK and give it a try ASAP. In the meantime, I compared my [C:\Windows\System32\browseui.dll] to your posted hashes, and here are my findings and questions:
My [System32\browseui.dll] has a SHA1 hash of 16c76d9b6ba58f95aceb865e94f3e0b8811215d9. How do I check it against your posted result? Is the SHA1 hash F13A44AA93A2A0864867EB1347E733B69D6B841F for the file browseui.dll itself or for its catalog Microsoft-Windows-Foundation-Package~~~~6.1.7601.17514.cat?
Do you know how to verify browseui.dll's hash against Microsoft's officially published hash? How do I do a version control check to make sure no older version overwrites a newer one (i.e., DLL Hell), even if they are both signed?
April 29th, 2011 12:51am
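Two questions keep coming back in this thread: how to tell an embedded signature from a catalog one (the April 21 post) and which hash signtool is printing (the April 29 post). Both can be answered from PowerShell, with three things worth knowing first. Signtool's "Hash of file (sha1)" is the Authenticode hash of the PE image, computed with the checksum field and the certificate table left out; that is the value stored in the catalog and matched at verification time, so it will never equal the flat-file SHA1 that HashCalc or FCIV produce, and comparing F13A... with 16c76... tells you nothing (the two files are different builds anyway, 6.1.7601.17514 against 6.1.7600). On 64-bit Windows, a 32-bit tool that opens C:\Windows\System32 is silently redirected to SysWOW64 and hashes a different file, so run hash tools from the 64-bit PowerShell. And sigcheck's -e switch scans executable images only, so a placeholder file that is not a valid PE image is skipped rather than reported, which is one possible reading of the replaced d3dx10_34.dll not being flagged. The function below is an added example, not code from the thread or from Sysinternals. It needs PowerShell 4.0 or later for the SignatureType property; as far as I know, the Windows 7 era PowerShell 2.0 does not consult catalogs in Get-AuthenticodeSignature and reports a catalog-signed file as NotSigned, the same blind spot as Explorer's property sheet.

```powershell
# Added example, not code from the thread. For each file: flat SHA-256 of the bytes
# on disk (the kind of hash HashCalc/FCIV compute), the Authenticode status, and
# whether the signature is embedded in the file or held in a catalog under CatRoot.
# Requires PowerShell 4.0 or later for the SignatureType property.

function Get-FileSignatureReport {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$Path
    )
    $sha256 = [System.Security.Cryptography.SHA256]::Create()

    foreach ($item in Get-Item -LiteralPath $Path) {
        # FileShare.ReadWrite lets the read succeed even while the OS has the DLL open.
        $stream = [System.IO.File]::Open($item.FullName, 'Open', 'Read', 'ReadWrite')
        try {
            $digest = $sha256.ComputeHash($stream)
        } finally {
            $stream.Dispose()
        }

        $sig = Get-AuthenticodeSignature -FilePath $item.FullName
        $signer = $null
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

        [pscustomobject]@{
            File          = $item.FullName
            FileVersion   = $item.VersionInfo.FileVersion
            Sha256        = (($digest | ForEach-Object { $_.ToString('x2') }) -join '')
            # Valid, NotSigned, HashMismatch (file changed after it was signed), ...
            Status        = $sig.Status
            # Authenticode = embedded in the file (Explorer shows a Digital Signatures tab),
            # Catalog = held in a .cat file like nt5.cat, None = no signature found
            SignatureType = $sig.SignatureType
            Signer        = $signer
        }
    }
}

# Usage: the two files from the thread, then every DLL in System32 that does not verify.
# Run from the 64-bit PowerShell so System32 is not redirected to SysWOW64.
# Get-FileSignatureReport "$env:SystemRoot\System32\browser.dll", "$env:SystemRoot\System32\sigverif.exe" | Format-List
# Get-FileSignatureReport (Get-ChildItem "$env:SystemRoot\System32\*.dll").FullName |
#     Where-Object { $_.Status -ne 'Valid' } | Format-Table File, Status, SignatureType -AutoSize
```

A file swapped for a non-PE placeholder comes back with Status NotSigned and SignatureType None, and a signed file whose bytes were altered after signing comes back as HashMismatch; both are the cases the thread's sigcheck -e -u run did not surface.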
TechNet Moderator Sumesh P - MSFT suggested I use Signtool. Also, I received an email from Microsoft Taiwan saying that I can try the Fciv (i.e., File Checksum Integrity Verifier) utility 2.05 (see Microsoft Support KB841290).
Signtool will show the SHA1 hash as well as other signature info for the specified files. Fciv can generate MD5 or SHA1 hashes for the specified files, and it can output hashes to the screen or to an XML file/database for future comparison. I believe Fciv's function is similar to fsum.exe to some extent. With these handy tools, I am a step closer to manually checking system file integrity. A key question still needs an answer though:
For the integrity check of the newly installed Win 7 6.1.7600, or Win 7 SP1, or uninstalled DVD files, where to check with a known good XML posted on Microsoft Official sites?
System integrity is simply too important to be compromised. Does anyone care about it or know the answer?
My other posts regarding the same nature of this question:
--------------------------------------------------------------------
1. http://forum.sysinternals.com/system-utility-for-system-integrity-check_topic25633.html
2. http://answers.microsoft.com/en-us/windows/forum/windows_7-windows_install/how-to-authenticate-windows-7-installation-dvds/905d1deb-7566-e011-8dfc-68b599b31bf5
May 4th, 2011 5:06am
We don't have file-level hashes published. You will have to create an XML yourself and compare it against a known good copy using the above tools.
Sumesh P - Microsoft Online Community Support
May 5th, 2011 8:21am
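Sumesh's "create an XML yourself and compare it against a known good copy" is what FCIV's XML database does; the same procedure in PowerShell, as an added example that is not from the thread, from Microsoft or from FCIV, records the SHA-256 and the file version of every file under a root, so a later comparison reports added, removed and modified files and, for a modified file, shows whether the version went forward or backward (the DLL Hell question from April 29). It needs PowerShell 4.0 or later for Get-FileHash; the baseline path C:\Baselines\... is a placeholder. Two caveats carry over from the thread: the result is only as trustworthy as the image the baseline was taken from, and a baseline belongs to one build and architecture, so a 6.1.7600 baseline will list every file SP1 touched as modified.

```powershell
# Added example, not code from the thread. Baseline-and-compare of a directory tree
# in PowerShell (4.0 or later for Get-FileHash), in place of FCIV's XML database.

function New-FileBaseline {
    param(
        [Parameter(Mandatory = $true)][string]$Root,     # e.g. C:\Windows\System32 on a trusted image
        [Parameter(Mandatory = $true)][string]$OutFile   # XML written by Export-Clixml
    )
    $prefix = $Root.TrimEnd('\').Length + 1
    $entries = @(Get-ChildItem -LiteralPath $Root -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                # Root-relative path, so a baseline taken on one machine applies to another
                RelativePath = $_.FullName.Substring($prefix)
                Sha256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                FileVersion  = $_.VersionInfo.FileVersion   # $null for files without a version resource
                Length       = $_.Length
            }
        })
    $entries | Export-Clixml -LiteralPath $OutFile
    return $entries.Count
}

function Compare-FileBaseline {
    param(
        [Parameter(Mandatory = $true)][string]$BaselineFile,
        [Parameter(Mandatory = $true)][string]$Root
    )
    # Hashtable keys are case-insensitive by default, which suits Windows paths
    $baseline = @{}
    foreach ($e in Import-Clixml -LiteralPath $BaselineFile) { $baseline[$e.RelativePath] = $e }
    $prefix = $Root.TrimEnd('\').Length + 1
    $seen = @{}

    Get-ChildItem -LiteralPath $Root -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $rel = $_.FullName.Substring($prefix)
        $seen[$rel] = $true
        $old = $baseline[$rel]
        if (-not $old) {
            [pscustomobject]@{ Change = 'Added'; Path = $rel; Detail = $_.VersionInfo.FileVersion }
        } else {
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            if ($hash -ne $old.Sha256) {
                # Same name, different bytes. The version pair separates a legitimate update
                # from a replaced file or from an older build written over a newer one.
                [pscustomobject]@{
                    Change = 'Modified'
                    Path   = $rel
                    Detail = "version $($old.FileVersion) -> $($_.VersionInfo.FileVersion)"
                }
            }
        }
    }
    foreach ($rel in $baseline.Keys) {
        if (-not $seen.ContainsKey($rel)) {
            [pscustomobject]@{ Change = 'Removed'; Path = $rel; Detail = $baseline[$rel].FileVersion }
        }
    }
}

# Usage: take the baseline on a freshly built, trusted install, then compare later.
# New-FileBaseline -Root "$env:SystemRoot\System32" -OutFile C:\Baselines\System32-6.1.7600.xml
# Compare-FileBaseline -BaselineFile C:\Baselines\System32-6.1.7600.xml -Root "$env:SystemRoot\System32" |
#     Format-Table -AutoSize
```

Keep the baseline XML off the machine it describes, or at least somewhere the account being audited cannot write, since a baseline that can be regenerated by whoever replaced the file proves nothing. Expect a few Modified entries under System32 that are not tampering (files that Windows rewrites in normal use); the version column is what separates those from a swapped DLL.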
What's the point of letting users assume the initially self-created XML is good and then use it as a base for comparison? Publicly releasing some known good XMLs (e.g., installation DVD, newly installed Win7, Win7 SP1) can really help users build their confidence in Microsoft systems.
May 6th, 2011 4:05am
Hi Sumesh,
You can't deny that users' self-created, assumed-good XML may not be useful in case of embedded fraud or defective files. Without a valid known good base XML, all those signature and FCIV tools won't help much in identifying the problems.
Are you from Microsoft technical support? Since you can't find any officially published XMLs, is it possible to escalate this to Microsoft R&D engineers?
I appreciate your help.
Dan Chang
May 10th, 2011 5:06am
I understand your concern there. However, the only option here seems to be comparing against a freshly built image from a trusted ISO.
Most of the job of keeping system integrity is done by SFC; I have tested and confirmed that
SFC replaces system files if they are modified
SFC uses hashes to check file integrity (based on the log)
Not sure why it wouldn't detect the replaced file in your case. If you want to dig into that, you will have to open a case with our support team to review the relevant logs.
Also remember that an easier and recommended approach to identify malware is by using an antivirus solution rather than manually checking file integrity.
Another utility of interest is Checksur; it scans a specific spectrum of system files.
Description of the System Update Readiness Tool for Windows Vista, for Windows Server 2008, for Windows 7, and for Windows Server 2008 R2
http://support.microsoft.com/kb/947821
If you need assistance in reviewing the situation with a more in-depth level of support, please visit the link below to see the various paid support options that are available to better meet your needs.
http://support.microsoft.com/default.aspx?id=fh;en-us;offerprophone
Sumesh P - Microsoft Online Community Support
May 12th, 2011 7:05am
I bought 32-bit and 64-bit Win 7 DVDs. If there is an officially published hashes XML for the ISO image or installation DVD files, it definitely will serve to some degree the purpose of system integrity CHECKABILITY. But so far I found no answers in "How to authenticate Windows 7 installation DVDs before installing the system?" (http://answers.microsoft.com/en-us/windows/forum/windows_7-windows_install/how-to-authenticate-windows-7-installation-dvds/905d1deb-7566-e011-8dfc-68b599b31bf5)
Before reporting the anomaly I found to the Microsoft support team, I can't even tell if d3dx10_34.dll in [system32] is supposed to be protected by SFC or WRP. SFC's cbs.log won't tell what files have been scanned, nor can I manually check/audit these files' hashes. And I know at least some system kernel-level files won't be scanned by Sigverif. Sigcheck will thoroughly scan files in the specified directory though.
I am escalating this question to secure@microsoft.com. Your dedicated help is noted and highly appreciated.
May 12th, 2011 11:02pm
MSDN subscriber downloads do provide ISO-level hash information:
https://msdn.microsoft.com/en-us/subscriptions/securedownloads/default.aspx
While it is for the ISOs downloaded online, you may be able to match it with your DVD (RTM/SP1); of course, you'll have to create an ISO of your DVD first. [I have not tried or tested it btw]
Sumesh P - Microsoft Online Community Support
May 13th, 2011 1:05am
Hopefully, we will get a definitive answer from secure@microsoft.com soon, especially regarding any possible differences between the US (English) version and international versions because of possible license restrictions such as encryption export restrictions.
May 13th, 2011 2:15am