How to manually check the integrity of WRP protected files and registry keys?
I installed Win7 64-bit Home Premium. I tried SFC first, but from the SFC log file I can't tell which files have been checked. Then I ran Sigverif; it gave me a list of checked files, but some kernel-level files are missing. Finally, Sigcheck will thoroughly scan all files in the specified directory and check for unsigned files. Sigcheck seemed perfect at one time but still does not go without problems. For example:

1. I was able to replace a medium-integrity-level dll file in the [system32] directory with a fake one, and Sigcheck will simply skip it without reporting any problem. Not sure why Windows Resource Protection didn't work.

2. I can't find the "Digital Signature" tab in the File Properties of [system32/browser.dll] from Explorer, but Sigcheck reported this file is signed on 2009/7/14. Why is there this Digital Signature discrepancy?
April 15th, 2011 11:00am

Hi,

Based on my understanding, this utility is used to verify that files are digitally signed and to dump version information. For your question, I do not think this is a discrepancy: Windows 7 just does not show the digital signature in a file's properties, and this is equal to a file having no digital signature. So far as I know, browser.dll is a catalog-signed file, and the system saves the digital signature in a catalog file. If you give an Embedded Signature to the file, the tab would appear. You could refer to the following article: Catalog Files and Digital Signatures

Since this is related to the Sysinternals utility, you could also post at the corresponding forum for further help: Sysinternals Forums

Hope it helps.

Alex Zhao

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
April 19th, 2011 5:39am

Hi Alex,

Thank you for attending to this problem. I have read your referenced article. I'm still not sure if browser.dll is part of a cataloged package though. I used EnhancedMySe7en to check the signatures of running processes and services. I am confused to see some processes and services not signed by Microsoft. How do you manually check your system? Maybe I can learn from you or other Win 7 users before leaving for the Sysinternals Forums.

Dan Chang
April 19th, 2011 11:23am

Hi,

Based on my understanding, this utility is used to verify that files are digitally signed and to dump version information. For your question, I do not think this is a discrepancy: Windows 7 just does not show the digital signature in a file's properties, and this is not equal to a file having no digital signature. So far as I know, browser.dll is a catalog-signed file, and the system saves the digital signature in a catalog file. If you give an Embedded Signature to the file, the tab would appear. You could refer to the following article: Catalog Files and Digital Signatures

Since this is related to the Sysinternals utility, you could also post at the corresponding forum for further help: Sysinternals Forums

Hope it helps.

Alex Zhao
April 19th, 2011 12:35pm

Hi,

If you type the following command in the command prompt, you could know whether such files are catalog-signed:

sigcheck -i browser.dll

As far as I know, many files that ship with Windows are catalog-signed. Catalog-signing can improve system performance in some cases, but is particularly useful for signing non-executable files that have a file format that does not support embedding signature information.

Alex Zhao
April 20th, 2011 6:02am

Now, with your referenced command, it further proves the sigcheck utility knows where to find the catalog this file's signature belongs to. But I wonder how users can run hash calculations manually to check the hash fingerprint of a specific file. Taking my captured sigcheck result as an example:

---------------------------------------------------
C:\Users\ABCD>sigcheck -i c:\windows\system32\browser.dll

Sigcheck v1.71 - File version and signature viewer
Copyright (C) 2004-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

c:\windows\system32\browser.dll:
        Verified:       Signed
        Catalog:        C:\Windows\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\nt5.cat
        Signers:
                Microsoft Windows
                Microsoft Windows Verification PCA
                Microsoft Root Certificate Authority
        Signing date:   ?? 11:17 2009/7/14
        Publisher:      Microsoft Corporation
        Description:    ??????? DLL
        Product:        Microsoft® Windows® Operating System
        Version:        6.1.7600.16385
        File version:   6.1.7600.16385 (win7_rtm.090713-1255)

C:\Users\ABCD>sigcheck -i c:\windows\system32\sigverif.exe

Sigcheck v1.71 - File version and signature viewer
Copyright (C) 2004-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

c:\windows\system32\sigverif.exe:
        Verified:       Signed
        Catalog:        C:\Windows\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\ntexe.cat
        Signers:
                Microsoft Windows
                Microsoft Windows Verification PCA
                Microsoft Root Certificate Authority
        Signing date:   ?? 11:17 2009/7/14
        Publisher:      Microsoft Corporation
        Description:    ??????
        Product:        Microsoft® Windows® Operating System
        Version:        6.1.7600.16385
        File version:   6.1.7600.16385 (win7_rtm.090713-1255)
-----------------------------------------

Sigcheck seems to back up its own words saying browser.dll is signed on 2009/7/14. But there are still pieces of the puzzle left:

1. I can replace a file in [system32], say d3dx10_34.dll, and then run sigcheck -e -u c:\windows\system32. Sigcheck won't report that d3dx10_34.dll turned unsigned.

2. How can I manually check any file's signature, whether it has its own signature, which can be seen from Explorer, or it belongs to a cataloged package? For example, Sigcheck.exe has its digital signature field in Explorer's file properties; browser.dll belongs to nt5.cat. HashCalc can't open sigcheck.exe, sigverif.exe, and browser.dll for some reason.

3. Any way to check a cataloged package or the system kernels as a whole? For example, I ran HashCalc manually and found nt5.cat has an MD5 of 61a42ffd192d138e8467c8fc6457c040 and a SHA1 of 311cc06de6b6849fc62e7b520b1d2b34faa2c48f. Where do I verify them?

If you don't only count on sigcheck for system integrity, what other utilities do you use?
April 21st, 2011 1:34am

The system integrity issue is too important to be overlooked. If you are interested but just have no clues either, show that it concerns you as well. Then, when I get updates somewhere else, I will post them here.
April 23rd, 2011 2:48am

See if this tool helps your cause: SignTool
http://msdn.microsoft.com/en-us/library/aa387764(v=vs.85).aspx

C:\>signtool.exe verify /a /ph /v c:\Windows\System32\browseui.dll

Verifying: c:\Windows\System32\browseui.dll
File is signed in catalog: C:\Windows\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Foundation-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat
Hash of file (sha1): F13A44AA93A2A0864867EB1347E733B69D6B841F

Signing Certificate Chain:
    Issued to: Microsoft Root Certificate Authority
    Issued by: Microsoft Root Certificate Authority
    Expires:   Mon May 10 04:58:13 2021
    SHA1 hash: CDD4EEAE6000AC7F40C3802C171E30148030C072

        Issued to: Microsoft Windows Verification PCA
        Issued by: Microsoft Root Certificate Authority
        Expires:   Wed Mar 16 03:35:41 2016
        SHA1 hash: 5DF0D7571B0780783960C68B78571FFD7EDAF021

            Issued to: Microsoft Windows
            Issued by: Microsoft Windows Verification PCA
            Expires:   Tue Mar 08 03:27:40 2011
            SHA1 hash: 02ECEEA9D5E0A9F3E39B6F4EC3F7131ED4E352C4

The signature is timestamped: Sun Nov 21 01:07:13 2010
Timestamp Verified by:
    Issued to: Microsoft Root Certificate Authority
    Issued by: Microsoft Root Certificate Authority
    Expires:   Mon May 10 04:58:13 2021
    SHA1 hash: CDD4EEAE6000AC7F40C3802C171E30148030C072

        Issued to: Microsoft Time-Stamp PCA
        Issued by: Microsoft Root Certificate Authority
        Expires:   Sat Apr 03 18:33:09 2021
        SHA1 hash: 375FCB825C3DC3752A02E34EB70993B4997191EF

            Issued to: Microsoft Time-Stamp Service
            Issued by: Microsoft Time-Stamp PCA
            Expires:   Tue Jul 26 00:52:50 2011
            SHA1 hash: 56E832A33DDC8CF2C916DA7CBB1175CBACABAE2C

Embedded page hashes:
    0x00000000 D8AAAFEE1209870AEBA785CB73D1848EA8525064
    0x00000400 5C5B7B184C40A3A0DC6D0703B50C611EF4E08B7E
    0x00001400 0F35FB3E7D145FC4085E574C355FF0759E421707
    0x00001e00 3662FC4154B6997A19B0047EED21318013903948
    0x00002800 688D2A5A924423103A5FDEC8E4BA865BB28C8023
    0x00002e00 29B475CEE1B3982288F1B067476ED006E8EF673B
    0x00003000 8EE21D60E463900FEF40DD1334915CA5A866DFA9
    0x00003600 0B37FB0E43E932DD773CCB4CB99B660E79AA0C57
    0x00003800 0000000000000000000000000000000000000000

Successfully verified: c:\Windows\System32\browseui.dll

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0

Sumesh P - Microsoft Online Community Support
April 28th, 2011 12:51pm
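The "Hash of file (sha1)" that signtool prints above is the Authenticode hash, which skips the PE header's CheckSum field, the Security data-directory entry and the certificate table itself, so it will never match a whole-file SHA-1 from a tool like HashCalc; and Explorer's Digital Signatures tab appears only when that certificate table is present, which it is not for a catalog-signed file. The Python below is added here, not code from the thread or from any Microsoft tool: it locates those fields, reports whether a file carries an embedded signature, and computes both hashes, self-testing on a constructed minimal PE image; it assumes the certificate table, when present, sits at the end of the file as the specification requires.

```python
import hashlib
import struct


def pe_layout(data: bytes) -> dict:
    """Offsets of the fields Authenticode skips (CheckSum and the Security data
    directory entry), plus SizeOfHeaders, the cert table and section raw ranges."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                   # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]               # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]          # SizeOfOptionalHeader
    opt = pe + 24                                                  # optional header start
    dirs = opt + (112 if struct.unpack_from("<H", data, opt)[0] == 0x20B else 96)
    sec_dir = dirs + 4 * 8                                         # IMAGE_DIRECTORY_ENTRY_SECURITY
    sections = [struct.unpack_from("<II", data, opt + opt_size + 40 * i + 16)[::-1]
                for i in range(nsec)]                              # (PointerToRawData, SizeOfRawData)
    return {"checksum": opt + 64, "sec_dir": sec_dir,
            "size_of_headers": struct.unpack_from("<I", data, opt + 60)[0],
            "cert": struct.unpack_from("<II", data, sec_dir), "sections": sorted(sections)}

def has_embedded_signature(data: bytes) -> bool:
    """True only when a WIN_CERTIFICATE table exists (Explorer's Digital Signatures tab)."""
    return all(pe_layout(data)["cert"])      # False for unsigned *and* catalog-signed files

def plain_hash(data: bytes, algo: str = "sha1") -> str:
    return hashlib.new(algo, data).hexdigest()          # whole-file hash, as HashCalc/fciv report

def authenticode_hash(data: bytes, algo: str = "sha1") -> str:
    """Hash as the Authenticode PE spec does: skip CheckSum, the Security
    directory entry and the certificate table; hash sections in file order."""
    lay = pe_layout(data)
    cs, sd, hdr_end = lay["checksum"], lay["sec_dir"], lay["size_of_headers"]
    h = hashlib.new(algo)
    h.update(data[:cs] + data[cs + 4:sd] + data[sd + 8:hdr_end])
    hashed = hdr_end
    for ptr, size in lay["sections"]:
        h.update(data[ptr:ptr + size])
        hashed += size
    if len(data) > hashed:                    # trailing data, minus the cert table at the end
        h.update(data[hashed:len(data) - lay["cert"][1]])
    return h.hexdigest()

def build_test_pe(embedded_sig: bool, checksum: int = 0) -> bytes:
    """Constructed minimal PE32+ image (one .text section, optional dummy
    WIN_CERTIFICATE table) for self-test only; not a real or loadable binary."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                           # PE32+ magic
    struct.pack_into("<I", opt, 60, 0x200)                          # SizeOfHeaders
    struct.pack_into("<I", opt, 64, checksum)                       # CheckSum
    struct.pack_into("<I", opt, 108, 16)                            # NumberOfRvaAndSizes
    cert = b""
    if embedded_sig:
        body = b"constructed dummy certificate, not a real PKCS#7 blob\0\0\0"
        cert = struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body
        struct.pack_into("<II", opt, 112 + 4 * 8, 0x400, len(cert))   # Security directory
    sec = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x200, 0x1000, 0x200, 0x200,
                                        0, 0, 0, 0, 0x60000020)
    hdr = dos + coff + bytes(opt) + sec
    return hdr + b"\0" * (0x200 - len(hdr)) + b"\xCC" * 0x200 + cert
```

Feeding a real catalog-signed file to authenticode_hash gives the value to compare with signtool's "Hash of file", but only for the same build: the catalog name in the output above is from 6.1.7601.17514, while the sigcheck output earlier in the thread shows a 6.1.7600.16385 system, so those two browseui.dll hashes are not expected to agree.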

Hi Sumesh,

I see your advice as a leap forward toward resolving my questions. I will download the SDK and give it a try ASAP. In the meantime, I compared my [C:\Windows\System32\browseui.dll] to your posted hashes, and here are my findings and questions:

My [System32\browseui.dll] has a SHA1 hash of 16c76d9b6ba58f95aceb865e94f3e0b8811215d9. How do I check it against your posted result? Is the SHA1 hash F13A44AA93A2A0864867EB1347E733B69D6B841F for the file browseui.dll itself or for its catalog Microsoft-Windows-Foundation-Package~~~~6.1.7601.17514.cat? Do you know how to verify browseui.dll's hash against Microsoft's officially published hash? How do I do a version control check to make sure no older version overwrites a newer one (i.e., DLL Hell) even if they are both signed?
April 29th, 2011 12:51am

I was advised to use Signtool by TechNet Moderator Sumesh P - MSFT. Also, I received an email from Microsoft Taiwan saying that I can try the Fciv (i.e., File Checksum Integrity Verifier) utility 2.05 (see Microsoft Support KB841290). Signtool will show the SHA1 hash as well as other signature info for the specified files. Fciv can generate MD5 or SHA1 hashes for the specified files, and it can output hashes to the screen or to an XML file/database for future comparison. I believe Fciv's function is similar to fsum.exe to some extent. With these handy tools, I am a step closer to manually checking system file integrity.

A key question still needs an answer though: for the integrity check of a newly installed Win 7 6.1.7600, or Win 7 SP1, or uninstalled DVD files, where can I check against a known good XML posted on Microsoft official sites? System integrity is simply too important to be compromised. Does anyone care about it or know the answer?

My other posts regarding the same nature of this question:
--------------------------------------------------------------------
1. http://forum.sysinternals.com/system-utility-for-system-integrity-check_topic25633.html
2. http://answers.microsoft.com/en-us/windows/forum/windows_7-windows_install/how-to-authenticate-windows-7-installation-dvds/905d1deb-7566-e011-8dfc-68b599b31bf5
May 4th, 2011 5:06am

We don't have file-level hashes published. You will have to create an XML yourself and compare it against a known good copy using the above tools.

Sumesh P - Microsoft Online Community Support
May 5th, 2011 8:21am
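The self-made baseline that Sumesh describes above is what FCIV keeps in its XML database; the Python below, added here and not FCIV or any Microsoft code, implements the same idea with its own XML layout (an assumption, not FCIV's format) and SHA-256 in place of FCIV's MD5/SHA-1, so the snapshot of a fresh install can later be diffed against the live tree.

```python
import hashlib
import os
import xml.etree.ElementTree as ET


def hash_tree(root: str, algo: str = "sha256") -> dict:
    """Hash every regular file under root.  Keys are root-relative paths with
    forward slashes, lower-cased so NTFS case differences do not read as drift."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.new(algo)
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 20), b""):   # stream; files can be large
                    h.update(chunk)
            result[os.path.relpath(full, root).replace(os.sep, "/").lower()] = h.hexdigest()
    return result


def baseline_to_xml(hashes: dict, algo: str = "sha256") -> str:
    """Serialise a baseline.  The layout is this example's own, not FCIV's."""
    top = ET.Element("baseline", algo=algo)
    for path in sorted(hashes):
        ET.SubElement(top, "file", path=path, hash=hashes[path])
    return ET.tostring(top, encoding="unicode")


def xml_to_baseline(text: str) -> dict:
    """Parse a baseline written by baseline_to_xml back into a dict."""
    return {e.get("path"): e.get("hash") for e in ET.fromstring(text).iter("file")}


def compare(known_good: dict, current: dict) -> dict:
    """Diff two baselines: modified (hash changed), missing (only in the known-good
    set) and added (only in the current tree).  Only an all-empty report is a match."""
    return {
        "modified": sorted(p for p in known_good if p in current and known_good[p] != current[p]),
        "missing": sorted(p for p in known_good if p not in current),
        "added": sorted(p for p in current if p not in known_good),
    }


if __name__ == "__main__":
    import sys
    cmd, root = sys.argv[1], sys.argv[2]
    if cmd == "snapshot":                      # snapshot DIR  > baseline.xml
        print(baseline_to_xml(hash_tree(root)))
    elif cmd == "verify":                      # verify DIR baseline.xml
        with open(sys.argv[3], encoding="utf-8") as f:
            known_good = xml_to_baseline(f.read())
        for kind, paths in compare(known_good, hash_tree(root)).items():
            for p in paths:
                print(f"{kind}: {p}")
```

Take the snapshot on a system freshly installed from trusted media and keep the XML off the machine, as Sumesh suggests; a later verify run then lists only the drift, including a replaced file that sigcheck still reports as signed, which is the d3dx10_34.dll case raised earlier in the thread.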

What's the point of letting users assume the initially self-created XML is good and then use it as a base for comparison? Publicly releasing some known good XMLs (e.g., installation DVD, newly installed Win7, Win7 SP1) could really help users build their confidence in Microsoft systems.
May 6th, 2011 4:05am

Hi Sumesh,

You can't deny that users' self-created, assumed-good XML may not be useful in case of embedded fraud or defective files. Without a valid known good base XML, all those signature and FCIV tools won't help much in identifying the problems. Are you Microsoft technical support? Since you can't find any officially published XMLs, is it possible to escalate this to Microsoft R&D engineers? I appreciate your help.

Dan Chang
May 10th, 2011 5:06am

I understand your concern there. However, the only option here seems to be comparing against a freshly built image from a trusted ISO. Most of the job of keeping system integrity is done by SFC; I have tested and confirmed that SFC replaces system files if they are modified. SFC uses hashes to check file integrity (based on the log). Not sure why it wouldn't detect the replaced file in your case. If you want to dig into that you will have to open up a case with our support team to review the relevant logs. Also remember that an easier and recommended approach to identify malware is using an AntiVirus solution rather than manually checking file integrity.

Another utility of interest to you is Checksur; it scans a specific spectrum of system files.
Description of the System Update Readiness Tool for Windows Vista, for Windows Server 2008, for Windows 7, and for Windows Server 2008 R2
http://support.microsoft.com/kb/947821

If you need assistance in reviewing the situation with a more in-depth level of support, please visit the link below to see the various paid support options that are available to better meet your needs.
http://support.microsoft.com/default.aspx?id=fh;en-us;offerprophone

Sumesh P - Microsoft Online Community Support
May 12th, 2011 7:05am

I bought 32-bit and 64-bit Win 7 DVDs. If there were an officially published hashes XML for the ISO image or installation DVD files, it definitely would serve to some degree the purpose of system integrity CHECKABILITY. But so far I have found no answers in "How to authenticate Windows 7 installation DVDs before installing the system?" (http://answers.microsoft.com/en-us/windows/forum/windows_7-windows_install/how-to-authenticate-windows-7-installation-dvds/905d1deb-7566-e011-8dfc-68b599b31bf5)

Before reporting my found anomaly to the Microsoft support team, I can't even tell if d3dx10_34.dll in [system32] is supposed to be protected by SFC or WRP. SFC's cbs.log won't tell what files have been scanned, nor can I manually check/audit these files' hashes. And I know at least some system kernel-level files won't be scanned by Sigverif. Sigcheck will thoroughly scan files in the specified directory though. I am escalating this question to secure@microsoft.com. Your dedicated help is noted and highly appreciated.
May 12th, 2011 11:02pm

MSDN subscriber downloads does provide ISO-level hash information: https://msdn.microsoft.com/en-us/subscriptions/securedownloads/default.aspx

While it is for the ISOs downloaded online, you may be able to match it with your DVD (RTM/SP1); of course you'll have to create an ISO of your DVD first. [I have not tried or tested it btw]

Sumesh P - Microsoft Online Community Support
May 13th, 2011 1:05am

Hopefully, we will get a definitive answer from secure@microsoft.com soon, especially regarding any possible differences between the US (English) version and international versions because of possible license restrictions such as encryption export restrictions.
May 13th, 2011 2:15am

This topic is archived. No further replies will be accepted.