Windows Sysinternals Administrator's Reference: Security Utilities

  • 6/15/2011
This chapter from Windows Sysinternals Administrator's Reference describes a set of Sysinternals utilities focused on Microsoft Windows security management and operations.
  • SigCheck is a console utility for verifying file digital signatures, listing file hashes, and viewing version information.

  • AccessChk is a console utility for searching for objects—such as files, registry keys, and services—that grant permissions to specific users or groups, as well as providing detailed information on permissions granted.

  • AccessEnum is a GUI utility that searches a file or registry hierarchy and identifies where permissions might have been changed.

  • ShareEnum is a GUI utility that enumerates file and printer shares on your network and who can access them.

  • ShellRunAs is a shell extension that restores the ability to run a program under a different user account on Windows Vista.

  • Autologon is a GUI utility that lets you configure a user account for automatic logon when the system boots.

  • LogonSessions is a console utility that enumerates active Local Security Authority (LSA) logon sessions on the current computer.

  • SDelete is a console utility for securely deleting files or folder structures and erasing data in unallocated areas of the hard drive.

SigCheck

SigCheck is a multipurpose console utility for performing security-related functions on one or more files or a folder hierarchy. Its primary purpose is to verify whether files are digitally signed with a trusted certificate. As Figure 8-1 shows, SigCheck can also report catalog and image signer information, calculate file hashes using several hash algorithms, and display extended version information. It can also display a file’s embedded manifest, scan folders for unsigned files, and report results in comma-separated value (CSV) format.

Figure 8-1 Output from sigcheck –a –i –h c:\windows\explorer.exe.

A digital signature associated with a file helps to ensure the file’s authenticity and integrity. A verified signature demonstrates that the file came from the owner of the code-signing certificate and that the file has not been modified since its signing. The assurance provided by a code-signing certificate depends largely on the diligence of the certification authority (CA) that issued the certificate to authenticate the proposed owner, on the diligence of the certificate owner to protect the certificate’s private key from disclosure, and on the verifying system not allowing the installation of rogue root CA certificates.

As part of the cost of doing business and providing assurance to customers, most legitimate software publishers will purchase a code-signing certificate from a legitimate CA, such as VeriSign or Thawte, and sign the files they distribute to customer computers. The lack of a valid signature on an executable file that purports to be from a legitimate publisher is reason for suspicion.

SigCheck’s command-line parameters provide numerous options for performing verifications, specifying the files to scan, and formatting output. The syntax is shown here, followed by Table 8-1, which provides a summary of the parameters:

sigcheck.exe [-e] [-s] [-i] [-r] [-u] [-c catalogFile] [-a] [-h] [-m] [-n] [-v] [-q] target

Table 8-1 SigCheck Command-Line Parameters

Parameter   Description

target      Specifies the file or directory to process. It can include wildcard characters.

Signature Verification
–i          Shows the catalog name and image signers.
–r          Checks for certificate revocation.
–u          Reports unsigned files only, including files that have invalid signatures.
–c          Looks for a signature in the specified catalog file.

Which Files to Scan
–e          Scans executable files only. (It looks at the file headers, not the extension, to determine whether a file is an executable.)
–s          Recurses subdirectories.

Additional File Information
–a          Shows extended version information.
–h          Shows file hashes.
–m          Shows the manifest.
–n          Shows the file version number only.

Output Format
–v          CSV output (not compatible with –i or –m).
–q          Quiet (suppresses the banner).

The target parameter is the only required one. It can specify a single file, such as explorer.exe; it can specify multiple files using a wildcard, such as *.dll; or it can specify a folder, using relative or absolute paths. If you specify a folder, SigCheck scans every file in the folder. The following command scans every file in the current folder:

sigcheck .

Signature Verification

Without further parameters, SigCheck reports the following for each file scanned:

  • Verified If the file has been signed with a code-signing certificate that derives from a root certification authority that is trusted on the current computer, and the file has not been modified since its signing, this field reports Signed. If it has not been signed, this field reports Unsigned. If it has been signed but there are problems with the signature, those problems are noted. Problems can include the following: the signing certificate was outside its validity period at the time of the signing; the root authority is not trusted (which can happen with a self-signed certificate, for example); the file has been modified since signing.

  • Signing date Shows the date on which the file was signed. This field shows n/a if the file has not been signed.

  • Publisher The Company Name field from the file’s version resource, if found.

  • Description The Description field from the file’s version resource, if found.

  • Product The Product Name field from the file’s version resource, if found.

  • Version The Product Version field from the file’s version resource, if found. Note that this is from the string portion of the version resource, not the binary value that is used for version comparison.

  • File version The File Version field from the file’s version resource, if found. Note that this, too, is from the string portion of the version resource.

To show additional signature details, add –i to the command line. Using this parameter shows the following two additional fields if the file’s signature is valid:

  • Catalog Reports the file in which the signature is stored. In many cases, the file indicated will be the same as the file that was signed. However, if the file was catalog-signed, the signature will be stored in a separate, signed catalog file. Many files that ship with Windows are catalog-signed. Catalog-signing can improve performance in some cases, but it’s particularly useful for signing nonexecutable files that have a file format that does not support embedding signature information.

  • Signers Shows the Subject CN name from the code-signing certificate and from the CA certificates in its chain.

By default, SigCheck does not check whether the signing certificate has been revoked by its issuer. To verify that the signing certificate and the certificates in its chain have not been revoked, add –r to the command line. Note that revocation checking can add significant network latency to the signature check, because SigCheck has to query certificate revocation list (CRL) distribution points.

To focus your search only for unsigned files, add –u to the command line. SigCheck then scans all specified files, but it reports only those that are not signed or that have signatures that cannot be verified.

Windows maintains a database of signature catalogs to enable quick lookup of signature information based on a file hash. If you want to verify a file against a catalog file that is not registered in the database, specify the catalog file on the SigCheck command line with the –c option.

Which Files to Scan

Most nonexecutable files are not digitally signed with code-signing certificates. Some nonexecutable files that ship with Windows and that are never modified might be catalog-signed, but data files that can be updated—including initialization files, registry hive backing files, document files, and temporary files—are never code-signed. If you scan a folder that contains a large number of such files, you might have difficulty finding the unsigned executable files that are usually of greater interest. To filter out these false positives, you could search just for *.exe, then *.dll, then *.ocx, then *.scr, and so on. The problem with that approach isn’t all the extra work or that you might miss an important extension. The problem is that an executable file with a .tmp extension, or any other extension, or no extension at all can still be launched! And malware authors often hide their files from inspection by masquerading under apparently innocuous file extensions.

So instead of filtering on file extensions, add –e to the SigCheck command line to scan only executable files. When you do, SigCheck will verify whether the file is an executable before verifying its signature and ignore the file if it’s not. Specifically, SigCheck checks whether the first two bytes are MZ. All 16-bit, 32-bit, and 64-bit Windows executables—including applications, DLLs, and system drivers—begin with these bytes. SigCheck ignores the file extension, so executables masquerading under other file extensions still get scanned.
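The header test described above is simple enough to reproduce outside SigCheck. The following is an added example, not code from the book or from the Sysinternals tool: it applies the same rule SigCheck uses with –e (first two bytes equal to MZ, extension ignored) across a folder tree, the way –e –s would, and shows that a renamed executable is caught while a file that merely carries an .exe extension is not. All sample files are constructed in a temporary folder; the function names are this example's own.

```python
"""Executable detection by file header rather than extension.

Added example (not part of the Sysinternals book or the SigCheck tool):
reproduces the filter SigCheck applies with -e, which looks for the two
bytes "MZ" at the start of the file and ignores the extension entirely.
The sample files below are constructed in a temporary folder.
"""
import os
import tempfile

MZ = b"MZ"  # DOS header signature shared by 16-, 32- and 64-bit Windows images


def looks_executable(path):
    """Return True if the file starts with 'MZ', regardless of its name.

    Files shorter than two bytes, and files that cannot be opened, are
    treated as not executable rather than raising an exception.
    """
    try:
        with open(path, "rb") as f:
            return f.read(2) == MZ
    except OSError:
        return False


def find_executables(root, recurse=True):
    """Walk root (like SigCheck -e, plus -s when recurse is True) and return
    the sorted relative paths of files whose header says they are executables."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        if not recurse:
            dirnames[:] = []  # do not descend into subfolders
        for name in filenames:
            full = os.path.join(dirpath, name)
            if looks_executable(full):
                found.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(found)


def build_sample_tree():
    """Create a constructed folder with executables hiding under odd names."""
    root = tempfile.mkdtemp(prefix="sigcheck_e_")
    os.makedirs(os.path.join(root, "sub"))
    samples = {
        "tool.exe": MZ + b"\x90\x00" * 30,      # ordinary executable
        "update.tmp": MZ + b"\x90\x00" * 30,    # executable masquerading as a temp file
        "noext": MZ + b"\x90\x00" * 30,         # executable with no extension at all
        "fake.exe": b"not really a PE\r\n",     # .exe extension, but no MZ header
        "settings.ini": b"[section]\nkey=value\n",
        "empty.dat": b"",                       # shorter than two bytes
        "sub/plugin.dll": MZ + b"\x90\x00" * 30,
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel in find_executables(sample_root):
        print(rel)
```

Running the block lists noext, sub/plugin.dll, tool.exe and update.tmp; fake.exe is skipped because its header does not match, which is exactly why extension-based filtering is the wrong tool for this job.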

To search a folder hierarchy instead of a single folder, add –s to the SigCheck command line. SigCheck then scans files matching the target parameter in the folder specified by target parameter (or in the current folder if target doesn’t specify a folder) and in all subfolders. The following command scans all *.dll files in and under the C:\Program Files folder:

sigcheck -s "c:\program files\*.dll"

Additional File Information

Add the –a option to extract additional information from every file scanned. Adding –a augments the SigCheck output with these fields:

  • Strong Name If the file is a .NET assembly and has a strong-name signature, this field reports Signed; otherwise, it shows Unsigned. (.NET’s strong-name signing is independent of certificate-based code-signing and does not imply any level of trust.)

  • Original Name The Original Name field from the file’s version resource, if found.

  • Internal Name The Internal Name field from the file’s version resource, if found.

  • Copyright The Copyright field from the file’s version resource, if found.

  • Comments The Comments field from the file’s version resource, if found.

A hash is a statistically unique value generated from a block of data using a cryptographic algorithm, such that a small change in the data results in a completely different hash. Because a good hash algorithm makes it computationally infeasible using today’s technology to modify the data without modifying the hash, hashes can be used to detect changes to data from corruption or tampering. If you add the –h option, SigCheck calculates and displays hashes for the files it scans, using the MD5, SHA1 and SHA256 algorithms. These hashes can be compared to hashes calculated on a known-good system to verify file integrity. Of the three, rely on the SHA256 value for such comparisons: practical collision attacks have been demonstrated against both MD5 and SHA1, so a match on those alone is not proof that a file is unmodified. Hashes are useful for files that are unsigned, but that have known master versions. Also, some file-verification systems rely on hashes instead of signatures.
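The comparison against a known-good system described above is usually done by exporting hashes from a trusted build and diffing them against a scan of the suspect machine. The following added example (not the book's or SigCheck's code) computes the same three digests SigCheck reports with –h and then compares a scan against a baseline on SHA256 alone, reporting files that were modified, files that are absent, and files that were never in the baseline. The "files" and the baseline are constructed byte strings; the function names are this example's own.

```python
"""File hashes and baseline comparison.

Added example (not part of the book or of SigCheck): computes the same
three digests SigCheck -h reports and compares them with a known-good
baseline the way an analyst would after exporting hashes from a trusted
build. The baseline and the "scanned" file contents are constructed.
"""
import hashlib

ALGORITHMS = ("md5", "sha1", "sha256")


def hash_bytes(data):
    """Return a dict of hex digests (md5, sha1, sha256) for the given bytes."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def hash_file(path, chunk_size=1 << 20):
    """Hash a file incrementally so large binaries do not need to fit in memory."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def compare_to_baseline(observed, baseline):
    """Compare observed {path: {alg: hex}} with baseline {path: sha256 hex}.

    Only SHA-256 is compared: MD5 and SHA-1 are no longer collision
    resistant, so agreement on them is not evidence of integrity.
    Returns (modified, not_in_baseline, missing_on_disk), each sorted.
    """
    modified = sorted(p for p in observed if p in baseline
                      and observed[p]["sha256"].lower() != baseline[p].lower())
    unknown = sorted(p for p in observed if p not in baseline)
    absent = sorted(p for p in baseline if p not in observed)
    return modified, unknown, absent


def demo():
    """Constructed contents standing in for a known-good and a suspect system."""
    good = {
        "bin/a.exe": b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"A" * 100,
        "bin/b.dll": b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"B" * 100,
        "bin/c.sys": b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"C" * 100,
    }
    baseline = {p: hash_bytes(d)["sha256"] for p, d in good.items()}
    suspect = dict(good)
    suspect["bin/b.dll"] = good["bin/b.dll"][:-1] + b"X"  # a single byte patched
    del suspect["bin/c.sys"]                               # driver removed
    suspect["bin/d.tmp"] = b"MZ" + b"\x90" * 64            # new executable, never baselined
    observed = {p: hash_bytes(d) for p, d in suspect.items()}
    return compare_to_baseline(observed, baseline)


if __name__ == "__main__":
    modified, unknown, absent = demo()
    print("modified:", modified)
    print("not in baseline:", unknown)
    print("missing on disk:", absent)
```

A one-byte change in b.dll produces a completely different SHA256, so it lands in the modified list even though its size and name are unchanged; the unknown d.tmp is the kind of file the –e scan above would also surface.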

Application manifests are XML documents that can be embedded in application files. They were first introduced in Windows XP to enable the declaration of required side-by-side assemblies. Windows Vista and Windows 7 each extended the manifest file schema to enable an application to declare its compatibility with Windows versions and whether it requires administrative rights to run. The presence of a Windows Vista-compatible manifest also disables file and registry virtualization for the process. To dump a file’s embedded manifest, add –m to the SigCheck command line. Here is the output from SigCheck reporting its own manifest:

c:\program files\sysinternals\sigcheck.exe:
        Verified:       Signed
        Signing date:   19:14 6/7/2010
        Publisher:      Sysinternals - www.sysinternals.com
        Description:    File version and signature viewer
        Product:        Sysinternals Sigcheck
        Version:        1.70
        File version:   1.70
        Manifest:
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>

To output only the file’s version number, add –n to the SigCheck command line. SigCheck displays only the value of the File Version field in the file’s version resource, if found, and it displays n/a otherwise. This option can be useful in batch files, and it’s best used when specifying a single target file.

Command-line options, of course, can be combined. For example, the following command searches the system32 folder hierarchy for unsigned executable files, displaying hashes and detailed version information for those files:

sigcheck -u -s -e -a -h c:\windows\system32

Output Format

SigCheck normally displays its output as a formatted list, as shown in Figure 8-1. To report output as comma-separated values (CSVs) to enable import into a spreadsheet or database, add –v to the SigCheck command line. SigCheck outputs column headers according to the file information you requested through other command-line options, followed by a line of comma-separated values for each file scanned. Note that the –v option cannot be used with the –i or –m option.

You can suppress the display of the SigCheck banner with the –q option. Removing these lines can help with batch-file processing of SigCheck output as well as with CSV output.
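Once SigCheck output is in CSV form (typically produced with –q –v so that no banner lines precede the header row), the first triage step is to separate files whose signature verified from those that are unsigned and from those whose signature exists but failed verification. The following added example (not from the book or from SigCheck) does that over a constructed sample; the column names mirror the fields described in this chapter and are assumed rather than copied from a real SigCheck run, and the failure text in the Verified column is likewise constructed.

```python
"""Triage of SigCheck CSV output.

Added example (not from the book or from SigCheck): reads the kind of
comma-separated output produced by sigcheck -q -v, groups files by the
Verified column and lists the ones an analyst should look at first.
The sample is constructed; column names are assumed to mirror the fields
described in the chapter, and all paths, publishers and dates are fictional.
"""
import csv
import io

# Constructed sample: one verified signature, two unsigned files, and one
# file with a signature that did not verify (free-text problem in Verified).
SAMPLE_CSV = r"""Path,Verified,Date,Publisher,Description,Product,Version,File version
c:\program files\contoso\bin\core.dll,Signed,19:14 6/7/2010,Contoso Ltd,Core library,Contoso Suite,3.2,3.2.0.11
c:\program files\contoso\bin\helper.exe,Unsigned,n/a,Contoso Ltd,Helper,Contoso Suite,3.2,3.2.0.11
c:\program files\contoso\bin\cache.tmp,Unsigned,n/a,n/a,n/a,n/a,n/a,n/a
c:\program files\contoso\bin\update.exe,Signature present but root certificate is not trusted,10:02 3/1/2011,Contoso Ltd,Updater,Contoso Suite,3.3,3.3.0.1
"""


def parse_sigcheck_csv(text):
    """Parse CSV text into a list of dict rows keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def triage(rows):
    """Split rows into signed, unsigned and signature-problem buckets.

    SigCheck reports 'Signed' only when the chain verifies and the file is
    unmodified, so anything that is neither 'Signed' nor 'Unsigned' is a
    signature that exists but did not verify; those deserve the closest look.
    """
    buckets = {"signed": [], "unsigned": [], "problem": []}
    for row in rows:
        status = row["Verified"].strip()
        if status == "Signed":
            key = "signed"
        elif status == "Unsigned":
            key = "unsigned"
        else:
            key = "problem"
        buckets[key].append(row["Path"])
    return buckets


def claimed_publisher_without_valid_signature(rows):
    """Files that are not verified yet name a publisher in their version resource.

    The Publisher column comes from the file's own version resource, which
    anyone can write, so an unverified file claiming a known publisher is the
    case the chapter calls grounds for suspicion.
    """
    return [r["Path"] for r in rows
            if r["Verified"].strip() != "Signed"
            and r["Publisher"].strip() not in ("", "n/a")]


if __name__ == "__main__":
    parsed = parse_sigcheck_csv(SAMPLE_CSV)
    for bucket, paths in triage(parsed).items():
        print(bucket, paths)
    print("suspicious:", claimed_publisher_without_valid_signature(parsed))
```

Because csv.DictReader keys rows by the header line, the same code works whatever extra columns –a or –h add, as long as Path, Verified and Publisher are present.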