Topic: DONE: Tool that lists digitally signed files from a folder/disk  (Read 97606 times)

skwire

  • Global Moderator
  • Joined in 2005
  • *****
  • Posts: 5,286
Re: DONE: Tool that lists digitally signed files from a folder/disk
« Reply #50 on: June 22, 2015, 07:59 PM »
Hi, telealex, and welcome to the DonationCoder site.  I'm on holiday this week but I'll try to take a closer look at your post when I get back.

telealex

  • Participant
  • Joined in 2015
  • *
  • Posts: 2
Re: DONE: Tool that lists digitally signed files from a folder/disk
« Reply #51 on: June 27, 2015, 09:10 AM »
> Hi, telealex, and welcome to the DonationCoder site.  I'm on holiday this week but I'll try to take a closer look at your post when I get back.
many thanks

neverlight

  • Participant
  • Joined in 2012
  • *
  • Posts: 25
Re: DONE: Tool that lists digitally signed files from a folder/disk
« Reply #52 on: July 06, 2015, 03:42 AM »
@skwire, There's also a new version of Sigcheck as of March 10, 2015.  ;)

This release of Sigcheck, a command-line tool that reports file version, code signing, and hash information, introduces import-hash reporting and support for files larger than 4 GB.



Kind regards,
Marius

pstein

  • Participant
  • Joined in 2007
  • *
  • Posts: 32
Re: DONE: Tool that lists digitally signed files from a folder/disk
« Reply #53 on: August 10, 2015, 11:50 PM »
I started newest SigCheck GUI for all running processes and found some with a blue question mark.
Among them some important processes like lsass.exe, csrss.exe and spoolsv.exe

What does a blue question mark mean?

They are not checked in Virustotal. Why not?

I cannot open the file location: Why not?

How can I verify otherwise that they are the correct/correctly signed original binaries from Microsoft?

Peter

skwire

  • Global Moderator
  • Joined in 2005
  • *****
  • Posts: 5,286
Re: DONE: Tool that lists digitally signed files from a folder/disk
« Reply #54 on: August 11, 2015, 02:28 AM »
> What does a blue question mark mean?

In the Verified column, you should see some text.  "Signed" gets a green check mark; "Unsigned" gets a red exclamation point; "A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file." gets a yellow exclamation point.  Any other text in there gets a blue question mark.  One example I've seen is, "The timestamp signature and/or certificate could not be verified or is malformed."

> They are not checked in Virustotal. Why not?

Are you saying that none of your files have VirusTotal URLs listed?  If so, do you have the appropriate option checked in the Options tab?  FWIW, the VirusTotal URLs appear to be working fine for me under W7/64.  Which OS are you using? 

> I cannot open the file location: Why not?

This took some research but should be fixed in the latest version.  In a nutshell, on 64-bit versions of Windows, 32-bit applications such as AutoHotkey run inside WOW64 so calls to certain 64-bit files were getting automatically redirected to the c:\Windows\SysWOW64 folder.   :-\ :-\ :-\

> How can I verify otherwise that they are the correct/correctly signed original binaries from Microsoft?

Again, things appear to be working fine for me.  Which OS are you using?  Please note that I develop and test on Win7/64.  I sometimes test on XP if necessary.  I do not have W8 or W10.

Website | Download
v1.1.0 - 2015-08-11
    ! "Open file location" did not work properly for certain 64-bit files.
      (Thanks, pstein)


pstein

  • Participant
  • Joined in 2007
  • *
  • Posts: 32
Re: DONE: Tool that lists digitally signed files from a folder/disk
« Reply #55 on: August 11, 2015, 02:46 AM »
I am using 64 bit Win 7 pro.

I am using GUI version 1.0.9 and SigCheck v2.2. Are there any newer versions?
VirusChecks are performed for all but the blue items.

There is no comment, absolutely nothing in the line except the process name.

Have a look at the following snapshot:

[Attached image: SigcheckGUI Problem.png]

So again: Why do I get no further information?


skwire

  • Global Moderator
  • Joined in 2005
  • *****
  • Posts: 5,286
Re: DONE: Tool that lists digitally signed files from a folder/disk
« Reply #56 on: August 11, 2015, 02:56 AM »
> I am using GUI version 1.0.9 and SigCheck v2.2. Are there any newer versions?

Yes.  If you look at the bottom of my previous post, you'll see version 1.1.0.

> So again: Why do I get no further information?

*shrug* I don't know.  Are you running the application with administrator rights?  Please note that SigcheckGUI is just a front-end for the sigcheck.exe commandline program that you'll find in your SigcheckGUI folder.  You could try running sigcheck.exe directly on one of those files in question and see what it reports back.  I'd be interested to know.



pstein

  • Participant
  • Joined in 2007
  • *
  • Posts: 32
Re: DONE: Tool that lists digitally signed files from a folder/disk
« Reply #57 on: August 11, 2015, 05:44 AM »
Ok, with your new version v1.1 it works BUT

On page http://skwire.dcmemb...fp/?page=sigcheckgui
still only v1.0.9 is available and
on page

https://technet.micr...ernals/bb897441.aspx

Sigcheck (cmdline version from sysinternals) v2.2 is already available!

Your package contains only v2.1

Maybe there are problems with a changed API.

Can you check your GUI with the newest v2.2?
Peter

skwire

  • Global Moderator
  • Joined in 2005
  • *****
  • Posts: 5,286
Re: DONE: Tool that lists digitally signed files from a folder/disk
« Reply #58 on: August 11, 2015, 09:59 AM »
> On page http://skwire.dcmemb...fp/?page=sigcheckgui
> still only v1.0.9 is available and

Updated, thank you.

> Sigcheck (cmdline version from sysinternals) v2.2 is already available!
> Your package contains only v2.1

The EULA of the 2.2 version changed and I'm no longer allowed to distribute sigcheck.exe in the SigcheckGUI download zip.  However, you're free to download the new 2.2 version yourself and copy it into your SigcheckGUI folder.  FWIW, I can't seem to find a changelog for Sigcheck so I'm unsure as to what has changed in the 2.2 version.

pstein

  • Participant
  • Joined in 2007
  • *
  • Posts: 32
Re: DONE: Tool that lists digitally signed files from a folder/disk
« Reply #59 on: August 11, 2015, 01:20 PM »
> However, you're free to download the new 2.2 version yourself and copy it into your SigcheckGUI folder.

That's exactly what I did: But GUI v1.1 works only with SigCheck v2.1 and not v2.2

So something important must be changed. You should be able to find out what

skwire

  • Global Moderator
  • Joined in 2005
  • *****
  • Posts: 5,286
Re: DONE: Tool that lists digitally signed files from a folder/disk
« Reply #60 on: August 11, 2015, 01:35 PM »
> That's exactly what I did: But GUI v1.1 works only with SigCheck v2.1 and not v2.2

SigcheckGUI v1.1.0 works fine for me with sigcheck.exe v2.20 in the folder.   :huh:

pstein

  • Participant
  • Joined in 2007
  • *
  • Posts: 32
Re: DONE: Tool that lists digitally signed files from a folder/disk
« Reply #61 on: August 11, 2015, 01:46 PM »
.....except the blue icon lines which appear with v2.2 but not with v2.1

neverlight

  • Participant
  • Joined in 2012
  • *
  • Posts: 25
Re: DONE: Tool that lists digitally signed files from a folder/disk
« Reply #62 on: August 18, 2015, 04:10 PM »
I found one small issue. On the other hand, it might be intended (but limited) behavior.
To better illustrate this issue, please consider the following example: if I tick under "View" tab to display only "Signed" files then some cases are ignored. You will get the blue icon and this message under "Verified" : "A certificate was explicitly revoked by its issuer."
Thus, we have another category of files which are signed : "Revoked". This should be displayed under "View" tab. What do you think, @skwire ?  :-[

Additionally, please check my screenshot.


Kind regards,
Marius

skwire

  • Global Moderator
  • Joined in 2005
  • *****
  • Posts: 5,286
Re: DONE: Tool that lists digitally signed files from a folder/disk
« Reply #63 on: August 18, 2015, 04:25 PM »
> Thus, we have another category of files which are signed : "Revoked". This should be displayed under "View" tab. What do you think, @skwire ?

Well, I don't know.  I mean, I'm no expert regarding any of this but, without knowing the reason a signature was revoked, I'm not sure I'd put 'Revoked' on the same level as 'Signed'.  Maybe I'm wrong?

neverlight

  • Participant
  • Joined in 2012
  • *
  • Posts: 25
Re: DONE: Tool that lists digitally signed files from a folder/disk
« Reply #64 on: August 18, 2015, 04:30 PM »
Digital signatures get revoked for example when these are found to be malicious (but present a signature in order to be blacklisted, not by hash but by digital signature ; malicious/blacklisted vendor).

Kind regards,
Marius
« Last Edit: August 18, 2015, 04:57 PM by neverlight »

neverlight

  • Participant
  • Joined in 2012
  • *
  • Posts: 25
Re: DONE: Tool that lists digitally signed files from a folder/disk
« Reply #65 on: August 18, 2015, 04:48 PM »
Another ignored case is related to altered (signed) files (files that are digitally signed but altered by malicious applications, hex editors etc). These are files where digital signature does not verify.
These are listed under "Unsigned" -- not correct.  Perhaps this is another category of signed files : "Invalid".

Please check my screenshots.

Kind regards,
Marius
« Last Edit: August 18, 2015, 04:55 PM by neverlight »

neverlight

  • Participant
  • Joined in 2012
  • *
  • Posts: 25
Re: DONE: Tool that lists digitally signed files from a folder/disk
« Reply #66 on: October 01, 2015, 05:57 PM »
> .....except the blue icon lines which appear with v2.2 but not with v2.1
Did you try running 'SigcheckGUI' as Administrator?

The reason why I'm asking is because I noticed the following :
1. Right-click on 'sigcheck.exe' ~ Go to 'Compatibility' tab ~ Check 'Run this program as an administrator' ;
2. Run 'SigcheckGUI.exe' ~ You will notice that ALL files appear with a blue icon.
However, if you run 'SigcheckGUI.exe' as Administrator then the issue is gone.


Kind regards,
Marius

pstein

  • Participant
  • Joined in 2007
  • *
  • Posts: 32
Re: DONE: Tool that lists digitally signed files from a folder/disk
« Reply #67 on: November 14, 2015, 12:27 AM »
SigCheck GUI does not work with new sigcheck.exe v2.3!

After having downloaded the newest sigcheck.exe v2.3 from MS I copied it to the SigCheck GUI installation folder and started the GUI.

Then I scanned all currently running processes and found lots of processes with a blue question mark icon at the beginning of the line and empty columns.

It seems to me that SigCheck GUI v1.1.0 is incompatible with the sigcheck.exe v2.3 syntax

Could you fix this in a new version?

Thank you
Peter

skwire

  • Global Moderator
  • Joined in 2005
  • *****
  • Posts: 5,286
Re: DONE: Tool that lists digitally signed files from a folder/disk
« Reply #68 on: November 14, 2015, 08:00 PM »
> It seems to me that SigCheck GUI v1.1.0 is incompatible with the sigcheck.exe v2.3 syntax
> Could you fix this in a new version?

Works fine for me with v2.3.  Is this the same issue you reported when moving from sigcheck v2.1 to v2.2?  If so, are you running BOTH the sigcheck.exe AND SigcheckGUI.exe with administrator rights?  If you're not, follow the instructions in neverlight's last post and see if that solves the problem.

pstein

  • Participant
  • Joined in 2007
  • *
  • Posts: 32
Re: DONE: Tool that lists digitally signed files from a folder/disk
« Reply #69 on: November 15, 2015, 03:24 AM »
Hello skwire:
Yes, it seems to be the same issue as for v2.2. BUT:

Enabling "Run as Administrator" is NOT a solution!
Yes, of course, I enabled it for both programs but it didn't help.
I even disabled UAC completely - it didn't help.
Moreover: Assume missing the Administrator rights would be the culprit: Then it should not work with v2.1 either!
But everything works fine for v2.1. On the same machine for the same SigCheck GUI installation (but different sigcheck.exe)

At least I would expect some warning in SigCheck GUI like "Please run as Administrator" or "Warning: Run without Administrator rights".
But silently suppressing some information is not smart.

To give you an impression on how it looks like here I uploaded a snapshot:

http://www.picfront.org/d/9lXK

I would appreciate if you could fix the error.
Thank you

Ath

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 3,612
Re: DONE: Tool that lists digitally signed files from a folder/disk
« Reply #70 on: November 15, 2015, 04:12 AM »
I've been testing on Win10 here, with SigCheckGUI 1.1.0.1 with SigCheck 2.10.0.0 and SigCheck 2.30.0.0, and I can see no different results when checking all running processes. Only 3 unsigned executables, and the rest is all green checks and Signed in the appropriate column, and all columns filled as expected. I've tested with Checksums and VirusTotal checks enabled in consecutive runs, and both with and without Run as Administrator, while UAC is enabled and on the default level.

Might it be that G Data is interfering with SigCheckGUI/SigCheck while it is checking the files? I'm using Avast (Free) here, and that does not interfere AFAICS. You could try to disable G Data and see if that improves your scan-results, it could see the newer SigCheck version as an 'unknown' or 'unfamiliar' tool, and disallow or delay access resulting in intermittent failures during scanning.
(Experience has taught me over the years that disabling AV and similar tools solves a lot of intermittent and unexplained application failures, and there isn't much the application can do about that, as any workaround you devise comes back to bite you in your butt in the near future)


NB: This forum allows for in-message, on-forum, (image) attachments if you go to the Reply page or Preview your Quick Reply.

skwire

  • Global Moderator
  • Joined in 2005
  • *****
  • Posts: 5,286
Re: DONE: Tool that lists digitally signed files from a folder/disk
« Reply #71 on: November 15, 2015, 11:48 AM »
> Enabling "Run as Administrator" is NOT a solution!

Enough with the exclamation points.  They certainly don't inspire me to fix anything.

> Yes, of course, I enabled it for both programs but it didn't help.
> I even disabled UAC completely - it didn't help.
> Moreover: Assume missing the Administrator rights would be the culprit: Then it should not work with v2.1 either!
> But everything works fine for v2.1. On the same machine for the same SigCheck GUI installation (but different sigcheck.exe)

It might appear to be that simple.  However, because you run an anti-virus program which, usually, interferes with all running processes, this might not be the case.

> At least I would expect some warning in SigCheck GUI like "Please run as Administrator" or "Warning: Run without Administrator rights".
> But silently suppressing some information is not smart.

I do not suppress anything.  My application works as designed on my machine and on my XP virtual machine.  This makes it difficult to fix your reported issue.

> I would appreciate if you could fix the error.
> Thank you

What you need to realise is that this is a front-end for sigcheck.exe.  All I'm doing is "running" sigcheck.exe, just as you would in a DOS prompt on your system, and interpreting its output.  There is no programming voodoo I'm using here.  Past that, you are going to have to research and test why your system is getting this error.  You need to start up a DOS prompt and run the different sigcheck.exe versions on the processes you get the blue icon for and see if you can figure out why 2.1 works and 2.2/2.3 do not.

For the record, I can confirm that the input and output syntax between all three versions is the same.  I can also tell you that SigcheckGUI uses the following command-line switches:

  • -q -a (used always)
  • -h (used if the compute hash option is enabled)
  • -v (used if the query VirusTotal option is enabled)

So, a typical commandline for this might look like this:

"c:\path\to\sigcheck.exe" -q -a "c:\path\to\SomeExecutable.exe"

If you enable the other options, it would be like this:

"c:\path\to\sigcheck.exe" -q -a -h -v "c:\path\to\SomeExecutable.exe"

Of course, change the "c:\path\to" portions to match the paths on your system.


« Last Edit: February 11, 2016, 01:08 PM by skwire, Reason: Grammar fix. »
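
The following is an added example, not part of the thread and not SigcheckGUI's own code: it parses the text output of the command line given in reply #71 and sorts each file by its Verified text into the icon categories from reply #54, reporting the "revoked" status from reply #62 and rows with no fields separately. The sample output and its file names are constructed, and the "path:" line followed by indented "Field: value" lines is an assumption about sigcheck's text output.

```python
# Status strings quoted in the thread (replies #54 and #62).
EXPIRED = ("A required certificate is not within its validity period when "
           "verifying against the current system clock or the timestamp in "
           "the signed file.")
REVOKED = "A certificate was explicitly revoked by its issuer."
# Icons as described in reply #54; every other status gets the blue question mark.
ICONS = {"signed": "green check", "unsigned": "red exclamation",
         "expired": "yellow exclamation"}

def build_command(sigcheck, target, hashes=False, virustotal=False):
    """Argument list using only the switches listed in reply #71."""
    optional = (["-h"] if hashes else []) + (["-v"] if virustotal else [])
    return [sigcheck, "-q", "-a", *optional, target]

def parse_sigcheck(text):
    """Return {path: {field: value}} (assumed layout: 'path:' then indented fields)."""
    records, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace() and line.rstrip().endswith(":"):
            current = records.setdefault(line.rstrip()[:-1], {})
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return records

def classify(fields):
    """Map the Verified text to a category; revoked and empty rows are split out."""
    verified = fields.get("Verified", "")
    known = {"Signed": "signed", "Unsigned": "unsigned",
             EXPIRED: "expired", REVOKED: "revoked"}
    if not verified:
        return "no-output"  # row with nothing but the file name
    return known.get(verified, "other")

def triage(text):
    """Return {path: (category, icon)} for every file in the output."""
    result = {}
    for path, fields in parse_sigcheck(text).items():
        category = classify(fields)
        result[path] = (category, ICONS.get(category, "blue question mark"))
    return result

# Constructed sample output (not captured from a real system).
SAMPLE = (
    "c:\\tools\\good.exe:\n\tVerified:\tSigned\n\tPublisher:\tExample Corp\n"
    "c:\\tools\\plain.exe:\n\tVerified:\tUnsigned\n\tPublisher:\tn/a\n"
    "c:\\tools\\old.exe:\n\tVerified:\t" + EXPIRED + "\n"
    "c:\\tools\\revoked.exe:\n\tVerified:\t" + REVOKED + "\n"
    "c:\\tools\\odd.exe:\n\tVerified:\tThe timestamp signature and/or "
    "certificate could not be verified or is malformed.\n"
    "c:\\tools\\silent.exe:\n"
)

if __name__ == "__main__":
    for path, (category, icon) in triage(SAMPLE).items():
        print(f"{icon:20} {category:10} {path}")
```

Rows reported as "no-output" are the ones worth re-running by hand with the command from build_command, since they carry no status text to explain the blue icon.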

neverlight

  • Participant
  • Joined in 2012
  • *
  • Posts: 25
Re: DONE: Tool that lists digitally signed files from a folder/disk
« Reply #72 on: January 27, 2016, 12:25 PM »
"Copy files" action does not seem to work.  :huh:


Kind regards,
Marius

skwire

  • Global Moderator
  • Joined in 2005
  • *****
  • Posts: 5,286
Re: DONE: Tool that lists digitally signed files from a folder/disk
« Reply #73 on: February 11, 2016, 06:11 PM »
> "Copy files" action does not seem to work.  :huh:

Thanks, Marius.   :up:

Website | Download
v1.1.1 - 2016-02-11
    ! Copy files functionality was broken.  (Thanks, neverlight)


David.P

  • Supporting Member
  • Joined in 2008
  • **
  • Posts: 207
  • Ergonomics Junkie
Re: DONE: Tool that lists digitally signed files from a folder/disk
« Reply #74 on: June 26, 2016, 11:31 AM »
Hi forum and skwire,

thank you for the great GUI for Sigcheck!

I ran SigcheckGUI on all *.exe files on the hard drive, and with most of the files, I got a Virustotal result. However, for some files it would either not call Virustotal, or report "unknown" for the result, see below screenshot:



Is there anything I can do to check those files as well on a batch run of SigcheckGUI?

Thanks again,
David