SigCheck.exe (SysInternals)

Display file version number, VirusTotal status, timestamp information, and digital signature details, including certificate chains.

Syntax
      sigcheck [-a][-h][-i][-e][-l][-n][[-s]|[-c|-ct]|[-m]][-q][-r][-u][-vt]
                  [-v[r][s]][-f catalog_file] file_or_directory

      sigcheck -d [-c|-ct] file_or_directory 

      sigcheck -o [-vt][-v[r]] sigcheck_csv_file

      sigcheck -t[u][v] [-i] [-c|-ct] <certificate_store_name | * >

Key:

   -a   Show extended version information.
        The entropy measure reported is the bits per byte of information of the file’s contents.
   -c   CSV output with comma delimiter
   -ct  CSV output with tab delimiter
   -d   Dump contents of a catalog file
   -e   Scan executable images only (regardless of their extension)
   -f   Look for signature in the specified catalog file
   -h   Show file hashes
   -i   Show catalog name and signing chain
   -l   Traverse symbolic links and directory junctions
   -m   Dump manifest
   -n   Only show file version number
   -o   Perform VirusTotal lookups of the hashes recorded in a CSV file previously produced by
        Sigcheck with the -h option. This usage is intended for scans of offline systems.
   -q   Quiet (no banner)
   -r   Disable check for certificate revocation
   -s   Recurse subdirectories
   -t[u][v]  Dump contents of specified certificate store ('*' for all stores).
             Specify -tu to query the user store (machine store is the default).
             Append '-v' to have Sigcheck download the trusted Microsoft root certificate list and only output
             valid certificates not rooted to a certificate on that list.
             If the site is not accessible, authrootstl.cab or authroot.stl in the current directory are used
             instead, if present.
   -u   If VirusTotal check is enabled, show files that are unknown by VirusTotal or have non-zero detection,
        otherwise show only unsigned files.
   -v[rs]    Query VirusTotal for malware based on file hash.
             Add 'r' to open reports for files with non-zero detection.
             Files reported as not previously scanned will be uploaded to VirusTotal if the 's' option is
             specified. Note scan results may not be available for five or more minutes.
   -vt   Accept the VirusTotal terms of service. Before using VirusTotal features, you must accept at least once.
         Without this option you may be interactively prompted if you haven't already accepted the terms.
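As an added illustration of the entropy figure that -a reports (example code, not part of the original page or of Sigcheck itself), the following Python computes Shannon entropy in bits per byte the same way: a file of identical bytes scores 0.0, uniformly random bytes score 8.0, and compressed, packed or encrypted content sits near the top of that range. The 7.0 "high entropy" threshold is an assumption chosen for this example, not a Sigcheck value.

```python
import math
import sys
from collections import Counter

# Heuristic threshold (an assumption for this example, not a Sigcheck value):
# compressed, packed or encrypted content typically scores above this.
HIGH_ENTROPY_BITS = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    n = len(data)
    if n == 0:
        return 0.0
    h = 0.0
    # Sum -p * log2(p) over the 256 possible byte values that actually occur
    for count in Counter(data).values():
        p = count / n
        h -= p * math.log2(p)
    return h


def looks_packed(data: bytes) -> bool:
    """True when the content is dense enough to suggest packing or encryption."""
    return shannon_entropy(data) >= HIGH_ENTROPY_BITS


if __name__ == "__main__":
    # Usage: python entropy.py C:\Windows\System32\notepad.exe
    with open(sys.argv[1], "rb") as fh:
        blob = fh.read()
    bits = shannon_entropy(blob)
    flag = " (high: packed or encrypted?)" if bits >= HIGH_ENTROPY_BITS else ""
    print(f"{sys.argv[1]}: {bits:.3f} bits/byte{flag}")
```

A whole-file figure like this one (and Sigcheck's) averages over headers, code and data, so a packed section inside an otherwise ordinary binary can be masked; treat a high score as a prompt to look closer, not as a verdict.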

VirusTotal.com is a website that performs automated file scanning against dozens of antivirus engines, with an option to upload a file for scanning. Sigcheck queries VirusTotal by file hash, so by default only hashes leave your machine; a file itself is uploaded only when the 's' option is added to -v. You should investigate the purpose of any files found that are not signed.

If scanning a large number of files, redirect the output of sigcheck to a text file, or use -c/-ct to produce CSV that can be filtered later (and, when -h was used, fed back to -o for offline VirusTotal lookups).

Examples

Check an executable file to see if it is 32-bit or 64-bit:

sigcheck notepad.exe | find "MachineType"

An alternative way to test for this is to look for the first occurrence of the string "PE" in a text editor. That string is the PE signature ("PE" followed by two null bytes), and the two bytes immediately after it hold the Machine field of the COFF header, so the letter shown after the PE header denotes whether the file is 32-bit or 64-bit:
PE L = 32-bit (x86)
PE d† = 64-bit (x64)
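The text-editor trick above is a by-eye read of the PE header's Machine field. As an added example (not code from the original page or from Sysinternals), this Python parses the header properly: it follows e_lfanew at offset 0x3C to the "PE\0\0" signature and decodes the little-endian Machine value that follows, which is the same field Sigcheck prints as MachineType. The editor_view helper shows why the editor displays "L" or "d†": 0x014C is stored as the bytes 4C 01 and 0x8664 as 64 86, and 0x86 renders as the dagger in Windows-1252. The build_stub helper fabricates a minimal header purely so the example can run without a real binary.

```python
import struct
import sys

# IMAGE_FILE_MACHINE_* values from the COFF file header that follows the PE signature
MACHINE_TYPES = {
    0x014C: "x86 (32-bit)",
    0x8664: "x64 (64-bit)",
    0x01C0: "ARM (32-bit)",
    0xAA64: "ARM64 (64-bit)",
}


def pe_machine_type(data: bytes) -> str:
    """Return the machine-type name of a PE image held in memory.

    Raises ValueError if the data does not carry a well-formed MZ/PE header.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature: not a DOS/PE image")
    # e_lfanew (u32 LE at 0x3C) is the file offset of the 'PE\0\0' signature
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)
    if pe_offset + 6 > len(data) or data[pe_offset:pe_offset + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    # The COFF header starts right after the signature; its first field is Machine (u16 LE)
    (machine,) = struct.unpack_from("<H", data, pe_offset + 4)
    return MACHINE_TYPES.get(machine, f"unknown (0x{machine:04X})")


def editor_view(data: bytes) -> str:
    """Render the two Machine bytes the way a Windows-1252 text editor shows them.

    0x014C is stored little-endian as 4C 01 ('L' then a control byte) and
    0x8664 as 64 86 ('d' then the dagger), which is where 'PE L' / 'PE d†' come from.
    """
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)
    return data[pe_offset + 4:pe_offset + 6].decode("cp1252", errors="replace")


def build_stub(machine: int) -> bytes:
    """Constructed minimal image for testing only: a 0x40-byte DOS header whose
    e_lfanew points straight at a 'PE\\0\\0' signature followed by the Machine field."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\0\0" + struct.pack("<H", machine)


if __name__ == "__main__":
    # Usage: python pe_machine.py C:\Windows\notepad.exe
    with open(sys.argv[1], "rb") as fh:
        image = fh.read()
    print(f"{sys.argv[1]}: {pe_machine_type(image)}  (editor shows 'PE {editor_view(image)}')")
```

Parsing the field rather than eyeballing it also handles ARM and ARM64 images, whose Machine bytes do not show up as a tidy "L" or "d†" in an editor.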

List unsigned executable images in your C:\Windows\System32 directory (-e selects files by their image header rather than their extension; -vt only pre-accepts the VirusTotal terms, so without -v no lookup is made and -u shows just the unsigned files):

C:\> sigcheck.exe -u -e -vt c:\windows\system32

Query VirusTotal by hash for every file in the C:\Windows\System32 directory and open the report for any file with a non-zero detection (only hashes are sent; files will NOT be uploaded because 's' is not specified):

C:\> sigcheck -vr -vt c:\windows\system32\

Query VirusTotal for executable images only in the C:\Windows\System32 directory and upload any file VirusTotal has not seen before (results for uploaded files may take five or more minutes). Note that 's' sends the whole file, not just its hash, to a third party, so avoid it on hosts holding proprietary or sensitive binaries:

C:\> sigcheck -vrs -e -vt c:\windows\system32

Return the Windows major/minor version number by checking a key Windows system file (the kernel). This returns the same information as VER, but because sigcheck takes an ordinary file path it can also be pointed at a remote machine's copy via a UNC path. -nobanner suppresses the Sysinternals banner, like -q:

C:\> sigcheck -n C:\Windows\System32\ntoskrnl.exe -nobanner

“The real test of friendship is: can you literally do nothing with the other person? Can you enjoy those moments of life that are utterly simple?” ~ Eugene Kennedy

Related commands

SIGNTOOL - Digitally sign files.
VER - Display version information.


Copyright © 1999-2024 SS64.com
Some rights reserved