16 Feb

How to Check for Dangerous Certificates and Unsigned Windows OS Files

Sigcheck is a lightweight Windows command-line utility from Sysinternals that, among other things, inspects the certificate stores on your system and reports any certificate that does not chain to a root on Microsoft's Trusted Root Certificate Program list.

The utility also verifies the digital signatures of files and can list every unsigned executable in a directory tree, optionally looking each file's hash up in VirusTotal, whose API aggregates verdicts from dozens of anti-virus engines. This is especially useful for scanning the \Windows\System32 directory, which holds the core operating system files, but it can be pointed at any directory you choose.

Let’s walk through each of these functions and go into more depth on using this amazing, free utility.

Using Sigcheck to Inspect your Microsoft Digital Certificate List

X.509 certificates (the ones behind SSL/TLS) let a client authenticate a remote server and establish an encrypted channel to it. Windows trusts any chain that ends at a certificate in the Trusted Root Certification Authorities store, so a CA certificate that finds its way into that store can sign a certificate for any hostname, and whoever holds its private key can intercept and decrypt traffic in a 'Man in the Middle' attack without the browser raising a warning.

A recent example of this type of issue was Superfish, adware pre-installed on certain Lenovo consumer laptops that added its own self-signed root certificate to the Windows store so it could intercept and decrypt HTTPS browsing and inject advertisements. Because the same root and private key shipped on every affected machine, and the key was quickly extracted, anyone could use it to impersonate any website to those users: a simple but dangerous 'Man in the Middle' attack.

Sigcheck can check every certificate in a Windows certificate store and report any that does not chain to a root on Microsoft's Trusted Root list. This gives you a good starting point for identifying and removing unwanted certificates present on your system.

I used the following simple command to check the certificates in the current user's stores (-tu) against the Microsoft Trusted Root list (-v) and export the non-matching certificates to a text file. Note that -t without the u checks the machine store instead, so run both variants to cover the whole system.

Sigcheck.exe -tuv >d:\sigcheck\CertOutput.txt
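The PowerShell script below is an added example, not part of the original post or of Sigcheck. It runs the check against both the machine and the user store, then cross-checks the stores directly through the Cert: drive and keeps a baseline so that a root added after the first run shows up as a diff. It assumes sigcheck.exe is on the PATH and that D:\sigcheck is a writable folder; the -accepteula and -nobanner switches are present in current Sysinternals builds.

```powershell
# Added example (not from the original post). Assumes sigcheck.exe is on the
# PATH and that D:\sigcheck is a writable folder.
$out = 'D:\sigcheck'
New-Item -ItemType Directory -Path $out -Force | Out-Null

# Sigcheck checks the machine store with -tv and the current user's store with
# -tuv; the post's command covers only the latter, so run both.
# -accepteula and -nobanner keep the EULA prompt and banner out of the output.
& sigcheck.exe -accepteula -nobanner -tv  2>&1 | Out-File "$out\machine-roots.txt"
& sigcheck.exe -accepteula -nobanner -tuv 2>&1 | Out-File "$out\user-roots.txt"

# Independent cross-check straight from the Windows certificate stores.
# AuthRoot holds the third-party roots Windows has pulled from Microsoft's root
# program, so a root in Root that is neither there nor one of Microsoft's own
# deserves a look. AuthRoot is filled lazily, so treat hits as leads, not verdicts.
$authRoot = (Get-ChildItem Cert:\LocalMachine\AuthRoot).Thumbprint
$roots = foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    Get-ChildItem $store | ForEach-Object {
        [pscustomobject]@{
            Store      = $store
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            SelfSigned = ($_.Subject -eq $_.Issuer)
            InAuthRoot = ($authRoot -contains $_.Thumbprint)
        }
    }
}
$suspect = $roots | Where-Object { -not $_.InAuthRoot -and $_.Subject -notmatch 'Microsoft' }
Write-Host "Roots not cached from Microsoft's root program:"
$suspect | Format-Table Store, Subject, Thumbprint, NotAfter -AutoSize

# Keep a baseline so that a root added later (by an installer, adware, or an
# attacker) shows up as a diff on the next run.
$baseline = "$out\roots-baseline.csv"
if (Test-Path $baseline) {
    $old = @(Import-Csv $baseline)
    if ($old.Count -gt 0) {
        $added = Compare-Object $old $roots -Property Store, Thumbprint |
                 Where-Object SideIndicator -eq '=>'
        if ($added) {
            Write-Warning "Roots added since the last baseline:"
            foreach ($a in $added) {
                $roots | Where-Object { $_.Thumbprint -eq $a.Thumbprint -and $_.Store -eq $a.Store } |
                    Format-List Store, Subject, Thumbprint, NotAfter
            }
        }
    }
}
$roots | Export-Csv $baseline -NoTypeInformation
```

The Sigcheck output is the authoritative check, since it downloads Microsoft's current root list; the Cert: drive pass is there so you are not relying on a single tool, and the baseline diff is what turns a one-off audit into something you can schedule.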


Using Sigcheck to Identify Unsigned Files in your System32 Directory

The System32 directory is where Windows stores its core operating system files. Given the sensitivity of what lives there, every executable image in it should be digitally signed, either with an embedded Authenticode signature or through a Windows catalog file, and Sigcheck checks both. A valid signature gives the user assurance of the integrity and authenticity of a file and confidence that it has not been modified by malware.

With Sigcheck, you can scan the System32 folder and list everything that is an executable image but not digitally signed using the following command: -u shows only unsigned files, -e scans executable images regardless of extension, and -s recurses into sub-directories. I have also included -c to export the results as CSV for easy review in Microsoft Excel:

Sigcheck.exe -u -e -s -c c:\windows\system32 >d:\sigcheck\sys32scan_output.csv
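As an added example (not from the original post or from Sigcheck), the PowerShell script below wraps that command, summarises the unsigned files by folder so patterns like the print-driver cluster stand out, and gets a second opinion on each hit from the built-in Get-AuthenticodeSignature cmdlet, which also consults catalog signatures. It assumes sigcheck.exe is on the PATH, that D:\sigcheck exists, and that Sigcheck's CSV output carries "Path" and "Verified" columns, which is what current builds emit; adjust the names if yours differ.

```powershell
# Added example (not from the original post). Assumes sigcheck.exe is on the
# PATH, D:\sigcheck exists, and Sigcheck's CSV has "Path" and "Verified" columns.
param([string]$Target = "$env:SystemRoot\System32")

$csv = 'D:\sigcheck\unsigned.csv'
# -u unsigned only, -e executable images only (by header, not extension),
# -s recurse, -c CSV. -nobanner keeps the banner out of the CSV header.
& sigcheck.exe -accepteula -nobanner -u -e -s -c $Target | Out-File $csv -Encoding utf8
$rows = @(Import-Csv $csv)

"Unsigned executables under ${Target}: $($rows.Count)"

# Group by folder so clusters (the post found print drivers dominated) stand out.
$rows | Group-Object { Split-Path $_.Path -Parent } |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 15 | Format-Table -AutoSize

# Second opinion with the built-in cmdlet, plus a SHA-256 for anything still
# unsigned so it can be looked up elsewhere or tracked over time.
$report = foreach ($r in $rows) {
    if (-not (Test-Path -LiteralPath $r.Path)) { continue }
    $sig = Get-AuthenticodeSignature -LiteralPath $r.Path
    [pscustomobject]@{
        Path     = $r.Path
        Sigcheck = $r.Verified
        Cmdlet   = $sig.Status
        Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Sha256   = (Get-FileHash -LiteralPath $r.Path -Algorithm SHA256).Hash
    }
}
$report | Where-Object Cmdlet -ne 'Valid' |
    Export-Csv 'D:\sigcheck\unsigned-confirmed.csv' -NoTypeInformation
```

Run it from an elevated prompt so every file under System32 is readable, and run the 64-bit build of Sigcheck on 64-bit Windows so file-system redirection does not hide part of the tree.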



My export revealed that almost all of my print drivers are not digitally signed.

Using Sigcheck to Recursively Scan any Directory for Viruses

Sigcheck can also submit the hashes of the files in any directory, or of a single file, to VirusTotal's public API and report how many engines flag each one. By default only the hash is sent; a file itself is uploaded only if you add the s sub-option (-vs), which is different from the separate -s recursion switch.

A potential advantage of this technique over a traditional virus scanner is that it can be driven from a batch file or scheduled task against directories or systems where installing an anti-virus client is impractical, such as low-power or thin-client systems. Two caveats: a hash lookup only finds files VirusTotal has already seen, so it supplements endpoint protection rather than replacing it, and every file hash is sent to a third party (with -vs, the files themselves), so think before pointing it at confidential data. Recent versions of Sigcheck also require you to accept VirusTotal's terms of service once, with -vt, before -v will work. The following command does a quick hash lookup, including all sub-directories, and exports the results to a txt file.

Sigcheck.exe -v -s d:\ >d:\sigcheck\VirusScanOutput.txt
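The script below is an added example (not from the original post or from Sigcheck) of the scheduled-task use described above: it runs the VirusTotal lookup over a directory tree, keeps only files that VirusTotal does not know or that have at least one detection (-u does this when combined with -v), separates the two cases, and exits non-zero when anything is detected so a task scheduler or monitoring job can alert on it. It assumes sigcheck.exe is on the PATH, that D:\sigcheck exists, and that Sigcheck's CSV output includes a "VT detection" column in the form hits/engines, which is what current builds emit; adjust the column name if yours differs.

```powershell
# Added example (not from the original post). Assumes sigcheck.exe is on the
# PATH, D:\sigcheck exists, and Sigcheck's CSV has "Path" and "VT detection" columns.
param(
    [string]$Target = 'D:\',
    [switch]$UploadUnknown   # use -vs instead of -v: uploads files VirusTotal has never seen
)
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$csv   = "D:\sigcheck\vt-$stamp.csv"

# -vt accepts VirusTotal's terms of service; -v sends hashes only (-vs also
# uploads unknown files); -s recurses; -u limits output to files VirusTotal does
# not know or that have a detection; -c writes CSV.
$vtFlag = if ($UploadUnknown) { '-vs' } else { '-v' }
& sigcheck.exe -accepteula -nobanner -vt $vtFlag -s -u -c $Target | Out-File $csv -Encoding utf8

$rows = @(Import-Csv $csv)
$results = foreach ($r in $rows) {
    $det = $r.'VT detection'
    if ($det -match '^(\d+)/(\d+)$') {
        [pscustomobject]@{ Path = $r.Path; Hits = [int]$matches[1]; Engines = [int]$matches[2] }
    } else {
        # Not a ratio: VirusTotal has no record of this hash. This is where a
        # hash-only lookup goes blind; rerun with -UploadUnknown if the files are
        # not confidential.
        [pscustomobject]@{ Path = $r.Path; Hits = -1; Engines = 0 }
    }
}
$unknown  = @($results | Where-Object Hits -eq -1)
$detected = @($results | Where-Object Hits -gt 0)

"$($rows.Count) files reported, $($detected.Count) with detections, $($unknown.Count) unknown to VirusTotal"
$detected | Sort-Object Hits -Descending | Format-Table Hits, Engines, Path -AutoSize
$unknown  | Select-Object Path | Export-Csv "D:\sigcheck\vt-unknown-$stamp.csv" -NoTypeInformation

# Non-zero exit so a scheduled task or monitoring job can alert on detections.
if ($detected.Count -gt 0) { exit 1 }
```

Schedule it with schtasks or Register-ScheduledTask under an account that can read the target tree, and expect a whole-drive run to take a while: VirusTotal's public API is rate limited, so Sigcheck has to pace its lookups.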


Download the utility and check out all the available options over at TechNet: https://technet.microsoft.com/en-us/sysinternals/bb897441.aspx.

Feel free to leave any questions and comments below.

8 thoughts on “How to Check for Dangerous Certificates and Unsigned Windows OS Files”

  1. had a lot of unsigned certificates! interesting! thanks!

    also, i think the command should be:

    Sigcheck.exe -v -s d:\ >d:\sigcheck\VirusScanOutput.txt

    • Hi Mac,
      Our first post was November 3rd, 2014. So the blog is going on a year and a half old!

      As for the Checksig tool, I didn’t think it sent any info out to the web unless you called the option to use VirusTotal.
