Monday, August 22, 2011

Using Sysinternals sigcheck to verify a file's hash

A file's MD5 or SHA-1 file hash is what I often check to verify a particular file's validity. Software developers often publish these hashes to help users determine if the file has been tampered with.

With the Sysinternals tools is a file and signature viewer called sigcheck. Here a short tutorial on how to use sigcheck to get the file hash from a file.

1. Obtain the file hash from the software developer's website or distribution site.
2. Download sigcheck from Microsoft Sysinternals, or better yet get the whole Sysinternals Suite
3. Run sigcheck.exe with the -h parameter against the file.

It will show the file version and the file hashes of the file. Here is an example of sigcheck in action. Here, I used the lophtcrack password auditing software from The website offers a CNET website and an alternative download site. Let's compare the file hashes.

Lophtcrack website says the file must have these hashes:

MD5 Hash: a2fd2af0b3300fea67e6b836f9ca05f2
SHA1 Hash: 142590a4751fa26919cc902d91aa9c92c8e602fd

Here's the hashes obtained from the executable file obtained from the CNET website:

C:\Documents and Settings\machine\My Documents\Downloads>sigcheck -h cnet_lc6setu

Sigcheck v1.71 - File version and signature viewer
Copyright (C) 2004-2010 Mark Russinovich
Sysinternals -

C:\Documents and Settings\machine\My Documents\Downloads\cnet_lc6setup_v6_0_12a_exe.exe:

Verified: Signed
Signing date: 5:58 AM 7/19/2011
Publisher: CBS Interactive
Description: CNET Installer
Product: CNET Installer
File version:
MD5: 5a888686e6b6744afd3e1c19d84a2b10
SHA1: dadee7f3da2ac8e4916d414fcd500ac85d40cb48
SHA256: a5528ab0650d406a2d526c5608fac24404fe07a49ca90bb4bc1c5dfdc5c912f8

Here's the file obtained directly from lophtcrack's site:

C:\Documents and Settings\machine\My Documents\Downloads>sigcheck -h lc6setup_v6.

Sigcheck v1.71 - File version and signature viewer
Copyright (C) 2004-2010 Mark Russinovich
Sysinternals -

C:\Documents and Settings\machine\My Documents\Downloads\lc6setup_v6.0.12a.exe:
Verified: Unsigned
File date: 3:03 PM 8/23/2011
Publisher: L0pht Holdings, LLC
Product: L0phtCrack 6
Version: 6.0
File version: 6.0
MD5: a2fd2af0b3300fea67e6b836f9ca05f2
SHA1: 142590a4751fa26919cc902d91 aa9c92c8e602fd
SHA256: 786800c069a0aa6db8ca44f9ec9617294ece72d7d0b5154a88ef77d73784d450

Might be a good idea to use the 2nd file in this instance and not to trust the file from the CNET website

Do you have a better methodology to check if a file has been tampered with or contains malware?

Tuesday, February 8, 2011

Even Microsoft's Bing gets its search results from Google (Hilarious)

I was looking for the Internet Explorer 9 Beta URL and saw that Google's first result for the keyword "Internet Explorer 9" leads to

It was really hilarious that when I searched for the same keyword in Microsoft's Search engine,, the same results came up! :D