How to Find and List Unsigned Executable Files

  • Scripting
  • Published May 4, 2009 Updated Oct 27, 2010

Executable files can (and should be!) digitally signed. Without a digital signature you can never be sure the files on your hard disk have not been tampered with. There is really no exception to this rule, except maybe smaller open source projects that lack the budget to buy the digital certificate required for signing. Digitally signing executable files is so important that Microsoft made it a requirement in the Windows 7 Logo Program. One might think that such a simple yet important thing as signed executables can be taken for granted by now. Well, let’s have a look!

Finding the Black Sheep

I have written a simple batch script that scans a given directory tree for files of a certain type and checks each matching file for a valid digital signature. The script can be downloaded, but here it is in all its beauty:

@echo off
::
:: Author: Helge Klein
::
:: Prints out a list of all unsigned files (NOT digitally signed) whose names match a given pattern.
:: Recursively searches a folder structure beginning at a given base directory.
::
:: Prerequisites:
::
:: - Signtool.exe is used to check the Authenticode signature of executable files.
::   It must be found in the path.
::   Signtool is part of the .NET Framework SDK. Information: http://msdn.microsoft.com/en-us/library/aa387764.aspx
::

::
:: Variables
::
:: Base directory
set SEARCH_BASE="C:\Program Files (x86)"

:: Files to be checked (wildcards allowed). Examples: *.exe or *.dll or *.sys
set FILTER=*.DLL

::
:: Start of script
::
for /f "usebackq tokens=*" %%i in (`^dir /s /b %SEARCH_BASE%\%FILTER%`) do (call :CheckSignature "%%i")

goto :eof


:CheckSignature
signtool.exe verify /pa /q "%~1" 1>nul 2>nul
if errorlevel 1 echo %~1

goto :eof

Results

On the machine I am writing this, the script found 702 unsigned DLLs in the 32-bit program files folder alone. 702!! And most of them not by some open source project but by Microsoft, Citrix, VMWare, Adobe, Sun (Java)… Of course, I have the latest versions installed, so the lack of signatures is not due to me using dated software written in the stone age of computing.

What does my spot check tell us? Security does not seem to be taken seriously enough even by the largest software manufacturers. But unless every executable file is signed, policies blocking unsigned files cannot be put into effect. It looks like it might take some more years before digital signatures can be a truly powerful tool.

Notes

The following file types are considered executable files in the Windows 7 Logo Technical Requirements document: EXE, DLL, OCX, SYS, CPL, DRV, SCR. The document states that all executables must be signed with an Authenticode certificate, but leaves a loophole:

Waivers will be considered only for unsigned third-party redistributables. A proof of communication to request a signed version of the redistributable(s) is required for this waiver to be granted.

Digital SignatureScriptSecuritySigntool

Comments

Related Posts

PowerShell Script: Test Chrome, Firefox & IE Browser Performance

PowerShell Script: Test Chrome, Firefox & IE Browser Performance
There is more than one way to test the performance of web browsers like Chrome, Firefox, or IE, but regardless of how you do it, you need a consistent workload that makes the browsers comparable. Unless you are testing with synthetic benchmarks (which come with a plethora of problems of their own) you need a way to automate browsers opening tabs and loading URLs. This article presents a simple solution to do just that.
Scripting

Useful PowerShell Scriptlets for Files and Folders

What is the best way to learn PowerShell? Never use cmd.exe again! With PowerShell 2.0 on my Windows 7 machine I decided it finally is time to polish my rusty knowledge of the language dating back to the days when PowerShell was still called Monad. In my attempt to re-familiarize myself with PoSh I consciously use it for tasks that would take me mere seconds with other tools like cmd.exe, or even old friends like Perl. But, hey, learning takes time, and there is nothing better than practice! Here are a couple of things I have learned en route.
Scripting

Latest Posts

Fast & Silent 5 Watt PC: Minimizing Idle Power Usage

Fast & Silent 5 Watt PC: Minimizing Idle Power Usage
This micro-series explains how to turn the Lenovo ThinkCentre M90t Gen 6 into a smart workstation that consumes only 5 Watts when idle but reaches top Cinebench scores while staying almost imperceptibly silent. In the first post, I showed how to silence the machine by replacing and adding to Lenovo’s CPU cooler. In this second post, I’m listing the exact configuration that achieves the lofty goal of combining minimal idle power consumption with top Cinebench scores.
Hardware

Fast & Silent 5 Watt PC: Lenovo ThinkCentre M90t Modding

Fast & Silent 5 Watt PC: Lenovo ThinkCentre M90t Modding
This micro-series explains how to turn the Lenovo ThinkCentre M90t Gen 6 into a smart workstation that consumes only 5 Watts when idle but reaches top Cinebench scores while staying almost imperceptibly silent. In this first post, I’m showing how to silence the machine by replacing and adding to Lenovo’s CPU cooler. In a second post, I’m listing the exact configuration that achieves the lofty goal of combining minimal idle power consumption with top Cinebench scores.
Hardware