How to Find and List Unsigned Executable Files

  • Scripting
  • Published May 4, 2009 Updated Oct 27, 2010

Executable files can (and should be!) digitally signed. Without a digital signature you can never be sure the files on your hard disk have not been tampered with. There is really no exception to this rule, except maybe smaller open source projects that lack the budget to buy the digital certificate required for signing. Digitally signing executable files is so important that Microsoft made it a requirement in the Windows 7 Logo Program. One might think that such a simple yet important thing as signed executables can be taken for granted by now. Well, let’s have a look!

Finding the Black Sheep

I have written a simple batch script that scans a given directory tree for files of a certain type and checks each matching file for a valid digital signature. The script can be downloaded, but here it is in all its beauty:

@echo off
::
:: Author: Helge Klein
::
:: Prints out a list of all unsigned files (NOT digitally signed) whose names match a given pattern.
:: Recursively searches a folder structure beginning at a given base directory.
::
:: Prerequisites:
::
:: - Signtool.exe is used to check the Authenticode signature of executable files.
::   It must be found in the path.
::   Signtool is part of the .NET Framework SDK. Information: http://msdn.microsoft.com/en-us/library/aa387764.aspx
::

::
:: Variables
::
:: Base directory
set SEARCH_BASE="C:\Program Files (x86)"

:: Files to be checked (wildcards allowed). Examples: *.exe or *.dll or *.sys
set FILTER=*.DLL

::
:: Start of script
::
for /f "usebackq tokens=*" %%i in (`^dir /s /b %SEARCH_BASE%\%FILTER%`) do (call :CheckSignature "%%i")

goto :eof


:CheckSignature
signtool.exe verify /pa /q "%~1" 1>nul 2>nul
if errorlevel 1 echo %~1

goto :eof

Results

On the machine I am writing this, the script found 702 unsigned DLLs in the 32-bit program files folder alone. 702!! And most of them not by some open source project but by Microsoft, Citrix, VMWare, Adobe, Sun (Java)… Of course, I have the latest versions installed, so the lack of signatures is not due to me using dated software written in the stone age of computing.

What does my spot check tell us? Security does not seem to be taken seriously enough even by the largest software manufacturers. But unless every executable file is signed, policies blocking unsigned files cannot be put into effect. It looks like it might take some more years before digital signatures can be a truly powerful tool.

Notes

The following file types are considered executable files in the Windows 7 Logo Technical Requirements document: EXE, DLL, OCX, SYS, CPL, DRV, SCR. The document states that all executables must be signed with an Authenticode certificate, but leaves a loophole:

Waivers will be considered only for unsigned third-party redistributables. A proof of communication to request a signed version of the redistributable(s) is required for this waiver to be granted.

Comments

Related Posts

Syntax Highlighting PowerShell Code in HTML - With a PowerShell Script

When you are publishing PowerShell code on the web, you soon discover that it looks much nicer with syntax highlighting - as did I. There are several ways to add syntax highlighting to your blog or web site, most of which rely on external (Wordpress) plugins or JavaScript on the page. I do not like that approach too much. I prefer to have the syntax highlighting embedded in the HTML code. That way I have full control over the appearance (and the highlighting also works in the RSS feed). The logical solution is to use a script that embeds HTML coloring tags directly into the script.
Scripting

Top 10 IT Security Tips for Individual Users

Top 10 IT Security Tips for Individual Users
This is a list of simple things that will protect you from nearly all the real-world IT security issues affecting individuals and SOHO users. 1. Install All the Updates What Should You Do? Enable automatic updates wherever possible Don’t use obsolete software versions Why Is It Important? Older software versions often have known security issues for which exploits are readily available. This means that even script kiddies can easily attack large numbers of users.
Security