Finding drivers on a user system that are not digitally signed.
Solution:
Windows provides a tool that hist the nail on its head. File Signature Verification Tool by Windows helps the user to find files that are not digitally signed. Since we are interested in drivers, we could target a folder C:\Windows\System32\drivers and find all the driver (.sys) files that are not digitally signed.
Using File Signature Verification Tool:
StartUp:
1. Goto Start->Run.
2. Type in sigverif. This will start the tool (sigverif.exe) and a file signature
verification window pops-up.
Searching Options:
User can search files of specified extensions in a specified folder.
- Check the option that says "Lokk for other files that are not digitally signed"
Under Serach Options:
- Select the file type that can be used for scanning. (like *.sys, *.dll or*.*)
- Select the folder "Look in this folder" option by browsing to the location.
- Check "Include subfolders" for recursive directory listing.
Logging Options:
User can configure the logging options as follows:
- Check the "Save the file signature verification results to a log file"
Under logging options:
- Select "Append/Overwrite existing log file" to either append the results of differents tests in a log file or overwrite the log file for a new test that's triggered every time.
- Log file name: Mention the log file name with appropriate path. Note: Pathnames need not to have (\\) as escape sequences.
Running the tool:
After configuring the tool. click OK and press Start. The tool now starts scanning all the files in all the configured folders to find all the files matching the configuration criterion that are not digitally signed.
Report:
A report of the test is genetated in a log file (configured by user in logging options) that gibes information on:
- Files that are scanned with the folder structure path.
- Files that are digitally signed with information on:
* File Modified date.
* File Version Information, if available.
* Catalog file information in which the file can be found.
* Signing Authority.
- Files that could not be scanned.
Case Study:
Let's say we want to find all the drivers present in C:\Windows\System32\drivers folders and check if they are digitally signed or not. Here are some snapshots that depict the configuration required.
System Specs:
Running the test on WINXP SP3 32 bit system.
2 GB RAM and 320 GB HDD.
Searching Options:
- All the driver files
- Under C:\Windows\System32\drivers folder
- Log the results in SIGVERIF.TXT file.
- Running the tool would yield the results on a UI (in case of files that are not digitally signed) and in the log file.
Results of case Study:
While running the test for the case study, it found some drivers on my laptop that were not digitally signed. Here's a snapshot depicting the unsigned driver files.
Contents of SIGVERIF.TXT Log File:
********************************
Microsoft Signature Verification
Log file generated on 5/17/2010 at 9:59 AM
OS Platform: Windows 2000 (x86), Version: 5.1, Build: 2600, CSDVersion: Service Pack 3
Scan Results: Total Files: 237, Signed: 229, Unsigned: 7, Not Scanned: 1
User-specified search path: *.*
User-specified search pattern: C:\WINDOWS\system32\drivers
File Modified Version Status Catalog Signed By
------------------ ------------ ----------- ------------ ----------- -------------------
[c:\windows\system32\drivers]
1028_dell_lat_d820.m 2/25/2009 None Not Signed N/A
1394bus.sys 4/14/2008 2:5.1 Signed NT5.CAT Microsoft Windows Component Publisher
acpi.sys 4/14/2008 2:5.1 Signed NT5.CAT Microsoft Windows Component Publisher
acpiec.sys 4/14/2008 2:5.1 Signed NT5.CAT Microsoft Windows Component Publisher
aec.sys 4/13/2008 2:5.1 Signed NT5.CAT Microsoft Windows Component Publisher
aegisp.sys 2/25/2009 3.4.9.0 Not Signed N/A
afd.sys 8/14/2008 2:5.1 Signed KB956803.cat Microsoft Windows Component Publisher
Unscanned Files:
------------------
[c:\windows\system32\drivers]
sptd.sys The process cannot access the file because it is being used by another process.
Thus the user gets the information on all the Digitally Signed and Unsigned driver files.
