Forensics, Malware Analysis, Sysinternals

Scan Windows for suspicious executable images

> Download Sysinternals Suite.

> Run the command-line tool (cmd) with administrative privileges.

> To scan Windows for unverified binary images, execute:

c:\path\to\sysinternals_suite\sigcheck.exe -e -u -s c:\

-e Scan executable images only
-u Show unverified files
-s Recurse subdirectories

> To scan Windows for unverified binary images and also query VirusTotal during the process, execute:

c:\path\to\sysinternals_suite\sigcheck.exe -e -u -s -vr c:\

-vr Query VirusTotal and open reports for files with non-zero detection.


c:\path\to\sysinternals_suite\sigcheck.exe -e -u -s -vrs c:\

-vrs Query VirusTotal, upload files unknown to VirusTotal, and open reports for files with non-zero detection.
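A full-disk run produces thousands of rows, so the practical follow-up is to have sigcheck write CSV (-c) and triage it. The script below is an added example, not part of the original post or of Sysinternals; the column names (Path, Verified, Entropy, VT detection) are assumed from sigcheck's CSV header and should be checked against your version, and the sample rows are constructed.

```python
import csv
import io

# Constructed sample of the CSV sigcheck's -c switch emits (run with -e -s -a -v).
# Column names are assumed; verify them against your sigcheck version's header.
SAMPLE_CSV = """Path,Verified,Date,Publisher,Company,Description,Product,Product Version,File Version,Machine Type,Entropy,VT detection,VT link
c:\\Windows\\System32\\notepad.exe,Signed,1/1/2024 1:00 AM,Microsoft Windows,Microsoft Corporation,Notepad,Microsoft Windows Operating System,10.0.19041.1,10.0.19041.1,64-bit,6.012,0/72,https://example.invalid/vt/1
c:\\Users\\alice\\AppData\\Local\\Temp\\update.exe,Unsigned,2/2/2024 2:00 AM,n/a,n/a,n/a,n/a,n/a,n/a,32-bit,7.91,3/72,https://example.invalid/vt/2
c:\\Tools\\helper.dll,Unsigned,3/3/2024 3:00 AM,n/a,Contoso,Helper,Helper,1.0,1.0,64-bit,5.4,n/a,n/a
c:\\Program Files\\Vendor\\svc.exe,Unsigned,4/4/2024 4:00 AM,n/a,Vendor,Service,Service,2.1,2.1,64-bit,6.1,0/70,https://example.invalid/vt/3
"""

HIGH_ENTROPY = 7.0  # bits per byte (the -a measure); packed or encrypted payloads approach 8.0


def parse_detection(value: str) -> "int | None":
    """Return VirusTotal positives from 'positives/engines'; None for 'n/a' or not scanned."""
    positives, sep, _engines = value.partition("/")
    return int(positives) if sep and positives.isdigit() else None


def triage(csv_text: str) -> list:
    """Return rows that deserve a closer look, most suspicious first."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        positives = parse_detection(row.get("VT detection", "n/a"))
        try:
            entropy = float(row.get("Entropy", "0"))
        except ValueError:
            entropy = 0.0
        reasons = []
        if row.get("Verified") != "Signed":
            reasons.append("unsigned")
        if positives is None:
            reasons.append("unknown-to-VT")  # candidate for a -vs upload
        elif positives > 0:
            reasons.append(f"vt-detections={positives}")
        if entropy >= HIGH_ENTROPY:
            reasons.append("high-entropy")
        if reasons:
            findings.append({"path": row["Path"], "positives": positives or 0,
                             "entropy": entropy, "reasons": reasons})
    # Detections first, then entropy, so the worst rows are at the top.
    findings.sort(key=lambda f: (f["positives"], f["entropy"]), reverse=True)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_CSV):
        print(f"{f['path']}: {', '.join(f['reasons'])}")
```

Signed, clean rows drop out; the remaining rows are ordered so VirusTotal hits and high-entropy unsigned images come first.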


  -a      Show extended version information. The entropy measure reported
          is the bits per byte of information of the file's contents.
  -c      CSV output with comma delimiter
  -ct     CSV output with tab delimiter
  -d      Dump contents of a catalog file
  -e      Scan executable images only (regardless of their extension)
  -f      Look for signature in the specified catalog file
  -h      Show file hashes
  -i      Show catalog name and image signers
  -l      Traverse symbolic links and directory junctions
  -m      Dump manifest
  -n      Only show file version number
  -q      Quiet (no banner)
  -r      Disable check for certificate revocation
  -s      Recurse subdirectories
  -t[u]   Dump contents of specified certificate store ('*' for all stores).
          Specify -tu to query the user store (machine store is the default).
  -u      If VirusTotal check is enabled, show files that are unknown
          by VirusTotal or have non-zero detection, otherwise show only
          unsigned files.
  -v[rs]  Query VirusTotal for malware based on file hash.
          Add 'r' to open reports for files with non-zero detection. Files
          reported as not previously scanned will be uploaded to VirusTotal
          if the 's' option is specified. Note scan results may not be
          available for five or more minutes.
  -vt     Before using VirusTotal features, you must accept
          VirusTotal terms of service. See:

          If you haven't accepted the terms and you omit this
          option, you will be interactively prompted.