How to manually check the integrity of WRP protected files and registry keys?

  • Question

  • I tried SFC first, but, from SFC log file I can't tell which files have been checked. Then, I ran Sigverif, it gave me a list of checked files, but some kernel level files are missing. Finally, Sigcheck will thoroughly scan all files in the specified directory, and check for unsigned files.

    Sigcheck seems perfect, but it does not go without problems. For example,

    1. I was able to replace a medium-integrity-level dll file in [system32] with a fake one, and Sigcheck will simply skip it without reporting any problem. Not sure why Windows Resource Protection didn't stop me or restore it either.

    2. I can't find the "Digital Signature" tab in File Property from Explorer, but Sigcheck reported this file is signed on 2009/7/14. Why is there this Digital Signature inconsistency?

    Any suggestions? How to manually check the integrity of WRP protected files and registry keys?

    Friday, April 15, 2011 8:58 AM

Answers

  • "ropeslearner" wrote in message news:a7c4428b-82bd-4f26-8d68-0b11043570a1...

    I tried SFC first, but, from SFC log file I can't tell which files have been checked. Then, I ran Sigverif, it gave me a list of checked files, but some kernel level files are missing. Finally, Sigcheck will thoroughly scan all files in the specified directory, and check for unsigned files.

    Sigcheck seems perfect, but it does not go without problems. For example,

    1. I was able to replace a medium-integrity-level dll file in [system32] with a fake one, and Sigcheck will simply skip it without reporting any problem. Not sure why Windows Resource Protection didn't stop me or restore it either.

    2. I can't find the "Digital Signature" tab in File Property from Explorer, but Sigcheck reported this file is signed on 2009/7/14. Why is there this Digital Signature inconsistency?

    Any suggestions? How to manually check the integrity of WRP protected files and registry keys?


    This appears to have nothing to do with the subject of this forum - Activation and Validation issues.
    Please repost your query to a more appropriate forum - I would suggest one of the Security forums in the TechNet or MSDN areas.

    --


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Friday, April 15, 2011 9:02 AM
    Moderator

All replies

  • Well, I searched around the opening forums here. I do see a Security forum here as well, but it is said to be archived and not recommended for posting new questions. Another forum: [Forums Home > Lync Server Forums > Security] doesn't seem to be highly related to this subject. I assume my question may have something to do with validation, especially regarding how to manually check/validate digital signatures to ensure system integrity, thus I posted here.

    I hope those who are interested in how to validate and check system integrity, before or after the activation of the system, can still join the discussion. But, if continuing to use this forum is a violation in some form, please let me know.

    Are TechNet's and MSDN's forums more technically oriented? After collecting some users' input and advice, I may take your advice and try to seek their help.




    Friday, April 15, 2011 9:41 AM
  • "ropeslearner" wrote in message news:2cbbf3d0-630f-4d7c-99b4-61d0ba312d6c...

    Well, I searched around the opening forums here. I do see a Security forum here as well, but it is said to be archived and not recommended for posting new questions. Another forum: [Forums Home > Lync Server Forums > Security] doesn't seem to be highly related to this subject. I assume my question may have something to do with validation, especially regarding how to manually check/validate digital signatures to ensure system integrity, thus I posted here.

    I hope those who are interested in how to validate and check system integrity, before or after the activation of the system, can still join the discussion. But, if continuing to use this forum is a violation in some form, please let me know.

    Are TechNet's and MSDN's forums more technically oriented? After collecting some users' input and advice, I may take your advice and try to seek their help.





    Certainly, the posters in the MSDN and TechNet forums are more likely to have a sensible response to your query :)
    Try posting to the general 'where should I post this' forum here...
    They should be able to point you in the right direction.
     

    --


    Noel Paton | Nil Carborundum Illegitemi | CrashFixPC | The Three-toed Sloth
    Friday, April 15, 2011 11:03 AM
    Moderator
  • It is on Technet now.

    http://social.technet.microsoft.com/Forums/en-US/w7itprosecurity/thread/5fbfa259-68ee-4607-8bc3-71595c07446b

    Friday, April 15, 2011 2:55 PM