The Windows Club

Check for dangerous or unsigned Certificates using SigCheck

Some of you may remember SuperFish or eDellRoot. They were unsafe Root Certificates that were installed on users' computers without their knowledge. While most anti-malware tools are adept at identifying and removing rogue Certificates, there are some tools, like RCC Root Certificate Scanner, that focus on removing dangerous Root Certificates from a Windows computer. SysInternals SigCheck from Microsoft is another tool that not only lets you scan and check for dangerous and unsigned certificates, but now also lets you scan all files in a folder with VirusTotal.

Check for Unsigned Certificates using SigCheck

Sigcheck can show the file version number, timestamp information, and digital signature details, including certificate chains. Additionally, the latest version now lets you upload a file for scanning, as well as check a file’s status on VirusTotal, which uses 40 antivirus engines.

To use SigCheck to scan your Windows computer for dangerous & unsafe Certificates, download it from Microsoft and extract the contents of the folder. Now to run the tool, press Shift+Right-click inside the folder. You will see an Open a command window here entry. Click on it.

The tool offers several parameters that you can use. For example, in the Command Prompt window, you may type the following command and hit Enter:

sigcheck64 -tv

If you are using a 64-bit system, use sigcheck64, else sigcheck.

When you run this command, the tool downloads a list of Trusted Certificates from Microsoft. It then compares your Certificates with this list and lists those that are not present in the Trusted Certificates list.

If you do find any certificates, you may want to investigate further. If you feel they are dangerous, you may want to remove them. This post will show you how to manage Root Certificates. The Certificate Manager or certmgr.msc in Windows lets you see details about your certificates, export, import, modify, delete or request new certificates. You may also check details about the program which has installed it, and if you can do without the program, you could also consider uninstalling that software.
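To investigate a certificate that SigCheck listed, the following PowerShell script (an added example, not part of the original article or of SigCheck) finds it in the machine and user stores by thumbprint, prints its details and saves a copy before you change anything in certmgr.msc. The script name Find-FlaggedCert.ps1 and the backup folder are assumptions; the thumbprint is the value you copy from the SigCheck output.

```powershell
# Find-FlaggedCert.ps1 (hypothetical name): inspect a certificate reported by SigCheck.
# Usage: .\Find-FlaggedCert.ps1 -Thumbprint "<value copied from SigCheck output>"
param(
    [Parameter(Mandatory)] [string]$Thumbprint,
    [string]$BackupDir = "$env:USERPROFILE\cert-backup"   # assumed backup location
)

# Copied thumbprints often carry spaces or hidden characters; keep hex digits only.
$wanted = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

# Walk every store under the machine and user locations and keep matching certificates.
$hits = Get-ChildItem -Path Cert:\LocalMachine, Cert:\CurrentUser -Recurse |
    Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] -and
        $_.Thumbprint -eq $wanted
    }

if (-not $hits) {
    Write-Output "No certificate with thumbprint $wanted found in the machine or user stores."
    return
}

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

foreach ($cert in $hits) {
    # Show the fields you would otherwise read one by one in certmgr.msc.
    [pscustomobject]@{
        Store         = ($cert.PSParentPath -replace '^.*::', '')  # e.g. LocalMachine\Root
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        SelfSigned    = ($cert.Subject -eq $cert.Issuer)
        NotBefore     = $cert.NotBefore
        NotAfter      = $cert.NotAfter
        Algorithm     = $cert.SignatureAlgorithm.FriendlyName
        HasPrivateKey = $cert.HasPrivateKey
    } | Format-List

    # Export the public certificate (.cer) so it can be examined or restored later.
    $file = Join-Path $BackupDir ("{0}.cer" -f $cert.Thumbprint)
    Export-Certificate -Cert $cert -FilePath $file -Type CERT | Out-Null
    Write-Output "Saved copy to $file"
}
```

The Store field shows every store the certificate appears in, which helps when the same certificate was installed for both the machine and the current user.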

Use SigCheck to scan folder for unsigned files with VirusTotal

To scan all the files in a folder for unsigned files, you could, for example, use the following command:

sigcheck -u -e c:\windows\system32\

To see the entire list of parameters and the functions they perform, and to download SigCheck, visit Microsoft.