Sigcheck is a command-line utility from the awesome Windows Sysinternals suite. It shows file version numbers, timestamps, and digital signature details, including certificate chains. The recent release also includes an option to check a file’s status on VirusTotal to see if it’s infected by a virus, just like both Autoruns and Process Explorer.
The basic usage of this tool is simple:
sigcheck [-switches] <file or directory>
There are a lot of switches available, but to start with something simple, you can ignore all the switches and just run sigcheck against a file or a folder.
Or use the -h switch to show hash information about the file.
Or check the virus status with the -v switch. If it’s the first time you are using sigcheck with VirusTotal, you will need -vt to accept the VirusTotal terms of service.
So, back to the topic: to find the unsigned executable files in a particular folder, use sigcheck as follows.
sigcheck -u -e directory
The -e switch scans executable files only. A common use is to run this against the Windows system folder, c:\windows\system32.
Lastly, with the -c or -ct switches, you can export the result to a comma-delimited or tab-delimited CSV file.
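Once the result is in CSV form, it can be triaged instead of read by eye. The following PowerShell is an added example, not part of the original post or of Sysinternals: it parses the output of sigcheck -u -e -c and marks unsigned files that are not in a list you have already reviewed. The function name, the baseline list, the sample rows, and the column names (Path, Verified, Date, Publisher) are assumptions; check the header line your sigcheck version prints.

```powershell
# Added example. Assumption: the CSV header starts with a "Path" column and
# also has "Verified", "Date" and "Publisher" columns.
function Get-UnsignedFromSigcheckCsv {
    param(
        [string[]] $CsvLines,             # raw lines captured from sigcheck -c
        [string[]] $KnownUnsigned = @()   # paths already reviewed and accepted
    )
    # Locate the header; anything printed before it is not CSV.
    $start = -1
    for ($i = 0; $i -lt $CsvLines.Count; $i++) {
        if ($CsvLines[$i] -match '^"?Path"?,') { $start = $i; break }
    }
    if ($start -lt 0) { return }          # no CSV in the output, nothing to report

    $CsvLines[$start..($CsvLines.Count - 1)] |
        Where-Object { $_.Trim() } |                  # drop blank lines
        ConvertFrom-Csv |
        Where-Object { $_.Verified -ne 'Signed' } |   # guard if -u was omitted
        ForEach-Object {
            [pscustomobject]@{
                Path      = $_.Path
                Verified  = $_.Verified
                Date      = $_.Date
                Publisher = $_.Publisher
                # -notcontains is case-insensitive, which suits Windows paths
                IsNew     = $KnownUnsigned -notcontains $_.Path
            }
        }
}

# Constructed sample in the assumed layout (not real scan output).
$sample = @(
    'Path,Verified,Date,Publisher,Company,Description'
    '"c:\tools\legacy\backup.exe","Unsigned","9:14 AM 3/2/2012","n/a","n/a","n/a"'
    '"c:\tools\legacy\helper.dll","Unsigned","4:40 PM 6/7/2015","n/a","Example Corp","Helper library"'
)
$baseline = @('C:\Tools\Legacy\helper.dll')   # constructed baseline entry

# Real use: $sample = & sigcheck.exe -nobanner -u -e -c directory
Get-UnsignedFromSigcheckCsv -CsvLines $sample -KnownUnsigned $baseline |
    Sort-Object IsNew -Descending |
    Format-Table -AutoSize
```

With the sample above, backup.exe is listed with IsNew set to True and helper.dll with False, so only the first needs a look.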