How To Find Unsigned Executable Files in A Particular Folder on Windows


Sigcheck is a command-line utility from the awesome Windows Sysinternals. It’s developed to show file version numbers, timestamp, and digital signature details, including certificate chains. In the recent release, it also includes an option to check file’s status on VirusTotal to see if it’s infected by a virus, just like both Autoruns and Process Explorer.

The basic usage of this tool is simple:

sigcheck [-switches] <file or directory>

There are a lot of switches available but to start something simple, you can just ignore all the switches and only run sigcheck against a file or a folder.


Or, with switch -h to show the hash info about the file.

sigcheck hash

Or, checking the virus status with switch -v. If it’s the first time using sigcheck with VirusTotal, you will need -vt to accept VirsTotal terms of service.

sigcheck virustotal

So let’s go back to the topic, to find out the unsigned executable files in a particular folder, you can use the following sigcheck usage.

sigcheck -u -e directory

The -e is to only scan executable files. A common use of this is to use this against windows system folder c:\windows\system32:

sigcheck to find unsigned file

Lastly, with the switches like -c or -ct, you can export the result to a comma delimited or tab delimited CSV file.



Please enter your comment!
Please enter your name here