Author: GuyHoozdis
Subject: Unable to verify mssearch, sqlmangr, sqlservr.exe
Posted: 15 June 2013 at 3:40pm
I don't have a system to replicate your situation, but I'll try my best to answer your question.
> [...] how would I know if mssearch.exe, sqlmangr.exe, and sqlservr.exe have been digitally signed or not?

If I understand your question, you would like to verify the integrity of mssearch.exe, sqlmangr.exe, and sqlservr.exe; by which you mean, these binaries were provided by Microsoft and they have not been modified by any third party since you have received them.
If you haven't already, you might consider installing the entire SysInternals Suite onto your target machine. You will find a tool called sigcheck in that suite, but you can download it as an individual application too.
You should pay attention to the -i and -h switches for sigcheck; in particular, the "catalog" field of the -i switch will, in the case of a signed file, indicate how the signature is stored on the system. Microsoft system files are most commonly stored in an archive separate from the binary, but third-party binaries are more likely to have the digital signature embedded into the binary itself. In the latter case you can use a PE viewer or even the strings tool to locate the embedded signature information.
Now here is some bad news. I don't think that you can expect sqlmangr.exe or sqlservr.exe to be signed on the platform you are using. That means that you will have to leverage the file hashes that are provided via the -h switch mentioned above. Furthermore, you will have to locate "clean" versions of each of those binaries you mentioned so that you can compare your file hash to the hash of the known-good binary.
Reference
Here are some MSDN pages that might be helpful if you want/need to understand more about these topics/details.
- Understanding Digital Signatures
- Understanding Authenticode
- Microsoft's CryptoAPI Tools Reference
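
The two checks described in the post above (looking for an embedded signature the way a PE viewer would, and comparing a file hash with that of a known-good copy), as an added example that is not part of the original post or of sigcheck. The function names and the sample bytes are constructed for illustration.

```python
import hashlib
import struct

SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: the Authenticode certificate table

def embedded_signature_range(pe: bytes):
    """Return (file_offset, size) of an embedded signature blob, or None."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (pe_off,) = struct.unpack_from("<I", pe, 0x3C)        # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = pe_off + 24                                     # skip signature + COFF header
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)          # PE32 vs PE32+
    (count,) = struct.unpack_from("<I", pe, dirs - 4)     # NumberOfRvaAndSizes
    if count <= SECURITY_DIR:
        return None
    # Unlike the other directories, this entry holds a file offset, not an RVA.
    offset, size = struct.unpack_from("<II", pe, dirs + 8 * SECURITY_DIR)
    if offset == 0 or size == 0:
        return None                                       # catalog-signed or unsigned
    if offset + size > len(pe):
        raise ValueError("certificate table points outside the file")
    return offset, size

def check_binary(pe: bytes, known_good_sha256: str) -> dict:
    """Presence of a signature blob is not proof of validity; the hash comparison
    against a known-good copy is what detects modification."""
    digest = hashlib.sha256(pe).hexdigest()
    return {"sha256": digest,
            "matches_known_good": digest == known_good_sha256.lower(),
            "embedded_signature": embedded_signature_range(pe) is not None}

def build_sample(signed: bool) -> bytes:
    """Constructed minimal PE32 headers for the demo; not a real executable."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + b"\0" * 20
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)
    dirs = bytearray(16 * 8)
    blob = b"\0" * 8 if signed else b""                   # placeholder signature bytes
    if signed:
        struct.pack_into("<II", dirs, 8 * SECURITY_DIR, 0x40 + 24 + 96 + 128, len(blob))
    return dos + coff + opt + bytes(dirs) + blob

if __name__ == "__main__":
    sample = build_sample(signed=False)
    print(check_binary(sample, hashlib.sha256(sample).hexdigest()))
```

To use it on a real file, pass the bytes read from the binary and the SHA-256 of the clean copy; a `None` from `embedded_signature_range` only means there is no embedded signature, so a catalog signature still has to be checked with sigcheck.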