I've used the following program (obtained from https://msdn.microsoft.com/en-us/librar ... s.85).aspx), which calls WinVerifyTrust manually.
Code:
// Copyright (C) Microsoft. All rights reserved.
// Example of verifying the embedded signature of a PE file by using
// the WinVerifyTrust function.
// Note: WTD_CHOICE_FILE checks only a signature embedded in the PE;
// a file whose hash is listed in a signed catalog (.cat) carries no
// embedded signature and is reported as "not signed" by this sample.
#define _UNICODE 1
#define UNICODE 1

#include <tchar.h>
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <Softpub.h>
#include <wincrypt.h>
#include <wintrust.h>

// Link with the Wintrust.lib file.
#pragma comment (lib, "wintrust")

BOOL VerifyEmbeddedSignature(LPCWSTR pwszSourceFile)
{
    LONG lStatus;
    DWORD dwLastError;
    BOOL fVerified = FALSE;

    // Initialize the WINTRUST_FILE_INFO structure.
    WINTRUST_FILE_INFO FileData;
    memset(&FileData, 0, sizeof(FileData));
    FileData.cbStruct = sizeof(WINTRUST_FILE_INFO);
    FileData.pcwszFilePath = pwszSourceFile;
    FileData.hFile = NULL;
    FileData.pgKnownSubject = NULL;

    /*
    WVTPolicyGUID specifies the policy to apply on the file
    WINTRUST_ACTION_GENERIC_VERIFY_V2 policy checks:

    1) The certificate used to sign the file chains up to a root
    certificate located in the trusted root certificate store. This
    implies that the identity of the publisher has been verified by
    a certification authority.

    2) In cases where user interface is displayed (which this example
    does not do), WinVerifyTrust will check for whether the
    end entity certificate is stored in the trusted publisher store,
    implying that the user trusts content from this publisher.

    3) The end entity certificate has sufficient permission to sign
    code, as indicated by the presence of a code signing EKU or no
    EKU.
    */
    GUID WVTPolicyGUID = WINTRUST_ACTION_GENERIC_VERIFY_V2;
    WINTRUST_DATA WinTrustData;

    // Initialize the WinVerifyTrust input data structure.
    // Default all fields to 0.
    memset(&WinTrustData, 0, sizeof(WinTrustData));
    WinTrustData.cbStruct = sizeof(WinTrustData);
    // Use default code signing EKU.
    WinTrustData.pPolicyCallbackData = NULL;
    // No data to pass to SIP.
    WinTrustData.pSIPClientData = NULL;
    // Disable WVT UI.
    WinTrustData.dwUIChoice = WTD_UI_NONE;
    // No revocation checking.
    WinTrustData.fdwRevocationChecks = WTD_REVOKE_NONE;
    // Verify an embedded signature on a file.
    WinTrustData.dwUnionChoice = WTD_CHOICE_FILE;
    // Verify action.
    WinTrustData.dwStateAction = WTD_STATEACTION_VERIFY;
    // Verification sets this value.
    WinTrustData.hWVTStateData = NULL;
    // Not used.
    WinTrustData.pwszURLReference = NULL;
    // This is not applicable if there is no UI because it changes
    // the UI to accommodate running applications instead of
    // installing applications.
    WinTrustData.dwUIContext = 0;
    // Set pFile.
    WinTrustData.pFile = &FileData;

    // WinVerifyTrust verifies signatures as specified by the GUID
    // and Wintrust_Data.
    lStatus = WinVerifyTrust(
        NULL,
        &WVTPolicyGUID,
        &WinTrustData);

    switch (lStatus)
    {
        case ERROR_SUCCESS:
            /*
            Signed file:
                - Hash that represents the subject is trusted.
                - Trusted publisher without any verification errors.
                - UI was disabled in dwUIChoice. No publisher or
                  time stamp chain errors.
                - UI was enabled in dwUIChoice and the user clicked
                  "Yes" when asked to install and run the signed
                  subject.
            */
            wprintf_s(L"The file \"%s\" is signed and the signature "
                L"was verified.\n",
                pwszSourceFile);
            fVerified = TRUE;
            break;

        case TRUST_E_NOSIGNATURE:
            // The file was not signed or had a signature
            // that was not valid.

            // Get the reason for no signature.
            dwLastError = GetLastError();
            if (TRUST_E_NOSIGNATURE == dwLastError ||
                TRUST_E_SUBJECT_FORM_UNKNOWN == dwLastError ||
                TRUST_E_PROVIDER_UNKNOWN == dwLastError)
            {
                // The file was not signed.
                wprintf_s(L"The file \"%s\" is not signed.\n",
                    pwszSourceFile);
            }
            else
            {
                // The signature was not valid or there was an error
                // opening the file.
                wprintf_s(L"An unknown error occurred trying to "
                    L"verify the signature of the \"%s\" file.\n",
                    pwszSourceFile);
            }
            break;

        case TRUST_E_EXPLICIT_DISTRUST:
            // The hash that represents the subject or the publisher
            // is not allowed by the admin or user.
            wprintf_s(L"The signature is present, but specifically "
                L"disallowed.\n");
            break;

        case TRUST_E_SUBJECT_NOT_TRUSTED:
            // The user clicked "No" when asked to install and run.
            wprintf_s(L"The signature is present, but not "
                L"trusted.\n");
            break;

        case CRYPT_E_SECURITY_SETTINGS:
            /*
            The hash that represents the subject or the publisher
            was not explicitly trusted by the admin and the
            admin policy has disabled user trust. No signature,
            publisher or time stamp errors.
            */
            wprintf_s(L"CRYPT_E_SECURITY_SETTINGS - The hash "
                L"representing the subject or the publisher wasn't "
                L"explicitly trusted by the admin and admin policy "
                L"has disabled user trust. No signature, publisher "
                L"or timestamp errors.\n");
            break;

        default:
            // The UI was disabled in dwUIChoice or the admin policy
            // has disabled user trust. lStatus contains the
            // publisher or time stamp chain error.
            wprintf_s(L"Error is: 0x%x.\n",
                lStatus);
            break;
    }

    // Any hWVTStateData must be released by a call with close.
    WinTrustData.dwStateAction = WTD_STATEACTION_CLOSE;
    lStatus = WinVerifyTrust(
        NULL,
        &WVTPolicyGUID,
        &WinTrustData);

    // Report the verification result to the caller instead of a constant.
    return fVerified;
}

int _tmain(int argc, _TCHAR* argv[])
{
    if (argc > 1)
    {
        return VerifyEmbeddedSignature(argv[1]) ? 0 : 1;
    }
    _tprintf(_T("Usage: %s <filename>\n"), argv[0]);
    return 2;
}
I've called the program manually on a trusted original kernel32.dll and on an untrusted custom tital.dll, but only obtained the same information for both, as presented below: both files are "not signed", but that is not what I'm looking for. I'm looking for how Windows and programs like IE.exe differentiate between a trusted copy of kernel32.dll and a custom DLL titan.dll which was copied there by a system administrator.
The file "C:\Windows\System32\kernel32.dll" is not signed.
The file "C:\Windows\System32\tital.dll" is not signed.
Additionally, for comparison, I'm adding the descriptions of both files, which can be seen below:
First, the trusted kernel32.dll:
Then, the untrusted titan.dll:
If anybody knows how the file integrity of these files is checked, I would be more than interested in any details. Is sfc.exe (and other tools like ESET, IE, etc.) checking the description fields of a DLL, like file description, type, file version, product name, product version, copyright, etc.? There are two use-cases I'm interested in:
1. Additional DLL or SYS in System32: an application puts an additional DLL or a driver SYS into the kernel32 directory. How does sfc.exe/sysinspector determine whether the file is genuine or not?
2. Replaced DLL or SYS in System32: an application replaces a DLL or driver SYS in the kernel32 directory (requires administrative privileges). Are there any additional checks done by sfc.exe/sysinspector to determine whether the file is genuine or not? Are there any additional registry entries or files on the filesystem which contain the SHA1 of the previous original DLL, which such tools check and report if the hash doesn't match?
Any details are welcome.
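Added example (editor's code, not part of the post above). The MSDN sample verifies only an embedded signature (WTD_CHOICE_FILE), but most binaries shipped with Windows, kernel32.dll included, carry no embedded signature: their hashes are listed in signed catalog files under %SystemRoot%\System32\CatRoot, so WinVerifyTrust on the file alone returns TRUST_E_NOSIGNATURE and the sample prints "not signed" for the genuine file and the foreign one alike. The version-info fields (file description, product name, copyright) are unsigned resource data and prove nothing. Get-AuthenticodeSignature does the catalog lookup in addition to the embedded check, so the script below classifies each file in a directory as Catalog, Authenticode or None and flags anything without a valid signature covering its current hash, which covers both use-cases (a foreign file added to System32, and an original replaced by a different binary). It assumes Windows PowerShell 5.1 or later for the SignatureType and IsOSBinary properties; the function names Get-SignatureReport and Find-SuspectBinary and the default path are mine.

```powershell
# Added example (not from the post). Assumes Windows PowerShell 5.1 or later,
# where Get-AuthenticodeSignature exposes SignatureType and IsOSBinary.
# Get-SignatureReport and Find-SuspectBinary are names chosen for this example.
param(
    [string]$Path = "$env:SystemRoot\System32",
    [string[]]$Include = @('*.dll', '*.sys', '*.exe')
)

function Get-SignatureReport {
    param([string]$Directory, [string[]]$Filter)

    # -Include only applies when the path carries a wildcard (or -Recurse is used).
    Get-ChildItem -Path (Join-Path $Directory '*') -Include $Filter -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File          = $_.FullName
                # Catalog      : hash listed in a signed .cat under System32\CatRoot
                # Authenticode : signature embedded in the PE security directory
                # None         : neither; WinVerifyTrust on the file alone says "not signed"
                SignatureType = $sig.SignatureType
                Status        = $sig.Status        # Valid, NotSigned, HashMismatch, UnknownError ...
                IsOSBinary    = $sig.IsOSBinary    # chains to a Windows production signing root
                Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                # The catalog lookup is keyed on the file hash, so a replaced or
                # patched binary has no catalog entry even if its version info
                # still claims "Microsoft Corporation".
                SHA256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

function Find-SuspectBinary {
    param([object[]]$Report)
    # Use-case 1 (file added to System32) and use-case 2 (original replaced):
    # in both cases no valid signature covers the hash that is on disk now.
    $Report | Where-Object { $_.Status -ne 'Valid' }
}

$report  = Get-SignatureReport -Directory $Path -Filter $Include
$suspect = Find-SuspectBinary -Report $report

# How the directory breaks down by signature mechanism.
$report | Group-Object SignatureType | Select-Object Name, Count | Format-Table -AutoSize

# Files with no valid signature at all: the ones to investigate first.
$suspect | Select-Object File, SignatureType, Status, Signer, SHA256 | Format-Table -AutoSize

# Validly signed but not by an OS root (third-party drivers, vendor DLLs):
# legitimate in many cases, but not Windows' own files.
$report | Where-Object { $_.Status -eq 'Valid' -and -not $_.IsOSBinary } |
    Select-Object File, SignatureType, Signer | Format-Table -AutoSize
```

Running this against System32 shows kernel32.dll as SignatureType Catalog, Status Valid, IsOSBinary True, while a hand-copied DLL with no embedded signature comes back as None / NotSigned regardless of what its version resource says. A catalog lookup per file is not free, so expect the scan of a full System32 to take a while; reading the directory does not need elevation, though a few ACL-protected files may be skipped by -ErrorAction SilentlyContinue.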