Is there a database or repository of the legitimate checksums for Microsoft system files? We think we have a 0day on DNS for Windows 2003 SP2 using IRC for command and control. (Latest McAfee does not see an issue.) I want to compare our customer's dns.exe and associated DLLs with the real ones. (I will grab a fresh SP2 and hotfixed system to do this, but wonder how to do this in future without needing to do this.)

martyvis
2 Answers

Have you tried the System File Checker? It is designed to scan Windows system files and replace the "bad" ones. It's pretty easy to run from the command-line:

sfc /scannow
Nic
  • SFC, IIRC, compares the files to the ones on the original install disc and will therefore have different checksums/modification dates/file sizes/etc for any updated file. Am I wrong about this? – Kevin M May 13 '10 at 04:03
  • I wasn't aware of this utility (I'm not a Windows guy), but will check it out. – martyvis May 13 '10 at 21:39
You need to verify that Windows File Protection was on and run the System File Checker (SFC); see this KB article for the registry entries to check and SFC/WFP options. Newer versions of Windows verify that the exe/DLL for OS files is signed by Microsoft before loading.

Jim B
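The comparison the question describes, as an added example that is not from either answer or from Microsoft: build a SHA-256 manifest of the DNS binaries on the freshly installed and hotfixed reference box, copy it to the customer's server, and report every file whose hash differs, whose Authenticode signature is not valid, or which is missing. A third function lists DLLs loaded into the running dns.exe from outside System32, since a hooked DLL need not overwrite anything the manifest covers. The file list, the function names and the CSV layout are assumptions made for this example, not an authoritative inventory of the DNS Server role; hashing goes through .NET directly so it runs on PowerShell 2.0 as well as newer versions.

```powershell
# Added example (not from the original thread). Assumptions: PowerShell 2.0 or
# later; the file list below is constructed for illustration and should be
# extended with whatever the reference system actually ships for the DNS role.
$DnsFiles = @(
    "$env:SystemRoot\System32\dns.exe",
    "$env:SystemRoot\System32\dnsapi.dll",
    "$env:SystemRoot\System32\dnsrslvr.dll"
)

function Get-Sha256Hex([string]$Path) {
    # .NET SHA-256 so this works where Get-FileHash (PowerShell 4+) is absent.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try   { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

function Export-ReferenceHashes {
    # Run on the known-good SP2 + hotfix system; writes Path,SHA256,Size.
    param([string[]]$Paths, [string]$OutCsv)
    $Paths | Where-Object { Test-Path $_ } | ForEach-Object {
        New-Object PSObject -Property @{
            Path   = $_
            SHA256 = Get-Sha256Hex $_
            Size   = (Get-Item $_).Length
        }
    } | Select-Object Path, SHA256, Size | Export-Csv -Path $OutCsv -NoTypeInformation
}

function Compare-SystemFiles {
    # Run on the suspect system with the CSV brought over on read-only media.
    param([string]$ReferenceCsv)
    foreach ($ref in (Import-Csv $ReferenceCsv)) {
        $path = $ref.Path
        if (-not (Test-Path $path)) {
            New-Object PSObject -Property @{ Path = $path; Status = 'MISSING'; Signer = $null }
            continue
        }
        $status = if ((Get-Sha256Hex $path) -eq $ref.SHA256) { 'MATCH' } else { 'HASH MISMATCH' }
        # Get-AuthenticodeSignature only resolves catalog-signed OS files on
        # Windows 8 / PowerShell 4 and later; on 2003 expect NotSigned for
        # legitimate files and rely on the hash column there.
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') { $status += "; signature $($sig.Status)" }
        $signer = $null
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        New-Object PSObject -Property @{ Path = $path; Status = $status; Signer = $signer }
    }
}

function Get-ForeignDnsModules {
    # DLLs mapped into the running DNS service that do not live under System32.
    $sys32 = "$env:SystemRoot\System32"
    Get-Process -Name dns -ErrorAction Stop | ForEach-Object { $_.Modules } |
        Where-Object { -not $_.FileName.StartsWith($sys32, [System.StringComparison]::OrdinalIgnoreCase) } |
        Select-Object ModuleName, FileName
}

# Reference box:
#   Export-ReferenceHashes -Paths $DnsFiles -OutCsv D:\dns-reference.csv
# Suspect box:
#   Compare-SystemFiles -ReferenceCsv D:\dns-reference.csv | Format-Table -AutoSize
#   Get-ForeignDnsModules | Format-Table -AutoSize
```

Run the suspect-side functions from a PowerShell binary and a shell copied from known-good media, because a compromised host can also have tampered cmdlets; and treat a hash mismatch as a lead rather than proof, since a hotfix level that differs from the reference box produces the same result. On Windows 2003 the catalog-signature check in Sysinternals sigcheck is the practical substitute for the Authenticode status that Get-AuthenticodeSignature cannot give there.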