Skip to main content

Sigcheck v2.3

By Mark Russinovich

Published: October 26, 2015

 Download Sigcheck (140 KB)



Sigcheck is a command-line utility that shows file version number, timestamp information, and digital signature details, including certificate chains. It also includes an option to check a file’s status on VirusTotal, a site that performs automated file scanning against over 40 antivirus engines, and an option to upload a file for scanning.

usage: sigcheck [-a][-h][-i][-e][-l][-n][[-s]|[-c|-ct]|[-m]][-q][-r][-u][-vt][-v[r][s]][-f catalog file] <file or directory>

usage: sigcheck [-d][-c|-ct] <file or directory>

usage: sigcheck [-t[u]] <certificate store name|*>

-aShow extended version information. The entropy measure reported is the bits per byte of information of the file's contents.
-cCSV output with comma delimiter
-ctCSV output with tab delimiter
-dDump contents of a catalog file
-eScan executable images only (regardless of their extension)
-fLook for signature in the specified catalog file
-hShow file hashes
-iShow catalog name and image signers
-lTraverse symbolic links and directory junctions
-mDump manifest
-nOnly show file version number
-qQuiet (no banner)
-rDisable check for certificate revocation
-sRecurse subdirectories
-t[u]Dump contents of specified certificate store ('*' for all stores). Specify -tu to query the user store (machine store is the default).
-uIf VirusTotal check is enabled, show files that are unknown by VirusTotal or have non-zero detection, otherwise show only unsigned files.
-v[rs]Query VirusTotal ( for malware based on file hash. Add 'r' to open reports for files with non-zero detection. Files reported as not previously scanned will be uploaded to VirusTotal if the 's' option is specified. Note scan results may not be available for five of more minutes.
-vtBefore using VirusTotal features, you must accept VirusTotal terms of service. See: If you haven't accepted the terms and you omit this option, you will be interactively prompted.

One way to use the tool is to check for unsigned files in your \Windows\System32 directories with this command:

sigcheck -u -e c:\windows\system32

You should investigate the purpose of any files that are not signed.


Download Sigcheck
(140 KB)



Download Sigcheck
(140 KB)


Runs on:

  • Client: Windows XP and higher.
  • Server: Windows Server 2003 and higher.

Learn More