[Random] How to quickly view a binary’s embedded manifest?


 


The "sigcheck" tool from Sysinternals is of great help here. Use the "-m" option to view the embedded manifest.


 


 


Sigcheck v1.63 - File version and signature viewer
Copyright (C) 2004-2009 Mark Russinovich
Sysinternals - www.sysinternals.com

usage: \\live.sysinternals.com\tools\sigcheck.exe [-a][-h][-i][-e][-n][[-s]|[-v]|[-m]][-q][-r][-u][-c catalog file] <file or directory>
-a Show extended version information
-c Look for signature in the specified catalog file
-e Scan executable images only (regardless of their extension)
-h Show file hashes
-i Show catalog name and image signers
-m Dump manifest
-n Only show file version number
-q Quiet (no banner)
-r Check for certificate revocation
-s Recurse subdirectories
-u Show unsigned files only
-v Csv output


 


 


Here is an example. We'll use the sigcheck tool on notepad.


 


C:\>\\live.sysinternals.com\tools\sigcheck.exe -m c:\Windows\notepad.exe

Sigcheck v1.63 - File version and signature viewer
Copyright (C) 2004-2009 Mark Russinovich
Sysinternals - www.sysinternals.com

c:\windows\notepad.exe:
        Verified:       Signed
        Signing date:   5:30 AM 11/2/2006
        Publisher:      Microsoft Corporation
        Description:    Notepad
        Product:        Microsoft® Windows® Operating System
        Version:        6.0.6000.16386
        File version:   6.0.6000.16386 (vista_rtm.061101-2205)
        Manifest:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Copyright (c) Microsoft Corporation -->
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity
    name="Microsoft.Windows.Shell.notepad"
    processorArchitecture="amd64"
    version="5.1.0.0"
    type="win32"/>
<description>Windows Shell</description>
<dependency>
    <dependentAssembly>
        <assemblyIdentity
            type="win32"
            name="Microsoft.Windows.Common-Controls"
            version="6.0.0.0"
            processorArchitecture="*"
            publicKeyToken="6595b64144ccf1df"
            language="*"
        />
    </dependentAssembly>
</dependency>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
        <requestedPrivileges>
            <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
        </requestedPrivileges>
    </security>
</trustInfo>
</assembly>
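The manifest dumped above carries the fields that matter for a privilege review: the requested execution level, the uiAccess flag and the side-by-side dependencies. The following Python sketch is an added example, not part of the original post or of Sysinternals; it pulls those fields out of captured "sigcheck -m" text. The names `summarize_manifest` and `SAMPLE` are hypothetical, and the rule for setting `review` is an assumed triage policy.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: trimmed "sigcheck -m" output based on the notepad.exe run above.
SAMPLE = r'''c:\windows\notepad.exe:
        Verified:       Signed
        Manifest:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity name="Microsoft.Windows.Shell.notepad"
    processorArchitecture="amd64" version="5.1.0.0" type="win32"/>
<dependency><dependentAssembly>
    <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls"
        version="6.0.0.0" publicKeyToken="6595b64144ccf1df"/>
</dependentAssembly></dependency>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges>
    <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
</requestedPrivileges></security></trustInfo>
</assembly>
'''

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit('}', 1)[-1]

def summarize_manifest(sigcheck_text):
    """Return execution level, uiAccess and dependencies from 'sigcheck -m' text."""
    m = re.search(r'<assembly\b.*?</assembly>', sigcheck_text, re.S)
    if m is None:
        return None                      # no embedded manifest in the output
    root = ET.fromstring(m.group(0))
    info = {'level': None, 'ui_access': False, 'dependencies': [], 'review': False}
    # Match on local names so the trustInfo namespace version does not matter.
    for el in root.iter():
        name = local(el.tag)
        if name == 'requestedExecutionLevel':
            info['level'] = el.get('level')
            info['ui_access'] = el.get('uiAccess', 'false').lower() == 'true'
        elif name == 'dependentAssembly':
            for ident in el:
                if local(ident.tag) == 'assemblyIdentity':
                    info['dependencies'].append((ident.get('name'), ident.get('version')))
    # Assumed policy: elevation requests and uiAccess=true deserve a closer look.
    info['review'] = info['ui_access'] or info['level'] in ('requireAdministrator', 'highestAvailable')
    return info

if __name__ == '__main__':
    print(summarize_manifest(SAMPLE))
```

A binary with no embedded manifest returns `None`, which is worth tracking separately from an explicit `asInvoker`.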


 


 


FYI - You can "net use" into \\live.sysinternals.com\tools and use all the Sysinternals tools, like Process Explorer, Process Monitor, etc. Isn't that cool?


 


 


 
