[Random] How to quickly view a binary's embedded manifest?

Article
12/16/2009

The "sigcheck" tool from sysinternals is of great help here. Use the "-m" option to view the embedded manifest.

Sigcheck v1.63 - File version and signature viewer

usage: \\live.sysinternals.com\tools\sigcheck.exe [-a][-h][-i][-e][-n][[-s]|[-v]|[-m]][-q][-r][-u][-c catalog file] <file or directory>

-a Show extended version information

-c Look for signature in the specified catalog file

-e Scan executable images only (regardless of their extension)

-h Show file hashes

-i Show catalog name and image signers

-m Dump manifest

-n Only show file version number

-q Quiet (no banner)

-r Check for certificate revocation

-s Recurse subdirectories

-u Show unsigned files only

-v Csv output

Here is an example. We'll use the sigcheck tool on notepad.

C:\>\\live.sysinternals.com\tools\sigcheck.exe -m c:\Windows\notepad.exe

Sigcheck v1.63 - File version and signature viewer

Sysinternals - www.sysinternals.com

c:\windows\notepad.exe:

Verified: Signed

Signing date: 5:30 AM 11/2/2006

Publisher: Microsoft Corporation

Description: Notepad

Product: Microsoft« Windows« Operating System

Version: 6.0.6000.16386

File version: 6.0.6000.16386 (vista_rtm.061101-2205)

Manifest:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

<assemblyIdentity

name="Microsoft.Windows.Shell.notepad"

processorArchitecture="amd64"

version="5.1.0.0"

type="win32"/>

<description>Windows Shell</description>

<assemblyIdentity

type="win32"

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

processorArchitecture="*"

publicKeyToken="6595b64144ccf1df"

language="*"

</dependentAssembly>

</dependency>

</requestedPrivileges>

</security>

</trustInfo>

</assembly>

FYI - You can "net use" into \\live.sysinternals.com\tools and use all the sysinternals tools like process explorer, process monitor etc. Isn't that cool?

[Random] How to quickly view a binary's embedded manifest?

Additional resources