Yes indeed, all Microsoft files are (or should be) digitally signed


Yes indeed, all Microsoft files are (or should be) digitally signed (as far as I’m aware). So I’m not quite sure what commenter Dave is getting at:

The Microsoft file should have embedded vendor/product information saying it’s from Microsoft and will be cryptographically signed by Microsoft. Similarly-named malware won’t be signed by Microsoft, unless Verisign slipped up *again* and issued another bogus certificate.

Wow, this is such a great idea, that it’s been true for many years now. All Microsoft files are digitally signed. They have to be; otherwise, Windows File Protection wouldn’t be able to tell whether this new version of shell32.dll is a security update or just some malware trying to replace a system file. As I noted quite some time ago, you can run the sigverif program to validate the digital signatures of all system files.

Long descriptive names are just as much an opportunity to malware makers as they are to legit software developers. Gee, why would you want to stop a file named “Critical Security Update Service.exe” for example?

And that’s why Windows XP Service Pack 2 added the ability to mark a file as “I got this from the Internet.” (Internet Explorer applies this marking when you download a file from the Internet.) Before you run such a file, Explorer will prompt you with a warning and show you the digital signature information so that you can confirm that the download is what it purports to be and has not been tampered with.

This is just one example of a commenter who suggests that Windows do things that it already does: Drop down lists do let you type multiple characters. Here’s another example. Windows has been multilingual since Windows 2000.

For now, I’m going to keep ignoring them. Just because you say something in my presence and I don’t raise an objection doesn’t mean that I agree. Or that what you said is even true.

Comments (52)
  1. Thomas says:

    I don’t know whether all Microsoft files are digitally signed but I’d suspect not.  According to Microsoft all hardware drivers should be signed and verified?  I don’t know the particulars, just that when doing a fresh XP SP2 install I am warned about installing seven of the hardware drivers coming straight off the XP install.

    I don’t know whether these are “technically” Microsoft files and drivers but they all claim to be from Microsoft corp. and they’re all on the install CD, so perhaps Microsoft should have signed and verified them.

    Given that track record I suspect there’s a sizable fraction of Microsoft files that are unsigned.

    [Hence the two parentheticals in the opening sentence. Don’t make me bring back the Nitpicker’s Corner. -Raymond]
  2. DeGustibus says:

    >> Windows has been multilingual since Windows 2000.

    I think the reader was referring to “buy Windows2000/XP/2003 English and being able to set it to Italian”.

    It doesn’t seem to me this can be done on 2000 and/or XP (I may be wrong, but really I can’t find the setting…). Things have changed with Vista it seems, however.

    [Windows 2000 and Windows XP use the same mechanism as Windows Vista: Install the Italian MUI pack. I installed the Swedish MUI pack back in 2003 and switched to German in 2006. There was also a brief stretch where I ran Traditional Chinese. -Raymond]
  3. Bob says:

    Is the "I got this from the tubes" bit user-accessible? I don’t see anything about it in SetFileAttributes or any immediately obviously related function.

    Note: I don’t care if it’s write-only, but it seems like a useful tag for files downloaded through means other than Internet Explorer.

  4. anonymous says:

    So why does sigverif show all of the .NET dlls as unsigned?

    [I don’t know but I can guess, and so can you. The .NET files are not in the signature catalogs since they don’t come from the core OS group. -Raymond]
  5. Leo Davidson says:

    Bob,

    The "downloaded from the Internet" tag is written into an alternative data stream (ADS) on the file, at least if the file lives on an NTFS drive.

    If you search for "Internet Explorer Alternative Data Streams Zone.Identifier" you’ll find a few pages talking about it.

  6. Adrian says:

    Actually, I think the commenter about multiple-character input to a drop-down box is a good idea.  I don’t understand why Raymond thinks the default drop-down control does this.

    Empirically, it seems the drop-down controls look only at the most recently typed character and select the first item that starts with that character.  If several items start with the same character, typing additional characters doesn’t help.  If you type the same character over-and-over, however, the selection will move down through items that start with that character.  That’s something, but it’s not a great solution in a long list.

    [Okay, I sat down and wrote the program. We’ll see it tomorrow since it’s too big to fit in a comment. -Raymond]
  7. Bob says:

    Cool. Thanks, Leo. I doubt I would have found that on my own.

  8. ace says:

    > Raymond: (…)I installed the Swedish MUI (…)

    In case other people didn’t know (like me):

    http://www.microsoft.com/globaldev/DrIntl/faqs/MUIFaq.msp

    "Q: How can I acquire Windows MUI?

    A: The Windows XP/2000 MUI is sold only through Volume Licensing programs such as the Microsoft Open License Program (MOLP / Open), Select, and Enterprise agreement (or with a new computer as an OEM version at customer request). It is not available through retail channels."

  9. DeGustibus says:

    > [Windows 2000 and Windows XP use the same mechanism as Windows Vista: Install the Italian MUI pack. I installed the Swedish MUI pack back in 2003 and switched to German in 2006. There was also a brief stretch where I ran Traditional Chinese. -Raymond]

    Cool. Didn’t know about that :)

  10. MW says:

    "Drop down lists do let you type multiple characters."

    Only if the combo box is created with the CBS_SORT style. A lot of people assume there’s no reason to include the style if the items they’re inserting are already in sorted order.

  11. Dave says:

    Hi, it’s me!

    When I said "should" I just meant "usually do" so there is no disagreement. Actually, if you read the second sentence ("Similarly-named malware won’t be signed by Microsoft..") I think it makes the previous sentence’s use of "should" pretty clear. You simply misunderstood. No sarcasm is needed to deflate a point I didn’t make.

    My point on long file names is that users are suckers for cool sounding names. Many users are quite comfortable with clicking through scary warning dialogs. The more they encounter (I’m talking to you, Vista UAC) the easier it is to click OK.

  12. Aaargh! says:

    “Windows XP Service Pack 2 added the ability to mark a file as “I got this from the Internet.” (Internet Explorer applies this marking when you download a file from the Internet.) “

    How can I, as a user, see this ? It’s one of the things I miss when I have to use Windows instead of a Mac. Normally, when I want to see where I got some piece of documentation from, I just right-click the file and select “Get info”  and the original URL is right there in the file info screen. Really useful when e.g. you need to specify the source of some information in a paper.

    How is this stored in Win32 and where is it exposed in the UI?

    [Right-click, Properties (approximately equivalent to “Get info” I guess), “This file came from another computer and might be blocked to help protect this computer.” Windows doesn’t track the URL the file came from, since there’s no technical reason to keep it. -Raymond]
  13. Joe Bruno says:

    And however “multilingual” Windows may be, it still isn’t available in English.

    [Old news. No need to rehash. -Raymond]
  14. Carlin says:

    “Only if the combo box is created with the CBS_SORT style. A lot of people assume there’s no reason to include the style if the items they’re inserting are already in sorted order.”

    This is what I was talking about.  Internet Explorer 6 (dunno about 7.  I’m a firefox man myself) does not respond to multiple keys, only the first one.  Sorry I wasn’t more clear in my original post.

    [Oh, I thought your comment was another “Since somebody said ‘drop down’ I’m going to ask an unrelated question about drop downs” type of comment. Sorry. And since it appears that the original point has been confirmed, I guess I can pull that post which I already wrote. It’ll go into the “articles which were written but never posted” dustbin, like the stories about Bob. -Raymond]
  15. Mark says:

    Interesting to notice that sigverif only asserts that the file has a digital signature, not that it is valid. How’s that? Quick test:

    Copy comdlg32.ocx (signed) from system32 to temp or somewhere else.

    Verify the signature with both sigverif and by clicking properties / digital signatures / details. Both seem ok to this point.

    Modify the file by just adding some stuff to the end of it; suggestion:

    copy comdlg32.ocx + con comdlg32.ocx [Return]

    [type some stuff here][F6][Return]

    Verify the signature with both sigverif and by clicking properties / digital signatures / details. The properties page will complain (the digital signature is not valid) while sigverif will just say that it is signed, no complains.

    I know validating the signature is expensive, but is this really by default? Seems to me this could be exploited as a way to inject some code into a system file – getting it to run is something else though.

  16. anonymous says:

    I played around with the Zone-Identifier some time ago but I couldn’t get it working on Windows Server 2003 SP2. Any ideas what could be going wrong?

  17. Simon says:

    But I’d like to read stories about Bob… :)

  18. Aaargh! says:

    “Windows doesn’t track the URL the file came from, since there’s no technical reason to keep it. -Raymond”

    It’s metadata, and quite useful metadata at that, why should you throw it away ?

    If I want to find all the files I got from a certain website, I can do a quick Spotlight search and find out.

    [It wasn’t necessary to achieve the original goal of AES. Perhaps the goals were wrong, in your opinion. -Raymond]
  19. James Curran says:

    I can confirm that not all Microsoft files are signed.  I recall just a couple days ago, downloading a file directly from microsoft.com, and upon installing it, was warned that it was not signed.

    I unfortunately don’t remember exactly what file it was, but I’ll acknowledge that it was neither a Windows component nor part of any major MS application.  It was probably some ancillary tool from MSDN, of approx the PowerToy level.

    [I added two parentheticals in the opening sentence to forestall comments like this and I guess it didn’t work. Don’t make me bring back the Nitpicker’s Corner. -Raymond]
  20. Kip says:

    "I can confirm that not all Microsoft files are signed.  I recall just a couple days ago, downloading a file directly from microsoft.com, and upon installing it, was warned that it was not signed."

    Microsoft is a large company.  Some files are going to slip by without the signature.  I think the "(or should be)" part of the title should have made that clear.

  21. Chris Walken says:

    Along the same lines – but kind of the reverse, when I run an application I have built with VS6.0 in C++ under Vista and the app is loaded from a different computer – or server – Vista always pops up the "The Publisher could not be verified…" message. How does one make that one go away?

  22. BryanK says:

    Chris:  Get a code-signing cert and sign the thing?  (Of course then your cert has to be trusted.)

    Nah, that would be too obvious…  how about copy the file locally?  ;-)

  23. Wolf Logan says:

    "Don’t make me bring back the Nitpicker’s Corner." -Raymond

    If you kids don’t settle down I’ll turn this blog around and we’ll go RIGHT HOME!

  24. Igor says:

    “Oh, I thought your comment was another “Since somebody said ‘drop down’ I’m going to ask an unrelated question about drop downs” type of comment.”

    As far as I can see, this was another person commenting, not the same one.

    “Sorry.”

    For what?

    “And since it appears that the original point has been confirmed, I guess I can pull that post which I already wrote. It’ll go into the “articles which were written but never posted” dustbin, like the stories about Bob.”

    So instead of thanking someone for inspiring you to write something useful, you are going to “punish” everyone because you misunderstood one person’s comment?

    What exactly do you think you will accomplish by punishing everyone because you believe someone is a jerk or offtopic? We have even less power over that person than you so your punishment won’t have any effect other than pissing people off.

    That kind of punishment would only work in a jail cell where you have say 10 inmates and one of them does something bad. Then you punish all 10 and next time someone tries to misbehave other 9 kick his ass to avoid being punished because of him.

    Note that we are on the Internet, the readers of your blog are not in the same cell and can’t kick each others ass so it simply doesn’t work.

    You are just irking the others who didn’t deserve to be punished and provoke them to act bad themselves because being nice obviously doesn’t make any difference.

    You act so childish sometimes. Better get your act together. What you need is thicker skin.

    [I didn’t consider it inspiration to write something useful. I considered a chore to illustrate something that I thought didn’t need illustrating. So it’s good that it’s gone, but it’s bad that I had to take the time to write it in the first place. -Raymond]
  25. Hey maybe it’s just me but I read that comment as saying "If it were a Microsoft file, it would have a signature." Not as a suggestion to do so. Seems like a silly thing to single someone out for.

  26. EricLippert says:

    > So why does sigverif show all of the .NET dlls as unsigned?

    The .NET DLLs are signed with the Microsoft Strong Name, not with a verisign certificate.

    Both strong naming and certificate signing provide evidence that a particular chunk of code was produced by a particular organization.  However, there are many differences between strong name signing and certificate signing; key differences in my mind are:

    * Strong name signatures do not "chain" the way certificate signatures do. With certs you can say "trust anyone that this signing authority trusts". With strong names, you have to make an individual trust decision for each.

    * There is no revocation mechanism for strong names.

    * Different certificates have different stated purposes. There is no such mechanism for strong names.

    * Strong names and certificates solve related but different problems. Strong names solve the problem "I am trying to load some code and wish to be certain that I am loading the code I think I am loading."  Certificates solve the problem of "I’m loading code that I don’t know what it does, so I want to only load code from providers that I have a trust relationship with."

  27. mikeb says:

    >> Yes indeed, all Microsoft files are (or should be) digitally signed (as far as I’m aware). <<

    It is true that they should be signed.  Unfortunately, the reality is that not all Microsoft files are signed.  Now, I’m not saying that this is Raymond’s fault or problem, but that doesn’t change the fact that MS does not always sign files that they provide for installation on Windows machines.

    Some examples on my machine:  mdimon.dll, mdm.exe, mscoree.dll, asiserver.exe

    Now, these are not *Windows* files, but I still believe that MS should be more strict about whatever policy they have on signing files for public distribution.  

    It would be nice if I could be reasonably sure that an unsigned file that claims to be from Microsoft was malware.  As it stands today that would simply be crying wolf.

  28. JamesNT says:

    Once again I read down the comments to yet another post on the Old New Thing and mostly what I see are people doing their best to piss Raymond off.

    This blog is one of the most valuable of all the MS blogs.  When are you guys going to get that?

    Maybe Raymond should start up a private blog and invite only those who want to learn to be better programmers and will never require a "Nitpicker’s corner".  Anyone who mouths off gets booted – forever.

    JamesNT

  29. bramster says:

    Had a nice bike ride today.  What else is important?

  30. Can says:

    Actually I’ve always found the Microsoft signing process somewhat limited. The embedded signature ensures the integrity of the file and the company behind it. However what people want to know is whether the file is harmful for their computer (has a serious bug, is malware), whether there are incompatibilities with the software already installed on their system, etc.

    I’m developing a small extension to the Authenticode system, which allows you to embed much richer metadata in your files. The software will also "hook" the verification process and display you this additional metadata in a dialog box. The metadata contains the publisher specific product ID, product name, web site address, description, version, license type, release status, release date, language, category, ESRB rating, system requirements, publisher name and publisher web site address.

    The digital signing of files with extensive metadata could be the solution for malware, but Microsoft has never seen the Authenticode technology in this way. Today it’s just a monopoly of Microsoft and Verisign with an annoying warning dialog box for us.

  31. Thorsten Engler says:

    Actually Raymond, I read this:

    >>>The Microsoft file should have embedded vendor/product information saying it’s from Microsoft and will be cryptographically signed by Microsoft. Similarly-named malware won’t be signed by Microsoft, unless Verisign slipped up *again* and issued another bogus certificate.<<<

    as a statement of fact. (As in "that’s what Microsoft is doing, so if you want to know if a file is legit, look at the signature").

    As for the "Verisign slipped up *again*", I don’t have a reference  url right now, but sometime in the past it was in the news that Verisign handed out a "Microsoft" certificate to someone without any connections to Microsoft. It naturally was later revoked once that was noticed, but for some time there was a valid signature in the wild which could potentially be used to sign Malware with a "Microsoft" signature.

  32. friscom says:

    ..the question is: why don’t we know (from Microsoft) what files of theirs should be signed and what not?

    How can I state whether a file is correct if I do not know from the beginning if it has a signature?

    To say, in my Win2K3 server the Explorer.exe and Mstsc.exe are unsigned, accordingly to sigverif.

    Should I assume it is not the original? How should I know about them (and all others) before I start investigating without a reference?

  33. Chris says:

    "copy comdlg32.ocx + con comdlg32.ocx … Seems to me this could be exploited as a way to inject some code into a system file – getting it to run is something else though."

    It rather involved being on the other side of this airtight hatchway…

  34. Ema says:

    Lol this is the problem with closed source software…

    You don’t know what cr*p you’re executing ’till your PC will explode…

    In this case Linux and AppArmor are the best…

    Cheers,

    Ema.

  35. Dave says:

    Chris: "It rather involved being on the other side of this airtight hatchway…"

    No, that was Raymond’s second point: "Before you run such a file, Explorer will prompt you with a warning and show you the digital signature…"

    So, if OS believes the signature stays intact on a modified file, it might have an evil payload but the OS will show you the valid signature and give you confidence about running the file. I have no idea whether a real exploit could come from that though. Let’s hope not.

  36. Kuwanger says:

    >copy comdlg32.ocx + con comdlg32.ocx … Seems to me this could be exploited as a way to inject some code into a system file – getting it to run is something else though.

    It rather involved being on the other side of this airtight hatchway…

    The whole point of the signature is to be able to use an untrusted medium as a carrier for trusted content.  If the untrusted medium can modify the trusted content without detection, the trusted content can’t really be trusted.

  37. Ema says:

    Btw, you can "easily" recompute the signature (MD5 SHA-1…). You can do at run time if the OS is a good one (and no, I’m not referring to Millennium Edition II).

    Cheers,

    Ema! :-)

  38. Illuminator says:

    Hey Ema, my Eureka moment came when I abandoned SQLite for SQL Server Compact Edition.

  39. Leo Davidson says:

    The more they encounter (I’m talking to you, Vista UAC) the easier it is to click OK.

    IMO you should blame Explorer for that, not UAC itself. I think UAC is absolutely fine as a mechanism, Explorer just uses it really badly (e.g. prompting you four times to create one directory). The excessive prompting isn’t an inherent part of UAC and there is at least one alternative file manager which will only prompt you once in that example.

  40. Keeron says:

    Leo wrote: "… Explorer just uses it really badly (e.g. prompting you four times to create one directory)…"

    I’ve never seen more than 1 prompt on anything I was doing. And I expected the prompt since it wasn’t a standard user task (like deleting a file off the root, or launching applications like Regedit, etc). That being said, I’ve never also ran into issues where I had to cancel the prompt (IE is in protected mode, running standard user on Vista)

  41. orcmid says:

    I just ran a brand new Vista Home Premium PC through setup for my sister.  As part of adding a Microsoft Laser Desktop 6000 R2 keyboard and mouse (ditching the minimalist keyboard that Dell ships at no extra charge), I had to download two updates for Vista.  These were from http://www.microsoft.com/hardware/downloads.

    Neither of them was signed.  They had "unknown" suppliers — so not even version and origin information, apparently.

    My sister loves the computer.  The Media Center blew her mind, as did the snazzy upgrades to the games.  She’s likely to become addicted to the Mahjong tiles solitaire in a day or two.  She’s ordering broadband today.

  42. Dean Harding says:

    Thank you Ema. I would never have known just how great Linux is had you not hijacked this topic.

    And now that your work is done, that means you can go somewhere else… right?

  43. Ema says:

    Illuminator wrote: "Hey Ema, my Eureka moment came when I abandoned SQLite for SQL Server Compact Edition."

    Why? What do you mean?

    Anyway when you run closed source applications you can only be safe with Linux+AppArmor… In Windows you will never be safe.

    You don’t receive any sources of the OS, so it can’t be trusted (considering all the cr*p Microsoft guys inserted in new Millennium Edition II – bad graphics performance, bad network performance and so on – personally I don’t know anyone informed about facts that *really* trusts ME II).

    Cheers,

    Ema.

  44. Ema says:

    Sorry I didn’t mean to flame.

    But to be honest I think that I haven’t hijacked the thread.

    Digital signatures is *simply* about trust.

    The root of the problem is when you can’t trust the verifier (because it can be bugged sometimes or you don’t have the sources).

    Simple as cake.

    And staying on topic, with Linux+AppArmor you can take the risk to run unsecure/unverified/closed-source software.

    Is it possible in Windows?

    I’m serious, how can you trust an operating system that, for example, downgrades hardware performance to *try* to better support DRM?

    Cheers,

    Ema! :-)

  45. Two "microsoft" certificates from verisign have been revoked.

  46. Non-existing os says:

    Earlier OSes than vista can not really be called multilingual in the same sense that vista can. Those old OSes were not as easy to install, or even buy for that matter. Had to use several CDs (no dvds), cost tens of thousands of $$$, and was not really ready for prime time, and therefore not promoted especially resolutely as a product by ms. Comparable to w2k/xp for alpha or itanium.

  47. Andrei Muraru says:

    Is there a public API function that would allow me to check that a file was downloaded from the Internet?

    Thanks.

    [Don’t be helpless. There is enough information for you to build a useful search query. I didn’t know the answer either, but after some web searching I got the answer in five minutes. You can do it too. -Raymond]
  48. Igor says:

    Hahaha, I just figured out Denial Of Service attack (well sort of) using this “downloaded from the Internet” attack vector:

    1. Create a text file called nag_user.txt with the following content:

    —snip—

    [ZoneTransfer]

    ZoneID=3

    —snip—

    2. Do this:

    FOR /R C: %i IN (*.exe) DO type nag_user.txt > “%i”:Zone.Identifier

    You should be able to do it as a guest too as long as you have write access.

    It will leave the user with a ton of .exe files asking for confirmation and no easy way of resetting them all (except by using 3rd party utilities like STREAMS).

    [“As long as you have write access.” Well, if you have write access, then just copy pwnz0rd.exe victim.exe. -Raymond]
  49. Igor says:

    Eh, in experimenting with this it seems that I managed to find a real bug.

    1. I constructed a file identical to the nag_user.txt above but without the CR/LF pair at the end of second line.

    2. Then I did this:

    type nag_user.txt > test.exe:Zone.Identifier

    3. Then I got some random binary data (1291 bytes of it in case it matters) which doesn’t contain any 0x00 in it and appended it like this:

    type random.bin >> test.exe:Zone.Identifier

    4. Result is that explorer still shows the file has been downloaded in file properties and offers the unlock button but it runs it without asking!

    [If your goal was to make the file run without a warning, then you’re still trying too hard. Just delete the zone identifier entirely. -Raymond]
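
    The following is an added example (not code from the post or its commenters) showing how a launcher could read the Zone.Identifier marker described in the post and in the comments above, and what it should do when the marker is malformed as in Igor’s experiment. It assumes the marker is the INI-style text shown in comment 48 (a [ZoneTransfer] section with a ZoneID key), that zone numbers follow the URLMON security zones (0 local machine through 4 restricted), and that the only policy needed is “warn for zones 3 and 4”; the sample streams are constructed here.

```python
"""Parse a Zone.Identifier ("downloaded from the Internet") stream and
decide whether to warn.  Added example; the sample streams below are
constructed, and the warn-for-zone>=3 policy is a simplification."""
import re
from typing import Optional

# URLMON security zone numbers (URLZONE_*), as used in ZoneID=.
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}

_SECTION = re.compile(r"^\s*\[\s*ZoneTransfer\s*\]\s*$", re.IGNORECASE)
_ZONEID = re.compile(r"^\s*ZoneID\s*=\s*(\d+)\s*$", re.IGNORECASE)


def parse_zone_id(stream: bytes) -> Optional[int]:
    """Return the ZoneID from a Zone.Identifier stream, or None if the
    stream has no well-formed [ZoneTransfer]/ZoneID pair.

    Parsing is strict on purpose: a ZoneID line with trailing junk (the
    "binary data appended to a line with no CR/LF" case from comment 49)
    does not match and yields None instead of a guessed value."""
    text = stream.decode("utf-8", errors="replace")
    in_section = False
    for line in text.splitlines():
        if _SECTION.match(line):
            in_section = True
            continue
        if line.strip().startswith("["):
            in_section = False          # some other INI section
            continue
        if in_section:
            m = _ZONEID.match(line)
            if m:
                return int(m.group(1))
    return None


def should_warn(stream: Optional[bytes]) -> bool:
    """Decide whether to show the "came from another computer" prompt.

    No stream at all means the file was never marked (Raymond's point:
    deleting the marker is what removes the prompt).  A stream that is
    present but unparseable fails closed and is treated as Internet
    content, so a corrupted marker cannot be used to skip the prompt."""
    if stream is None:
        return False
    zone = parse_zone_id(stream)
    if zone is None:
        return True
    return zone >= 3            # Internet or Restricted Sites


def describe(stream: Optional[bytes]) -> str:
    """Human-readable summary for a properties-style dialog."""
    if stream is None:
        return "not marked"
    zone = parse_zone_id(stream)
    if zone is None:
        return "malformed marker (treated as Internet)"
    return f"{ZONE_NAMES.get(zone, 'unknown zone')} (ZoneID={zone})"


# Constructed sample streams for demonstration.
SAMPLE_INTERNET = b"[ZoneTransfer]\r\nZoneID=3\r\n"
SAMPLE_TRUSTED = b"[ZoneTransfer]\r\nZoneID=2\r\n"
# ZoneID line without CR/LF, followed by appended binary junk.
SAMPLE_CORRUPT = b"[ZoneTransfer]\r\nZoneID=3" + bytes([0x8B, 0x10, 0x41, 0x7F])

if __name__ == "__main__":
    for name, s in [("internet", SAMPLE_INTERNET), ("trusted", SAMPLE_TRUSTED),
                    ("corrupt", SAMPLE_CORRUPT), ("unmarked", None)]:
        print(f"{name:9s} -> {describe(s):45s} warn={should_warn(s)}")
```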
  50. Igor says:

    Oops… my mistake, Explorer _does_ prompt to run the file, if you run it from Total Commander then you don’t get a prompt. I guess it is because TC launches applications using some other method (CreateProcess?).

    “Well, if you have write access…”

    I agree, but this is harder to notice and harder to remove unless you are prepared to zap all the streams on all the exe files and you are aware that tools which enable you to do so exist.

    Frankly I don’t know exact ACLs for C: (since mine is formatted as FAT32) but newly formatted NTFS partitions have write access for the Users group and I presume that the same group has write access at least for the Program Files.

    [You’re taking my remark out of context. I was referring to file write access, not directory write access. I thought this was obvious since I was talking about how you can modify a file. -Raymond]
  51. Igor says:

    “Just delete the zone identifier entirely”

    I was actually trying to crash Explorer :)

    It is most curious why Explorer uses INI file format for that setting? Why parse strings when you can have one byte/word/dword?

    [You need a better imagination. Extensibility? -Raymond]
  52. Authenticode says:

    Where can I buy certificates *cheap*? I’m a hobby programmer and want to get rid of the warning.

    If it’s not possible, all I can think of is that MS doesn’t want hobby programmers developing & distributing software for their OS.

Comments are closed.