Where can I get MD5 hash of system files?



speeder
07-10-2005, 12:36 AM
I want to make sure certain files that are named what they are, are
truly that. Where can I get Windows system files MD5 hashes?

I currently suspect ctfmon.exe to be something else, even if I delete
it from the system32 folder it comes back!

C:\WINDOWS\system32\ctfmon.exe
MD5 hash: f40bc97996b8e53799eef1d63996674b
15.360 bytes
version 5.1.2600.2180
OS: WinXP SP2

On a related subject, I've noticed that Msinfo32.exe utility will
check for system files that are not digitally signed. How does it do
that, with hash checksums?

Doug Knox MS-MVP
07-10-2005, 12:36 AM
CTFMON.EXE is a valid windows file. The reason it keeps coming back when you delete it is that it is a protected system file. Windows XP keeps a backup copy of files that are considered critical and/or part of the operating system. If you delete one, it's restored from the backup by Windows File Protection.

--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Per user Group Policy Restrictions for XP Home and XP Pro
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.

"speeder" <no.spam@invalid.com> wrote in message news:np5q81d4dlhomie9660fpgmhc31ko1k4mj@4ax.com...
>I want to make sure certain files that are named what they are, are
> truly that. Where can I get Windows system files MD5 hashes?
>
> I currently suspect ctfmon.exe to be something else, even if I delete
> it from the system32 folder it comes back!
>
> C:\WINDOWS\system32\ctfmon.exe
> MD5 hash: f40bc97996b8e53799eef1d63996674b
> 15.360 bytes
> version 5.1.2600.2180
> OS: WinXP SP2
>
> On a related subject, I've noticed that Msinfo32.exe utility will
> check for system files that are not digitally signed. How does it do
> that, with hash checksums?

speeder
07-10-2005, 12:36 AM
On Thu, 19 May 2005 18:54:37 -0400, "Doug Knox MS-MVP"
<dknox@mvps.org> wrote:

>CTFMON.EXE is a valid windows file. The reason it keeps coming back when you delete it is that it is a protected system file. Windows XP keeps a backup copy of files that are considered critical and/or part of the operating system. If you delete one, it's restored from the backup by Windows File Protection.

Thanks for the response Doug, it's good to hear that.

I would like to keep some control of the many installed system
components and thought of using MD5. If MS does not have a db
somewhere with this I can't really go forward. Does this exist?

Or maybe this is already provided with the Msinfo32 digital signature
verification function. Is it doing what I think it is doing
(contacting crl.microsoft.com, getting hash sums and comparing with
those on my drive)?

thanks

Doug Knox MS-MVP
07-10-2005, 12:36 AM
I'm not sure if they're using MD5 hashes, or not. There is a local database, but I don't know the exact mechanics of it. It does depend on the digital signature for the executables and other files. More info on Windows File Protection can be found here:

http://support.microsoft.com/?kbid=222193

--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Per user Group Policy Restrictions for XP Home and XP Pro
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.

"speeder" <no.spam@invalid.com> wrote in message news:0i4s81lbq40luhqap2i2inud1c8k48188h@4ax.com...
> On Thu, 19 May 2005 18:54:37 -0400, "Doug Knox MS-MVP"
> <dknox@mvps.org> wrote:
>
>>CTFMON.EXE is a valid windows file. The reason it keeps coming back when you delete it is that it is a protected system file. Windows XP keeps a backup copy of files that are considered critical and/or part of the operating system. If you delete one, it's restored from the backup by Windows File Protection.
>
> Thanks for the response Doug, it's good to hear that.
>
> I would like to keep some control of the many installed system
> components and thought of using MD5. If MS does not have a db
> somewhere with this I can't really go forward. Does this exist?
>
> Or maybe this is already provided with the Msinfo32 digital signature
> verification function. Is it doing what I think it is doing
> (contacting crl.microsoft.com, getting hash sums and comparing with
> those on my drive)?
>
> thanks
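
The idea raised in this thread (tracking installed system components by hash, combined with the digital-signature check that Msinfo32 exposes) can be done locally. The script below is an added example, not part of the original thread: it assumes PowerShell 5.1 or later (much newer than the Windows XP system discussed), uses SHA-256 instead of MD5, and writes its baseline to a hypothetical path.

```powershell
# Added example: hash + signature baseline for system binaries (not from the thread).
param(
    [string]$Root = "$env:SystemRoot\System32",
    [string]$BaselinePath = "$env:ProgramData\sysfile-baseline.csv",  # hypothetical path
    [switch]$Update                                                   # rewrite the baseline
)

function Get-FileRecord {
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -LiteralPath $Root -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.dll', '.sys' } |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Path      = $_.FullName
                Length    = $_.Length
                Version   = $_.VersionInfo.FileVersion
                SHA256    = [string]$hash.Hash      # empty if the file could not be read
                SigStatus = [string]$sig.Status     # Valid, NotSigned, HashMismatch, ...
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
}

$current = @(Get-FileRecord -Root $Root)

if ($Update -or -not (Test-Path -LiteralPath $BaselinePath)) {
    $current | Export-Csv -LiteralPath $BaselinePath -NoTypeInformation -Encoding UTF8
    Write-Output "Baseline written: $($current.Count) files"
    return
}

# Index the stored baseline by path (hashtable string keys are case-insensitive).
$baseline = @{}
Import-Csv -LiteralPath $BaselinePath | ForEach-Object { $baseline[$_.Path] = $_ }

foreach ($f in $current) {
    $old = $baseline[$f.Path]
    $finding = $null
    if (-not $old)                     { $finding = 'NEW' }
    elseif ($old.SHA256 -ne $f.SHA256) { $finding = 'CHANGED' }            # also expected after updates
    elseif ($f.SigStatus -ne 'Valid')  { $finding = 'NOT_VALIDLY_SIGNED' }
    if ($finding) { $f | Select-Object @{ n = 'Finding'; e = { $finding } }, Path, SHA256, SigStatus, Signer }
    $baseline.Remove($f.Path)
}
# Anything still in the baseline existed before and is gone now.
$baseline.Values | Select-Object @{ n = 'Finding'; e = { 'MISSING' } }, Path, SHA256, SigStatus, Signer
```

A baseline only records the state at first run, so the signature status is what ties a file back to its publisher. A CHANGED entry that still has a Valid signature is the normal result of patching.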

