Quick Answer
sigcheck.exe is safe. It's a legitimate Sysinternals tool from Microsoft used to verify digital signatures, display certificate data, and collect file metadata for Windows executables.
Is it a Virus?
✔ NO - Safe
Must be in C:\Sysinternals\Sigcheck.exe or C:\Program Files\Sysinternals\Sigcheck.exe
Warning
Unusual location or unknown signer
If sigcheck.exe runs unexpectedly or is found outside the Sysinternals folder, verify the file against the official Microsoft download.
Can I Disable?
✔ YES
If you do not need it for audits, simply avoid running it or remove the Sysinternals package.
What is sigcheck.exe?
sigcheck.exe is the Sysinternals Signature Verification Tool. It checks Windows executables and DLLs to report digital signatures, signer data, and file metadata. It’s a compact command-line utility used by admins for inventory and security checks.
Sigcheck uses Windows APIs to extract signatures, certificate chains, and timestamps, and can compute SHA-1/SHA-256 hashes. It outputs signer, cert details, and file info to aid trust verification and incident response.
Quick Fact: Sigcheck was designed for rapid binary verification and is frequently used in incident response to validate software trust quickly.
Usage Modes
- Signature Verification: Checks that the file is signed and reports the signer
- Certificate Display: Shows the certificate chain and subject details
- Hash Calculation: Computes SHA-1/SHA-256 hashes for integrity checks
Is sigcheck.exe Safe?
Yes, sigcheck.exe is safe when retrieved from the official Sysinternals/Microsoft sources and located in the proper Sysinternals folder.
Is sigcheck.exe a Virus or Malware?
The real sigcheck.exe is NOT a virus. Malware can masquerade under similar names, so verify the path and signature.
How to Tell if sigcheck.exe is Legitimate or Malware
- File Location: Must be in C:\Sysinternals\Sigcheck.exe or C:\Program Files\Sysinternals\Sigcheck.exe
- Digital Signature: Right-click the file -> Properties -> Digital Signatures. Should show a signature from 'Sysinternals, a division of Microsoft Corporation' or 'Microsoft Corporation'.
- Hash Verification: Compare the file's SHA-256 hash with the official value published by Microsoft for the downloaded release.
- Source Integrity: Download Sigcheck only from https://download.sysinternals.com/files/sigcheck.zip and extract to a trusted folder.
Red Flags: If sigcheck.exe is missing the official signature, is located in an unexpected folder, or lacks a valid certificate, treat it as suspicious and scan it with antivirus.
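The location, signature and hash checks above can be run together from PowerShell. This is an added example, not code from Microsoft or from the original page; the function name Test-SigcheckBinary and its ExpectedSha256 parameter are hypothetical, and the expected hash is a value you supply yourself from a trusted source.

```powershell
# Added example (not Microsoft's code): scripted form of the checklist above.
function Test-SigcheckBinary {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumption: SHA-256 obtained by you from a trusted source; empty skips the check.
        [string] $ExpectedSha256 = ''
    )

    # Folders the page lists as expected locations.
    $trustedDirs = @('C:\Sysinternals', 'C:\Program Files\Sysinternals')
    $findings = New-Object System.Collections.Generic.List[string]

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{ Path = $Path; Suspicious = $true; Findings = @('File not found') }
    }
    $full = (Get-Item -LiteralPath $Path).FullName
    $dir  = Split-Path -Parent $full

    # 1. File location (-notcontains is case-insensitive for strings).
    if ($trustedDirs -notcontains $dir) { $findings.Add("Unexpected location: $dir") }

    # 2. Digital signature: the chain must validate AND the signer must be Microsoft.
    #    A name match alone proves nothing, so both conditions are checked.
    $sig = Get-AuthenticodeSignature -LiteralPath $full
    if ($sig.Status -ne 'Valid') { $findings.Add("Signature status: $($sig.Status)") }
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
    if ($subject -notmatch 'Microsoft Corporation') { $findings.Add("Unexpected signer: $subject") }

    # 3. Hash verification against the caller-supplied value.
    $sha256 = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash
    if ($ExpectedSha256 -and ($sha256 -ne $ExpectedSha256.Trim())) {
        $findings.Add('SHA-256 differs from the expected value')
    }

    [pscustomobject]@{
        Path       = $full
        Signer     = $subject
        SHA256     = $sha256
        Suspicious = ($findings.Count -gt 0)
        Findings   = $findings.ToArray()
    }
}

# Check the default location named on the page.
Test-SigcheckBinary -Path 'C:\Sysinternals\Sigcheck.exe' | Format-List
```

A result with Suspicious set to True lists each failed check in Findings, which maps directly onto the red flags described above.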
Why Is sigcheck.exe Running on My PC?
Sigcheck.exe runs when an administrator or IT automation tool is performing signature and integrity checks on Windows binaries. It is not a background daemon but can appear during audits or scripted checks.
Reasons it's running:
- Active Inventory or Compliance Scan: A management tool or security suite runs sigcheck to inventory executables and verify trust across endpoints.
- Software Audits and Baselines: During security or software compliance audits, sigcheck reports are collected for risk assessment.
- Imaging or Deployment Processes: Imaging pipelines and deployment scripts verify included binaries with signature data.
- On-Demand Binary Verification: You or a colleague ran sigcheck to verify a downloaded executable before execution.
- Endpoint Monitoring: EDR or endpoint monitoring agents run quick checks to confirm that trusted binaries are present.
Can I Disable or Remove sigcheck.exe?
Yes, you can disable or remove sigcheck.exe. It is a diagnostic tool, not required for system operation.
How to Stop sigcheck.exe
- End Active Run: If sigcheck.exe is currently running, terminate the process in Task Manager (Ctrl+Shift+Esc) by selecting sigcheck.exe and clicking End Task.
- Remove from Disk: Delete C:\Sysinternals\Sigcheck.exe or C:\Program Files\Sysinternals\Sigcheck.exe to prevent future runs.
- Pause Startup Checks: If it runs as part of a deployment script, disable the script execution in your IT automation tool.
- Security Considerations: Keep a copy of the Sysinternals package only if you need legitimate checks; otherwise remove it.
- Group Policy or Endpoint Controls: Block execution for non-admin users if required via AppLocker or WDAC rules.
How to Uninstall Sigcheck
- ✔ Delete C:\Sysinternals\Sigcheck.exe (and related Sysinternals tools if not needed)
- ✔ If you installed the Sysinternals Suite via an installer, run the installer again and choose Remove
Common Problems: Sigcheck Errors or Odd Output
If sigcheck.exe returns errors or unexpected results during a verification task:
Common Causes & Solutions
- File not found: Verify the file path exists (C:\Sysinternals\Sigcheck.exe or C:\Program Files\Sysinternals\Sigcheck.exe) and re-run.
- Access denied: Run as Administrator or adjust permissions on the Sysinternals folder.
- Unsigned or invalid signature: Check the signature using signtool and compare to official Microsoft signers.
- Hash mismatch: Download the official hash from Microsoft and compare with the computed SHA-256.
- Signtool not found: Install Windows SDK or point to an existing signtool.exe path in the Windows Kits folder.
- Verbose output: Use the -q option for quiet output and redirect to a file if needed.
Quick Fixes:
1. Run as Administrator and verify path: C:\Sysinternals\Sigcheck.exe
2. Use -nq or -q for concise output and pipe to a log file
3. Compare SHA-256 with official hash file: C:\Sysinternals\sigcheck_sha256.txt
4. Download the latest Sigcheck from the official Sysinternals site
Frequently Asked Questions
Is sigcheck.exe safe?
Yes, if it was downloaded from the official Sysinternals site and is located in a trusted folder (C:\Sysinternals or C:\Program Files\Sysinternals).
What does sigcheck.exe do?
It verifies digital signatures, displays signer information, certificates, and hashes for Windows executables.
Where is sigcheck.exe located?
Typically in C:\Sysinternals\Sigcheck.exe or C:\Program Files\Sysinternals\Sigcheck.exe.
Can sigcheck.exe be used by malware?
Malware can mimic sigcheck.exe; always confirm the path and signature from Microsoft.
How do I verify sigcheck.exe's signature?
Right-click the file, check Digital Signatures, or use signtool verify /pa C:\Sysinternals\Sigcheck.exe.
How do I download sigcheck.exe safely?
Download the Sysinternals Suite from Microsoft’s official site and extract Sigcheck.exe to a trusted folder.