Files in System32/SysWOW64 that aren't present in WinSxS analyzer #1509

binglot · 2020-12-07T23:49:59Z

Allegedly, in modern Windows versions, most files in %windir%\System32 and %windir%\SysWOW64 have a corresponding file (a hard link?) in %windir%\WinSxS. As such, it'd be relatively easy to highlight which files in those directories aren't part of the OS. This would be useful when looking for a malware infection.

Create an analyzer that tags PE files (.EXE/.DLL/.SYS) in System32/SysWOW64 that don't occur in the WinSxS directory. Either by comparing the file system metadata (the "inode" is the same) or the file hash.

Example:

C:\Windows\SysWOW64\net.exe
- inode: 121849
- sha256_hash: d468e6b1b79555ac8bce0300942fd479689eb8f159f3a399848d3bf9b9990a56
C:\Windows\winsxs\x86_microsoft-windows-net-command-line-tool_31bf3856ad364e35_6.1.7600.16385_none_5208a7a3d3caa54c\net.exe
- inode: 121849
- sha256_hash: d468e6b1b79555ac8bce0300942fd479689eb8f159f3a399848d3bf9b9990a56

binglot added the Feature Request label Dec 7, 2020

binglot assigned berggren and kiddinn Dec 7, 2020

binglot added Analyzers and removed Feature Request labels Dec 7, 2020

jaegeral unassigned berggren and kiddinn Jul 7, 2021

jaegeral added this to the Future milestone Jul 7, 2021

berggren added the Feature Request label Jan 2, 2023

berggren removed this from the Future milestone Sep 25, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Files in System32/SysWOW64 that aren't present in WinSxS analyzer #1509

Files in System32/SysWOW64 that aren't present in WinSxS analyzer #1509

binglot commented Dec 7, 2020 •

edited

Files in System32/SysWOW64 that aren't present in WinSxS analyzer #1509

Files in System32/SysWOW64 that aren't present in WinSxS analyzer #1509

Comments

binglot commented Dec 7, 2020 • edited

binglot commented Dec 7, 2020 •

edited