sdbinst.exe

  • File Path: C:\Windows\system32\sdbinst.exe
  • Description: Application Compatibility Database Installer

Hashes

Type    Hash
MD5     111F6F0708DA82681BE2B1B25B25BED3
SHA1    3D1D4F53EE96F29EDA84E48425FDD60962D24BDB
SHA256  5C07D2D008652A173B05460570F5B73763CC7E2E094391320E3741C9448AE0F8
SHA384  EC27F97FE8FFFE81730BC42806338422F2FE6863AAF3F1EF7C705BEE696DDD273417F95AE925A29246BC6525D0BB5E97
SHA512  6757D98D74A6E60CC09A5FE27E7EB080F9FAD36614ACE2D00BF75BA3F99F974A52F552C45C4662C925FC4DCE6C8B392FCAE9205B186E81CE51FEB2C1F91C892F
SSDEEP  384:ybwRvEgNKgGXZ/bgtIhaRkZE6SFZKhi/EazdZM9Sy2Bc6zFzWRgW:IwRCJDgtChqmGdZM9Sy2Bc6zFq
IMP     5D01C40092C3C1075F7A8335CD70663B
PESHA1  70565E0F6C4D0255D7930E9BF13C18F91705F2BC
PE256   4712A7173033ACE575AB9437C6E158AC92111E0C287CD75875A533687AF980FD

Runtime Data

Usage (stdout):

Error: Invalid switch --help.
Usage: C:\Windows\system32\sdbinst.exe [-?] [-q] [-u] [-g] [-p] [-n[:WIN32|WIN64]] myfile.sdb | {guid} | "name"

    -? - print this help text.
    -p - Allow SDBs containing patches.
    -q - Quiet mode: prompts are auto-accepted.
    -u - Uninstall.
    -g {guid} - GUID of file (uninstall only).
    -n "name" - Internal name of file (uninstall only).

Loaded Modules:

Path
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\system32\sdbinst.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: sdbinst.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/76
  • VirusTotal Link: https://www.virustotal.com/gui/file/5c07d2d008652a173b05460570f5b73763cc7e2e094391320e3741c9448ae0f8/detection

File Similarity (ssdeep match)

File                             Score
C:\Windows\system32\sdbinst.exe  63
C:\Windows\system32\sdbinst.exe  88

Possible Misuse

The following table contains possible examples of sdbinst.exe being misused. While sdbinst.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source           Source File                                     Example                                                                                                                        License
sigma            proc_creation_win_sdbinst_shim_persistence.yml  title: Possible Shim Database Persistence via sdbinst.exe                                                                      DRL 1.0
sigma            proc_creation_win_sdbinst_shim_persistence.yml  description: Detects installation of a new shim using sdbinst.exe. A shim can be used to load malicious DLLs into applications.  DRL 1.0
sigma            proc_creation_win_sdbinst_shim_persistence.yml  Image|endswith: '\sdbinst.exe'                                                                                                 DRL 1.0
atomic-red-team  T1546.011.md                                    A list of all shims currently installed by the default Windows installer (sdbinst.exe) is kept in:                             MIT License. © 2018 Red Canary
atomic-red-team  T1546.011.md                                    sdbinst.exe #{file_path}                                                                                                       MIT License. © 2018 Red Canary
atomic-red-team  T1546.011.md                                    sdbinst.exe -u #{file_path} >nul 2>&1                                                                                          MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.