sdbinst.exe

  • File Path: C:\WINDOWS\system32\sdbinst.exe
  • Description: Application Compatibility Database Installer

Hashes

Type Hash
MD5 5E460BFBDDC72EE70E67CD636CB72740
SHA1 C50B28850B2E6BFCA56E778CFD3E27D3F84B8E2E
SHA256 BB62C5070224A26CC213F1AB20187F9003FED9C84C388B5B14C519CD85C3F584
SHA384 AC8E4FB28DCC4415670A2B4CE856FF2E2CB8F4376B6E5B75B6AB49318D861ABD20DBC6C826E1A3A64D9C114306ABAD37
SHA512 E83C3C16E411EF5229593250488EBF7695307FA1245DE410BDFBE42540B8C5DB6B3FA10479BCC67009D224F0BF48FE42FA4F0FFA6DD4241036F371111AD35FFE
SSDEEP 384:MVbQ7JU4CQkqfPFJflKEyoSRxnNjRgv1WstuiYi/EfBFQHQh/coDWKgW:M2q6kqnFJfleoUxnY83FQHQh/lB
IMP 5D01C40092C3C1075F7A8335CD70663B
PESHA1 407F42917DABE9BCF4FC56F00CDF43CA98BAC4F4
PE256 73C2C9EC1E3A02213F7B70F90D902E0D05DCAE5209F372EDA8F117D162DECA11

Runtime Data

Usage (stdout, captured by running sdbinst.exe --help; the tool rejects --help as an invalid switch and then prints its help text):

Error: Invalid switch --help.
Usage: C:\WINDOWS\system32\sdbinst.exe [-?] [-q] [-u] [-g] [-p] [-n[:WIN32|WIN64]] myfile.sdb | {guid} | "name"

    -? - print this help text.
    -p - Allow SDBs containing patches.
    -q - Quiet mode: prompts are auto-accepted.
    -u - Uninstall.
    -g {guid} - GUID of file (uninstall only).
    -n "name" - Internal name of file (uninstall only).

Loaded Modules:

Path
C:\WINDOWS\System32\KERNEL32.DLL
C:\WINDOWS\System32\KERNELBASE.dll
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\system32\sdbinst.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: sdbinst.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: Unknown

Possible Misuse

The following table contains possible examples of sdbinst.exe being misused. While sdbinst.exe is not inherently malicious, its legitimate function, installing an application compatibility (shim) database, can be abused: an installed shim can make the applications it targets load attacker-supplied DLLs, and with the -p switch the database may also carry patches. This is the persistence technique MITRE ATT&CK tracks as T1546.011 (Application Shimming).

  • Source: sigma
    Source File: proc_creation_win_sdbinst_shim_persistence.yml
    Examples:
      title: Possible Shim Database Persistence via sdbinst.exe
      description: Detects installation of a new shim using sdbinst.exe. A shim can be used to load malicious DLLs into applications.
      Image|endswith: '\sdbinst.exe'
    License: DRL 1.0

  • Source: atomic-red-team
    Source File: T1546.011.md
    Examples:
      A list of all shims currently installed by the default Windows installer (sdbinst.exe) is kept in:
      sdbinst.exe #{file_path}
      sdbinst.exe -u #{file_path} >nul 2>&1
    License: MIT License. © 2018 Red Canary
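
The Sigma selection above matches every sdbinst.exe launch, including the uninstall line from the Atomic Red Team test, so an analyst still has to read the command line to tell a fresh shim install from a removal. The script below is an added example, not code from this page, SigmaHQ or Red Canary: it applies the page's one selection (Image|endswith '\sdbinst.exe', matched case-insensitively as Sigma does by default) to constructed Sysmon-style process-creation events and then parses the arguments according to the usage text printed above. The function names, the sample events, the GUID and the "SDB outside C:\Windows" heuristic are all assumptions made for the example.

```python
"""Triage helper for sdbinst.exe process-creation events (added example).

Not code from the Strontic page, SigmaHQ or Atomic Red Team. It applies the
Sigma selection shown on the page and then reads sdbinst.exe's arguments per
its own usage text:
    [-?] [-q] [-u] [-g] [-p] [-n[:WIN32|WIN64]] myfile.sdb | {guid} | "name"
The events at the bottom are constructed samples, not real telemetry.
"""
import re
from typing import Dict, List, Optional

SIGMA_IMAGE_SUFFIX = "\\sdbinst.exe"        # Image|endswith: '\sdbinst.exe'
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')     # whitespace split, quotes kept whole


def image_matches(image: str) -> bool:
    """Sigma 'endswith' without the 'cased' modifier is case-insensitive."""
    return image.lower().endswith(SIGMA_IMAGE_SUFFIX)


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping "quoted" runs whole.
    shlex is avoided on purpose: it would swallow the backslashes in Windows paths."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _TOKEN.finditer(cmdline)]


def parse_sdbinst(cmdline: str) -> Dict[str, object]:
    """Interpret sdbinst.exe switches as documented in its usage text."""
    info: Dict[str, object] = {
        "action": "install",       # default; -u makes it an uninstall
        "quiet": False,            # -q: prompts are auto-accepted
        "patches_allowed": False,  # -p: SDBs containing patches are accepted
        "target": None,            # the .sdb path, {guid} or "name"
        "target_kind": None,       # "file", "guid" or "name"
        "arch": None,              # from -n:WIN32 / -n:WIN64 when present
    }
    args = tokenize(cmdline)[1:]   # drop the program token itself
    i = 0
    while i < len(args):
        a, low = args[i], args[i].lower()
        if low == "-q":
            info["quiet"] = True
        elif low == "-u":
            info["action"] = "uninstall"
        elif low == "-p":
            info["patches_allowed"] = True
        elif low == "-g" and i + 1 < len(args):      # -g {guid} (uninstall only)
            i += 1
            info["target"], info["target_kind"] = args[i], "guid"
        elif low == "-n" and i + 1 < len(args):      # -n "name" (uninstall only)
            i += 1
            info["target"], info["target_kind"] = args[i], "name"
        elif low.startswith("-n:"):                  # -n:WIN32 | -n:WIN64
            info["arch"] = a[3:].upper()
        elif not low.startswith("-"):                # positional: file, {guid} or name
            info["target"] = a
            if a.startswith("{") and a.endswith("}"):
                info["target_kind"] = "guid"
            elif low.endswith(".sdb"):
                info["target_kind"] = "file"
            else:
                info["target_kind"] = "name"
        i += 1
    return info


def triage(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return an alert for events matching the Sigma selection, else None."""
    if not image_matches(event.get("Image", "")):
        return None
    info = parse_sdbinst(event.get("CommandLine", ""))
    notes: List[str] = []
    if info["action"] == "install":
        notes.append("new shim database installed (persistence candidate)")
        if info["patches_allowed"]:
            notes.append("-p: SDBs containing patches are accepted")
        if info["quiet"]:
            notes.append("-q: no interactive prompt, consistent with a scripted install")
        # Assumed heuristic for the example: vendor shims normally live under the Windows tree.
        if info["target_kind"] == "file" and not str(info["target"]).lower().startswith("c:\\windows\\"):
            notes.append("SDB sourced from outside C:\\Windows")
    else:
        notes.append("shim database removed (possible cleanup after use)")
    return {"rule": "Possible Shim Database Persistence via sdbinst.exe",
            "parent": event.get("ParentImage"), **info, "notes": notes}


def run(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Evaluate a batch of process-creation events and keep only the alerts."""
    return [a for a in map(triage, events) if a is not None]


# Constructed sample events in a Sysmon event-ID-1-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\sdbinst.exe",
     "CommandLine": "sdbinst.exe -q -p C:\\Users\\Public\\update.sdb",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"Image": "C:\\WINDOWS\\SYSTEM32\\SDBINST.EXE",      # upper-case path still matches
     "CommandLine": "SDBINST.EXE -u -g {12345678-1234-1234-1234-123456789abc}",
     "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"Image": "C:\\Windows\\System32\\sdbinst.exe",
     "CommandLine": 'sdbinst.exe -u -n "Contoso Fix"',
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"Image": "C:\\Windows\\System32\\svchost.exe",      # unrelated process, no alert
     "CommandLine": "svchost.exe -k netsvcs",
     "ParentImage": "C:\\Windows\\System32\\services.exe"},
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert["action"], alert["target_kind"], alert["target"], "|", "; ".join(alert["notes"]))
```

The leading backslash in the suffix matters: `C:\...\notsdbinst.exe` ends with `sdbinst.exe` but not with `\sdbinst.exe`, so the rule's pattern does not match a renamed lookalike binary and neither does this script. Treat the parsed switches as triage context rather than a suppression list: the quiet (-q) and patch (-p) installs from a user-writable path are the ones worth pulling the SDB for, while the uninstall lines are the same shape the Atomic Red Team cleanup step produces.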

MIT License. Copyright (c) 2020-2021 Strontic.