sdbinst.exe

  • File Path: C:\Windows\system32\sdbinst.exe
  • Description: Application Compatibility Database Installer

Hashes

Type Hash
MD5 6A4B8C7090D67687D9A46E9BEC67FE48
SHA1 3FEA26A8E6E66B373C954F0601EAA22F544341D2
SHA256 E4F4F22E877C3A417EEA12E7B94CB014CA44CDCDD8F28E3875D90DEF937F182D
SHA384 CCAB3F10FA1519B34A4E24497BD7BEB23F6093DFF325316281C5B2F537067CDAB93930F4B9791E7A36CC32D48F320E0C
SHA512 A0E27C7D23BAA4637739913F6DA5B9C8D8AA65AAFE4EF9E1D25D9E819BE6D0FCEFCC78112CB817427B278DAC4CBC5DCE4F521B1FAEBCC42310584862F5A82C5E
SSDEEP 384:s/y/Z0MK6L81zXovOym1a5gOFxYIzr/GdsEri/EXD4pLCIy2BcmQ7WngW:2y/ZhgYfm1WgEWT0WIy2BcmQg
IMP 5D01C40092C3C1075F7A8335CD70663B
PESHA1 1AD379D6F1D33D08742DDD8718C1A4F9DF296888
PE256 80E7233BCFBBF7A7963B0003EDFEFA1225FC4F2BBE102012FAD3D9A0C1D4AA88

Runtime Data

Usage (stdout):

Error: Invalid switch --help.
Usage: C:\Windows\system32\sdbinst.exe [-?] [-q] [-u] [-g] [-p] [-n[:WIN32|WIN64]] myfile.sdb | {guid} | "name"

    -? - print this help text.
    -p - Allow SDBs containing patches.
    -q - Quiet mode: prompts are auto-accepted.
    -u - Uninstall.
    -g {guid} - GUID of file (uninstall only).
    -n "name" - Internal name of file (uninstall only).

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: sdbinst.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/71
  • VirusTotal Link: https://www.virustotal.com/gui/file/e4f4f22e877c3a417eea12e7b94cb014ca44cdcdd8f28e3875d90def937f182d/detection/

File Similarity (ssdeep match)

File Score
C:\WINDOWS\system32\sdbinst.exe 40

Possible Misuse

The following table contains possible examples of sdbinst.exe being misused. While sdbinst.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_sdbinst_shim_persistence.yml title: Possible Shim Database Persistence via sdbinst.exe DRL 1.0
sigma proc_creation_win_sdbinst_shim_persistence.yml description: Detects installation of a new shim using sdbinst.exe. A shim can be used to load malicious DLLs into applications. DRL 1.0
sigma proc_creation_win_sdbinst_shim_persistence.yml Image\|endswith: '\sdbinst.exe' DRL 1.0
atomic-red-team T1546.011.md A list of all shims currently installed by the default Windows installer (sdbinst.exe) is kept in: MIT License. © 2018 Red Canary
atomic-red-team T1546.011.md sdbinst.exe #{file_path} MIT License. © 2018 Red Canary
atomic-red-team T1546.011.md sdbinst.exe -u #{file_path} >nul 2>&1 MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.