sdbinst.exe

  • File Path: C:\Windows\SysWOW64\sdbinst.exe
  • Description: Application Compatibility Database Installer

Hashes

Type Hash
MD5 9A081E86E9FF0AA957EDA8E8D0624BAC
SHA1 326C4C3E1C05D66F1E646AF7CB2E4A5FEDB026F7
SHA256 837C16C1CA64E6DB32421FC56EFBD80BFCA8E9C8888E9240AB859C43ADAC1442
SHA384 089BCE4CFE6AA2906C5809A55BC5144FB25AF25B28AEF6EF484D2F84413024B89FE9ED9094AB676F84CB07CB63CA84C4
SHA512 D4490E47F58B0229FD368974103A1F3B7F5696B613856AA09E26658823F098AFADE8D050B2D944D7FDE530325053D8A29204EA9E387F9913D3A5654C9833DD29
SSDEEP 384:5ahy/EnSJIKqKziIyt4RRcHAnl+5nRl7Sew1sYmsPDErjWngWuTu:5aJZ+ziI9RRM6IlGUYmsPDEro0Tu
IMP DC04DAC563E65A0D0DAE0ACCC2AC61E2
PESHA1 F504937E50FF3801235B252D9689880AF701E6AF
PE256 545CB407B1D1B3C283F1A225F495530AE151256E9A5FF8E11C33080908A20E1F

Runtime Data

Usage (stdout):

Error: Invalid switch --help.
Usage: C:\Windows\SysWOW64\sdbinst.exe [-?] [-q] [-u] [-g] [-p] [-n[:WIN32|WIN64]] myfile.sdb | {guid} | "name"

    -? - print this help text.
    -p - Allow SDBs containing patches.
    -q - Quiet mode: prompts are auto-accepted.
    -u - Uninstall.
    -g {guid} - GUID of file (uninstall only).
    -n "name" - Internal name of file (uninstall only).

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\sdbinst.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: sdbinst.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/69
  • VirusTotal Link: https://www.virustotal.com/gui/file/837c16c1ca64e6db32421fc56efbd80bfca8e9c8888e9240ab859c43adac1442/detection/

File Similarity (ssdeep match)

File Score
C:\WINDOWS\SysWOW64\sdbinst.exe 40

Possible Misuse

The following table contains possible examples of sdbinst.exe being misused. While sdbinst.exe is not inherently malicious, its legitimate functionality (installing application-compatibility shim databases that redirect how a program is loaded or patched) can be abused to persist and to load attacker-controlled DLLs into trusted applications (MITRE ATT&CK T1546.011).

Source Source File Example License
sigma proc_creation_win_sdbinst_shim_persistence.yml title: Possible Shim Database Persistence via sdbinst.exe DRL 1.0
sigma proc_creation_win_sdbinst_shim_persistence.yml description: Detects installation of a new shim using sdbinst.exe. A shim can be used to load malicious DLLs into applications. DRL 1.0
sigma proc_creation_win_sdbinst_shim_persistence.yml Image|endswith: '\sdbinst.exe' DRL 1.0
atomic-red-team T1546.011.md A list of all shims currently installed by the default Windows installer (sdbinst.exe) is kept in: MIT License. © 2018 Red Canary
atomic-red-team T1546.011.md sdbinst.exe #{file_path} MIT License. © 2018 Red Canary
atomic-red-team T1546.011.md sdbinst.exe -u #{file_path} >nul 2>&1 MIT License. © 2018 Red Canary
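The Sigma selection above only matches the image name; to decide whether an sdbinst.exe event is a shim install (persistence) or the uninstall that the atomic test uses for cleanup, an analyst has to parse the switches documented in the usage text above (-q, -u, -p, -g, -n). The following is an added triage example, not code from Strontic, the Sigma project or Atomic Red Team: it applies the `Image|endswith '\sdbinst.exe'` selection to constructed process-creation records, parses the command line the way sdbinst's own usage describes it, and reports install versus uninstall, quiet mode and whether patches were allowed. The sample events, paths and the GUID in them are invented for the example.

```python
"""Triage Windows process-creation events for sdbinst.exe shim activity.

Selection follows the Sigma rule on the page (Image ends in '\\sdbinst.exe');
switch parsing follows sdbinst's own usage text (-?, -q, -u, -p, -g, -n).
All events below are constructed samples in the shape of a Sysmon Event ID 1
or Security 4688 record, not real logs.
"""
from typing import Dict, List, Optional

# Constructed sample events (assumed paths and GUID; not taken from a real host).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\sdbinst.exe",
     "CommandLine": r'sdbinst.exe -q "C:\Users\Public\updater.sdb"'},
    {"Image": r"C:\Windows\SysWOW64\sdbinst.exe",
     "CommandLine": r'"C:\Windows\SysWOW64\sdbinst.exe" -u "C:\Users\Public\updater.sdb"'},
    {"Image": r"C:\Windows\System32\sdbinst.exe",
     "CommandLine": r"sdbinst.exe -u -g {11111111-2222-3333-4444-555555555555}"},
    {"Image": r"C:\Windows\System32\sdbinst.exe",
     "CommandLine": r"sdbinst.exe -p -q C:\ProgramData\Vendor\fix.sdb"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Temp\notes.sdb"},
]


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace while honouring double quotes."""
    tokens, cur, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def is_sdbinst(image: str) -> bool:
    """The Sigma selection from the page: Image|endswith '\\sdbinst.exe'."""
    return image.lower().endswith("\\sdbinst.exe")


def parse_sdbinst(cmdline: str) -> Dict[str, object]:
    """Parse sdbinst switches per its usage text; first positional is the target
    (an .sdb path for install, or a path / {guid} / "name" for uninstall)."""
    info = {"uninstall": False, "quiet": False, "allow_patches": False,
            "by_guid": False, "by_name": False, "help": False, "target": None}
    for tok in tokenize(cmdline)[1:]:          # drop argv[0]
        low = tok.lower()
        if low.startswith("-"):
            sw = low[1:]
            if sw == "u":
                info["uninstall"] = True
            elif sw == "q":
                info["quiet"] = True
            elif sw == "p":
                info["allow_patches"] = True
            elif sw == "g":
                info["by_guid"] = True
            elif sw.startswith("n"):           # -n, or -n:WIN32 / -n:WIN64
                info["by_name"] = True
            elif sw == "?":
                info["help"] = True
        elif info["target"] is None:
            info["target"] = tok
    return info


def triage(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a verdict for sdbinst.exe events, None for every other process."""
    if not is_sdbinst(event["Image"]):
        return None
    info = parse_sdbinst(event["CommandLine"])
    target = str(info["target"] or "")
    if info["help"]:
        verdict = "help"
    elif info["uninstall"]:
        verdict = "uninstall"
    elif target.lower().endswith(".sdb"):
        verdict = "install"
    else:
        verdict = "unknown"
    notes: List[str] = []
    if verdict == "install":
        notes.append("new shim database installed (T1546.011 persistence)")
        if info["allow_patches"]:
            notes.append("-p: SDB may carry in-memory patches")
        if info["quiet"]:
            notes.append("-q: prompts auto-accepted, no user interaction")
    elif verdict == "uninstall":
        how = "GUID" if info["by_guid"] else ("name" if info["by_name"] else "path")
        notes.append("shim removed by " + how)
    return {"verdict": verdict, "target": info["target"], "notes": notes,
            "quiet": info["quiet"], "allow_patches": info["allow_patches"]}


def triage_all(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Triage a batch, dropping non-sdbinst events."""
    return [r for r in (triage(e) for e in events) if r is not None]


if __name__ == "__main__":
    for result in triage_all(SAMPLE_EVENTS):
        print(result)
```

An install verdict is the one to escalate; an uninstall shortly after an install from the same host usually means a test or a cleanup step. To confirm what is actually installed on the host, compare the flagged .sdb against the shim registrations under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom and \InstalledSDB and the copies sdbinst places under %SystemRoot%\AppPatch\Custom, since an attacker can also register a shim directly in the registry without ever running sdbinst.exe.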

MIT License. Copyright (c) 2020-2021 Strontic.