sdbinst.exe

  • File Path: C:\Windows\system32\sdbinst.exe
  • Description: Application Compatibility Database Installer

Hashes

Type Hash
MD5 B41D427B810504D0479BF2CFBE385009
SHA1 B1FB98279B8FAF449C2BAF52542C7D92B103A25E
SHA256 05C2B18046FD436E9D726C25BF39D62410CA5B295EE5BFD473607E125672076D
SHA384 A940829B2E4C41391C06F25C3AE488C3CF9FB1F623C3E2C35CF622B2A40BEC660C84365739159B03DE3396B09DC83A49
SHA512 ED0194B8D15FAB2C80CB4A7FD34F1CBFBE42B22E447D23D37D68FC5273728716192DAA8F765A79A2FFFF033CDDBDDBA35E90560604DB6D9B45A3E23613551AFC
SSDEEP 384:bHgVSPQlmB8YKtrFoJl0BUuESeBtOB8YmgzpS2jVdg/E0FyRLyUqbhk2BRbmDWDJ:bHgVSIe8XBATuEvm6XMWywUqb22BRy8

Runtime Data

Usage (stdout):

Error: Invalid switch -help.
Usage: C:\Windows\system32\sdbinst.exe [-?] [-q] [-u] [-g] [-p] [-n[:WIN32|WIN64]] myfile.sdb | {guid} | "name"

    -? - print this help text.
    -p - Allow SDBs containing patches.
    -q - Quiet mode: prompts are auto-accepted.
    -u - Uninstall.
    -g {guid} - GUID of file (uninstall only).
    -n "name" - Internal name of file (uninstall only).

Signature

  • Status: Signature verified.
  • Serial: 33000000BCE120FDD27CC8EE930000000000BC
  • Thumbprint: E85459B23C232DB3CB94C7A56D47678F58E8E51E
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: sdbinst.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.14393.0 (rs1_release.160715-1616)
  • Product Version: 10.0.14393.0
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of sdbinst.exe being misused. While sdbinst.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_sdbinst_shim_persistence.yml title: Possible Shim Database Persistence via sdbinst.exe DRL 1.0
sigma proc_creation_win_sdbinst_shim_persistence.yml description: Detects installation of a new shim using sdbinst.exe. A shim can be used to load malicious DLLs into applications. DRL 1.0
sigma proc_creation_win_sdbinst_shim_persistence.yml Image\|endswith: '\sdbinst.exe' DRL 1.0
atomic-red-team T1546.011.md A list of all shims currently installed by the default Windows installer (sdbinst.exe) is kept in: MIT License. © 2018 Red Canary
atomic-red-team T1546.011.md sdbinst.exe #{file_path} MIT License. © 2018 Red Canary
atomic-red-team T1546.011.md sdbinst.exe -u #{file_path} >nul 2>&1 MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.