sdbinst.exe

  • File Path: C:\WINDOWS\SysWOW64\sdbinst.exe
  • Description: Application Compatibility Database Installer

Hashes

Type Hash
MD5 B7E8600B88014536C31D2E8ACA08D1AD
SHA1 DD47877A9DAEEDDCEF419A1C669575033A469D58
SHA256 EC03B0231B3899D3512DE459A9E87E5C621E77C79CA26C58279F376B61F88DBE
SHA384 F3537804723B77E9F6E8F15DBDD6DC3A72F53230BC8599795D5E6CA88DDD681AD4BC3C3720CBB6771F0BC47D0F3A4015
SHA512 84B03E1BDAB68088634895F0B26A344639DAF7F7E07765F9763A54D11707DF6626A3FBF77EBF2C4CBF0D3F57BE27E9F278E9AD8AA777AA1051B689EF6F4CCA56
SSDEEP 384:ahy/EIp6SJ1UhXZp7RDnD61X8tc5In+OUbaVDGSp/PF7WKgWumg:aSQmUvp7RDD61x5I+yVqSp/PFJ0V
IMP DC04DAC563E65A0D0DAE0ACCC2AC61E2
PESHA1 284FECAD781D7018587481B21847C2622D51BB5F
PE256 964C72039FB094D7C56F0D9121E280FE3369499EA7CF7DC8744103FA9508692C

Runtime Data

Usage (stdout):

Error: Invalid switch --help.
Usage: C:\WINDOWS\SysWOW64\sdbinst.exe [-?] [-q] [-u] [-g] [-p] [-n[:WIN32|WIN64]] myfile.sdb | {guid} | "name"

    -? - print this help text.
    -p - Allow SDBs containing patches.
    -q - Quiet mode: prompts are auto-accepted.
    -u - Uninstall.
    -g {guid} - GUID of file (uninstall only).
    -n "name" - Internal name of file (uninstall only).

Loaded Modules:

Path
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\System32\wow64.dll
C:\WINDOWS\System32\wow64base.dll
C:\WINDOWS\System32\wow64con.dll
C:\WINDOWS\System32\wow64cpu.dll
C:\WINDOWS\System32\wow64win.dll
C:\WINDOWS\SysWOW64\sdbinst.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: sdbinst.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.282 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.282
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: Unknown

Possible Misuse

The following table contains possible examples of sdbinst.exe being misused. While sdbinst.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes: it registers an application compatibility ("shim") database (.sdb) on the system, and a shim can be used to load attacker-controlled DLLs into a targeted application or, when installed with -p, to apply in-memory patches. This is the technique MITRE ATT&CK tracks as T1546.011 (Event Triggered Execution: Application Shimming), and the Sigma rule below alerts on any process creation of sdbinst.exe for that reason.

Source: sigma
Source File: proc_creation_win_sdbinst_shim_persistence.yml
License: DRL 1.0
  • title: Possible Shim Database Persistence via sdbinst.exe
  • description: Detects installation of a new shim using sdbinst.exe. A shim can be used to load malicious DLLs into applications.
  • Image|endswith: '\sdbinst.exe'

Source: atomic-red-team
Source File: T1546.011.md
License: MIT License. © 2018 Red Canary
  • A list of all shims currently installed by the default Windows installer (sdbinst.exe) is kept in:
  • sdbinst.exe #{file_path}
  • sdbinst.exe -u #{file_path} >nul 2>&1
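As an added hunting example (not code from the original page, nor from the Sigma or Atomic Red Team projects), the following PowerShell inventories the shim databases sdbinst.exe has registered on a host and mirrors the Sigma selection above against Security event 4688. The AppCompatFlags\InstalledSDB and AppCompatFlags\Custom registry locations and the %SystemRoot%\AppPatch\Custom directories are the standard ones sdbinst.exe writes to; the "outside AppPatch" heuristic and the Uninstall/AllowsPatches flags derived from the usage text are this example's own assumptions. Run it elevated; the 4688 query only returns results if process-creation auditing (and command-line logging) is enabled.

```powershell
# Added example: enumerate shim databases installed via sdbinst.exe and
# surface sdbinst.exe process creations. Not part of the original page.

$installedKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB'
$customKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom'
$appPatch     = Join-Path $env:SystemRoot 'AppPatch'

function Get-InstalledShimDatabase {
    # One subkey per installed SDB, named by the database GUID (the same GUID
    # that "sdbinst.exe -u -g {guid}" accepts for uninstall).
    if (-not (Test-Path $installedKey)) { return }
    Get-ChildItem $installedKey | ForEach-Object {
        $p    = Get-ItemProperty $_.PSPath
        $path = [string]$p.DatabasePath
        $ts   = $null
        if ($p.DatabaseInstallTimeStamp) {
            # QWORD FILETIME written at install time
            $ts = [DateTime]::FromFileTime([int64]$p.DatabaseInstallTimeStamp)
        }
        $exists = ($path -ne '') -and (Test-Path -LiteralPath $path)
        $hash   = $null
        if ($exists) { $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash }
        [pscustomobject]@{
            Guid            = $_.PSChildName
            Description     = $p.DatabaseDescription
            Path            = $path
            Installed       = $ts
            FileExists      = $exists
            SHA256          = $hash
            # Heuristic (assumption): sdbinst.exe normally copies the .sdb into
            # %SystemRoot%\AppPatch\Custom or Custom\Custom64; anything elsewhere
            # (user profile, temp, network share) deserves a closer look.
            OutsideAppPatch = -not ($path -like "$appPatch\*")
        }
    }
}

function Get-ShimmedExecutable {
    # The Custom key maps a target executable name to the {GUID}.sdb value(s)
    # applied to it, i.e. which programs will actually load the shim.
    if (-not (Test-Path $customKey)) { return }
    Get-ChildItem $customKey | ForEach-Object {
        $target = $_.PSChildName
        (Get-ItemProperty $_.PSPath).PSObject.Properties |
            Where-Object { $_.Name -like '{*}.sdb' } |
            ForEach-Object { [pscustomobject]@{ Target = $target; Sdb = $_.Name } }
    }
}

function Get-SdbinstExecution {
    # Equivalent of the Sigma selection Image|endswith '\sdbinst.exe', evaluated
    # over Security 4688. Fields are read from the event XML rather than by
    # positional index so the code does not depend on property ordering.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d['NewProcessName'] -like '*\sdbinst.exe') {
                [pscustomobject]@{
                    Time          = $_.TimeCreated
                    Image         = $d['NewProcessName']
                    Parent        = $d['ParentProcessName']
                    CommandLine   = $d['CommandLine']
                    # Switches as documented in the usage text above
                    Uninstall     = [bool]($d['CommandLine'] -match '(^|\s)-u(\s|$)')
                    AllowsPatches = [bool]($d['CommandLine'] -match '(^|\s)-p(\s|$)')
                    Quiet         = [bool]($d['CommandLine'] -match '(^|\s)-q(\s|$)')
                }
            }
        }
}

$dbs = @(Get-InstalledShimDatabase)
$dbs | Format-Table Guid, Description, Installed, FileExists, OutsideAppPatch, Path -AutoSize
Get-ShimmedExecutable | Format-Table -AutoSize
Get-SdbinstExecution  | Format-Table Time, Parent, Uninstall, AllowsPatches, Quiet, CommandLine -AutoSize

# .sdb files dropped into the custom shim directories but NOT registered in
# InstalledSDB are also worth noting (staged for a later install, or leftovers).
$registered = @($dbs | ForEach-Object { $_.Path.ToLowerInvariant() })
Get-ChildItem -Path @((Join-Path $appPatch 'Custom'), (Join-Path $appPatch 'Custom\Custom64')) -Filter *.sdb -ErrorAction SilentlyContinue |
    Where-Object { $registered -notcontains $_.FullName.ToLowerInvariant() } |
    Select-Object FullName, LastWriteTime
```

Installs performed with -q leave no interactive prompt, and -p is the switch that permits SDBs carrying code patches, so an AllowsPatches hit from an unexpected parent process is the first row to triage; uninstalls (-u) shortly after an install can indicate an attacker cleaning up, which is exactly the install/uninstall pair the Atomic test exercises.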

MIT License. Copyright (c) 2020-2021 Strontic.