sdbinst.exe

  • File Path: C:\Windows\SysWOW64\sdbinst.exe
  • Description: Application Compatibility Database Installer

Hashes

  • MD5: CE442D417F2D99A7EAA648F4FC34FCF9
  • SHA1: 11077349A52B357444E343F78B4D24DB40C20780
  • SHA256: 3586B73FC4C1260A17BA9C67F2B270179A8CA7F5C820C412758C66B13AEEEF9F
  • SHA384: 2C29C7EDD182F505B4404A5260C2C54590A0D20A121E301FDD94D8BDF36FA18F7EDE43CDFD9AEF160D373EB8C00FFE8E
  • SHA512: E481298ADAB5C86CB83B26F2C7CDA3D8DE4C0620F5F7029C04B7296743A5770370DA0B9207238C22E00508695D7AB2374D687B1588110A4C7D3E51103C161842
  • SSDEEP: 384:g8ZhA/EIJd9/e4b6nErpVB7Xz5ESlIMTL5X/qQj3MZhNChDcSyR7WDgWG4O:gSoZbmEB7Xz5hIY1qQTMTNGDcSe08N

Runtime Data

Usage (stdout):

Error: Invalid switch -help.
Usage: C:\Windows\SysWOW64\sdbinst.exe [-?] [-q] [-u] [-g] [-p] [-n[:WIN32|WIN64]] myfile.sdb | {guid} | "name"

    -? - print this help text.
    -p - Allow SDBs containing patches.
    -q - Quiet mode: prompts are auto-accepted.
    -u - Uninstall.
    -g {guid} - GUID of file (uninstall only).
    -n "name" - Internal name of file (uninstall only).

Signature

  • Status: Signature verified.
  • Serial: 33000000BCE120FDD27CC8EE930000000000BC
  • Thumbprint: E85459B23C232DB3CB94C7A56D47678F58E8E51E
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: sdbinst.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.14393.0 (rs1_release.160715-1616)
  • Product Version: 10.0.14393.0
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of sdbinst.exe being misused. While sdbinst.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source: sigma
Source File: proc_creation_win_sdbinst_shim_persistence.yml
License: DRL 1.0
Examples:

  • title: Possible Shim Database Persistence via sdbinst.exe
  • description: Detects installation of a new shim using sdbinst.exe. A shim can be used to load malicious DLLs into applications.
  • Image|endswith: '\sdbinst.exe'

Source: atomic-red-team
Source File: T1546.011.md
License: MIT License. © 2018 Red Canary
Examples:

  • A list of all shims currently installed by the default Windows installer (sdbinst.exe) is kept in:
  • sdbinst.exe #{file_path}
  • sdbinst.exe -u #{file_path} >nul 2>&1

MIT License. Copyright (c) 2020-2021 Strontic.