sdbinst.exe

  • File Path: C:\Windows\SysWOW64\sdbinst.exe
  • Description: Application Compatibility Database Installer

Hashes

Type Hash
MD5 E594E2B361FC6EB218344500AFB7EBB6
SHA1 FD68D800C401EE6F6C0E22C2A74D2D2C1B1A6173
SHA256 BB28E2D992B439A01FC6385BE08C78254A304DD867C2C725A5EAC39F67B0C44B
SHA384 4B1ADDEE35F1C98A5EB028201769E7D3430E5D5BFF9D5D2A001D7CEFBEDF55D337BF9E271CCE61103B7C1DAD21AF3EC8
SHA512 6D2A70A36272B9FCCB5D84B204C6B5D2BF1C187FDA605AEAFEABCB2F6B559541C5F2A13433F7AB5ED652BEC414153FEF4F450BDDAAFCD5B6C60025B03CFD5970
SSDEEP 384:VOhy/EcSJPJ4UdeW9A9y6KHSJ/fFpx1RuOQ1s4WPDEiEWYgW:VOOeDcW9oKHSl51YE4WPDEiG
IMP DC04DAC563E65A0D0DAE0ACCC2AC61E2
PESHA1 6DA3324C9F83ECD4BD7B7B74C85022297BC5AD17
PE256 F7C4887DC97ED08ABDCBE9D324F5685699477FCDA47D2B73BA541081F4C60864

Runtime Data

Usage (stdout):

Error: Invalid switch --help.
Usage: C:\Windows\SysWOW64\sdbinst.exe [-?] [-q] [-u] [-g] [-p] [-n[:WIN32|WIN64]] myfile.sdb | {guid} | "name"

    -? - print this help text.
    -p - Allow SDBs containing patches.
    -q - Quiet mode: prompts are auto-accepted.
    -u - Uninstall.
    -g {guid} - GUID of file (uninstall only).
    -n "name" - Internal name of file (uninstall only).

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\sdbinst.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002EC6579AD1E670890130000000002EC
  • Thumbprint: F7C2F2C96A328C13CDA8CDB57B715BDEA2CBD1D9
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: sdbinst.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1320 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1320
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: Unknown

File Similarity (ssdeep match)

File Score
C:\Windows\SysWOW64\sdbinst.exe 86
C:\Windows\SysWOW64\sdbinst.exe 86

Possible Misuse

The following table contains possible examples of sdbinst.exe being misused. While sdbinst.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_sdbinst_shim_persistence.yml title: Possible Shim Database Persistence via sdbinst.exe DRL 1.0
sigma proc_creation_win_sdbinst_shim_persistence.yml description: Detects installation of a new shim using sdbinst.exe. A shim can be used to load malicious DLLs into applications. DRL 1.0
sigma proc_creation_win_sdbinst_shim_persistence.yml Image\|endswith: '\sdbinst.exe' DRL 1.0
atomic-red-team T1546.011.md A list of all shims currently installed by the default Windows installer (sdbinst.exe) is kept in: MIT License. © 2018 Red Canary
atomic-red-team T1546.011.md sdbinst.exe #{file_path} MIT License. © 2018 Red Canary
atomic-red-team T1546.011.md sdbinst.exe -u #{file_path} >nul 2>&1 MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.