Use Microsoft's Sigcheck 2.0 to check all files in a folder on Virustotal

Martin Brinkmann
Oct 28, 2013
Updated • Oct 28, 2013
Antivirus, Tutorials

Microsoft has released Sigcheck 2.0 a couple of days ago. The excellent program enables you to verify information about files -- including digital certificates, version numbers and timestamp information - by pointing it to a folder that you want checked.

While that makes it an excellent tool for experienced Windows users and admins, its reliance on the command prompt is probably the main reason why it is not used by more users of the system.

Integration of the popular Virustotal API in Sigcheck could change that dramatically on the other hand. While you still need to run the program from the Windows command prompt, you can now send all files of a folder to Virustotal to return a list of files that at least one of the antivirus engines detected as malicious.

Using Sigcheck and Virustotal

Sigcheck 2.0 ships with three parameters that control Virustotal usage, they are:

  • -u Shows files that are unknown by Virustotal or have non-zero detection.
  • -v [rn] Queries the Virustotal service by using file hashes. The "r" option adds reports for files with non-zero detection, the "n" option prevents the uploading of files that are unknown to Virustotal.
  • -vt This accepts the terms of service of Virustotal.

Here are a couple of examples of how you can use the new Virustotal integration of Sigcheck:

sigcheck -vrn -vt c:\windows\system32\

This  scans the c:\windows\system32\ folder and checks the hash of the files against Virustotal's database. Unknown files are not uploaded to Virustotal.

sigcheck -u -vt c:\windows\system32\

This command limits the output to files that are unknown to Virustotal, and files that at least one engine reports as malware.

Tip: If you scan a folder with lots of files, or use the -s parameter to include subdirectories in the scan, you may want to redirect the report to a text file by appenending > c:\users\username\downloads\output.txt to the command.

sigcheck -u -v -vt -s c:\temp\ > c:\users\martin\downloads\output.txt

The command will  check file hashes on Virustotal and upload any file where no hash is found. It will then add all files with at least one malware hit or that are unknown by Virustotal to the output.txt file. The -s command will include files in subdirectories in the scan.

You can check out all available parameters by following the link to the Microsoft Sysinternals website. There you can also download the application to your system.

As far as system requirements go, it requires at least Windows XP on the client side and Windows Server 2003 on the server side.

Closing Words

The integration of Virustotal scan options improves the scenarios where you can make use of the software. While it is still great for its original functionality, it can now also be used to scan files found in a folder quickly using the remote virus scanning service.

Now Read: Keep your Sysinternal programs up to date


Previous Post: «
Next Post: «


  1. AJ North said on November 14, 2016 at 11:37 am

    Sigcheck version 2.54 was released on 2016.08.29.

    There is also a free third-party GUI (Graphical User Interface) for Sigcheck, SigcheckGUI – .

    1. Scott R said on December 5, 2018 at 12:29 am

      By the way noted v2.20 is the last one supported for Win XP. For V2.54 Vista or higher needed.

  2. Shala Tucker said on July 21, 2016 at 7:25 pm

    This is not a reply but a question. Almost every time I am on my computer it stops responding for approx. 45 seconds and the search circle sits and spins. The cursor will not move during this 45 seconds. Then the screen goes blank and shortly thereafter the screen goes back to the original page. Can you give any insight into what might be causing this?

    Thanks, Shala Tucker

    P.S. I have windows pro in a refurbished Optiplex 780. Dell.

  3. dragonduder said on November 1, 2013 at 6:16 pm

    Very cool, this is why I love this blog. Anyone have any good batch file ideas that this could apply to? Like maybe scan my downloads folder every now and then? I’d like to find a way to use this in conjunction with the process talked about in this makeuseof article

  4. hessam said on October 28, 2013 at 4:51 pm
  5. imu said on October 28, 2013 at 3:37 pm

    BTW. would you run this tool on your computer ?
    Scan it with VT first of course :)

    1. Rick said on October 28, 2013 at 7:22 pm

      It’s likely a false-positive given what the app is doing. Anytime an app is going into the registry or security catalogs, you will get a number of hits from the AVs.

      If you are just looking to see LSA information, you can use the nirsoft tool And why one needs only the hash info on logon security info has always confused me.

    2. Martin Brinkmann said on October 28, 2013 at 3:43 pm

      I think I would not, even if it is likely a false positive.

  6. imu said on October 28, 2013 at 2:59 pm

    Great tool but…they really need to re-think the way files are checked, maybe by excluding those “looking for attention” antivirus engines and relay only on mainstream ones cos when I firs ran it I got like million false positives :(
    So for now I’d say it’s better to run Sigcheck without Virustotal and use this feature only if the first scan finds something worth attention.
    Martin,did you notice this too?

    1. Martin Brinkmann said on October 28, 2013 at 3:09 pm

      Nowadays, I almost expect to see one or two false positives when I scan a file on Virustotal.

      1. imu said on October 28, 2013 at 3:25 pm

        Sure but when you run it without opening the output in the browser then you see just the numbers so you can’t tell if they are false or not and so for me this is a huge downside of this new feature.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.