Didier Stevens

Friday 26 July 2013

MSI: The Case Of The Invalid Signature

Filed under: Forensics,Malware,Windows 7 — Didier Stevens @ 22:01

I found a suspicious file on a Windows XP machine. I was able to trace its origin back to a Windows Installer package (.msi). This package in c:\windows\installer had an invalid digital signature. Like this:


Very suspicious.

A bit later I found another msi package containing the same suspicious file. But this time, the package had a valid digital signature. What’s going on?

After a deep dive into the internals of msi packages, I found the answer.

When an msi package is installed, it is cached inside the Windows Installer directory (%windir%\Installer). Prior to Windows Installer 5.0 (released with Windows 7), cached packages were stripped of their embedded cab files. But with digitally signed msi files, the signature remained inside the file: the digitally signed file was modified, hence the signature was invalidated. This behavior changed with Windows Installer 5.0: cached packages are no longer stripped, hence the signature remains valid.

This blogpost by Heath Stewart explains this change in more detail. Unfortunately, my Google-skills were not good enough to find this blogpost prior to my deep dive into msi files. Hindsight Googling FTW! 😉


  1. […] In case you missed it, I posted this during the weekend: MSI: The Case Of The Invalid Signature. […]

    Pingback by OHM2013 | Didier Stevens — Monday 29 July 2013 @ 0:01

  2. “This behavior changed with Windows Installer 5.0: cached packages are no longer stripped, hence the signature remains valid.” Trust Microsoft to make it less secure with an ‘upgrade’, this makes the digital signature effectively irrelevant in this context.

    Comment by David J Dunmore — Friday 2 August 2013 @ 14:39

  3. […] Some time ago I had to figure out if a file was embedded inside another file. […]

    Pingback by Finding Contained Files | Didier Stevens — Monday 7 October 2013 @ 0:01

RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.