SHA256 of file on the client is different from the value returned on the BigFix console

vhenry 2021-05-17 19:59:28 UTC #1

Hello,

I ran the windows command “CertUtil -hashfile” on a BigFix client for the powershell.exe file which returned a value different from the value that BigFix console returned when I queried for the property "sha2_256 of ". I gave the exact folder path so I don’t understand why we are seeing different 64-character sha256 values.
Could someone throw some light on this?

Thank you,
Jennifer

trn 2021-05-17 20:09:44 UTC #2

Is this on a 64 bit box? If so, there are two files called “powershell.exe” and you need to tell it to look at the 64 bit path (by default, it will find the 32 bit version)

vhenry 2021-05-17 20:25:26 UTC #3

Yes, it is on a 64 bit box. But there is only powershell.exe that I see in that path…

JasonWalker 2021-05-17 20:40:33 UTC #4

Please list the exact query you ran.

A common confusion for instance is

Q: sha1 of "c:\windows\system32\powershell.exe"

Versus

Q: sha1 of file "c:\windows\system32\powershell.exe"

The first returns the sha1 of the string starting with “c:”, not the file content

vhenry 2021-05-17 21:54:40 UTC #5

This is the query used-
sha2_256 of file “C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe”

A: 8133502266008b77de7921451e1210b0ef3f0ed2db7d8d3ee0c3350d856fa6fa

Command used on the client directly-
C:\Windows\System32\WindowsPowerShell\v1.0>CertUtil -hashfile powershell.exe SHA256

A: ba4038fd20e474c047be8aad5bfacdb1bfc1ddbe12f803f473b7918d8d819436

JasonWalker 2021-05-17 22:38:57 UTC #6

Try

sha256 of file “WindowsPowerShell\v1.0\powershell.exe" of native system folder

By default the client would have retrieved the 32-bit version of PowerShell.exe (from \windows\syswow64, as it is transparently redirected to the 32-bit folder)

vhenry 2021-05-18 17:51:20 UTC #7

Thank you, Jason! That worked…

JasonWalker 2021-05-18 18:37:28 UTC #8

In case it helps, there are several different ways to reach this file. Note that the real “c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe” file has a size of 446976, while the 32-bit redirected version that is actually at “c:\windows\syswow64\WindowsPowerShell\v1.0\powershell.exe” has a size of 431616. Sometimes when we are taking a pathname from somewhere else (a registry value, shortcut target, file entry, etc.) it’s not so easy to reformat as file "partial\path\something.exe" of native system folder ; instead it may be useful to reference x64 file "c:\full\path\to\something.exe" or native file "c:\full\path\to\something.exe"

q: (pathname of it, size of it) of file "c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe"
A: c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe, 431616

q: (pathname of it, size of it) of file "WindowsPowerShell\v1.0\powershell.exe" of system folder
A: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe, 431616

q: (pathname of it, size of it) of file "WindowsPowerShell\v1.0\powershell.exe" of system x32 folder
A: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe, 431616

q: (pathname of it, size of it) of file "WindowsPowerShell\v1.0\powershell.exe" of native system folder
A: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe, 446976

q: (pathname of it, size of it) of file "WindowsPowerShell\v1.0\powershell.exe" of system x64 folder
A: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe, 446976

q: (pathname of it, size of it) of file "c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe"
A: c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe, 431616

q: (pathname of it, size of it) of x32 file  "c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe"
A: c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe, 431616

q: (pathname of it, size of it) of native file "c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe"
A: c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe, 446976

q: (pathname of it, size of it) of x64 file "c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe"
A: c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe, 446976

Filename in System32