What hash type is used by DISM / SFC?

0

What hash type is represented below?

Example 1: 0h+p0j3/Y9s1ly0mqtU741bzLjqz12mDQGKtVScMeKg=

Example 2: uNryI5MYSV5U5O1NuFPGYexSxm2nLFrRXVqga+nQjw4=

These hashes came from the CBS.log file after running Windows' DISM utility. Here's the full line:

2017-03-11 20:46:08, Info                  CSI    00000005 Hashes for file member \SystemRoot\WinSxS\amd64_microsoft-windows-c...appxmain.resources_31bf3856ad364e35_10.0.14393.206_sr-..-cs_8caf1c5c152c5f9f\resources.sr-Latn-CS.pri do not match actual file [l:24]'resources.sr-Latn-CS.pri' :
  Found: {l:32 0h+p0j3/Y9s1ly0mqtU741bzLjqz12mDQGKtVScMeKg=} Expected: {l:32 uNryI5MYSV5U5O1NuFPGYexSxm2nLFrRXVqga+nQjw4=}

It resembles Base64 but that can't be it, because the hash is always the same length with different size files. I also thought maybe it's not the hash itself, but the Base64 of something like MD5 or SHA, but Base64-decoding this string also doesn't help.

Thank you.

Telmo Marques

Posted 2017-03-11T21:18:57.793

Reputation: 103

Base64 is just a way of representing arbitrary binary as text, in a form more compact than spelling out bytes as hex. You can't "decode" it into anything recognisable because there's no "string" to decode to; you just get the raw data of the hash back. If you Base64-decode it into raw data and then encode the data as hex chars, you'll get the 'typical' representation of a hash that you might be familiar with. – Bob – 2017-03-12T10:27:20.353

Answers

2

Windows uses SHA256 for hashing files in WinSxS:

<dsig:DigestMethod xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2000/09/xmldsig#sha256" />

Here is the content for the FlashUtil_ActiveX.dll:

<file name="FlashUtil_ActiveX.dll" destinationPath="$(runtime.system32)\Macromed\Flash\" sourceName="FlashUtil_ActiveX.dll" sourcePath=".\" importPath="$(build.nttree)\adobe\flash\">
    <securityDescriptor name="WRP_FILE_DEFAULT_SDDL" />
    <asmv2:hash xmlns:asmv2="urn:schemas-microsoft-com:asm.v2">
      <dsig:Transforms xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
        <dsig:Transform Algorithm="urn:schemas-microsoft-com:HashTransforms.Identity" />
      </dsig:Transforms>
      <dsig:DigestMethod xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2000/09/xmldsig#sha256" />
      <dsig:DigestValue xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">22R1ba1WE7oyGXwA0vGwywUOw/Hw/27MqRmwHJpL04g=</dsig:DigestValue>
    </asmv2:hash>
  </file>

Under dsig:DigestValue you see the expected hash. If Windows scans the files, it creates the hash for the actual file and compares it to this hash in the manifest files in WinSxS.

magicandre1981

Posted 2017-03-11T21:18:57.793

Reputation: 86 560
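
The comparison described in the answer, as an added example that is not part of the original posts or of any Microsoft tooling: it decodes the Found/Expected pair from the question's CBS.log line into the familiar hex form and checks a file stream against a Base64 dsig:DigestValue. The function names are hypothetical, and reading the `l:32` prefix as the digest length in bytes is an assumption.

```python
import base64
import hashlib
import re

# Found/Expected pair copied from the CBS.log line in the question
# (the WinSxS path is replaced by a placeholder).
CBS_LINE = (
    "Hashes for file member <path> do not match actual file "
    "[l:24]'resources.sr-Latn-CS.pri' :\n"
    "  Found: {l:32 0h+p0j3/Y9s1ly0mqtU741bzLjqz12mDQGKtVScMeKg=} "
    "Expected: {l:32 uNryI5MYSV5U5O1NuFPGYexSxm2nLFrRXVqga+nQjw4=}"
)

PAIR_RE = re.compile(
    r"Found: \{l:(\d+) ([A-Za-z0-9+/=]+)\}\s+Expected: \{l:(\d+) ([A-Za-z0-9+/=]+)\}"
)

def decode_digest(b64_text, declared_len=32):
    """Base64 -> raw digest bytes; reject anything that is not declared_len bytes."""
    raw = base64.b64decode(b64_text, validate=True)
    if len(raw) != declared_len:
        raise ValueError(f"digest is {len(raw)} bytes, expected {declared_len}")
    return raw

def parse_cbs_mismatch(text):
    """Return (found_hex, expected_hex) from a CBS.log hash-mismatch entry, or None."""
    m = PAIR_RE.search(text)
    if m is None:
        return None
    # Assumption: the l:N prefix is the digest length in bytes.
    found = decode_digest(m.group(2), int(m.group(1)))
    expected = decode_digest(m.group(4), int(m.group(3)))
    return found.hex(), expected.hex()

def sha256_b64(stream, chunk_size=1 << 20):
    """Hash a binary stream and return the digest in the manifest's Base64 form."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return base64.b64encode(h.digest()).decode("ascii")

def matches_manifest(stream, digest_value_b64):
    """True if the stream's SHA-256 equals a dsig:DigestValue string."""
    return decode_digest(sha256_b64(stream)) == decode_digest(digest_value_b64)

if __name__ == "__main__":
    print(parse_cbs_mismatch(CBS_LINE))
```

Pass `open(path, "rb")` as the stream to check a file on disk against the DigestValue from its manifest.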