How can I verify that a Windows XP POS operating system executable is authentic?

11

I have a 3rd party firewall that alerted me that msiexec.exe was replaced by another version. The timing didn't correspond to an OS update, so I was worried a bad actor replaced the exe. How can I verify the signature of the exe?

EDIT: I found this link at Microsoft which shows this, and it matches on byte size and file date:

Versions and Sizes of files

I'd feel better if it had a hash too, but it looks like it's not nefarious.

As suggested in harrymc's answer, I ran sfc /scannow and it came out clean. Thanks!

Dale

Posted 2018-12-12T20:31:30.820

Reputation: 413

2Suspicious indeed, as XP is not in active support. You could maybe check the history in Windows Update and run sfc /scannow, if they exist in XP Embedded. Reboot the device before starting. – harrymc – 2018-12-12T20:43:15.913

1sfc /scannow is exactly what I needed! – Dale – 2018-12-12T20:48:35.877

1Since you like it, I added it as an answer. – harrymc – 2018-12-12T20:51:50.653

Answers

14

Windows XP Embedded POSReady is now on extended support until April 9, 2019. This means no new features and fewer bug fixes and patches. It is entirely possible that this update was legitimate, but is better checked. It is also possible that the firewall detected just now a change that happened some time in the past.

Possible checks:

  • Verify the history in Windows Update,
  • Run sfc /scannow to check system integrity.

Reboot the device before starting, just in case.

harrymc

Posted 2018-12-12T20:31:30.820

Reputation: 306 093

15XP POS (essentially XP embedded) is for one more year. – Joshua – 2018-12-12T22:31:07.960