The other day I got bored and decided to do a little PowerShell one-liner on my Windows 10 gaming rig. I wanted to see if I have any DLL’s that are unsigned or invalid in my C:\Windows directories. I was surprised to find I did in fact have two odd DLL’s.
In PowerShell you can run the following command as administrator. You will get a graphical GridView to look at the list of unsigned dll’s.
Get-ChildItem c:\Windows\*.dll | Get-AuthenticodeSignature | where Status -notlike “Valid” | Select Status,Path| Out-GridView
You can add -r to Get-ChildItem for recursive search. You will get a lot of records if you do this.

These are older dll’s

I went ahead and generated a SHA256 hash to search Virus Total.

VirusTotal didn’t have the Hash so I uploaded the file.
Virus total had some hits

The Hybrid-Analysis report didn’t care for the PE_File.DLL as well but it’s probably a false positive.
The first thing to keep in mind is this doesn’t mean any of these are bad. But I did take the step of removing some of the old Asus utilities that are no longer updated. You will just have to look a little closer on your own.
In my case I saw two DLL’s associated with an older Asus Live update program (I use an Asus motherboard). The DLL’s predate the latest 2019 malware reported by Kaspersky. Anyone have thoughts on this?
The reason I wrote this little blurb is to show how easy it is to work with PowerShell. I should explore more of the features so I can show you the reader some more fun PowerShell features!
2 comments on “Lets use PowerShell to review DLL’s without certs”