Question MS system files report as unsigned

[simmerskool]

I saw that Windows Firewall Control blocked outgoing file \system32\MoUsoCoreWorker.exe hash= 1641BC777962A0522E6C75641DBD2A0E72D84DCC3FC734B609ED51D5D027E1F7
VT reports it clean, published by MS but not signed. MS Update Session Orchestrator. I vaguely understood that older MS files were signed a different way, but this is supposedly a relatively recent MS file, so I would expect analysis to see it as digitally signed with valid signature. I did an internet search but did not find anything helpful to explain this. Does anyone have an explanation for this, and perhaps a link to an source for more info.
thanks.

 

[Bot]

It's possible that the file might have been incorrectly flagged as unsigned due to a glitch or a bug in the system. You can try to verify the digital signature manually by right-clicking the file, selecting 'Properties', and then navigating to the 'Digital Signatures' tab. If the issue persists, consider updating your system or reinstalling the file. Here's a link to a Microsoft support thread discussing similar issues: Redirecting

 

[simmerskool]

It's possible that the file might have been incorrectly flagged as unsigned due to a glitch or a bug in the system. You can try to verify the digital signature manually by right-clicking the file, selecting 'Properties', and then navigating to the 'Digital Signatures' tab. If the issue persists, consider updating your system or reinstalling the file. Here's a link to a Microsoft support thread discussing similar issues: Redirecting

thanks but, yes I did look at "properties" and it lists publisher as MS but not with a digital signature. I will look at the "redirecting" link you sent.

 

[Bot]

thanks but, yes I did look at "properties" and it lists publisher as MS but not with a digital signature. I will look at the "redirecting" link you sent.

You're welcome! If the issue persists after checking the link, it might be worth reaching out to Microsoft Support directly. They should be able to provide more specific assistance.

 

[simmerskool]

You're welcome! If the issue persists after checking the link, it might be worth reaching out to Microsoft Support directly. They should be able to provide more specific assistance.

the link you redirected me to is a MS link about SFC scans. this system has a no integrity violations.

 

[lokamoka820]

I noticed that too, and not only MoUsoCoreWorker.exe file but there are more files including smart screen too.

 

[Bot]

the link you redirected me to is a MS link about SFC scans. this system has a no integrity violations.

My apologies for the confusion. In this case, reaching out to Microsoft Support directly might be the best course of action. They can provide more specific guidance on your issue.

 

[simmerskool]

I noticed that too, and not only MoUsoCoreWorker.exe file but there are more files including smart screen too.

yes, I would just like to understand what is going on with this. maybe @Trident knows??

 

[TairikuOkami]

Well, 11 has 2 versions of this file, not in System32 though. One is bigger, maybe because of the included certificate, the smaller one is not signed, probably for compatibility purposes?

 

[lokamoka820]

yes, I would just like to understand what is going on with this. maybe @Trident knows??

I guess you are using WFC in "Learning Mode", this mode will block connections generated by not digitally signed program or the signature is not valid, that why it is blocked MoUsoCoreWorker.exe, but why it is not signed, it is Microsoft related question which I don't have answer.

 

[simmerskool]

I guess you are using WFC in "Learning Mode", this mode will block connections generated by not digitally signed program or the signature is not valid, that why it is blocked MoUsoCoreWorker.exe, but why it is not signed, it is Microsoft related question which I don't have answer.

WFC was in Medium filtering (recommended). running win10_VM. WFC blocked it (unsigned?) and then I allowed it, but then after the fact wanted to see what it was... originally I thought it was mouse... not mouso

 

[lokamoka820]

WFC was in Medium filtering (recommended). running win10_VM. WFC blocked it (unsigned?) and then I allowed it, but then after the fact wanted to see what it was... originally I thought it was mouse... not mouso

I think what WFC missing is to add rules to allow all Windows system services to be able to connect to internet, whatever it is signed or not. It will be perfect then.

 

[simmerskool]

I think what WFC missing is to add rules to allow all Windows system services to be able to connect to internet, whatever it is signed or not. It will be perfect then.

I think WFC includes / included all the default rules. I don't mind that WFC blocked mousocoreworker.exe if / since it is unsigned MS file. WFC blocked it with a popup asking whether to allow > block > or block this time.

 

[TairikuOkami]

You can always restrict the process by IP ranges via port 443, it should connect to MS domains only.

4.224.0.0-4.239.255.255,13.64.0.0-13.107.255.255,20.33.0.0-20.128.255.255,40.74.0.0-40.125.127.255,40.126.128.0-40.127.255.255,51.10.0.0-51.13.255.255,51.103.0.0-51.105.255.255,51.124.0.0-51.124.255.255,52.96.0.0-52.115.255.255,52.145.0.0-52.191.255.255

 

[silversurfer]

I saw that Windows Firewall Control blocked outgoing file \system32\MoUsoCoreWorker.exe hash= 1641BC777962A0522E6C75641DBD2A0E72D84DCC3FC734B609ED51D5D027E1F7
VT reports it clean, published by MS but not signed. MS Update Session Orchestrator. I vaguely understood that older MS files were signed a different way, but this is supposedly a relatively recent MS file, so I would expect analysis to see it as digitally signed with valid signature. I did an internet search but did not find anything helpful to explain this. Does anyone have an explanation for this, and perhaps a link to an source for more info.
thanks.

@simmerskool did you check for Digital Signature of "MoUsoCoreWorker.exe" via Windows Explorer? take a look to screenshots below:

The file "MoUsoCoreWorker.exe" here seems digitally signed by MS => VirusTotal

 

[Andy Ful]

@simmerskool,

On older Windows builds that file is signed by Microsoft in the catalog (many system files are signed in this way). You can use the Microsoft signtool to verify the signature.

SignTool - Win32 apps

Learn how to use SignTool, a command-line tool that digitally signs files, verifies the signatures in files, and time stamps files.

learn.microsoft.com

Here is the screenshot from Windows 10 22H2.

When the file is signed in the catalog, the certificate is not embedded in the executable, so it is not recognized as signed, by Explorer or Virus Total.
On Windows 11 23H2 the file is in another location ( c:\Windows\UUS\amd64\ ) and has an embedded certificate. It can be checked in Explorer (file Properties)

 

[lokamoka820]

I have too many MoUsoCoreWorker.exe processes some are signed and some are not, is this normal?

 

[silversurfer]

I have too many MoUsoCoreWorker.exe processes some are signed and some are not, is this normal?

View attachment 285470

Yes when all are in the known folders/file locations, looks like the case in your screenshot compared to my system W11

 

[simmerskool]

@simmerskool did you check for Digital Signature of "MoUsoCoreWorker.exe" via Windows Explorer? take a look to screenshots below:

The file "MoUsoCoreWorker.exe" here seems digitally signed by MS => VirusTotal

View attachment 285463View attachment 285464

@silversurfer thanks for sending this... BUT when I open explorer | Properties for mousocoreworker there is no tab "digital signature" for this file!
VT says it is NOT signed; however sigcheck (sysinternals) does not list as unsigned, ergo signed. Also sfc /scannow of this VM does not find any integrity violations. I feel like Robby the Robot "shoot the commander" (or to be or not to be)... I again uploaded the file to VT which reports that it is NOT signed. so if anything, NOW should I be MORE concerned...

 

[simmerskool]

@simmerskool,

On older Windows builds that file is signed by Microsoft in the catalog (many system files are signed in this way). You can use the Microsoft signtool to verify the signature.

SignTool - Win32 apps

Learn how to use SignTool, a command-line tool that digitally signs files, verifies the signatures in files, and time stamps files.

learn.microsoft.com

Here is the screenshot from Windows 10 22H2.

View attachment 285465

When the file is signed in the catalog, the certificate is not embedded in the executable, so it is not recognized as signed, by Explorer or Virus Total.
On Windows 11 23H2 the file is in another location ( c:\Windows\UUS\amd64\ ) and has an embedded certificate. It can be checked in Explorer (file Properties)

View attachment 285466

thanks, so far I have run sigverif and sigcheck (sysinternals) on win10_vm Properties for this file does NOT have a "Digitial Signature" tab. Thanks for this info! I'll run signtool as you suggest!
EDIT: fyi signtool seems not be be installed, and looks like I'd need to install a Developer toolkit or something like that to the extent I follow that page, it seems to assume the reader is past that point in the discussion. But thanks, you confirmed what I vaguely understood...