Is my Windows 10 OS the real deal?

Discussion in 'Windows 10' started by Eximo, Sep 11, 2016.

  1. Eximo

    Eximo MDL Novice

    Sep 11, 2016
    6
    1
    0
    I'm wondering if there is a way to check the hashes on an ISO that I don't have anymore. I'm using it right now as my OS.

    I want to compare it with the ISOs suggested on this forum. I downloaded mine from TPB last year and since the anniversary update, I've been noticing many 'events' in the event viewer. (I'm thinking this could just be because I need a KMS update or something, though)

    If I can't get hashes, is there another way to check if this is a recommended ISO copy?

    While reading some posts here, I've seen it thrown out there that people shouldn't download these OS ISOs from TPB. I understand this now, but unfortunately, I didn't before I installed the OS. So I figured I'd ask and see if I could put my mind at ease.

    Thanks, folks.
     
  2. ofernandofilo

    ofernandofilo MDL Member

    Sep 26, 2015
    211
    128
    10
    #3 ofernandofilo, Sep 11, 2016
    Last edited: Sep 11, 2016
    Your question in the background is very interesting.

    I'll start by saying that I do not know the answer. But this does not prevent me from planning one.

    First what is an installation of an OS?

    (a) A set of official files, (b) a set of configurations of these official files, (c) a set of unofficial files, mainly drivers and third-party programs, (d) a set of settings for unofficial files (e) and the set of user files. Finally, there should not exist (f) a set of harmful files installed on the system.

    You can list the hashes of all the original system files (a). Someone could do it for you, if it doesn't already exist. It's pretty labor intensive and I don't know anyone who has ever done it.

    The settings' hash (b) is already something more complicated, because we're dealing with customized settings. A silly example would be: I use a different wallpaper from you, and so our settings are different, but this is not a sign that my system or yours is false.

    Very similar explanations could be given for cases (c) and (d), despite their being even more personalized, and therefore more difficult to recognize as "original" or not.

    So you should ignore your personal files, and I suppose you know them all by name, including the files that perhaps are temporary, related to navigation, installations, etc.

    Finally, you should believe in a set of security tools that would scan all your files looking for known threats. As any security tool is fallible, the chance of getting false positives or false negatives is very high.

    Your question is rather interesting, but the solutions to it seem all extremely laborious.

    I know I did not answer you, but I just wanted to show you one way.

    TL;DR: Rely on your security tools or do a full re-installation of the system using original installers.


    cheers
     
  3. EFA11

    EFA11 Avatar Guru

    Oct 7, 2010
    8,730
    6,671
    270
    The only way to know if your ISO was untouched and genuine is to have the file with you and generate the SHA1 or higher hash of it and compare the SHA1 to MSDN.

    Where or who you get the ISO from does not matter so long as that SHA1 matches MSDN. The naming of the file doesn't matter either. It can be windows 10 red headed step child #6.RARF and you can still check its hash and see if it's genuine. I would suggest at least renaming that file windows10.ISO just so it's usable from an *.ISO extension standpoint :)

    As far as telling if the system is genuine: if you are unsure if it's been tampered with, simply get rid of the install and start over. The process is simple once installed, simply go to settings->update and recovery and do a clean install from there. If it cannot complete the refresh (without saving apps and personal files) there is a good chance something has been changed.

    Personally, I will leave it at just reinstall from a known genuine ISO and put any and all worries aside.
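
Added example, not part of the thread or any poster's code: the check described in the post above, hashing an image in one streaming pass and matching its SHA-1 against a published listing regardless of the file's name. The function names, the listing format and the sample bytes are assumptions made for illustration; the "published" hash is derived from the constructed sample, not a real MSDN value.

```python
import hashlib
import hmac
import os
import tempfile

def file_digests(path, algorithms=("sha1", "sha256"), chunk_size=1024 * 1024):
    """Stream the file once and return {algorithm: hex digest}.
    An ISO is several GB, so it is never read into memory whole."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def normalize(published):
    """Published hashes may be upper-case, spaced, or carry stray whitespace."""
    return "".join(published.split()).lower()

def identify_image(path, published):
    """Return the release name whose SHA-1 matches the file, else None.
    `published` maps release name -> SHA-1 string copied from a listing."""
    actual = file_digests(path)["sha1"]
    for release, sha1 in published.items():
        if hmac.compare_digest(actual, normalize(sha1)):
            return release
    return None

def demo():
    # Constructed stand-ins for an ISO; real use passes the downloaded file's path.
    workdir = tempfile.mkdtemp()
    genuine = os.path.join(workdir, "red headed step child #6.RARF")
    tampered = os.path.join(workdir, "windows10.ISO")
    payload = b"constructed sample image contents\n" * 1000
    with open(genuine, "wb") as fh:
        fh.write(payload)
    with open(tampered, "wb") as fh:
        fh.write(payload[:-1] + b"X")  # one changed byte
    # Constructed listing: computed from the sample bytes above.
    listing = {"sample-release": hashlib.sha1(payload).hexdigest().upper()}
    return identify_image(genuine, listing), identify_image(tampered, listing)

if __name__ == "__main__":
    print(demo())
```

The oddly named file matches and the correctly named file with one altered byte does not, which is why the name and the download source say nothing about integrity while the hash does.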
     
  4. Eximo

    Eximo MDL Novice

    Sep 11, 2016
    6
    1
    0
    #5 Eximo, Sep 11, 2016
    Last edited: Sep 11, 2016
    (OP)
    I appreciate the help, guys.

    Excellent source for getting the hashes, thank you. I am having an issue identifying my release, though. It's a multiple edition copy but the only one that has that feature and is updated in August is the IoT one but that's not the right one. I must be missing something. I'm running: Win 10 Pro, x64, 1607, build 14393.

    I can't find my system hash to match one too anyway, though, and after reading ofernandofilo's post, it sounds like figuring that out might be more trouble than it's worth.

    #3 ofernandofilo, you actually answered quite a few questions I had regarding checking hashes, thank you. I was wondering if I'd be able to tell if an ISO has been manipulated with security tools. No doubt the only way I could ever be 100% sure is by reinstalling.

    #4 EFA11, Unfortunately, I don't have the ISO I installed from anymore to check the SHA1 that way. I was hoping reinstalling wasn't my only option but that may be the route I have to go. Definitely would be a bummer, though.

    I'm probably just being paranoid about it and if I can fix my issues another way, I will likely do that instead. But I wouldn't want some hacker to have access to my OS either.

    Maybe I should ask; if I were to assume the worst and for the sake of conversation just say I installed the OS from a compromised ISO, what kind of terrible things could befall me? The problems I'm having are likely unrelated to the original ISO but they are as follows:


    • Since the Anniversary Update, I get event ID 1017: Security-SPP 0xC004E016, which I assume to be activation related even though I've deactivated via cmd line and updated and reran KMSpico and MTK. That particular event happens about 6 times every time I boot and every night at 11:59pm.

      I also get event ID 10016: DistributedCOM. I'm pretty sure I know how to fix it but didn't want to because from what I read, it connects me to Microsoft in unclear ways. I could be mistaken but from what I understand, it's not an important event to worry about and probably wasn't causing my crashes. (I think I fixed the crashes by reactivating and updating KMSpico, though.)

      Finally, I get a warning event ID 414 about tasks misconfiguration relating to VisualStudio, even though I uninstalled it. But I'm not real worried about that one.

    Also, in the future, can I use ISOs and bootable USB tools straight from the Microsoft website? Seems to me that would be no different than getting a safe ISO from a forum such as this. I assume KMSpico would work just fine with it but I don't really know much about it.

    Thanks for your time, everyone.
     
  5. EFA11

    EFA11 Avatar Guru

    Oct 7, 2010
    8,730
    6,671
    270
    Many things could happen with a compromised ISO. Firstly, your OS is compromised before it is even installed.
    You could be attacking websites as part of a botnet, you could literally be attacking any website or other target like oh FBI.Gov (that's happened a few times lol).
    Anything you do, financial, private or otherwise could also be compromised. e.g. You have children, you have pictures of your children at a family reunion. Some bugger is out there selling pictures to porn sites. Sick people do very sick things, profit is profit to many.

    Maybe these are extreme, but they are real world possibilities of a compromised system in today's world.

    As far as the errors go, it is possible someone tried to hack the security for activation. You could try running sfc /scannow in an elevated(admin) cmd prompt, and see if it can make 100% and correct the errors.

    I still support the idea of doing a clean install of the OS with a clean ISO. If you need a specific ISO and have trouble locating it here at MDL, post the MSDN file name and hash, and we will make sure you get it.
     
  6. lobo11

    lobo11 TOMAHAWK CHOP

    Feb 16, 2012
    6,539
    4,989
    210
    #7 lobo11, Sep 11, 2016
    Last edited: Sep 11, 2016
  7. pf100

    pf100 MDL Expert

    Oct 22, 2010
    1,086
    1,463
    60
    No, there isn't.
     
  8. Eximo

    Eximo MDL Novice

    Sep 11, 2016
    6
    1
    0
    Scary stuff #6 EFA11. Let's hope they haven't been using me to hack into CIA HQ. I've had this installed for about a year now and no suits knocking on my door yet. Fingers crossed! =)

    Appreciate the link to the pure ISOs #7 lobo11. My understanding is that MSDN is for developers. Does it have anything particularly special or just comes with VisualStudio and other tools?

    I did scan the ISO and there wasn't anything but I assumed that doesn't mean it hasn't been tampered with. Checking out hitman now, thanks, #8 Katzenfreund.

    I was worried you might say that, #9 pf100.

    Thanks so much for all the feedback and help, folks. I'm gonna go ahead and open another thread regarding my warnings and events in event viewer and see if I can find some help to repair them.
     
  9. Eximo

    Eximo MDL Novice

    Sep 11, 2016
    6
    1
    0
    I just wanted to quickly address the fix I found for the 1017 security-SPP activation errors I was getting that I listed in post #5.

    Uninstalling Microsoft Office most likely fixed this issue; it hasn't happened for a few days.

    Just wanted to post that solution for someone to try if they run up against the same problems.