samhain file integrity scanner | online documentation


Using Samhain on Windows



This document explains how to compile and run samhain on Windows with the Cygwin POSIX emulation layer, and how to install it as a Windows service. These instructions were written by Kris Dom, who tested them on Windows XP Professional, with additions by Geries Handal and Jorge Morgado.

Interix / Services For UNIX

Samhain can also be used with Interix/SFU 3.5. Note that in Interix the Windows filesystem is referred to as /dev/fs/C, while in Cygwin it is /cygdrive/c (both refer to the C: drive; other drives are analogous).

Older versions of samhain had to be built with ./configure --disable-mail (i.e. without support for email logging), because Interix does not provide some of the functionality required to build the email module. This should be fixed as of samhain version 2.0.7 (not tested).
[Based on information kindly provided by Geries Handal].
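The following helper script is an added example and is not part of the samhain documentation or of the samhain sources. It picks the configure flags from the output of uname -s and the samhain version (assuming Interix reports "Interix" and Cygwin reports "CYGWIN_NT-..."), and maps a Windows path to the POSIX path of the respective layer, which is handy when the same file list has to be written for both. The source directory path and version strings used are assumptions.

```shell
#!/bin/sh
# Added example, not samhain's own code: configure flags and path mapping
# for building and running samhain under Cygwin or Interix.

# Compare two dotted version strings (a trailing letter, as in 1.8.7a, is
# ignored); prints -1, 0 or 1.
version_cmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            p = (i <= n) ? x[i] + 0 : 0   # "7a" + 0 evaluates to 7 in awk
            q = (i <= m) ? y[i] + 0 : 0
            if (p < q) { print "-1"; exit }
            if (p > q) { print "1"; exit }
        }
        print "0"
    }'
}

# Print the extra ./configure flags for this platform and samhain version.
# $1: output of `uname -s`, $2: samhain version (e.g. 1.8.7a)
samhain_configure_flags() {
    case "$1" in
        Interix*)
            # Before 2.0.7 the email module does not build on Interix.
            if [ "$(version_cmp "$2" 2.0.7)" -lt 0 ]; then
                echo "--disable-mail"
                return 0
            fi
            ;;
    esac
    echo ""
}

# Map a Windows path such as C:\Windows\System32 to the POSIX path of the
# layer: /dev/fs/C/... on Interix, /cygdrive/c/... on Cygwin.
# $1: output of `uname -s`, $2: Windows path
posix_path() {
    rest=$(printf '%s' "$2" | cut -c3- | tr '\\' '/')
    case "$1" in
        Interix*)
            drive=$(printf '%s' "$2" | cut -c1 | tr 'a-z' 'A-Z')
            printf '/dev/fs/%s%s\n' "$drive" "$rest" ;;
        *)
            drive=$(printf '%s' "$2" | cut -c1 | tr 'A-Z' 'a-z')
            printf '/cygdrive/%s%s\n' "$drive" "$rest" ;;
    esac
}

# Build an unpacked samhain source tree with the flags chosen above.
# $1: source directory (assumed path), $2: samhain version
build_samhain() {
    cd "$1" || return 1
    flags=$(samhain_configure_flags "$(uname -s)" "$2")
    # $flags is intentionally unquoted so an empty value adds no argument.
    ./configure $flags && make && make install
}
```

A typical call is build_samhain /usr/src/samhain-1.8.7a 1.8.7a from a Cygwin or Interix shell; the flag selection and path mapping functions can be tested on any POSIX system without samhain installed.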

Cygwin installation procedure to compile samhain

Cygwin download

You do not need to download and install all packages. It is enough to keep the default selection and add the following packages:

Category Devel -> gcc: C compiler upgrade helper
Category Devel -> make: The GNU version of the 'make' utility
Category Libs -> minires: A simple synchronous non caching stub resolver

When these packages are selected, the Cygwin installer automatically adds the other packages they depend on. The package minires is only necessary for a minimal Cygwin installation (see below). [Kindly pointed out by Jorge Morgado].

Cygwin installation

Samhain install procedure (used 'samhain 1.8.7a' in this procedure)

(in the following procedure I use my personal preferences)

Cygwin minimal installation procedure to run samhain

It seems that starting, stopping and restarting the service do not work if samhain is configured to run as a daemon, because the Windows service manager cannot track the forked daemon process.

Therefore, if you run Samhain as a Windows service, it might be better to configure it as a 'normal' process which does not fork a daemon:

[Rainer Wichmann].

Also see http://support.microsoft.com/kb/q137890/ for information regarding the creation of a user-defined service.
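The script below is an added example, not part of the samhain documentation or of Rainer Wichmann's note. It checks whether a samhainrc explicitly keeps samhain in the foreground (the Daemon keyword in the [Misc] section and SetLoopTime are real samhain configuration options; the sample file content is constructed for the demonstration) and shows how the service could then be registered with Cygwin's cygrunsrv. The service name, binary path and description passed to cygrunsrv are assumptions, and cygrunsrv is assumed to be installed as a Cygwin package.

```shell
#!/bin/sh
# Added example, not samhain's own code: make sure samhain will not fork
# before registering it as a Windows service.

# Print the effective Daemon= value from the [Misc] section of the
# samhainrc given as $1 (last occurrence wins); "unset" if absent.
daemon_setting() {
    awk '
        /^[ \t]*\[/ { in_misc = (tolower($0) ~ /^[ \t]*\[misc\]/); next }
        in_misc && /^[ \t]*[Dd]aemon[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")      # drop "Daemon ="
            sub(/[ \t#].*$/, "")          # drop trailing comment/blanks
            val = tolower($0)
        }
        END { if (val == "") val = "unset"; print val }
    ' "$1"
}

# Return 0 only when the config explicitly says Daemon = no; anything
# else (yes, or not set at all) is reported as unsuitable for a service.
service_safe() {
    case "$(daemon_setting "$1")" in
        no) return 0 ;;
        *)  return 1 ;;
    esac
}

# Rewrite the Daemon line inside [Misc] to "no", leaving the rest intact.
set_daemon_no() {
    awk '
        /^[ \t]*\[/ { in_misc = (tolower($0) ~ /^[ \t]*\[misc\]/) }
        in_misc && /^[ \t]*[Dd]aemon[ \t]*=/ { print "Daemon = no"; next }
        { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Constructed sample samhainrc (not a file from the page) for trying the
# functions above; it has the setting that breaks service start/stop.
write_sample_rc() {
    cat > "$1" <<'EOF'
[Misc]
Daemon = yes
SetLoopTime = 600
[Log]
LogSeverity = warn
EOF
}

# Register samhain with cygrunsrv once Daemon = no is in place. Since
# samhain then stays in the foreground, the service manager tracks the
# real process and start/stop/restart work. Paths/names are assumptions.
install_service() {
    rc=${1:-/etc/samhainrc}
    service_safe "$rc" || {
        echo "refusing: $rc does not set Daemon = no" >&2
        return 1
    }
    cygrunsrv -I samhain \
        -p /usr/local/sbin/samhain \
        -a "-t check" \
        -d "Samhain file integrity checker" \
        -t auto -o
}
```

Run service_safe /etc/samhainrc from a Cygwin shell before the first cygrunsrv -I; if it fails, set_daemon_no /etc/samhainrc applies the change Rainer Wichmann describes and the service can be started with cygrunsrv -S samhain afterwards.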

Note: the first time I tried to install samhain as an NT service, I had first installed a default Cygwin on the system. This, however, made things much more complex. I think that when no Cygwin is installed, it is easier to install Samhain as a service.

Troubleshooting samhain

[Rainer Wichmann] I had some problems at first getting it to run as a Windows service. Some tips:

[Tip from Jorge Morgado] If you, like me, have a Windows server that is not part of any domain and (for security reasons) you even turn off DNS resolution, you will probably get the following error when initializing the baseline database:

  ---------   sh_unix.c  ---   1487 ---------
  According to uname, your nodename is yourcomputername, but your resolver
  library cannot resolve this nodename to a FQDN.
  Rather, it resolves this to yourcomputername.
  For more information, see the entry about self-resolving under
  'Most frequently' in the FAQ that you will find in the docs/ subdirectory
  ----------------------------------------------

To fix this problem, open the Registry Editor and create the following entries under the key HKLM\System\CurrentControlSet\Services\Tcpip\Parameters

Name: Domain
Type: REG_SZ
Data: your.domain.name

Name: NV Domain
Type: REG_SZ
Data: your.domain.name

The NV Domain registry value contains the computer's primary DNS suffix while the Domain registry value contains the computer's primary DNS domain. This will make the warning message go away.
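The script below is an added example and not part of the samhain documentation or of Jorge Morgado's tip. It reproduces samhain's self-resolution check from a Cygwin shell, so the condition can be verified before and after the registry change, and applies the same two registry values with Cygwin's regtool instead of the Registry Editor. The domain suffix is an assumed placeholder, and regtool, getent and an elevated Cygwin shell are assumed to be available.

```shell
#!/bin/sh
# Added example, not samhain's own code: check that the nodename resolves
# to a FQDN, and set the Domain / NV Domain registry values from Cygwin.

# Return 0 if $2 (what the resolver returned) is a fully qualified name
# for nodename $1: same host label, followed by a non-empty domain part.
# Comparison is case-insensitive, as DNS names are.
is_fqdn_for() {
    node=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    name=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$name" in
        "$node".?*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Canonical name the resolver returns for this host's nodename (hosts
# file or DNS, as seen by Cygwin's getent); prints nothing on failure.
resolved_name() {
    getent hosts "$(uname -n)" | awk 'NR == 1 { print $2; exit }'
}

# Pre-flight check to run before `samhain -t init`; mirrors the
# condition behind the sh_unix.c message quoted above.
check_self_resolve() {
    node=$(uname -n)
    name=$(resolved_name)
    if is_fqdn_for "$node" "$name"; then
        echo "ok: $node resolves to $name"
        return 0
    fi
    echo "warning: $node resolves to '${name:-nothing}', not to a FQDN" >&2
    return 1
}

# Create/overwrite the two REG_SZ values under Tcpip\Parameters with
# regtool (run from an elevated Cygwin shell). $1: DNS suffix, e.g.
# your.domain.name (assumed placeholder).
set_dns_suffix() {
    key='/HKLM/SYSTEM/CurrentControlSet/Services/Tcpip/Parameters'
    regtool -s set "$key/Domain" "$1" &&
    regtool -s set "$key/NV Domain" "$1"
}

# Optional command-line use: `sh thisscript.sh check` or
# `sh thisscript.sh fix your.domain.name`.
case "${1:-}" in
    check) check_self_resolve ;;
    fix)   set_dns_suffix "$2" ;;
esac
```

Run the check first; if it warns, apply the fix with your real DNS suffix and run the check again before initializing the database. The name compared against must be what the resolver actually returns for the nodename, which is why the check goes through getent rather than trusting the registry value alone.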