![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(169.60000000000002, 99%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETW%3C/text%3E%3C/svg%3E)
Sysinternals
Advanced system utilities to manage, troubleshoot, and diagnose Windows and Linux systems and applications.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(307.2, 47%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDD%3C/text%3E%3C/svg%3E)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(288, 16%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EL%3C/text%3E%3C/svg%3E)
Ask Gemini (I prefer Copilot, but just like that today)
- Question
I think it is limitation of VirusTotal more.
- Gemini
You're right to suspect VirusTotal limitations, even if the error message is misleading! While "A device attached to the system is not functioning" usually points to something low-level like network stack, it can be a symptom of hitting VirusTotal's API limits, especially if sigcheck isn't designed to explicitly parse all possible API responses (like a 429 or 204 for rate limiting) and translate them into a user-friendly message.
Here's why it's highly plausible it's related to VirusTotal limitations, and how that generic error might surface:
How VirusTotal Limits Manifest:
- Public API:
- 500 requests per day.
- 4 requests per minute.
- Not for commercial use or business workflows.
__HTTP 204 No Content:__ In older API v2, this was the common response code for hitting the rate limit. ```__Why "A device attached to the system is not functioning" might appear:__
Generic Error Handling: Sigcheck (and other Sysinternals tools that integrate with VT) might not have highly granular error handling for all possible HTTP response codes from VirusTotal. If it receives a 429 or 204 response, and it's not explicitly expecting to translate that into "Quota Exceeded," it might fall back to a generic Windows error like "A device attached to the system is not functioning," implying an underlying communication failure rather than a specific API refusal.
Abrupt Connection Termination: When VirusTotal's servers actively rate-limit you, they might simply close the connection or send a response that sigcheck's underlying network library doesn't interpret gracefully, leading to a low-level network stack error.
TLS Handshake Issues (related to rate limits): In some cases, repeated rapid requests can lead to issues during the TLS handshake itself if the server is actively trying to block you, which sigcheck might interpret as a "device not functioning" issue.
Evidence Supporting Your Theory:
- Your own experience: If it sometimes works but then stops, and you're making many requests, rate limits are the prime suspect.
The Microsoft Q&A thread: The user there describes the exact same error ("A device attached to the system is not functioning") when using sigcheck64 -vt on Server 2019 in an Azure VM, after updates. This strongly suggests a system-wide behavior or interaction, and given the context of VirusTotal scanning, hitting limits is highly probable. They also state "I ran sigcheck and now the wheels have fallen off, in the output every file, including those with a hash, is 'A device ...'". This indicates a systemic issue, consistent with being temporarily blocked by VirusTotal.
What to do if you suspect it's a VT limit:
Confirm your API Key status: Go to your VirusTotal account page (virustotal.com/gui/my-apikey). Check your "API key" section to see your daily and minute quota usage. If you see it nearing or exceeding limits, that's your confirmation.
Wait it out: The simplest test is to just stop using sigcheck -vt for several hours (or until the next UTC day for daily limits) and then try again. If it starts working, it was almost certainly a rate limit.
Implement Delays (if scripting): If you're using a script to call sigcheck repeatedly, ensure you're adhering to the 4 requests/minute limit (e.g., Start-Sleep -Seconds 15 between calls in PowerShell).
Prioritize Hash Lookups: As discussed before, get all hashes first, then query VT. Only upload files that are truly unknown.
Consider a Premium API: If this is for a business, security operation, or any high-volume, continuous use, the Public API is not suitable. You will hit limits, and it's against their terms of service. A Premium API subscription is designed for such scenarios and offers vastly higher (or no explicit) rate limits.
While the error message is unhelpful, your intuition about it being a VirusTotal limitation is likely correct, especially if you're making frequent queries.I think it is limitation of VirusTotal more.
You're right to suspect VirusTotal limitations, even if the error message is misleading! While "A device attached to the system is not functioning" usually points to something low-level like network stack, it can be a symptom of hitting VirusTotal's API limits, especially if sigcheck isn't designed to explicitly parse all possible API responses (like a 429 or 204 for rate limiting) and translate them into a user-friendly message.
Here's why it's highly plausible it's related to VirusTotal limitations, and how that generic error might surface:
How VirusTotal Limits Manifest:
Public API:
500 requests per day.
__4 requests per minute.__
__Not for commercial use or business workflows.__
When you hit these limits, VirusTotal's API responds with:
__HTTP 429 Too Many Requests:__ This is the standard HTTP status code for rate limiting in API v3.
__HTTP 204 No Content:__ In older API v2, this was the common response code for hitting the rate limit.
```__Why "A device attached to the system is not functioning" might appear:__
__Generic Error Handling:__ `Sigcheck` (and other Sysinternals tools that integrate with VT) might not have highly granular error handling for _all_ possible HTTP response codes from VirusTotal. If it receives a 429 or 204 response, and it's not explicitly expecting to translate that into "Quota Exceeded," it might fall back to a generic Windows error like "A device attached to the system is not functioning," implying an underlying communication failure rather than a specific API refusal.
__Abrupt Connection Termination:__ When VirusTotal's servers actively rate-limit you, they might simply close the connection or send a response that `sigcheck`'s underlying network library doesn't interpret gracefully, leading to a low-level network stack error.
__TLS Handshake Issues (related to rate limits):__ In some cases, repeated rapid requests can lead to issues during the TLS handshake itself if the server is actively trying to block you, which `sigcheck` might interpret as a "device not functioning" issue.
__Evidence Supporting Your Theory:__
__Your own experience:__ If it works sometimes but then stops, and you're making many requests, rate limits are the prime suspect.
__The Microsoft Q&A thread:__ The user there describes the _exact_ same error ("A device attached to the system is not functioning") when using `sigcheck64 -vt` on Server 2019 in an Azure VM, _after_ updates. This strongly suggests a system-wide behavior or interaction, and given the context of VirusTotal scanning, hitting limits is highly probable. They also state "I ran sigcheck and now the wheels have fallen off, in the output every file, including those with a hash, is 'A device ...'". This indicates a systemic issue, consistent with being temporarily blocked by VirusTotal.
__What to do if you suspect it's a VT limit:__
__Confirm your API Key status:__ Go to your VirusTotal account page (`virustotal.com/gui/my-apikey`). Check your "API key" section to see your daily and minute quota usage. If you see it nearing or exceeding limits, that's your confirmation.
__Wait it out:__ The simplest test is to just stop using `sigcheck -vt` for several hours (or until the next UTC day for daily limits) and then try again. If it starts working, it was almost certainly a rate limit.
__Implement Delays (if scripting):__ If you're using a script to call `sigcheck` repeatedly, ensure you're adhering to the 4 requests/minute limit (e.g., `Start-Sleep -Seconds 15` between calls in PowerShell).
__Prioritize Hash Lookups:__ As discussed before, get all hashes first, then query VT. Only upload files that are truly unknown.
__Consider a Premium API:__ If this is for a business, security operation, or any high-volume, continuous use, the Public API is not suitable. You _will_ hit limits, and it's against their terms of service. A Premium API subscription is designed for such scenarios and offers vastly higher (or no explicit) rate limits.
While the error message is unhelpful, your intuition about it being a VirusTotal limitation is likely correct, especially if you're making frequent queries.
Have a nice day !
PS
I'm not sure, but two-three year ago, more or less, this limitation did not exist.
I try Sigcheck scanning "only" 50 files. Work. After that if run it again, I will receive the message that you talk about.
Now I change my IP, run again with 50 new files and work again.
So for now, I think VirusTotal check not the Machine ID but "only" the IP.
If you are better than me (I'm sure) just create a batch file who do all that automatically, suppose you have 1000 file (.dll, .exe) to be scanned. I do that manually for now. Maybe I will ask a bot to write a script for me, or maybe you will make one and put here...
:)
Sure the best, for my brain, will be to learn batch / script programming.