ComputerDefaults.exe

  • File Path: C:\Windows\system32\ComputerDefaults.exe
  • Description: Set Program Access and Computer Defaults Control Panel

Screenshot: ComputerDefaults.exe

Hashes

  • MD5: 3F032A1BDF4D7DF2F43FE7C0410AC175
  • SHA1: 1D9CFDB4C324543CC3231029913D735D6EE27C70
  • SHA256: 4978AD7650C44D4239ED6B77267DD21D50D33BBD3D875ACE4131F2DED3A11804
  • SHA384: 7C564FD80D41AEA6A7BAB82152322511CC0EB782BDC64739A9871E94FDD5393E2EBC09F56032FEC0AF3B0EDC0B6E9A95
  • SHA512: C281C1009D2CF7CC41E45B39E3EFBBAD3AED091A21FAC30EE369281BAF4C0D9AC190B321E9BE891092BCE7FC2DDEC2195F67A5B6E70CA680BE4F9205090130A4
  • SSDEEP: 1536:gS1tjONtCc7jFGPURDoq4OZZZLlCIibk:7HOocRD68wbk

Signature

  • Status: Signature verified.
  • Serial: 33000000BCE120FDD27CC8EE930000000000BC
  • Thumbprint: E85459B23C232DB3CB94C7A56D47678F58E8E51E
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: ComputerDefaults.EXE.MUI
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.14393.0 (rs1_release.160715-1616)
  • Product Version: 10.0.14393.0
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

| File | Score |
| --- | --- |
| C:\WINDOWS\system32\ComputerDefaults.exe | 54 |
| C:\WINDOWS\system32\ComputerDefaults.exe | 60 |
| C:\Windows\system32\ComputerDefaults.exe | 52 |
| C:\windows\system32\ComputerDefaults.exe | 66 |
| C:\Windows\system32\ComputerDefaults.exe | 50 |
| C:\Windows\system32\xwizard.exe | 52 |
| C:\windows\system32\xwizard.exe | 54 |
| C:\Windows\system32\xwizard.exe | 46 |
| C:\WINDOWS\system32\xwizard.exe | 50 |
| C:\WINDOWS\system32\xwizard.exe | 47 |
| C:\Windows\system32\xwizard.exe | 47 |
| C:\windows\SysWOW64\ComputerDefaults.exe | 65 |
| C:\WINDOWS\SysWOW64\ComputerDefaults.exe | 54 |
| C:\Windows\SysWOW64\ComputerDefaults.exe | 66 |
| C:\WINDOWS\SysWOW64\ComputerDefaults.exe | 35 |
| C:\Windows\SysWOW64\ComputerDefaults.exe | 50 |
| C:\Windows\SysWOW64\ComputerDefaults.exe | 50 |
| C:\WINDOWS\SysWOW64\xwizard.exe | 55 |
| C:\Windows\SysWOW64\xwizard.exe | 57 |
| C:\Windows\SysWOW64\xwizard.exe | 52 |
| C:\windows\SysWOW64\xwizard.exe | 54 |
| C:\Windows\SysWOW64\xwizard.exe | 50 |
| C:\WINDOWS\SysWOW64\xwizard.exe | 54 |

Possible Misuse

The following table contains possible examples of ComputerDefaults.exe being misused. While ComputerDefaults.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
| --- | --- | --- | --- |
| sigma | proc_creation_win_uac_bypass_computerdefaults.yml | title: UAC Bypass Using ComputerDefaults | DRL 1.0 |
| sigma | proc_creation_win_uac_bypass_computerdefaults.yml | description: Detects the pattern of UAC Bypass using computerdefaults.exe (UACMe 59) | DRL 1.0 |
| sigma | proc_creation_win_uac_bypass_computerdefaults.yml | Image: 'C:\Windows\System32\ComputerDefaults.exe' | DRL 1.0 |
| sigma | registry_event_shell_open_keys_manipulation.yml | description: Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62) | DRL 1.0 |
| atomic-red-team | index.md | - Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | T1548.002.md | - Atomic Test #5 - Bypass UAC using ComputerDefaults (PowerShell) | MIT License. © 2018 Red Canary |
| atomic-red-team | T1548.002.md | ## Atomic Test #5 - Bypass UAC using ComputerDefaults (PowerShell) | MIT License. © 2018 Red Canary |
| atomic-red-team | T1548.002.md | PowerShell code to bypass User Account Control using ComputerDefaults.exe on Windows 10 | MIT License. © 2018 Red Canary |
| atomic-red-team | T1548.002.md | Start-Process "C:\Windows\System32\ComputerDefaults.exe" | MIT License. © 2018 Red Canary |

MIT License. Copyright (c) 2020-2021 Strontic.