ComputerDefaults.exe

  • File Path: C:\WINDOWS\system32\ComputerDefaults.exe
  • Description: Set Program Access and Computer Defaults Control Panel

Hashes

Type Hash
MD5 495F18535BBBA007A18EC5EE708318FE
SHA1 991100111548B5CC7A09C65797543898DAB34FD3
SHA256 64959878420834FFDF17823F1CC507261F1CEF286FF476777C4F3DA7D17AFA24
SHA384 B7A78F8D1E754C809EDCAD5B21C93A7662ED7F0CDBC8CC58746E6A2D1149C0C28E12001EB2ACB70B134B5350D5BE086F
SHA512 AB16974E135CC74C26A58D01820026DCBB57DD52C2DA143CE96AA4F6BC4CDDDA3926A1B07E9429C430F653503C7A8A679BC0DA4A6FB657057890D9FC4D752B4B
SSDEEP 1536:wFLvIy+SgFCoiFAono+AGbMAvy4URDoq4OZZZLlCIibe:wp7+X+oVgMTRRD68wbe

Signature

  • Status: Signature verified.
  • Serial: 330000023241FB59996DCC4DFF000000000232
  • Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: ComputerDefaults.EXE.MUI
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.18362.1 (WinBuild.160101.0800)
  • Product Version: 10.0.18362.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Windows\system32\ComputerDefaults.exe 54
C:\WINDOWS\system32\ComputerDefaults.exe 54
C:\Windows\system32\ComputerDefaults.exe 50
C:\windows\system32\ComputerDefaults.exe 54
C:\Windows\system32\ComputerDefaults.exe 49
C:\Windows\system32\xwizard.exe 46
C:\windows\system32\xwizard.exe 49
C:\Windows\system32\xwizard.exe 40
C:\WINDOWS\system32\xwizard.exe 50
C:\WINDOWS\system32\xwizard.exe 52
C:\Windows\system32\xwizard.exe 49
C:\windows\SysWOW64\ComputerDefaults.exe 50
C:\WINDOWS\SysWOW64\ComputerDefaults.exe 54
C:\Windows\SysWOW64\ComputerDefaults.exe 55
C:\WINDOWS\SysWOW64\ComputerDefaults.exe 41
C:\Windows\SysWOW64\ComputerDefaults.exe 54
C:\Windows\SysWOW64\ComputerDefaults.exe 49
C:\WINDOWS\SysWOW64\xwizard.exe 47
C:\Windows\SysWOW64\xwizard.exe 52
C:\Windows\SysWOW64\xwizard.exe 47
C:\windows\SysWOW64\xwizard.exe 50
C:\Windows\SysWOW64\xwizard.exe 46
C:\WINDOWS\SysWOW64\xwizard.exe 54

Possible Misuse

The following table contains possible examples of ComputerDefaults.exe being misused. While ComputerDefaults.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source | Source File | Example | License
sigma | proc_creation_win_uac_bypass_computerdefaults.yml | title: UAC Bypass Using ComputerDefaults | DRL 1.0
sigma | proc_creation_win_uac_bypass_computerdefaults.yml | description: Detects the pattern of UAC Bypass using computerdefaults.exe (UACMe 59) | DRL 1.0
sigma | proc_creation_win_uac_bypass_computerdefaults.yml | Image: 'C:\Windows\System32\ComputerDefaults.exe' | DRL 1.0
sigma | registry_event_shell_open_keys_manipulation.yml | description: Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62) | DRL 1.0
atomic-red-team | index.md | - Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows] | MIT License. © 2018 Red Canary
atomic-red-team | windows-index.md | - Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows] | MIT License. © 2018 Red Canary
atomic-red-team | T1548.002.md | - Atomic Test #5 - Bypass UAC using ComputerDefaults (PowerShell) | MIT License. © 2018 Red Canary
atomic-red-team | T1548.002.md | ## Atomic Test #5 - Bypass UAC using ComputerDefaults (PowerShell) | MIT License. © 2018 Red Canary
atomic-red-team | T1548.002.md | PowerShell code to bypass User Account Control using ComputerDefaults.exe on Windows 10 | MIT License. © 2018 Red Canary
atomic-red-team | T1548.002.md | Start-Process "C:\Windows\System32\ComputerDefaults.exe" | MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.