ComputerDefaults.exe

  • File Path: C:\Windows\SysWOW64\ComputerDefaults.exe
  • Description: Set Program Access and Computer Defaults Control Panel

Screenshot (image not reproduced): ComputerDefaults.exe

Hashes

  • MD5: 4A007FCF54D0379B75D1FA50F840D62B
  • SHA1: A98C4E058A204C66FA86AB3604E96FD3A1C092E9
  • SHA256: 56B15C941CDBB2E28654B21FC3B6ED8CA75B322B9F86DDEC681DDA7CC032DA4F
  • SHA384: 58DF4C471ED50154B896E18B9B53B76C8B34EF2ED28F9BA6EAA799222F534081913A5CAC84E60C657EE436E9E73EF7F2
  • SHA512: AA3CCAA7222B283B9E9303EF0766A76A37D9F8871525448097EBD79F12D4E7F967CE2A57F79318C0466C83A03A1AE0207844BD7DC2E21FD4550FD06A11EAC41B
  • SSDEEP: 768:KuqzHgMawU6O/6RJ66K8GlTWs2IkRDzsq4ytZZZL2YCX4ibkp/:KngMM+TGVURDoq4OZZZLlCIibkp

Signature

  • Status: Signature verified.
  • Serial: 33000000BCE120FDD27CC8EE930000000000BC
  • Thumbprint: E85459B23C232DB3CB94C7A56D47678F58E8E51E
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: ComputerDefaults.EXE.MUI
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.14393.0 (rs1_release.160715-1616)
  • Product Version: 10.0.14393.0
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

  File                                        Score
  C:\Windows\system32\ComputerDefaults.exe    66
  C:\WINDOWS\system32\ComputerDefaults.exe    55
  C:\WINDOWS\system32\ComputerDefaults.exe    58
  C:\Windows\system32\ComputerDefaults.exe    50
  C:\windows\system32\ComputerDefaults.exe    74
  C:\Windows\system32\ComputerDefaults.exe    50
  C:\Windows\system32\xwizard.exe             54
  C:\windows\system32\xwizard.exe             57
  C:\Windows\system32\xwizard.exe             46
  C:\WINDOWS\system32\xwizard.exe             54
  C:\WINDOWS\system32\xwizard.exe             47
  C:\Windows\system32\xwizard.exe             50
  C:\windows\SysWOW64\ComputerDefaults.exe    71
  C:\WINDOWS\SysWOW64\ComputerDefaults.exe    52
  C:\WINDOWS\SysWOW64\ComputerDefaults.exe    54
  C:\Windows\SysWOW64\ComputerDefaults.exe    52
  C:\Windows\SysWOW64\ComputerDefaults.exe    52
  C:\WINDOWS\SysWOW64\xwizard.exe             60
  C:\Windows\SysWOW64\xwizard.exe             68
  C:\Windows\SysWOW64\xwizard.exe             60
  C:\windows\SysWOW64\xwizard.exe             68
  C:\Windows\SysWOW64\xwizard.exe             61
  C:\WINDOWS\SysWOW64\xwizard.exe             63

Possible Misuse

The following entries are possible examples of ComputerDefaults.exe being misused. While ComputerDefaults.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes. Each entry lists the source, the source file, the matching example text, and the source's license.

  • sigma / proc_creation_win_uac_bypass_computerdefaults.yml: title: UAC Bypass Using ComputerDefaults [DRL 1.0]
  • sigma / proc_creation_win_uac_bypass_computerdefaults.yml: description: Detects the pattern of UAC Bypass using computerdefaults.exe (UACMe 59) [DRL 1.0]
  • sigma / proc_creation_win_uac_bypass_computerdefaults.yml: Image: 'C:\Windows\System32\ComputerDefaults.exe' [DRL 1.0]
  • sigma / registry_event_shell_open_keys_manipulation.yml: description: Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62) [DRL 1.0]
  • atomic-red-team / index.md: - Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows] [MIT License. © 2018 Red Canary]
  • atomic-red-team / windows-index.md: - Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows] [MIT License. © 2018 Red Canary]
  • atomic-red-team / T1548.002.md: - Atomic Test #5 - Bypass UAC using ComputerDefaults (PowerShell) [MIT License. © 2018 Red Canary]
  • atomic-red-team / T1548.002.md: ## Atomic Test #5 - Bypass UAC using ComputerDefaults (PowerShell) [MIT License. © 2018 Red Canary]
  • atomic-red-team / T1548.002.md: PowerShell code to bypass User Account Control using ComputerDefaults.exe on Windows 10 [MIT License. © 2018 Red Canary]
  • atomic-red-team / T1548.002.md: Start-Process "C:\Windows\System32\ComputerDefaults.exe" [MIT License. © 2018 Red Canary]

MIT License. Copyright (c) 2020-2021 Strontic.