ComputerDefaults.exe

  • File Path: C:\WINDOWS\system32\ComputerDefaults.exe
  • Description: Set Program Access and Computer Defaults Control Panel

Screenshot

ComputerDefaults.exe

Hashes

Type Hash
MD5 640693107EE411D8E862AB115D7B4639
SHA1 497435F5727C5BFE31331BA245E9B7B95DC69D2A
SHA256 A2794BE7CB7A4AD2F526FE91CA95A36B2EC1648B288088EAA4809402C7B2C6F4
SHA384 FF7FA8E659AB5918ED5EE646BAC39684B39648E42DB9B4838B5F9D1AFAA9B86C566DC111BBFBFF27880A315BED660BE0
SHA512 3A554FE1D8D23F06AC86BB078B3E5B4815722ADBACBF9492B5B7AD27BF27D44DD948387268DEDC2943AFC3557EF234E8882475C813CC5F5F4AB566E52BBB03DB
SSDEEP 1536:dgNHZFWWfpClwPXUiy+URDoq4OZZZLlCIib8:CHp3MPXRD68wb8
IMP F80FC6EF610CC28E0F47123BDB00C150
PESHA1 3974B3B7DE2B7FE88EF63C6705CDD30D99CE468A
PE256 B29C19426DA2307FDC028F16E7AC927B48CD2E2DA0EECC82A79AA71EB0D5FEBE

Runtime Data

Child Processes:

csrss.exe winlogon.exe

Open Handles:

Path Type
(R-D) C:\Windows\System32\en-US\ComputerDefaults.exe.mui File
(RW-) C:\Windows\System32 File
(RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.22000.120_none_9d947278b86cc467 File
\BaseNamedObjects__ComCatalogCache__ Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro Section
\Sessions\2\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\Sessions\2\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\2\BaseNamedObjects\windows_shell_global_counters Section
\Sessions\2\BaseNamedObjects\windows_webcache_counters_{9B6AB5B3-91BC-4097-835C-EA2DEC95E9CC}_S-1-5-21-1128764013-3361508229-3049782613-1001 Section

Loaded Modules:

Path
C:\WINDOWS\system32\ComputerDefaults.exe
C:\WINDOWS\System32\GDI32.dll
C:\WINDOWS\System32\gdi32full.dll
C:\WINDOWS\System32\KERNEL32.DLL
C:\WINDOWS\System32\KERNELBASE.dll
C:\WINDOWS\System32\msvcp_win.dll
C:\WINDOWS\System32\msvcrt.dll
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\System32\SHELL32.dll
C:\WINDOWS\System32\ucrtbase.dll
C:\WINDOWS\System32\USER32.dll
C:\WINDOWS\System32\win32u.dll

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: ComputerDefaults.EXE.MUI
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/a2794be7cb7a4ad2f526fe91ca95a36b2ec1648b288088eaa4809402c7b2c6f4/detection

File Similarity (ssdeep match)

File Score
C:\Windows\system32\ComputerDefaults.exe 60
C:\WINDOWS\system32\ComputerDefaults.exe 54
C:\Windows\system32\ComputerDefaults.exe 50
C:\windows\system32\ComputerDefaults.exe 58
C:\Windows\system32\ComputerDefaults.exe 49
C:\Windows\system32\xwizard.exe 52
C:\windows\system32\xwizard.exe 50
C:\Windows\system32\xwizard.exe 41
C:\WINDOWS\system32\xwizard.exe 47
C:\WINDOWS\system32\xwizard.exe 52
C:\Windows\system32\xwizard.exe 50
C:\windows\SysWOW64\ComputerDefaults.exe 60
C:\WINDOWS\SysWOW64\ComputerDefaults.exe 50
C:\Windows\SysWOW64\ComputerDefaults.exe 58
C:\WINDOWS\SysWOW64\ComputerDefaults.exe 43
C:\Windows\SysWOW64\ComputerDefaults.exe 54
C:\Windows\SysWOW64\ComputerDefaults.exe 50
C:\WINDOWS\SysWOW64\xwizard.exe 49
C:\Windows\SysWOW64\xwizard.exe 52
C:\Windows\SysWOW64\xwizard.exe 58
C:\windows\SysWOW64\xwizard.exe 50
C:\Windows\SysWOW64\xwizard.exe 49
C:\WINDOWS\SysWOW64\xwizard.exe 57

Possible Misuse

The following table contains possible examples of ComputerDefaults.exe being misused. While ComputerDefaults.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_uac_bypass_computerdefaults.yml title: UAC Bypass Using ComputerDefaults DRL 1.0
sigma proc_creation_win_uac_bypass_computerdefaults.yml description: Detects the pattern of UAC Bypass using computerdefaults.exe (UACMe 59) DRL 1.0
sigma proc_creation_win_uac_bypass_computerdefaults.yml Image: 'C:\Windows\System32\ComputerDefaults.exe' DRL 1.0
sigma registry_event_shell_open_keys_manipulation.yml description: Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62) DRL 1.0
atomic-red-team index.md - Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows] MIT License. © 2018 Red Canary
atomic-red-team T1548.002.md - Atomic Test #5 - Bypass UAC using ComputerDefaults (PowerShell) MIT License. © 2018 Red Canary
atomic-red-team T1548.002.md ## Atomic Test #5 - Bypass UAC using ComputerDefaults (PowerShell) MIT License. © 2018 Red Canary
atomic-red-team T1548.002.md PowerShell code to bypass User Account Control using ComputerDefaults.exe on Windows 10 MIT License. © 2018 Red Canary
atomic-red-team T1548.002.md Start-Process “C:\Windows\System32\ComputerDefaults.exe” MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.