ComputerDefaults.exe

  • File Path: C:\WINDOWS\SysWOW64\ComputerDefaults.exe
  • Description: Set Program Access and Computer Defaults Control Panel

Hashes


Runtime Data

Open Handles:

Access Path Type
(R-D) C:\Windows\System32\en-US\ComputerDefaults.exe.mui File
(RW-) C:\Windows File
(RW-) C:\Windows\SysWOW64 File
(RW-) C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.22000.120_none_e541a94fcce8ed6d File
- \BaseNamedObjects\__ComCatalogCache__ Section
- \BaseNamedObjects\C:_ProgramData_Microsoft_Windows_Caches_{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db Section
- \BaseNamedObjects\C:_ProgramData_Microsoft_Windows_Caches_{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db Section
- \BaseNamedObjects\C:_ProgramData_Microsoft_Windows_Caches_cversions.2.ro Section
- \Sessions\2\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
- \Sessions\2\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
- \Sessions\2\BaseNamedObjects\windows_shell_global_counters Section
- \Sessions\2\BaseNamedObjects\windows_webcache_counters_{9B6AB5B3-91BC-4097-835C-EA2DEC95E9CC}_S-1-5-21-1128764013-3361508229-3049782613-1001 Section

Loaded Modules:

Path
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\System32\wow64.dll
C:\WINDOWS\System32\wow64base.dll
C:\WINDOWS\System32\wow64con.dll
C:\WINDOWS\System32\wow64cpu.dll
C:\WINDOWS\System32\wow64win.dll
C:\WINDOWS\SysWOW64\ComputerDefaults.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: ComputerDefaults.EXE
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/fdad0ce82ad32734c00dd26ae6705076c4432b74f77f0c8832a93eb470598e63/detection

File Similarity (ssdeep match)

File Score
C:\Windows\system32\ComputerDefaults.exe 35
C:\WINDOWS\system32\ComputerDefaults.exe 41
C:\WINDOWS\system32\ComputerDefaults.exe 43
C:\Windows\system32\ComputerDefaults.exe 40
C:\windows\system32\ComputerDefaults.exe 63
C:\Windows\system32\ComputerDefaults.exe 40
C:\Windows\system32\xwizard.exe 36
C:\windows\system32\xwizard.exe 44
C:\Windows\system32\xwizard.exe 33
C:\WINDOWS\system32\xwizard.exe 40
C:\WINDOWS\system32\xwizard.exe 43
C:\Windows\system32\xwizard.exe 40
C:\windows\SysWOW64\ComputerDefaults.exe 65
C:\WINDOWS\SysWOW64\ComputerDefaults.exe 43
C:\Windows\SysWOW64\ComputerDefaults.exe 54
C:\Windows\SysWOW64\ComputerDefaults.exe 43
C:\Windows\SysWOW64\ComputerDefaults.exe 43
C:\WINDOWS\SysWOW64\xwizard.exe 40
C:\Windows\SysWOW64\xwizard.exe 57
C:\Windows\SysWOW64\xwizard.exe 40
C:\windows\SysWOW64\xwizard.exe 41
C:\Windows\SysWOW64\xwizard.exe 43
C:\WINDOWS\SysWOW64\xwizard.exe 41

Possible Misuse

The following table contains possible examples of ComputerDefaults.exe being misused. While ComputerDefaults.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_uac_bypass_computerdefaults.yml title: UAC Bypass Using ComputerDefaults DRL 1.0
sigma proc_creation_win_uac_bypass_computerdefaults.yml description: Detects the pattern of UAC Bypass using computerdefaults.exe (UACMe 59) DRL 1.0
sigma proc_creation_win_uac_bypass_computerdefaults.yml Image: 'C:\Windows\System32\ComputerDefaults.exe' DRL 1.0
sigma registry_event_shell_open_keys_manipulation.yml description: Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62) DRL 1.0
atomic-red-team index.md - Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows] MIT License. © 2018 Red Canary
atomic-red-team T1548.002.md - Atomic Test #5 - Bypass UAC using ComputerDefaults (PowerShell) MIT License. © 2018 Red Canary
atomic-red-team T1548.002.md ## Atomic Test #5 - Bypass UAC using ComputerDefaults (PowerShell) MIT License. © 2018 Red Canary
atomic-red-team T1548.002.md PowerShell code to bypass User Account Control using ComputerDefaults.exe on Windows 10 MIT License. © 2018 Red Canary
atomic-red-team T1548.002.md Start-Process "C:\Windows\System32\ComputerDefaults.exe" MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.