ComputerDefaults.exe

  • File Path: C:\windows\system32\ComputerDefaults.exe
  • Description: Set Program Access and Computer Defaults Control Panel

Signature

  • Status: The file C:\windows\system32\ComputerDefaults.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
  • Serial: ``
  • Thumbprint: ``
  • Issuer:
  • Subject:

File Metadata

  • Original Filename: ComputerDefaults.EXE.MUI
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
  • Product Version: 6.3.9600.16384
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

| File | Score |
|---|---|
| C:\Windows\system32\ComputerDefaults.exe | 66 |
| C:\WINDOWS\system32\ComputerDefaults.exe | 54 |
| C:\WINDOWS\system32\ComputerDefaults.exe | 58 |
| C:\Windows\system32\ComputerDefaults.exe | 52 |
| C:\Windows\system32\ComputerDefaults.exe | 54 |
| C:\Windows\system32\xwizard.exe | 60 |
| C:\windows\system32\xwizard.exe | 57 |
| C:\Windows\system32\xwizard.exe | 47 |
| C:\WINDOWS\system32\xwizard.exe | 52 |
| C:\WINDOWS\system32\xwizard.exe | 52 |
| C:\Windows\system32\xwizard.exe | 54 |
| C:\windows\SysWOW64\ComputerDefaults.exe | 82 |
| C:\WINDOWS\SysWOW64\ComputerDefaults.exe | 57 |
| C:\Windows\SysWOW64\ComputerDefaults.exe | 74 |
| C:\WINDOWS\SysWOW64\ComputerDefaults.exe | 63 |
| C:\Windows\SysWOW64\ComputerDefaults.exe | 58 |
| C:\Windows\SysWOW64\ComputerDefaults.exe | 54 |
| C:\WINDOWS\SysWOW64\xwizard.exe | 63 |
| C:\Windows\SysWOW64\xwizard.exe | 69 |
| C:\Windows\SysWOW64\xwizard.exe | 63 |
| C:\windows\SysWOW64\xwizard.exe | 61 |
| C:\Windows\SysWOW64\xwizard.exe | 61 |
| C:\WINDOWS\SysWOW64\xwizard.exe | 66 |

Possible Misuse

The following table contains possible examples of ComputerDefaults.exe being misused. While ComputerDefaults.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
|---|---|---|---|
| sigma | proc_creation_win_uac_bypass_computerdefaults.yml | title: UAC Bypass Using ComputerDefaults | DRL 1.0 |
| sigma | proc_creation_win_uac_bypass_computerdefaults.yml | description: Detects the pattern of UAC Bypass using computerdefaults.exe (UACMe 59) | DRL 1.0 |
| sigma | proc_creation_win_uac_bypass_computerdefaults.yml | Image: 'C:\Windows\System32\ComputerDefaults.exe' | DRL 1.0 |
| sigma | registry_event_shell_open_keys_manipulation.yml | description: Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62) | DRL 1.0 |
| atomic-red-team | index.md | - Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | T1548.002.md | - Atomic Test #5 - Bypass UAC using ComputerDefaults (PowerShell) | MIT License. © 2018 Red Canary |
| atomic-red-team | T1548.002.md | ## Atomic Test #5 - Bypass UAC using ComputerDefaults (PowerShell) | MIT License. © 2018 Red Canary |
| atomic-red-team | T1548.002.md | PowerShell code to bypass User Account Control using ComputerDefaults.exe on Windows 10 | MIT License. © 2018 Red Canary |
| atomic-red-team | T1548.002.md | Start-Process "C:\Windows\System32\ComputerDefaults.exe" | MIT License. © 2018 Red Canary |

MIT License. Copyright (c) 2020-2021 Strontic.