ComputerDefaults.exe

  • File Path: C:\Windows\SysWOW64\ComputerDefaults.exe
  • Description: Set Program Access and Computer Defaults Control Panel

Hashes

  • MD5: CFA65B13918526579371C138108A7DDB
  • SHA1: 28BC560C542C405E08001F95C4EA0511E5211035
  • SHA256: 4C70FEA1C4F9B78955EB840C11C6C81F1D860485E090526A8E8176D98B1BE3D6
  • SHA384: 3989AB6092EE411EC1631EE668FDE3013DDF38CC2723D44A84FA1B54C9869855E469D51244D568DFCCF4406E3077B9ED
  • SHA512: 7AD417E862C38F1032B300735C00050435F0DD1D816E93B9A466ADF3BC092BE770EBF59C1617DB2281C7CF982A75E6C93D927D5784132AA2C6292F3E950ECA88
  • SSDEEP: 1536:lxNHwdSsszF8tbVBATYqyrURDoq4OZZZLlCIibz2:VHwdSfSfBATYXwRD68wbz2
  • IMP: DCF24A295065FCFB6B7F451585917C44
  • PESHA1: 0B74426EBDF2F11D7BA0FC89E4C04B53B90A26E4
  • PE256: 330CA68230D8EFE439E8E6F896C43A8B0891AE1E4FF288959E4922DBDE351C74

Runtime Data

Loaded Modules:

  • C:\Windows\SYSTEM32\ntdll.dll
  • C:\Windows\System32\wow64.dll
  • C:\Windows\System32\wow64cpu.dll
  • C:\Windows\System32\wow64win.dll
  • C:\Windows\SysWOW64\ComputerDefaults.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: ComputerDefaults.EXE
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/74
  • VirusTotal Link: https://www.virustotal.com/gui/file/4c70fea1c4f9b78955eb840c11c6c81f1d860485e090526a8e8176d98b1be3d6/detection

File Similarity (ssdeep match)

Matched file (ssdeep score):

  • C:\Windows\system32\ComputerDefaults.exe: 50
  • C:\WINDOWS\system32\ComputerDefaults.exe: 54
  • C:\WINDOWS\system32\ComputerDefaults.exe: 54
  • C:\Windows\system32\ComputerDefaults.exe: 47
  • C:\windows\system32\ComputerDefaults.exe: 58
  • C:\Windows\system32\ComputerDefaults.exe: 50
  • C:\Windows\system32\xwizard.exe: 47
  • C:\windows\system32\xwizard.exe: 54
  • C:\Windows\system32\xwizard.exe: 40
  • C:\WINDOWS\system32\xwizard.exe: 52
  • C:\WINDOWS\system32\xwizard.exe: 47
  • C:\Windows\system32\xwizard.exe: 49
  • C:\windows\SysWOW64\ComputerDefaults.exe: 57
  • C:\WINDOWS\SysWOW64\ComputerDefaults.exe: 50
  • C:\Windows\SysWOW64\ComputerDefaults.exe: 52
  • C:\WINDOWS\SysWOW64\ComputerDefaults.exe: 43
  • C:\Windows\SysWOW64\ComputerDefaults.exe: 49
  • C:\WINDOWS\SysWOW64\xwizard.exe: 49
  • C:\Windows\SysWOW64\xwizard.exe: 55
  • C:\Windows\SysWOW64\xwizard.exe: 55
  • C:\windows\SysWOW64\xwizard.exe: 54
  • C:\Windows\SysWOW64\xwizard.exe: 50
  • C:\WINDOWS\SysWOW64\xwizard.exe: 50

Possible Misuse

The following entries are examples of ComputerDefaults.exe being misused, drawn from public detection and testing repositories. ComputerDefaults.exe is not inherently malicious, but its legitimate functionality can be abused for malicious purposes.

  • Source: sigma; File: proc_creation_win_uac_bypass_computerdefaults.yml; Example: title: UAC Bypass Using ComputerDefaults; License: DRL 1.0
  • Source: sigma; File: proc_creation_win_uac_bypass_computerdefaults.yml; Example: description: Detects the pattern of UAC Bypass using computerdefaults.exe (UACMe 59); License: DRL 1.0
  • Source: sigma; File: proc_creation_win_uac_bypass_computerdefaults.yml; Example: Image: 'C:\Windows\System32\ComputerDefaults.exe'; License: DRL 1.0
  • Source: sigma; File: registry_event_shell_open_keys_manipulation.yml; Example: description: Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62); License: DRL 1.0
  • Source: atomic-red-team; File: index.md; Example: - Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows]; License: MIT License. © 2018 Red Canary
  • Source: atomic-red-team; File: windows-index.md; Example: - Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows]; License: MIT License. © 2018 Red Canary
  • Source: atomic-red-team; File: T1548.002.md; Example: - Atomic Test #5 - Bypass UAC using ComputerDefaults (PowerShell); License: MIT License. © 2018 Red Canary
  • Source: atomic-red-team; File: T1548.002.md; Example: ## Atomic Test #5 - Bypass UAC using ComputerDefaults (PowerShell); License: MIT License. © 2018 Red Canary
  • Source: atomic-red-team; File: T1548.002.md; Example: PowerShell code to bypass User Account Control using ComputerDefaults.exe on Windows 10; License: MIT License. © 2018 Red Canary
  • Source: atomic-red-team; File: T1548.002.md; Example: Start-Process "C:\Windows\System32\ComputerDefaults.exe"; License: MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.