  • File Path: C:\Windows\system32\DiskSnapshot.exe
  • Description: DiskSnapshot.exe

Type Hash
MD5 AA2947CE60C08B3C728994938AD03BFC
SHA1 F04C0220A87DF743A936D58C4F7C42A3AF0B0CCC
SHA256 9F677C2796047B08BDC6EE30FB9DD5C4BB0948726B34D97B880A46AF580D0859
SHA384 131399E36947292431036DD66ECDA05E41A50FD2F5A0EACFE252EED9C15BCF81FED9B9D3E6F464B7860A149E6FB110DC
SHA512 70CDE99FA111C967FB873528280BB68212BB363DD747A92B26D63540097558F23BBE2FFEAC9CC25B76ACAAE5878578067A14B4E84B545672B1A679466142F821
SSDEEP 1536:oUXgqagabifeWsFMtGhynZrsjTD7wObLRaecOPfGeLIcY+xAz4qgfXEGRdx:vGWsFMtGhynZrsjTD7wObLRaecOP+eMy

Runtime Data

Usage (stderr):

DiskSnapshot.exe [options]
	-c console output
	-i (deprecated) detail data to console
	-s (deprecated) summary data to console
	-u process large volumes (no limit)
	-j [config] specifies an alternate config file
	-w [output-file] dumps MFT to a file (v arg required) for testing or reparsing
	-r [input-file] parses a previously dumped MFT file
	-v [volume][path] specifies volume(+path) to process, e.g. "d:" or "d:\foo" 
	-e prints out escalation keywords
	-p disable privacy

Child Processes:

Signature

  • Status: Signature verified.
  • Serial: 33000000BCE120FDD27CC8EE930000000000BC
  • Thumbprint: E85459B23C232DB3CB94C7A56D47678F58E8E51E
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: DiskSnapshot.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.14393.0 (rs1_release.160715-1616)
  • Product Version: 10.0.14393.0
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

MIT License. Copyright (c) 2020-2021 Strontic.