DiskSnapshot.exe
- File Path: C:\Windows\system32\DiskSnapshot.exe
- Description: DiskSnapshot.exe
Hashes
Type | Hash |
---|---|
MD5 | AA2947CE60C08B3C728994938AD03BFC |
SHA1 | F04C0220A87DF743A936D58C4F7C42A3AF0B0CCC |
SHA256 | 9F677C2796047B08BDC6EE30FB9DD5C4BB0948726B34D97B880A46AF580D0859 |
SHA384 | 131399E36947292431036DD66ECDA05E41A50FD2F5A0EACFE252EED9C15BCF81FED9B9D3E6F464B7860A149E6FB110DC |
SHA512 | 70CDE99FA111C967FB873528280BB68212BB363DD747A92B26D63540097558F23BBE2FFEAC9CC25B76ACAAE5878578067A14B4E84B545672B1A679466142F821 |
SSDEEP | 1536:oUXgqagabifeWsFMtGhynZrsjTD7wObLRaecOPfGeLIcY+xAz4qgfXEGRdx:vGWsFMtGhynZrsjTD7wObLRaecOP+eMy |
Runtime Data
Usage (stderr):
DiskSnapshot.exe [options]
-c console output
-i (deprecated) detail data to console
-s (deprecated) summary data to console
-u process large volumes (no limit)
-j [config] specifies an alternate config file
-w [output-file] dumps MFT to a file (v arg required) for testing or reparsing
-r [input-file] parses a previously dumped MFT file
-v [volume][path] specifies volume(+path) to process, e.g. "d:" or "d:\foo"
-e prints out escalation keywords
-p disable privacy
Child Processes:
conhost.exe
Signature
- Status: Signature verified.
- Serial: 33000000BCE120FDD27CC8EE930000000000BC
- Thumbprint: E85459B23C232DB3CB94C7A56D47678F58E8E51E
- Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: DiskSnapshot.exe
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.14393.0 (rs1_release.160715-1616)
- Product Version: 10.0.14393.0
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
MIT License. Copyright (c) 2020-2021 Strontic.