PATHPING.EXE

  • File Path: C:\Windows\system32\PATHPING.EXE
  • Description: TCP/IP PathPing Command

Hashes

Type Hash
MD5 5FB848A0BC3322AD439CD83602B2B420
SHA1 411F82573E003FB6BE7294EA335143F3F6355AC5
SHA256 96A0FA913D1688D61496B0001F5264FC1727C9A7AF9232D1EB02811252ED1908
SHA384 FD944F062FF4B8FC0C81F4467245C118AE06D3EE7EA59DF7D66DE3248434C221CD7C53A73106C491B14755C3E688619D
SHA512 391AE1C8CA8C39DBACA9CCE8F14EFB048F6D8C56B3206BD0E432B2EEE5BE223516303099E88A1ACC9499B4F598DE12BBFDDB867D5A45FC8A189BC2694C5FE881
SSDEEP 384:dmSjRRQsfowYYmUO68sd2HMWU6ltmTL8SdxW6AW:BY+LdL+4TL8I
IMP 527F94868035A5EFB9B24DFA6322F29D
PESHA1 765D87E1C72DE0F6D71FB333053BF387AAEE0C9F
PE256 400AFDB027767975109C89D67C661C9F964058094E1B42977DC81140A1AB08BC

Runtime Data

Usage (stdout):

--help is not a valid command option.

Usage: pathping [-g host-list] [-h maximum_hops] [-i address] [-n] 
                [-p period] [-q num_queries] [-w timeout] 
                [-4] [-6] target_name

Options:
    -g host-list     Loose source route along host-list.
    -h maximum_hops  Maximum number of hops to search for target.
    -i address       Use the specified source address. 
    -n               Do not resolve addresses to hostnames.
    -p period        Wait period milliseconds between pings.
    -q num_queries   Number of queries per hop.
    -w timeout       Wait timeout milliseconds for each reply.
    -4               Force using IPv4.
    -6               Force using IPv6.

Child Processes:

conhost.exe

Open Handles:

Path Type
(RW-) C:\Users\user File
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000004.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000004.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section

Loaded Modules:

Path
C:\Windows\SYSTEM32\DNSAPI.dll
C:\Windows\system32\IPHLPAPI.DLL
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\system32\mswsock.dll
C:\Windows\System32\NSI.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\system32\PATHPING.EXE
C:\Windows\System32\rasadhlp.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\WS2_32.dll

Signature

  • Status: Signature verified.
  • Serial: 33000001C422B2F79B793DACB20000000001C4
  • Thumbprint: AE9C1AE54763822EEC42474983D8B635116C8452
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: pathping.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/70
  • VirusTotal Link: https://www.virustotal.com/gui/file/96a0fa913d1688d61496b0001f5264fc1727c9a7af9232d1eb02811252ed1908/detection/

Possible Misuse

The following table contains possible examples of PATHPING.EXE being misused. While PATHPING.EXE is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_webshell_detection.yml - '\pathping.exe' DRL 1.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


pathping

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Provides information about network latency and network loss at intermediate hops between a source and destination. This command sends multiple echo Request messages to each router between a source and destination, over a period of time, and then computes results based on the packets returned from each router. Because this command displays the degree of packet loss at any given router or link, you can determine which routers or subnets might be having network problems. Used without parameters, this command displays help.

[!NOTE] This command is available only if the Internet Protocol (TCP/IP) protocol is installed as a component in the properties of a network adapter in Network Connections.

Additionally, this command identifies which routers are on the path, same as using the tracert command. Howevever, this command also sends pings periodically to all of the routers over a specified time period and computes statistics based on the number returned from each.

Syntax

pathping [/n] [/h <maximumhops>] [/g <hostlist>] [/p <Period>] [/q <numqueries> [/w <timeout>] [/i <IPaddress>] [/4 <IPv4>] [/6 <IPv6>][<targetname>]

Parameters

Parameter Description
/n Prevents pathping from attempting to resolve the IP addresses of intermediate routers to their names. This might expedite the display of pathping results.
/h <maximumhops> Specifies the maximum number of hops in the path to search for the target (destination). The default is 30 hops.
/g <hostlist> Specifies that the echo Request messages use the Loose Source Route option in the IP header with the set of intermediate destinations specified in hostlist. With loose source routing, successive intermediate destinations can be separated by one or multiple routers. The maximum number of addresses or names in the host list is 9. The hostlist is a series of IP addresses (in dotted decimal notation) separated by spaces.
/p <period> Specifies the number of milliseconds to wait between consecutive pings. The default is 250 milliseconds (1/4 second). This parameter sends individual pings to each intermediate hop. Because of this, the interval between two pings sent to the same hop is period multiplied by the number of hops.
/q <numqueries> Specifies the number of echo Request messages sent to each router in the path. The default is 100 queries.
/w <timeout> Specifies the number of milliseconds to wait for each reply. The default is 3000 milliseconds (3 seconds). This parameter sends multiple pings in parallel. Because of this, the amount of time specified in the timeout parameter isn’t bounded by the amount of time specified in the period parameter for waiting between pings.
/i <IPaddress> Specifies the source address.
/4 <IPv4> Specifies that pathping uses IPv4 only.
/6 <IPv6> Specifies that pathping uses IPv6 only.
<targetname> Specifies the destination, which is identified either by IP address or host name.
/? Displays help at the command prompt.
Remarks
  • All parameters are case-sensitive.

  • To avoid network congestion and to minimize the effects of burst losses, pings should be sent at a sufficiently slow pace.

Example of the pathping command output

D:\>pathping /n contoso1
Tracing route to contoso1 [10.54.1.196]
over a maximum of 30 hops:
  0  172.16.87.35
  1  172.16.87.218
  2  192.168.52.1
  3  192.168.80.1
  4  10.54.247.14
  5  10.54.1.196
computing statistics for 125 seconds...
            Source to Here   This Node/Link
Hop  RTT    Lost/Sent = Pct  Lost/Sent = Pct  address
  0                                           172.16.87.35
                                0/ 100 =  0%   |
  1   41ms     0/ 100 =  0%     0/ 100 =  0%  172.16.87.218
                               13/ 100 = 13%   |
  2   22ms    16/ 100 = 16%     3/ 100 =  3%  192.168.52.1
                                0/ 100 =  0%   |
  3   24ms    13/ 100 = 13%     0/ 100 =  0%  192.168.80.1
                                0/ 100 =  0%   |
  4   21ms    14/ 100 = 14%     1/ 100 =  1%  10.54.247.14
                                0/ 100 =  0%   |
  5   24ms    13/ 100 = 13%     0/ 100 =  0%  10.54.1.196
Trace complete.

When pathping is run, the first results list the path. Next, a busy message is displayed for approximately 90 seconds (the time varies by hop count). During this time, information is gathered from all routers previously listed and from the links between them. At the end of this period, the test results are displayed.

In the above sample report, the This Node/Link, Lost/Sent = Pct and address columns show that the link between 172.16.87.218 and 192.168.52.1 is dropping 13% of the packets. The routers at hops 2 and 4 are also dropping packets addressed to them, but this loss doesn’t affect their ability to forward traffic that isn’t addressed to them.

The loss rates displayed for the links, identified as a vertical bar (** ) in the **address column, indicate link congestion that is causing the loss of packets that are being forwarded on the path. The loss rates displayed for routers (identified by their IP addresses) indicate that these routers might be overloaded.

Additional References


MIT License. Copyright (c) 2020-2021 Strontic.