PATHPING.EXE

  • File Path: C:\WINDOWS\system32\PATHPING.EXE
  • Description: TCP/IP PathPing Command

Hashes

Type Hash
MD5 E569A7BA5C8CF15DBB79B18563939ED1
SHA1 CFC5C1ED1D916F92CA0276BDB4C1E2C5138AEA19
SHA256 9BF3289456E40A0F8BC5C4B1920F764BB5A45C19BC92D2B4D348FD64EE367460
SHA384 CAB13EF2FA92703CADE531A55C21FC7F8A1290ECCC2B328E40BE7E7FF4F022AE247CF7CB6C53C86E1FEB8CECEB409603
SHA512 79B03E63AD213B257FE2B4191720FD63E2ED79B100FDF7A719F87D75F889FB9A569497D640F83BFE1D2EF0A356EBB037B9FEC1A474517900D685A20C7F18DE5B
SSDEEP 384:ihhn9RQsXowY4m7r68bd2JqLWb5ztmTL8SNgfWUAW:oYNHdkB94TL8J

Runtime Data

Usage (stdout):


Usage: pathping [-g host-list] [-h maximum_hops] [-i address] [-n] 
                [-p period] [-q num_queries] [-w timeout] 
                [-4] [-6] target_name

Options:
    -g host-list     Loose source route along host-list.
    -h maximum_hops  Maximum number of hops to search for target.
    -i address       Use the specified source address. 
    -n               Do not resolve addresses to hostnames.
    -p period        Wait period milliseconds between pings.
    -q num_queries   Number of queries per hop.
    -w timeout       Wait timeout milliseconds for each reply.
    -4               Force using IPv4.
    -6               Force using IPv6.

Child Processes:

conhost.exe

Signature

  • Status: Signature verified.
  • Serial: 330000023241FB59996DCC4DFF000000000232
  • Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: pathping.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.18362.1 (WinBuild.160101.0800)
  • Product Version: 10.0.18362.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of PATHPING.EXE being misused. While PATHPING.EXE is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source  Source File                                 Example            License
sigma   proc_creation_win_webshell_detection.yml    - '\pathping.exe'  DRL 1.0
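The Sigma rule cited above keys on pathping.exe being spawned by a web-server worker process, the process-tree shape a webshell leaves behind. The following is an added example for this page, not the rule itself and not part of Windows, that applies the same idea to Sysmon Event ID 1 (process creation) records exported as JSON and walks the parent chain, so an intermediate cmd.exe does not hide the web-server ancestor. The records, GUIDs, PIDs and the list of web-server images are constructed for the example.

```python
"""Flag pathping.exe launched, directly or through an intermediate shell,
by a web-server worker process.

Added example for this page; not a Sigma rule and not part of Windows.
Records below are constructed in the shape of Sysmon Event ID 1 exported
as JSON; GUIDs and PIDs are made up.
"""
import json
from typing import Dict, List, Optional

# Web-server workers that have no business launching network diagnostics.
# Assumption for this example, modelled on the parents webshell rules
# typically key on; extend it to the servers in your environment.
WEB_SERVER_IMAGES = {"w3wp.exe", "httpd.exe", "nginx.exe", "php-cgi.exe", "caddy.exe"}
TARGET_IMAGE = "pathping.exe"
MAX_DEPTH = 3   # pathping.exe <- cmd.exe <- w3wp.exe is two hops; allow one more


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def web_server_ancestor(event: dict, by_guid: Dict[str, dict],
                        max_depth: int = MAX_DEPTH) -> Optional[dict]:
    """Follow ParentProcessGuid links; return the first web-server ancestor
    within max_depth hops, or None if the chain ends or is benign."""
    current = event
    for _ in range(max_depth):
        parent = by_guid.get(current.get("ParentProcessGuid", ""))
        if parent is None:          # chain leaves the records we have
            return None
        if basename(parent["Image"]) in WEB_SERVER_IMAGES:
            return parent
        current = parent
    return None


def find_alerts(json_lines: List[str]) -> List[dict]:
    """One alert per pathping.exe process that has a web-server ancestor."""
    events = [json.loads(line) for line in json_lines]
    by_guid = {ev["ProcessGuid"]: ev for ev in events}
    alerts = []
    for ev in events:
        if basename(ev["Image"]) != TARGET_IMAGE:
            continue
        ancestor = web_server_ancestor(ev, by_guid)
        if ancestor is not None:
            alerts.append({
                "ProcessId": ev["ProcessId"],
                "CommandLine": ev["CommandLine"],
                "User": ev["User"],
                "AncestorImage": basename(ancestor["Image"]),
                "AncestorProcessId": ancestor["ProcessId"],
            })
    return alerts


# Constructed sample: an IIS worker spawning cmd.exe which runs pathping;
# the same worker running pathping directly; and an administrator running
# it from a console whose parent is outside the sample (chain ends, no alert).
SAMPLE_EVENTS = [
    r'{"ProcessGuid": "{W3WP}", "ParentProcessGuid": "{SVCHOST}", "ProcessId": 4120,'
    r' "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",'
    r' "CommandLine": "w3wp.exe -ap DefaultAppPool", "User": "IIS APPPOOL\\DefaultAppPool"}',
    r'{"ProcessGuid": "{CMD1}", "ParentProcessGuid": "{W3WP}", "ProcessId": 5008,'
    r' "Image": "C:\\Windows\\System32\\cmd.exe",'
    r' "CommandLine": "cmd.exe /c pathping -n 10.10.20.5", "User": "IIS APPPOOL\\DefaultAppPool"}',
    r'{"ProcessGuid": "{PP1}", "ParentProcessGuid": "{CMD1}", "ProcessId": 5112,'
    r' "Image": "C:\\Windows\\System32\\PATHPING.EXE",'
    r' "CommandLine": "pathping -n 10.10.20.5", "User": "IIS APPPOOL\\DefaultAppPool"}',
    r'{"ProcessGuid": "{PP2}", "ParentProcessGuid": "{W3WP}", "ProcessId": 5300,'
    r' "Image": "C:\\Windows\\System32\\PATHPING.EXE",'
    r' "CommandLine": "pathping -q 5 -w 500 dc01.corp.example", "User": "IIS APPPOOL\\DefaultAppPool"}',
    r'{"ProcessGuid": "{CMD2}", "ParentProcessGuid": "{EXPLORER}", "ProcessId": 6200,'
    r' "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe", "User": "CORP\\jdoe"}',
    r'{"ProcessGuid": "{PP3}", "ParentProcessGuid": "{CMD2}", "ProcessId": 6244,'
    r' "Image": "C:\\Windows\\System32\\PATHPING.EXE",'
    r' "CommandLine": "pathping -n fileserver01", "User": "CORP\\jdoe"}',
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert)
```

Matching on the parent chain rather than on the immediate parent only is the point: the first two sample events show the `w3wp.exe -> cmd.exe -> pathping.exe` shape that a direct-parent check would miss, while the administrator's console session produces no alert because its chain never reaches a web-server image.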

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


pathping

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Provides information about network latency and network loss at intermediate hops between a source and destination. This command sends multiple echo Request messages to each router between a source and destination, over a period of time, and then computes results based on the packets returned from each router. Because this command displays the degree of packet loss at any given router or link, you can determine which routers or subnets might be having network problems. Used without parameters, this command displays help.

Note: This command is available only if the Internet Protocol (TCP/IP) protocol is installed as a component in the properties of a network adapter in Network Connections.

Additionally, this command identifies which routers are on the path, as the tracert command does. However, this command also sends pings periodically to all of the routers over a specified time period and computes statistics based on the number returned from each.

Syntax

pathping [/n] [/h <maximumhops>] [/g <hostlist>] [/p <period>] [/q <numqueries>] [/w <timeout>] [/i <IPaddress>] [/4] [/6] [<targetname>]

Parameters

Parameter Description
/n Prevents pathping from attempting to resolve the IP addresses of intermediate routers to their names. This might expedite the display of pathping results.
/h <maximumhops> Specifies the maximum number of hops in the path to search for the target (destination). The default is 30 hops.
/g <hostlist> Specifies that the echo Request messages use the Loose Source Route option in the IP header with the set of intermediate destinations specified in hostlist. With loose source routing, successive intermediate destinations can be separated by one or multiple routers. The maximum number of addresses or names in the host list is 9. The hostlist is a series of IP addresses (in dotted decimal notation) separated by spaces.
/p <period> Specifies the number of milliseconds to wait between consecutive pings. The default is 250 milliseconds (1/4 second). This parameter sends individual pings to each intermediate hop. Because of this, the interval between two pings sent to the same hop is period multiplied by the number of hops.
/q <numqueries> Specifies the number of echo Request messages sent to each router in the path. The default is 100 queries.
/w <timeout> Specifies the number of milliseconds to wait for each reply. The default is 3000 milliseconds (3 seconds). This parameter sends multiple pings in parallel. Because of this, the amount of time specified in the timeout parameter isn’t bounded by the amount of time specified in the period parameter for waiting between pings.
/i <IPaddress> Specifies the source address.
/4 Specifies that pathping uses IPv4 only. Takes no argument.
/6 Specifies that pathping uses IPv6 only. Takes no argument.
<targetname> Specifies the destination, which is identified either by IP address or host name.
/? Displays help at the command prompt.
Remarks
  • All parameters are case-sensitive.

  • To avoid network congestion and to minimize the effects of burst losses, pings should be sent at a sufficiently slow pace.

Example of the pathping command output

D:\>pathping /n contoso1
Tracing route to contoso1 [10.54.1.196]
over a maximum of 30 hops:
  0  172.16.87.35
  1  172.16.87.218
  2  192.168.52.1
  3  192.168.80.1
  4  10.54.247.14
  5  10.54.1.196
computing statistics for 125 seconds...
            Source to Here   This Node/Link
Hop  RTT    Lost/Sent = Pct  Lost/Sent = Pct  address
  0                                           172.16.87.35
                                0/ 100 =  0%   |
  1   41ms     0/ 100 =  0%     0/ 100 =  0%  172.16.87.218
                               13/ 100 = 13%   |
  2   22ms    16/ 100 = 16%     3/ 100 =  3%  192.168.52.1
                                0/ 100 =  0%   |
  3   24ms    13/ 100 = 13%     0/ 100 =  0%  192.168.80.1
                                0/ 100 =  0%   |
  4   21ms    14/ 100 = 14%     1/ 100 =  1%  10.54.247.14
                                0/ 100 =  0%   |
  5   24ms    13/ 100 = 13%     0/ 100 =  0%  10.54.1.196
Trace complete.

When pathping is run, the first results list the path. Next, a busy message ("computing statistics for N seconds...") is displayed while pathping pings every hop in turn. Its length is the number of hops multiplied by the number of queries per hop and by the period between pings, so with the defaults (100 queries, 250 milliseconds) the five-hop sample above runs for 5 x 100 x 0.25 = 125 seconds. During this time, information is gathered from all routers previously listed and from the links between them. At the end of this period, the test results are displayed.

In the above sample report, the This Node/Link, Lost/Sent = Pct and address columns show that the link between 172.16.87.218 and 192.168.52.1 is dropping 13% of the packets. The routers at hops 2 and 4 are also dropping packets addressed to them, but this loss doesn’t affect their ability to forward traffic that isn’t addressed to them.

The loss rates displayed for the links, identified by a vertical bar (|) in the address column, indicate link congestion that is causing the loss of packets that are being forwarded on the path. The loss rates displayed for routers (identified by their IP addresses) indicate that these routers might be overloaded.
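As an added example for this page (not Microsoft code), the parser below reads the statistics table in the format shown above, using the sample report from this page as its input, and applies the two rules just described: loss on a "|" link row points at congestion on that link, loss in a router's own This Node/Link column points at an overloaded router that still forwards other traffic. It also computes how long the statistics phase runs from the hop count, query count and period, which is where the 125 seconds in the sample comes from. The loss thresholds are assumptions chosen for the example.

```python
"""Parse a pathping statistics table and rank hops and links by loss.

Added example for this page; not Microsoft code. SAMPLE_OUTPUT is the
sample report shown above; the loss thresholds below are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE_OUTPUT = """
Tracing route to contoso1 [10.54.1.196]
over a maximum of 30 hops:
  0  172.16.87.35
  1  172.16.87.218
  2  192.168.52.1
  3  192.168.80.1
  4  10.54.247.14
  5  10.54.1.196
computing statistics for 125 seconds...
            Source to Here   This Node/Link
Hop  RTT    Lost/Sent = Pct  Lost/Sent = Pct  address
  0                                           172.16.87.35
                                0/ 100 =  0%   |
  1   41ms     0/ 100 =  0%     0/ 100 =  0%  172.16.87.218
                               13/ 100 = 13%   |
  2   22ms    16/ 100 = 16%     3/ 100 =  3%  192.168.52.1
                                0/ 100 =  0%   |
  3   24ms    13/ 100 = 13%     0/ 100 =  0%  192.168.80.1
                                0/ 100 =  0%   |
  4   21ms    14/ 100 = 14%     1/ 100 =  1%  10.54.247.14
                                0/ 100 =  0%   |
  5   24ms    13/ 100 = 13%     0/ 100 =  0%  10.54.1.196
Trace complete.
"""

# Router row: hop, optional RTT ("---" when unanswered), optional
# Source-to-Here and This-Node counters, then the address.
HOP_RE = re.compile(
    r"^\s*(?P<hop>\d+)\s+(?:(?P<rtt>\d+)ms\s+|---\s+)?"
    r"(?:(?P<sl>\d+)/\s*(?P<ss>\d+)\s*=\s*\d+%\s+(?P<nl>\d+)/\s*(?P<ns>\d+)\s*=\s*\d+%\s+)?"
    r"(?P<addr>\S+)\s*$")
# Link row between two routers: one counter followed by a bare "|".
LINK_RE = re.compile(r"^\s*(?P<lost>\d+)/\s*(?P<sent>\d+)\s*=\s*\d+%\s+\|\s*$")


@dataclass
class Hop:
    number: int
    address: str
    rtt_ms: Optional[int]
    src_lost: Optional[int]
    src_sent: Optional[int]
    node_lost: Optional[int]   # probes addressed to this router that were lost
    node_sent: Optional[int]

    @property
    def node_pct(self) -> float:
        return 100.0 * self.node_lost / self.node_sent if self.node_sent else 0.0


@dataclass
class Link:
    src: str
    dst: str
    lost: int
    sent: int

    @property
    def pct(self) -> float:
        return 100.0 * self.lost / self.sent if self.sent else 0.0


def parse_pathping(text: str) -> Tuple[List[Hop], List[Link]]:
    """Return (hops, links). Only the table after the 'Hop  RTT' header is read,
    so the initial route listing, which carries no counters, is skipped."""
    opt = lambda m, name: int(m[name]) if m[name] else None
    hops, links, pending, in_table = [], [], None, False
    for line in text.splitlines():
        if not in_table:
            in_table = line.lstrip().startswith("Hop") and "RTT" in line
            continue
        m = LINK_RE.match(line)
        if m:                        # joins the previous hop to the next one
            pending = (int(m["lost"]), int(m["sent"]))
            continue
        m = HOP_RE.match(line)
        if not m:
            continue
        hop = Hop(int(m["hop"]), m["addr"], opt(m, "rtt"), opt(m, "sl"),
                  opt(m, "ss"), opt(m, "nl"), opt(m, "ns"))
        if pending is not None and hops:
            links.append(Link(hops[-1].address, hop.address, *pending))
        pending = None
        hops.append(hop)
    return hops, links


def congested_links(links: List[Link], min_pct: float = 5.0) -> List[Link]:
    """Links losing at least min_pct (assumed threshold), worst first."""
    return sorted((l for l in links if l.pct >= min_pct), key=lambda l: l.pct, reverse=True)


def overloaded_routers(hops: List[Hop], min_pct: float = 0.0) -> List[Hop]:
    """Routers dropping probes addressed to themselves (This Node column)."""
    return [h for h in hops if h.node_lost and h.node_pct > min_pct]


def statistics_duration_s(hop_count: int, num_queries: int = 100, period_ms: int = 250) -> float:
    """Length of the 'computing statistics' phase: num_queries probes per router,
    one router every period_ms, so period_ms x hop_count between probes to one hop."""
    return hop_count * num_queries * period_ms / 1000


if __name__ == "__main__":
    hops, links = parse_pathping(SAMPLE_OUTPUT)
    for link in congested_links(links):
        print(f"link {link.src} -> {link.dst}: {link.pct:.0f}% loss (congestion)")
    for hop in overloaded_routers(hops):
        print(f"hop {hop.number} {hop.address}: {hop.node_pct:.0f}% loss to itself")
    print(f"statistics phase: {statistics_duration_s(len(hops) - 1):.0f} s")
```

Run against the sample, the only congested link is 172.16.87.218 to 192.168.52.1 at 13%, and the routers at hops 2 and 4 are the ones dropping probes addressed to themselves, matching the reading of the report given above.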


MIT License. Copyright (c) 2020-2021 Strontic.