PktMon.exe

  • File Path: C:\WINDOWS\system32\PktMon.exe
  • Description: Packet Monitor

Hashes

Type Hash
MD5 2B65BC360DD7C4C290231DEE93A0CE75
SHA1 8A758206BE69385E418E3633970556EE16B167F9
SHA256 395364BAE8EB95FE58397F4B408A1D8BC3205529A375B979409DD9FD0E26A00C
SHA384 91158EE37D5976E479E96A0195869FA26B417934A83319D45D826B1A8730825DCAFE14B96F4EAF2FE46D9707EDAA2F94
SHA512 D2760181E94847A47A4ECAEDE288D12C82BD25EB05FE57881FF1DDDDBDECD106D21DEBC9A8E9399A36D8A3944E8D57BB11FA8CD082FAAA531AF2300AAD46C5D3
SSDEEP 3072:uJEmhfWDN/2qhND+jvMEXAxzkFD2D/o2Kwa5wGz+R4dx:5md4R2qhND+jEvxzkFaZs+Rw

Runtime Data

Usage (stdout):

pktmon { filter | comp | reset | start | stop } [OPTIONS | help]
    Monitor internal packet propagation and packet drop reports.

Commands
    filter     Manage packet filters.
    comp       Manage registered components.

    reset      Reset counters to zero.
    start      Start packet monitoring.
    stop       Stop monitoring.
    format     Convert log file to text.
    unload     Unload PktMon driver.

help
    Show help text for a command.


Usage (stderr):

Unknown command '-help'. See pktmon  help.

Signature

  • Status: Signature verified.
  • Serial: 330000023241FB59996DCC4DFF000000000232
  • Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: PktMon.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.18362.1 (WinBuild.160101.0800)
  • Product Version: 10.0.18362.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of PktMon.exe being misused. While PktMon.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source   Source File           Example                                                                                          License
sigma    win_pcap_drivers.yml  - 'pktmon'                                                                                       DRL 1.0
LOLBAS   Pktmon.yml            Name: Pktmon.exe
LOLBAS   Pktmon.yml            - Command: pktmon.exe start --etw
LOLBAS   Pktmon.yml            Description: Will start a packet capture and store log file as PktMon.etl. Use pktmon.exe stop
LOLBAS   Pktmon.yml            - Command: pktmon.exe filter add -p 445
LOLBAS   Pktmon.yml            - Path: c:\windows\system32\pktmon.exe
LOLBAS   Pktmon.yml            - Path: c:\windows\syswow64\pktmon.exe

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


pktmon

Applies to: Windows Server 2022, Windows Server 2019, Windows 10, Azure Stack HCI, Azure Stack Hub, Azure

Packet Monitor (Pktmon) is an in-box, cross-component network diagnostics tool for Windows. It can be used for advanced packet capture and event collection, drop detection, filtering, and counting. Pktmon is especially helpful in virtualization scenarios such as container networking and SDN, because it provides visibility within the networking stack.

Syntax

pktmon { filter | list | start | stop | status | unload | counters | reset | etl2txt | etl2pcap | hex2pkt | help } [options]

Commands

Command           Description
pktmon filter     Manage packet filters.
pktmon list       List packet processing components.
pktmon start      Start packet capture and event collection.
pktmon stop       Stop data collection.
pktmon status     Query current status.
pktmon unload     Unload PktMon driver.
pktmon counters   Display current packet counters.
pktmon reset      Reset packet counters to zero.
pktmon etl2txt    Convert log file to text format.
pktmon etl2pcap   Convert log file to pcapng format.
pktmon hex2pkt    Decode packet in hexadecimal format.
pktmon help       Show help text for specific command.

Additional References


MIT License. Copyright (c) 2020-2021 Strontic.