• File Path: C:\WINDOWS\system32\PktMon.exe
  • Description: Packet Monitor


Type Hash
MD5 2B65BC360DD7C4C290231DEE93A0CE75
SHA1 8A758206BE69385E418E3633970556EE16B167F9
SHA256 395364BAE8EB95FE58397F4B408A1D8BC3205529A375B979409DD9FD0E26A00C
SHA384 91158EE37D5976E479E96A0195869FA26B417934A83319D45D826B1A8730825DCAFE14B96F4EAF2FE46D9707EDAA2F94
SHA512 D2760181E94847A47A4ECAEDE288D12C82BD25EB05FE57881FF1DDDDBDECD106D21DEBC9A8E9399A36D8A3944E8D57BB11FA8CD082FAAA531AF2300AAD46C5D3
SSDEEP 3072:uJEmhfWDN/2qhND+jvMEXAxzkFD2D/o2Kwa5wGz+R4dx:5md4R2qhND+jEvxzkFaZs+Rw

Runtime Data

Usage (stdout):

pktmon { filter | comp | reset | start | stop } [OPTIONS | help]
    Monitor internal packet propagation and packet drop reports.

    filter     Manage packet filters.
    comp       Manage registered components.

    reset      Reset counters to zero.
    start      Start packet monitoring.
    stop       Stop monitoring.
    format     Convert log file to text.
    unload     Unload PktMon driver.

    Show help text for a command.

Usage (stderr):

Unknown command '-help'. See pktmon  help.


  • Status: Signature verified.
  • Serial: 330000023241FB59996DCC4DFF000000000232
  • Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: PktMon.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.18362.1 (WinBuild.160101.0800)
  • Product Version: 10.0.18362.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of PktMon.exe being misused. While PktMon.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_pcap_drivers.yml - '*pktmon*' DRL 1.0
LOLBAS Pktmon.yml Name: Pktmon.exe  
LOLBAS Pktmon.yml - Command: pktmon.exe start --etw  
LOLBAS Pktmon.yml Description: Will start a packet capture and store log file as PktMon.etl. Use pktmon.exe stop  
LOLBAS Pktmon.yml - Command: pktmon.exe filter add -p 445  
LOLBAS Pktmon.yml - Path: c:\windows\system32\pktmon.exe  
LOLBAS Pktmon.yml - Path: c:\windows\syswow64\pktmon.exe  

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


Applies to: Windows Server (Semi-Annual Channel), Windows Server 2019, Windows 10, Azure Stack HCI, Azure Stack Hub, Azure

Packet Monitor (Pktmon) is an in-box, cross-component network diagnostics tool for Windows. It can be used for packet capture, drop detection, filtering, and counting. Pktmon is especially helpful in virtualization scenarios such as container networking and SDN, because it provides visibility within the networking stack.


pktmon { filter | comp | reset | counters | format | list | start | stop | pcapng | unload | help } [options]


Command Description
pktmon filter Manage packet filters.
pktmon comp Manage registered components.
pktmon reset Reset counters to zero.
pktmon counters Query packet counters.
pktmon format Convert log file to text.
pktmon list List all active components.
pktmon start Start packet monitoring.
pktmon stop Stop packet monitoring.
pktmon pcapng Convert log file to pcapng format.
pktmon unload Unload pktmon driver.
pktmon help Displays a short summary of subcommands.

Additional References

MIT License. Copyright (c) 2020-2021 Strontic.