PsInfo64.exe

  • File Path: C:\SysinternalsSuite\PsInfo64.exe
  • Description: Local and remote system information viewer

Hashes

Type Hash
MD5 EFA2F8F73B3559711149DFDEB8BC288E
SHA1 453C70E4B12ECABE860866165AD39DE6361215FD
SHA256 EF5CF80C8448BF0907C634A3251CC348B1D36BB5AD8F31F23B11D12AA7F63BCB
SHA384 65C8A849396B76DE937CC1CE05AE8003C76F618B81F69B3FFABE1F318FEC01CDC4C43626598415F6F68F2E35F78C3D82
SHA512 63F75A3D639A912E2E3966E9D410F8E1C52B75300518BB5083853EF2633C7E109C037EA2B66CED57BD5B319866A14BCD92254CB38AB9EC7B99465B0A8A8F5F3E
SSDEEP 6144:0aNJZh5a45XRueuTI52O17cNq7tncFSsTTB8YS6SBjyxgg4Lf4fC:0aFi45z2ancFn/0jlJ
IMP 807DBAB54231983BC1DD8E3031EBDF02
PESHA1 692C54C6D34C123831D6AF01E7F6D439B9E2F1FA
PE256 156397FDFCA0ECF355BB435079AA1889965FE942273C5CEC7322760D328BED97

Runtime Data

Usage (stdout):


PsInfo v1.78 - Local and remote system information viewer
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

PsInfo returns information about a local or remote Windows NT/2000/XP system.

Usage: psinfo [-h] [-s] [-d] [-c [-t delimiter]] [filter] [\\computer[,computer[,..]]|@file [-u Username [-p Password]]]
     -u        Specifies optional user name for login to
               remote computer.
     -p        Specifies password for user name.
     -h        Show installed hotfixes.
     -s        Show installed software.
     -d        Show disk volume information.
     -c        Print in CSV format
     -t        The default delimiter for the -c option is a comma,
               but can be overriden with the specified character. Use
               "\t" to specify tab.
     filter    Psinfo will only show data for the field matching the filter.
               e.g. "psinfo service" lists only the service pack field.
     computer  Direct PsInfo to perform the command on the remote
               computer or computers specified. If you omit the computer
               name PsInfo runs the command on the local system, 
               and if you specify a wildcard (\\*), PsInfo runs the
               command on all computers in the current domain.
     @file     PsInfo will run against the computers listed in the file
               specified.
     -nobanner Do not display the startup banner and copyright message.


Child Processes:

conhost.exe

Open Handles:

Path Type
(RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.19041.488_none_4238de57f6b64d28 File
(RW-) C:\xCyclopedia File
\BaseNamedObjects\__ComCatalogCache__ Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section

Loaded Modules:

Path
C:\SysinternalsSuite\PsInfo64.exe
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\SYSTEM32\ntdll.dll

Signature

  • Status: Signature verified.
  • Serial: 330000010A2C79AED7797BA6AC00010000010A
  • Thumbprint: 3BDA323E552DB1FDE5F4FBEE75D6D5B2B187EEDC
  • Issuer: CN=Microsoft Code Signing PCA, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Corporation, OU=MOPR, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: Psinfo.exe
  • Product Name: Sysinternals PsInfo
  • Company Name: Sysinternals - www.sysinternals.com
  • File Version: 1.78
  • Product Version: 1.78
  • Language: English (United States)
  • Legal Copyright: Copyright (C) 2001-2016 Mark Russinovich
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/68
  • VirusTotal Link: https://www.virustotal.com/gui/file/ef5cf80c8448bf0907c634a3251cc348b1d36bb5ad8f31f23b11d12aa7f63bcb/detection/

Possible Misuse

The following table contains possible examples of PsInfo64.exe being misused. While PsInfo64.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
|---|---|---|---|
| sigma | proc_creation_win_false_sysinternalsuite.yml | - '\psInfo64.exe' | DRL 1.0 |

MIT License. Copyright (c) 2020-2021 Strontic.