TRACERT.EXE
- File Path:
C:\Windows\system32\TRACERT.EXE - Description: TCP/IP Traceroute Command
Hashes
| Type | Hash |
|---|---|
| MD5 | FE01242CC5414473B0BF3A09D4216D3D |
| SHA1 | 6D8D0CE1EB068D30D88376DA5D5E1B133F5D8390 |
| SHA256 | A7A0CB3A7867D8CE594DAEBFC7571EB5CD59BE321D4D45296BE378EFE66109A2 |
| SHA384 | A858F6A9E9B1428FEF4642673BADB6A86474AED39CA75CA47486BC226F0EBD61296E42094269FA71D8EA2F208B9BEC3B |
| SHA512 | 70C253534FD51F0281CE9A58C6EA90B7FF5ADA6A0A22DCF95488E397B9F9C335EF632ECF037A5805C1BEADE529975CDD74D23EEADDF956D70494C451DF9175B9 |
| SSDEEP | 384:NYdbSRXUC+tQnnmoTRw3lYs9Q7aQMlmZL1ysWWlaW:NXj+mnu3Y6QZL1f |
| IMP | 7A80F2FE2DD40125FA241B4F53DF08D1 |
| PESHA1 | 750E5247B4033A42277CB1D874BC1988CDBC7B54 |
| PE256 | DF347FB5CF06659358F00A845B6D76C82B991ED029E36950992246D6D86B5B94 |
Runtime Data
Usage (stdout):
--help is not a valid command option.
Usage: tracert [-d] [-h maximum_hops] [-j host-list] [-w timeout]
[-R] [-S srcaddr] [-4] [-6] target_name
Options:
-d Do not resolve addresses to hostnames.
-h maximum_hops Maximum number of hops to search for target.
-j host-list Loose source route along host-list (IPv4-only).
-w timeout Wait timeout milliseconds for each reply.
-R Trace round-trip path (IPv6-only).
-S srcaddr Source address to use (IPv6-only).
-4 Force using IPv4.
-6 Force using IPv6.
Child Processes:
conhost.exe
Open Handles:
| Path | Type |
|---|---|
| (RW-) C:\Users\user | File |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000004.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000004.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro | Section |
| \BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 | Section |
| \BaseNamedObjects\NLS_CodePage_437_3_2_0_0 | Section |
Loaded Modules:
| Path |
|---|
| C:\Windows\SYSTEM32\DNSAPI.dll |
| C:\Windows\system32\IPHLPAPI.DLL |
| C:\Windows\System32\KERNEL32.DLL |
| C:\Windows\System32\KERNELBASE.dll |
| C:\Windows\System32\msvcrt.dll |
| C:\Windows\system32\mswsock.dll |
| C:\Windows\System32\NSI.dll |
| C:\Windows\SYSTEM32\ntdll.dll |
| C:\Windows\System32\rasadhlp.dll |
| C:\Windows\System32\RPCRT4.dll |
| C:\Windows\system32\TRACERT.EXE |
| C:\Windows\System32\WS2_32.dll |
Signature
- Status: Signature verified.
- Serial:
33000001C422B2F79B793DACB20000000001C4 - Thumbprint:
AE9C1AE54763822EEC42474983D8B635116C8452 - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: tracert.exe.mui
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.17763.1 (WinBuild.160101.0800)
- Product Version: 10.0.17763.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 64-bit
File Scan
- VirusTotal Detections: 0/70
- VirusTotal Link: https://www.virustotal.com/gui/file/a7a0cb3a7867d8ce594daebfc7571eb5cd59be321d4d45296be378efe66109a2/detection/
Possible Misuse
The following table contains possible examples of TRACERT.EXE being misused. While TRACERT.EXE is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | proc_creation_win_multiple_suspicious_cli.yml | - tracert.exe |
DRL 1.0 |
| sigma | proc_creation_win_webshell_detection.yml | - '\tracert.exe' |
DRL 1.0 |
Additional Info*
*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.
tracert
Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
This diagnostic tool determines the path taken to a destination by sending Internet Control Message Protocol (ICMP) echo Request or ICMPv6 messages to the destination with incrementally increasing time to live (TTL) field values. Each router along the path is required to decrement the TTL in an IP packet by at least 1 before forwarding it. Effectively, the TTL is a maximum link counter. When the TTL on a packet reaches 0, the router is expected to return an ICMP time Exceeded message to the source computer.
This command determines the path by sending the first echo Request message with a TTL of 1 and incrementing the TTL by 1 on each subsequent transmission until the target responds or the maximum number of hops is reached. The maximum number of hops is 30 by default and can be specified using the /h parameter.
The path is determined by examining the ICMP time Exceeded messages returned by intermediate routers and the echo Reply message returned by the destination. However, some routers do not return time Exceeded messages for packets with expired TTL values and are invisible to the tracert command. In this case, a row of asterisks (*) is displayed for that hop. The path displayed is the list of near/side router interfaces of the routers in the path between a source host and a destination. The near/side interface is the interface of the router that is closest to the sending host in the path.
[!IMPORTANT] This command is available only if the Internet Protocol (TCP/IP) protocol is installed as a component in the properties of a network adapter in Network Connections.
To trace a path and provide network latency and packet loss for each router and link in the path, use the pathping command command.
Syntax
tracert [/d] [/h <maximumhops>] [/j <hostlist>] [/w <timeout>] [/R] [/S <srcaddr>] [/4][/6] <targetname>
Parameters
| Parameter | Description |
|---|---|
| /d | Stops attempts to resolve the IP addresses of intermediate routers to their names. This can speed up the return of results. |
/h <maximumhops> |
Specifies the maximum number of hops in the path to search for the target (destination). The default is 30 hops. |
/j <hostlist> |
Specifies that echo Request messages use the Loose Source Route option in the IP header with the set of intermediate destinations specified in <hostlist>. With loose source routing, successive intermediate destinations can be separated by one or multiple routers. The maximum number of addresses or names in the list is 9. The <hostlist> is a series of IP addresses (in dotted decimal notation) separated by spaces. Use this parameter only when tracing IPv4 addresses. |
/w <timeout> |
Specifies the amount of time in milliseconds to wait for the ICMP time Exceeded or echo Reply message corresponding to a given echo Request message to be received. If not received within the time-out, an asterisk (*) is displayed. The default time-out is 4000 (4 seconds). |
| /R | Specifies that the IPv6 Routing extension header be used to send an echo Request message to the local host, using the destination as an intermediate destination and testing the reverse route. |
/S <srcaddr> |
Specifies the source address to use in the echo Request messages. Use this parameter only when tracing IPv6 addresses. |
| /4 | Specifies that tracert.exe can use only IPv4 for this trace. |
| /6 | Specifies that tracert.exe can use only IPv6 for this trace. |
<targetname> |
Specifies the destination, identified either by IP address or host name. |
| /? | Displays help at the command prompt. |
Examples
To trace the path to the host named corp7.microsoft.com, type:
tracert corp7.microsoft.com
To trace the path to the host named corp7.microsoft.com and prevent the resolution of each IP address to its name, type:
tracert /d corp7.microsoft.com
To trace the path to the host named corp7.microsoft.com and use the loose source route 10.12.0.1/10.29.3.1/10.1.44.1, type:
tracert /j 10.12.0.1 10.29.3.1 10.1.44.1 corp7.microsoft.com
Additional References
MIT License. Copyright (c) 2020-2021 Strontic.