TRACERT.EXE

  • File Path: C:\Windows\system32\TRACERT.EXE
  • Description: TCP/IP Traceroute Command

Hashes

  • MD5: FE01242CC5414473B0BF3A09D4216D3D
  • SHA1: 6D8D0CE1EB068D30D88376DA5D5E1B133F5D8390
  • SHA256: A7A0CB3A7867D8CE594DAEBFC7571EB5CD59BE321D4D45296BE378EFE66109A2
  • SHA384: A858F6A9E9B1428FEF4642673BADB6A86474AED39CA75CA47486BC226F0EBD61296E42094269FA71D8EA2F208B9BEC3B
  • SHA512: 70C253534FD51F0281CE9A58C6EA90B7FF5ADA6A0A22DCF95488E397B9F9C335EF632ECF037A5805C1BEADE529975CDD74D23EEADDF956D70494C451DF9175B9
  • SSDEEP: 384:NYdbSRXUC+tQnnmoTRw3lYs9Q7aQMlmZL1ysWWlaW:NXj+mnu3Y6QZL1f
  • IMP: 7A80F2FE2DD40125FA241B4F53DF08D1
  • PESHA1: 750E5247B4033A42277CB1D874BC1988CDBC7B54
  • PE256: DF347FB5CF06659358F00A845B6D76C82B991ED029E36950992246D6D86B5B94

Runtime Data

Usage (stdout):

--help is not a valid command option.

Usage: tracert [-d] [-h maximum_hops] [-j host-list] [-w timeout] 
               [-R] [-S srcaddr] [-4] [-6] target_name

Options:
    -d                 Do not resolve addresses to hostnames.
    -h maximum_hops    Maximum number of hops to search for target.
    -j host-list       Loose source route along host-list (IPv4-only).
    -w timeout         Wait timeout milliseconds for each reply.
    -R                 Trace round-trip path (IPv6-only).
    -S srcaddr         Source address to use (IPv6-only).
    -4                 Force using IPv4.
    -6                 Force using IPv6.

Child Processes:

conhost.exe

Open Handles:

Path Type
(RW-) C:\Users\user File
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000004.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000004.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section

Loaded Modules:

Path
C:\Windows\SYSTEM32\DNSAPI.dll
C:\Windows\system32\IPHLPAPI.DLL
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\system32\mswsock.dll
C:\Windows\System32\NSI.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\rasadhlp.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\system32\TRACERT.EXE
C:\Windows\System32\WS2_32.dll

Signature

  • Status: Signature verified.
  • Serial: 33000001C422B2F79B793DACB20000000001C4
  • Thumbprint: AE9C1AE54763822EEC42474983D8B635116C8452
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: tracert.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/70
  • VirusTotal Link: https://www.virustotal.com/gui/file/a7a0cb3a7867d8ce594daebfc7571eb5cd59be321d4d45296be378efe66109a2/detection/

Possible Misuse

The following table contains possible examples of TRACERT.EXE being misused. While TRACERT.EXE is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

  • Source: sigma; Source File: proc_creation_win_multiple_suspicious_cli.yml; Example: tracert.exe; License: DRL 1.0
  • Source: sigma; Source File: proc_creation_win_webshell_detection.yml; Example: '\tracert.exe'; License: DRL 1.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


tracert

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

This diagnostic tool determines the path taken to a destination by sending Internet Control Message Protocol (ICMP) echo Request or ICMPv6 messages to the destination with incrementally increasing time to live (TTL) field values. Each router along the path is required to decrement the TTL in an IP packet by at least 1 before forwarding it. Effectively, the TTL is a maximum link counter. When the TTL on a packet reaches 0, the router is expected to return an ICMP time Exceeded message to the source computer.

This command determines the path by sending the first echo Request message with a TTL of 1 and incrementing the TTL by 1 on each subsequent transmission until the target responds or the maximum number of hops is reached. The maximum number of hops is 30 by default and can be specified using the /h parameter.

The path is determined by examining the ICMP time Exceeded messages returned by intermediate routers and the echo Reply message returned by the destination. However, some routers do not return time Exceeded messages for packets with expired TTL values and are therefore invisible to the tracert command. In this case, a row of asterisks (*) is displayed for that hop. The path displayed is the list of near-side router interfaces of the routers in the path between a source host and a destination. The near-side interface is the interface of the router that is closest to the sending host in the path.

Important: This command is available only if the Internet Protocol (TCP/IP) protocol is installed as a component in the properties of a network adapter in Network Connections.

To trace a path and also report network latency and packet loss for each router and link in the path, use the pathping command.

Syntax

tracert [/d] [/h <maximumhops>] [/j <hostlist>] [/w <timeout>] [/R] [/S <srcaddr>] [/4] [/6] <targetname>

Parameters

  • /d: Stops attempts to resolve the IP addresses of intermediate routers to their names. This can speed up the return of results.
  • /h <maximumhops>: Specifies the maximum number of hops in the path to search for the target (destination). The default is 30 hops.
  • /j <hostlist>: Specifies that echo Request messages use the Loose Source Route option in the IP header with the set of intermediate destinations specified in <hostlist>. With loose source routing, successive intermediate destinations can be separated by one or multiple routers. The maximum number of addresses or names in the list is 9. The <hostlist> is a series of IP addresses (in dotted decimal notation) separated by spaces. Use this parameter only when tracing IPv4 addresses.
  • /w <timeout>: Specifies the amount of time in milliseconds to wait for the ICMP time Exceeded or echo Reply message corresponding to a given echo Request message to be received. If not received within the time-out, an asterisk (*) is displayed. The default time-out is 4000 (4 seconds).
  • /R: Specifies that the IPv6 Routing extension header be used to send an echo Request message to the local host, using the destination as an intermediate destination and testing the reverse route.
  • /S <srcaddr>: Specifies the source address to use in the echo Request messages. Use this parameter only when tracing IPv6 addresses.
  • /4: Specifies that tracert.exe can use only IPv4 for this trace.
  • /6: Specifies that tracert.exe can use only IPv6 for this trace.
  • <targetname>: Specifies the destination, identified either by IP address or host name.
  • /?: Displays help at the command prompt.

Examples

To trace the path to the host named corp7.microsoft.com, type:

tracert corp7.microsoft.com

To trace the path to the host named corp7.microsoft.com and prevent the resolution of each IP address to its name, type:

tracert /d corp7.microsoft.com

To trace the path to the host named corp7.microsoft.com and use the loose source route 10.12.0.1/10.29.3.1/10.1.44.1, type:

tracert /j 10.12.0.1 10.29.3.1 10.1.44.1 corp7.microsoft.com

MIT License. Copyright (c) 2020-2021 Strontic.