WSReset.exe

  • File Path: C:\Windows\system32\WSReset.exe
  • Description: This tool resets the Windows Store without changing account settings or deleting installed apps

Hashes

Type Hash
MD5 374AB8022CA5EE56684BC28626F36F73
SHA1 DCEE9A0D93C86B79E93D13421C24CF1D71C3EA26
SHA256 BF90ECD7CEA6870A9EF6E8CC818C993F0904CC89CB5CE8E8843972B26F05B29E
SHA384 4604365CB7AA28B1C0E5368D4A4BF09E8529C7DF4BC6BA9F0E4E589D9A98EA80D8D87BEF98E513E4113ADF2E28252A53
SHA512 9A0313C63635467A3EFB997FF3EA07576CC3FC245165099F5DC7A1CC9DD8A5890B3BA8E6C1F95DA1C69DBE3A13975BF820890BF5CB93343F5C467E2C7D5F7AEC
SSDEEP 768:8YcyPDMz6IlkiK7sOq5+TGRNsn4FOBkStBWg:pjOlisOq5z6g0Yg

Signature

  • Status: Signature verified.
  • Serial: 33000000BCE120FDD27CC8EE930000000000BC
  • Thumbprint: E85459B23C232DB3CB94C7A56D47678F58E8E51E
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: WSReset.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.14393.0 (rs1_release.160715-1616)
  • Product Version: 10.0.14393.0
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\WINDOWS\system32\WSCollect.exe 40
C:\Windows\system32\WSCollect.exe 43
C:\Windows\system32\WSCollect.exe 44
C:\Windows\system32\WSCollect.exe 41
C:\Windows\system32\WSCollect.exe 44
C:\WINDOWS\system32\WSCollect.exe 41
C:\Windows\system32\WSReset.exe 44
C:\Windows\system32\WSReset.exe 44
C:\WINDOWS\system32\WSReset.exe 47
C:\Windows\system32\WSReset.exe 38
C:\WINDOWS\system32\WSReset.exe 43

Possible Misuse

The following table contains possible examples of WSReset.exe being misused. While WSReset.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_uac_bypass_wsreset.yml title: UAC Bypass WSReset DRL 1.0
sigma proc_creation_win_uac_bypass_wsreset.yml description: Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config DRL 1.0
sigma proc_creation_win_uac_bypass_wsreset.yml - https://lolbas-project.github.io/lolbas/Binaries/Wsreset/ DRL 1.0
sigma proc_creation_win_uac_bypass_wsreset.yml Image\|endswith: '\wsreset.exe' DRL 1.0
sigma proc_creation_win_uac_wsreset.yml title: Bypass UAC via WSReset.exe DRL 1.0
sigma proc_creation_win_uac_wsreset.yml description: Identifies use of WSReset.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes. DRL 1.0
sigma proc_creation_win_uac_wsreset.yml ParentImage\|endswith: '\wsreset.exe' DRL 1.0
sigma proc_creation_win_wsreset_uac_bypass.yml title: Wsreset UAC Bypass DRL 1.0
sigma proc_creation_win_wsreset_uac_bypass.yml description: Detects a method that uses Wsreset.exe tool that can be used to reset the Windows Store to bypass UAC DRL 1.0
sigma proc_creation_win_wsreset_uac_bypass.yml - https://lolbas-project.github.io/lolbas/Binaries/Wsreset/ DRL 1.0
sigma proc_creation_win_wsreset_uac_bypass.yml - '\WSreset.exe' DRL 1.0
sigma proc_creation_win_wsreset_uac_bypass.yml - Unknown sub processes of Wsreset.exe DRL 1.0
sigma registry_event_bypass_via_wsreset.yml title: UAC Bypass Via Wsreset DRL 1.0
sigma registry_event_bypass_via_wsreset.yml description: Unfixed method for UAC bypass from windows 10. WSReset.exe file associated with the Windows Store. It will run a binary file contained in a low-privilege registry. DRL 1.0
sigma registry_event_bypass_via_wsreset.yml - https://lolbas-project.github.io/lolbas/Binaries/Wsreset DRL 1.0
LOLBAS Wsreset.yml Name: Wsreset.exe  
LOLBAS Wsreset.yml - Command: wsreset.exe  
LOLBAS Wsreset.yml Description: During startup, wsreset.exe checks the registry value HKCU\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command for the command to run. Binary will be executed as a high-integrity process without a UAC prompt being displayed to the user.  
LOLBAS Wsreset.yml - Path: C:\Windows\System32\wsreset.exe  
LOLBAS Wsreset.yml - IOC: wsreset.exe launching child process other than mmc.exe  
atomic-red-team T1548.002.md Target: \system32\WSReset.exe MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.