WSReset.exe

File Path: C:\Windows\system32\WSReset.exe
Description: This tool resets the Windows Store without changing account settings or deleting installed apps

Hashes

Type	Hash
MD5	`5E3561D98BD5FB1D20098FAA0384FAA8`
SHA1	`C07CCAA16C161776C35E3D056AFCC2A6B0816616`
SHA256	`2F59CFE63442B61F8AAEF0E1471D40DBC8AE91D4697BDE7699E9D0F3F1AECE1A`
SHA384	`C76796CBCF21BD5D521824B3D0EE94740B0056A6CE67CA6D48944F34D9E57001C24D1760E47C5681F7C7D8D9DC493365`
SHA512	`D8CDE2587B92DFA15DEF287BB0043D142A9329AAE8670963F179E6118D3BB1E758CBB9FDCD8F43065EDAF15EDBD9E25C2068D854DF5E5CA5C4C6BC883FD4904E`
SSDEEP	`768:lqaVflIeB+juij5G2IZB/0w41Nsn4FOBkStBWl:zrHEjuS5G2OiGg0Yl`
IMP	`AB03184F9306BF7E8482C6F987BA1832`
PESHA1	`C37AA6C7605DB8E918364E6FA5D1151464FC50AC`
PE256	`7BE5E0C0526780EC0D1044DD325585940466917B9E1C25FDE2F0822F562886F2`

Runtime Data

Child Processes:

conhost.exe

Open Handles:

Path	Type
(RW-) C:\Users\user	File
\BaseNamedObjects\C:ProgramDataMicrosoftWindowsCaches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db	Section
\BaseNamedObjects\C:ProgramDataMicrosoftWindowsCaches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db	Section
\BaseNamedObjects\C:ProgramDataMicrosoftWindowsCaches*cversions.2	Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0	Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0	Section
\Sessions\1\BaseNamedObjects\windows_shell_global_counters	Section

Loaded Modules:

Path
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\system32\WSReset.exe

Signature

Status: Signature verified.
Serial: 33000002EC6579AD1E670890130000000002EC
Thumbprint: F7C2F2C96A328C13CDA8CDB57B715BDEA2CBD1D9
Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

Original Filename: WSReset.exe
Product Name: Microsoft Windows Operating System
Company Name: Microsoft Corporation
File Version: 10.0.19041.746 (WinBuild.160101.0800)
Product Version: 10.0.19041.746
Language: English (United States)
Legal Copyright: Microsoft Corporation. All rights reserved.
Machine Type: 64-bit

File Scan

VirusTotal Detections: 0/72
VirusTotal Link: https://www.virustotal.com/gui/file/2f59cfe63442b61f8aaef0e1471d40dbc8ae91d4697bde7699e9d0f3f1aece1a/detection

File Similarity (ssdeep match)

File	Score
C:\WINDOWS\system32\WSCollect.exe	38
C:\Windows\system32\WSCollect.exe	44
C:\Windows\system32\WSCollect.exe	43
C:\Windows\system32\WSCollect.exe	46
C:\Windows\system32\WSCollect.exe	43
C:\WINDOWS\system32\WSCollect.exe	44
C:\Windows\system32\WSReset.exe	46
C:\Windows\system32\WSReset.exe	44
C:\WINDOWS\system32\WSReset.exe	43
C:\Windows\system32\WSReset.exe	47
C:\WINDOWS\system32\WSReset.exe	50

Possible Misuse

The following table contains possible examples of WSReset.exe being misused. While WSReset.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source	Source File	Example	License
sigma	proc_creation_win_uac_bypass_wsreset.yml	`title: UAC Bypass WSReset`	DRL 1.0
sigma	proc_creation_win_uac_bypass_wsreset.yml	`description: Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config`	DRL 1.0
sigma	proc_creation_win_uac_bypass_wsreset.yml	`- https://lolbas-project.github.io/lolbas/Binaries/Wsreset/`	DRL 1.0
sigma	proc_creation_win_uac_bypass_wsreset.yml	`Image\\|endswith: '\wsreset.exe'`	DRL 1.0
sigma	proc_creation_win_uac_wsreset.yml	`title: Bypass UAC via WSReset.exe`	DRL 1.0
sigma	proc_creation_win_uac_wsreset.yml	`description: Identifies use of WSReset.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.`	DRL 1.0
sigma	proc_creation_win_uac_wsreset.yml	`ParentImage\\|endswith: '\wsreset.exe'`	DRL 1.0
sigma	proc_creation_win_wsreset_uac_bypass.yml	`title: Wsreset UAC Bypass`	DRL 1.0
sigma	proc_creation_win_wsreset_uac_bypass.yml	`description: Detects a method that uses Wsreset.exe tool that can be used to reset the Windows Store to bypass UAC`	DRL 1.0
sigma	proc_creation_win_wsreset_uac_bypass.yml	`- https://lolbas-project.github.io/lolbas/Binaries/Wsreset/`	DRL 1.0
sigma	proc_creation_win_wsreset_uac_bypass.yml	`- '\WSreset.exe'`	DRL 1.0
sigma	proc_creation_win_wsreset_uac_bypass.yml	`- Unknown sub processes of Wsreset.exe`	DRL 1.0
sigma	registry_event_bypass_via_wsreset.yml	`title: UAC Bypass Via Wsreset`	DRL 1.0
sigma	registry_event_bypass_via_wsreset.yml	`description: Unfixed method for UAC bypass from windows 10. WSReset.exe file associated with the Windows Store. It will run a binary file contained in a low-privilege registry.`	DRL 1.0
sigma	registry_event_bypass_via_wsreset.yml	`- https://lolbas-project.github.io/lolbas/Binaries/Wsreset`	DRL 1.0
LOLBAS	Wsreset.yml	`Name: Wsreset.exe`
LOLBAS	Wsreset.yml	`- Command: wsreset.exe`
LOLBAS	Wsreset.yml	`Description: During startup, wsreset.exe checks the registry value HKCU\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command for the command to run. Binary will be executed as a high-integrity process without a UAC prompt being displayed to the user.`
LOLBAS	Wsreset.yml	`- Path: C:\Windows\System32\wsreset.exe`
LOLBAS	Wsreset.yml	`- IOC: wsreset.exe launching child process other than mmc.exe`
atomic-red-team	T1548.002.md	Target: \system32\WSReset.exe	MIT License. © 2018 Red Canary