WSReset.exe

  • File Path: C:\Windows\system32\WSReset.exe
  • Description: This tool resets the Windows Store without changing account settings or deleting installed apps

Hashes

Type Hash
MD5 C08D9492A11813196000AF9E4F5EE23F
SHA1 2404225C00764ADB780FF21C06890CFB3FA327F0
SHA256 E1E8F9FB5503A7EC9731BC81CDD3F428001C2AFB0528CF99DA451C5220A1580F
SHA384 39474778BF617D16343F3FCADF197C268EA1B9409B5C6C3DD16061188A75F9AA4E638A9F82182301FD81B9989A7352C6
SHA512 6F3539EC0F15184F887D2CC8417D5133FBED65666A8FA4459351422F408401B13CCBA3162B9BF8693E5F24858DD72155FF1EB7409ECF6692FDFFD4CA1C53BEBF
SSDEEP 768:lJKVfVIDwlvjEFLSj1cKSSSzSSoMo9b1Nsn4FOBkStBW/:mbiMjEFLi1tFGg0Y/
IMP AB03184F9306BF7E8482C6F987BA1832
PESHA1 AAE557C6EDB843CB97C908076D2453840BC752D8
PE256 A82F5E43E6F796FA94FAABA7CA3FC0252817753CB4B36E916EE57BB457F9255B

Runtime Data

Child Processes:

conhost.exe

Open Handles:

Path Type
(RW-) C:\Users\user File
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2 Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\1\BaseNamedObjects\windows_shell_global_counters Section

Loaded Modules:

Path
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\system32\WSReset.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: WSReset.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/74
  • VirusTotal Link: https://www.virustotal.com/gui/file/e1e8f9fb5503a7ec9731bc81cdd3f428001c2afb0528cf99da451c5220a1580f/detection

File Similarity (ssdeep match)

File Score
C:\WINDOWS\system32\WSCollect.exe 40
C:\Windows\system32\WSCollect.exe 43
C:\Windows\system32\WSCollect.exe 44
C:\Windows\system32\WSCollect.exe 43
C:\Windows\system32\WSCollect.exe 43
C:\WINDOWS\system32\WSCollect.exe 40
C:\Windows\system32\WSReset.exe 46
C:\Windows\system32\WSReset.exe 38
C:\Windows\system32\WSReset.exe 47
C:\WINDOWS\system32\WSReset.exe 40
C:\WINDOWS\system32\WSReset.exe 46

Possible Misuse

The following entries are examples of WSReset.exe being misused, drawn from public detection rules and the LOLBAS project. WSReset.exe is not inherently malicious; it is abused because it runs at high integrity without a UAC prompt and, at startup, reads the command it executes from a registry key under the current user's hive, which turns it into a UAC bypass primitive.

Source: sigma, proc_creation_win_uac_bypass_wsreset.yml (License: DRL 1.0)
  title: UAC Bypass WSReset
  description: Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config
  - https://lolbas-project.github.io/lolbas/Binaries/Wsreset/
  Image|endswith: '\wsreset.exe'

Source: sigma, proc_creation_win_uac_wsreset.yml (License: DRL 1.0)
  title: Bypass UAC via WSReset.exe
  description: Identifies use of WSReset.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.
  ParentImage|endswith: '\wsreset.exe'

Source: sigma, proc_creation_win_wsreset_uac_bypass.yml (License: DRL 1.0)
  title: Wsreset UAC Bypass
  description: Detects a method that uses Wsreset.exe tool that can be used to reset the Windows Store to bypass UAC
  - https://lolbas-project.github.io/lolbas/Binaries/Wsreset/
  - '\WSreset.exe'
  - Unknown sub processes of Wsreset.exe

Source: sigma, registry_event_bypass_via_wsreset.yml (License: DRL 1.0)
  title: UAC Bypass Via Wsreset
  description: Unfixed method for UAC bypass from windows 10. WSReset.exe file associated with the Windows Store. It will run a binary file contained in a low-privilege registry.
  - https://lolbas-project.github.io/lolbas/Binaries/Wsreset

Source: LOLBAS, Wsreset.yml
  Name: Wsreset.exe
  - Command: wsreset.exe
  Description: During startup, wsreset.exe checks the registry value HKCU\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command for the command to run. Binary will be executed as a high-integrity process without a UAC prompt being displayed to the user.
  - Path: C:\Windows\System32\wsreset.exe
  - IOC: wsreset.exe launching child process other than mmc.exe

Source: atomic-red-team, T1548.002.md (License: MIT License. © 2018 Red Canary)
  Target: \system32\WSReset.exe
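As an added example (not code from this page, from Sigma or from the LOLBAS project), the following Python implements the detection logic those entries describe and runs it over Sysmon-style events: a registry write to the per-user AppX handler key that WSReset.exe reads, and a child of wsreset.exe other than mmc.exe (the LOLBAS IOC) or conhost.exe (the child recorded in the Runtime Data above). Field names follow Sysmon's; the event records, the SID and the file paths in the sample are constructed for illustration.

```python
"""Detection logic for the WSReset.exe UAC-bypass pattern summarised in the
Sigma and LOLBAS entries above, run over constructed Sysmon-style events.

Added example; not code from this page, the Sigma project or LOLBAS.
Field names follow Sysmon's (EventID, Image, ParentImage, TargetObject,
Details); the records in SAMPLE_EVENTS are constructed for illustration.
"""
from typing import Dict, Iterable, List

# Per-user handler key that WSReset.exe consults at startup (from the LOLBAS entry).
WSRESET_APPX_KEY = (
    r"\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command"
)

# Children the page lists as expected: mmc.exe (LOLBAS IOC) and conhost.exe (Runtime Data).
EXPECTED_CHILDREN = {"mmc.exe", "conhost.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path; Sigma's endswith matching is case-insensitive."""
    return path.rsplit("\\", 1)[-1].lower()


def is_wsreset(path: str) -> bool:
    return basename(path) == "wsreset.exe"


def check_process_creation(ev: Dict[str, str]) -> List[Dict[str, str]]:
    """Sysmon EventID 1: flag any child of wsreset.exe that is not an expected child.

    Mirrors proc_creation_win_uac_wsreset.yml (ParentImage endswith '\\wsreset.exe')
    combined with the LOLBAS IOC (child process other than mmc.exe)."""
    findings: List[Dict[str, str]] = []
    parent = ev.get("ParentImage", "")
    child = ev.get("Image", "")
    if is_wsreset(parent) and basename(child) not in EXPECTED_CHILDREN:
        findings.append({"rule": "wsreset_unexpected_child",
                         "parent": parent, "image": child})
    return findings


def check_registry_event(ev: Dict[str, str]) -> List[Dict[str, str]]:
    """Sysmon EventID 12/13/14: flag changes to the AppX handler key WSReset.exe reads.

    Mirrors registry_event_bypass_via_wsreset.yml. The key lives in the user hive
    (HKCU, logged by Sysmon as HKU\\<SID>), so an unprivileged user can write it."""
    findings: List[Dict[str, str]] = []
    target = ev.get("TargetObject", "")
    if WSRESET_APPX_KEY.lower() in target.lower():
        findings.append({"rule": "wsreset_appx_handler_modified",
                         "image": ev.get("Image", ""),
                         "target": target,
                         "command": ev.get("Details", "")})  # value written (EventID 13)
    return findings


def analyze(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run both checks over an event stream and return the findings in event order."""
    findings: List[Dict[str, str]] = []
    for ev in events:
        eid = int(ev.get("EventID", 0))
        if eid == 1:
            findings.extend(check_process_creation(ev))
        elif eid in (12, 13, 14):
            findings.extend(check_registry_event(ev))
    return findings


# Constructed sample (not real telemetry): handler set, wsreset started, benign
# conhost child, then the command from the handler key running under wsreset.
SAMPLE_EVENTS = [
    {"EventID": "13", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001" + WSRESET_APPX_KEY + r"\(Default)",
     "Details": r"C:\Users\user\AppData\Local\Temp\stage.exe"},
    {"EventID": "1", "Image": r"C:\Windows\System32\WSReset.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": "1", "Image": r"C:\Windows\System32\conhost.exe",
     "ParentImage": r"C:\Windows\System32\WSReset.exe"},
    {"EventID": "1", "Image": r"C:\Users\user\AppData\Local\Temp\stage.exe",
     "ParentImage": r"C:\Windows\System32\WSReset.exe"},
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

The registry check fires before the bypass executes, so it is the earlier signal; the child-process check catches the payload even if registry auditing is not configured. Both are worth a baseline on hosts where Microsoft Store resets are part of normal support procedures, since conhost.exe and mmc.exe children are expected there.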

MIT License. Copyright (c) 2020-2021 Strontic.