WSReset.exe

  • File Path: C:\WINDOWS\system32\WSReset.exe
  • Description: This tool resets the Windows Store without changing account settings or deleting installed apps

Hashes

Type Hash
MD5 FB3CE16149961934341850A6F1ED869E
SHA1 4A1D3889E640A619706A8A6C8BCFDC3397C1883F
SHA256 8D7AB0E208A39AD318B3F3837483F34E0FA1C3F20EDF287FB7C8D8FA1AC63A2F
SHA384 3D60F18CF584368E9DC03C3D7143B9EF3634EA91AD2D3D1C15BF49A74111391485CAA5106B9C1EE3A9A84E075E3CB4F4
SHA512 7E996D645B53C7C8D7257975D52C033B019855ED7E20C8EC27BB4CF7C4E828DD6B0F17E922AB94EF30CBBB77CA37AF95862DD058441A67C265F6DB58ABF859E6
SSDEEP 768:qnEer5SoQTaOS00qaZMW9w1Nsn4FOBkStBWr:I/8h3S00qaZcGg0Yr

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: WSReset.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.18362.145 (WinBuild.160101.0800)
  • Product Version: 10.0.18362.145
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\WINDOWS\system32\WSCollect.exe 46
C:\Windows\system32\WSCollect.exe 43
C:\Windows\system32\WSCollect.exe 40
C:\Windows\system32\WSCollect.exe 40
C:\Windows\system32\WSCollect.exe 44
C:\WINDOWS\system32\WSCollect.exe 43
C:\Windows\system32\WSReset.exe 63
C:\Windows\system32\WSReset.exe 43
C:\Windows\system32\WSReset.exe 50
C:\WINDOWS\system32\WSReset.exe 47
C:\Windows\system32\WSReset.exe 46

Possible Misuse

The following table contains possible examples of WSReset.exe being misused. While WSReset.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source / Source File / Example / License

  • sigma, proc_creation_win_uac_bypass_wsreset.yml (DRL 1.0):
      title: UAC Bypass WSReset
      description: Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config
      - https://lolbas-project.github.io/lolbas/Binaries/Wsreset/
      Image|endswith: '\wsreset.exe'
  • sigma, proc_creation_win_uac_wsreset.yml (DRL 1.0):
      title: Bypass UAC via WSReset.exe
      description: Identifies use of WSReset.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.
      ParentImage|endswith: '\wsreset.exe'
  • sigma, proc_creation_win_wsreset_uac_bypass.yml (DRL 1.0):
      title: Wsreset UAC Bypass
      description: Detects a method that uses the Wsreset.exe tool, which can be used to reset the Windows Store, to bypass UAC
      - https://lolbas-project.github.io/lolbas/Binaries/Wsreset/
      - '\WSreset.exe'
      - Unknown sub processes of Wsreset.exe
  • sigma, registry_event_bypass_via_wsreset.yml (DRL 1.0):
      title: UAC Bypass Via Wsreset
      description: Unfixed method for UAC bypass from Windows 10. WSReset.exe is a file associated with the Windows Store. It will run a binary file contained in a low-privilege registry key.
      - https://lolbas-project.github.io/lolbas/Binaries/Wsreset
  • LOLBAS, Wsreset.yml:
      Name: Wsreset.exe
      - Command: wsreset.exe
      Description: During startup, wsreset.exe checks the registry value HKCU\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command for the command to run. Binary will be executed as a high-integrity process without a UAC prompt being displayed to the user.
      - Path: C:\Windows\System32\wsreset.exe
      - IOC: wsreset.exe launching child process other than mmc.exe
  • atomic-red-team, T1548.002.md (MIT License. © 2018 Red Canary):
      Target: \system32\WSReset.exe
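The Sigma and LOLBAS entries above point at two observable artefacts of this technique: a write to the per-user AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command key, followed by wsreset.exe spawning a child that is not mmc.exe. The script below is an added example of that detection logic run over sample events; it is not code from this page, from Sigma, LOLBAS or Atomic Red Team. It assumes a constructed, simplified event format (one event per line, Key=Value pairs separated by '|', with field names that mirror Sysmon Event ID 1 and Event ID 13), a constructed sample log, and an allowlist that also treats conhost.exe as an expected child, which is an assumption made here to reduce noise rather than something the page states.

```python
"""Detection logic for the WSReset.exe UAC-bypass pattern described above.

Added example, not code from the Strontic page, Sigma, LOLBAS or Atomic Red
Team. It assumes a constructed event format: one event per line, fields as
Key=Value pairs separated by '|', with field names that mirror Sysmon Event
ID 1 (process creation) and Event ID 13 (registry value set). The sample log
and the conhost.exe allowlist entry are assumptions made for the example.
"""
from typing import Dict, List, Optional

# Registry path wsreset.exe reads at startup (per the LOLBAS entry), matched
# case-insensitively as a substring of the Sysmon TargetObject field.
HIJACK_KEY = r"\software\classes\appx82a6gwre4fdg3bt635tn5ctqjf8msdd2\shell\open\command"

# Children wsreset.exe is expected to spawn. mmc.exe comes from the LOLBAS IOC
# ("child process other than mmc.exe"); conhost.exe is an assumption added to
# suppress console-host noise, not something the page states.
EXPECTED_CHILDREN = {"mmc.exe", "conhost.exe"}


def parse_event(line: str) -> Dict[str, str]:
    """Parse 'Key=Value|Key=Value' into a dict (constructed format)."""
    event: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        event[key.strip()] = value.strip()
    return event


def basename(path: str) -> str:
    """Lower-cased final path component, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process_create(ev: Dict[str, str]) -> Optional[str]:
    """Process-creation rule: wsreset.exe as parent of an unexpected child."""
    if ev.get("EventID") != "1":
        return None
    if basename(ev.get("ParentImage", "")) != "wsreset.exe":
        return None
    child = basename(ev.get("Image", ""))
    if child in EXPECTED_CHILDREN:
        return None
    return (f"wsreset.exe spawned unexpected child {ev.get('Image', '')} "
            f"at integrity {ev.get('IntegrityLevel', '?')}")


def check_registry_set(ev: Dict[str, str]) -> Optional[str]:
    """Registry-event rule: a value set under the AppX shell\\open\\command key."""
    if ev.get("EventID") != "13":
        return None
    if HIJACK_KEY not in ev.get("TargetObject", "").lower():
        return None
    return (f"AppX shell\\open\\command key set by {ev.get('Image', '')}: "
            f"{ev.get('Details', '')}")


def scan(lines: List[str]) -> List[str]:
    """Run both checks over every line; return alert strings in log order."""
    alerts: List[str] = []
    for line in lines:
        ev = parse_event(line)
        for check in (check_registry_set, check_process_create):
            hit = check(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample events (not real telemetry). Events 1 and 2 are the abuse
# pattern; events 3 to 5 are benign activity that must not alert.
SAMPLE_LOG = [
    r"EventID=13|EventType=SetValue|Image=C:\Windows\System32\reg.exe"
    r"|TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes"
    r"\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command\(Default)"
    r"|Details=C:\Users\victim\AppData\Local\Temp\payload.exe",
    r"EventID=1|Image=C:\Users\victim\AppData\Local\Temp\payload.exe"
    r"|ParentImage=C:\Windows\System32\WSReset.exe|IntegrityLevel=High",
    r"EventID=1|Image=C:\Windows\System32\conhost.exe"
    r"|ParentImage=C:\Windows\System32\WSReset.exe|IntegrityLevel=High",
    r"EventID=1|Image=C:\Windows\System32\WSReset.exe"
    r"|ParentImage=C:\Windows\explorer.exe|IntegrityLevel=Medium",
    r"EventID=13|EventType=SetValue|Image=C:\Windows\System32\svchost.exe"
    r"|TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes"
    r"\Local Settings\MuiCache|Details=unrelated",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print("ALERT:", alert)
```

The registry check fires before the process check for the same timeline, which matches how the bypass unfolds on a host: the shell\open\command value is written at medium integrity first, then wsreset.exe (auto-elevated) launches whatever that value points to. Matching the registry path as a case-insensitive substring, rather than on the full HKU\SID-prefixed path, keeps the rule independent of which user SID the write lands under.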

MIT License. Copyright (c) 2020-2021 Strontic.