WinMgmt.exe

  • File Path: C:\Windows\system32\wbem\WinMgmt.exe
  • Description: WMI Service Control Utility

Hashes

Type Hash
MD5 7EEBC2D73DB966BC35A8031FA60FC161
SHA1 1CE5CC0376C2D939A56AEFD57465EA5D2E311DA9
SHA256 720A7ADB445F98C7A71F406711A4AFF6C0E3143AA18A12DF851B806D2D5B00FD
SHA384 7277500DC1EF5FF3C9D916AEA774E06C16FA6CBA22702BC09812171300C0DFF742D3218D1876B7D53754D23E39334728
SHA512 50F88D2093F0D9A3117B4C491AD58FF9E14341C9952385EF5160521938569EB93A46BD51700F193F64A38D17D7EE5C18A99ED948EB76FAFD8C677EC4DD141084
SSDEEP 1536:tX//E02UqhgvRdShIPoANJLlAXuSXv+qSFEAeOFt:omRshIPFJRAhP2EAeU
IMP 2C3AB885FA820ED6993A6974E34AA636
PESHA1 6FA978BB29316380B066BE6DA093C7EFB212FD3D
PE256 49D9CC5F2C07BAD54B4992C3C821155D5A626822D553C51D6CA2EF3EB632C4EB

Runtime Data

Usage (stdout):

Invalid parameter

Windows Management Instrumentation

Usage:  winmgmt	[/backup <filename>] [/restore <filename> <flag>]
		[/resyncperf] [/standalonehost [<level>]] [/sharedhost]
		[/verifyrepository [<path>]] [/salvagerepository]
		[/resetrepository]

/backup <filename>
	Causes WMI to back up the repository to the specified file name. The
	filename argument should contain the full path to the file location.
	This process requires a write lock on the repository so that write
	operations to the repository are suspended until the backup process is
	completed.

/restore <filename> <flag>
	Manually restores the WMI repository from the specified backup file.
	The filename argument should contain the full path to the backup file
	location. To perform the restore operation, WMI saves the existing
	repository to write back if the operation fails. Then the repository is
	restored from the backup file that is specified in the filename
	argument. If exclusive access to the repository cannot be achieved,
	existing clients are disconnected from WMI. The flag argument must be a
	1 (force - disconnect users and restore) or 0 (default - restore if no
	users connected) and specifies the restore mode.

/resyncperf
	Registers the system performance libraries with WMI.

/standalonehost [<level>]
	Moves the Winmgmt service to a standalone Svchost process that has a
	fixed DCOM endpoint. The default endpoint is "ncacn_ip_tcp.0.24158".
	However, the endpoint may be changed by running Dcomcnfg.exe. The level
	argument is the authentication level for the Svchost process. If level
	is not specified, the default is 4 (RPC_C_AUTHN_LEVEL_PKT).

/sharedhost
	Moves the Winmgmt service into the shared Svchost process.

/verifyrepository [<path>]
	Performs a consistency check on the WMI repository. When you add the
	/verifyrepository switch without the <path> argument, then the live
	repository currently used by WMI is verified. When you specify the path
	argument, you can verify any saved copy of the repository. In this
	case, the path argument should contain the full path to the saved
	repository copy. The saved repository should be a copy of the entire
	repository folder.

/salvagerepository
	Performs a consistency check on the WMI repository, and if an
	inconsistency is detected, rebuilds the repository.  The content of the
	inconsistent repository is merged into the rebuilt repository, if it
	can be read. The salvage operation always works with the repository
	that the WMI service is currently using. MOF files that contain the
	#pragma autorecover preprocessor statement are restored to the
	repository.

/resetrepository
	The repository is reset to the initial state when the operating system
	is first installed. MOF files that contain the #pragma autorecover
	preprocessor statement are restored to the repository.


Loaded Modules:

Path
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\system32\wbem\WinMgmt.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: winmgmt.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/71
  • VirusTotal Link: https://www.virustotal.com/gui/file/720a7adb445f98c7a71f406711a4aff6c0e3143aa18a12df851b806d2d5b00fd/detection/

File Similarity (ssdeep match)

File Score
C:\Windows\system32\wbem\wbemtest.exe 41
C:\Windows\system32\wbem\wbemtest.exe 43
C:\windows\system32\wbem\wbemtest.exe 47
C:\WINDOWS\system32\wbem\wbemtest.exe 36
C:\Windows\system32\wbem\wbemtest.exe 30
C:\windows\system32\wbem\WinMgmt.exe 82
C:\Windows\system32\wbem\WinMgmt.exe 77
C:\WINDOWS\system32\wbem\WinMgmt.exe 72
C:\Windows\system32\wbem\WinMgmt.exe 77
C:\WINDOWS\system32\wbem\WinMgmt.exe 79
C:\Windows\system32\wbem\WinMgmt.exe 82
C:\Windows\system32\wbem\WinMgmt.exe 77
C:\Windows\system32\wbem\WinMgmt.exe 77
C:\Windows\SysWOW64\wbem\wbemcntl.dll 35
C:\Windows\SysWOW64\wbem\WinMgmt.exe 85
C:\WINDOWS\SysWOW64\wbem\WinMgmt.exe 77
C:\Windows\SysWOW64\wbem\WinMgmt.exe 80
C:\WINDOWS\SysWOW64\wbem\WinMgmt.exe 72
C:\windows\SysWOW64\wbem\WinMgmt.exe 74
C:\Windows\SysWOW64\wbem\WinMgmt.exe 74

MIT License. Copyright (c) 2020-2021 Strontic.