WinMgmt.exe

  • File Path: C:\WINDOWS\SysWOW64\wbem\WinMgmt.exe
  • Description: WMI Service Control Utility

Hashes


Runtime Data

Usage (stdout):

Invalid parameter

Windows Management Instrumentation

Usage:  winmgmt	[/backup <filename>] [/restore <filename> <flag>]
		[/resyncperf] [/standalonehost [<level>]] [/sharedhost]
		[/verifyrepository [<path>]] [/salvagerepository]
		[/resetrepository]

/backup <filename>
	Causes WMI to back up the repository to the specified file name. The
	filename argument should contain the full path to the file location.
	This process requires a write lock on the repository so that write
	operations to the repository are suspended until the backup process is
	completed.

/restore <filename> <flag>
	Manually restores the WMI repository from the specified backup file.
	The filename argument should contain the full path to the backup file
	location. To perform the restore operation, WMI saves the existing
	repository to write back if the operation fails. Then the repository is
	restored from the backup file that is specified in the filename
	argument. If exclusive access to the repository cannot be achieved,
	existing clients are disconnected from WMI. The flag argument must be a
	1 (force - disconnect users and restore) or 0 (default - restore if no
	users connected) and specifies the restore mode.

/resyncperf
	Registers the system performance libraries with WMI.

/standalonehost [<level>]
	Moves the Winmgmt service to a standalone Svchost process that has a
	fixed DCOM endpoint. The default endpoint is "ncacn_ip_tcp.0.24158".
	However, the endpoint may be changed by running Dcomcnfg.exe. The level
	argument is the authentication level for the Svchost process. If level
	is not specified, the default is 4 (RPC_C_AUTHN_LEVEL_PKT).

/sharedhost
	Moves the Winmgmt service into the shared Svchost process.

/verifyrepository [<path>]
	Performs a consistency check on the WMI repository. When you add the
	/verifyrepository switch without the <path> argument, then the live
	repository currently used by WMI is verified. When you specify the path
	argument, you can verify any saved copy of the repository. In this
	case, the path argument should contain the full path to the saved
	repository copy. The saved repository should be a copy of the entire
	repository folder.

/salvagerepository
	Performs a consistency check on the WMI repository, and if an
	inconsistency is detected, rebuilds the repository.  The content of the
	inconsistent repository is merged into the rebuilt repository, if it
	can be read. The salvage operation always works with the repository
	that the WMI service is currently using. MOF files that contain the
	#pragma autorecover preprocessor statement are restored to the
	repository.

/resetrepository
	The repository is reset to the initial state when the operating system
	is first installed. MOF files that contain the #pragma autorecover
	preprocessor statement are restored to the repository.


Loaded Modules:

Path
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\System32\wow64.dll
C:\WINDOWS\System32\wow64base.dll
C:\WINDOWS\System32\wow64con.dll
C:\WINDOWS\System32\wow64cpu.dll
C:\WINDOWS\System32\wow64win.dll
C:\WINDOWS\SysWOW64\wbem\WinMgmt.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: winmgmt.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/f9f9a0811dc55b0effe71eec1e8a513ab194e45e29a8b1fcbf5ed17ab0c1bf9a/detection

File Similarity (ssdeep match)

File Score
C:\Windows\system32\wbem\wbemtest.exe 40
C:\Windows\system32\wbem\wbemtest.exe 40
C:\windows\system32\wbem\wbemtest.exe 50
C:\WINDOWS\system32\wbem\wbemtest.exe 41
C:\Windows\system32\wbem\wbemtest.exe 38
C:\windows\system32\wbem\WinMgmt.exe 75
C:\Windows\system32\wbem\WinMgmt.exe 75
C:\WINDOWS\system32\wbem\WinMgmt.exe 75
C:\Windows\system32\wbem\WinMgmt.exe 75
C:\Windows\system32\wbem\WinMgmt.exe 77
C:\WINDOWS\system32\wbem\WinMgmt.exe 77
C:\Windows\system32\wbem\WinMgmt.exe 80
C:\Windows\system32\wbem\WinMgmt.exe 80
C:\Windows\system32\wbem\WinMgmt.exe 75
C:\Windows\SysWOW64\wbem\wbemcntl.dll 38
C:\Windows\SysWOW64\wbem\WinMgmt.exe 79
C:\Windows\SysWOW64\wbem\WinMgmt.exe 74
C:\WINDOWS\SysWOW64\wbem\WinMgmt.exe 71
C:\windows\SysWOW64\wbem\WinMgmt.exe 69
C:\Windows\SysWOW64\wbem\WinMgmt.exe 74

MIT License. Copyright (c) 2020-2021 Strontic.