WinSAT.exe

  • File Path: C:\Windows\system32\WinSAT.exe
  • Description: Windows System Assessment Tool

Hashes

Type Hash
MD5 715DB53A8064C6DECCF68B7501DF3386
SHA1 99ACD12C3600AD3A7C478E49126DB520BC136304
SHA256 CC31FDCDCE05144EF750B01233D57614CDA7364A73CA26FF68886EBDC650E367
SHA384 C069E9F4D7BDF64983C1315CE0FC1378D63AE0489C012CDEC97F519EC8E78107EB0E7AAFBF17D2FE9F035C2BE2104671
SHA512 9BA9EAEFA1E2E4DA2D14F12B81F2ED0597AB6EB6B32D85851B69BC86D77A6B38810A04AA35FFCBF64484D544F52960F05F4EACA4740CD3674A1D09D8B373CE3C
SSDEEP 49152:R8sgM4nGU8AlipUY2K7G/hDAHlmWC67HyYmq1dKwdfU2bECbe:gBGUkezg/1DFE/
IMP 77CCB5C30DFB942E48EBC52E645CF431
PESHA1 FA83B2D0316B485FDBCE16935B9B05C3C4C71326
PE256 188B5F14467E3DCC2F5AE75C6C113C4DA3139E2141B275EA696B939D5A486C1D
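As an added example (not Strontic's code), the Python below recomputes the SHA256 listed above for every winsat.exe found under a directory tree and flags copies that sit anywhere other than Windows\System32, including a directory named "Windows " with a trailing space, which is the mock path the Sigma rules under Possible Misuse look for. The directory layout, file names such as users\alice and the file bytes are constructed placeholders, so their hashes are not expected to match the listed value; point `find_winsat_copies` at a real root such as C:\ to check a live system.

```python
# Added example (not Strontic's code): recompute the SHA256 listed above for
# every winsat.exe under a directory tree and flag copies that live outside
# the signed binary's location. The demo tree and file bytes are constructed
# placeholders; their hashes are not expected to match KNOWN_SHA256.
import hashlib
import os
import tempfile

# SHA256 from the hash table above, lower-cased for comparison
KNOWN_SHA256 = "cc31fdcdce05144ef750b01233d57614cda7364a73ca26ff68886ebdc650e367"

# Where the signed binary lives, relative to the scan root (e.g. C:\)
CANONICAL_DIR = os.path.join("windows", "system32")

# Placeholder bytes standing in for the real PE image (constructed)
PLACEHOLDER = b"MZ placeholder, not the real winsat.exe"


def sha256_of(path):
    """Stream a file through SHA256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def find_winsat_copies(root, known_sha256=KNOWN_SHA256):
    """Walk `root` and describe every winsat.exe found.

    Each finding records the path relative to `root`, its SHA256, whether the
    hash matches the known-good value, and whether the file sits in the
    canonical Windows\\System32 directory. A directory named "windows " (with a
    trailing space) is deliberately not treated as canonical: that is the mock
    directory the UAC-bypass Sigma rules under Possible Misuse look for.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != "winsat.exe":
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            digest = sha256_of(full)
            findings.append({
                "path": rel,
                "sha256": digest,
                "hash_known": digest == known_sha256.lower(),
                "in_canonical_dir": os.path.dirname(rel).lower() == CANONICAL_DIR,
            })
    return findings


def build_demo_tree(root):
    """Create a constructed layout: the real location, a trailing-space mock
    directory, and a copy staged under a user's Temp folder."""
    rel_paths = [
        os.path.join("windows", "system32", "winsat.exe"),
        # "windows " with a trailing space: on Windows this name can only be
        # created by bypassing Win32 path normalisation
        os.path.join("windows ", "system32", "winsat.exe"),
        os.path.join("users", "alice", "appdata", "local", "temp",
                     "system32", "winsat.exe"),
    ]
    for rel in rel_paths:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(PLACEHOLDER)
    return root


def demo_findings():
    """Build the constructed tree in a temp dir, scan it, and return findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_winsat_copies(build_demo_tree(tmp))


def needs_investigation(finding):
    """A copy is suspicious unless it is both in place and the known hash."""
    return not (finding["hash_known"] and finding["in_canonical_dir"])


if __name__ == "__main__":
    for f in demo_findings():
        verdict = "INVESTIGATE" if needs_investigation(f) else "ok"
        print(f"{verdict:11} {f['path']}  sha256={f['sha256'][:16]}...")
```

On a real system the only finding that should pass both checks is Windows\System32\WinSAT.exe with the SHA256 above; a hash mismatch there means a different build (compare against the File Version listed further down) and any hit elsewhere is worth pulling for the signature check.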

Runtime Data

Usage (stdout):


Windows System Assessment Tool

    
COMMAND LINE USAGE :   
    WINSAT <assessment_name> [switches]

It's necessary to supply an assessment name.  In contrast, switches are optional. 
Valid assessment names already seen in Vista include: 

    formal		run the full set of assessments 

    dwm		Run the Desktop Windows Manager assessment
            - Re-assess the systems graphics capabilities and 
              restart the Desktop Window Manager.

    cpu		Run the CPU assessment.  
    mem		Run the system memory assessment.  
    d3d		Run the d3d assessment 
                (Note that the d3d assessment no longer runs the workload. 
                For backward compatibility, pre-determined scores and metrics are reported.)
    disk		Run the storage assessment
    media		Run the media assessment 			
    mfmedia		Run the Media Foundation based assessment	
    features	Run just the features assessment      		
            - Enumerates the system's features. 
            - It's best used with the -xml <filename> switch 
            to save the data.  
            - The 'eef'switch can be used to enumerate extra 
            features such as optical disks,	memory modules, 
            and other items.
    
PRE-POPULATION: 
The new command-line  options for pre-populating WinSAT assessment results are :  
    
    Winsat prepop [-datastore <directory>] [ -graphics | -cpu | -mem | -disk | -dwm ]


This generates WinSAT xml files whose filenames contain "prepop".  For example :
    0008-09-26 14.48.28.542 Cpu.Assessment (Prepop).WinSAT.xml

The filename pattern is :	
    %IdentifierDerivedFromDate% %Component%.Assessment(Prepop).WinSAT.xml

The datastore directory option specifies an alternative target location for generated xml files. 
If no location is specified, everything is pre-populated to 
    %WINDIR%\performance\winsat\datastore.  

To generate a full set of result xml files, use "winsat prepop".  

It is also possible to pre-populate results for a subsystem, such as CPU, 
subject to the following dependencies:

    The CPU assessment has a secondary dependency on the Memory assessment
    The Memory assessment has a secondary dependency on the CPU assessment
    The Graphics assessment has a secondary dependency on both CPU and Memory assessments
    The DWM assessment can run standalone
    The Disk assessment can run standalone 

If the assessment for a secondary dependency is not present, WinSAT will run the 
secondary assessment along with the requested primary assessment.  

For example,  "winsat prepop -cpu"  will run both the CPU and the Memory test, 
if the xml file for the Memory test is not present.	



OTHER NEW Win7 ASSESSMENT OPTIONS :

    dwmformal	Run Desktop Windows Manager assessment to generate the WinSAT Graphics score
    cpuformal	Run CPU assessment to generate the WinSAT Processor score
    memformal	Run Memory assessment to generate the WinSAT Memory (RAM) score
    graphicsformal	Run Graphics assessment to generate the WinSAT Gaming Graphics score
    diskformal	Run Disk assessment to generate the WinSAT Primary Hard Disk score
            
All formal assessments will save the data (xml files) in 
        %WINDIR%\performance\winsat\datastore.  

If a system has been prepopulated (using files generated by the "winsat prepop" option), 
it is not necessary to run formal assessments.


SUB-ASSESSMENTS:
While investigating results, it may be convenient to look at individual assessments.  
Options for running Gaming Graphics sub-assessments include:

    Winsat graphicsformal3d
    Winsat graphicsformalmedia

    DX9 Variations:  
        Winsat d3d -dx9
        winsat d3d -batch
        winsat d3d -alpha
        winsat d3d -tex
        winsat d3d -alu

    DWM/DX10 variations:  
        Winsat d3d -dx10
        winsat d3d -dx10 -alpha
        winsat d3d -dx10 -tex
        winsat d3d -dx10 -alu
        winsat d3d -dx10 -batch
        winsat d3d -dx10 -geomf4
        winsat d3d -dx10 -geomf27
        winsat d3d -dx10 -geomv8
        winsat d3d -dx10 -gemov32
        winsat d3d -dx10 -cbuffer



OPTIONS FOR FORMAL ASSESSMENTS FOR SUBSEQUENT RUNS ON THE SAME MACHINE:

The default behavior for "WinSAT formal" when a complete set of winsat formal files is present 
and a second "winsat formal" run is requested is to 
    1) Run incrementally if component change implies that an assessment needs to be re-run, 
        e.g. if a video card were updated  
    2) If no component updates were detected, re-run all assessments.

    The restart option enables behavior other than the default.  The syntax is :   	
        Winsat formal -restart [clean|never]
    
        Winsat formal -restart	 	Reruns all assessments. 
        Winsat formal -restart never 	Attempts to run incrementally.
        Winsat formal -restart clean 	Reruns all assessments and provides the same functionality as "forgethistory". 
        Winsat forgethistory		Choosing to forgethistory will rate a machine as if for the first time.


OTHER COMMAND LINE OPTIONS :
    -v			Enables verbose output
    -xml			Saves the XML output to 'filename'

    <command> -log <fn>	Generates a log file associated with the specified command, such as disk
                The -log switch can be used with any WinSAT command.

    viewlog -i <filename> 	Dumps the results of a log file .  
    viewevents 		Used to view relevant winsat events in the event log. 
                (This launches the event log)
    query 			Can be used to query the current datastore.

Usage (stderr):

Error: Unable to run inside of a Virtual Machine.  Please try again running directly on the native hardware.

Loaded Modules:

Path
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\system32\WinSAT.exe

Signature

  • Status: Signature verified.
  • Serial: 330000026551AE1BBD005CBFBD000000000265
  • Thumbprint: E168609353F30FF2373157B4EB8CD519D07A2BFF
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: WinSAT.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/cc31fdcdce05144ef750b01233d57614cda7364a73ca26ff68886ebdc650e367/detection

File Similarity (ssdeep match)

File Score
C:\Windows\system32\WinSAT.exe 49
C:\Windows\system32\WinSAT.exe 54
C:\WINDOWS\system32\WinSAT.exe 43
C:\WINDOWS\system32\WinSAT.exe 47
C:\Windows\system32\WinSAT.exe 52

Possible Misuse

The following entries are examples of WinSAT.exe being misused. WinSAT.exe is not inherently malicious, but its legitimate functionality can be abused. All three Sigma rules below describe the same UAC bypass (UACMe method 52), which relies on a path-parsing issue in winsat.exe: the tell-tale artifacts are a copy of winsat.exe staged under \AppData\Local\Temp\system32\ and a command line referencing 'C:\Windows \system32\winsat.exe', with a space after "Windows" that the legitimate path never has.

Source: sigma (all entries licensed under DRL 1.0)

file_event_win_uac_bypass_winsat.yml
    title: UAC Bypass Abusing Winsat Path Parsing - File
    description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
    - '\AppData\Local\Temp\system32\winsat.exe'

proc_creation_win_uac_bypass_winsat.yml
    title: UAC Bypass Abusing Winsat Path Parsing - Process
    description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
    ParentImage|endswith: '\AppData\Local\Temp\system32\winsat.exe'
    ParentCommandLine|contains: 'C:\Windows \system32\winsat.exe'

registry_event_uac_bypass_winsat.yml
    title: UAC Bypass Abusing Winsat Path Parsing - Registry
    description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
    TargetObject|contains: '\Root\InventoryApplicationFile\winsat.exe|'
    Details|endswith: '\appdata\local\temp\system32\winsat.exe'
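To show how the file-event and process-creation rules above translate into detection logic, here is an added Python example (not Strontic's code and not the Sigma project's rules) that applies the same string matches to Sysmon-style events. The field names (Image, CommandLine, ParentImage, ParentCommandLine, TargetFilename) follow Sysmon; the three sample events, the user name alice and the loader.exe path are constructed for the demo. The final check, which flags any winsat.exe image outside the signed path, is an extra hardening check that goes beyond what the rules on this page match.

```python
# Added example (not Strontic's or the Sigma project's code): applies the
# detection pattern from the Sigma rules above to constructed Sysmon-style
# events. The event dicts below are made up for the demonstration.

# Canonical location of the signed binary, lower-cased for comparison
CANONICAL_WINSAT = r"c:\windows\system32\winsat.exe"
# Staging location matched by the file and process rules
TEMP_STAGED_SUFFIX = r"\appdata\local\temp\system32\winsat.exe"
# Mock directory with a trailing space after "windows" (the space matters)
MOCK_DIR_MARKER = r"c:\windows \system32\winsat.exe"


def _norm(value):
    """Lower-case a field for comparison; interior whitespace is preserved."""
    return (value or "").lower()


def classify_event(event):
    """Return the reasons this event matches the winsat UAC-bypass pattern.

    An empty list means nothing in the event matched.
    """
    reasons = []
    image = _norm(event.get("Image"))
    parent_image = _norm(event.get("ParentImage"))
    cmd = _norm(event.get("CommandLine"))
    parent_cmd = _norm(event.get("ParentCommandLine"))
    target = _norm(event.get("TargetFilename"))

    # File-event rule: winsat.exe written under \AppData\Local\Temp\system32
    if target.endswith(TEMP_STAGED_SUFFIX):
        reasons.append("winsat.exe staged in %TEMP%\\system32")

    # Process-creation rule: the staged copy is the parent, and the parent's
    # command line carries the trailing-space mock path
    if parent_image.endswith(TEMP_STAGED_SUFFIX):
        reasons.append("parent is staged copy of winsat.exe")
    if MOCK_DIR_MARKER in parent_cmd or MOCK_DIR_MARKER in cmd:
        reasons.append("trailing-space mock path 'C:\\Windows \\system32'")

    # Extra hardening check (not in the Sigma rules): any winsat.exe that is
    # not running from the signed binary's path deserves a look
    if image.endswith(r"\winsat.exe") and image != CANONICAL_WINSAT:
        reasons.append("winsat.exe executing from non-canonical path")
    return reasons


def scan(events):
    """Return (index, reasons) for every event that matched at least once."""
    hits = []
    for i, ev in enumerate(events):
        reasons = classify_event(ev)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample events, not real telemetry
SAMPLE_EVENTS = [
    {   # legitimate assessment run from the signed binary
        "Image": r"C:\Windows\System32\WinSAT.exe",
        "CommandLine": "winsat formal -restart clean",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "ParentCommandLine": "cmd.exe",
    },
    {   # staging: a copy of winsat.exe written to the Temp "system32" folder
        "Image": r"C:\Users\alice\Downloads\loader.exe",
        "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\system32\winsat.exe",
    },
    {   # payload spawned by the staged copy via the mock path
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c whoami",
        "ParentImage": r"C:\Users\alice\AppData\Local\Temp\system32\winsat.exe",
        "ParentCommandLine": r'"C:\Windows \system32\winsat.exe"',
    },
]

if __name__ == "__main__":
    for idx, why in scan(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(why))
```

Matching is done on lower-cased strings because the registry rule above uses the lower-cased form of the same path while the process rule uses mixed case; the trailing space inside the mock path survives that normalisation and must, since it is the whole signal.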

MIT License. Copyright (c) 2020-2021 Strontic.