WinSAT.exe

  • File Path: C:\Windows\system32\WinSAT.exe
  • Description: Windows System Assessment Tool

Hashes

Type Hash
MD5 D21AA5C451C43D15B2BA3611F57F2321
SHA1 BD152D8C2467B974DCA7B2B11982D3EA06B2B4F9
SHA256 2380049E6E56B969990C598A3731E8322E8DEF86B08DFE44E452392CF529498D
SHA384 534D32F50C97A3BAC33C98C9F586877A66C1B8DE393C53ED50C435D0F4B0D242B770869F6EFBDBAC4138DE7C7EECB2DA
SHA512 08BE8EB24D22C41623BA482CB89B8995C52BB06555A3F4A24E8075C5C913D760456DFE95C95E347252F2975DB254F32349C55C21E0BD69F4268B48D891915CB7
SSDEEP 49152:/XpiCMrI7ninpTyjY7Q9i9GYmq1dKwdfU2bECbe:PUCUzT1DFE/
IMP 9B913D600A7557750BD6D8AE12F90CF7
PESHA1 D3A43BACE47FC0DBBDC6B42BB1119CD1ADEC65CA
PE256 10E07AC825486FBBF203B579EA74FB16F131F4F2757037B9764C067C80E345CD

Runtime Data

Usage (stdout):


Windows System Assessment Tool

    
COMMAND LINE USAGE :   
    WINSAT <assessment_name> [switches]

It's necessary to supply an assessment name.  In contrast, switches are optional. 
Valid assessment names already seen in Vista include: 

    formal		run the full set of assessments 

    dwm		Run the Desktop Windows Manager assessment
            - Re-assess the systems graphics capabilities and 
              restart the Desktop Window Manager.

    cpu		Run the CPU assessment.  
    mem		Run the system memory assessment.  
    d3d		Run the d3d assessment 
                (Note that the d3d assessment no longer runs the workload. 
                For backward compatibility, pre-determined scores and metrics are reported.)
    disk		Run the storage assessment
    media		Run the media assessment 			
    mfmedia		Run the Media Foundation based assessment	
    features	Run just the features assessment      		
            - Enumerates the system's features. 
            - It's best used with the -xml <filename> switch 
            to save the data.  
            - The 'eef'switch can be used to enumerate extra 
            features such as optical disks,	memory modules, 
            and other items.
    
PRE-POPULATION: 
The new command-line  options for pre-populating WinSAT assessment results are :  
    
    Winsat prepop [-datastore <directory>] [ -graphics | -cpu | -mem | -disk | -dwm ]


This generates WinSAT xml files whose filenames contain "prepop".  For example :
    0008-09-26 14.48.28.542 Cpu.Assessment (Prepop).WinSAT.xml

The filename pattern is :	
    %IdentifierDerivedFromDate% %Component%.Assessment(Prepop).WinSAT.xml

The datastore directory option specifies an alternative target location for generated xml files. 
If no location is specified, everything is pre-populated to 
    %WINDIR%\performance\winsat\datastore.  

To generate a full set of result xml files, use "winsat prepop".  

It is also possible to pre-populate results for a subsystem, such as CPU, 
subject to the following dependencies:

    The CPU assessment has a secondary dependency on the Memory assessment
    The Memory assessment has a secondary dependency on the CPU assessment
    The Graphics assessment has a secondary dependency on both CPU and Memory assessments
    The DWM assessment can run standalone
    The Disk assessment can run standalone 

If the assessment for a secondary dependency is not present, WinSAT will run the 
secondary assessment along with the requested primary assessment.  

For example,  "winsat prepop -cpu"  will run both the CPU and the Memory test, 
if the xml file for the Memory test is not present.	



OTHER NEW Win7 ASSESSMENT OPTIONS :

    dwmformal	Run Desktop Windows Manager assessment to generate the WinSAT Graphics score
    cpuformal	Run CPU assessment to generate the WinSAT Processor score
    memformal	Run Memory assessment to generate the WinSAT Memory (RAM) score
    graphicsformal	Run Graphics assessment to generate the WinSAT Gaming Graphics score
    diskformal	Run Disk assessment to generate the WinSAT Primary Hard Disk score
            
All formal assessments will save the data (xml files) in 
        %WINDIR%\performance\winsat\datastore.  

If a system has been prepopulated (using files generated by the "winsat prepop" option), 
it is not necessary to run formal assessments.


SUB-ASSESSMENTS:
While investigating results, it may be convenient to look at individual assessments.  
Options for running Gaming Graphics sub-assessments include:

    Winsat graphicsformal3d
    Winsat graphicsformalmedia

    DX9 Variations:  
        Winsat d3d -dx9
        winsat d3d -batch
        winsat d3d -alpha
        winsat d3d -tex
        winsat d3d -alu

    DWM/DX10 variations:  
        Winsat d3d -dx10
        winsat d3d -dx10 -alpha
        winsat d3d -dx10 -tex
        winsat d3d -dx10 -alu
        winsat d3d -dx10 -batch
        winsat d3d -dx10 -geomf4
        winsat d3d -dx10 -geomf27
        winsat d3d -dx10 -geomv8
        winsat d3d -dx10 -gemov32
        winsat d3d -dx10 -cbuffer



OPTIONS FOR FORMAL ASSESSMENTS FOR SUBSEQUENT RUNS ON THE SAME MACHINE:

The default behavior for "WinSAT formal" when a complete set of winsat formal files is present 
and a second "winsat formal" run is requested is to 
    1) Run incrementally if component change implies that an assessment needs to be re-run, 
        e.g. if a video card were updated  
    2) If no component updates were detected, re-run all assessments.

    The restart option enables behavior other than the default.  The syntax is :   	
        Winsat formal -restart [clean|never]
    
        Winsat formal -restart	 	Reruns all assessments. 
        Winsat formal -restart never 	Attempts to run incrementally.
        Winsat formal -restart clean 	Reruns all assessments and provides the same functionality as "forgethistory". 
        Winsat forgethistory		Choosing to forgethistory will rate a machine as if for the first time.


OTHER COMMAND LINE OPTIONS :
    -v			Enables verbose output
    -xml			Saves the XML output to 'filename'

    <command> -log <fn>	Generates a log file associated with the specified command, such as disk
                The -log switch can be used with any WinSAT command.

    viewlog -i <filename> 	Dumps the results of a log file .  
    viewevents 		Used to view relevant winsat events in the event log. 
                (This launches the event log)
    query 			Can be used to query the current datastore.

Usage (stderr):

ERROR: Cannot process the command line
       Assessment name 'help' is not valid

Loaded Modules:

Path
C:\Windows\System32\ADVAPI32.dll
C:\Windows\System32\bcrypt.dll
C:\Windows\System32\bcryptPrimitives.dll
C:\Windows\System32\cfgmgr32.dll
C:\Windows\System32\combase.dll
C:\Windows\System32\cryptsp.dll
C:\Windows\system32\d3d10.dll
C:\Windows\system32\d3d10_1.dll
C:\Windows\system32\d3d10_1core.dll
C:\Windows\system32\d3d10core.dll
C:\Windows\system32\d3d11.dll
C:\Windows\system32\dxgi.dll
C:\Windows\System32\GDI32.dll
C:\Windows\System32\gdi32full.dll
C:\Windows\System32\IMM32.DLL
C:\Windows\System32\kernel.appcore.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\SYSTEM32\ntmarta.dll
C:\Windows\System32\ole32.dll
C:\Windows\System32\OLEAUT32.dll
C:\Windows\System32\powrprof.dll
C:\Windows\System32\profapi.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\sechost.dll
C:\Windows\System32\SETUPAPI.dll
C:\Windows\System32\shcore.dll
C:\Windows\System32\SHELL32.dll
C:\Windows\System32\shlwapi.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\System32\USER32.dll
C:\Windows\system32\VERSION.dll
C:\Windows\System32\win32u.dll
C:\Windows\System32\windows.storage.dll
C:\Windows\system32\WINMM.dll
C:\Windows\system32\WINMMBASE.dll
C:\Windows\system32\WinSAT.exe
C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.17763.1518_none_0f591eb5ade09f35\gdiplus.dll

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: WinSAT.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/69
  • VirusTotal Link: https://www.virustotal.com/gui/file/2380049e6e56b969990c598a3731e8322e8def86b08dfe44e452392cf529498d/detection/

File Similarity (ssdeep match)

File Score
C:\Windows\system32\WinSAT.exe 47
C:\Windows\system32\WinSAT.exe 54
C:\WINDOWS\system32\WinSAT.exe 44
C:\WINDOWS\system32\WinSAT.exe 50
C:\Windows\system32\WinSAT.exe 49

Possible Misuse

The following table contains possible examples of WinSAT.exe being misused. While WinSAT.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma file_event_win_uac_bypass_winsat.yml title: UAC Bypass Abusing Winsat Path Parsing - File DRL 1.0
sigma file_event_win_uac_bypass_winsat.yml description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52) DRL 1.0
sigma file_event_win_uac_bypass_winsat.yml - '\AppData\Local\Temp\system32\winsat.exe' DRL 1.0
sigma proc_creation_win_uac_bypass_winsat.yml title: UAC Bypass Abusing Winsat Path Parsing - Process DRL 1.0
sigma proc_creation_win_uac_bypass_winsat.yml description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52) DRL 1.0
sigma proc_creation_win_uac_bypass_winsat.yml ParentImage\|endswith: '\AppData\Local\Temp\system32\winsat.exe' DRL 1.0
sigma proc_creation_win_uac_bypass_winsat.yml ParentCommandLine\|contains: 'C:\Windows \system32\winsat.exe' DRL 1.0
sigma registry_event_uac_bypass_winsat.yml title: UAC Bypass Abusing Winsat Path Parsing - Registry DRL 1.0
sigma registry_event_uac_bypass_winsat.yml description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52) DRL 1.0
sigma registry_event_uac_bypass_winsat.yml TargetObject\|contains: '\Root\InventoryApplicationFile\winsat.exe\|' DRL 1.0
sigma registry_event_uac_bypass_winsat.yml Details\|endswith: '\appdata\local\temp\system32\winsat.exe' DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.