• File Path: C:\WINDOWS\system32\WinSAT.exe
  • Description: Windows System Assessment Tool


Type Hash
MD5 E278C34857373A1355D6453555E29CE0
SHA1 22457C5A53D114A474FBE160502B1817F5427BB8
SHA256 938CB65ACA949A1F0FE2CC2CC4EB75A709178EE8572626FA7CF751A99857BC85
SHA384 BB0B1734686279BDE70BBB9D50A336FFEDBA181B3AAF73ED195FB306BF5346542351032A1ADD3042F596E1ACD28D7DE8
SHA512 4341D4A3509C2C44BBF9F0CD114221B9CB5F9F94A29FAC77F04BC74AF8A6C4B252EFE9E68AC68A99928214571BC0C0A039C697744321C0E69735D99BC454D1CE
SSDEEP 49152:vUlaexhax/VJBRSzkEMEMZo2zfzhJkYmq1dKwdfU2bECbe:vkxhk62R1DFE/
IMP 708E2C61CFF480FDCF459D59E28B2658
PESHA1 BBC82C2341217ADC46016C18DE688192A612E1D8
PE256 A7C85105486284EDE7A19EEFAEA3D2882A0F4D9174AA675370331924D37AF8F4

Runtime Data

Usage (stdout):

Windows System Assessment Tool

    WINSAT <assessment_name> [switches]

It's necessary to supply an assessment name.  In contrast, switches are optional. 
Valid assessment names already seen in Vista include: 

    formal		run the full set of assessments 

    dwm		Run the Desktop Windows Manager assessment
            - Re-assess the systems graphics capabilities and 
              restart the Desktop Window Manager.

    cpu		Run the CPU assessment.  
    mem		Run the system memory assessment.  
    d3d		Run the d3d assessment 
                (Note that the d3d assessment no longer runs the workload. 
                For backward compatibility, pre-determined scores and metrics are reported.)
    disk		Run the storage assessment
    media		Run the media assessment 			
    mfmedia		Run the Media Foundation based assessment	
    features	Run just the features assessment      		
            - Enumerates the system's features. 
            - It's best used with the -xml <filename> switch 
            to save the data.  
            - The 'eef'switch can be used to enumerate extra 
            features such as optical disks,	memory modules, 
            and other items.
The new command-line  options for pre-populating WinSAT assessment results are :  
    Winsat prepop [-datastore <directory>] [ -graphics | -cpu | -mem | -disk | -dwm ]

This generates WinSAT xml files whose filenames contain "prepop".  For example :
    0008-09-26 Cpu.Assessment (Prepop).WinSAT.xml

The filename pattern is :	
    %IdentifierDerivedFromDate% %Component%.Assessment(Prepop).WinSAT.xml

The datastore directory option specifies an alternative target location for generated xml files. 
If no location is specified, everything is pre-populated to 

To generate a full set of result xml files, use "winsat prepop".  

It is also possible to pre-populate results for a subsystem, such as CPU, 
subject to the following dependencies:

    The CPU assessment has a secondary dependency on the Memory assessment
    The Memory assessment has a secondary dependency on the CPU assessment
    The Graphics assessment has a secondary dependency on both CPU and Memory assessments
    The DWM assessment can run standalone
    The Disk assessment can run standalone 

If the assessment for a secondary dependency is not present, WinSAT will run the 
secondary assessment along with the requested primary assessment.  

For example,  "winsat prepop -cpu"  will run both the CPU and the Memory test, 
if the xml file for the Memory test is not present.	


    dwmformal	Run Desktop Windows Manager assessment to generate the WinSAT Graphics score
    cpuformal	Run CPU assessment to generate the WinSAT Processor score
    memformal	Run Memory assessment to generate the WinSAT Memory (RAM) score
    graphicsformal	Run Graphics assessment to generate the WinSAT Gaming Graphics score
    diskformal	Run Disk assessment to generate the WinSAT Primary Hard Disk score
All formal assessments will save the data (xml files) in 

If a system has been prepopulated (using files generated by the "winsat prepop" option), 
it is not necessary to run formal assessments.

While investigating results, it may be convenient to look at individual assessments.  
Options for running Gaming Graphics sub-assessments include:

    Winsat graphicsformal3d
    Winsat graphicsformalmedia

    DX9 Variations:  
        Winsat d3d -dx9
        winsat d3d -batch
        winsat d3d -alpha
        winsat d3d -tex
        winsat d3d -alu

    DWM/DX10 variations:  
        Winsat d3d -dx10
        winsat d3d -dx10 -alpha
        winsat d3d -dx10 -tex
        winsat d3d -dx10 -alu
        winsat d3d -dx10 -batch
        winsat d3d -dx10 -geomf4
        winsat d3d -dx10 -geomf27
        winsat d3d -dx10 -geomv8
        winsat d3d -dx10 -gemov32
        winsat d3d -dx10 -cbuffer


The default behavior for "WinSAT formal" when a complete set of winsat formal files is present 
and a second "winsat formal" run is requested is to 
    1) Run incrementally if component change implies that an assessment needs to be re-run, 
        e.g. if a video card were updated  
    2) If no component updates were detected, re-run all assessments.

    The restart option enables behavior other than the default.  The syntax is :   	
        Winsat formal -restart [clean|never]
        Winsat formal -restart	 	Reruns all assessments. 
        Winsat formal -restart never 	Attempts to run incrementally.
        Winsat formal -restart clean 	Reruns all assessments and provides the same functionality as "forgethistory". 
        Winsat forgethistory		Choosing to forgethistory will rate a machine as if for the first time.

    -v			Enables verbose output
    -xml			Saves the XML output to 'filename'

    <command> -log <fn>	Generates a log file associated with the specified command, such as disk
                The -log switch can be used with any WinSAT command.

    viewlog -i <filename> 	Dumps the results of a log file .  
    viewevents 		Used to view relevant winsat events in the event log. 
                (This launches the event log)
    query 			Can be used to query the current datastore.

Usage (stderr):

Error: Unable to run inside of a Virtual Machine.  Please try again running directly on the native hardware.

Loaded Modules:



  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: WinSAT.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/72
  • VirusTotal Link:

File Similarity (ssdeep match)

File Score
C:\Windows\system32\WinSAT.exe 50
C:\Windows\system32\WinSAT.exe 43
C:\Windows\system32\WinSAT.exe 44
C:\WINDOWS\system32\WinSAT.exe 46
C:\Windows\system32\WinSAT.exe 43

Possible Misuse

The following table contains possible examples of WinSAT.exe being misused. While WinSAT.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma file_event_uac_bypass_winsat.yml title: UAC Bypass Abusing Winsat Path Parsing - File DRL 1.0
sigma file_event_uac_bypass_winsat.yml description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52) DRL 1.0
sigma file_event_uac_bypass_winsat.yml - '\AppData\Local\Temp\system32\winsat.exe' DRL 1.0
sigma win_uac_bypass_winsat.yml title: UAC Bypass Abusing Winsat Path Parsing - Process DRL 1.0
sigma win_uac_bypass_winsat.yml description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52) DRL 1.0
sigma win_uac_bypass_winsat.yml ParentImage\|endswith: '\AppData\Local\Temp\system32\winsat.exe' DRL 1.0
sigma win_uac_bypass_winsat.yml ParentCommandLine\|contains: 'C:\Windows \system32\winsat.exe' DRL 1.0
sigma registry_event_uac_bypass_winsat.yml title: UAC Bypass Abusing Winsat Path Parsing - Registry DRL 1.0
sigma registry_event_uac_bypass_winsat.yml description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52) DRL 1.0
sigma registry_event_uac_bypass_winsat.yml TargetObject\|contains: '\Root\InventoryApplicationFile\winsat.exe\|' DRL 1.0
sigma registry_event_uac_bypass_winsat.yml Details\|endswith: '\appdata\local\temp\system32\winsat.exe' DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.