• File Path: C:\Windows\system32\WinSAT.exe
  • Description: Windows System Assessment Tool


Type Hash
MD5 FC2414F108B613366BDE7AE897AB53A1
SHA1 ACEC8C7A1C2535963E11151D3FFE68921FA82625
SHA256 D25B452CCC0FE3A5E39B9BAECD913AFD15758428B52B0C1F50AC85ACA2D3405A
SHA384 E05597B00A8C0E3DE02CA835F4DB981EF8F0FDD3E475285E8FDDF2E58303D1F3ACECD47C35C5E37F91836136C896C3EF
SHA512 F6D2D8463EAD453131ECD18C61EE8F1D88094A54E42A4F158532B3A6BAB1D7DEA02BDC2CDD8C31975C932CAE43528FF8FDBE20D60E3EDB38C1E3B7073E13EC54
SSDEEP 49152:0Mn9l8jZuRDTmPjRI2/MVAptUKDdKKYmq1dKwdfU2bECbe:pKjObbbH1DFE/
IMP 77CCB5C30DFB942E48EBC52E645CF431
PESHA1 B7654195B4380E5672FF4F27AC42F5514E965BB9
PE256 8868E54D0E7E71D92A07AA062B0A50360CB3F5B83C7E201C3F37498F5069EB21

Runtime Data

Usage (stdout):

Windows System Assessment Tool

    WINSAT <assessment_name> [switches]

It's necessary to supply an assessment name.  In contrast, switches are optional. 
Valid assessment names already seen in Vista include: 

    formal		run the full set of assessments 

    dwm		Run the Desktop Windows Manager assessment
            - Re-assess the systems graphics capabilities and 
              restart the Desktop Window Manager.

    cpu		Run the CPU assessment.  
    mem		Run the system memory assessment.  
    d3d		Run the d3d assessment 
                (Note that the d3d assessment no longer runs the workload. 
                For backward compatibility, pre-determined scores and metrics are reported.)
    disk		Run the storage assessment
    media		Run the media assessment 			
    mfmedia		Run the Media Foundation based assessment	
    features	Run just the features assessment      		
            - Enumerates the system's features. 
            - It's best used with the -xml <filename> switch 
            to save the data.  
            - The 'eef'switch can be used to enumerate extra 
            features such as optical disks,	memory modules, 
            and other items.
The new command-line  options for pre-populating WinSAT assessment results are :  
    Winsat prepop [-datastore <directory>] [ -graphics | -cpu | -mem | -disk | -dwm ]

This generates WinSAT xml files whose filenames contain "prepop".  For example :
    0008-09-26 Cpu.Assessment (Prepop).WinSAT.xml

The filename pattern is :	
    %IdentifierDerivedFromDate% %Component%.Assessment(Prepop).WinSAT.xml

The datastore directory option specifies an alternative target location for generated xml files. 
If no location is specified, everything is pre-populated to 

To generate a full set of result xml files, use "winsat prepop".  

It is also possible to pre-populate results for a subsystem, such as CPU, 
subject to the following dependencies:

    The CPU assessment has a secondary dependency on the Memory assessment
    The Memory assessment has a secondary dependency on the CPU assessment
    The Graphics assessment has a secondary dependency on both CPU and Memory assessments
    The DWM assessment can run standalone
    The Disk assessment can run standalone 

If the assessment for a secondary dependency is not present, WinSAT will run the 
secondary assessment along with the requested primary assessment.  

For example,  "winsat prepop -cpu"  will run both the CPU and the Memory test, 
if the xml file for the Memory test is not present.	


    dwmformal	Run Desktop Windows Manager assessment to generate the WinSAT Graphics score
    cpuformal	Run CPU assessment to generate the WinSAT Processor score
    memformal	Run Memory assessment to generate the WinSAT Memory (RAM) score
    graphicsformal	Run Graphics assessment to generate the WinSAT Gaming Graphics score
    diskformal	Run Disk assessment to generate the WinSAT Primary Hard Disk score
All formal assessments will save the data (xml files) in 

If a system has been prepopulated (using files generated by the "winsat prepop" option), 
it is not necessary to run formal assessments.

While investigating results, it may be convenient to look at individual assessments.  
Options for running Gaming Graphics sub-assessments include:

    Winsat graphicsformal3d
    Winsat graphicsformalmedia

    DX9 Variations:  
        Winsat d3d -dx9
        winsat d3d -batch
        winsat d3d -alpha
        winsat d3d -tex
        winsat d3d -alu

    DWM/DX10 variations:  
        Winsat d3d -dx10
        winsat d3d -dx10 -alpha
        winsat d3d -dx10 -tex
        winsat d3d -dx10 -alu
        winsat d3d -dx10 -batch
        winsat d3d -dx10 -geomf4
        winsat d3d -dx10 -geomf27
        winsat d3d -dx10 -geomv8
        winsat d3d -dx10 -gemov32
        winsat d3d -dx10 -cbuffer


The default behavior for "WinSAT formal" when a complete set of winsat formal files is present 
and a second "winsat formal" run is requested is to 
    1) Run incrementally if component change implies that an assessment needs to be re-run, 
        e.g. if a video card were updated  
    2) If no component updates were detected, re-run all assessments.

    The restart option enables behavior other than the default.  The syntax is :   	
        Winsat formal -restart [clean|never]
        Winsat formal -restart	 	Reruns all assessments. 
        Winsat formal -restart never 	Attempts to run incrementally.
        Winsat formal -restart clean 	Reruns all assessments and provides the same functionality as "forgethistory". 
        Winsat forgethistory		Choosing to forgethistory will rate a machine as if for the first time.

    -v			Enables verbose output
    -xml			Saves the XML output to 'filename'

    <command> -log <fn>	Generates a log file associated with the specified command, such as disk
                The -log switch can be used with any WinSAT command.

    viewlog -i <filename> 	Dumps the results of a log file .  
    viewevents 		Used to view relevant winsat events in the event log. 
                (This launches the event log)
    query 			Can be used to query the current datastore.

Usage (stderr):

Error: Unable to run inside of a Virtual Machine.  Please try again running directly on the native hardware.

Loaded Modules:



  • Status: Signature verified.
  • Serial: 33000002EC6579AD1E670890130000000002EC
  • Thumbprint: F7C2F2C96A328C13CDA8CDB57B715BDEA2CBD1D9
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: WinSAT.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link:

File Similarity (ssdeep match)

File Score
C:\Windows\system32\WinSAT.exe 49
C:\Windows\system32\WinSAT.exe 52
C:\Windows\system32\WinSAT.exe 49
C:\WINDOWS\system32\WinSAT.exe 43
C:\WINDOWS\system32\WinSAT.exe 50

Possible Misuse

The following table contains possible examples of WinSAT.exe being misused. While WinSAT.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma file_event_uac_bypass_winsat.yml title: UAC Bypass Abusing Winsat Path Parsing - File DRL 1.0
sigma file_event_uac_bypass_winsat.yml description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52) DRL 1.0
sigma file_event_uac_bypass_winsat.yml - '\AppData\Local\Temp\system32\winsat.exe' DRL 1.0
sigma win_uac_bypass_winsat.yml title: UAC Bypass Abusing Winsat Path Parsing - Process DRL 1.0
sigma win_uac_bypass_winsat.yml description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52) DRL 1.0
sigma win_uac_bypass_winsat.yml ParentImage\|endswith: '\AppData\Local\Temp\system32\winsat.exe' DRL 1.0
sigma win_uac_bypass_winsat.yml ParentCommandLine\|contains: 'C:\Windows \system32\winsat.exe' DRL 1.0
sigma registry_event_uac_bypass_winsat.yml title: UAC Bypass Abusing Winsat Path Parsing - Registry DRL 1.0
sigma registry_event_uac_bypass_winsat.yml description: Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52) DRL 1.0
sigma registry_event_uac_bypass_winsat.yml TargetObject\|contains: '\Root\InventoryApplicationFile\winsat.exe\|' DRL 1.0
sigma registry_event_uac_bypass_winsat.yml Details\|endswith: '\appdata\local\temp\system32\winsat.exe' DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.