cleanmgr.exe
- File Path:
C:\Windows\system32\cleanmgr.exe - Description: Disk Space Cleanup Manager for Windows
Screenshot
Hashes
| Type | Hash |
|---|---|
| MD5 | D17E532DB343357FC9EBF5E559820BD4 |
| SHA1 | 6EDC7C835D5C3410909999690D0ECF3D3EDB480A |
| SHA256 | A43C79ECAE0D4726157FBB2E9E2E314D3622201678B56DB514AAE50EA84A09F9 |
| SHA384 | A6664786AEB39A5C0170F8BC80A592F0D85C95C267ABB9456DCA980BB0ED4DC548B220357767025C2D878E2D3DE43D80 |
| SHA512 | 225E4959335DEFFF69D91358DDE1DF86CF54A19325F0589A316F57923101BE6A5244F6E845A18CBBD9A017870F5BC150F3D2C8ABC007BD0EE1F125623F0C4778 |
| SSDEEP | 3072:bQVx/3xmYvearjjPFC2bbymKByAEPGRvQhRkKqUa9antF5hvvJkuXpZ:a57XgtmKBFE+ohSKq99UF5hvv/ |
| IMP | 05A7686561BB995BEAD3C54DB2591AD1 |
| PESHA1 | F03F295A9CE64F4891A49DC00A4BB4941894CC67 |
| PE256 | 007BBD0E071911888E111FCC487927AA67A2892703541D724A77216F67799AAF |
Runtime Data
Child Processes:
DismHost.exe
Window Title:
USAGE
Open Handles:
| Path | Type |
|---|---|
| (R-D) C:\Windows\Fonts\StaticCache.dat | File |
| (R-D) C:\Windows\System32\en-US\cleanmgr.exe.mui | File |
| (RW-) C:\Users\user | File |
| (RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21 | File |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2 | Section |
| \BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 | Section |
| \BaseNamedObjects\NLS_CodePage_437_3_2_0_0 | Section |
| \Sessions\1\Windows\Theme1175649999 | Section |
| \Windows\Theme601709542 | Section |
Loaded Modules:
| Path |
|---|
| C:\Windows\System32\advapi32.dll |
| C:\Windows\system32\cleanmgr.exe |
| C:\Windows\System32\combase.dll |
| C:\Windows\System32\GDI32.dll |
| C:\Windows\System32\gdi32full.dll |
| C:\Windows\System32\KERNEL32.DLL |
| C:\Windows\System32\KERNELBASE.dll |
| C:\Windows\System32\msvcp_win.dll |
| C:\Windows\System32\msvcrt.dll |
| C:\Windows\SYSTEM32\ntdll.dll |
| C:\Windows\System32\ole32.dll |
| C:\Windows\System32\OLEAUT32.dll |
| C:\Windows\System32\RPCRT4.dll |
| C:\Windows\System32\sechost.dll |
| C:\Windows\System32\SHELL32.dll |
| C:\Windows\System32\SHLWAPI.dll |
| C:\Windows\System32\ucrtbase.dll |
| C:\Windows\System32\USER32.dll |
| C:\Windows\system32\VSSAPI.DLL |
| C:\Windows\system32\VssTrace.DLL |
| C:\Windows\System32\win32u.dll |
| C:\Windows\System32\WS2_32.dll |
| C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21\COMCTL32.dll |
Signature
- Status: Signature verified.
- Serial:
3300000266BD1580EFA75CD6D3000000000266 - Thumbprint:
A4341B9FD50FB9964283220A36A1EF6F6FAA7840 - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: CLEANMGR.DLL.MUI
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.19041.1 (WinBuild.160101.0800)
- Product Version: 10.0.19041.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 64-bit
File Scan
- VirusTotal Detections: 0/76
- VirusTotal Link: https://www.virustotal.com/gui/file/a43c79ecae0d4726157fbb2e9e2e314d3622201678b56db514aae50ea84a09f9/detection
File Similarity (ssdeep match)
Possible Misuse
The following table contains possible examples of cleanmgr.exe being misused. While cleanmgr.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | proc_creation_win_susp_run_folder.yml | - 'C:\Windows\System32\cleanmgr.exe' |
DRL 1.0 |
| sigma | proc_creation_win_uac_bypass_cleanmgr.yml | description: Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34) |
DRL 1.0 |
| sigma | proc_creation_win_uac_bypass_cleanmgr.yml | CommandLine\|endswith: '"\system32\cleanmgr.exe /autoclean /d C:' |
DRL 1.0 |
| sigma | registry_event_bypass_uac_using_silentcleanup_task.yml | description: There is an auto-elevated task called SilentCleanup located in %windir%\system32\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC |
DRL 1.0 |
| atomic-red-team | T1548.002.md | There is an auto-elevated task called SilentCleanup located in %windir%\system32\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC (even highest level). | MIT License. © 2018 Red Canary |
Additional Info*
*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.
cleanmgr
Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012, Windows Server 2008 R2
Clears unnecessary files from your computer’s hard disk. You can use command-line options to specify that Cleanmgr cleans up Temp files, Internet files, downloaded files, and Recycle Bin files. You can then schedule the task to run at a specific time by using the Scheduled Tasks tool.
Syntax
cleanmgr [/d <driveletter>] [/sageset:n] [/sagerun:n] [/TUNEUP:n] [/LOWDISK] [/VERYLOWDISK]
Parameters
| Parameter | Description |
|---|---|
/d <driveletter> |
Specifies the drive that you want Disk Cleanup to clean.<p>NOTE: The /d option is not utilized with /sagerun:n. |
| /sageset:n | Displays the Disk Cleanup Settings dialog box and also creates a registry key to store the settings that you select. The n value, which is stored in the registry, allows you to specify tasks for Disk Cleanup to run. The n value can be any integer value from 0 to 9999. |
| /sagerun:n | Runs the specified tasks that are assigned to the n value if you use the /sageset option. All drives on the computer are enumerated and the selected profile runs against each drive. |
| /tuneup:n | Run /sageset and /sagerun for the same n . |
| /lowdisk | Run with the default settings. |
| /verylowdisk | Run with the default settings, no user prompts. |
| /? | Displays help at the command prompt. |
Options
The options for the files that you can specify for Disk Cleanup by using /sageset and /sagerun include:
-
Temporary Setup Files - These are files that were created by a Setup program that is no longer running.
-
Downloaded Program Files - Downloaded program files are ActiveX controls and Java programs that are downloaded automatically from the Internet when you view certain pages. These files are temporarily stored in the Downloaded Program Files folder on the hard disk. This option includes a View Files button so that you can see the files before Disk Cleanup removes them. The button opens the C:\Winnt\Downloaded Program Files folder.
-
Temporary Internet Files - The Temporary Internet Files folder contains Web pages that are stored on your hard disk for quick viewing. Disk Cleanup removes these page but leaves your personalized settings for Web pages intact. This option also includes a View Files button, which opens the C:\Documents and Settings\Username\Local Settings\Temporary Internet Files\Content.IE5 folder.
-
Old Chkdsk Files - When Chkdsk checks a disk for errors, Chkdsk might save lost file fragments as files in the root folder on the disk. These files are unnecessary.
-
Recycle Bin - The Recycle Bin contains files that you have deleted from the computer. These files are not permanently removed until you empty the Recycle Bin. This option includes a View Files button that opens the Recycle Bin.<p>Note: A Recycle Bin may appear in more than one drive, for example, not just in %SystemRoot%.
-
Temporary Files - Programs sometimes store temporary information in a Temp folder. Before a program quits, the program usually deletes this information. You can safely delete temporary files that have not been modified within the last week.
-
Temporary Offline Files - Temporary offline files are local copies of recently used network files. These files are automatically cached so that you can use them after you disconnect from the network. A View Files button opens the Offline Files folder.
-
Offline Files - Offline files are local copies of network files that you specifically want to have available offline so that you can use them after you disconnect from the network. A View Files button opens the Offline Files folder.
-
Compress Old Files - Windows can compress files that you have not used recently. Compressing files saves disk space, but you can still use the files. No files are deleted. Because files are compressed at different rates, the displayed amount of disk space that you will gain is approximate. An Options button permits you to specify the number of days to wait before Disk Cleanup compresses an unused file.
-
Catalog Files for the Content Indexer - The Indexing service speeds up and improves file searches by maintaining an index of the files that are on the disk. These Catalog files remain from a previous indexing operation and can be deleted safely.<p>Note: Catalog File may appear in more than one drive, for example, not just in
%SystemRoot%.
[!NOTE] If you specify cleaning up the drive that contains the Windows installation, all of these options are available on the Disk Cleanup tab. If you specify any other drive, only the Recycle Bin and the Catalog files for content index options are available on the Disk Cleanup tab.
Examples
To run the Disk Cleanup app so that you can use its dialog box to specify options for use later, saving the settings to the set 1, type the following:
cleanmgr /sageset:1
To run Disk Cleanup and include the options that you specified with the cleanmgr /sageset:1 command, type:
cleanmgr /sagerun:1
To run cleanmgr /sageset:1 and cleanmgr /sagerun:1 together, type:
cleanmgr /tuneup:1
Additional References
MIT License. Copyright (c) 2020-2021 Strontic.