compact.exe

• File Path: C:\WINDOWS\SysWOW64\compact.exe
• Description: File Compress Utility

Hashes

Type	Hash
MD5	0BB18C2EFD6001613974ADB7AB53F6C7
SHA1	39D6C389E86A4DE3F0766D0D637CAD8A7C2160D0
SHA256	A6D034A973CA0C55D7568D10D9851DF926F04292279624A5CFA3640F4AAED874
SHA384	0BF74F2F9E4DB94D6146F5CD409835F0F14FEC6EF7CCA46B3E10666FDA06DD1F94DF754D3965FEFC36BB3BAD3DDA5D65
SHA512	E7A0DC1D82FAE9C9BD36EA73A86B0E9AF275D116C6B99AABEB069341E9B407E75F02DB0C7DB3352C7A435BD6CBA0A64DC048E5FAC9167E7B9EEACFFD0ADB335A
SSDEEP	768:UZQMj1pHpIkEjfC3wVuwRdIdGRXj/VMel58YzM1ptxjfATAtn9VIgrIk+UucayFw:UZQMj1pHpTEjfLNiEz2fjtrIk/uIFr1q
IMP	2F681D6796F539A29BE2FD4CBC0E65DF
PESHA1	F0239CBB6B3409FAFD934372128E271DF6CB5A3A
PE256	37344BF99EF39562D124CA7CFAC1109E710A928FE740D24BAE5652457A1A0949

Runtime Data

Usage (stdout):

Displays or alters the compression of files on NTFS partitions.

COMPACT [/C | /U] [/S[:dir]] [/A] [/I] [/F] [/Q] [/EXE[:algorithm]]
        [/CompactOs[:option] [/WinDir:dir]] [filename [...]]

  /C         Compresses the specified files.  Directories will be marked
             so that files added afterward will be compressed unless /EXE
             is specified.
  /U         Uncompresses the specified files.  Directories will be marked
             so that files added afterward will not be compressed.  If
             /EXE is specified, only files compressed as executables will
             be uncompressed; if this is omitted, only NTFS compressed
             files will be uncompressed.
  /S         Performs the specified operation on files in the given
             directory and all subdirectories.  Default "dir" is the
             current directory.
  /A         Displays files with the hidden or system attributes.  These
             files are omitted by default.
  /I         Continues performing the specified operation even after errors
             have occurred.  By default, COMPACT stops when an error is
             encountered.
  /F         Forces the compress operation on all specified files, even
             those which are already compressed.  Already-compressed files
             are skipped by default.
  /Q         Reports only the most essential information.
  /EXE       Use compression optimized for executable files which are read
             frequently and not modified.  Supported algorithms are:
             XPRESS4K  (fastest) (default)
             XPRESS8K
             XPRESS16K
             LZX       (most compact)
  /CompactOs Set or query the system's compression state.  Supported options are:
             query  - Query the system's Compact state.
             always - Compress all OS binaries and set the system state to Compact
                      which remains unless administrator changes it.
             never  - Uncompress all OS binaries and set the system state to non
                      Compact which remains unless administrator changes it.
  /WinDir    Used with /CompactOs:query, when querying the offline OS. Specifies
             the directory where Windows is installed.
  filename   Specifies a pattern, file, or directory.

  Used without parameters, COMPACT displays the compression state of
  the current directory and any files it contains. You may use multiple
  filenames and wildcards.  You must put spaces between multiple
  parameters.

Loaded Modules:

Path
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\System32\wow64.dll
C:\WINDOWS\System32\wow64base.dll
C:\WINDOWS\System32\wow64con.dll
C:\WINDOWS\System32\wow64cpu.dll
C:\WINDOWS\System32\wow64win.dll
C:\WINDOWS\SysWOW64\compact.exe

Signature

• Status: Signature verified.
• Serial: 33000002ED2C45E4C145CF48440000000002ED
• Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
• Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
• Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

• Original Filename: COMPACT.EXE
• Product Name: Microsoft Windows Operating System
• Company Name: Microsoft Corporation
• File Version: 10.0.22000.1 (WinBuild.160101.0800)
• Product Version: 10.0.22000.1
• Language: English (United States)
• Legal Copyright: Microsoft Corporation. All rights reserved.
• Machine Type: 32-bit

File Scan

• VirusTotal Detections: 0/73
• VirusTotal Link: https://www.virustotal.com/gui/file/a6d034a973ca0c55d7568d10d9851df926f04292279624a5cfa3640f4aaed874/detection

File Similarity (ssdeep match)

File	Score
C:\WINDOWS\SysWOW64\compact.exe	38
C:\Windows\SysWOW64\compact.exe	44
C:\Windows\SysWOW64\compact.exe	38
C:\Windows\SysWOW64\WofUtil.dll	36

Possible Misuse

The following table contains possible examples of compact.exe being misused. While compact.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source	Source File	Example	License
malware-ioc	adjectives.txt	compact	© ESET 2014-2018

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.

---

compact

Displays or alters the compression of files or directories on NTFS partitions. If used without parameters, compact displays the compression state of the current directory and any files it contains.

Syntax

compact [/C | /U] [/S[:dir]] [/A] [/I] [/F] [/Q] [/EXE[:algorithm]] [/CompactOs[:option] [/windir:dir]] [filename [...]]

Parameters

Parameter	Description
/c	Compresses the specified directory or file. Directories are marked so any files added afterwards are compressed, unless the /EXE parameter is specified.
/u	Uncompresses the specified directory or file. Directories are marked so any files added afterwards aren’t compressed. If the /EXE parameter is specified, only files compressed as executables are uncompressed; if you don’t specify the /EXE parameter, only NTFS compressed files are uncompressed.
/s[:<dir>]	Performs the chosen operation on files in the specified directory and all subdirectories. By default, the current directory is used as the <dir> value.
/a	Displays hidden or system files. By default, these files aren’t included.
/i	Continues performing the specified operation, ignoring errors. By default, this command stops when an error is encountered.
/f	Forces compression or uncompression of the specified directory or file. Already-compressed files are skipped by default. The /f parameter is used in the case of a file that was partly compressed when the operation was interrupted by a system crash. To force the file to be compressed in its entirety, use the /c and /f parameters and specify the partially compressed file.
/q	Reports only the most essential information.
/EXE	Uses compression optimized for executable files that are read frequently, but not modified. Supported algorithms are:<ul><li>XPRESS4K (fastest and default value)</li><li>XPRESS8K</li><li>XPRESS16K</li><li>LZX (most compact)</li></ul>
/CompactOs	Sets or queries the system’s compression state. Supported options are:<ul><li>query - Queries the system’s Compact state.</li><li>always - Compresses all operating system binaries and sets the system state to Compact, which remains unless administrator changes it.</li><li>never - Uncompresses all operating system binaries and sets the system state to non-Compact, which remains unless administrator changes it.</li></ul>
/windir	Used with the /CompactOs:query parameter, when querying the offline operating system. Specifies the directory where Windows is installed.
<filename>	Specifies a pattern, file, or directory. You can use multiple file names, and the * and ? wildcard characters.
/?	Displays help at the command prompt.

Remarks

• This command is the command-line version of the NTFS file system compression feature. The compression state of a directory indicates whether files are automatically compressed when they are added to the directory. Setting the compression state of a directory does not necessarily change the compression state of files that are already in the directory.

• You can’t use this command to read, write, or mount volumes compressed using DriveSpace or DoubleSpace. You also can’t use this command to compress file allocation table (FAT) or FAT32 partitions.

Examples

To set the compression state of the current directory, its subdirectories, and existing files, type:

compact /c /s

To set the compression state of files and subdirectories within the current directory, without altering the compression state of the current directory itself, type:

compact /c /s *.*

To compress a volume, from the root directory of the volume, type:

compact /c /i /s:\

[!NOTE] This example sets the compression state of all directories (including the root directory on the volume) and compresses every file on the volume. The /i parameter prevents error messages from interrupting the compression process.

To compress all files with the .bmp file name extension in the \tmp directory and all subdirectories of \tmp, without modifying the compressed attribute of the directories, type:

compact /c /s:\tmp *.bmp

To force complete compression of the file zebra.bmp, which was partially compressed during a system crash, type:

compact /c /f zebra.bmp

To remove the compressed attribute from the directory c:\tmp, without changing the compression state of any files in that directory, type:

compact /u c:\tmp

Additional References

• Command-Line Syntax Key

---

MIT License. Copyright (c) 2020-2021 Strontic.