diskpart.exe

  • File Path: C:\Windows\SysWOW64\diskpart.exe
  • Description: DiskPart

Hashes

Type Hash
MD5 80F589F5084671EE558096AF648936D7
SHA1 DB4163F570E8D597ADC483B5C09B088DD0C0006B
SHA256 24F001784D68CC80E944422807C052C0D2E9E51C75C3CD578DA610576208ABAA
SHA384 59ECFE462D5B2A244734E3AF14A426D3AAE3ADFB1DFBE2E9B2DC3DFFCFAA3A3266D57DA8A67A31306C0D2C0C66690E52
SHA512 21AD20469076D47F76802F6ED7030F2E510C019E9D819AE6E266CB8AC3DD25B99E39C6CF0472106CD7C05CE424396538595A7CE18F1DAA5751D5C5097775F444
SSDEEP 3072:FpPTkkd482hZtTG2IZOmaIoEuImgCh4NYXKAZWcclJDZZflnaK3QxiZeiO:Fpr9drn2MRagCh2CqzDLlnpTzO
IMP 037D23EC0A7AA77EB4DD8BDA72D2A94E
PESHA1 9E1543FBCB732708A9ACF8522067236B035F998A
PE256 7E85440B153582A5A2621DE23AB13081A5E63D0821D67ECE594D24EC9C45E67B

Runtime Data

Usage (stdout):


Microsoft DiskPart version 10.0.17763.1

Copyright (C) Microsoft Corporation.
On computer: Default-PC

Microsoft DiskPart syntax:
	diskpart [/s <script>] [/?]

	/s <script> - Use a DiskPart script.
	/?          - Show this help screen.

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\diskpart.exe

Signature

  • Status: Signature verified.
  • Serial: 33000001C422B2F79B793DACB20000000001C4
  • Thumbprint: AE9C1AE54763822EEC42474983D8B635116C8452
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: diskpart.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/71
  • VirusTotal Link: https://www.virustotal.com/gui/file/24f001784d68cc80e944422807c052c0d2e9e51c75c3cd578da610576208abaa/detection/

Possible Misuse

The following table contains possible examples of diskpart.exe being misused. While diskpart.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_malware_wannacry.yml # - '\diskpart.exe' # cannot be used in a rule of level critical DRL 1.0
sigma proc_creation_win_multiple_suspicious_cli.yml - diskpart.exe DRL 1.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


diskpart

Applies to: Windows Server 2022, Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2, Windows Server 2008

The diskpart command interpreter helps you manage your computer’s drives (disks, partitions, volumes, or virtual hard disks).

Before you can use diskpart commands, you must first list, and then select an object to give it focus. After an object has focus, any diskpart commands that you type will act on that object.

List available objects

You can list the available objects and determine an object’s number or drive letter by using:

  • list disk - Displays all the disks on the computer.

  • list volume - Displays all the volumes on the computer.

  • list partition - Displays the partitions on the disk that has focus on the computer.

  • list vdisk - Displays all the virtual disks on the computer.

After you run the list commands, an asterisk (*) appears next to the object with focus.

Determine focus

When you select an object, the focus remains on that object until you select a different object. For example, if the focus is set on disk 0 and you select volume 8 on disk 2, the focus shifts from disk 0 to disk 2, volume 8.

Some commands automatically change the focus. For example, when you create a new partition, the focus automatically switches to the new partition.

You can only give focus to a partition on the selected disk. After a partition has focus, the related volume (if any) also has focus. After a volume has focus, the related disk and partition also have focus if the volume maps to a single specific partition. If this isn’t the case, focus on the disk and partition is lost.

Syntax

To start the diskpart command interpreter, at the command prompt type:

diskpart <parameter>

[!IMPORTANT] You must be in your local Administrators group, or a group with similar permissions, to run diskpart.

Parameters

You can run the following commands from the Diskpart command interpreter:

Command Description
active Marks the disk’s partition with focus, as active.
add Mirrors the simple volume with focus to the specified disk.
assign Assigns a drive letter or mount point to the volume with focus.
attach vdisk Attaches (sometimes called mounts or surfaces) a virtual hard disk (VHD) so that it appears on the host computer as a local hard disk drive.
attributes Displays, sets, or clears the attributes of a disk or volume.
automount Enables or disables the automount feature.
break Breaks the mirrored volume with focus into two simple volumes.
clean Removes any and all partition or volume formatting from the disk with focus.
compact vdisk Reduces the physical size of a dynamically expanding virtual hard disk (VHD) file.
convert Converts file allocation table (FAT) and FAT32 volumes to the NTFS file system, leaving existing files and directories intact.
create Creates a partition on a disk, a volume on one or more disks, or a virtual hard disk (VHD).
delete Deletes a partition or a volume.
detach vdisk Stops the selected virtual hard disk (VHD) from appearing as a local hard disk drive on the host computer.
detail Displays information about the selected disk, partition, volume, or virtual hard disk (VHD).
exit Exits the diskpart command interpreter.
expand vdisk Expands a virtual hard disk (VHD) to the size that you specify.
extend Extends the volume or partition with focus, along with its file system, into free (unallocated) space on a disk.
filesystems Displays information about the current file system of the volume with focus and lists the file systems that are supported for formatting the volume.
format Formats a disk to accept Windows files.
gpt Assigns the gpt attribute(s) to the partition with focus on basic GUID partition table (gpt) disks.
help Displays a list of the available commands or detailed help information on a specified command.
import Imports a foreign disk group into the disk group of the local computer.
inactive Marks the system partition or boot partition with focus as inactive on basic master boot record (MBR) disks.
list Displays a list of disks, of partitions in a disk, of volumes in a disk, or of virtual hard disks (VHDs).
merge vdisk Merges a differencing virtual hard disk (VHD) with its corresponding parent VHD.
offline Takes an online disk or volume to the offline state.
online Takes an offline disk or volume to the online state.
recover Refreshes the state of all disks in a disk group, attempt to recover disks in an invalid disk group, and resynchronizes mirrored volumes and RAID-5 volumes that have stale data.
rem Provides a way to add comments to a script.
remove Removes a drive letter or mount point from a volume.
repair Repairs the RAID-5 volume with focus by replacing the failed disk region with the specified dynamic disk.
rescan Locates new disks that may have been added to the computer.
retain Prepares an existing dynamic simple volume to be used as a boot or system volume.
san Displays or sets the storage area network (san) policy for the operating system.
select Shifts the focus to a disk, partition, volume, or virtual hard disk (VHD).
set id Changes the partition type field for the partition with focus.
shrink Reduces the size of the selected volume by the amount you specify.
uniqueid Displays or sets the GUID partition table (GPT) identifier or master boot record (MBR) signature for the disk with focus.

Additional References


MIT License. Copyright (c) 2020-2021 Strontic.