fsutil.exe
- File Path:
C:\WINDOWS\SysWOW64\fsutil.exe - Description: fsutil.exe
Hashes
| Type | Hash |
|---|---|
| MD5 | 67F2C4EF842B25A95F3B35928F8216F8 |
| SHA1 | FF29E07937FB429B30A6C1C1E185D9112C6C4C92 |
| SHA256 | B9FE14610C16FB1B1A6F23A6B5CDFFCB6CAF8294177FFD78EB505DEED6443386 |
| SHA384 | 04813DBC60AB456274F696D8B52412E34D23120214C99D2F76AC54D776F3381B0247B2415F8DDD9EC108194B72926730 |
| SHA512 | BA430ADD27DF9945E3A0FD87BCFD7E29A0517CFCCD6D542E0ABA674426A3AFBD3A4F0C39427C4E295B31CCFC8A22253AB076D591E2A412CF1263FA9245A43888 |
| SSDEEP | 3072:Jy//BP19dJ7Vn9+blQCXLdu7LEAcFhAsGk359y7r81hwTmd9S3p:4BP9J7hIblvcCCg59yk1hwTmop |
| IMP | 2907E8A6FF3315D8AFDF6FD9E0FEE470 |
| PESHA1 | 94702C4EDD6D182184A4FFF53A6BC2CB01E7BB81 |
| PE256 | 5E250581FD5F3E4D9097CD7245C27242DCA53B0EE653CF0E82DB244462925E91 |
Runtime Data
Usage (stdout):
--help is an invalid parameter.
---- Commands Supported ----
8dot3name 8dot3name management
behavior Control file system behavior
bypassIo BypassIo management
dax Dax volume management
dirty Manage volume dirty bit
file File specific commands
fsInfo File system information
hardlink Hardlink management
objectID Object ID management
quota Quota management
repair Self healing management
reparsePoint Reparse point management
storageReserve Storage Reserve management
resource Transactional Resource Manager management
sparse Sparse file control
tiering Storage tiering property management
trace File system trace management
transaction Transaction management
usn USN management
volume Volume management
wim Transparent wim hosting management
Loaded Modules:
| Path |
|---|
| C:\WINDOWS\SYSTEM32\ntdll.dll |
| C:\WINDOWS\System32\wow64.dll |
| C:\WINDOWS\System32\wow64base.dll |
| C:\WINDOWS\System32\wow64con.dll |
| C:\WINDOWS\System32\wow64cpu.dll |
| C:\WINDOWS\System32\wow64win.dll |
| C:\WINDOWS\SysWOW64\fsutil.exe |
Signature
- Status: Signature verified.
- Serial:
33000002ED2C45E4C145CF48440000000002ED - Thumbprint:
312860D2047EB81F8F58C29FF19ECDB4C634CF6A - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: fsutil.exe
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.22000.282 (WinBuild.160101.0800)
- Product Version: 10.0.22000.282
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 32-bit
File Scan
- VirusTotal Detections: 0/73
- VirusTotal Link: https://www.virustotal.com/gui/file/b9fe14610c16fb1b1a6f23a6b5cdffcb6caf8294177ffd78eb505deed6443386/detection
Possible Misuse
The following table contains possible examples of fsutil.exe being misused. While fsutil.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | proc_creation_win_fsutil_symlinkevaluation.yml | title: Fsutil Behavior Set SymlinkEvaluation |
DRL 1.0 |
| sigma | proc_creation_win_fsutil_symlinkevaluation.yml | - https://docs.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior |
DRL 1.0 |
| sigma | proc_creation_win_fsutil_symlinkevaluation.yml | Image\|endswith: fsutil.exe |
DRL 1.0 |
| sigma | proc_creation_win_susp_fsutil_usage.yml | title: Fsutil Suspicious Invocation |
DRL 1.0 |
| sigma | proc_creation_win_susp_fsutil_usage.yml | description: Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc). Might be used by ransomwares during the attack (seen by NotPetya and others). |
DRL 1.0 |
| sigma | proc_creation_win_susp_fsutil_usage.yml | - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn |
DRL 1.0 |
| sigma | proc_creation_win_susp_fsutil_usage.yml | Image\|endswith: '\fsutil.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_fsutil_usage.yml | OriginalFileName: 'fsutil.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_spoolsv_child_processes.yml | - \fsutil.exe |
DRL 1.0 |
| atomic-red-team | index.md | - Atomic Test #1: Indicator Removal using FSUtil [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #1: Indicator Removal using FSUtil [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | T1070.md | - Atomic Test #1 - Indicator Removal using FSUtil | MIT License. © 2018 Red Canary |
| atomic-red-team | T1070.md | ## Atomic Test #1 - Indicator Removal using FSUtil | MIT License. © 2018 Red Canary |
| atomic-red-team | T1070.md | will be displayed. More information about fsutil can be found at https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn | MIT License. © 2018 Red Canary |
| atomic-red-team | T1070.md | fsutil usn deletejournal /D C: | MIT License. © 2018 Red Canary |
| atomic-red-team | T1070.md | fsutil usn createjournal m=1000 a=100 c: | MIT License. © 2018 Red Canary |
| signature-base | crime_badrabbit.yar | $s4 = “fsutil usn deletejournal /D %c:” fullword wide | CC BY-NC 4.0 |
| signature-base | crime_nopetya_jun17.yar | $x5 = “fsutil usn deletejournal /D %c:” fullword wide | CC BY-NC 4.0 |
Additional Info*
*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.
fsutil
Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows 10, Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008 R2, Windows 7
Performs tasks that are related to file allocation table (FAT) and NTFS file systems, such as managing reparse points, managing sparse files, or dismounting a volume. If it’s used without parameters, fsutil displays a list of supported subcommands.
[!NOTE] You must be logged on as an administrator or a member of the Administrators group to use fsutil. This command is quite powerful and should be used only by advanced users who have a thorough knowledge of Windows operating systems.
You must enable Windows Subsystem for Linux before you can run fsutil. Run the following command as Administrator in PowerShell to enable this optional feature:
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-LinuxYou’ll be prompted to restart your computer once it’s installed. After your computer restarts, you’ll be able to run Fsutil as an administrator.
Parameters
| Subcommand | Description |
|---|---|
| fsutil 8dot3name | Queries or changes the settings for short name behavior on the system, for example, generates 8.3 character-length file names. Removes short names for all files within a directory. Scans a directory and identifies registry keys that might be impacted if short names were stripped from the files in the directory. |
| fsutil dirty | Queries whether the volume’s dirty bit is set or sets a volume’s dirty bit. When a volume’s dirty bit is set, autochk automatically checks the volume for errors the next time the computer is restarted. |
| fsutil file | Finds a file by user name (if Disk Quotas are enabled), queries allocated ranges for a file, sets a file’s short name, sets a file’s valid data length, sets zero data for a file, creates a new file of a specified size, finds a file ID if given the name, or finds a file link name for a specified file ID. |
| fsutil fsinfo | Lists all drives and queries the drive type, volume information, NTFS-specific volume information, or file system statistics. |
| fsutil hardlink | Lists hard links for a file, or creates a hard link (a directory entry for a file). Every file can be considered to have at least one hard link. On NTFS volumes, each file can have multiple hard links, so a single file can appear in many directories (or even in the same directory, with different names). Because all of the links reference the same file, programs can open any of the links and modify the file. A file is deleted from the file system only after all links to it are deleted. After you create a hard link, programs can use it like any other file name. |
| fsutil objectid | Manages object identifiers, which are used by the Windows operating system to track objects such as files and directories. |
| fsutil quota | Manages disk quotas on NTFS volumes to provide more precise control of network-based storage. Disk quotas are implemented on a per-volume basis and enable both hard- and soft-storage limits to be implemented on a per-user basis. |
| fsutil repair | Queries or sets the self-healing state of the volume. Self-healing NTFS attempts to correct corruptions of the NTFS file system online without requiring Chkdsk.exe to be run. Includes initiating on-disk verification and waiting for repair completion. |
| fsutil reparsepoint | Queries or deletes reparse points (NTFS file system objects that have a definable attribute containing user-controlled data). Reparse points are used to extend functionality in the input/output (I/O) subsystem. They are used for directory junction points and volume mount points. They are also used by file system filter drivers to mark certain files as special to that driver. |
| fsutil resource | Creates a Secondary Transactional Resource Manager, starts or stops a Transactional Resource Manager, displays information about a Transactional Resource Manager or modifies its behavior. |
| fsutil sparse | Manages sparse files. A sparse file is a file with one or more regions of unallocated data in it. A program will see these unallocated regions as containing bytes with the value zero, but no disk space is used to represent these zeros. All meaningful or nonzero data is allocated, whereas all non-meaningful data (large strings of data composed of zeros) is not allocated. When a sparse file is read, allocated data is returned as stored and unallocated data is returned as zeros (by default in accordance with the C2 security requirement specification). Sparse file support allows data to be deallocated from anywhere in the file. |
| fsutil tiering | Enables management of storage tier functions, such as setting and disabling flags and listing of tiers. |
| fsutil transaction | Commits a specified transaction, rolls back a specified transaction, or displays info about the transaction. |
| fsutil usn | Manages the update sequence number (USN) change journal, which provides a persistent log of all changes made to files on the volume. |
| fsutil volume | Manages a volume. Dismounts a volume, queries to see how much free space is available on a disk, or finds a file that is using a specified cluster. |
| fsutil wim | Provides functions to discover and manage WIM-backed files. |
Additional References
MIT License. Copyright (c) 2020-2021 Strontic.