fsutil.exe

  • File Path: C:\WINDOWS\SysWOW64\fsutil.exe
  • Description: fsutil.exe

Hashes

Type Hash
MD5 67F2C4EF842B25A95F3B35928F8216F8
SHA1 FF29E07937FB429B30A6C1C1E185D9112C6C4C92
SHA256 B9FE14610C16FB1B1A6F23A6B5CDFFCB6CAF8294177FFD78EB505DEED6443386
SHA384 04813DBC60AB456274F696D8B52412E34D23120214C99D2F76AC54D776F3381B0247B2415F8DDD9EC108194B72926730
SHA512 BA430ADD27DF9945E3A0FD87BCFD7E29A0517CFCCD6D542E0ABA674426A3AFBD3A4F0C39427C4E295B31CCFC8A22253AB076D591E2A412CF1263FA9245A43888
SSDEEP 3072:Jy//BP19dJ7Vn9+blQCXLdu7LEAcFhAsGk359y7r81hwTmd9S3p:4BP9J7hIblvcCCg59yk1hwTmop
IMP 2907E8A6FF3315D8AFDF6FD9E0FEE470
PESHA1 94702C4EDD6D182184A4FFF53A6BC2CB01E7BB81
PE256 5E250581FD5F3E4D9097CD7245C27242DCA53B0EE653CF0E82DB244462925E91

Runtime Data

Usage (stdout):

--help is an invalid parameter.
---- Commands Supported ----

8dot3name         8dot3name management
behavior          Control file system behavior
bypassIo          BypassIo management
dax               Dax volume management
dirty             Manage volume dirty bit
file              File specific commands
fsInfo            File system information
hardlink          Hardlink management
objectID          Object ID management
quota             Quota management
repair            Self healing management
reparsePoint      Reparse point management
storageReserve    Storage Reserve management
resource          Transactional Resource Manager management
sparse            Sparse file control
tiering           Storage tiering property management
trace             File system trace management
transaction       Transaction management
usn               USN management
volume            Volume management
wim               Transparent wim hosting management

Loaded Modules:

Path
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\System32\wow64.dll
C:\WINDOWS\System32\wow64base.dll
C:\WINDOWS\System32\wow64con.dll
C:\WINDOWS\System32\wow64cpu.dll
C:\WINDOWS\System32\wow64win.dll
C:\WINDOWS\SysWOW64\fsutil.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: fsutil.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.282 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.282
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/b9fe14610c16fb1b1a6f23a6b5cdffcb6caf8294177ffd78eb505deed6443386/detection

Possible Misuse

The following table contains possible examples of fsutil.exe being misused. While fsutil.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_fsutil_symlinkevaluation.yml title: Fsutil Behavior Set SymlinkEvaluation DRL 1.0
sigma proc_creation_win_fsutil_symlinkevaluation.yml - https://docs.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior DRL 1.0
sigma proc_creation_win_fsutil_symlinkevaluation.yml Image|endswith: fsutil.exe DRL 1.0
sigma proc_creation_win_susp_fsutil_usage.yml title: Fsutil Suspicious Invocation DRL 1.0
sigma proc_creation_win_susp_fsutil_usage.yml description: Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc). Might be used by ransomwares during the attack (seen by NotPetya and others). DRL 1.0
sigma proc_creation_win_susp_fsutil_usage.yml - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn DRL 1.0
sigma proc_creation_win_susp_fsutil_usage.yml Image|endswith: '\fsutil.exe' DRL 1.0
sigma proc_creation_win_susp_fsutil_usage.yml OriginalFileName: 'fsutil.exe' DRL 1.0
sigma proc_creation_win_susp_spoolsv_child_processes.yml - \fsutil.exe DRL 1.0
atomic-red-team index.md - Atomic Test #1: Indicator Removal using FSUtil [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #1: Indicator Removal using FSUtil [windows] MIT License. © 2018 Red Canary
atomic-red-team T1070.md - Atomic Test #1 - Indicator Removal using FSUtil MIT License. © 2018 Red Canary
atomic-red-team T1070.md ## Atomic Test #1 - Indicator Removal using FSUtil MIT License. © 2018 Red Canary
atomic-red-team T1070.md will be displayed. More information about fsutil can be found at https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn MIT License. © 2018 Red Canary
atomic-red-team T1070.md fsutil usn deletejournal /D C: MIT License. © 2018 Red Canary
atomic-red-team T1070.md fsutil usn createjournal m=1000 a=100 c: MIT License. © 2018 Red Canary
signature-base crime_badrabbit.yar $s4 = "fsutil usn deletejournal /D %c:" fullword wide CC BY-NC 4.0
signature-base crime_nopetya_jun17.yar $x5 = "fsutil usn deletejournal /D %c:" fullword wide CC BY-NC 4.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.
fsutil

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows 10, Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008 R2, Windows 7

Performs tasks that are related to file allocation table (FAT) and NTFS file systems, such as managing reparse points, managing sparse files, or dismounting a volume. If it’s used without parameters, fsutil displays a list of supported subcommands.

Note: You must be logged on as an administrator or a member of the Administrators group to use fsutil. This command is quite powerful and should be used only by advanced users who have a thorough knowledge of Windows operating systems.

You must enable Windows Subsystem for Linux before you can run fsutil. Run the following command as Administrator in PowerShell to enable this optional feature:

Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux

You’ll be prompted to restart your computer once it’s installed. After your computer restarts, you’ll be able to run Fsutil as an administrator.

Parameters

Subcommand Description
fsutil 8dot3name Queries or changes the settings for short name behavior on the system, for example, generates 8.3 character-length file names. Removes short names for all files within a directory. Scans a directory and identifies registry keys that might be impacted if short names were stripped from the files in the directory.
fsutil dirty Queries whether the volume’s dirty bit is set or sets a volume’s dirty bit. When a volume’s dirty bit is set, autochk automatically checks the volume for errors the next time the computer is restarted.
fsutil file Finds a file by user name (if Disk Quotas are enabled), queries allocated ranges for a file, sets a file’s short name, sets a file’s valid data length, sets zero data for a file, creates a new file of a specified size, finds a file ID if given the name, or finds a file link name for a specified file ID.
fsutil fsinfo Lists all drives and queries the drive type, volume information, NTFS-specific volume information, or file system statistics.
fsutil hardlink Lists hard links for a file, or creates a hard link (a directory entry for a file). Every file can be considered to have at least one hard link. On NTFS volumes, each file can have multiple hard links, so a single file can appear in many directories (or even in the same directory, with different names). Because all of the links reference the same file, programs can open any of the links and modify the file. A file is deleted from the file system only after all links to it are deleted. After you create a hard link, programs can use it like any other file name.
fsutil objectid Manages object identifiers, which are used by the Windows operating system to track objects such as files and directories.
fsutil quota Manages disk quotas on NTFS volumes to provide more precise control of network-based storage. Disk quotas are implemented on a per-volume basis and enable both hard- and soft-storage limits to be implemented on a per-user basis.
fsutil repair Queries or sets the self-healing state of the volume. Self-healing NTFS attempts to correct corruptions of the NTFS file system online without requiring Chkdsk.exe to be run. Includes initiating on-disk verification and waiting for repair completion.
fsutil reparsepoint Queries or deletes reparse points (NTFS file system objects that have a definable attribute containing user-controlled data). Reparse points are used to extend functionality in the input/output (I/O) subsystem. They are used for directory junction points and volume mount points. They are also used by file system filter drivers to mark certain files as special to that driver.
fsutil resource Creates a Secondary Transactional Resource Manager, starts or stops a Transactional Resource Manager, displays information about a Transactional Resource Manager or modifies its behavior.
fsutil sparse Manages sparse files. A sparse file is a file with one or more regions of unallocated data in it. A program will see these unallocated regions as containing bytes with the value zero, but no disk space is used to represent these zeros. All meaningful or nonzero data is allocated, whereas all non-meaningful data (large strings of data composed of zeros) is not allocated. When a sparse file is read, allocated data is returned as stored and unallocated data is returned as zeros (by default in accordance with the C2 security requirement specification). Sparse file support allows data to be deallocated from anywhere in the file.
fsutil tiering Enables management of storage tier functions, such as setting and disabling flags and listing of tiers.
fsutil transaction Commits a specified transaction, rolls back a specified transaction, or displays info about the transaction.
fsutil usn Manages the update sequence number (USN) change journal, which provides a persistent log of all changes made to files on the volume.
fsutil volume Manages a volume. Dismounts a volume, queries to see how much free space is available on a disk, or finds a file that is using a specified cluster.
fsutil wim Provides functions to discover and manage WIM-backed files.

Additional References
MIT License. Copyright (c) 2020-2021 Strontic.