logman.exe
- File Path:
C:\windows\system32\logman.exe - Description: Performance Log Utility
Hashes
| Type | Hash |
|---|---|
| MD5 | 38C62F948C56566FBF3444180BA31D24 |
| SHA1 | 65B3DD307DDBAA1DC221DDC850EC6D4792D5E4E2 |
| SHA256 | B2F5DA3AA6F748B3F03267CBB3918AFC9E6E2B784F3B86ABD457E9F2BBA40C2A |
| SHA384 | 3C6728DD563E464191FDEB48BA6F38CC923230CACFD3329E3A870449945554EBC7D0B8EC83E38E82FCD1061C2DB9B31A |
| SHA512 | C2E4BBDCFDB374F0B7D424100EDF7BD8EDBDA2CC2C5C299FC54D18D817B7D5BEE46209D9919C656831E4EE599B3B97DFDAC5217FE6FD83F4307A0D51DA6F7E79 |
| SSDEEP | 1536:vkd9d9td+ZKjcA7O6BXnrE+RDHAdDUShjDMRKhKiRJC/hZDQlN/E0LneQneMuIru:vJKj1po+Rg1NDqKxCzQsKuIr1R+ |
Signature
- Status: The file C:\windows\system32\logman.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
- Serial: ``
- Thumbprint: ``
- Issuer:
- Subject:
File Metadata
- Original Filename: Logman.exe.mui
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
- Product Version: 6.3.9600.16384
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
Possible Misuse
The following table contains possible examples of logman.exe being misused. While logman.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | image_load_wmi_module_load.yml | - '\logman.exe' |
DRL 1.0 |
| sigma | proc_creation_win_etw_trace_evasion.yml | - 'logman' |
DRL 1.0 |
| sigma | proc_creation_win_susp_disable_eventlog.yml | description: Detects command that is used to disable or delete Windows eventlog via logman Windows utility |
DRL 1.0 |
| sigma | proc_creation_win_susp_disable_eventlog.yml | - https://ss64.com/nt/logman.html |
DRL 1.0 |
| sigma | proc_creation_win_susp_disable_eventlog.yml | - 'logman ' |
DRL 1.0 |
Additional Info*
*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.
logman
Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Creates and manages Event Trace Session and Performance logs and supports many functions of Performance Monitor from the command line.
Syntax
logman [create | query | start | stop | delete| update | import | export | /?] [options]
Parameters
| Parameter | Description |
|---|---|
| logman create | Creates a counter, trace, configuration data collector, or API. |
| logman query | Queries data collector properties. |
| logman start | stop | Starts or stops data collection. |
| logman delete | Deletes an existing data collector. |
| logman update | Updates the properties of an existing data collector. |
| logman import | export | Imports a data collector set from an XML file or export a data collector set to an XML file. |
Additional References
MIT License. Copyright (c) 2020-2021 Strontic.