• File Path: C:\windows\system32\manage-bde.exe
  • Description: BitLocker Drive Encryption: Configuration Tool


Type Hash
MD5 F7E627DDF4C3B09BDB8954E02B4A375C
SHA1 2EA9A0B98C484ACB8F2A10146AFF965BF2E3F3C4
SHA384 48862144DA9666442607C77D812B33672FC9CB3CF75370BE8F59432C8542D296E09332F90B143EC3DD34976DDD56B115
SHA512 B1539F3F9EB7855D6A7C78986ED8CC8AB2D9D177CE2D658B85B13BE409A24AC2FD55365FD3C6C0A49438012692AA1C29E5961C0A11CD89A17DDB5A50D0987A54
SSDEEP 6144:Z3x5ClQ1RGJbMsTt063tVs7nyatGt+SYF:IVMsZH+S+


  • Status: The file C:\windows\system32\manage-bde.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at
  • Serial: ``
  • Thumbprint: ``
  • Issuer:
  • Subject:

File Metadata

  • Original Filename: manage-bde.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
  • Product Version: 6.3.9600.16384
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Windows\system32\baaupdate.exe 63
C:\WINDOWS\system32\baaupdate.exe 52
C:\windows\system32\baaupdate.exe 54
C:\WINDOWS\system32\baaupdate.exe 58
C:\Windows\system32\baaupdate.exe 63
C:\WINDOWS\system32\BdeHdCfg.exe 55
C:\Windows\system32\BdeHdCfg.exe 58
C:\WINDOWS\system32\BdeHdCfg.exe 55
C:\Windows\system32\BdeHdCfg.exe 52
C:\windows\system32\BdeHdCfg.exe 55
C:\Windows\system32\bdeunlock.exe 36
C:\Windows\system32\bdeunlock.exe 35
C:\WINDOWS\system32\bdeunlock.exe 38
C:\WINDOWS\system32\bdeunlock.exe 41
C:\windows\system32\bdeunlock.exe 46
C:\Windows\system32\bdeunlock.exe 49
C:\WINDOWS\system32\BitLockerWizard.exe 55
C:\Windows\system32\BitLockerWizard.exe 60
C:\windows\system32\BitLockerWizard.exe 55
C:\WINDOWS\system32\BitLockerWizard.exe 60
C:\Windows\system32\BitLockerWizard.exe 60
C:\Windows\system32\BitLockerWizard.exe 55
C:\Windows\system32\BitLockerWizardElev.exe 58
C:\Windows\system32\BitLockerWizardElev.exe 54
C:\WINDOWS\system32\BitLockerWizardElev.exe 54
C:\Windows\system32\BitLockerWizardElev.exe 54
C:\windows\system32\BitLockerWizardElev.exe 61
C:\WINDOWS\system32\BitLockerWizardElev.exe 58
C:\Windows\system32\fvecpl.dll 40
C:\Windows\system32\fvenotify.exe 54
C:\WINDOWS\system32\fvenotify.exe 50
C:\windows\system32\fvenotify.exe 50
C:\WINDOWS\system32\fvenotify.exe 54
C:\Windows\system32\fvenotify.exe 57
C:\WINDOWS\system32\fveprompt.exe 47
C:\Windows\system32\fveprompt.exe 50
C:\Windows\system32\fveprompt.exe 54
C:\WINDOWS\system32\fveprompt.exe 54
C:\windows\system32\fveprompt.exe 55
C:\Windows\system32\fveui.dll 46
C:\WINDOWS\system32\manage-bde.exe 50
C:\Windows\system32\manage-bde.exe 50
C:\Windows\system32\manage-bde.exe 43
C:\WINDOWS\system32\manage-bde.exe 44
C:\Windows\system32\repair-bde.exe 54
C:\WINDOWS\system32\repair-bde.exe 52
C:\WINDOWS\system32\repair-bde.exe 52
C:\windows\system32\repair-bde.exe 61
C:\Windows\system32\repair-bde.exe 52

Possible Misuse

The following table contains possible examples of manage-bde.exe being misused. While manage-bde.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
| --- | --- | --- | --- |
| sigma | proc_creation_win_manage_bde_lolbas.yml | title: Suspicious Usage of the Manage-bde.wsf Script | DRL 1.0 |
| sigma | proc_creation_win_manage_bde_lolbas.yml | description: Detects a usage of the manage-bde.wsf script that may indicate an attempt of proxy execution from script | DRL 1.0 |
| sigma | proc_creation_win_manage_bde_lolbas.yml | - | DRL 1.0 |
| sigma | proc_creation_win_manage_bde_lolbas.yml | - 'manage-bde.wsf' | DRL 1.0 |
| LOLBAS | Manage-bde.yml | Name: Manage-bde.wsf | |
| LOLBAS | Manage-bde.yml | - Command: set comspec=c:\windows\system32\calc.exe & cscript c:\windows\system32\manage-bde.wsf | |
| LOLBAS | Manage-bde.yml | Description: Set the comspec variable to another executable prior to calling manage-bde.wsf for execution. | |
| LOLBAS | Manage-bde.yml | - Command: copy c:\users\person\evil.exe c:\users\public\manage-bde.exe & cd c:\users\public\ & cscript.exe c:\windows\system32\manage-bde.wsf | |
| LOLBAS | Manage-bde.yml | Description: Run the manage-bde.wsf script with a payload named manage-bde.exe in the same directory to run the payload file. | |
| LOLBAS | Manage-bde.yml | - Path: C:\Windows\System32\manage-bde.wsf | |
| LOLBAS | Manage-bde.yml | - IOC: Manage-bde.wsf should not be invoked by a standard user under normal situations | |
| atomic-red-team | | - Atomic Test #2: manage-bde.wsf Signed Script Command Execution [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | | - Atomic Test #2 - manage-bde.wsf Signed Script Command Execution | MIT License. © 2018 Red Canary |
| atomic-red-team | | ## Atomic Test #2 - manage-bde.wsf Signed Script Command Execution | MIT License. © 2018 Red Canary |
| atomic-red-team | | Executes the signed manage-bde.wsf script with options to execute an arbitrary command. | MIT License. © 2018 Red Canary |
| atomic-red-team | | cscript %windir%\System32\manage-bde.wsf | MIT License. © 2018 Red Canary |

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


Turns on or turns off BitLocker, specifies unlock mechanisms, updates recovery methods, and unlocks BitLocker-protected data drives.

Note: This command-line tool can be used in place of the BitLocker Drive Encryption Control Panel item.


manage-bde [-status] [-on] [-off] [-pause] [-resume] [-lock] [-unlock] [-autounlock] [-protectors] [-tpm]
[-setidentifier] [-forcerecovery] [-changepassword] [-changepin] [-changekey] [-keypackage] [-upgrade] [-wipefreespace] [{-?|/?}] [{-help|-h}]


| Parameter | Description |
| --- | --- |
| manage-bde status | Provides information about all drives on the computer, whether or not they are BitLocker-protected. |
| manage-bde on | Encrypts the drive and turns on BitLocker. |
| manage-bde off | Decrypts the drive and turns off BitLocker. All key protectors are removed when decryption is complete. |
| manage-bde pause | Pauses encryption or decryption. |
| manage-bde resume | Resumes encryption or decryption. |
| manage-bde lock | Prevents access to BitLocker-protected data. |
| manage-bde unlock | Allows access to BitLocker-protected data with a recovery password or a recovery key. |
| manage-bde autounlock | Manages automatic unlocking of data drives. |
| manage-bde protectors | Manages protection methods for the encryption key. |
| manage-bde tpm | Configures the computer’s Trusted Platform Module (TPM). This command isn’t supported on computers running Windows 8 or win8_server_2. To manage the TPM on these computers, use either the TPM Management MMC snap-in or the TPM Management cmdlets for Windows PowerShell. |
| manage-bde setidentifier | Sets the drive identifier field on the drive to the value specified in the "Provide the unique identifiers for your organization" Group Policy setting. |
| manage-bde ForceRecovery | Forces a BitLocker-protected drive into recovery mode on restart. This command deletes all TPM-related key protectors from the drive. When the computer restarts, only a recovery password or recovery key can be used to unlock the drive. |
| manage-bde changepassword | Modifies the password for a data drive. |
| manage-bde changepin | Modifies the PIN for an operating system drive. |
| manage-bde changekey | Modifies the startup key for an operating system drive. |
| manage-bde KeyPackage | Generates a key package for a drive. |
| manage-bde upgrade | Upgrades the BitLocker version. |
| manage-bde WipeFreeSpace | Wipes the free space on a drive. |
| -? or /? | Displays brief Help at the command prompt. |
| -help or -h | Displays complete Help at the command prompt. |

MIT License. Copyright (c) 2020-2021 Strontic.