• File Path: C:\WINDOWS\system32\msdt.exe
  • Description: Diagnostics Troubleshooting Wizard




Type Hash
MD5 152D4C9F63EFB332CCB134C6953C0104
SHA1 BC0972BA720E31DBBE4EE46A232533C1402843F6
SHA256 A4CBE4F41263B833294D2749DE34FC588CA44D9BC5E3A78BBDCE515250C220C6
SHA384 FB9E1184112390675F4C50809384C07D7DCABAFA59F287410A30F5835C0DC0475BCB3D9D298F24A6229E676446DF140F
SHA512 E910EEBB7F84C0CA39AD1CE3E2F37162A479DD23B02656A2523D286B2FC368E905821410E23193BD2EA67F94A07A150C824C152AE9D3D3002C2532A091E6D5C7
SSDEEP 6144:l+KCiAyRZcNThhgn9IxjuGkomX5Crt+82HGKwXcwrLGcyLjh/qc1:luiAuZIgynsQPwL


  • Status: Signature verified.
  • Serial: 330000023241FB59996DCC4DFF000000000232
  • Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: msdt.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.18362.1 (WinBuild.160101.0800)
  • Product Version: 10.0.18362.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of msdt.exe being misused. While msdt.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_possible_applocker_bypass.yml - '\msdt.exe' DRL 1.0
LOLBAS Msdt.yml Name: Msdt.exe  
LOLBAS Msdt.yml - Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE  
LOLBAS Msdt.yml - Path: C:\Windows\System32\Msdt.exe  
LOLBAS Msdt.yml - Path: C:\Windows\SysWOW64\Msdt.exe  

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


Invokes a troubleshooting pack at the command line or as part of an automated script, and enables additional options without user input.


msdt </id <name> | /path <name> | /cab < name>> <</parameter> [options] … <parameter> [options]>>


Parameter Description
/id <packagename> Specifies which diagnostic package to run. For a list of available packages, see Available Troubleshooting packs.
/path <directory|.diagpkg file|.diagcfg file> Specifies the full path to a diagnostic package. If you specify a directory, the directory must contain a diagnostic package. You cannot use the /path parameter in conjunction with the** /id, **/dci, or /cab parameters.
/dci <passkey> Prepopulates the passkey field. This parameter is only used when a support provider has supplied a passkey.
/dt <directory> Displays the troubleshooting history in the specified directory. Diagnostic results are stored in the user’s %LOCALAPPDATA%\Diagnostics or %LOCALAPPDATA%\ElevatedDiagnostics directories.
/af <answerfile> Specifies an answer file in XML format that contains responses to one or more diagnostic interactions.
/modal <ownerHWND> Makes the troubleshooting pack modal to a window designated by the parent Console Window Handle (HWND), in decimal. This parameter is typically used by applications that launch a troubleshooting pack. For more information about obtaining Console Window Handles, see How to Obtain a Console Window Handle (HWND).
/moreoptions <true|false> Enables (true) or suppresses (false) the final troubleshooting screen that asks if the user wants to explore additional options. This parameter is typically used when the troubleshooting pack is launched by a troubleshooter that isn’t part of the operating system.
/param <parameters> Specifies a set of interaction responses at the command line, similar to an answer file. This parameter isn’t typically used within the context of troubleshooting packs created with TSP Designer. For more information about developing custom parameters, see Windows Troubleshooting Platform.
/advanced Expands the advanced link on the Welcome page by default when the troubleshooting pack is started.
/custom Prompts the user to confirm each possible resolution before it is applied.

Return codes

Troubleshooting packs comprise a set of root causes, each of which describes a specific technical problem. After completing the troubleshooting pack tasks, each root cause returns a state of fixed, not fixed, detected (but not fixable), or not found. In addition to specific results reported in the troubleshooter user interface, the troubleshooting engine returns a code in the results describing, in general terms, whether or not the troubleshooter fixed the original problem. The codes are:

Code Description
-1 Interruption: The troubleshooter was closed before the troubleshooting tasks were completed.
0 Fixed: The troubleshooter identified and fixed at least one root cause, and no root causes remain in a not fixed state.
1 Present, but not fixed: The troubleshooter identified one or more root causes that remain in a not fixed state. This code is returned even if another root cause was fixed.
2 Not found: The troubleshooter did not identify any root causes.

Additional References

MIT License. Copyright (c) 2020-2021 Strontic.