msdt.exe
- File Path:
C:\Windows\system32\msdt.exe
- Description: Diagnostics Troubleshooting Wizard
Screenshot
Hashes
Type | Hash |
---|---|
MD5 | 728A1A72370AF1A7641650FD43DB7DBE |
SHA1 | 12609AF89C97A98668B2C93542EDA78B6E67850D |
SHA256 | 7253695FED91C65571BF59A7C61F1F1C72A081CA6EF687043CB039C7B35CA623 |
SHA384 | 244791C3E7B39E32641A985C7D75F0DBD2529FFBB70EF1ADA95BC5855F9AEE5E3DF10E7622BE99D73BD699B5503A3388 |
SHA512 | DC8155755DA8BD58FD1EAA3C0CBC8416659D1B98B6018FA71C35182036DF8BF2FA1BF77215C1A64F1DDD8B1367ABE7B1F9D1390FA7C7FA6C4F3134859CC6B52C |
SSDEEP | 24576:6ZE6Yj7JKD6XH4qvIReK1odddGdBnyE0k26kVZnBm:9aqNK7utRB |
IMP | 321EDF3F2984E7A7F62B38C0675AEA7A |
PESHA1 | BE6778D264FE5FF87A374401173E0698EB85743A |
PE256 | 1392E8A05F5535798A4418899E6E1CCF04CFB353AA3146B4A8CA2E73BA3078DF |
Runtime Data
Window Title:
An error occurred
Open Handles:
Path | Type |
---|---|
(—) C:\Users\ADMINI~1\AppData\Local\Temp\2\msdtadmin_696BBE53-1179-4AE5-910E-DF6CCFEE257F_\inuse | File |
(R-D) C:\Windows\Fonts\StaticCache.dat | File |
(R-D) C:\Windows\System32\en-US\imageres.dll.mui | File |
(R-D) C:\Windows\System32\en-US\msdt.exe.mui | File |
(R-D) C:\Windows\System32\en-US\oleaccrc.dll.mui | File |
(R-D) C:\Windows\WinSxS\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.17763.1518_en-us_f47974b57ff45754\comctl32.dll.mui | File |
(RW-) C:\Users\user | File |
(RW-) C:\Windows\WinSxS\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.17763.1518_en-us_f47974b57ff45754 | File |
(RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.1518_none_de6e2bd0534e2567 | File |
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000004.db | Section |
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000004.db | Section |
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro | Section |
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 | Section |
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 | Section |
\Sessions\2\Windows\Theme2131664586 | Section |
\Windows\Theme966197582 | Section |
Loaded Modules:
Path |
---|
C:\Windows\System32\ADVAPI32.dll |
C:\Windows\system32\ATL.DLL |
C:\Windows\SYSTEM32\atlthunk.dll |
C:\Windows\System32\bcryptPrimitives.dll |
C:\Windows\system32\Cabinet.dll |
C:\Windows\System32\cfgmgr32.dll |
C:\Windows\System32\combase.dll |
C:\Windows\System32\COMDLG32.dll |
C:\Windows\System32\CRYPT32.dll |
C:\Windows\System32\cryptsp.dll |
C:\Windows\system32\DUI70.dll |
C:\Windows\system32\DUser.dll |
C:\Windows\system32\dwmapi.dll |
C:\Windows\System32\GDI32.dll |
C:\Windows\System32\gdi32full.dll |
C:\Windows\System32\IMM32.DLL |
C:\Windows\System32\kernel.appcore.dll |
C:\Windows\System32\KERNEL32.DLL |
C:\Windows\System32\KERNELBASE.dll |
C:\Windows\System32\MSASN1.dll |
C:\Windows\System32\MSCTF.dll |
C:\Windows\system32\msdt.exe |
C:\Windows\system32\MSFTEDIT.DLL |
C:\Windows\System32\msvcp_win.dll |
C:\Windows\System32\msvcrt.dll |
C:\Windows\SYSTEM32\ntdll.dll |
C:\Windows\System32\ole32.dll |
C:\Windows\system32\OLEACC.dll |
C:\Windows\System32\OLEAUT32.dll |
C:\Windows\System32\powrprof.dll |
C:\Windows\System32\profapi.dll |
C:\Windows\System32\RPCRT4.dll |
C:\Windows\System32\sechost.dll |
C:\Windows\system32\Secur32.dll |
C:\Windows\System32\shcore.dll |
C:\Windows\System32\SHELL32.dll |
C:\Windows\System32\shlwapi.dll |
C:\Windows\system32\SSPICLI.DLL |
C:\Windows\System32\ucrtbase.dll |
C:\Windows\System32\USER32.dll |
C:\Windows\system32\UxTheme.dll |
C:\Windows\system32\wer.dll |
C:\Windows\System32\win32u.dll |
C:\Windows\System32\windows.storage.dll |
C:\Windows\system32\WINHTTP.dll |
C:\Windows\System32\WINTRUST.dll |
C:\Windows\system32\xmllite.dll |
C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.1518_none_de6e2bd0534e2567\COMCTL32.dll |
Signature
- Status: Signature verified.
- Serial:
33000001C422B2F79B793DACB20000000001C4
- Thumbprint:
AE9C1AE54763822EEC42474983D8B635116C8452
- Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: msdt.exe.mui
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.17763.1 (WinBuild.160101.0800)
- Product Version: 10.0.17763.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 64-bit
File Scan
- VirusTotal Detections: 0/69
- VirusTotal Link: https://www.virustotal.com/gui/file/7253695fed91c65571bf59a7c61f1f1c72a081ca6ef687043cb039c7b35ca623/detection/
File Similarity (ssdeep match)
File | Score |
---|---|
C:\windows\system32\msdt.exe | 68 |
C:\Windows\system32\msdt.exe | 79 |
C:\windows\SysWOW64\msdt.exe | 65 |
C:\Windows\SysWOW64\msdt.exe | 69 |
C:\Windows\SysWOW64\msdt.exe | 74 |
Possible Misuse
The following table contains possible examples of msdt.exe
being misused. While msdt.exe
is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
Source | Source File | Example | License |
---|---|---|---|
sigma | proc_creation_win_possible_applocker_bypass.yml | - '\msdt.exe' |
DRL 1.0 |
LOLBAS | Msdt.yml | Name: Msdt.exe |
|
LOLBAS | Msdt.yml | - Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE |
|
LOLBAS | Msdt.yml | - Path: C:\Windows\System32\Msdt.exe |
|
LOLBAS | Msdt.yml | - Path: C:\Windows\SysWOW64\Msdt.exe |
Additional Info*
*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.
msdt
Invokes a troubleshooting pack at the command line or as part of an automated script, and enables additional options without user input.
Syntax
msdt </id <name> | /path <name> | /cab < name>> <</parameter> [options] … <parameter> [options]>>
Parameters
Parameter | Description |
---|---|
/id <packagename> |
Specifies which diagnostic package to run. For a list of available packages, see Available Troubleshooting packs. |
/path <directory|.diagpkg file|.diagcfg file> |
Specifies the full path to a diagnostic package. If you specify a directory, the directory must contain a diagnostic package. You cannot use the /path parameter in conjunction with the** /id, **/dci, or /cab parameters. |
/dci <passkey> |
Prepopulates the passkey field. This parameter is only used when a support provider has supplied a passkey. |
/dt <directory> |
Displays the troubleshooting history in the specified directory. Diagnostic results are stored in the user’s %LOCALAPPDATA%\Diagnostics or %LOCALAPPDATA%\ElevatedDiagnostics directories. |
/af <answerfile> |
Specifies an answer file in XML format that contains responses to one or more diagnostic interactions. |
/modal <ownerHWND> |
Makes the troubleshooting pack modal to a window designated by the parent Console Window Handle (HWND), in decimal. This parameter is typically used by applications that launch a troubleshooting pack. For more information about obtaining Console Window Handles, see How to Obtain a Console Window Handle (HWND). |
/moreoptions <true|false> |
Enables (true) or suppresses (false) the final troubleshooting screen that asks if the user wants to explore additional options. This parameter is typically used when the troubleshooting pack is launched by a troubleshooter that isn’t part of the operating system. |
/param <parameters> |
Specifies a set of interaction responses at the command line, similar to an answer file. This parameter isn’t typically used within the context of troubleshooting packs created with TSP Designer. For more information about developing custom parameters, see Windows Troubleshooting Platform. |
/advanced | Expands the advanced link on the Welcome page by default when the troubleshooting pack is started. |
/custom | Prompts the user to confirm each possible resolution before it is applied. |
Return codes
Troubleshooting packs comprise a set of root causes, each of which describes a specific technical problem. After completing the troubleshooting pack tasks, each root cause returns a state of fixed, not fixed, detected (but not fixable), or not found. In addition to specific results reported in the troubleshooter user interface, the troubleshooting engine returns a code in the results describing, in general terms, whether or not the troubleshooter fixed the original problem. The codes are:
Code | Description |
---|---|
-1 | Interruption: The troubleshooter was closed before the troubleshooting tasks were completed. |
0 | Fixed: The troubleshooter identified and fixed at least one root cause, and no root causes remain in a not fixed state. |
1 | Present, but not fixed: The troubleshooter identified one or more root causes that remain in a not fixed state. This code is returned even if another root cause was fixed. |
2 | Not found: The troubleshooter did not identify any root causes. |
Additional References
MIT License. Copyright (c) 2020-2021 Strontic.