msdt.exe

  • File Path: C:\Windows\system32\msdt.exe
  • Description: Diagnostics Troubleshooting Wizard

Screenshot: msdt.exe (image not reproduced)

Hashes

Type    Hash
MD5     728A1A72370AF1A7641650FD43DB7DBE
SHA1    12609AF89C97A98668B2C93542EDA78B6E67850D
SHA256  7253695FED91C65571BF59A7C61F1F1C72A081CA6EF687043CB039C7B35CA623
SHA384  244791C3E7B39E32641A985C7D75F0DBD2529FFBB70EF1ADA95BC5855F9AEE5E3DF10E7622BE99D73BD699B5503A3388
SHA512  DC8155755DA8BD58FD1EAA3C0CBC8416659D1B98B6018FA71C35182036DF8BF2FA1BF77215C1A64F1DDD8B1367ABE7B1F9D1390FA7C7FA6C4F3134859CC6B52C
SSDEEP  24576:6ZE6Yj7JKD6XH4qvIReK1odddGdBnyE0k26kVZnBm:9aqNK7utRB
IMP     321EDF3F2984E7A7F62B38C0675AEA7A
PESHA1  BE6778D264FE5FF87A374401173E0698EB85743A
PE256   1392E8A05F5535798A4418899E6E1CCF04CFB353AA3146B4A8CA2E73BA3078DF

Runtime Data

Window Title:

An error occurred

Open Handles:

Path Type
(—) C:\Users\ADMINI~1\AppData\Local\Temp\2\msdtadmin_696BBE53-1179-4AE5-910E-DF6CCFEE257F_\inuse File
(R-D) C:\Windows\Fonts\StaticCache.dat File
(R-D) C:\Windows\System32\en-US\imageres.dll.mui File
(R-D) C:\Windows\System32\en-US\msdt.exe.mui File
(R-D) C:\Windows\System32\en-US\oleaccrc.dll.mui File
(R-D) C:\Windows\WinSxS\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.17763.1518_en-us_f47974b57ff45754\comctl32.dll.mui File
(RW-) C:\Users\user File
(RW-) C:\Windows\WinSxS\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.17763.1518_en-us_f47974b57ff45754 File
(RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.1518_none_de6e2bd0534e2567 File
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000004.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000004.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\2\Windows\Theme2131664586 Section
\Windows\Theme966197582 Section

Loaded Modules:

Path
C:\Windows\System32\ADVAPI32.dll
C:\Windows\system32\ATL.DLL
C:\Windows\SYSTEM32\atlthunk.dll
C:\Windows\System32\bcryptPrimitives.dll
C:\Windows\system32\Cabinet.dll
C:\Windows\System32\cfgmgr32.dll
C:\Windows\System32\combase.dll
C:\Windows\System32\COMDLG32.dll
C:\Windows\System32\CRYPT32.dll
C:\Windows\System32\cryptsp.dll
C:\Windows\system32\DUI70.dll
C:\Windows\system32\DUser.dll
C:\Windows\system32\dwmapi.dll
C:\Windows\System32\GDI32.dll
C:\Windows\System32\gdi32full.dll
C:\Windows\System32\IMM32.DLL
C:\Windows\System32\kernel.appcore.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\MSASN1.dll
C:\Windows\System32\MSCTF.dll
C:\Windows\system32\msdt.exe
C:\Windows\system32\MSFTEDIT.DLL
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\ole32.dll
C:\Windows\system32\OLEACC.dll
C:\Windows\System32\OLEAUT32.dll
C:\Windows\System32\powrprof.dll
C:\Windows\System32\profapi.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\sechost.dll
C:\Windows\system32\Secur32.dll
C:\Windows\System32\shcore.dll
C:\Windows\System32\SHELL32.dll
C:\Windows\System32\shlwapi.dll
C:\Windows\system32\SSPICLI.DLL
C:\Windows\System32\ucrtbase.dll
C:\Windows\System32\USER32.dll
C:\Windows\system32\UxTheme.dll
C:\Windows\system32\wer.dll
C:\Windows\System32\win32u.dll
C:\Windows\System32\windows.storage.dll
C:\Windows\system32\WINHTTP.dll
C:\Windows\System32\WINTRUST.dll
C:\Windows\system32\xmllite.dll
C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.1518_none_de6e2bd0534e2567\COMCTL32.dll

Signature

  • Status: Signature verified.
  • Serial: 33000001C422B2F79B793DACB20000000001C4
  • Thumbprint: AE9C1AE54763822EEC42474983D8B635116C8452
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: msdt.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/69
  • VirusTotal Link: https://www.virustotal.com/gui/file/7253695fed91c65571bf59a7c61f1f1c72a081ca6ef687043cb039c7b35ca623/detection/

File Similarity (ssdeep match)

File Score
C:\windows\system32\msdt.exe 68
C:\Windows\system32\msdt.exe 79
C:\windows\SysWOW64\msdt.exe 65
C:\Windows\SysWOW64\msdt.exe 69
C:\Windows\SysWOW64\msdt.exe 74

Possible Misuse

The following table lists known patterns of msdt.exe being misused. msdt.exe is a Microsoft-signed operating-system binary and is not malicious in itself; the entries below show how its legitimate functionality (running a troubleshooting pack, optionally driven by an answer file without user interaction) can be abused, for example to execute under an allow-listing policy that trusts system binaries.

Source  Source File                                      Example                                                                                                  License
sigma   proc_creation_win_possible_applocker_bypass.yml  - '\msdt.exe'                                                                                            DRL 1.0
LOLBAS  Msdt.yml                                         Name: Msdt.exe
LOLBAS  Msdt.yml                                         - Command: msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE
LOLBAS  Msdt.yml                                         - Path: C:\Windows\System32\Msdt.exe
LOLBAS  Msdt.yml                                         - Path: C:\Windows\SysWOW64\Msdt.exe
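As an added example (not code from the Strontic page, from LOLBAS or from the Sigma project), the following Python applies the two patterns in the table above to a few constructed process-creation events: the Sigma rule's match on an image name ending in \msdt.exe, and the LOLBAS command line's -af answer file and /skip TRUE switches, plus a check that the running image is in one of the two LOLBAS-listed locations and has a hash in a known-good set. The SHA256 seeded into that set is the one listed under Hashes on this page; the event record shape, the sample command lines other than the LOLBAS one, and the placeholder package name ExamplePack are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Known-good SHA256 of msdt.exe as listed under Hashes on this page
# (file version 10.0.17763.1). A real deployment would hold every build
# present in the fleet here.
KNOWN_GOOD_SHA256 = {
    "7253695FED91C65571BF59A7C61F1F1C72A081CA6EF687043CB039C7B35CA623",
}

# The two locations the LOLBAS Msdt.yml entry lists for the binary.
EXPECTED_IMAGES = {
    r"c:\windows\system32\msdt.exe",
    r"c:\windows\syswow64\msdt.exe",
}


def _switch(name: str) -> re.Pattern:
    # msdt accepts '-' and '/' as switch characters; the LOLBAS command line
    # mixes both (-path, -af, /skip). The value may be quoted or bare.
    return re.compile(r"(?:^|\s)[-/]" + name + r"\s+(\"[^\"]+\"|\S+)", re.IGNORECASE)


AF_RE = _switch("af")
PATH_RE = _switch("path")
SKIP_RE = re.compile(r"(?:^|\s)[-/]skip\s+true\b", re.IGNORECASE)


@dataclass
class ProcEvent:
    """Subset of a process-creation record (Sysmon Event ID 1 style); constructed."""
    image: str
    command_line: str
    sha256: str


def classify(ev: ProcEvent) -> list[str]:
    """Return findings for one event; an empty list means nothing of interest."""
    findings: list[str] = []
    # Sigma proc_creation_win_possible_applocker_bypass matches on the image
    # name ending in '\msdt.exe'; other images are out of scope here.
    if not ev.image.lower().endswith("\\msdt.exe"):
        return findings
    if ev.image.lower() not in EXPECTED_IMAGES:
        findings.append(f"msdt.exe executed from unexpected path: {ev.image}")
    if ev.sha256.upper() not in KNOWN_GOOD_SHA256:
        findings.append("image hash not in known-good set (renamed or tampered binary?)")
    m = AF_RE.search(ev.command_line)
    if m:
        # An answer file drives the troubleshooting pack without user input;
        # it is the switch the LOLBAS entry relies on.
        answer_file = m.group(1).strip('"')
        findings.append(f"answer file supplied via -af: {answer_file}")
    if SKIP_RE.search(ev.command_line):
        findings.append("/skip TRUE suppresses interaction")
    m = PATH_RE.search(ev.command_line)
    if m and m.group(1).strip('"').lower().endswith("pcwdiagnostic.xml"):
        findings.append("targets PCWDiagnostic.xml, the package used in the LOLBAS example")
    return findings


# Constructed sample events. Only the second command line is taken verbatim
# from the LOLBAS entry; 'ExamplePack' is a placeholder, not a real package.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\msdt.exe",
              r"msdt.exe /id ExamplePack",
              "7253695FED91C65571BF59A7C61F1F1C72A081CA6EF687043CB039C7B35CA623"),
    ProcEvent(r"C:\Windows\System32\msdt.exe",
              r"msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE",
              "7253695FED91C65571BF59A7C61F1F1C72A081CA6EF687043CB039C7B35CA623"),
    ProcEvent(r"C:\Users\Public\msdt.exe",
              r"msdt.exe -af \\share\answers.xml",
              "0000000000000000000000000000000000000000000000000000000000000000"),
]


def run(events=SAMPLE_EVENTS) -> list[tuple[str, list[str]]]:
    """Classify every event and return (image, findings) pairs."""
    return [(ev.image, classify(ev)) for ev in events]


if __name__ == "__main__":
    for image, findings in run():
        print(image, "->", findings or ["no findings"])
```

The hash check is what separates "a signed system binary doing its job" from "a renamed copy": the Sigma pattern alone fires on every msdt.exe launch, so in practice it is combined with the command-line and location checks above, and the known-good set is populated from the hashes of every Windows build in the environment rather than the single value on this page.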

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


msdt

Invokes a troubleshooting pack at the command line or as part of an automated script, and enables additional options without user input.

Syntax

msdt </id <name> | /path <name> | /cab <name>> <</parameter> [options] … <parameter> [options]>>

Parameters

Parameter Description
/id <packagename> Specifies which diagnostic package to run. For a list of available packages, see Available Troubleshooting packs.
/path <directory|.diagpkg file|.diagcfg file> Specifies the full path to a diagnostic package. If you specify a directory, the directory must contain a diagnostic package. You cannot use the /path parameter in conjunction with the /id, /dci, or /cab parameters.
/dci <passkey> Prepopulates the passkey field. This parameter is only used when a support provider has supplied a passkey.
/dt <directory> Displays the troubleshooting history in the specified directory. Diagnostic results are stored in the user’s %LOCALAPPDATA%\Diagnostics or %LOCALAPPDATA%\ElevatedDiagnostics directories.
/af <answerfile> Specifies an answer file in XML format that contains responses to one or more diagnostic interactions.
/modal <ownerHWND> Makes the troubleshooting pack modal to a window designated by the parent Console Window Handle (HWND), in decimal. This parameter is typically used by applications that launch a troubleshooting pack. For more information about obtaining Console Window Handles, see How to Obtain a Console Window Handle (HWND).
/moreoptions <true|false> Enables (true) or suppresses (false) the final troubleshooting screen that asks if the user wants to explore additional options. This parameter is typically used when the troubleshooting pack is launched by a troubleshooter that isn’t part of the operating system.
/param <parameters> Specifies a set of interaction responses at the command line, similar to an answer file. This parameter isn’t typically used within the context of troubleshooting packs created with TSP Designer. For more information about developing custom parameters, see Windows Troubleshooting Platform.
/advanced Expands the advanced link on the Welcome page by default when the troubleshooting pack is started.
/custom Prompts the user to confirm each possible resolution before it is applied.

Return codes

Troubleshooting packs comprise a set of root causes, each of which describes a specific technical problem. After completing the troubleshooting pack tasks, each root cause returns a state of fixed, not fixed, detected (but not fixable), or not found. In addition to specific results reported in the troubleshooter user interface, the troubleshooting engine returns a code in the results describing, in general terms, whether or not the troubleshooter fixed the original problem. The codes are:

Code Description
-1 Interruption: The troubleshooter was closed before the troubleshooting tasks were completed.
0 Fixed: The troubleshooter identified and fixed at least one root cause, and no root causes remain in a not fixed state.
1 Present, but not fixed: The troubleshooter identified one or more root causes that remain in a not fixed state. This code is returned even if another root cause was fixed.
2 Not found: The troubleshooter did not identify any root causes.

MIT License. Copyright (c) 2020-2021 Strontic.