perfmon.exe

• File Path: C:\Windows\SysWOW64\perfmon.exe
• Description: Resource and Performance Monitor

Screenshot

Hashes

Type	Hash
MD5	805F9B64745C730A6BD789083D0EF4E2
SHA1	DF46DE4C9866BCB49381A406E9CF4D22B6EA2E7F
SHA256	4A58628ABFA58DCD4E683EBEF43018B663228CB562C27716A799257A7434B6A5
SHA384	185485973AF883F58E37948D316C367CE3EB3229A17966ADB9D6E33380B5968A290D447240AC415ADF9FC3B0BE6054CE
SHA512	51C5A88956A17ED37A5D49445EC7E589E9A93B11A0198EBD847D40446D66B7DC7A891E61574750BEC3D615601603394F6B2CF382315D1DD50679797ED6F7588F
SSDEEP	3072:qWuWAqeMLVf7kaFGghtYIo9piswTogiqQKy349t:q8eCVTkaJhqIo9s37iTK24

Runtime Data

Usage (stdout):

Argument 'help' is unknown.

Signature

• Status: Signature verified.
• Serial: 3300000266BD1580EFA75CD6D3000000000266
• Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
• Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
• Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

• Original Filename: perfmon.exe.mui
• Product Name: Microsoft Windows Operating System
• Company Name: Microsoft Corporation
• File Version: 10.00
• Product Version: 10.00
• Language: English (United States)
• Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File	Score
C:\Windows\system32\perfmon.exe	66
C:\WINDOWS\system32\perfmon.exe	63
C:\WINDOWS\system32\perfmon.exe	52
C:\windows\system32\perfmon.exe	72
C:\Windows\system32\perfmon.exe	65
C:\Windows\system32\perfmon.exe	63
C:\WINDOWS\system32\resmon.exe	72
C:\windows\system32\resmon.exe	69
C:\Windows\system32\resmon.exe	69
C:\Windows\system32\resmon.exe	69
C:\Windows\system32\resmon.exe	72
C:\WINDOWS\system32\resmon.exe	72
C:\WINDOWS\SysWOW64\perfmon.exe	65
C:\WINDOWS\SysWOW64\perfmon.exe	66
C:\Windows\SysWOW64\perfmon.exe	65
C:\windows\SysWOW64\perfmon.exe	58
C:\Windows\SysWOW64\perfmon.exe	65
C:\WINDOWS\SysWOW64\resmon.exe	71
C:\windows\SysWOW64\resmon.exe	72
C:\Windows\SysWOW64\resmon.exe	72
C:\Windows\SysWOW64\resmon.exe	74
C:\WINDOWS\SysWOW64\resmon.exe	69
C:\Windows\SysWOW64\resmon.exe	69

Possible Misuse

The following table contains possible examples of perfmon.exe being misused. While perfmon.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source	Source File	Example	License
sigma	proc_access_win_cred_dump_lsass_access.yml	- 'C:\Windows\System32\perfmon.exe'	DRL 1.0
sigma	proc_access_win_susp_proc_access_lsass.yml	- 'C:\WINDOWS\System32\perfmon.exe'	DRL 1.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.

---

perfmon

Start Windows Reliability and Performance Monitor in a specific standalone mode.

Syntax

perfmon </res|report|rel|sys>

Parameters

Parameter	Description
/res	Starts the Resource View.
/report	Starts the System Diagnostics Data Collector Set and displays a report of the results.
/rel	Starts the Reliability Monitor.
/sys	Starts the Performance Monitor.

Additional References

• Command-Line Syntax Key

• Windows Performance Monitor

---

MIT License. Copyright (c) 2020-2021 Strontic.