perfmon.exe

  • File Path: C:\windows\system32\perfmon.exe
  • Description: Resource and Performance Monitor

Hashes

| Type | Hash |
| --- | --- |
| MD5 | CB1511A4E14C072450E5A61BD74859E3 |
| SHA1 | 9FD0DCC07AA539A6590D4C73886DAA4664126D07 |
| SHA256 | 5898266DF2C54E2F0555D97CC11FBF4707AFE2E991B1A86C1EE7F14F9CA5FA4D |
| SHA384 | CCF9EBE3A771B3CD323BA65083E656AB3BE4888F1ED2D937A904A040247419DEF39EB22B70C542868BC174756D4CE389 |
| SHA512 | AF80549E39DB68AE65E9F869875ED7F3FFA1281EFBD2CB2B271E19B8CD941F5FB3DD55E3607F7A027282A0457323EBF22294C4E24C1F06B04ECD1E7C55555BC1 |
| SSDEEP | 3072:MRra4at1xbcghtYIo9piswTogiqQKy349b:eYxZhqIo9s37iTK24 |

Signature

  • Status: The file C:\windows\system32\perfmon.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
  • Serial: ``
  • Thumbprint: ``
  • Issuer:
  • Subject:

File Metadata

  • Original Filename: perfmon.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
  • Product Version: 6.3.9600.16384
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

| File | Score |
| --- | --- |
| C:\Windows\system32\perfmon.exe | 69 |
| C:\WINDOWS\system32\perfmon.exe | 69 |
| C:\WINDOWS\system32\perfmon.exe | 46 |
| C:\Windows\system32\perfmon.exe | 66 |
| C:\Windows\system32\perfmon.exe | 74 |
| C:\WINDOWS\system32\resmon.exe | 79 |
| C:\windows\system32\resmon.exe | 79 |
| C:\Windows\system32\resmon.exe | 79 |
| C:\Windows\system32\resmon.exe | 74 |
| C:\Windows\system32\resmon.exe | 75 |
| C:\WINDOWS\system32\resmon.exe | 79 |
| C:\WINDOWS\SysWOW64\perfmon.exe | 72 |
| C:\WINDOWS\SysWOW64\perfmon.exe | 69 |
| C:\Windows\SysWOW64\perfmon.exe | 79 |
| C:\windows\SysWOW64\perfmon.exe | 71 |
| C:\Windows\SysWOW64\perfmon.exe | 72 |
| C:\Windows\SysWOW64\perfmon.exe | 66 |
| C:\WINDOWS\SysWOW64\resmon.exe | 80 |
| C:\windows\SysWOW64\resmon.exe | 75 |
| C:\Windows\SysWOW64\resmon.exe | 75 |
| C:\Windows\SysWOW64\resmon.exe | 77 |
| C:\WINDOWS\SysWOW64\resmon.exe | 75 |
| C:\Windows\SysWOW64\resmon.exe | 79 |

Possible Misuse

The following table contains possible examples of perfmon.exe being misused. While perfmon.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
| --- | --- | --- | --- |
| sigma | proc_access_win_cred_dump_lsass_access.yml | - 'C:\Windows\System32\perfmon.exe' | DRL 1.0 |
| sigma | proc_access_win_susp_proc_access_lsass.yml | - 'C:\WINDOWS\System32\perfmon.exe' | DRL 1.0 |

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


perfmon

Start Windows Reliability and Performance Monitor in a specific standalone mode.

Syntax

perfmon </res|report|rel|sys>

Parameters

| Parameter | Description |
| --- | --- |
| /res | Starts the Resource View. |
| /report | Starts the System Diagnostics Data Collector Set and displays a report of the results. |
| /rel | Starts the Reliability Monitor. |
| /sys | Starts the Performance Monitor. |

MIT License. Copyright (c) 2020-2021 Strontic.