perfmon.exe

  • File Path: C:\Windows\system32\perfmon.exe
  • Description: Resource and Performance Monitor

Hashes

Type Hash
MD5 D761794B0779B9951349E2F2507B25BC
SHA1 F766CCBECB7A281B6D5B0EBC9D7D155F2B803D6B
SHA256 71FEFCF8B3882C305875888F52E7253674D7F4F0323633480FEA51EB630AEDBA
SHA384 4E37DDE91DDAEB25FAE991519BEE3AE854CE1664F0FABBD4BE69A817777F6FA81CFF3D15317026C75D1CD484E9A456F6
SHA512 F5F1B098A25578BA2D16AE6774036CA6A5BCD8F5A0851F20EDEC6D6A064AA5C28A61FEEAC29827E89A94F576AF012E7D9CAD516ADCBE8365D29C22C948FEE31B
SSDEEP 3072:QkwW3lFIbDZqg6d+GRRTGghtYIo9piswTogiqQKy349:Qel+Zqg6dRhhqIo9s37iTK24

Runtime Data

Usage (stdout):

Argument 'help' is unknown.

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: perfmon.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.00
  • Product Version: 10.00
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Windows\system32\perfmon.exe 65
C:\WINDOWS\system32\perfmon.exe 61
C:\WINDOWS\system32\perfmon.exe 47
C:\windows\system32\perfmon.exe 74
C:\Windows\system32\perfmon.exe 58
C:\WINDOWS\system32\resmon.exe 71
C:\windows\system32\resmon.exe 68
C:\Windows\system32\resmon.exe 69
C:\Windows\system32\resmon.exe 68
C:\Windows\system32\resmon.exe 72
C:\WINDOWS\system32\resmon.exe 66
C:\WINDOWS\SysWOW64\perfmon.exe 66
C:\WINDOWS\SysWOW64\perfmon.exe 61
C:\Windows\SysWOW64\perfmon.exe 63
C:\windows\SysWOW64\perfmon.exe 61
C:\Windows\SysWOW64\perfmon.exe 63
C:\Windows\SysWOW64\perfmon.exe 61
C:\WINDOWS\SysWOW64\resmon.exe 69
C:\windows\SysWOW64\resmon.exe 72
C:\Windows\SysWOW64\resmon.exe 69
C:\Windows\SysWOW64\resmon.exe 69
C:\WINDOWS\SysWOW64\resmon.exe 66
C:\Windows\SysWOW64\resmon.exe 69

Possible Misuse

The following table contains possible examples of perfmon.exe being misused. While perfmon.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source | Source File | Example | License
sigma | proc_access_win_cred_dump_lsass_access.yml | - 'C:\Windows\System32\perfmon.exe' | DRL 1.0
sigma | proc_access_win_susp_proc_access_lsass.yml | - 'C:\WINDOWS\System32\perfmon.exe' | DRL 1.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


perfmon

Start Windows Reliability and Performance Monitor in a specific standalone mode.

Syntax

perfmon </res|report|rel|sys>

Parameters

Parameter | Description
/res | Starts the Resource View.
/report | Starts the System Diagnostics Data Collector Set and displays a report of the results.
/rel | Starts the Reliability Monitor.
/sys | Starts the Performance Monitor.


MIT License. Copyright (c) 2020-2021 Strontic.