refsutil.exe
- File Path:
C:\Windows\system32\refsutil.exe - Description: refsutil.exe
Hashes
| Type | Hash |
|---|---|
| MD5 | 6301E5218642F0FE78A4995EF0F976D5 |
| SHA1 | 66FA89D85B279207EC1394B95BD0BD4FFBB4F8E8 |
| SHA256 | CE4B9871E0C700095E53BAEC341B8BEA5C4B6D5046561594E5A88F90BBA9E2B5 |
| SHA384 | A3D5D526AD59AA26AD58DCF70ADED66B46013090ACBA2E083FDE5ADEBF60F69F90E21D2BEB6D979D6D45B0D7A25690CC |
| SHA512 | 91DCFA64D627732415E9783FC293DA074A2FA8C673099806F32244D56B543F5C72C20DF2F48529939D9A80657849365DD6F91C6FDE24B65757A3F13D408E997F |
| SSDEEP | 24576:gA7zUA6luPPxxJFuSGzQi9Cnu4eBJbZmB:g4AA6oPPxxJFuSW3Eu4ezFmB |
| IMP | 7398FDC9F8A8D73CB40BE75B53BCBE28 |
| PESHA1 | F3616828EF23E56633616351079E20A6221166F6 |
| PE256 | 6C2A4C8B493E595357917E8B8335CEF1F294255999E9314C687335184B620511 |
Runtime Data
Usage (stdout):
---- Commands Supported ----
fixboot Repair boot sectors
leak Leak Detection and Fixing
salvage Salvage operations for corrupt volume
triage Handle corruptions
Loaded Modules:
| Path |
|---|
| C:\Windows\System32\KERNEL32.DLL |
| C:\Windows\System32\KERNELBASE.dll |
| C:\Windows\SYSTEM32\ntdll.dll |
| C:\Windows\system32\refsutil.exe |
Signature
- Status: Signature verified.
- Serial:
33000002EC6579AD1E670890130000000002EC - Thumbprint:
F7C2F2C96A328C13CDA8CDB57B715BDEA2CBD1D9 - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: refsutil.exe.mui
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.19041.1151 (WinBuild.160101.0800)
- Product Version: 10.0.19041.1151
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 64-bit
File Scan
- VirusTotal Detections: 0/72
- VirusTotal Link: https://www.virustotal.com/gui/file/ce4b9871e0c700095e53baec341b8bea5c4b6d5046561594e5a88f90bba9e2b5/detection
Additional Info*
*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.
ReFSUtil
Applies to: Windows Server 2022, Windows Server 2019, Windows 10
ReFSUtil is a tool included in Windows and Windows Server that attempts to diagnose heavily damaged ReFS volumes, identify remaining files, and copy those files to another volume. This comes in Windows 10 in the %SystemRoot%\Windows\System32 folder or in Windows Server in the %SystemRoot%\System32 folder.
ReFS salvage is the primary function of ReFSUtil, and is useful for recovering data from volumes that show as RAW in Disk Management. ReFS Salvage has two phases: Scan Phase and a Copy Phase. In automatic mode, the Scan Phase and Copy Phase will run sequentially. In manual mode, each phase can be run separately. Progress and logs are saved in a working directory to allow phases to be run separately as well as Scan Phase to be paused and resumed. You shouldn’t need to use the ReFSutil tool unless the volume is RAW. If read-only, then data is still accessible.
Parameters
| Parameter | Description |
|---|---|
<source volume> |
Specifies the ReFS volume to process. The drive letter must be formatted as “L:”, or you must provide a path to the volume mount point. |
<working directory> |
Specifies the location to store temporary information and logs. It must not be located on the <source volume>. |
<target directory> |
Specifies the location where identified files are copied to. It must not be located on the <source volume>. |
| -m | Recovers all possible files including deleted ones.<p>WARNING: Not only does this parameter cause the process to take longer to run, but it can also lead to unexpected results. |
| -v | Specifies to use verbose mode. |
| -x | Forces the volume to dismount first, if necessary. All opened handles to the volume are then invalid. For example, refsutil salvage -QA R: N:\WORKING N:\DATA -x. |
Usage and available options
Quick automatic mode command line usage
Performs a Quick Scan Phase followed by a Copy Phase. This mode runs quicker as it assumes some critical structures of the volume aren’t corrupted and so there’s no need to scan the entire volume to locate them. This also reduces the recovery of stale files/directories/volumes.
refsutil salvage -QA <source volume> <working directory> <target directory> <options>
Full automatic mode command line usage
Performs a Full Scan Phase followed by a Copy Phase. This mode may take a long time as it will scan the entire volume for any recoverable files/directories/volumes.
refsutil salvage -FA <source volume> <working directory> <target directory> <options>
Diagnose phase command line usage (manual mode)
First, try to determine if the <source volume> is an ReFS volume and determine if the volume is mountable. If a volume isn’t mountable, the reason(s) will be provided. This is a standalone phase.
refsutil salvage -D <source volume> <working directory> <options>
Quick Scan phase command line usage
Performs a Quick Scan of the <source volume> for any recoverable files. This mode runs quicker as it assumes some critical structures of the volume are not corrupted and so there’s no need to scan the entire volume to locate them. This also reduces the recovery of stale files/directories/volumes. Discovered files are logged to the foundfiles.<volume signature>.txt file, located in your <working directory>. If the Scan Phase was previously stopped, running with the -QS flag again resumes the scan from where it left off.
refsutil salvage -QS <source volume> <working directory> <options>
Full Scan phase command line usage
Scans the entire <source volume> for any recoverable files. This mode may take a long time as it will scan the entire volume for any recoverable files. Discovered files will be logged to the foundfiles.<volume signature>.txt file, located in your <working directory>. If the Scan Phase was previously stopped, running with the -FS flag again resumes the scan from where it left off.
refsutil salvage -FS <source volume> <working directory> <options>
Copy phase command line usage
Copies all files described in the foundfiles.<volume signature>.txt file to your <target directory>. If you stop the Scan Phase too early, it’s possible that the the foundfiles.<volume signature>.txt file might not yet exist, so no file is copied to the <target directory>.
refsutil salvage -C <source volume> <working directory> <target directory> <options>
Copy phase with list command line usage
Copies all the files in the <file list> from the <source volume> to your <target directory>. The files in the <file list> must have first been identified by the Scan Phase, though the scan need not have been run to completion. The <file list> can be generated by copying foundfiles.<volume signature>.txt to a new file, removing lines referencing files that shouldn’t be restored, and preserving files that should be restored. The PowerShell cmdlet Select-String may be helpful in filtering foundfiles.<volume signature>.txt to only include desired paths, extensions, or file names.
refsutil salvage -SL <source volume> <working directory> <target directory> <file list> <options>
Copy phase with interactive console
Advanced users can salvage files using an interactive console. This mode also requires files generated from either of the Scan Phases.
refsutil salvage -IC <source volume> <working directory> <options>
Additional References
MIT License. Copyright (c) 2020-2021 Strontic.