ru64.exe

  • File Path: C:\SysinternalsSuite\ru64.exe
  • Description: Registry size usage reporter

Hashes

Type Hash
MD5 DECF51343743702EDF309E8EBAC4542A
SHA1 46C6DB6E6A15B8FE3582BA50FFE77BC48DBE9593
SHA256 C48A4859AC614ED008BEC1CEE58E85EC23272538A4ED73823A2050E2E048E0FC
SHA384 C020A7356088B5018445DE907BDAF9178AE0C19E6418022EFCDA27D742B7AD41801D5419D8DBCD0093E91475F8B9B4DC
SHA512 9FE1A6FB4B07B4125AA36603BA077F3CC43A965E8A6FEE9D87BC114C77925D7593E3309EFF09204DB26A3E2531FD5473D49447653CF01512E5F18235F929108C
SSDEEP 6144:YuoZsBzkWeXrY4ZINw2Li/e29u0ef9FpsyFwCDGwcD6SyF4I8YiWbEeqymSKBh/8:YuMsBt94Zf9u0ef9FpsyFMDKFASvnX
IMP 883DF0A8FE04D10C456FA1A0D219F93C
PESHA1 959B811C26AB93C2E9E17CEBA5FA0A3E3566DE2B
PE256 861F64032600B7E9A36AD934C4A1F65E29FE316FFD6766ED7F04EB25E157AA86

Runtime Data

Usage (stdout):


Ru v1.2 - Registry size usage reporter
Copyright (C) 2013-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

usage: ru64 [-c[t]] [-l <levels> | -n | -v] [-q] <absolute path>
usage: ru64 [-c[t]] [-l <levels> | -n | -v] [-q] -h <hive file> [relative path]
   -c     Print output as CSV. Specify -ct for tab delimiting.
          Specify -nobanner to avoid banner being output to CSV
   -h     Load the specified hive file, perform the size calculation, then
          unload it and compress it.
   -l     Specify subkey depth of information (default is one level).
   -n     Do not recurse.
   -v     Show size of all subkeys.
   -nobanner
          Do not display the startup banner and copyright message.

CSV output is formatted as:
Path,CurrentValueCount,CurrentValueSize,ValueCount,KeyCount,KeySize,WriteTime

Usage (stderr):

The Registry path specified is not valid: c:\temp\strontic-xcyclopedia\notepad.exe

Loaded Modules:

Path
C:\SysinternalsSuite\ru64.exe
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\SYSTEM32\ntdll.dll

Signature

  • Status: Signature verified.
  • Serial: 3300000187721772155940C709000000000187
  • Thumbprint: 2485A7AFA98E178CB8F30C9838346B514AEA4769
  • Issuer: CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: Regsize1
  • Product Name: Sysinternals Ru
  • Company Name: Sysinternals - www.sysinternals.com
  • File Version: 1.2
  • Product Version: 1.2
  • Language: English (United States)
  • Legal Copyright: Copyright (C) 2013-2016 Mark Russinovich
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/68
  • VirusTotal Link: https://www.virustotal.com/gui/file/c48a4859ac614ed008bec1cee58e85ec23272538a4ed73823a2050e2e048e0fc/detection/

Possible Misuse

The following table contains possible examples of ru64.exe being misused. While ru64.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_false_sysinternalsuite.yml - '\ru64.exe' DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.