stordiag.exe
- File Path: C:\WINDOWS\system32\stordiag.exe
- Description:
Hashes

| Type | Hash |
|---|---|
| MD5 | 274CE0986C0B644035BBB28FE6BBC9B2 |
| SHA1 | 2C0ECD330EE9F5FD6F0FE1D138562CB83668E96C |
| SHA256 | CAEBDBA030A9458F6ECB452FAF79A6A3E19A666E16471F12AC26017714CB1A2A |
| SHA384 | 93DE58FF8103535AD3E70BE372A777AB1ECF7D35B57FFD8D2CCBF949199C9332FA6FDEBCC7398BAF3DD938FC2D12386B |
| SHA512 | 2E10CA5AE19ACA0A1F8D29823C1C50872662F3F09BFA68EF81668474D0C22F6591DD2F34634A542F1EEED543B94A3F634E630359323E837189D1B0BBC2057E08 |
| SSDEEP | 3072:1VzhKuWZfRvY7V//e3jzl5b9zd4HZJRFgvbmYq:1zR+3HfbfsV |
| IMP | F34D5F2D4577ED6D9CEEC516C1F5A744 |
| PESHA1 | 02F85B54D1E724467A071DC7DBCDE229EBA0FCC4 |
| PE256 | 863AC88F7E57DD1E03BE9FCF434F0AB09A013B3C1382581AFD8CEFD005BF4B33 |
Runtime Data
Usage (stdout):
Collects storage and filesystem diagnostic logs and outputs them to a folder.
StorDiag [-collectEtw] [-out <PATH>]
-collectEtw Collect a 30-second long ETW trace if run from an elevated session
-collectPerf Collect disk performance counters
-collectStorageBreakdown Collect system volume used space breakdown
-checkFSConsistency Checks for the consistency of the NTFS file system
-diagnostic outputs a storage diagnostic report
-bootdiag output boot sectors of the disk
-driverdiag output avaliable storport and storahci logs
-out <PATH> Specify the output path. If not specified, logs are saved to %TEMP%\StorDiag
Child Processes:
conhost.exe
Open Handles:

| Path | Type |
|---|---|
| (R--) C:\Users\user\AppData\Local\Temp\StorDiag\PSLogs.txt | File |
| (R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll | File |
| (R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll | File |
| (R-D) C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | File |
| (R-D) C:\Windows\System32\en-US\crypt32.dll.mui | File |
| (R-D) C:\Windows\System32\en-US\mpr.dll.mui | File |
| (R-D) C:\Windows\System32\en-US\winnlsres.dll.mui | File |
| (RW-) C:\Windows\System32 | File |
| ...\Cor_SxSPublic_IPCBlock | Section |
| \BaseNamedObjects__ComCatalogCache__ | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro | Section |
| \BaseNamedObjects\Cor_Private_IPCBlock_v4_9424 | Section |
| \Sessions\2\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 | Section |
| \Sessions\2\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 | Section |
| \Sessions\2\BaseNamedObjects\windows_shell_global_counters | Section |
Loaded Modules:

| Path |
|---|
| C:\WINDOWS\System32\KERNEL32.dll |
| C:\WINDOWS\System32\KERNELBASE.dll |
| C:\WINDOWS\SYSTEM32\MSCOREE.DLL |
| C:\WINDOWS\SYSTEM32\ntdll.dll |
| C:\WINDOWS\system32\stordiag.exe |
Signature
- Status: Signature verified.
- Serial: 33000002ED2C45E4C145CF48440000000002ED
- Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
- Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Original Filename: stordiag_managed.exe
- Product Name: Microsoft (R) Windows (R) Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.22000.1
- Product Version: 10.0.22000.1
- Language: Language Neutral
- Legal Copyright: Copyright (c) Microsoft Corporation. All rights reserved.
- Machine Type: 32-bit
File Scan
- VirusTotal Detections: 0/74
- VirusTotal Link: https://www.virustotal.com/gui/file/caebdba030a9458f6ecb452faf79a6a3e19a666e16471f12ac26017714cb1a2a/detection
File Similarity (ssdeep match)
Possible Misuse
The following table contains possible examples of stordiag.exe being misused. While stordiag.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
MIT License. Copyright (c) 2020-2021 Strontic.