winrs.exe

  • File Path: C:\Windows\system32\winrs.exe
  • Description: winrs

Hashes

Type Hash
MD5 653692B020379C04A0EAF74A48555998
SHA1 CE97172791F07189EC67D9A64C63E332F703598D
SHA256 6D4D5950D1EFFB6004AA02DDD9FE0B58E953EBFCEE6466E96C1051830D266B3D
SHA384 8890AD5D817C89E7DFFCDFC00F9CFA23DF7E48FDEE850C7E768F860566C069A6EDC13FD92A0B40F9A0F1DD3941AABE20
SHA512 2F5755727075618700023FC24D8B8561139108DB2A8D269F44FDCFBF7C75D6D448091CA9B511CB7B935668668F9B3306C6C8FF9D357DEF6B4B97DA98017CD073
SSDEEP 768:Q48+3C69UYjb0sRW4e7ckwcTNCJhb5jx08TzNskIVLQbFAPq/eAcDKKWteb:Qm9nhe71NCJDjx08StAsq/CKKWteb

Runtime Data

Usage (stdout):

For more information on a specific command, type HELP command-name
ASSOC          Displays or modifies file extension associations.
ATTRIB         Displays or changes file attributes.
BREAK          Sets or clears extended CTRL+C checking.
BCDEDIT        Sets properties in boot database to control boot loading.
CACLS          Displays or modifies access control lists (ACLs) of files.
CALL           Calls one batch program from another.
CD             Displays the name of or changes the current directory.
CHCP           Displays or sets the active code page number.
CHDIR          Displays the name of or changes the current directory.
CHKDSK         Checks a disk and displays a status report.
CHKNTFS        Displays or modifies the checking of disk at boot time.
CLS            Clears the screen.
CMD            Starts a new instance of the Windows command interpreter.
COLOR          Sets the default console foreground and background colors.
COMP           Compares the contents of two files or sets of files.
COMPACT        Displays or alters the compression of files on NTFS partitions.
CONVERT        Converts FAT volumes to NTFS.  You cannot convert the
               current drive.
COPY           Copies one or more files to another location.
DATE           Displays or sets the date.
DEL            Deletes one or more files.
DIR            Displays a list of files and subdirectories in a directory.
DISKPART       Displays or configures Disk Partition properties.
DOSKEY         Edits command lines, recalls Windows commands, and 
               creates macros.
DRIVERQUERY    Displays current device driver status and properties.
ECHO           Displays messages, or turns command echoing on or off.
ENDLOCAL       Ends localization of environment changes in a batch file.
ERASE          Deletes one or more files.
EXIT           Quits the CMD.EXE program (command interpreter).
FC             Compares two files or sets of files, and displays the 
               differences between them.
FIND           Searches for a text string in a file or files.
FINDSTR        Searches for strings in files.
FOR            Runs a specified command for each file in a set of files.
FORMAT         Formats a disk for use with Windows.
FSUTIL         Displays or configures the file system properties.
FTYPE          Displays or modifies file types used in file extension 
               associations.
GOTO           Directs the Windows command interpreter to a labeled line in 
               a batch program.
GPRESULT       Displays Group Policy information for machine or user.
GRAFTABL       Enables Windows to display an extended character set in 
               graphics mode.
HELP           Provides Help information for Windows commands.
ICACLS         Display, modify, backup, or restore ACLs for files and 
               directories.
IF             Performs conditional processing in batch programs.
LABEL          Creates, changes, or deletes the volume label of a disk.
MD             Creates a directory.
MKDIR          Creates a directory.
MKLINK         Creates Symbolic Links and Hard Links
MODE           Configures a system device.
MORE           Displays output one screen at a time.
MOVE           Moves one or more files from one directory to another 
               directory.
OPENFILES      Displays files opened by remote users for a file share.
PATH           Displays or sets a search path for executable files.
PAUSE          Suspends processing of a batch file and displays a message.
POPD           Restores the previous value of the current directory saved by 
               PUSHD.
PRINT          Prints a text file.
PROMPT         Changes the Windows command prompt.
PUSHD          Saves the current directory then changes it.
RD             Removes a directory.
RECOVER        Recovers readable information from a bad or defective disk.
REM            Records comments (remarks) in batch files or CONFIG.SYS.
REN            Renames a file or files.
RENAME         Renames a file or files.
REPLACE        Replaces files.
RMDIR          Removes a directory.
ROBOCOPY       Advanced utility to copy files and directory trees
SET            Displays, sets, or removes Windows environment variables.
SETLOCAL       Begins localization of environment changes in a batch file.
SC             Displays or configures services (background processes).
SCHTASKS       Schedules commands and programs to run on a computer.
SHIFT          Shifts the position of replaceable parameters in batch files.
SHUTDOWN       Allows proper local or remote shutdown of machine.
SORT           Sorts input.
START          Starts a separate window to run a specified program or command.
SUBST          Associates a path with a drive letter.
SYSTEMINFO     Displays machine specific properties and configuration.
TASKLIST       Displays all currently running tasks including services.
TASKKILL       Kill or stop a running process or application.
TIME           Displays or sets the system time.
TITLE          Sets the window title for a CMD.EXE session.
TREE           Graphically displays the directory structure of a drive or 
               path.
TYPE           Displays the contents of a text file.
VER            Displays the Windows version.
VERIFY         Tells Windows whether to verify that your files are written
               correctly to a disk.
VOL            Displays a disk volume label and serial number.
XCOPY          Copies files and directory trees.
WMIC           Displays WMI information inside interactive command shell.

For more information on tools see the command-line reference in the online help.

Usage (stderr):

Winrs.exe: Unrecognized switch "/h"
Use "winrs -?" to obtain the usage information

Signature

  • Status: Signature verified.
  • Serial: 33000000BCE120FDD27CC8EE930000000000BC
  • Thumbprint: E85459B23C232DB3CB94C7A56D47678F58E8E51E
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: winrs.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.14393.0 (rs1_release.160715-1616)
  • Product Version: 10.0.14393.0
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of winrs.exe being misused. While winrs.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source   Source File                                Example          License
sigma    win_susp_logon_explicit_credentials.yml    - '\winrs.exe'   DRL 1.0
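The Sigma rule cited above covers logons with explicit credentials, which Windows records as Security event 4648; that event is what running winrs with /u and /p produces on the operator's machine, with ProcessName pointing at winrs.exe. The following PowerShell is an added example, not part of this page or of the Sigma project: it parses 4648 events in their XML form and returns those whose ProcessName ends in \winrs.exe. The two events embedded in it are constructed for offline testing; the field names follow the 4648 event schema.

```powershell
# Added example: detect winrs.exe as the calling process of a Security 4648
# (logon with explicit credentials) event. Not from the Strontic page or the Sigma rule.

function Test-WinrsExplicitCredentialLogon {
    param(
        # One event in the XML form returned by EventLogRecord.ToXml()
        [Parameter(Mandatory, ValueFromPipeline)][string]$EventXml
    )
    process {
        $doc = [xml]$EventXml
        $ns  = New-Object System.Xml.XmlNamespaceManager -ArgumentList $doc.NameTable
        $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')

        $idNode = $doc.SelectSingleNode('/e:Event/e:System/e:EventID', $ns)
        if (-not $idNode -or [int]$idNode.InnerText -ne 4648) { return }

        # Flatten <Data Name="..."> elements into a hashtable keyed by Name
        $data = @{}
        foreach ($d in $doc.SelectNodes('/e:Event/e:EventData/e:Data', $ns)) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }

        # Backslash is literal in -like patterns, so this matches only a winrs.exe image path
        if ($data['ProcessName'] -like '*\winrs.exe') {
            [pscustomobject]@{
                Computer = $doc.SelectSingleNode('/e:Event/e:System/e:Computer', $ns).InnerText
                Subject  = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                Target   = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                Server   = $data['TargetServerName']
                Process  = $data['ProcessName']
            }
        }
    }
}

# Constructed sample 1: operator ran  winrs /r:fileserver01 /u:CORP\svc_backup /p:... dir
$winrsEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4648</EventID><Computer>WS01.corp.example</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">jsmith</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="TargetUserName">svc_backup</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="TargetServerName">fileserver01</Data>
    <Data Name="ProcessName">C:\Windows\System32\winrs.exe</Data>
    <Data Name="IpAddress">-</Data>
  </EventData>
</Event>
'@

# Constructed sample 2: a 4648 from a different process, which must not be reported
$otherEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4648</EventID><Computer>WS01.corp.example</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">jsmith</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="TargetUserName">jsmith-adm</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="TargetServerName">localhost</Data>
    <Data Name="ProcessName">C:\Windows\System32\consent.exe</Data>
    <Data Name="IpAddress">-</Data>
  </EventData>
</Event>
'@

# Only the first sample is returned
$winrsEvent, $otherEvent | Test-WinrsExplicitCredentialLogon | Format-Table -AutoSize

# Live use on a host whose Security log the caller can read (Administrators):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4648 } -ErrorAction SilentlyContinue |
#     ForEach-Object { $_.ToXml() } | Test-WinrsExplicitCredentialLogon
```

Event 4648 is written on the machine where winrs was launched, not on the target, so this has to run on (or collect from) workstations and jump hosts. Legitimate administrators also trigger it; the value is in the Subject/Target pairing and the TargetServerName, which is why the function surfaces those rather than just flagging the process name.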

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


winrs

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Windows Remote Management (WinRM) allows you to manage and execute programs remotely. winrs (Windows Remote Shell) is the command-line client that opens a shell on a remote endpoint over WinRM and runs a command in it.

Syntax

winrs [/<parameter>[:<value>]] <command>

Parameters

  • /remote:<endpoint>  Specifies the target endpoint using a NetBIOS name or the standard connection URL: [<transport>://]<target>[:<port>]. If not specified, /r:localhost is used.
  • /unencrypted  Specifies that the messages to the remote shell will not be encrypted. This is useful for troubleshooting, when the network traffic is already encrypted using IPsec, or when physical security is enforced. By default, the messages are encrypted using Kerberos or NTLM keys. This option is ignored when the HTTPS transport is selected.
  • /username:<username>  Specifies the username on the command line. If not specified, the tool will use Negotiate authentication or prompt for the name. If /username is specified, /password must also be specified (or will be prompted for; see below).
  • /password:<password>  Specifies the password on the command line. If /password is not specified but /username is, the tool will prompt for the password. If /password is specified, /username must also be specified.
  • /timeout:<seconds>  This option is deprecated.
  • /directory:<path>  Specifies the starting directory for the remote shell. If not specified, the remote shell will start in the user's home directory defined by the environment variable %USERPROFILE%.
  • /environment:<string>=<value>  Specifies a single environment variable to be set when the shell starts, which allows changing the default environment for the shell. Use multiple occurrences of this switch to specify multiple environment variables.
  • /noecho  Specifies that echo should be disabled. This may be necessary to ensure that the user's answers to remote prompts are not displayed locally. By default echo is on.
  • /noprofile  Specifies that the user's profile should not be loaded. By default, the server will attempt to load the user profile. If the remote user is not a local administrator on the target system, this option is required (the default will result in an error).
  • /allowdelegate  Specifies that the user's credentials can be used to access a remote share, for example one found on a different machine than the target endpoint.
  • /compression  Turns on compression. It is off by default, since older installations on remote machines may not support it.
  • /usessl  Uses an SSL connection to the remote endpoint. Specifying this instead of the https: transport connects to the default WinRM port for HTTPS.
  • /?  Displays help at the command prompt.

Remarks

  • All command-line options accept either short form or long form. For example both /r and /remote are valid.
  • To terminate the remote command, type Ctrl-C or Ctrl-Break, which is sent to the remote shell. A second Ctrl-C forces termination of winrs.exe itself.
  • To manage active remote shells or winrs configuration, use the WinRM tool. The URI alias to manage active shells is shell/cmd. The URI alias for winrs configuration is winrm/config/winrs.

Examples

winrs /r:https://contoso.com command
winrs /r:contoso.com /usessl command
winrs /r:myserver command
winrs /r:http://127.0.0.1 command
winrs /r:http://169.51.2.101:80 /unencrypted command
winrs /r:https://[::FFFF:129.144.52.38] command
winrs /r:http://[1080:0:0:0:8:800:200C:417A]:80 command
winrs /r:https://contoso.com /t:600 /u:administrator /p:$%fgh7 ipconfig
winrs /r:myserver /env:path=^%path^%;c:\tools /env:TEMP=d:\temp config.cmd
winrs /r:myserver netdom join myserver /domain:testdomain /userd:johns /passwordd:$%fgh789
winrs /r:myserver /ad /u:administrator /p:$%fgh7 dir \\anotherserver\share
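Two of the examples above pass a password on the command line with /p. That string is visible to anyone who can read the process's command line and is captured by process-creation auditing, and it is exactly the pattern the Possible Misuse table flags. The following PowerShell wrapper is an added example, not from the Microsoft documentation quoted here: it opens the remote shell over HTTPS, skips profile loading (required for non-administrators on the target), and, when a different account is needed, passes only /u so that winrs prompts for the password itself. myserver, CORP\admin and C:\tools are placeholders.

```powershell
# Added example (not Microsoft's code): a winrs wrapper that never puts a password
# on the command line and defaults to HTTPS and /noprofile.

function Invoke-Winrs {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        # Everything not bound to a named parameter becomes the remote command line
        [Parameter(Mandatory, ValueFromRemainingArguments)][string[]]$Command,
        [string]$UserName,                 # winrs prompts for the password when only /u is given
        [string]$Directory,                # maps to /directory
        [hashtable]$Environment = @{},     # one /environment switch per entry
        [switch]$AllowDelegate,            # maps to /allowdelegate (/ad)
        [switch]$PlainHttp                 # troubleshooting only; messages stay Kerberos/NTLM-encrypted
    )

    $winrsArgs = @()
    # HTTPS transport unless the caller explicitly opts into HTTP; /unencrypted is never emitted
    if ($PlainHttp) { $winrsArgs += "/r:http://$ComputerName" }
    else            { $winrsArgs += "/r:https://$ComputerName" }

    $winrsArgs += '/noprofile'
    if ($UserName)      { $winrsArgs += "/u:$UserName" }             # no /p: winrs will prompt
    if ($Directory)     { $winrsArgs += "/directory:$Directory" }
    if ($AllowDelegate) { $winrsArgs += '/ad' }
    foreach ($name in $Environment.Keys) {
        # PowerShell does not expand %VAR%, so the remote shell receives it verbatim
        $winrsArgs += "/environment:$name=$($Environment[$name])"
    }
    $winrsArgs += $Command

    # Safe to log: the argument list never contains a password
    Write-Verbose ('winrs ' + ($winrsArgs -join ' '))

    & winrs.exe @winrsArgs
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "winrs exited with code $LASTEXITCODE"
    }
}

# Run ipconfig on myserver as the current (Kerberos) identity over HTTPS
Invoke-Winrs -ComputerName myserver -Verbose ipconfig /all

# Same target as a different account (password prompted), with C:\tools appended to PATH remotely
Invoke-Winrs -ComputerName myserver -UserName 'CORP\admin' -Environment @{ PATH = '%PATH%;C:\tools' } whoami

# Access a share on a third machine from the remote shell; needs credential delegation
Invoke-Winrs -ComputerName myserver -AllowDelegate dir \\anotherserver\share
```

The HTTPS default only works if a WinRM HTTPS listener exists on the target; on a host with only the HTTP listener, use -PlainHttp and rely on the Kerberos/NTLM message encryption the documentation describes, rather than reaching for /unencrypted. The winrm tool mentioned in the Remarks shows what the wrapper leaves behind: winrm enumerate shell/cmd -r:myserver lists the shells currently open on the target, and winrm get winrm/config/winrs -r:myserver shows the service-side limits they run under.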

MIT License. Copyright (c) 2020-2021 Strontic.