winrshost.exe

  • File Path: C:\windows\system32\winrshost.exe
  • Description: Host Process for WinRM’s Remote Shell plugin

Hashes

Type    Hash
MD5     C4FFB616FE5B81E61F70073732CBBB81
SHA1    E25A9835F02E2149C6153DA3DF3D680BA7442B37
SHA256  8142A15194183BAB9FE1967ABD0961D633D6030D3753099A67150F9C4AB6D4FB
SHA384  0964B338D52F83C032DC386A8AC3CCBB6DD3315A2A368BFBE06797A2683170B1317D6C1D46A56BEAEEFA4B32D3C2BF6C
SHA512  19D69A2B7F507C4D78C4BC13EC7CFA393FA2EBA3CE29427086222B07D862253CBA5F11935C7CEE6FAAC7F6B57C6BC5DE8D36F1BC3A64CFA4E5AFDD9AB6365F80
SSDEEP  384:HtuAKt4M0my5c55oQaAsLIDHf2Y1f1OwqUY17lC4YHZiOiE0ACrMsLGpr37w0Rc1:H2RB/seQwqUL4CZiOiEKzLOHRcTD

Signature

  • Status: The file C:\windows\system32\winrshost.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
  • Serial:
  • Thumbprint:
  • Issuer:
  • Subject:

File Metadata

  • Original Filename: winrshost.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 6.3.9600.17415 (winblue_r4.141028-1500)
  • Product Version: 6.3.9600.17415
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of winrshost.exe being misused. While winrshost.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source  Source File                          Example             License
sigma   image_load_in_memory_powershell.yml  - '\winrshost.exe'  DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.