wpr.exe
- File Path:
C:\Windows\system32\wpr.exe
- Description: Microsoft Windows Performance Recorder
Hashes
| Type |
Hash |
| MD5 |
6E4BF60ABB6F9373D5C795D7CD7EDF68 |
| SHA1 |
A78B4AEF2DE0EC9675C92FFAABAFA438B79FE576 |
| SHA256 |
30940147D6C68C79C9CB8E56CEDB4DAA4F025EDDF1134274DE90DD39D0D8EAD0 |
| SHA384 |
A7E008CC9393C194FD46AA6B762920950A51FC613E0A784A93F93B3AC48128D0F049DC6B37BFA7873830D389F7F4B6B1 |
| SHA512 |
0F993938797ADFE1E13457A4777946B65679EBD9AEBC84F64D12170E0948596022CE25A3C57C0ED216AF1A957BE5672AEE57B920B26A2416CA74B9B2AC338247 |
| SSDEEP |
6144:egtvJfDldaBXZd0PaHw/kDeuiEKvK5cnbhbYg06X0R:JZJfreXZd0pseuiIS//E |
| IMP |
E61CD2AA90474CA9DFFAD3043C7DA49E |
| PESHA1 |
E6E806F059535CDAA2655ADEF8979FCD518309C3 |
| PE256 |
D661C1CB218965082FDF827B3ACB8BF7E966E06B098218E1DB70DFC0284BB6AC |
Runtime Data
Usage (stdout):
Microsoft Windows Performance Recorder Version 10.0.19041 (CoreSystem)
Copyright (c) 2019 Microsoft Corporation. All rights reserved.
Usage: wpr options ...
-help - Provide command line help information
-profiles - Enumerates the profile names and descriptions from a profile file
-purgecache - Purges the dynamic symbols cache
-start - Starts one or more profiles
-marker - Fires an event marker
-markerflush - Fires an event marker and flushes the working set
-status - Displays status on active recording (if any)
-profiledetails - Displays the detailed information about a set of profiles
-providers - Displays detailed information about providers
-cancel - Cancels recording initiated via WPR (if any)
-stop - Stops recording initiated via WPR (if any) and saves
-flush - Flushes logging sessions initiated through WPR (if any)
-log - Configure debug logging to the event log
-disablepagingexecutive - Change the Disable Paging Executive settings
-heaptracingconfig - Change heap tracing settings for a process
-snapshotconfig - Change snapshot settings for a process
-capturestateondemand - Capture states for the configured providers in the current recording
-pmcsources - Query the list of hardware counters available on the system
-setprofint - Set sampled profile interval
-profint - Query the current profile interval
-resetprofint - Restores the default profile interval values
-boottrace - Configures the registry entries for autologger/globallogger sessions
-enableperiodicsnapshot - Enable Periodic Snapshot for the specified interval and given process id
-disableperiodicsnapshot - Disable Periodic Snapshot for all process
-singlesnapshot - On demand Snapshot for the specified process
-instancename - Specifies a name to uniquely identify the tracing instance.
Useful when managing multiple concurrent wpr sessions. Must be last parameter.
Usage (stderr):
Invalid command syntax.
Error code: 0xc5600602
Invalid option: --help
Loaded Modules:
| Path |
| C:\Windows\System32\KERNEL32.DLL |
| C:\Windows\System32\KERNELBASE.dll |
| C:\Windows\SYSTEM32\ntdll.dll |
| C:\Windows\system32\wpr.exe |
Signature
- Status: Signature verified.
- Serial:
3300000266BD1580EFA75CD6D3000000000266
- Thumbprint:
A4341B9FD50FB9964283220A36A1EF6F6FAA7840
- Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Original Filename: WPR.exe
- Product Name: Microsoft Windows Performance Recorder
- Company Name: Microsoft Corporation
- File Version: 10.0.19041.329 (WinBuild.160101.0800)
- Product Version: 10.0.19041.329
- Language: English (United States)
- Legal Copyright: 2019 Microsoft Corporation. All rights reserved.
- Machine Type: 64-bit
File Scan
- VirusTotal Detections: 0/72
- VirusTotal Link: https://www.virustotal.com/gui/file/30940147d6c68c79c9cb8e56cedb4daa4f025eddf1134274de90dd39d0d8ead0/detection
File Similarity (ssdeep match)
Possible Misuse
The following table contains possible examples of wpr.exe being misused. While wpr.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
MIT License. Copyright (c) 2020-2021 Strontic.