wsmprovhost.exe

  • File Path: C:\WINDOWS\SysWOW64\wsmprovhost.exe
  • Description: Host process for WinRM plug-ins

Hashes

Type Hash
MD5 2939BE15226596225F58EABA9DF0249C
SHA1 4749F4C1D39D60A933F8B22A15F157CD4683BAF4
SHA256 BE89A0D58492D069421042385A5527673DFB0BC03304A1B1790044F0B9F52733
SHA384 CAFC9CFB87E023762242554FA6BE94AC931126492F1E1E65C661F329CB7D4A03101E8408CD92A825B479BAB9670BDAA8
SHA512 E4DBE91C8E112B81BA964796C0132B87EFD22257E45AA20B64320B5C80BCF9FE42A48AF600C5D7221AF7D9C1FB369BE21242EBCDD89AB27EA6938711685F494C
SSDEEP 384:heIsKmxRFccvoq8mI9JdkPkzYvpsdtP/bD36Y3QcOi3E7vt3qxiQqbiW7PfWRtE:MIlURrZPR0Nzqc/c3eiPbv46
IMP 2A22F824F59FF9009353E613421FE8BE
PESHA1 9504A4C3B6C86C915017AC7A1E2916158C1C42C7
PE256 BD93A67C3383096E68CF9B6388404D9FD51E11F5F0EDBCFA0D0E3CF431B1FAD8

Runtime Data

Open Handles:

Path Type
(R-D) C:\Windows\SysWOW64\en-US\user32.dll.mui File
(RW-) C:\Windows File
(RW-) C:\Windows\SysWOW64 File
\BaseNamedObjects__ComCatalogCache__ Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro Section
\Sessions\2\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\Sessions\2\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\2\Windows\Theme1077709572 Section
\Windows\Theme3461253685 Section

Loaded Modules:

Path
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\System32\wow64.dll
C:\WINDOWS\System32\wow64base.dll
C:\WINDOWS\System32\wow64con.dll
C:\WINDOWS\System32\wow64cpu.dll
C:\WINDOWS\System32\wow64win.dll
C:\WINDOWS\SysWOW64\wsmprovhost.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: wsmprovhost.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.282 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.282
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: Unknown

Possible Misuse

The following table contains possible examples of wsmprovhost.exe being misused. While wsmprovhost.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma image_load_in_memory_powershell.yml - '\wsmprovhost.exe' DRL 1.0
sigma pipe_created_alternate_powershell_hosts_pipe.yml - '\WINDOWS\System32\wsmprovhost.exe' DRL 1.0
sigma pipe_created_susp_adfs_namedpipe_connection.yml - '\wsmprovhost.exe' DRL 1.0
sigma posh_pc_remote_powershell_session.yml HostApplication\|contains: 'wsmprovhost.exe' DRL 1.0
sigma posh_pm_remote_powershell_session.yml - 'wsmprovhost.exe' # HostApplication\|contains: 'wsmprovhost.exe' french Application hôte = DRL 1.0
sigma proc_access_win_mimikatz_trough_winrm.yml description: Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe. DRL 1.0
sigma proc_access_win_mimikatz_trough_winrm.yml SourceImage: 'C:\Windows\system32\wsmprovhost.exe' DRL 1.0
sigma proc_creation_win_remote_powershell_session_process.yml description: Detects remote PowerShell sections by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PowerShell remote session). DRL 1.0
sigma proc_creation_win_remote_powershell_session_process.yml - Image\|endswith: '\wsmprovhost.exe' DRL 1.0
sigma proc_creation_win_remote_powershell_session_process.yml - ParentImage\|endswith: '\wsmprovhost.exe' DRL 1.0
sigma proc_creation_win_susp_shell_spawn_from_winrm.yml ParentImage: '*\wsmprovhost.exe' DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.