Process

unknown

fsutil.exe

fsutil.exe is a file system utility for low-level NTFS and volume tasks. Administrators use it for disk and file system maintenance. Attackers use it for anti-forensics, most notably deleting the USN change journal that records file activity, and to wipe or manipulate files.

File identity

File details

Not observed.

Signing information

Not observed.

File version (0)

Not observed.

File size (0)

Not observed.

Execution context

File paths (0)

Not observed.

User context (0)

Not observed.

Integrity level (0)

Not observed.

Instances (0)

Not observed.

Session (0)

Not observed.

Token privileges (0)

Not observed.

Ancestry

Parents (0)

Not observed.

Children (0)

Not observed.

Grandparents (0)

Not observed.

Grandchildren (0)

Not observed.

Behavior

Loaded modules (0)

Not observed.

Named pipes (0)

Not observed.

Process handles (0)

Not observed.

Command-line patterns (0)

Not observed.

LOLBAS (3)
  • fsutil.exe file setZeroData offset=0 length=9999999999 {PATH_ABSOLUTE} (Tamper) · Can be used to forensically erase a file
  • fsutil.exe usn deletejournal /d c: (Tamper) · Can be used to hide file creation activity
  • fsutil.exe trace decode (Execute) · Spawn a pre-planted executable from fsutil.exe.

Indicators

Hashes

Not observed.

Analysis

About this process

fsutil.exe performs file system operations that ordinary tools do not expose: querying and setting volume and NTFS properties, managing hardlinks and reparse points, working with sparse files, and managing the USN change journal that NTFS keeps of file changes. It requires administrative rights and lives at C:\Windows\System32\fsutil.exe.

Legitimate use is infrequent: administrators run fsutil for disk diagnostics and configuration. The sub-command it runs is what gives an instance meaning.

Security notes

fsutil.exe is an anti-forensics tool (T1070.004). fsutil usn deletejournal /d C: deletes the USN change journal, the NTFS record of which files were created, modified, and deleted, removing a timeline investigators rely on. Run next to event-log clearing and shadow-copy deletion, it is part of a deliberate effort to erase the trail.

Its low-level file operations also support data destruction (T1485): verbs that zero or overwrite file data can be used to wipe specific files beyond recovery. Because fsutil is a legitimate maintenance tool, the sub-command, the target, and the parent are what separate disk administration from evidence destruction.

Anomaly signals (5)
  • Image path other than C:\Windows\System32\fsutil.exe [high]
  • usn deletejournal (destroying the NTFS change journal) [high]
  • file setZeroData or similar used to overwrite file contents [high]
  • Parent is cmd.exe, powershell.exe, or an unfamiliar process [high]
  • Run alongside event-log clearing or shadow-copy deletion [medium]
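The five signals above can be turned into triage logic over process-creation events. The following is an added example, not code from this page or from any vendor product: it scores each fsutil.exe event against the signals listed, including the cross-event one (a neighbouring event-log-clearing or shadow-copy-deletion process on the same host inside a time window). The event shape, the ten-minute window, the allowlist of "familiar" parents and the companion-process patterns are all assumptions chosen for the illustration, and the sample events are constructed.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Expected on-disk location of the binary (from the page's analysis section)
EXPECTED_IMAGE = r"c:\windows\system32\fsutil.exe"

# Parents the page names as suspicious, plus an assumed allowlist of
# interactive admin parents that would not raise the "unfamiliar parent" signal.
SHELL_PARENTS = {"cmd.exe", "powershell.exe"}
FAMILIAR_NON_SHELL_PARENTS = {"explorer.exe", "mmc.exe"}  # assumption

# Assumed patterns for the companion activity the fifth signal refers to:
# event-log clearing and shadow-copy deletion seen on the same host.
COMPANION_PATTERNS = [
    re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
]

SEVERITY_RANK = {"none": 0, "medium": 1, "high": 2}


@dataclass
class ProcEvent:
    """Minimal process-creation record (assumed field set, e.g. from an EDR export)."""
    host: str
    time: datetime
    image: str          # full path of the started executable
    cmdline: str
    parent_image: str   # full path of the parent executable


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def score_fsutil_event(ev, neighbours, window=timedelta(minutes=10)):
    """Return a list of (signal, severity) tuples for one fsutil.exe event."""
    signals = []
    if ev.image.lower() != EXPECTED_IMAGE:
        signals.append(("image path other than C:\\Windows\\System32\\fsutil.exe", "high"))
    cmd = ev.cmdline.lower()
    if re.search(r"\busn\s+deletejournal\b", cmd):
        signals.append(("usn deletejournal (destroying the NTFS change journal)", "high"))
    if re.search(r"\bfile\s+setzerodata\b", cmd):
        signals.append(("file setZeroData used to overwrite file contents", "high"))
    parent = _basename(ev.parent_image)
    if parent in SHELL_PARENTS or parent not in FAMILIAR_NON_SHELL_PARENTS:
        signals.append((f"parent is {parent}", "high"))
    # Cross-event signal: companion anti-forensic activity on the same host in the window
    for n in neighbours:
        if n.host == ev.host and abs(n.time - ev.time) <= window \
                and any(p.search(n.cmdline) for p in COMPANION_PATTERNS):
            signals.append(("run alongside event-log clearing or shadow-copy deletion", "medium"))
            break
    return signals


def verdict(signals):
    """Overall severity is the highest severity among the signals raised."""
    best = "none"
    for _, sev in signals:
        if SEVERITY_RANK[sev] > SEVERITY_RANK[best]:
            best = sev
    return best


def triage(events):
    """Score every fsutil.exe event in a batch; other events serve only as neighbours."""
    results = []
    for ev in events:
        if _basename(ev.image) != "fsutil.exe":
            continue
        neighbours = [e for e in events if e is not ev]
        signals = score_fsutil_event(ev, neighbours)
        results.append({"host": ev.host, "cmdline": ev.cmdline,
                        "signals": signals, "verdict": verdict(signals)})
    return results


# Constructed sample batch: one anti-forensic sequence and one routine admin query
T0 = datetime(2024, 1, 1, 10, 0, 0)
SAMPLE_EVENTS = [
    ProcEvent("ws01", T0, r"C:\Windows\System32\fsutil.exe",
              "fsutil usn deletejournal /d C:", r"C:\Windows\System32\cmd.exe"),
    ProcEvent("ws01", T0 + timedelta(minutes=2), r"C:\Windows\System32\wevtutil.exe",
              "wevtutil cl Security", r"C:\Windows\System32\cmd.exe"),
    ProcEvent("srv02", T0, r"C:\Windows\System32\fsutil.exe",
              "fsutil fsinfo drives", r"C:\Windows\System32\mmc.exe"),
]

if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        print(r["host"], r["verdict"], r["cmdline"])
        for sig, sev in r["signals"]:
            print("   ", sev, sig)
```

On the constructed batch the ws01 event raises three signals (the deletejournal verb, the cmd.exe parent and the companion log-clearing process two minutes later) and is rated high, while the srv02 query launched from mmc.exe raises none. The window and parent allowlist are the knobs an analyst would tune to local baselines; the sub-command checks come straight from the signals above.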

Telemetry

OS prevalence (0)

Not observed.

Observation timeline

Not observed.

References
