Process

unknown

msdt.exe

msdt.exe is the Microsoft Support Diagnostic Tool, which runs the troubleshooting wizards Windows uses to diagnose problems. It is mostly invisible to users. It became infamous as the engine behind the "Follina" vulnerability, where a document could make msdt run attacker commands.

File identity

File details

Not observed.

Signing information

Not observed.

File version

Not observed.

File size

Not observed.

Execution context

File paths

Not observed.

User context

Not observed.

Integrity level

Not observed.

Instances

Not observed.

Session

Not observed.

Token privileges

Not observed.

Ancestry

Parents

Not observed.

Children

Not observed.

Grandparents

Not observed.

Grandchildren

Not observed.

Behavior

Loaded modules

Not observed.

Named pipes

Not observed.

Process handles

Not observed.

Command-line patterns

Not observed.

LOLBAS (3)
  • msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af {PATH_ABSOLUTE:.xml} /skip TRUE (Execute: Execute code)
  • msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af {PATH_ABSOLUTE:.xml} /skip TRUE (AWL Bypass: Execute code, bypass application whitelisting)
  • msdt.exe /id PCWDiagnostic /skip force /param "IT_LaunchMethod=ContextMenu IT_BrowseForFile=/../../$(calc).exe" (AWL Bypass: Execute code, bypass application allowlisting)

Indicators

Hashes

Not observed.

Analysis

About this process

msdt.exe runs diagnostic troubleshooting packs, guided wizards that collect information and apply fixes for a category of problem. It is normally launched by Windows or the Get Help app, not by users directly. The genuine binary lives at C:\Windows\System32\msdt.exe. It accepts a troubleshooting pack and parameters, and historically could be reached through the ms-msdt: URL protocol, the path that made it exploitable from documents.

Legitimately, msdt appears when someone runs a Windows troubleshooter. Its parent and how it was invoked, interactively versus from a document or URL handler, are what give an instance meaning.

Security notes

msdt.exe is best known for "Follina" (CVE-2022-30190), an exploitation path in which a Word document referenced the ms-msdt: protocol and passed parameters that caused msdt to execute attacker-supplied PowerShell with no macro and no user prompt (T1203). The pattern to recognize is an Office application as msdt's parent, or msdt spawning a shell.

More generally, msdt is a system-binary proxy (T1218): its diagnostic parameters can be abused to run external commands through a signed Microsoft process, a form of indirect command execution (T1202). Because msdt legitimately runs only when someone uses a troubleshooter, an msdt launched by a document, through a URL handler, or spawning a command shell is the case to pull apart.

Anomaly signals (5)
  • Parent is an Office application or another document viewer (high)
  • Invoked through the ms-msdt: URL protocol (high)
  • Command line containing IT_BrowseForFile, a path, or script-like content (high)
  • msdt spawning cmd.exe, powershell.exe, or other LOLBINs (high)
  • Outbound network connections from msdt (med)
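The anomaly signals above, turned into a small triage routine over process-creation telemetry. This is an added example, not part of the original page: the record shape (ProcessGuid, ParentProcessGuid, Image, ParentImage, CommandLine) is a constructed Sysmon-like assumption, the weights are assumptions, and the sample events are constructed with a placeholder in place of any real payload.

```python
# Added example: score msdt.exe process events against the page's anomaly signals.
# Field names (Sysmon-like) and weights are assumptions; adapt to your telemetry.
import re
from collections import defaultdict

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# IT_BrowseForFile, $( ) substitution or ../ traversal in the parameters.
SUSPICIOUS_ARGS = re.compile(r"IT_BrowseForFile|\$\(|\.\./", re.IGNORECASE)

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def score_msdt(event, children=()):
    """Return (score, matched signals) for one msdt.exe event; each high signal scores 3."""
    if basename(event.get("Image", "")) != "msdt.exe":
        return 0, []
    cmd = event.get("CommandLine", "")
    hits = []
    if basename(event.get("ParentImage", "")) in OFFICE_PARENTS:
        hits.append("office_parent")
    if "ms-msdt:" in cmd.lower():
        hits.append("ms_msdt_url")
    if SUSPICIOUS_ARGS.search(cmd):
        hits.append("suspicious_parameters")
    if {basename(c.get("Image", "")) for c in children} & SHELLS:
        hits.append("spawns_shell")
    return 3 * len(hits), hits

def triage(events, threshold=3):
    """Link children to parents by GUID; return (guid, score, signals) at or above threshold."""
    by_parent = defaultdict(list)
    for e in events:
        by_parent[e["ParentProcessGuid"]].append(e)
    scored = ((e["ProcessGuid"], *score_msdt(e, by_parent[e["ProcessGuid"]])) for e in events)
    return [r for r in scored if r[1] >= threshold]

# Constructed sample telemetry: an interactive troubleshooter run, then a document-launched
# msdt that spawns PowerShell. The $(...) value is a placeholder, not a real command.
MSDT = r"C:\Windows\System32\msdt.exe"
SAMPLE_EVENTS = [
    {"ProcessGuid": "p1", "ParentProcessGuid": "p0", "Image": MSDT, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml"},
    {"ProcessGuid": "p3", "ParentProcessGuid": "p2", "Image": MSDT,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": 'msdt.exe ms-msdt:/id PCWDiagnostic /skip force /param "IT_BrowseForFile=$(PLACEHOLDER)"'},
    {"ProcessGuid": "p4", "ParentProcessGuid": "p3", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": MSDT, "CommandLine": "powershell.exe"},
]
```

Running triage(SAMPLE_EVENTS) flags only the Word-launched instance, with all four high signals matched; the interactive run scores zero.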

Telemetry

OS prevalence

Not observed.

Observation timeline

Not observed.
