Process

unknown

systeminfo.exe

systeminfo.exe reports detailed configuration about a computer and its operating system: the OS version and build, installed hotfixes, hardware, domain membership, and network adapters. Administrators use it for inventory. Attackers use it to fingerprint a host, including which patches are missing.

File identity

File details

Not observed.

Signing information

Not observed.

File version

Not observed.

File size

Not observed.

Execution context

File paths

Not observed.

User context

Not observed.

Integrity level

Not observed.

Instances

Not observed.

Session

Not observed.

Token privileges

Not observed.

Ancestry

Parents

Not observed.

Children

Not observed.

Grandparents

Not observed.

Grandchildren

Not observed.

Behavior

Loaded modules

Not observed.

Named pipes

Not observed.

Process handles

Not observed.

Command-line patterns

Not observed.

Indicators

Hashes

Not observed.

Analysis

About this process

systeminfo.exe gathers system configuration into a single report: the OS name, version, and build, the install date and last boot time, the hardware and memory, the domain and logon server, network card details, and the list of installed hotfixes by KB number. With /s <host> (plus /u and /p for alternate credentials) it pulls the same report from a remote machine; /fo csv and /nh reshape the output for tooling. The genuine binary lives at C:\Windows\System32\systeminfo.exe; a 32-bit parent is redirected to the copy under C:\Windows\SysWOW64.

Legitimately, systeminfo is run by administrators and asset-inventory tooling to record what a machine is and how it is configured. It only reads configuration.

Security notes

systeminfo gives an attacker a fast profile of a host (T1082, System Information Discovery). The OS build and the hotfix list are the most useful parts: comparing the installed KBs against known vulnerabilities points straight at missing patches that may allow privilege escalation, and exploit-suggester tools automate exactly that comparison from a saved systeminfo report. The domain, logon server, and network adapter details also sketch the environment around the host (T1016, System Network Configuration Discovery).
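Turning the report into something a script can compare is the mechanic behind both the attacker's missing-patch check and a defender's patch-baseline check. The Python below is an added example, not code from the original page: it parses systeminfo's aligned key/value layout (including the indented multi-line Hotfix(s) and Network Card(s) blocks), extracts the build number, domain, logon server and KB list, and reports which KBs from a required baseline are absent. The report text, host name, domain, address and KB numbers are constructed placeholders, and the REQUIRED_KBS dictionary is an assumption standing in for whatever patch policy or vulnerability database a real check would consult.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed, trimmed systeminfo.exe report. Host name, domain, address and
# KB numbers are placeholders, not data from the original page.
SAMPLE_REPORT = r"""
Host Name:                 WS-0042
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.19045 N/A Build 19045
OS Manufacturer:           Microsoft Corporation
Original Install Date:     3/4/2023, 9:12:44 AM
System Boot Time:          5/6/2024, 7:30:01 AM
System Type:               x64-based PC
Total Physical Memory:     16,384 MB
Domain:                    corp.example
Logon Server:              \\DC01
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB5000001
                           [02]: KB5000002
                           [03]: KB5000004
Network Card(s):           1 NIC(s) Installed.
                           [01]: Example Ethernet Adapter
                                 Connection Name: Ethernet
                                 DHCP Enabled:    Yes
                                 IP address(es)
                                 [01]: 10.20.30.40
"""

# Hypothetical baseline: the KBs an organisation expects on each OS build.
REQUIRED_KBS = {19045: ["KB5000001", "KB5000002", "KB5000003"]}

KEY_LINE = re.compile(r"^([A-Za-z][^:]*?):\s*(.*)$")  # "Key:   value" at column 0
KB_ENTRY = re.compile(r"\[\d+\]:\s*(KB\d+)")          # "[01]: KB5000001"
BUILD = re.compile(r"\bBuild (\d+)")


@dataclass
class HostProfile:
    fields: Dict[str, str] = field(default_factory=dict)
    hotfixes: List[str] = field(default_factory=list)
    build: Optional[int] = None


def parse_systeminfo(text: str) -> HostProfile:
    """Parse the aligned key/value layout. Indented lines continue the previous
    key, which is how the hotfix and NIC lists are laid out."""
    prof = HostProfile()
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = KEY_LINE.match(line) if not line[0].isspace() else None
        if m:
            current = m.group(1).strip()
            prof.fields[current] = m.group(2).strip()
        elif current == "Hotfix(s)":
            kb = KB_ENTRY.search(line)
            if kb:
                prof.hotfixes.append(kb.group(1))
        elif current:
            prof.fields[current] += " | " + line.strip()
    m = BUILD.search(prof.fields.get("OS Version", ""))
    if m:
        prof.build = int(m.group(1))
    return prof


def missing_patches(prof: HostProfile, required: Dict[int, List[str]]) -> List[str]:
    """KBs the baseline requires for this build that the host has not installed."""
    installed = set(prof.hotfixes)
    return [kb for kb in required.get(prof.build, []) if kb not in installed]


def fingerprint(text: str, required=REQUIRED_KBS) -> dict:
    """The summary both an attacker and a defender want from one report."""
    prof = parse_systeminfo(text)
    return {
        "host": prof.fields.get("Host Name"),
        "os": prof.fields.get("OS Name"),
        "build": prof.build,
        "domain": prof.fields.get("Domain"),
        "logon_server": prof.fields.get("Logon Server"),
        "hotfixes": prof.hotfixes,
        "missing": missing_patches(prof, required),
    }


if __name__ == "__main__":
    for key, value in fingerprint(SAMPLE_REPORT).items():
        print(f"{key:13}{value}")
```

On the sample above the host reports build 19045 with three KBs installed, and KB5000003 from the baseline is absent. Because the parser keys off column-0 labels rather than fixed widths, it tolerates the localized label spacing that varies between Windows language packs, but the labels themselves are English here.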

One run during legitimate inventory is normal. systeminfo run by an unexpected parent, or as part of an opening recon sequence with whoami and net, is what separates attacker fingerprinting from administration. A macro or web shell usually reaches it through cmd.exe or powershell.exe, so the telling ancestor is often one hop up: check the grandparent as well as the parent.

Anomaly signals
  • Image path other than C:\Windows\System32\systeminfo.exe (high)
  • Parent is an Office application, a script host, or a service process (high)
  • Run shortly after access, especially with output captured to a file (med)
  • A remote target, /s <host> (med)
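The four signals above can be scored directly over process-creation telemetry. The Python below is an added example, not the page's own detection logic: it takes Sysmon Event ID 1 style fields (Image, CommandLine, ParentImage, ParentCommandLine, LogonId), an optional GrandparentImage (which in real telemetry you join on ParentProcessGuid), and a LogonId-to-logon-time table built from 4624 events, and returns a verdict per event. The ancestor lists, the logon table and the five sample events are constructed for the example. Two details matter in practice: cmd.exe owns output redirection, so `systeminfo > file` shows up in the parent's command line rather than systeminfo's; and the SysWOW64 copy of systeminfo.exe is where 32-bit parents are redirected, so the example treats that path as genuine too.

```python
import re
from datetime import datetime, timedelta

# Genuine image paths; the SysWOW64 copy is where 32-bit parents are redirected.
EXPECTED_IMAGES = {
    r"c:\windows\system32\systeminfo.exe",
    r"c:\windows\syswow64\systeminfo.exe",
}
# Constructed ancestor lists for this example; tune them to the environment.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SERVICE_PROCS = {"w3wp.exe", "httpd.exe", "tomcat9.exe"}
SUSPICIOUS_ANCESTORS = OFFICE_APPS | SCRIPT_HOSTS | SERVICE_PROCS
RECENT_LOGON = timedelta(minutes=10)

# /s <host> anywhere on the command line (systeminfo switches are case-insensitive)
REMOTE_TARGET = re.compile(r"(?:^|\s)/s\s+[^\s/]+", re.IGNORECASE)
# Redirection or a pipe; cmd.exe owns these, so the parent command line is checked too
OUTPUT_CAPTURE = re.compile(r">\s*\S+|\|\s*(?:findstr|clip|tee|out-file)\b", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev, logons):
    """Score one process-creation event. ev carries Sysmon EID 1 style keys
    (UtcTime, Image, CommandLine, ParentImage, ParentCommandLine, LogonId) and
    optionally GrandparentImage; logons maps LogonId -> logon time.
    Returns (verdict, [(severity, reason), ...])."""
    signals = []
    if ev["Image"].lower() not in EXPECTED_IMAGES:
        signals.append(("high", "image outside System32: " + ev["Image"]))
    for ancestor in (ev["ParentImage"], ev.get("GrandparentImage", "")):
        name = basename(ancestor)
        if name in SUSPICIOUS_ANCESTORS:
            signals.append(("high", "suspicious ancestor " + name))
            break
    logon = logons.get(ev["LogonId"])
    if logon is not None and timedelta(0) <= ev["UtcTime"] - logon <= RECENT_LOGON:
        signals.append(("med", "run within %s of logon" % RECENT_LOGON))
    if OUTPUT_CAPTURE.search(ev["CommandLine"] + " " + ev["ParentCommandLine"]):
        signals.append(("med", "output captured to a file or pipe"))
    if REMOTE_TARGET.search(ev["CommandLine"]):
        signals.append(("med", "remote target via /s"))
    severities = {s for s, _ in signals}
    verdict = "high" if "high" in severities else ("med" if "med" in severities else "none")
    return verdict, signals


# Constructed sample telemetry: logon table (from 4624 events) and five events.
T0 = datetime(2024, 5, 6, 9, 0, 0)
LOGONS = {"0x3e7": T0 - timedelta(hours=5), "0x9c41": T0 - timedelta(hours=3),
          "0x5a1c2": T0 - timedelta(minutes=3), "0x7b9": T0 - timedelta(hours=2)}
SYSINFO = r"C:\Windows\System32\systeminfo.exe"
CMD = r"C:\Windows\System32\cmd.exe"
EVENTS = [
    # 1: scheduled inventory agent, nothing unusual
    {"UtcTime": T0, "Image": SYSINFO, "CommandLine": "systeminfo /fo csv /nh",
     "ParentImage": r"C:\Program Files\Inventory\agent.exe",
     "ParentCommandLine": r'"C:\Program Files\Inventory\agent.exe" /collect',
     "LogonId": "0x3e7"},
    # 2: web shell chain w3wp -> cmd -> systeminfo, output dropped under the web root
    {"UtcTime": T0, "Image": SYSINFO, "CommandLine": "systeminfo",
     "ParentImage": CMD,
     "ParentCommandLine": r"cmd.exe /c systeminfo > C:\inetpub\wwwroot\s.txt",
     "GrandparentImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "LogonId": "0x9c41"},
    # 3: Office document spawning systeminfo minutes after the user logged on
    {"UtcTime": T0, "Image": SYSINFO, "CommandLine": "systeminfo",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentCommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "invoice.docm"',
     "LogonId": "0x5a1c2"},
    # 4: a copy of the binary run from a user-writable path
    {"UtcTime": T0, "Image": r"C:\Users\Public\systeminfo.exe",
     "CommandLine": r"C:\Users\Public\systeminfo.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentCommandLine": "powershell.exe -nop -w hidden", "LogonId": "0x7b9"},
    # 5: administrator pulling a remote report; worth a look, not an alert by itself
    {"UtcTime": T0, "Image": SYSINFO,
     "CommandLine": r"systeminfo /S FS01 /U corp\svc-inv /P ****",
     "ParentImage": CMD, "ParentCommandLine": '"' + CMD + '"', "LogonId": "0x7b9"},
]


def triage(events=EVENTS, logons=LOGONS):
    """Verdict per event, in input order."""
    return [score_event(ev, logons)[0] for ev in events]


if __name__ == "__main__":
    for ev, verdict in zip(EVENTS, triage()):
        print(verdict, basename(ev["ParentImage"]), "->", ev["Image"])
```

The inventory run scores none, the remote pull scores med, and the web-shell, macro and copied-binary cases score high. Event 2 is the one to study: its direct parent is cmd.exe, which no parent list will flag, and the redirection lives in cmd's command line; the web-shell signal only appears once the grandparent is joined in.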

Telemetry

OS prevalence

Not observed.

Observation timeline

Not observed.

References
