This native tool is not very well known, but it may be useful in some cases.<\/p>\n\n\n\n
The tool seems to be parsing volumes directly, bypassing the Windows APIs — hence, it kinda works like a The program accepts a number of command line arguments:<\/p>\n\n\n\n It turns out that the ‘checksum’ is actually a SHA256 algorithm, so running:<\/p>\n\n\n\n will list all the files in the c:\\test directory, and will calculate the SHA256 of each file.<\/p>\n\n\n\n The other curious command line argument is gives us this list of keywords<\/a> (on Windows 11 25H2). It turns out that this list is based on the content of There is an undocumented command line argument Otherwise, it checks if the OS is a retail version (guessing by the function name that is called here), and if it is, it ‘rolls a dice’ and prints the below message:<\/p>\n\n\n\n There is a command line argument This native tool is not very well known, but it may be useful in some cases. The tool seems to be parsing volumes directly, bypassing the Windows APIs — hence, it kinda works like a dir command, but parses the … Continue reading dir<\/code> command, but parses the $MFT of volumes directly (but still via API).<\/p>\n\n\n\nDiskSnapshot.exe [options]\n -c write detail data to console\n -i write detail data to console (same as -c)\n -s (deprecated) summary data to console\n -u process large volumes (no limit)\n -j [config] specifies an alternate config file\n -v [volume][path] specifies volume(+path) to process, e.g. \"d:\" or \"d:\\foo\"\n -d [input-file] print encoded versions of the strings in the input file, for decoding purposes\n -e prints out escalation keywords\n -k calculate checksums for files, used to investigate duplicated on-disk content (c arg required).\n -o [output-file] write detail data to a file<\/pre>\n\n\n\n
disksnapshot -c -k -v c:\\test<\/pre>\n\n\n\n
-e<\/code>. Running:<\/p>\n\n\n\ndisksnapshot -e > escalation_keywords.txt<\/pre>\n\n\n\n
c:\\WINDOWS\\system32\\DiskSnapshot.conf<\/code> file. <\/p>\n\n\n\n-z<\/code> that kinda tries to collect telemetry, but it doesn’t really work. If the call to a function TelIsTelemetryTypeAllowed(2) <\/em>returns 1 it just exits with a message:<\/p>\n\n\n\nTelemetry run: telemetry is disabled, exiting<\/pre>\n\n\n\n
curtime = _time64(0);\n _o_srand(curtime);\n rand = ::rand();\n if ( rand != 7 * (rand \/ 7) )\n {\n v4 = o___acrt_iob_func_0(2u);\n fwprintf(v4, L\"Telemetry run: failed the dice roll, exiting\\n\");\n return 0;\n }\n<\/pre>\n\n\n\n-j<\/code> that we can use to change the default config file from c:\\WINDOWS\\system32\\DiskSnapshot.conf<\/code> file to our own, but I am not sure how to use it. The disksnapshot -j c:\\test\\test.conf -e<\/code> command prints out the content of the custom config, but when I tried to apply it to the volume, it somehow didn’t work. I guess I just don’t fully understand the logic behind this tool.<\/p>\n","protected":false},"excerpt":{"rendered":"