esentutl
Extensible Storage Engine utility. Can copy locked or in-use files (e.g., NTDS.dit, SAM) and is used for credential access and file staging.
Binary Paths
C:\Windows\System32\esentutl.exe
Glob Patterns
| Pattern | Notes |
|---|---|
| `for /f %i in ('where esen*.exe') do %i /y source.edb destination.edb` | Star matches 'tutl' after 'esen' |
| `for /f %i in ('where esentut?.exe') do %i /y source.edb dest.edb` | Single char wildcard replaces 'l' |
| `for /f %i in ('where e*tl.exe') do %i /y source.edb dest.edb` | Star matches 'sen' + 'tu' between 'e' and 'tl' |
| `for /f %i in ('dir /b C:\Windows\System32\esen*.exe') do %i /y src dest` | dir /b glob finds esentutl.exe in System32 |
| `forfiles /p C:\Windows\System32 /m esen*.exe /c "@file /y source dest"` | forfiles * mask finds esentutl.exe — @file expands to matched filename |
| `for %i in (C:\Windows\System32\esen*.exe) do @%i /y source.edb dest.edb` | Native CMD for loop with filesystem glob — expands esen*.exe directly in System32 without where.exe |
| `for /f %i in ('where /r C:\Windows\System32 esen*.exe') do %i /y source.edb dest.edb` | Recursive where search scoped to System32 — finds esentutl.exe without full path knowledge |
| `C:\Windows\System32\ESENTU~1.EXE /y source.edb dest.edb` | 8.3 SFN — ESENTU~1 auto-generated for esentutl.exe; requires NtfsDisable8dot3NameCreation=0 |
Platform Notes
esentutl.exe can copy files that are locked by the OS, either through a Volume Shadow Copy (VSS) or through direct ESE access. This makes it useful for extracting credential stores such as NTDS.dit or the SAM hive. The /y switch copies a file; /vss reads the source through a Volume Shadow Copy. In batch scripts, write %%i instead of %i for the loop variable.
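The glob, `where`, `forfiles` and 8.3 short-name forms in the table all defeat a detection that matches only on the literal string `esentutl.exe` in a command line. The following Python script is an added example written for this page, not code from the original page or any tool it describes: it resolves every `.exe` token in a process-creation command line the way CMD would (wildcards against a directory listing, short names against an 8.3 mapping) and then raises severity when the resolved binary is esentutl.exe, the /y or /vss copy switches are present, and the path names a credential store. The directory listing, the 8.3 mapping and the sample command lines are constructed here; a real detector would take the listing and short-name map from the host or an asset inventory, since 8.3 names vary between machines.

```python
import fnmatch
import re

# Constructed stand-in for a System32 directory listing (assumption); a real
# detector would query the host or an asset inventory instead.
SYSTEM32_LISTING = ["cmd.exe", "esentutl.exe", "eventvwr.exe", "expand.exe", "explorer.exe"]

# Constructed 8.3 short-name mapping (assumption); on a live host the mapping
# comes from the filesystem (e.g. `dir /x`) and differs per machine.
SHORT_NAMES = {"esentu~1.exe": "esentutl.exe"}

# /y copies a file, /vss reads it through a Volume Shadow Copy.
COPY_FLAG_RE = re.compile(r"(?:^|\s)/(?:y|vss)\b", re.I)
# Credential stores: ntds.dit anywhere, or a path ending in \SAM, \SYSTEM or \SECURITY.
# The \b keeps \System32 from matching as \SYSTEM.
SENSITIVE_RE = re.compile(r"ntds\.dit|\\(?:sam|system|security)\b", re.I)


def candidate_names(cmdline):
    """Return every token that ends in .exe, including globs and 8.3 names.
    Quotes and parentheses are split on so 'where esen*.exe' yields esen*.exe."""
    tokens = re.findall(r"[^\s'\"()]+", cmdline)
    return [t for t in tokens if t.lower().endswith(".exe")]


def resolve_binary(token):
    """Map a token to the System32 file(s) it selects and how it was written."""
    name = token.rsplit("\\", 1)[-1].lower()
    if name in SHORT_NAMES:
        return [SHORT_NAMES[name]], "short_name"
    if "*" in name or "?" in name:
        # where/dir/forfiles expand the wildcard against the directory contents.
        return [f for f in SYSTEM32_LISTING if fnmatch.fnmatchcase(f, name)], "glob"
    return [name], "literal"


def classify(cmdline):
    """Return a finding dict if the command line reaches esentutl.exe, else None."""
    forms = {}
    for tok in candidate_names(cmdline):
        resolved, how = resolve_binary(tok)
        if "esentutl.exe" in resolved:
            forms[tok] = how
    if not forms:
        return None
    copies = bool(COPY_FLAG_RE.search(cmdline))
    target = SENSITIVE_RE.search(cmdline)
    obfuscated = any(how != "literal" for how in forms.values())
    if copies and target:
        severity = "critical" if obfuscated else "high"
    elif copies and obfuscated:
        severity = "high"      # indirect invocation of a copy is itself suspicious
    elif copies:
        severity = "low"       # plain /y copy of a non-credential file
    else:
        severity = "info"      # esentutl run without copy mode
    return {"severity": severity, "forms": forms, "copy_mode": copies,
            "sensitive_target": target.group(0) if target else None}


# Constructed process-creation command lines (not real telemetry).
SAMPLE_CMDLINES = [
    r"esentutl.exe /?",
    r"C:\Windows\System32\esentutl.exe /y C:\data\app.edb C:\backup\app.edb",
    r"for /f %i in ('where esen*.exe') do %i /y C:\Windows\NTDS\ntds.dit C:\temp\n.dit",
    r"C:\Windows\System32\ESENTU~1.EXE /y C:\Windows\System32\config\SAM C:\temp\sam",
    r"C:\Windows\System32\eventvwr.exe /s",
    r"for /f %i in ('where e*tl.exe') do %i /y source.edb dest.edb",
]


def scan(cmdlines):
    """Return (cmdline, finding) pairs for every line that reaches esentutl.exe."""
    findings = []
    for c in cmdlines:
        finding = classify(c)
        if finding:
            findings.append((c, finding))
    return findings


if __name__ == "__main__":
    for cmdline, finding in scan(SAMPLE_CMDLINES):
        print(f"[{finding['severity']:8}] {cmdline}")
        print(f"           via {finding['forms']}, target={finding['sensitive_target']}")
```

Of the six constructed lines, five resolve to esentutl.exe; the eventvwr.exe line is dropped because the literal name does not resolve to it. The short-name and glob lines that name ntds.dit or SAM come out as critical, the `e*tl.exe` copy of a plain .edb as high (indirect invocation), the literal copy of an application database as low, and `/?` as info. Because resolution depends on what actually sits in System32 and on each host's 8.3 names, feed the detector the real listing and short-name map rather than the constructed ones, and treat any wildcard that resolves to esentutl.exe as a signal in its own right.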