5040 – Windows Diagnostics Hub Standard Collector

Service:

Diagsvc,
Standard Collector Service

Protocol:

TCP

Port:

5040

Used for:

Debugging and diagnostics data collection

Why It’s Open

Part of the Windows Diagnostics Hub, used by developers and system administrators to collect logs and diagnostic info remotely.

Common Risks

  • Information Leakage: Can expose detailed system logs and telemetry.
  • Privilege Escalation: Debug services can sometimes be misused for local privilege escalation.
  • Poor Access Controls: Not always well protected in default setups.

Enumeration & Testing

Check if it’s open

Terminal window
nmap -p 5040 <target-host>   # <target-host> is a placeholder for the host being checked

Check the service state (diagsvc is the Standard Collector service listed above; DiagTrack is the related Connected User Experiences and Telemetry service):

Terminal window
sc queryex diagsvc
sc queryex | findstr DiagTrack

Identify the processes hosting diagnostics-related services:

Terminal window
tasklist /svc | findstr /i diag

Known Exploits

  1. CVE-2018-0824: A remote code execution vulnerability exists in the Windows Diagnostics Hub Standard Collector Service.

🔗 NVD Entry

🔗 Microsoft Advisory

  2. CVE-2018-0952: An elevation of privilege vulnerability exists when the Windows Diagnostics Hub Standard Collector Service improperly handles objects in memory.

🔗 NVD Entry

🔗 Microsoft Advisory

Tools & Tactics

Inspect DiagTrack logs via:

Terminal window
Get-WinEvent -LogName "Microsoft-Windows-DiagTrack-Listener/Operational"

  • Use ProcMon or WinDbg to see what the service accesses
  • Query Windows Collector interfaces (if known COM GUIDs are accessible)

What to Look For

Checkpoint          | What it means
--------------------|----------------------------------
Service listening   | Not usually needed on endpoints
Exposed externally  | High info disclosure risk

Mitigation

Disable the service unless explicitly required (diagsvc is the Standard Collector service listed above; DiagTrack is the related telemetry service):

Terminal window
sc stop diagsvc
sc config diagsvc start= disabled
sc stop DiagTrack
sc config DiagTrack start= disabled

Restrict port 5040 to localhost, or to internal debugging tools only, with a host firewall rule.
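The following PowerShell script is an added example and not part of the original page: it ties together the enumeration checks, the "What to Look For" checkpoints and the mitigation above in one defender-side audit. It assumes PowerShell 5.1 or later on Windows 8 / Server 2012 or later (where Get-NetTCPConnection and Get-CimInstance exist), the service names diagsvc and DiagTrack used on this page, and a hypothetical -Remediate switch of my own that applies the page's stop-and-disable mitigation only when you ask for it.

```powershell
# Added audit script (not part of the original page). Assumes PowerShell 5.1+ on
# Windows 8 / Server 2012 or later. Service names checked: diagsvc (Diagnostics
# Hub Standard Collector, as listed on this page) and DiagTrack (Connected User
# Experiences and Telemetry, used by the page's sc/findstr commands).
# The -Remediate switch is this example's own addition.
param(
    [int]$Port = 5040,
    [switch]$Remediate   # when set, stop and disable any of the services found running
)

$services = 'diagsvc', 'DiagTrack'

# 1. Checkpoint "Service listening" / "Exposed externally":
#    is anything bound to the port, and on which local addresses?
$listeners = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
if (-not $listeners) {
    Write-Output ("Port {0}: no listener (checkpoint 'Service listening' not met)" -f $Port)
} else {
    foreach ($l in $listeners) {
        # Map the owning PID to a process and, via Win32_Service, to the hosted service name(s)
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        $svc  = Get-CimInstance Win32_Service -Filter "ProcessId = $($l.OwningProcess)" |
                Select-Object -ExpandProperty Name
        # 0.0.0.0 / :: or any non-loopback address means the listener is reachable off-host
        $exposed = $l.LocalAddress -notin @('127.0.0.1', '::1')
        $verdict = if ($exposed) { 'EXPOSED BEYOND LOOPBACK (high info-disclosure risk)' } else { 'loopback only' }
        Write-Output ("Port {0}: bound to {1}, pid={2} ({3}), services=[{4}] -> {5}" -f `
            $Port, $l.LocalAddress, $l.OwningProcess, $proc.ProcessName, ($svc -join ','), $verdict)
    }
}

# 2. State and start type of the diagnostics services named on the page
foreach ($name in $services) {
    $s = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $s) { Write-Output ("{0}: not installed" -f $name); continue }
    Write-Output ("{0}: status={1} startType={2}" -f $name, $s.Status, $s.StartType)
    if ($Remediate -and $s.Status -eq 'Running') {
        # PowerShell equivalent of the page's 'sc stop' / 'sc config ... start= disabled'
        Stop-Service -Name $name -Force
        Set-Service -Name $name -StartupType Disabled
        Write-Output ("{0}: stopped and set to Disabled" -f $name)
    }
}

# 3. Recent events from the log the page's Get-WinEvent line points at
$events = Get-WinEvent -LogName 'Microsoft-Windows-DiagTrack-Listener/Operational' `
          -MaxEvents 5 -ErrorAction SilentlyContinue
Write-Output ("DiagTrack-Listener/Operational: {0} recent event(s) shown" -f @($events).Count)
$events | Select-Object TimeCreated, Id, Message | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt; without -Remediate it only reports, which is the form to use when baselining a fleet. A listener bound to 0.0.0.0 or :: is the "Exposed externally" finding from the table above and is the case where the firewall restriction to localhost matters most.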

Real-World Example

Some forensic tools and red teamers leverage diagnostics endpoints to pull telemetry, including command history and crash data, during post-exploitation.

TL;DR

  • Service: Plug and Play / DRM / Remote Performance Logging
  • Default Port: 5040/TCP
  • Risks: Local privilege escalation, limited remote DoS potential
  • Mitigation: Limit local privileges, apply updates, restrict unnecessary services