Windows 10 has more phantom DLL files…
(Re)starting the Print Spooler or Fax services leads to C:\Windows\System32\ualapi.dll being loaded.
Except it is not always present – as far as I can tell it is only present on Windows Server 2012 (can someone confirm it?) as it is responsible for providing User Access Logging (UAL) functionality.
So, placing a malicious C:\Windows\System32\ualapi.dll on Windows 10 will lead to its execution any time the system starts (nowadays Print Spooler is started most of the time).
Of course, writing to C:\Windows\System32 requires admin rights.
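
For defenders, the same observation turns into a quick host check. The following PowerShell is an added example, not code from the original post: the function name `Test-PhantomUalapi` and the verdict labels are hypothetical, and it assumes that anything at that path other than a validly signed OS binary deserves a closer look.

```powershell
# Added triage example; not code from the original post.
function Test-PhantomUalapi {
    [CmdletBinding()]
    param(
        # Defaults to the location named in the post.
        [string]$Path = (Join-Path $env:SystemRoot 'System32\ualapi.dll')
    )

    # ProductType: 1 = workstation, 2 = domain controller, 3 = server.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $report = [ordered]@{
        Path            = $Path
        OS              = $os.Caption
        IsClientOS      = ($os.ProductType -eq 1)
        Exists          = $false
        SignatureStatus = $null
        Signer          = $null
        IsOSBinary      = $null
        SHA256          = $null
        CreatedUtc      = $null
        Verdict         = 'NotPresent'
    }

    if (Test-Path -LiteralPath $Path -PathType Leaf) {
        $file = Get-Item -LiteralPath $Path -Force
        $sig  = Get-AuthenticodeSignature -LiteralPath $Path
        $report.Exists          = $true
        $report.SignatureStatus = $sig.Status
        $report.IsOSBinary      = $sig.IsOSBinary
        $report.SHA256          = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        $report.CreatedUtc      = $file.CreationTimeUtc
        if ($sig.SignerCertificate) { $report.Signer = $sig.SignerCertificate.Subject }

        # Assumption: only a validly signed OS binary is treated as expected here.
        if ($sig.Status -eq 'Valid' -and $sig.IsOSBinary) {
            $report.Verdict = 'SignedOSBinary'
        } else {
            $report.Verdict = 'Investigate'
        }
    }

    # Services the post names as loading the DLL (Fax may not be installed).
    $report.LoaderServices = @(Get-Service -Name Spooler, Fax -ErrorAction SilentlyContinue |
        ForEach-Object { '{0}={1}' -f $_.Name, $_.Status }) -join ', '

    [pscustomobject]$report
}

Test-PhantomUalapi | Format-List
```

Run it from a 64-bit PowerShell session; in a 32-bit process on 64-bit Windows, file system redirection maps System32 to SysWOW64 and the check would look at the wrong directory.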