A few more protocol handlers :), Part 2

Posted on by

In 2018 I published this post.

In 2022 I published this post and this post.

@Radkeyboard7984 and I continue chatting about the new Windows 11 protocols and I just did a quick comparison between the protocols I posted before, and the ones present in Windows 11 25H2. Turns out, there are some new kids on the block:

  • com.clipchamp.app
  • Explorer.CameraRoll.Import
  • lpa
  • microsoftsolitairecollection
  • ms-clicktodo
  • ms-clipchamp
  • ms-controlcenter
  • ms-crossdevice-settings
  • ms-cxh-wam (kudos to @Radkeyboard7984 for spotting it)
  • ms-devhome
  • ms-fulltrustsearch
  • ms-launchremotedesktop
  • ms-lwh
  • ms-media-player
  • ms-notepad
  • ms-oobe
  • ms-outlook
  • ms-personacard
  • ms-playto-audio
  • ms-print-queue
  • ms-recall
  • ms-shellhost
  • ms-snaplaunch
  • ms-startfeeds
  • ms-stickereditor
  • ms-widgetboard
  • ms-widgets
  • ms-windowsbackup
  • ms-woah
  • ms-woah-full
  • msteams
  • msteamscanary
  • WdMam
  • webcal
  • webcals
  • wifi

WerReportCreate API

Posted on by

The API I want to talk about today is called WerReportCreate. It takes a few arguments, but the most interesting is the first one, which is the Event Name.

Looking at Windows OS binaries, we can see this API being utilized by a number of native executables and libraries, and each invocation uses unique string for the event name:

  • FaultTolerantHeap – AcLayers.dll
  • AppxDeploymentFailureBlue – AppXDeploymentServer.dll
  • CertPinning – cryptui.dll
  • D3DDRED2 – D3D12Core.dll
  • DMRCDeviceMetadataPackageFailure – DeviceMetadataRetrievalClient.dll
  • DispBrokerTimeoutEvent – DispBroker.dll
  • WWAJSE – EdgeContent.dll
  • WindowsBlackScreenDiagnosticsV1 – explorer.exe
  • ShellBrowserCancel – ExplorerFrame.dll
  • ShellViewReentered – ExplorerFrame.dll
  • FaultTolerantHeap – fthsvc.dll
  • GDIObjectLeak – gdi32full.dll
  • CompatEntityAnalysis_1 – invagent.dll
  • ScriptedDiagFailure – msdt.exe
  • WindowsNonFatalSuspectedDeadlock – netprofmsvc.dll
  • CommsNonFatalSuspectedDeadlock – PhoneProviders.dll
  • CommsNonFatalSuspectedDeadlock – PhoneService.dll
  • HamLkd – PsmServiceExtHost.dll
  • RADAR_PRE_LEAK_32 – radarrs.dll
  • RADAR_LEAK_64 – rdrleakdiag.exe
  • MemDiagV1 – RelPost.exe
  • StartupRepairOnline – RelPost.exe
  • WindowsBackupFailure – sdclt.exe
  • WindowsBackupFailure – sdengin2.dll
  • ServiceHang – services.exe
  • SystemRestore – srcore.dll
  • ShellThumbnailExtractionTimeout – thumbcache.dll
  • ShellThumbnailExtractionTimeout – ThumbnailExtractionHost.exe
  • UpdateAgentDiag – UpdateAgent.dll
  • Windows Server Backup Error – wbengine.exe
  • AppHangB1 – WerFault.exe
  • BlueScreen – WerFault.exe
  • LiveKernelEvent – WerFault.exe
  • Temp – werui.dll
  • WUDFUnhandledException – WUDFPlatform.dll