Beyond good ol’ Run key, Part 50

November 8, 2016 in Anti-Forensics, Autostart (Persistence), Compromise Detection, Forensic Analysis, Incident Response

Windows 10 has more phantom DLL files…

(Re)starting the Print Spooler or Fax services leads to C:\Windows\System32\ualapi.dll being loaded.


ualapi1Except it is not always present – as far as I can tell it is only present on Windows server 2012 (can someone confirm it?) as it is responsible for providing User Access Logging (UAL) functionality.

So, placing a malicious C:\Windows\System32\ualapi.dll on Windows 10 will lead to its execution anytime system starts (nowadays Print Spooler is started most of the time).

Of course, writing to c:\windows\system32 requires admin rights.

Comments are closed.