An Elf walks into the bar…

Windows 11’s advapi32.dll includes interesting export functions:

  • ElfBackupEventLogFileA
  • ElfBackupEventLogFileW
  • ElfChangeNotify
  • ElfClearEventLogFileA
  • ElfClearEventLogFileW
  • ElfCloseEventLog
  • ElfDeregisterEventSource
  • ElfFlushEventLog
  • ElfNumberOfRecords
  • ElfOldestRecord
  • ElfOpenBackupEventLogA
  • ElfOpenBackupEventLogW
  • ElfOpenEventLogA
  • ElfOpenEventLogW
  • ElfReadEventLogA
  • ElfReadEventLogW
  • ElfRegisterEventSourceA
  • ElfRegisterEventSourceW
  • ElfReportEventA
  • ElfReportEventAndSourceW
  • ElfReportEventW

And I know nothing about them… while they are obviously exported by advapi32.dll, for some unknown reason they do not seem to be imported… by anything (no .exe or .dll imports these functions, at least not directly!). Plus, most of these APIs' code references NDR (RPC) functions, so unless you are really well-versed in these, it's hard to reverse them 🙁
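
As an added example (not code from this post and not Microsoft's), the script below reads a PE image with nothing but the Python standard library and prints its Elf* exports, so the list above can be reproduced from advapi32.dll on disk rather than copied from a disassembler. The default path and the `build_fixture` helper are assumptions: the helper constructs a hypothetical, minimal PE32+ image so the parser can be exercised offline; real input is the DLL itself.

```python
"""Added example (not from the post, not Microsoft's code): list the Elf*
exports of a PE image such as advapi32.dll using only the standard library."""
import struct
import sys


def _sections(data, pe_off):
    """Section table as (VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)."""
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    first = pe_off + 24 + opt_size
    secs = []
    for i in range(num_sections):
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, first + 40 * i + 8)
        secs.append((vaddr, vsize, rptr, rsize))
    return secs


def _rva_to_off(rva, secs):
    """Map an RVA to a file offset through the section that contains it."""
    for vaddr, vsize, rptr, rsize in secs:
        if vaddr <= rva < vaddr + max(vsize, rsize):
            return rva - vaddr + rptr
    raise ValueError(f"RVA {rva:#x} is outside every section")


def export_names(data):
    """Exported-by-name symbols of a PE32/PE32+ image, in export-table order."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe_off + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    # DataDirectory[0] (export table) sits at +96 in PE32 and +112 in PE32+.
    exp_rva, _exp_size = struct.unpack_from("<II", data, opt + (96 if magic == 0x10B else 112))
    if exp_rva == 0:
        return []
    secs = _sections(data, pe_off)
    exp = _rva_to_off(exp_rva, secs)
    num_names = struct.unpack_from("<I", data, exp + 24)[0]                  # NumberOfNames
    names = _rva_to_off(struct.unpack_from("<I", data, exp + 32)[0], secs)  # AddressOfNames
    out = []
    for i in range(num_names):
        off = _rva_to_off(struct.unpack_from("<I", data, names + 4 * i)[0], secs)
        out.append(data[off:data.index(b"\0", off)].decode("ascii"))
    return out


def elf_exports(data):
    """Only the Elf* family, sorted, for comparison with the list in the post."""
    return sorted(n for n in export_names(data) if n.startswith("Elf"))


def build_fixture(names):
    """Constructed minimal PE32+ image exporting `names`; test input only.
    One section maps RVA 0x1000 to file offset 0x1000 (a hypothetical layout)."""
    base, n = 0x1000, len(names)
    names_arr, ords_arr = base + 40, base + 40 + 4 * n
    funcs_arr = ords_arr + 2 * n
    strings, name_rvas = b"", []
    for name in names:
        name_rvas.append(funcs_arr + 4 * n + len(strings))
        strings += name.encode("ascii") + b"\0"
    dll_name_rva = funcs_arr + 4 * n + len(strings)
    strings += b"fixture.dll\0"
    payload = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, dll_name_rva, 1, n, n,
                          funcs_arr, names_arr, ords_arr)                # IMAGE_EXPORT_DIRECTORY
    payload += b"".join(struct.pack("<I", r) for r in name_rvas)
    payload += b"".join(struct.pack("<H", i) for i in range(n))
    payload += b"".join(struct.pack("<I", 0x2000 + i) for i in range(n))  # dummy code RVAs
    payload += strings
    payload += b"\0" * (-len(payload) % 0x200)
    hdr = bytearray(base)
    hdr[:2] = b"MZ"
    pe_off, opt_size = 0x80, 240                                          # PE32+ optional header
    struct.pack_into("<I", hdr, 0x3C, pe_off)
    hdr[pe_off:pe_off + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, pe_off + 4, 0x8664, 1, 0, 0, 0, opt_size, 0x2022)
    struct.pack_into("<H", hdr, pe_off + 24, 0x20B)
    struct.pack_into("<II", hdr, pe_off + 24 + 112, base, len(payload))   # DataDirectory[0]
    sec = pe_off + 24 + opt_size
    hdr[sec:sec + 8] = b".rdata\0\0"
    struct.pack_into("<IIII", hdr, sec + 8, len(payload), base, len(payload), base)
    return bytes(hdr) + payload


if __name__ == "__main__":
    # Assumed default location; pass another path on the command line.
    path = sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows\System32\advapi32.dll"
    with open(path, "rb") as f:
        print("\n".join(elf_exports(f.read())))
```

Run it on a Windows 11 box with `python elf_exports.py` and diff the output against the list above. The block parses exports only; reproducing the second observation (that nothing imports these names) means walking DataDirectory[1], the import table, of every .exe and .dll under System32 in the same way, which is left out here.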


A quick Google search suggests that these are not Linux-related (a reference to ‘ELF’), but are actually Event Log File (also ‘ELF’)-related. In a trivial pursuit of the truth, we look at the code of the Elf* functions and their invocations, and we can almost immediately see that, for example, RegisterEventSourceW calls ElfRegisterEventSourceW internally. So… it looks like, either intentionally or accidentally, the MS coders exposed a lower-level interface to the Event Log.

As such, functions:

  • ElfClearEventLogFileA
  • ElfClearEventLogFileW

may perhaps be of interest?