WerReportCreate API

The API I want to talk about today is called WerReportCreate. It takes a few arguments, but the most interesting is the first one, which is the Event Name.

Looking at Windows OS binaries, we can see this API being utilized by a number of native executables and libraries, and each invocation uses a unique string as the event name:

  • FaultTolerantHeap – AcLayers.dll
  • AppxDeploymentFailureBlue – AppXDeploymentServer.dll
  • CertPinning – cryptui.dll
  • D3DDRED2 – D3D12Core.dll
  • DMRCDeviceMetadataPackageFailure – DeviceMetadataRetrievalClient.dll
  • DispBrokerTimeoutEvent – DispBroker.dll
  • WWAJSE – EdgeContent.dll
  • WindowsBlackScreenDiagnosticsV1 – explorer.exe
  • ShellBrowserCancel – ExplorerFrame.dll
  • ShellViewReentered – ExplorerFrame.dll
  • FaultTolerantHeap – fthsvc.dll
  • GDIObjectLeak – gdi32full.dll
  • CompatEntityAnalysis_1 – invagent.dll
  • ScriptedDiagFailure – msdt.exe
  • WindowsNonFatalSuspectedDeadlock – netprofmsvc.dll
  • CommsNonFatalSuspectedDeadlock – PhoneProviders.dll
  • CommsNonFatalSuspectedDeadlock – PhoneService.dll
  • HamLkd – PsmServiceExtHost.dll
  • RADAR_PRE_LEAK_32 – radarrs.dll
  • RADAR_LEAK_64 – rdrleakdiag.exe
  • MemDiagV1 – RelPost.exe
  • StartupRepairOnline – RelPost.exe
  • WindowsBackupFailure – sdclt.exe
  • WindowsBackupFailure – sdengin2.dll
  • ServiceHang – services.exe
  • SystemRestore – srcore.dll
  • ShellThumbnailExtractionTimeout – thumbcache.dll
  • ShellThumbnailExtractionTimeout – ThumbnailExtractionHost.exe
  • UpdateAgentDiag – UpdateAgent.dll
  • Windows Server Backup Error – wbengine.exe
  • AppHangB1 – WerFault.exe
  • BlueScreen – WerFault.exe
  • LiveKernelEvent – WerFault.exe
  • Temp – werui.dll
  • WUDFUnhandledException – WUDFPlatform.dll
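Because each native caller passes its own event name, the EventType recorded in a WER report is a useful triage key: a report whose event name is neither a standard WerFault.exe type nor one of the native names above deserves a second look. The script below is an added example (not code from the original post): it parses Report.wer files (the key=value format WER writes, with Sig[n].Name/Value and DynamicSig[n].Name/Value pairs folded into dictionaries), builds a baseline from the list above, and flags reports with unfamiliar event names. The sample reports, the paths in them and the ExampleCustomEvent name are constructed for the example; the standard-event baseline is deliberately minimal and is an assumption to extend from your own environment.

```python
"""Triage helper for WER reports: flag Report.wer files whose EventType is not a
known native event name (added example; sample data below is constructed)."""
import re
from pathlib import Path

# Event names listed in the post as passed to WerReportCreate by native Windows binaries.
NATIVE_EVENT_NAMES = {
    "FaultTolerantHeap", "AppxDeploymentFailureBlue", "CertPinning", "D3DDRED2",
    "DMRCDeviceMetadataPackageFailure", "DispBrokerTimeoutEvent", "WWAJSE",
    "WindowsBlackScreenDiagnosticsV1", "ShellBrowserCancel", "ShellViewReentered",
    "GDIObjectLeak", "CompatEntityAnalysis_1", "ScriptedDiagFailure",
    "WindowsNonFatalSuspectedDeadlock", "CommsNonFatalSuspectedDeadlock", "HamLkd",
    "RADAR_PRE_LEAK_32", "RADAR_LEAK_64", "MemDiagV1", "StartupRepairOnline",
    "WindowsBackupFailure", "ServiceHang", "SystemRestore",
    "ShellThumbnailExtractionTimeout", "UpdateAgentDiag", "Windows Server Backup Error",
    "AppHangB1", "BlueScreen", "LiveKernelEvent", "Temp", "WUDFUnhandledException",
}

# Standard crash-report type produced by WerFault.exe. Assumption: a minimal starting
# baseline; extend it with the event types you actually see on your hosts.
STANDARD_EVENT_TYPES = {"APPCRASH"}

# Matches the indexed signature keys, e.g. "Sig[0].Name" or "DynamicSig[1].Value".
SIG_RE = re.compile(r"^(?P<kind>Sig|DynamicSig)\[(?P<idx>\d+)\]\.(?P<field>Name|Value)$")


def parse_wer_report(text: str) -> dict:
    """Parse Report.wer text into a dict. Plain keys are kept as-is; Sig[n] and
    DynamicSig[n] Name/Value pairs are folded into 'signatures' / 'dynamic_signatures'."""
    report = {"signatures": {}, "dynamic_signatures": {}}
    pending = {}  # (kind, idx) -> signature name waiting for its value line
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        m = SIG_RE.match(key)
        if m is None:
            report[key] = value
            continue
        slot = (m["kind"], int(m["idx"]))
        if m["field"] == "Name":
            pending[slot] = value
        else:
            # Name normally precedes Value; fall back to the raw slot if it did not.
            name = pending.pop(slot, f"{m['kind']}[{m['idx']}]")
            target = "signatures" if m["kind"] == "Sig" else "dynamic_signatures"
            report[target][name] = value
    return report


def classify_event(event_type: str) -> str:
    """'known' for native or standard event names, otherwise 'unknown'."""
    if event_type in NATIVE_EVENT_NAMES or event_type in STANDARD_EVENT_TYPES:
        return "known"
    return "unknown"


def triage_reports(reports):
    """reports: iterable of (label, report_text). Returns (label, EventType, AppPath)
    for every report whose event name is not in the baseline."""
    findings = []
    for label, text in reports:
        rep = parse_wer_report(text)
        event_type = rep.get("EventType", "")
        if classify_event(event_type) == "unknown":
            findings.append((label, event_type, rep.get("AppPath", "?")))
    return findings


def load_reports_from_dir(root: Path):
    """Yield (path, text) for each Report.wer under root, e.g. the WER ReportArchive and
    ReportQueue folders. Assumption: on-disk files are UTF-16 with a BOM."""
    for path in root.rglob("Report.wer"):
        yield str(path), path.read_text(encoding="utf-16")


# Constructed sample reports (not real captures): two known event names, one unfamiliar.
SAMPLE_REPORTS = [
    ("archive-1", "Version=1\nEventType=APPCRASH\nEventTime=133000000000000000\n"
                  "Sig[0].Name=Application Name\nSig[0].Value=notepad.exe\n"
                  "Sig[1].Name=Application Version\nSig[1].Value=10.0.22000.1\n"
                  "DynamicSig[1].Name=OS Version\nDynamicSig[1].Value=10.0.22000.2.0.0.256.48\n"
                  "AppPath=C:\\Windows\\System32\\notepad.exe\n"),
    ("archive-2", "Version=1\nEventType=ServiceHang\n"
                  "AppPath=C:\\Windows\\System32\\services.exe\n"),
    ("queue-1", "Version=1\nEventType=ExampleCustomEvent\n"
                "AppPath=C:\\Users\\Public\\sample.exe\n"),
]

if __name__ == "__main__":
    for label, event_type, app_path in triage_reports(SAMPLE_REPORTS):
        print(f"{label}: unfamiliar EventType {event_type!r} from {app_path}")
```

The baseline keys on the event name only, not on the module that emitted it, because several of the names above come from DLLs (AcLayers.dll, gdi32full.dll) that are loaded into arbitrary host processes, so the AppPath in such a report is not a reliable indicator on its own. Point load_reports_from_dir at the WER ReportArchive or ReportQueue folder to run the same triage over real reports.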

ShimBad the Sailor, Part 3

Windows 11 brings us a lot of new Shim-related goodies and it makes sense to cover at least some of them.

In the second part of this series I listed a number of process names that are treated in a special way by the existing shim database entries.

It turns out that the list of these process names has been extended by at least two:

  • SdbMergeTestEntry_Added_Exe_Item.exe
  • SdbMergeTestEntry_Added_Exe_Item_InboxApp.exe

In other words, when you run a program that is named like the two aforementioned entries, you will get these messages:

Additionally, Windows 11 binaries handling shims include references to a list of folders that may be of some interest:

  • %windir%\apppatch\AcPluginDlls\Plugin
  • %windir%\apppatch\AcPluginDlls\PluginWow
  • %windir%\apppatch\AcPluginDlls\PluginWowAMD64
  • %windir%\apppatch\AcPluginDlls\PluginWowARM
  • %windir%\apppatch\AcPluginDlls\PluginWowARM64
  • %windir%\apppatch\AcPluginDlls\PluginWowX86

The Windows 11 installations I have seen so far include these test Ac plugins:

  • c:\WINDOWS\apppatch\AcPluginDlls\Plugin\AcPlugin_Test.dll
  • c:\WINDOWS\apppatch\AcPluginDlls\Plugin\AcPlugin_Test2.dll
  • c:\WINDOWS\apppatch\AcPluginDlls\PluginWowX86\AcPlugin_Test.dll
  • c:\WINDOWS\apppatch\AcPluginDlls\PluginWowX86\AcPlugin_Test2.dll

The code referencing these directories resides in a few system libraries:

  • apphelp.dll
  • pcasvc.dll
  • appraiser.dll

but I have not yet explored how they work. As of now, I assume this is a lesser-known Shim Database enhancement mechanism that could potentially be leveraged for persistence and stealth code injection…