List of clean mutexes and mutants

A few years ago I released a list of ‘bad’ mutexes/mutants. That list was generated from my malware sandbox reports.

I thought that it may be good to revisit the idea, but this time with a focus on a ‘clean’ list.

What do I mean by that?

Windows native binaries reference many ‘clean’ mutexes and mutants. By looking for references to CreateMutex* and OpenMutex API invocations inside native OS applications and DLLs, we can build the list presented below.

I hope you will agree that amongst all the items presented, the x9pv45dxghk mutex looks the most suspicious, as if malware had just hit your system, but … it’s actually not a bad guy! Also, some of these mutexes you will probably never see in your logs, f.ex. anything RAS-related is kinda dead, because dialers are long gone (of course, RAS is a bit wider in scope, but you know what I mean). But then some of them may actually still be helpful in detecting interesting OS events, f.ex. everything with ‘RDP’ in the name. There are also some eye-catching mutexes that may be worth further exploration, f.ex. Global\SignedDriversMutex is created before driverquery.exe runs the WQL query “select * from Win32_PnpSignedDriver where DeviceName != NULL“. Why is that mutex needed there? Hmm…

Let’s remember that mutexes often guard a program’s important business logic. By understanding why these mutexes are created we may affect some of this logic and take over the program’s narrative. For example, WerMgr.exe uses the Global\WerMgrUploadingLock mutex to ensure only one instance of WerMgr.exe is uploading Windows Error Reports (for the wermgr.exe options -upload and -uploadforce). It’s not very useful per se, but it makes the point.
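One way to put such a list to work on the defensive side, as an added example that is not part of the original post: triage mutex events from a sandbox report against an excerpt of the list, folding object-manager paths back to the API-level names and flagging a clean name created by an image the list does not pair it with. The tab-separated report format and the sample process paths are constructed for illustration.

```python
"""Triage CreateMutex*/OpenMutex* events from a sandbox report against an
allowlist of known-clean names (excerpt of the list in this post).  Added
example, not the author's tooling; the report format is constructed."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Excerpt of the post's list: mutex name -> image files that reference it.
CLEAN_MUTEXES: Dict[str, Set[str]] = {
    "Global\\WerMgrUploadingLock": {"wermgr.exe"},
    "Global\\SignedDriversMutex": {"driverquery.exe"},
    "x9pv45dxghk": {"winipcsecproc.dll"},
    "RdpClipAlreadyRunningMutex": {"rdpclip.exe"},
    "Local\\RdpInitMutex": {"rdpinit.exe"},
}
# Some tools log the object-manager path rather than the name given to the API.
_OM_GLOBAL = re.compile(r"^\\BaseNamedObjects\\(.+)$")
_OM_SESSION = re.compile(r"^\\Sessions\\\d+\\BaseNamedObjects\\(.+)$")


def candidate_names(raw: str) -> Set[str]:
    """Spellings of `raw` to look up: \\BaseNamedObjects\\X is Global\\X, while
    Local\\X and bare X name the same per-session object."""
    m = _OM_GLOBAL.match(raw)
    if m:
        return {"Global\\" + m.group(1)}
    m = _OM_SESSION.match(raw)
    name = m.group(1) if m else raw
    if name.startswith("Local\\"):
        name = name[len("Local\\"):]
    if name.startswith("Global\\"):
        return {name}
    return {name, "Local\\" + name}


def lookup(raw: str) -> Tuple[Optional[str], Set[str]]:
    # Mutex names are case-sensitive, so only an exact match counts as known.
    for cand in candidate_names(raw):
        if cand in CLEAN_MUTEXES:
            return cand, CLEAN_MUTEXES[cand]
    return None, set()


def triage(raw_name: str, creator_image: str) -> str:
    known, images = lookup(raw_name)
    if known is None:
        return "unknown"
    creator = creator_image.rsplit("\\", 1)[-1].lower()
    if creator in {i.lower() for i in images}:
        return "known-clean"
    # The list pairs a name with the module that references it; when that
    # module is a DLL the creator is its host process (svchost.exe below), so
    # this is only a hint, but it also catches a clean name reused elsewhere.
    return "known-name-unexpected-creator"


# Constructed report lines: "<pid>\t<process image>\t<api>\t<mutex name>"
SAMPLE_REPORT = """\
4012\tC:\\Windows\\System32\\wermgr.exe\tCreateMutexW\tGlobal\\WerMgrUploadingLock
5120\tC:\\Windows\\System32\\rdpclip.exe\tCreateMutexW\tRdpClipAlreadyRunningMutex
6633\tC:\\Windows\\System32\\svchost.exe\tCreateMutexW\tx9pv45dxghk
7010\tC:\\Users\\Public\\update.exe\tCreateMutexW\tGlobal\\WerMgrUploadingLock
7010\tC:\\Users\\Public\\update.exe\tCreateMutexW\tLocal\\8e6f2a-updater
2284\tC:\\Windows\\System32\\rdpinit.exe\tNtCreateMutant\t\\Sessions\\2\\BaseNamedObjects\\RdpInitMutex
"""


def triage_report(report: str) -> List[Tuple[int, str, str, str]]:
    """Parse the tab-separated report and label every mutex event."""
    rows = []
    for line in report.splitlines():
        if line.strip():
            pid, image, _api, name = line.split("\t", 3)
            rows.append((int(pid), image, name, triage(name, image)))
    return rows
```

Running `triage_report(SAMPLE_REPORT)` labels the wermgr.exe, rdpclip.exe and rdpinit.exe events known-clean, the update.exe reuse of Global\WerMgrUploadingLock and the svchost.exe-hosted x9pv45dxghk as known names with an unexpected creator, and the remaining name as unknown.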

Here’s the list I collected:

2F8FA37B-8158-476F-9B22-3283D2A6FEC2

  • Windows\System32\phoneactivate.exe

5615046C-3289-4BC3-A5C7-0E9B0FE4C2DA

  • Windows\System32\CourtesyEngine.dll

ACTIONDIALOG_MUTEX

  • Windows\System32\WindowsActionDialog.exe

AD8DA490-28A3-4dfd-96BA-37453388BAEF

  • Program Files (x86)\Windows Photo Viewer\PhotoAcq.dll
  • Program Files\Windows Photo Viewer\PhotoAcq.dll

AMResourceMutex3

  • Windows\SysWOW64\quartz.dll
  • Windows\System32\quartz.dll

AccessibilitySoundAgentRunning

  • Windows\SysWOW64\PlaySndSrv.dll
  • Windows\SysWOW64\sethc.exe
  • Windows\System32\PlaySndSrv.dll
  • Windows\System32\sethc.exe

AppIDSvc\CertStore

  • Windows\System32\appidcertstorecheck.exe

AppIDSvc\PolicyMutex

  • Windows\System32\appidpolicyconverter.exe

AssignedAccessCspDataStore{2DB91A08-F99F-4E50-A831-6D917523A264}

  • Windows\System32\AssignedAccessCsp.dll

AuthHostAppContainerMutex.SSO

  • Windows\SysWOW64\AuthBroker.dll
  • Windows\System32\AuthBroker.dll

AutoTune

  • Windows\SysWOW64\psisdecd.dll
  • Windows\System32\psisdecd.dll

BDATIF_Mutex

  • Windows\SysWOW64\psisdecd.dll
  • Windows\System32\psisdecd.dll

BFFF9080-1DAE-43B1-96B6-738575D01524

  • Program Files (x86)\Common Files\Microsoft Shared\ink\mshwLatin.dll
  • Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe
  • Program Files\Common Files\microsoft shared\ink\mshwLatin.dll
  • Windows\System32\msTextPrediction.dll

CB35EF5D-4591-41d9-BBA2-0363342F3783

  • Windows\System32\cscsvc.dll

CSM Policy Key Mutex

  • Windows\SysWOW64\SearchIndexer.exe
  • Windows\SysWOW64\srchadmin.dll
  • Windows\System32\SearchIndexer.exe
  • Windows\System32\srchadmin.dll

CWpcTridentWebFilter::Initialize

  • Windows\SysWOW64\WpcWebFilter.dll
  • Windows\System32\WpcWebFilter.dll

ClearTypeTunerWizardMutex

  • Windows\SysWOW64\cttune.exe
  • Windows\System32\cttune.exe

CloudNotifications

  • Windows\SysWOW64\CloudNotifications.exe
  • Windows\System32\CloudNotifications.exe

Connection Manager Phonebook Access

  • Windows\SysWOW64\cmdl32.exe
  • Windows\System32\cmdl32.exe

Connection Manager Profile Installer Mutex

  • Windows\SysWOW64\cmstp.exe
  • Windows\System32\cmstp.exe

CredPicker.Mutex_CAED75DD_5855_49C7_A2FD_4CC470A3575E

  • Windows\System32\Windows.Security.Credentials.UI.CredentialPicker.dll

DBWinMutex

  • Windows\SysWOW64\KernelBase.dll
  • Windows\System32\KernelBase.dll

DSKQUOTA_SIDCACHE_MUTEX

  • Windows\SysWOW64\dskquota.dll
  • Windows\System32\dskquota.dll

DirectMusiCPcClockMutex

  • Windows\SysWOW64\dmusic.dll
  • Windows\System32\dmusic.dll

DirectMusicMasterClockMutex

  • Windows\SysWOW64\dmusic.dll
  • Windows\System32\dmusic.dll

DiskSnapshot-Mutex

  • Windows\System32\DiskSnapshot.exe

DrvInst.exe_mutex_{5B10AC83-4F13-4fde-8C0B-B85681BA8D73}

  • Windows\System32\drvinst.exe
  • Windows\System32\pnppolicy.dll

EUPPSYNCLOCK

  • Windows\SysWOW64\msfeeds.dll
  • Windows\System32\msfeeds.dll

EduPrintProvSingleInstance

  • Windows\System32\EduPrintProv.exe

EnterpriseIDMutex-61982412-20ce-4a9a-b974-55c3ce44b9b0

  • Windows\SysWOW64\efswrt.dll
  • Windows\System32\efswrt.dll

FinishInstallOperation_mutex_{13f20490-1533-411a-9489-1a6da95d2b85}

  • Windows\SysWOW64\newdev.dll
  • Windows\System32\newdev.dll

FlightActionManagerConsolidateMutex

  • Windows\SysWOW64\FlightSettings.dll
  • Windows\System32\FlightSettings.dll

GeneratingSchemaGlobalMapping

  • Windows\SysWOW64\propsys.dll
  • Windows\System32\propsys.dll

Global\552FFA80-3393-423d-8671-7BA046BB5906

  • Windows\SysWOW64\sppc.dll
  • Windows\System32\sppc.dll
  • Windows\System32\sppsvc.exe

Global\AudioResourceAcquisitionMutex

  • Windows\System32\audioresourceregistrar.dll
  • Windows\System32\audiosrv.dll

Global\CDNDownloadMutex

  • Windows\SysWOW64\dmenrollengine.dll
  • Windows\System32\DeviceEnroller.exe

Global\ComPortNumberDatabaseMutexObject

  • Windows\SysWOW64\msports.dll
  • Windows\System32\msports.dll

Global\DFXLIB_STORE_MUTEX

  • Windows\SysWOW64\difxapi.dll
  • Windows\System32\difxapi.dll

Global\DVD_Region_Cntry_List_Mutex

  • Windows\SysWOW64\Storprop.dll

Global\DeclaredConfigurationMutex

  • Windows\SysWOW64\dmenrollengine.dll
  • Windows\System32\omadmclient.exe

Global\DeviceManagementContainerMutex

  • Windows\SysWOW64\dmcmnutils.dll
  • Windows\System32\dmcmnutils.dll

Global\F659A567-8ACB-4E4A-92A7-5C2DD1884F72

  • Windows\SysWOW64\RacEngn.dll
  • Windows\System32\RacEngn.dll

Global\FillWindowsUpdatePrinterCatalog

  • Windows\SysWOW64\ntprint.dll
  • Windows\System32\ntprint.dll

Global\FindNetPrinters{60E245A9-955D-421b-985C-A48F7CBF0476}

  • Windows\SysWOW64\findnetprinters.dll
  • Windows\System32\findnetprinters.dll

Global\Fve-AAD-Mutex

  • Windows\System32\fveskybackup.dll

Global\LicenseUI

  • Windows\System32\LicensingUI.exe

Global\Lpksetup-TempFolderToken

  • Windows\System32\lpksetup.exe

Global\MS ODBC PerfMon

  • Windows\SysWOW64\odbc32.dll
  • Windows\System32\odbc32.dll

Global\Microsoft.Windows.Setup.Box

  • Windows\System32\UpdateAgent.dll

Global\Microsoft.Windows.Setup.SetupCln

  • Windows\SysWOW64\setupcln.dll
  • Windows\System32\setupcln.dll

Global\Microsoft.Windows.WindowsColorSystem.CalibrationLoaderMutex

  • Windows\SysWOW64\mscms.dll
  • Windows\System32\mscms.dll

Global\NetSetupShimDriverInstallUninstall

  • Windows\SysWOW64\NetSetupShim.dll
  • Windows\System32\NetSetupShim.dll

Global\PolicyManagerMutex

  • Windows\System32\Win32AppSettingsProvider.dll

Global\RasMpDevices

  • Windows\SysWOW64\mprdim.dll
  • Windows\System32\mprdim.dll
  • Windows\System32\rasmans.dll
  • Windows\System32\sstpsvc.dll

Global\RasPbFile

  • Windows\SysWOW64\rasplap.dll
  • Windows\System32\rasapi32.dll
  • Windows\System32\rasdlg.dll
  • Windows\System32\rasgcw.dll
  • Windows\System32\rasmans.dll
  • Windows\System32\rasplap.dll

Global\RecentDocumentsUpdate

  • Windows\SysWOW64\windows.storage.dll

Global\SQMWindowsConsolidator

  • Windows\System32\wsqmcons.exe

Global\ServicePackOrHotfix

  • Program Files (x86)\Windows Media Player\setup_wm.exe
  • Program Files\Windows Media Player\setup_wm.exe

Global\SetupLog

  • Windows\SysWOW64\wimgapi.dll
  • Windows\System32\wimgapi.dll
  • Windows\System32\wimserv.exe

Global\SignedDriversMutex

  • Windows\SysWOW64\driverquery.exe
  • Windows\System32\driverquery.exe

Global\SpaceWorker_Mutex

  • Windows\System32\SpaceAgent.exe

Global\TPAC_DEBUG_FILE_ACCESS

  • Windows\System32\TPSvc.dll

Global\WAU running

  • Windows\SysWOW64\LicensingWinRT.dll
  • Windows\System32\LicensingWinRT.dll

Global\WDC.0AF0EEEF-BDEC-4D4C-AC72-6AF58B3EEE01

  • Windows\SysWOW64\wdc.dll
  • Windows\System32\wdc.dll

Global\WIATRACE_MUTEX

  • Windows\SysWOW64\sti.dll
  • Windows\SysWOW64\wiaaut.dll
  • Windows\System32\sti.dll
  • Windows\System32\sti_ci.dll
  • Windows\System32\wiaaut.dll
  • Windows\System32\wiarpc.dll
  • Windows\System32\wiaservc.dll

Global\WerKernelVerticalConvertingLiveDump

  • Windows\SysWOW64\WerFault.exe
  • Windows\System32\WerFault.exe

Global\WerKernelVerticalGeneratingDump

  • Windows\SysWOW64\WerFault.exe
  • Windows\System32\WerFault.exe

Global\WerKernelVerticalReporting

  • Windows\SysWOW64\WerFault.exe
  • Windows\System32\WerFault.exe

Global\WerMgrUploadingLock

  • Windows\SysWOW64\wermgr.exe
  • Windows\System32\wermgr.exe

Global\WinSATMutex

  • Windows\System32\WinSAT.exe

Global\Windows.User.OOBE

  • Windows\SysWOW64\explorer.exe
  • Windows\SysWOW64\twinui.dll
  • Windows\System32\twinui.dll

Global\lpksetup-init

  • Windows\System32\lpksetup.exe

Global\mbaeapi.mutex

  • Windows\SysWOW64\MbaeApi.dll
  • Windows\System32\MbaeApi.dll

Global\{5E5C36C0-5E7C-471f-84D7-110FDC1AFD0D}

  • Windows\SysWOW64\esent.dll
  • Windows\System32\esent.dll
  • Windows\System32\esentutl.exe

Global\{B817B57E-5013-4b35-BD74-24B3C225ED6E}

  • Windows\System32\dstokenclean.exe

IESettingSyncMutex

  • Windows\System32\IESettingSync.exe

KeyMgrMutex

  • Windows\SysWOW64\keymgr.dll
  • Windows\System32\keymgr.dll

LOCATIONNOTIFICATION_MUTEX

  • Windows\System32\LocationNotificationWindows.exe

Local\!BrowserEmulation!SharedMemory!Mutex

  • Windows\SysWOW64\urlmon.dll
  • Windows\System32\urlmon.dll

Local\BitLockerChangePinTaskDialogMutex

  • Windows\System32\bdechangepin.exe

Local\C9E8AF12-FA27-4748-EC04-38CA71239739_RegisterDevice

  • Windows\System32\DeviceDirectoryClient.dll

Local\Color CPL Startup Mutex

  • Windows\SysWOW64\colorui.dll
  • Windows\System32\colorui.dll

Local\CscUnpinSingletonProcess

  • Windows\System32\Microsoft.Uev.CscUnpinTool.exe

Local\DCCW Startup Mutex

  • Windows\SysWOW64\dccw.exe
  • Windows\System32\dccw.exe

Local\DDrawDriverObjectListMutex

  • Windows\SysWOW64\ddraw.dll

Local\DDrawWindowListMutex

  • Windows\SysWOW64\ddraw.dll

Local\DSREGCMD-Recovery

  • Windows\SysWOW64\dsreg.dll
  • Windows\System32\dsreg.dll

Local\DialersIveBeenStartedMutex

  • Windows\SysWOW64\dialer.exe
  • Windows\System32\dialer.exe

Local\E2A05719-7EDD-4269-94FB-E5C725AE176B

  • Windows\System32\Windows.Cortana.Desktop.dll

Local\ERCAPPSINGLEINSTANCE

  • Windows\System32\werconcpl.dll

Local\ExplorerIsShellMutex

  • Windows\SysWOW64\explorer.exe

Local\Feeds Store Mutex LoRIE

  • Windows\SysWOW64\msfeeds.dll
  • Windows\System32\msfeeds.dll

Local\FmsRegChangeMutex

  • Windows\SysWOW64\fms.dll
  • Windows\System32\fms.dll

Local\FmsRegMutex

  • Windows\SysWOW64\fms.dll
  • Windows\System32\fms.dll

Local\HelpPaneRunningMutex

  • Windows\HelpPane.exe

Local\InputServiceHostMutex

  • Windows\SysWOW64\MsCtfMonitor.dll
  • Windows\System32\MsCtfMonitor.dll

Local\LRIEElevationPolicyMutex

  • Program Files (x86)\Internet Explorer\IEShims.dll
  • Program Files\Internet Explorer\IEShims.dll

Local\LockAppHostThreadProcMutex

  • Windows\System32\LockHostingFramework.dll

Local\MICROSOFT_WMDM_MUTEX

  • Windows\SysWOW64\mswmdm.dll
  • Windows\System32\mswmdm.dll

Local\MPSWabDataAccessMutex

  • Program Files (x86)\Common Files\System\wab32.dll
  • Program Files\Common Files\System\wab32.dll

Local\MSIdent Logon

  • Windows\SysWOW64\msident.dll
  • Windows\System32\msident.dll

Local\Microsoft-Windows-LockScreenHistory

  • Windows\SysWOW64\Windows.UI.Immersive.dll
  • Windows\System32\Windows.UI.Immersive.dll

Local\Microsoft:VisionTools:GlobalsMutex

  • Windows\SysWOW64\MSPhotography.dll
  • Windows\SysWOW64\MSVideoDSP.dll
  • Windows\System32\MSPhotography.dll
  • Windows\System32\MSVideoDSP.dll

Local\Microsoft_WMP_70_CheckForOtherInstanceMutex

  • Program Files (x86)\Windows Media Player\wmplayer.exe
  • Program Files\Windows Media Player\wmplayer.exe

Local\MidiMapper_modLongMessage_RefCnt

  • Windows\SysWOW64\midimap.dll
  • Windows\System32\midimap.dll

Local\RdpInitMutex

  • Windows\System32\rdpinit.exe

Local\RdpInitSxSMutex

  • Windows\System32\rdpinit.exe

Local\RdpShellMutex

  • Windows\System32\rdpshell.exe

Local\RemoteAssistanceNoviceLock

  • Windows\System32\msra.exe

Local\RemoteAssistanceSettingLockS

  • Windows\System32\msra.exe
  • Windows\System32\msrahc.dll

Local\SessionImmersiveColorMutex

  • Windows\SysWOW64\explorer.exe
  • Windows\SysWOW64\uxtheme.dll
  • Windows\System32\uxtheme.dll

Local\Shell.CMruPidlList

  • Windows\SysWOW64\windows.storage.dll

Local\Shell_LightDismissOverlay_Sync

  • Windows\SysWOW64\Windows.UI.Immersive.dll
  • Windows\System32\Windows.UI.Immersive.dll

Local\SpeechUX~Running

  • Windows\IME\SPTIP.DLL

Local\SyncCenterAllowIsolationServer

  • Windows\SysWOW64\SyncCenter.dll
  • Windows\System32\SyncCenter.dll

Local\SyncServiceThread

  • Windows\SysWOW64\SyncCenter.dll
  • Windows\System32\SyncCenter.dll

Local\SystemResetExeAlreadyRunning

  • Windows\System32\systemreset.exe

Local\TpmInit

  • Windows\SysWOW64\TpmInit.exe
  • Windows\System32\TpmInit.exe

Local\WMDMLogger.LogFile.Mutex

  • Windows\SysWOW64\wmdmlog.dll
  • Windows\System32\wmdmlog.dll

Local\WMDMLogger.Registry.Mutex

  • Windows\SysWOW64\wmdmlog.dll
  • Windows\System32\wmdmlog.dll

Local\WindowsSearchService_EfsRegKeysMutex

  • Windows\SysWOW64\mssrch.dll
  • Windows\System32\mssrch.dll

Local\ZonesCacheCounterMutex

  • Windows\SysWOW64\urlmon.dll

Local\ZonesLockedCacheCounterMutex

  • Windows\SysWOW64\urlmon.dll

Local\__DDrawCheckExclMode__

  • Windows\SysWOW64\ddraw.dll

Local\__DDrawExclMode__

  • Windows\SysWOW64\d3d8.dll
  • Windows\SysWOW64\d3d9.dll
  • Windows\SysWOW64\ddraw.dll
  • Windows\System32\d3d9.dll

Local\ba76e584-735b-45d5-ab75-7ecb8ec8f208

  • Windows\System32\rekeywiz.exe

Local\tapi_dp_mutex

  • Windows\SysWOW64\tapi32.dll
  • Windows\System32\tapi32.dll

Local\workspace_status_notifier

  • Windows\System32\TSWorkspace.dll

Local\{62D41444-0649-48E1-9670-1E54E5B06001}

  • Windows\SysWOW64\themecpl.dll
  • Windows\System32\themecpl.dll

Local\{9ea26f7c-c1a5-466d-9c5e-0be4435f9910}

  • Windows\System32\Dxpserver.exe

Local\{EA35C8AC-BCAE-4458-98BD-F3ECB90DBC09}

  • Windows\SysWOW64\psr.exe
  • Windows\System32\psr.exe

LockScreenDataLayerMutex

  • Windows\SysWOW64\LockAppBroker.dll
  • Windows\System32\LockAppBroker.dll

MCICDA_InitCritSection

  • Windows\SysWOW64\mcicda.dll
  • Windows\System32\mcicda.dll

MOBILITYCENTER_MUTEX

  • Windows\System32\mblctr.exe

MSDevicePairingWizard

  • Windows\SysWOW64\DevicePairing.dll
  • Windows\System32\DevicePairing.dll

MSORCL32.DLL:NO ORACLE MESSAGE MUTEX

  • Windows\SysWOW64\msorcl32.dll

MSScreenMagnifierAlreadyExistsMutex

  • Windows\System32\winlogon.exe

MSScreenMagnifierContextAreaMutex

  • Windows\SysWOW64\Magnify.exe
  • Windows\System32\Magnify.exe

MS_FAXXP_ATTACHMENTREGION_MUTEX

  • Windows\System32\FXSAPI.dll
  • Windows\System32\FXSCOMPOSE.dll

MS_FAXXP_ATTACHMENT_MUTEX

  • Windows\System32\FXSAPI.dll
  • Windows\System32\FXSCOMPOSE.dll

ManagedAccountManager{8466CE10-BD83-44BF-81A9-9B35D36EB77C}

  • Windows\System32\assignedaccessmanagersvc.dll

Microsoft.Windows.Migration.MigWiz

  • Program Files\Common Files\microsoft shared\ink\tabskb.dll
  • Program Files\Common Files\microsoft shared\ink\tipskins.dll

Microsoft.Windows.Setup.FirstUXRefCount

  • Windows\SysWOW64\spwizeng.dll
  • Windows\System32\sppnp.dll
  • Windows\System32\spwizeng.dll

Microsoft_WMP_70_CheckForOtherInstanceMutex

  • Windows\SysWOW64\wmpshell.dll
  • Windows\System32\wmpshell.dll

Mutex:Pubwiz:Icons

  • Windows\SysWOW64\shwebsvc.dll
  • Windows\System32\shwebsvc.dll

Mutex:Pubwiz:Regs

  • Windows\SysWOW64\shwebsvc.dll
  • Windows\System32\shwebsvc.dll

Notification serialiazer Mutex

  • Windows\SysWOW64\InstallService.dll
  • Windows\System32\InstallService.dll

OFFLINEDEVICEID-CREATERANDOMSEED

  • Windows\System32\ClipSVC.dll
  • Windows\System32\TpmTasks.dll

OOC State Mutex

  • Windows\SysWOW64\hidserv.dll
  • Windows\System32\hidserv.dll

ORTC_TracingLock

  • Windows\SysWOW64\rtmpal.dll
  • Windows\System32\rtmpal.dll

OnlineHistoryUUIDGenLock

  • Windows\System32\EdgeContent.dll

PRESENTATIONSETTINGS_MUTEX

  • Windows\System32\PresentationSettings.exe

PRWIZARDMUTEX

  • Windows\SysWOW64\keymgr.dll
  • Windows\System32\keymgr.dll

Provisioning\ProvMutex

  • Windows\SysWOW64\provcore.dll
  • Windows\System32\provcore.dll

RasPbFile

  • Windows\SysWOW64\rasplap.dll
  • Windows\System32\rasapi32.dll
  • Windows\System32\rasdlg.dll
  • Windows\System32\rasgcw.dll
  • Windows\System32\rasmans.dll
  • Windows\System32\rasplap.dll

RdpClipAlreadyRunningMutex

  • Windows\System32\rdpclip.exe

RdpInputAlreadyRunningMutex

  • Windows\System32\rdpclip.exe
  • Windows\System32\rdpinput.exe

RecommendedTroubleshootingServiceMutexName

  • Windows\System32\MitigationClient.dll

Search Admin Control Panel

  • Windows\SysWOW64\srchadmin.dll
  • Windows\System32\srchadmin.dll

SearchServiceMUT

  • Windows\SysWOW64\SearchIndexer.exe
  • Windows\System32\SearchIndexer.exe

SetuplogMutex

  • Windows\SysWOW64\setupapi.dll
  • Windows\System32\setupapi.dll

ShellNewConsolidationMutex

  • Windows\SysWOW64\shell32.dll

ShellNewConsolidationMutex64

  • Windows\System32\shell32

SpellingHostSingletonMutex

  • Windows\System32\MsSpellCheckingHost.exe

StoreCacheInit_Mutex

  • Windows\System32\Windows.CloudStore.dll

System_Feed_Scheduler_Mutex

  • Windows\SysWOW64\msfeeds.dll
  • Windows\System32\msfeeds.dll

TSLicensingLock

  • Windows\SysWOW64\tlscsp.dll
  • Windows\System32\tlscsp.dll

TabCalSingleInstance

  • Windows\System32\tabcal.exe

TapisrvProviderListMutex

  • Windows\SysWOW64\tapi32.dll
  • Windows\SysWOW64\tapisrv.dll
  • Windows\SysWOW64\tcmsetup.exe
  • Windows\System32\tapi32.dll
  • Windows\System32\tapisrv.dll
  • Windows\System32\tcmsetup.exe

TraceLogStorageMutex

  • Windows\SysWOW64\IndexedDbLegacy.dll
  • Windows\System32\IndexedDbLegacy.dll

WBEMPROVIDERSTATICMUTEX

  • Windows\SysWOW64\framedyn.dll
  • Windows\SysWOW64\framedynos.dll

WMSetup10RTM-UI

  • Program Files (x86)\Windows Media Player\setup_wm.exe
  • Program Files\Windows Media Player\setup_wm.exe

WdsSetupLogInit

  • Windows\SysWOW64\ieUnatt.exe
  • Windows\SysWOW64\wdscore.dll
  • Windows\System32\DismApi.dll
  • Windows\System32\UpdateAgent.dll
  • Windows\System32\ieUnatt.exe
  • Windows\System32\mssrch.dll
  • Windows\System32\wdscore.dll

Windows Volume App Window

  • Windows\SysWOW64\SndVol.exe
  • Windows\SysWOW64\SndVolSSO.dll
  • Windows\System32\SndVol.exe
  • Windows\System32\SndVolSSO.dll

WindowsInsiderServiceMutexName

  • Windows\SysWOW64\FlightSettings.dll
  • Windows\System32\FlightSettings.dll

WindowsPhotoGallerySlideshow

  • Program Files (x86)\Windows Photo Viewer\PhotoViewer.dll
  • Program Files\Windows Photo Viewer\PhotoViewer.dll

WofCompressionPolicyEval

  • Windows\SysWOW64\WofUtil.dll
  • Windows\SysWOW64\compact.exe
  • Windows\System32\WofUtil.dll
  • Windows\System32\compact.exe

_SHuassist.mtx

  • Windows\SysWOW64\shell32.dll
  • Windows\System32\shell32

__EXTENSION_POINTS_STATE_MUTEX__

  • Windows\SysWOW64\Windows.UI.Search.dll
  • Windows\SysWOW64\twinui.appcore.dll
  • Windows\SysWOW64\twinui.dll
  • Windows\System32\ApplicationFrame.dll
  • Windows\System32\SettingsHandlers_nt.dll
  • Windows\System32\Windows.UI.Search.dll
  • Windows\System32\twinui.appcore.dll
  • Windows\System32\twinui.dll

__MDM_LOCAL_MANAGEMENT_NAMED_MUTEX__

  • Windows\SysWOW64\mdmlocalmanagement.dll
  • Windows\System32\mdmlocalmanagement.dll

__MsiPromptForCD

  • Windows\SysWOW64\msi.dll
  • Windows\System32\msi.dll

__OMADM_NAMED_MUTEX__

  • Windows\SysWOW64\omadmapi.dll
  • Windows\System32\omadmapi.dll

___ENUMDEVSYNCH___

  • Windows\SysWOW64\msmpeg2vdec.dll
  • Windows\System32\msmpeg2vdec.dll

__clickonce_app_store__

  • Windows\SysWOW64\dfshim.dll
  • Windows\System32\dfshim.dll

eed3bd3a-a1ad-4e99-987b-d7cb3fcfa7f0

  • Windows\SysWOW64\qedit.dll
  • Windows\System32\qedit.dll

g_nTpmCoreProvisioningClass_SerializationMutex_

  • Windows\SysWOW64\TpmCoreProvisioning.dll
  • Windows\System32\TpmCoreProvisioning.dll

x9pv45dxghk

  • Windows\SysWOW64\winipcsecproc.dll
  • Windows\System32\winipcsecproc.dll

{08E99B95-8687-49A7-9F6E-21D4EEA9346F}

  • Program Files\Windows Defender\Offline\OfflineScannerShell.exe

{14B2AE96-6F90-421C-A255-E7916D51FEF1}

  • Windows\SysWOW64\srmscan.dll
  • Windows\System32\srmscan.dll

{4ae7cdb7-4608-4a6a-b8f1-55d7c500f2ef}

  • Windows\System32\cofire.exe

{5312EE61-79E3-4A24-BFE1-132B85B23C3A}

  • Windows\SysWOW64\iedkcs32.dll
  • Windows\SysWOW64\msfeeds.dll
  • Windows\System32\ie4uinit.exe
  • Windows\System32\iedkcs32.dll
  • Windows\System32\msfeeds.dll

{66D0969A-1E86-44CF-B4EC-3806DDDA3B5D}

  • Windows\SysWOW64\iedkcs32.dll
  • Windows\System32\ie4uinit.exe
  • Windows\System32\iedkcs32.dll

{91ff306c-a88d-4173-9df3-f9fb73e3b047}

  • Windows\System32\DFDWiz.exe

{9ebf696d-2428-4dc4-b048-d46c6da4b717}

  • Windows\System32\BdeHdCfg.exe

{A5B99A4D-2959-11D1-BAC8-00C04FC2E20D}

  • Windows\SysWOW64\iaspolcy.dll
  • Windows\SysWOW64\iasrad.dll
  • Windows\SysWOW64\iassvcs.dll
  • Windows\System32\iaspolcy.dll
  • Windows\System32\iasrad.dll
  • Windows\System32\iassvcs.dll

{D4445657-0FBC-11dc-A692-00037AF63586}

  • Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe
  • Program Files\Common Files\microsoft shared\ink\IpsMigrationPlugin.dll

Threat Hunting – localization issues

So you finished writing your perfect threat hunting query.

Done and dusted, right?

Hmm, sorry… chances are, it is… broken.

How come?

One reason, but it has many acronyms: L10N, T9N, I18N or G11N.

If you are mostly dealing with English-centric versions of the operating systems, you may now stop reading. But… you will be missing out.

Why?

THERE ARE OTHER LANGUAGES OUT THERE. And they come with baggage…

The acronyms listed earlier expand into:

  • Translation (T9N)
  • Localization (L10N)
  • Internationalization (I18N)
  • Globalization (G11N) 

They define a different world, one that is quite esoteric to monoglots: the world of ‘other languages in use’, with a whole lot of new devices ‘suddenly in scope’, too. The world of people who do not use English as their MAIN language. Most of Europe, really. Many places in the world, REALLY!

In this world, your c:\Program Files becomes… an item from this table.

Pfff… and suddenly, all your queries relying on a hard-coded ‘program files’ string need to be adjusted.

You are welcome! 🙂

And it’s not the only artifact that changes.

What about ‘New folder’? This thread shows some examples of the “New Folder” string represented in various languages:

  • Neuer Ordner
  • New folder
  • Nouveau dossier
  • Nova Pasta
  • Nowy folder
  • Nuova Cartella

And again, this is just one of many ‘not so subtle’ localization changes to the OS that affect the way you should be writing your threat hunting queries or doing your DFIR engagement. And yes, it complicates things A LOT. And yes, Hebrew, Arabic, Chinese and Japanese versions of these do exist as well, and they complicate things even more.

Where does it leave us?

Simple answer: pay attention. More responsible answer: explore the environment & adjust queries as per need.

As long as your results-generating framework/language supports Unicode you should be seeing these localized “things”, but only IF YOU EXPECT THEM. Once you see them, bundle them together and use them as a template, f.ex. use combos like this for the c:\program files folder name:

"\Program Files",
"\Programme",
"\Archivos de programa",
"\Programmes",
"\Programmi",
"\Arquivos de Programas",
"\Programmer",
"\Programfiler",
"\Fisiere Program"

These are not all the possibilities, of course, but they are good enough to make us all ‘aware’.
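As an added example (not the author's code), the combos above and the ‘New folder’ list turned into localization-aware path predicates, beside the English-only substring check they replace; the sample image paths are constructed.

```python
"""Localization-aware path predicates for hunting queries.  Added example for
this post, not the author's code; folder names are those listed in the post
and the sample paths are constructed."""
import re
import unicodedata
from typing import List, Tuple

PROGRAM_FILES_NAMES = [
    "Program Files", "Programme", "Archivos de programa", "Programmes",
    "Programmi", "Arquivos de Programas", "Programmer", "Programfiler",
    "Fisiere Program",
]
NEW_FOLDER_NAMES = [
    "New folder", "Neuer Ordner", "Nouveau dossier", "Nova Pasta",
    "Nowy folder", "Nuova Cartella",
]


def _norm(s: str) -> str:
    """NFC + casefold so accented and differently-cased spellings compare equal;
    forward slashes are folded to backslashes as well."""
    return unicodedata.normalize("NFC", s.replace("/", "\\")).casefold()


def _alts(names) -> str:
    return "|".join(re.escape(_norm(n)) for n in names)


# "<drive>:\<localized Program Files>[ (x86)]\..." as the first path component.
PF_RE = re.compile(r"^[a-z]:\\(?:" + _alts(PROGRAM_FILES_NAMES) + r")(?: \(x86\))?\\")
# A localized "New folder" anywhere in the path.
NF_RE = re.compile(r"\\(?:" + _alts(NEW_FOLDER_NAMES) + r")\\")
WIN_RE = re.compile(r"^[a-z]:\\windows\\")


def naive_is_under_program_files(path: str) -> bool:
    """The English-only substring check most queries start with: it misses every
    localized folder and also matches C:\\Users\\bob\\Program Files\\."""
    return "\\program files\\" in path.lower()


def is_under_program_files(path: str) -> bool:
    return PF_RE.match(_norm(path)) is not None


def in_new_folder(path: str) -> bool:
    return NF_RE.search(_norm(path)) is not None


def hunt_exec_outside_program_dirs(paths) -> List[Tuple[str, bool]]:
    """Executables launched from outside Program Files / Windows, with a flag
    for those sitting in an untouched default 'New folder' name."""
    hits = []
    for p in paths:
        n = _norm(p)
        if not n.endswith(".exe"):
            continue
        if is_under_program_files(p) or WIN_RE.match(n):
            continue
        hits.append((p, in_new_folder(p)))
    return hits


# Constructed sample of process image paths as an EDR might report them.
SAMPLE_PATHS = [
    r"C:\Program Files\Vendor\tool.exe",
    r"C:\Programme\Vendor\tool.exe",
    r"C:\Archivos de programa\Vendor\tool.exe",
    r"C:\Program Files (x86)\Vendor\tool.exe",
    r"C:\Users\ana\Desktop\Nowy folder\tool.exe",
    r"C:\Users\hans\Downloads\Neuer Ordner\setup.exe",
    r"C:\Users\bob\Program Files\tool.exe",
    r"C:\Windows\System32\svchost.exe",
]
```

On the sample, the naive check accepts only the English path (and wrongly the one under C:\Users\bob), while the localized predicate accepts the first four and the hunt returns the three user-profile executables, two of them flagged as living in a default ‘New folder’.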

Going forward, we will all be localizing our queries. Oui?