wermgr.exe boot offdmpsvc.dll lolbin

As in the previous case, wermgr.exe accepts many command line arguments:

-boot
-clean
-datacollectorcreate
-nonelevated
-outproc
-purgestores
-queuereporting
-queuereporting_svc
-queuereporting_s_machine
-upload
-uploadforce
-waitforpendingreports

The -boot argument is interesting, as it triggers a code path that attempts to load the following phantom DLL (a DLL the binary references by name but that is not present on a default Windows install):

C:\Windows\System32\offdmpsvc.dll

As such, placing your payload at that path will lead to its execution when you launch the following command. Note that creating a file under System32 requires an elevated (administrator) context, so this is arbitrary code execution under a signed Microsoft binary, not a privilege escalation:

wermgr -boot

wpr.exe boottrace phantom dll axeonoffhelper.dll lolbin

Today I discovered the PipelineFilterHook Registry entry, only to find out that this blog post had already described it in detail. Nice work!

So, I decided to take a look at my favorite phantom DLLs again, and came up with this finding…

The wpr.exe program accepts many command line arguments, and ‘boottrace’ is one of them. If we provide a second command line argument, even a nonsensical one, we trigger a code path in wpr.exe that loads axeonoffhelper.dll from the System32 directory. As it happens, axeonoffhelper.dll is a phantom DLL: it does not exist on a default Windows install, so whatever file you drop under that name is what the loader picks up.

So, placing your payload in:

C:\Windows\System32\axeonoffhelper.dll

and then executing, for example:

wpr -boottrace -stopboot foo

will lead to C:\Windows\System32\axeonoffhelper.dll being loaded into wpr.exe and its DllMain executed. As with wermgr.exe, writing to System32 requires an elevated context, so the value of the trick is running your code under a trusted, signed Microsoft binary rather than escalating privileges.
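Both hijacks described on this page (wermgr.exe loading offdmpsvc.dll, and wpr.exe loading axeonoffhelper.dll) leave the same footprint on the defensive side: a Sysmon Event ID 7 (Image loaded) in which a Microsoft-signed lolbin loads a DLL from System32 that should not exist on a clean machine. The following Python is an added detection example, not code from the original post; the Sysmon XML events it parses are constructed inline, the "Microsoft Windows" signer string and the `Signed`/`Signature`/`SignatureStatus` field names are the standard Sysmon Event 7 fields, and only the lolbin-to-phantom-DLL mapping comes from the two findings above.

```python
"""Hunt for phantom-DLL loads by wermgr.exe and wpr.exe in Sysmon Event ID 7 records.

Added example, not part of the original post. The Sysmon XML events below are
constructed samples; only the lolbin -> phantom DLL pairs come from the page.
"""
import xml.etree.ElementTree as ET

EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Lolbin -> phantom DLL(s) it tries to load from System32 (from the page).
PHANTOM_DLLS = {
    "wermgr.exe": {"offdmpsvc.dll"},
    "wpr.exe": {"axeonoffhelper.dll"},
}
SYSTEM32 = "c:\\windows\\system32\\"


def parse_sysmon_event(xml_text):
    """Return (event_id, {DataName: value}) for one Sysmon event rendered as XML."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find(f"{EVT_NS}System/{EVT_NS}EventID").text)
    data = {d.get("Name"): (d.text or "") for d in root.iter(f"{EVT_NS}Data")}
    return event_id, data


def basename(path):
    """Lower-cased final path component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify_image_load(event_id, data):
    """Return a finding string for a suspicious load, or None if the event is benign.

    Two checks, both scoped to the lolbins on the page:
      1. the loaded DLL is one of the known phantom names under System32, regardless
         of signature (a signed-but-unexpected file there is still worth a look);
      2. any other DLL these binaries load from System32 that is not Microsoft-signed.
    """
    if event_id != 7:  # Sysmon 7 = Image loaded
        return None
    proc = basename(data.get("Image", ""))
    if proc not in PHANTOM_DLLS:
        return None
    loaded = data.get("ImageLoaded", "")
    dll = basename(loaded)
    in_system32 = loaded.lower().startswith(SYSTEM32)
    signed_by_ms = (data.get("Signed", "").lower() == "true"
                    and data.get("Signature", "") == "Microsoft Windows"
                    and data.get("SignatureStatus", "") == "Valid")
    if in_system32 and dll in PHANTOM_DLLS[proc]:
        return f"{proc} loaded phantom DLL {loaded} (signed_by_ms={signed_by_ms})"
    if in_system32 and not signed_by_ms:
        return f"{proc} loaded non-Microsoft DLL from System32: {loaded}"
    return None


def hunt(events_xml):
    """Run classify_image_load over a list of XML events; return the findings in order."""
    findings = []
    for xml_text in events_xml:
        finding = classify_image_load(*parse_sysmon_event(xml_text))
        if finding:
            findings.append(finding)
    return findings


def make_sysmon_event(event_id, **fields):
    """Build a minimal Sysmon-style XML event (constructed test data, not a real log)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{EVT_NS[1:-1]}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{data}</EventData></Event>")


# Constructed sample log: the two hijacks from the page, one benign load, one non-ImageLoad event.
SAMPLE_EVENTS = [
    make_sysmon_event(7, Image=r"C:\Windows\System32\wermgr.exe",
                      ImageLoaded=r"C:\Windows\System32\offdmpsvc.dll",
                      Signed="false", Signature="", SignatureStatus="Unavailable"),
    make_sysmon_event(7, Image=r"C:\Windows\System32\wpr.exe",
                      ImageLoaded=r"C:\Windows\System32\axeonoffhelper.dll",
                      Signed="false", Signature="", SignatureStatus="Unavailable"),
    make_sysmon_event(7, Image=r"C:\Windows\System32\wermgr.exe",
                      ImageLoaded=r"C:\Windows\System32\wer.dll",
                      Signed="true", Signature="Microsoft Windows", SignatureStatus="Valid"),
    make_sysmon_event(1, Image=r"C:\Windows\System32\wermgr.exe",
                      CommandLine="wermgr -boot"),
]

if __name__ == "__main__":
    for line in hunt(SAMPLE_EVENTS):
        print(line)
```

On a live host you would feed `hunt()` the rendered XML of real records, e.g. from PowerShell `Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=7}` and `.ToXml()` on each record. A cheaper pre-check is simply `Test-Path` on the two System32 paths: on a default install both should be False, and a True there is a finding by itself.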