{"id":10333,"date":"2026-02-21T20:23:40","date_gmt":"2026-02-21T20:23:40","guid":{"rendered":"https:\/\/www.hexacorn.com\/blog\/?p=10333"},"modified":"2026-02-21T20:23:40","modified_gmt":"2026-02-21T20:23:40","slug":"1-little-known-secret-of-sti_ci-dll","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2026\/02\/21\/1-little-known-secret-of-sti_ci-dll\/","title":{"rendered":"1 little known secret of sti_ci.dll"},"content":{"rendered":"\n

In 2017 I posted about sideloading of sti_ci.dll<\/a>. And it’s that DLL itself that executes the InstallWiaDevice<\/em> installation command mentioned in that post…<\/p>\n\n\n\n

How?<\/p>\n\n\n\n

Via its export function called… InstallWiaDevice.<\/p>\n\n\n\n

It turns out that we can launch this API directly via rundll32.exe<\/em>:<\/p>\n\n\n\n

rundll32.exe sti_ci.dll, InstallWiaService<\/pre>\n\n\n\n
When executed, the API runs a number of programs:<\/p>\n\n\n\n
regsvr32.exe \/s wiaservc.dll
regsvr32.exe \/s sti.dll
regsvr32 \/s C:\\WINDOWS\\syswow64\\sti.dll
regsvr32.exe \/s wiadefui.dll
wiaacmgr.exe \/RegServer
regsvr32.exe \/s wiashext.dll
regsvr32.exe \/s camocx.dll
regsvr32.exe \/s photowiz.dll
regsvr32.exe \/s wiavusd.dll
regsvr32.exe \/s wiasf.ax<\/pre>\n\n\n\n
Obviously, this creates a number of new possible lolbin opportunities. The only challenge is that since the rundll32.exe<\/em> is executed from the system32 directory, the program will look for regsvr32.exe<\/em>, wiaacmgr.exe<\/em> there first, same as for the listed DLLs.<\/p>\n\n\n\n
To bypass it, one could copy rundll32.exe<\/em> to a different directory, and launch it from there — not the most elegant solution, but it works.<\/p>\n\n\n\n
Bonus:<\/p>\n\n\n\n
The sti_ci.dll<\/em> library logs executed commands in a wiatrace.log<\/em> file. It may be located in various places on the system:<\/p>\n\n\n\n