{"id":2072,"date":"2013-08-21T15:44:07","date_gmt":"2013-08-21T15:44:07","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=2072"},"modified":"2023-05-12T21:44:25","modified_gmt":"2023-05-12T21:44:25","slug":"da-lil-world-of-dll-exports-and-entry-points-part-3","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2013\/08\/21\/da-lil-world-of-dll-exports-and-entry-points-part-3\/","title":{"rendered":"Da Li&#8217;L World of DLL Exports and Entry Points, Part 3"},"content":{"rendered":"<p>The third part of the series (<a title=\"Da Li\u2019L World of DLL Exports and Entry Points, Part 1\" href=\"https:\/\/www.hexacorn.com\/blog\/2013\/08\/08\/da-lil-world-of-dll-exports-and-entry-points-part-1\/\">Part 1<\/a>, <a title=\"Da Li\u2019L World of DLL Exports and Entry Points, Part 2\" href=\"https:\/\/www.hexacorn.com\/blog\/2013\/08\/11\/da-lil-world-of-dll-exports-and-entry-points-part-2\/\">Part2<\/a>) is just a list of as many types of DLL described on MSDN as I could find by quickly googling around. I am pretty sure these are not all, but cover at least the most common ones. If you see anything wrong, or missing, please let me know. Thx!<\/p>\n<p><strong>Component Object Model (COM) DLL<\/strong><\/p>\n<p>Provides COM functionality. These below are functions executed when you run &#8220;regsrv32.exe&#8221;&nbsp; and &#8220;regsrv32.exe \/u&#8221; and when programs communicate \/ use the COM objects implemented via the DLL.<\/p>\n<ul>\n<li>How to recognize?\n<ul>\n<li>Subsystem: Windows<\/li>\n<li>Typical file extension: DLL\/OCX\/VBX<\/li>\n<li>Exported functions:\n<ul>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/ms680760%28v=vs.85%29.aspx\">DllGetClassObject<\/a> &#8211; Retrieves the class object from a DLL object handler or object application.<\/li>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/ms682162%28v=vs.85%29.aspx\">DllRegisterServer<\/a>&nbsp;&#8211; Instructs an in-process server to create its registry entries for all classes supported in this server module.<\/li>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/ms691457%28v=vs.85%29.aspx\">DllUnregisterServer<\/a>&nbsp;&#8211; Instructs an in-process server to remove only those entries created through DllRegisterServer.<\/li>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/ms690368%28v=vs.85%29.aspx\">DllCanUnloadNow<\/a>&nbsp;&#8211;&nbsp;Determines whether the DLL that implements this function is in use. If not, the caller can unload the DLL from memory.<\/li>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/bb759846%28v=vs.85%29.aspx\">DllInstall<\/a> &#8211; Not required, but may be present.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><strong>Kernel Mode DLL<br \/>\n<\/strong><\/p>\n<p>These are best described in a &#8220;classic&#8221; document entitled &#8220;<a href=\"http:\/\/www.wd-3.com\/archive\/KernelDlls.htm\">DLLs in Kernel Mode<\/a>&#8221; written by Tim Roberts.<\/p>\n<ul>\n<li>How to recognize?\n<ul>\n<li>Subsystem: Native<\/li>\n<li>Typical file extension: SYS\/DLL<\/li>\n<li>Exported functions:\n<ul>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/hardware\/ff544049%28v=vs.85%29.aspx\">DllInitialize<\/a> &#8211;&nbsp;The system calls a kernel-mode DLL&#8217;s DllInitialize routine immediately after the DLL is loaded.<\/li>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/hardware\/ff544054%28v=vs.85%29.aspx\">DllUnload<\/a>&nbsp;-The system calls a kernel-mode DLL&#8217;s DllUnload routine before it unloads the DLL.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><strong>Service DLL<br \/>\n<\/strong><\/p>\n<p>These are hosted by svchost. Another &#8216;classic; on the subject is a <a href=\"http:\/\/www.geoffchappell.com\/studies\/windows\/win32\/services\/svchost\/index.htm\">document<\/a> written by Geoff Chappell&#8217;s.<\/p>\n<ul>\n<li>How to recognize?\n<ul>\n<li>Subsystem: Windows<\/li>\n<li>Typical file extension: DLL<\/li>\n<li>Exported functions:\n<ul>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/ms685138%28v=vs.85%29.aspx\">ServiceMain<\/a> &#8211; The entry point for a service.<\/li>\n<li><a href=\"http:\/\/www.geoffchappell.com\/studies\/windows\/win32\/services\/svchost\/dll\/svchostpushserviceglobals.htm\">SvchostPushServiceGlobals<\/a> &#8211; this function does not need to be implemented, but if it is, it will be called before ServiceMain.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><strong>Control Panel application&nbsp;DLL<br \/>\n<\/strong><\/p>\n<p>Anytime you open Control Panel and change the system settings you are running a small applications called Control Panel Applets. They are implemented as DLL. They can be controlled either via <a href=\"http:\/\/support.microsoft.com\/kb\/166168\">Rundll32\/Control_RunDLL<\/a> or <a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/cc144191%28v=vs.85%29.aspx\">control.exe<\/a>.<\/p>\n<ul>\n<li>How to recognize?\n<ul>\n<li>Subsystem: Windows<\/li>\n<li>Typical file extension: CPL<\/li>\n<li>Exported functions:\n<ul>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/bb776392%28v=vs.85%29.aspx\">CPlApplet<\/a> &#8211; Serves as the entry point for a Control Panel application.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><strong>Installable Drivers DLL<br \/>\n<\/strong><\/p>\n<p>Audio Compression Manager Drivers (ACM).<\/p>\n<ul>\n<li>How to recognize?\n<ul>\n<li>Subsystem: Windows<\/li>\n<li>Typical file extension: ACM, AX, DRV, DLL<\/li>\n<li>Exported functions:\n<ul>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/dd797918%28v=vs.85%29.aspx\">DriverProc<\/a>&nbsp;&#8211; Serves as the entry point for a Control Panel application.<\/li>\n<li>AboutDialogProc &#8211; Occasionally may be found in the installable drivers, but not required. Handles messages from &#8216;About&#8217; window.<\/li>\n<li>ConfigureDialogProc &#8211; Occasionally may be found in the installable drivers, but not required.&nbsp;Handles messages from &#8216;Configure&#8217; window.<\/li>\n<li>DriverDialogProc &#8211; Occasionally may be found in the installable drivers, but not required.&nbsp;Handles messages from &#8216;Configure&#8217; window (alternative name).<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><strong>Audio Device Messages for MIDI<\/strong><\/p>\n<p>These are same as installable driver DLLs, but have extra functions exported to process the window messages (some of them seem to be legacy and no longer documented on MSDN).<\/p>\n<ul>\n<li>How to recognize?\n<ul>\n<li>Typical file extension: DRV, DLL<\/li>\n<li>Exported functions:\n<ul>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/ms708185%28VS.85%29.aspx\">DriverProc<\/a> &#8211; Processes driver messages for the installable driver (note: MSDN has at least two pages about <a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/dd797918%28v=vs.85%29.aspx\">DriverProc<\/a>).<\/li>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/hardware\/ff537532%28v=vs.85%29.aspx\">modMessage<\/a> &#8211; An entry-point function for musical instrument digital interface (MIDI) output drivers and for internal synthesizer drivers<\/li>\n<li>modmCallback &#8211; An internal callback function provided to midi API that doesn&#8217;t need to be exported, but can be sometimes found.<\/li>\n<li>wodMessage &#8211; Entry-point function for waveform output drivers.<\/li>\n<li>widMessage &#8211; Entry-point function for waveform input drivers.<\/li>\n<li>midMessage &#8211; Entry-point function for MIDI input drivers.<\/li>\n<li>mxdMessage &#8211; Entry-point function for mixer drivers.<\/li>\n<li>auxMessage- Entry-point function for auxiliary audio drivers.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><strong>File Manager Extension<\/strong><\/p>\n<p>This is a very old type of DLL &#8211; an extension to a File Manager.<\/p>\n<ul>\n<li>How to recognize?\n<ul>\n<li>Typical file extension: DLL<\/li>\n<li>Exported functions:\n<ul>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/bb762600%28v=vs.85%29.aspx\">FMExtensionProc<\/a> &#8211; Called by the File Manager.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><strong>NetShell helper DLL<\/strong><\/p>\n<p>These support netsh.exe tool by providing a &#8216;coverage&#8217; for a specific network functionality. See details <a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/ms708387%28v=vs.85%29.aspx\">here<\/a>.<\/p>\n<ul>\n<li>How to recognize?\n<ul>\n<li>Typical file extension: DLL<\/li>\n<li>Exported functions:\n<ul>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/ms708327%28v=vs.85%29.aspx\">InitHelperDll<\/a> &#8211; Called by NetShell (netsh.exe) to perform an initial loading of a helper.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><strong>Credential Manager DLL<\/strong><\/p>\n<p>Called by Multiple Provider Router (MPR) and support Credential Manager (malware \/ hack tools can use it to sniff credentials). More details <a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/aa375498%28v=vs.85%29.aspx\">here<\/a>.<\/p>\n<ul>\n<li>How to recognize?\n<ul>\n<li>Typical file extension: DLL<\/li>\n<li>Exported functions:\n<ul>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/aa378804%28v=vs.85%29.aspx\">NPLogonNotify<\/a> &#8211; Called when logon event occurs.<\/li>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/aa378806(v=vs.85).aspx\">NPPasswordChangeNotify<\/a> &#8211; Called when password change event occurred.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><strong>IIS Server Extension (ISAPI filter) DLL<\/strong><\/p>\n<p>I mentioned ISAPI filters in my older <a href=\"https:\/\/www.hexacorn.com\/blog\/2013\/01\/19\/beyond-good-ol-run-key-part-3\/\">post<\/a>.<\/p>\n<ul>\n<li>How to recognize?\n<ul>\n<li>Typical file extension: DLL<\/li>\n<li>Exported functions:\n<ul>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/ms525283%28v=vs.90%29.aspx\">GetExtensionVersion <\/a> &#8211; first entry-point function in IIS (for registration)<\/li>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/ms525010%28v=vs.90%29.aspx\">HttpExtensionProc<\/a> &#8211; main entry point for an ISAPI extension (doing all the dirty work)<\/li>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/ms524470%28v=vs.90%29.aspx\">TerminateExtension<\/a> &#8211; optional,&nbsp;&nbsp;unloads the ISAPI DLL<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><strong>Web Filter DLL<\/strong><\/p>\n<p>Web filters detect and process HTTP request notifications. See <a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/ms812622.aspx\">MSDN<\/a> for more details and information about what pairs of APIs listed below need to be exported.<\/p>\n<ul>\n<li>How to recognize?\n<ul>\n<li>Typical file extension: DLL<\/li>\n<li>Exported functions:\n<ul>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/ms826738.aspx\">GetFilterVersion<\/a> &#8211;&nbsp; Called to register for event notifications.<\/li>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/ms826751.aspx\">HttpFilterProc<\/a> &#8211; Called whenever an event for which the filter has registered in the GetFilterVersion function occurs.<\/li>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/ms826740.aspx\">GetWPXFilterVersion<\/a> &#8211; Called to register for the event notifications that were introduced in ISA Server&nbsp;2004.<\/li>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/ms826752.aspx\">HttpWPXFilterProc<\/a> &#8211; Called whenever an event for which the filter has registered in GetWPXFilterVersion occurs.<\/li>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/aa503405.aspx\">TerminateFilter<\/a> &#8211; Called to notify the filter that it will be removed from memory.<\/li>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/aa503285.aspx\">ReloadWPXFilterConfiguration<\/a> &#8211; Called to notify the filter that changes to the configuration of the ISA Server administration COM objects have been applied.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><strong>RAS Administration DLL<\/strong><\/p>\n<p>The RAS Administration DLL exports functions that the RAS server calls whenever a user tries to connect or disconnect.See more details <a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/aa377847%28v=vs.85%29.aspx\">here<\/a>.<\/p>\n<ul>\n<li>How to recognize?\n<ul>\n<li>Subsystem: Windows<\/li>\n<li>Typical file extension: DLL<\/li>\n<li>Exported functions (not all must be implemented, see this <a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/aa377847%28v=vs.85%29.aspx\">MSDN article<\/a>):\n<ul>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/aa374554(v=vs.85).aspx\">MprAdminAcceptNewLink<\/a> &#8211; Remote Access Service (RAS) calls the MprAdminAcceptNewLink function each time a link is created for a particular connection.<\/li>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/aa374571%28v=vs.85%29.aspx\">MprAdminInitializeDll<\/a> &#8211; Called when the Routing and Remote Access Service (RRAS) starts.<\/li>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/aa374596%28v=vs.85%29.aspx\">MprAdminLinkHangupNotification<\/a> &#8211; Called &nbsp;whenever a link for a particular connection is dismantled.<\/li>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/aa375849%28v=vs.85%29.aspx\">MprAdminTerminateDll<\/a> &#8211; Called when the RAS shuts down.<\/li>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/aa374551%28v=vs.85%29.aspx\">MprAdminAcceptNewConnection<\/a> &#8211; Remote Access Service calls this function each time a new user dials in and successfully completes RAS authentication<\/li>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/aa374561%28v=vs.85%29.aspx\">MprAdminConnectionHangupNotification<\/a> &#8211; Remote Access Service calls this function after the last link for the specified connection has been dismantled.<\/li>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/aa374552%28v=vs.85%29.aspx\">MprAdminAcceptNewConnection2<\/a> &#8211;&nbsp;Remote Access Service calls this function each time a new user dials in and successfully completes RAS authentication<\/li>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/aa374562%28v=vs.85%29.aspx\">MprAdminConnectionHangupNotification2<\/a> &#8211; Remote Access Service calls this function after the last link for the specified connection has been dismantled.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><strong>Winlogon GINA DLLs<br \/>\n<\/strong><\/p>\n<p>An &#8216;old -school&#8217; (old, because no longer available on Windows Server 2008 and Windows Vista); it was a replacement for GINA DLL (another type of DLL that was often used to sniff passwords)<\/p>\n<ul>\n<li>How to recognize?\n<ul>\n<li>Subsystem: Windows<\/li>\n<li>Typical file extension: DLL<\/li>\n<li>Exported functions:\n<ul>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/aa380548(v=vs.85).aspx\">WlxActivateUserShell<\/a> &#8211; Activates the user shell program.<\/li>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/aa380560(v=vs.85).aspx\">WlxDisplayLockedNotice<\/a> &#8211; Allows the GINA to display information about the lock, such as who locked the workstation and when it was locked.<\/li>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/aa380561(v=vs.85).aspx\">WlxDisplaySASNotice<\/a> &#8211; Called when no user is logged on.<\/li>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/aa380562(v=vs.85).aspx\">WlxDisplayStatusMessage<\/a> &#8211; Called when the GINA DLL should display a message.<\/li>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/aa380563(v=vs.85).aspx\">WlxGetConsoleSwitchCredentials<\/a> &#8211; Called to read the currently logged on user&#8217;s credentials to transparently transfer them to a target session.<\/li>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/aa380566(v=vs.85).aspx\">WlxGetStatusMessage<\/a> &#8211; Called to get the status message being displayed by the GINA DLL.<\/li>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/aa380567(v=vs.85).aspx\">WlxInitialize<\/a> &#8211; Called once for each window station present on the computer. Currently, the operating system supports one window station per workstation.<\/li>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/aa380568(v=vs.85).aspx\">WlxIsLockOk<\/a> &#8211; Called before attempting to lock the workstation.<\/li>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/aa380569(v=vs.85).aspx\">WlxIsLogoffOk<\/a> &#8211; Called when the user initiates a logoff operation.<\/li>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/aa380570(v=vs.85).aspx\">WlxLoggedOnSAS<\/a> &#8211; Called when it receives a secure attention sequence (SAS) event while the user is logged on and the workstation is not locked.<\/li>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/aa380571(v=vs.85).aspx\">WlxLoggedOutSAS<\/a> &#8211; Called when it receives a secure attention sequence (SAS) event while no user is logged on.<\/li>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/aa380572(v=vs.85).aspx\">WlxLogoff<\/a> &#8211; Called to notify the GINA of a logoff operation on this workstation, allowing the GINA to perform any logoff operations that may be required.<\/li>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/aa380574(v=vs.85).aspx\">WlxNegotiate<\/a> &#8211; The WlxNegotiate function must be implemented by a replacement GINA DLL. This is the first call made by Winlogon to the GINA DLL. WlxNegotiate allows the GINA to verify that it supports the installedversion of Winlogon.<\/li>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/aa380574(v=vs.85).aspx\">WlxNetworkProviderLoad<\/a> &#8211; Called to collect valid authentication and identification information.<\/li>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/aa380581(v=vs.85).aspx\">WlxRemoveStatusMessage<\/a> &#8211; Called to tell the GINA DLL to stop displaying the status message.<\/li>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/aa380583(v=vs.85).aspx\">WlxScreenSaverNotify<\/a> &#8211; Called immediately before a screen saver is activated, allowing the GINA to interact with the screen saver program.<\/li>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/aa380588(v=vs.85).aspx\">WlxShutdown<\/a> &#8211; Called just before shutting down, allowing the GINA to perform any shutdown tasks, such as ejecting a smart card from a reader.<\/li>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/aa380589(v=vs.85).aspx\">WlxStartApplication<\/a> &#8211; Called when the system needs an application to be started in the context of the user.<\/li>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/aa381093(v=vs.85).aspx\">WlxWkstaLockedSAS<\/a> &#8211; Called when it receives a secure attention sequence (SAS) and the workstation is locked.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><strong>Resource DLL&nbsp;<\/strong><\/p>\n<p>The Resource DLL functions allow the Cluster service to manage resources indirectly through a Resource Monitor and a resource DLL. See more on <a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/aa372244%28v=vs.85%29.aspx\">MSDN<\/a>.<\/p>\n<ul>\n<li>How to recognize?\n<ul>\n<li>Subsystem: Windows<\/li>\n<li>Typical file extension: DLL<\/li>\n<li>Exported functions:\n<ul>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/aa367181(v=vs.85).aspx\">Arbitrate<\/a> &#8211; Allows a node to attempt to regain ownership of a quorum resource.<\/li>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/aa367196(v=vs.85).aspx\">Close<\/a> &#8211; Removes a resource instance from the cluster.<\/li>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/aa370496(v=vs.85).aspx\">IsAlive<\/a> &#8211; Determines if a resource is actually operational.<\/li>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/aa370972(v=vs.85).aspx\">LooksAlive<\/a> &#8211; Determines if a resource appears to be available for use.<\/li>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/aa371767(v=vs.85).aspx\">Offline<\/a> &#8211; Performs a graceful shutdown of the resource.<\/li>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/aa371770(v=vs.85).aspx\">Online<\/a> &#8211; Starts the resource and makes it available to the cluster.<\/li>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/aa371773(v=vs.85).aspx\">Open<\/a> &#8211; Creates a new resource instance.<\/li>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/aa372121(v=vs.85).aspx\">Release<\/a> &#8211; Releases a quorum resource from arbitration.<\/li>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/aa372150(v=vs.85).aspx\">ResourceControl<\/a> &#8211; Supports resource control codes.<\/li>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/aa372216(v=vs.85).aspx\">ResourceTypeControl<\/a> &#8211; Supports resource type control codes.<\/li>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/aa372931(v=vs.85).aspx\">Startup<\/a> &#8211; Receives the LogEvent and SetResourceStatus callbacks and returns a function table.<\/li>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/aa372939(v=vs.85).aspx\">Terminate<\/a> &#8211; Performs an immediate shutdown of the resource..<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><strong>MAPI Service Provider DLL<\/strong><\/p>\n<p>These extend MAPI functionality. See more details <a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/office\/cc842159.aspx\">here<\/a>.<\/p>\n<ul>\n<li>How to recognize?\n<ul>\n<li>Subsystem: Windows<\/li>\n<li>Typical file extension: DLL<\/li>\n<li>Exported functions:<\/li>\n<\/ul>\n<ul>\n<ul>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/cc815304.aspx\">MSProviderInit<\/a> &#8211; Implemented by Message store providers.<\/li>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/office\/cc839864.aspx\">XPProviderInit<\/a> &#8211; Implemented by Transport providers.<\/li>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/office\/cc842453.aspx\">ABProviderInit<\/a> &#8211; Implemented by Address book providers.<\/li>\n<\/ul>\n<\/ul>\n<\/li>\n<\/ul>\n<p><strong>WinRT Component DLLs<\/strong><\/p>\n<p>This is a relatively new type of DLL that is being used by Metro applications under Windows 8.<\/p>\n<ul>\n<li>How to recognize?\n<ul>\n<li>Subsystem: Windows<\/li>\n<li>Typical file extension: DLL<\/li>\n<li>Exported functions:\n<ul>\n<li><a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/apps\/br205771%28v=vs.85%29.aspx\">DllGetActivationFactory<\/a> &#8211; Retrieves the activation factory from a DLL that contains activatable Windows Runtimeclasses. A very enigmatic sounding description means that the DLL implements widgets for Metro.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>The third part of the series (Part 1, Part2) is just a list of as many types of DLL described on MSDN as I could find by quickly googling around. I am pretty sure these are not all, but cover &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2013\/08\/21\/da-lil-world-of-dll-exports-and-entry-points-part-3\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[28,109,9],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/2072"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=2072"}],"version-history":[{"count":7,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/2072\/revisions"}],"predecessor-version":[{"id":8508,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/2072\/revisions\/8508"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=2072"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=2072"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=2072"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}