EtwRundown.dll

Description: Etw Rundown Helper Library

Authors: © Microsoft Corporation. All rights reserved.

Version: 10.0.19041.1

Architecture: 64-bit

Operating System: Windows NT

SHA256: 1eb48fa0044186d59a6525d0a7d841d7

File Size: 50.0 KB

Uploaded At: Dec. 1, 2025, 7:27 a.m.

Views: 10

Security Warning

This file has been flagged as potentially dangerous.

Reason: Detected potentially dangerous functions used for process injection: OpenProcess

Exported Functions

  • EtwLogHeapRundown (Ordinal: 1, Address: 0x3270)
  • EtwLogSysConfigRundown (Ordinal: 2, Address: 0x1200)

Imported DLLs & Functions

api-ms-win-core-apiquery-l1-1-0.dll
  • ApiSetQueryApiSetPresence (Address: 0x18000a1f0)
api-ms-win-core-delayload-l1-1-0.dll
  • DelayLoadFailureHook (Address: 0x18000a200)
api-ms-win-core-delayload-l1-1-1.dll
  • ResolveDelayLoadedAPI (Address: 0x18000a210)
api-ms-win-core-errorhandling-l1-1-0.dll
  • GetLastError (Address: 0x18000a230)
  • SetUnhandledExceptionFilter (Address: 0x18000a228)
  • UnhandledExceptionFilter (Address: 0x18000a220)
api-ms-win-core-file-l1-1-0.dll
  • CreateFileW (Address: 0x18000a260)
  • GetDriveTypeW (Address: 0x18000a240)
  • GetLogicalDriveStringsW (Address: 0x18000a248)
  • GetVolumeInformationW (Address: 0x18000a258)
  • LocalFileTimeToFileTime (Address: 0x18000a250)
api-ms-win-core-file-l1-2-0.dll
  • GetVolumePathNamesForVolumeNameW (Address: 0x18000a270)
api-ms-win-core-handle-l1-1-0.dll
  • CloseHandle (Address: 0x18000a280)
api-ms-win-core-heap-l2-1-0.dll
  • LocalFree (Address: 0x18000a290)
api-ms-win-core-io-l1-1-0.dll
  • DeviceIoControl (Address: 0x18000a2a8)
  • GetOverlappedResult (Address: 0x18000a2a0)
api-ms-win-core-libraryloader-l1-2-0.dll
  • DisableThreadLibraryCalls (Address: 0x18000a2b8)
api-ms-win-core-processthreads-l1-1-0.dll
  • GetCurrentProcess (Address: 0x18000a2e0)
  • GetCurrentProcessId (Address: 0x18000a2d0)
  • GetCurrentThreadId (Address: 0x18000a2c8)
  • TerminateProcess (Address: 0x18000a2d8)
api-ms-win-core-processthreads-l1-1-1.dll
  • IsProcessorFeaturePresent (Address: 0x18000a2f0)
  • OpenProcess (Address: 0x18000a2f8)
api-ms-win-core-profile-l1-1-0.dll
  • QueryPerformanceCounter (Address: 0x18000a308)
api-ms-win-core-registry-l1-1-0.dll
  • RegCloseKey (Address: 0x18000a340)
  • RegEnumKeyExW (Address: 0x18000a318)
  • RegEnumValueW (Address: 0x18000a330)
  • RegOpenKeyExW (Address: 0x18000a320)
  • RegQueryInfoKeyW (Address: 0x18000a338)
  • RegQueryValueExW (Address: 0x18000a328)
api-ms-win-core-synch-l1-1-0.dll
  • CreateEventW (Address: 0x18000a350)
api-ms-win-core-sysinfo-l1-1-0.dll
  • GetComputerNameExW (Address: 0x18000a368)
  • GetSystemTimeAsFileTime (Address: 0x18000a378)
  • GetSystemWindowsDirectoryW (Address: 0x18000a360)
  • GetTickCount (Address: 0x18000a370)
  • GlobalMemoryStatusEx (Address: 0x18000a380)
api-ms-win-core-sysinfo-l1-2-0.dll
  • GetNativeSystemInfo (Address: 0x18000a398)
  • GetSystemFirmwareTable (Address: 0x18000a390)
api-ms-win-core-timezone-l1-1-0.dll
  • SystemTimeToFileTime (Address: 0x18000a3a8)
api-ms-win-service-core-l1-1-1.dll
  • EnumServicesStatusExW (Address: 0x18000a3b8)
api-ms-win-service-management-l1-1-0.dll
  • CloseServiceHandle (Address: 0x18000a3c8)
  • OpenSCManagerW (Address: 0x18000a3d0)
api-ms-win-service-private-l1-1-0.dll
  • I_QueryTagInformation (Address: 0x18000a3e0)
CFGMGR32.dll
  • CM_Free_Log_Conf_Handle (Address: 0x18000a168)
  • CM_Free_Res_Des_Handle (Address: 0x18000a148)
  • CM_Get_DevNode_Status_Ex (Address: 0x18000a178)
  • CM_Get_First_Log_Conf_Ex (Address: 0x18000a158)
  • CM_Get_Next_Res_Des_Ex (Address: 0x18000a170)
  • CM_Get_Res_Des_Data_Ex (Address: 0x18000a150)
  • CM_Get_Res_Des_Data_Size_Ex (Address: 0x18000a160)
DEVOBJ.dll
  • DevObjCreateDeviceInfoList (Address: 0x18000a1d0)
  • DevObjDestroyDeviceInfoList (Address: 0x18000a1a8)
  • DevObjEnumDeviceInfo (Address: 0x18000a1c0)
  • DevObjEnumDeviceInterfaces (Address: 0x18000a190)
  • DevObjGetClassDevs (Address: 0x18000a198)
  • DevObjGetDeviceInfoListDetail (Address: 0x18000a1b0)
  • DevObjGetDeviceInstanceId (Address: 0x18000a188)
  • DevObjGetDeviceInterfaceDetail (Address: 0x18000a1a0)
  • DevObjGetDeviceRegistryProperty (Address: 0x18000a1b8)
  • DevObjOpenDevRegKey (Address: 0x18000a1c8)
IPHLPAPI.DLL
  • GetAdaptersAddresses (Address: 0x18000a1e0)
ntdll.dll
  • _vsnwprintf (Address: 0x18000a488)
  • _wcsicmp (Address: 0x18000a4b8)
  • EtwpGetCpuSpeed (Address: 0x18000a408)
  • memcpy (Address: 0x18000a478)
  • memset (Address: 0x18000a508)
  • NtClose (Address: 0x18000a498)
  • NtEnumerateKey (Address: 0x18000a400)
  • NtOpenFile (Address: 0x18000a410)
  • NtOpenKey (Address: 0x18000a480)
  • NtPowerInformation (Address: 0x18000a500)
  • NtQuerySystemInformation (Address: 0x18000a490)
  • NtQueryValueKey (Address: 0x18000a4e0)
  • NtQueryVolumeInformationFile (Address: 0x18000a4a8)
  • NtSetInformationThread (Address: 0x18000a458)
  • NtTraceEvent (Address: 0x18000a4d8)
  • RtlAdjustPrivilege (Address: 0x18000a450)
  • RtlAllocateHeap (Address: 0x18000a4f0)
  • RtlCaptureContext (Address: 0x18000a428)
  • RtlCreateQueryDebugBuffer (Address: 0x18000a448)
  • RtlDestroyQueryDebugBuffer (Address: 0x18000a468)
  • RtlFreeHeap (Address: 0x18000a4e8)
  • RtlGetDeviceFamilyInfoEnum (Address: 0x18000a3f8)
  • RtlGUIDFromString (Address: 0x18000a418)
  • RtlImpersonateSelf (Address: 0x18000a438)
  • RtlInitUnicodeString (Address: 0x18000a4f8)
  • RtlIpv4AddressToStringW (Address: 0x18000a430)
  • RtlIpv6AddressToStringW (Address: 0x18000a420)
  • RtlLookupFunctionEntry (Address: 0x18000a4c0)
  • RtlNtStatusToDosError (Address: 0x18000a4b0)
  • RtlQueryHeapInformation (Address: 0x18000a440)
  • RtlQueryProcessDebugInformation (Address: 0x18000a460)
  • RtlReAllocateHeap (Address: 0x18000a4d0)
  • RtlVirtualUnwind (Address: 0x18000a470)
  • wcsncmp (Address: 0x18000a4a0)
  • wcsrchr (Address: 0x18000a3f0)
  • wcsstr (Address: 0x18000a4c8)