winsrvext.dll
Description: Multi-User Windows Server Extension DLL
Authors: © Microsoft Corporation. All rights reserved.
Version: 10.0.19041.3636
Architecture: 64-bit
Operating System: Windows NT
SHA256: 265c54edc632e9a284ec05ea4a5eb22b
File Size: 101.0 KB
Uploaded At: Dec. 1, 2025, 7:44 a.m.
Views: 5
Security Warning
This file has been flagged as potentially dangerous.
Reason: Detected potentially dangerous functions used for process injection: OpenProcess
Exported Functions
- UserServerDllInitializationExt (Ordinal: 1, Address: 0x1370)
Imported DLLs & Functions
api-ms-win-core-apiquery-l1-1-0.dll
- ApiSetQueryApiSetPresence (Address: 0x1800136d8)
api-ms-win-core-com-l1-1-0.dll
- CoTaskMemFree (Address: 0x1800136e8)
api-ms-win-core-debug-l1-1-0.dll
- IsDebuggerPresent (Address: 0x1800136f8)
api-ms-win-core-delayload-l1-1-0.dll
- DelayLoadFailureHook (Address: 0x180013708)
api-ms-win-core-delayload-l1-1-1.dll
- ResolveDelayLoadedAPI (Address: 0x180013718)
api-ms-win-core-errorhandling-l1-1-0.dll
- GetLastError (Address: 0x180013728)
- SetLastError (Address: 0x180013738)
- SetUnhandledExceptionFilter (Address: 0x180013730)
- UnhandledExceptionFilter (Address: 0x180013740)
api-ms-win-core-file-l1-1-0.dll
- GetLogicalDrives (Address: 0x180013758)
- ReadFile (Address: 0x180013750)
api-ms-win-core-handle-l1-1-0.dll
- CloseHandle (Address: 0x180013768)
api-ms-win-core-heap-l2-1-0.dll
- LocalFree (Address: 0x180013778)
api-ms-win-core-io-l1-1-0.dll
- GetOverlappedResult (Address: 0x180013788)
api-ms-win-core-kernel32-legacy-l1-1-0.dll
- GetComputerNameW (Address: 0x180013798)
api-ms-win-core-libraryloader-l1-2-0.dll
- DisableThreadLibraryCalls (Address: 0x1800137c8)
- FreeLibrary (Address: 0x1800137a8)
- GetModuleHandleW (Address: 0x1800137b0)
- GetProcAddress (Address: 0x1800137b8)
- LoadLibraryExW (Address: 0x1800137c0)
api-ms-win-core-processthreads-l1-1-0.dll
- GetCurrentProcess (Address: 0x180013800)
- GetCurrentProcessId (Address: 0x1800137f0)
- GetCurrentThread (Address: 0x1800137f8)
- GetCurrentThreadId (Address: 0x180013808)
- GetExitCodeProcess (Address: 0x1800137e0)
- GetExitCodeThread (Address: 0x1800137e8)
- GetThreadId (Address: 0x180013810)
- TerminateProcess (Address: 0x1800137d8)
api-ms-win-core-processthreads-l1-1-1.dll
- OpenProcess (Address: 0x180013820)
api-ms-win-core-profile-l1-1-0.dll
- QueryPerformanceCounter (Address: 0x180013830)
api-ms-win-core-psapi-l1-1-0.dll
- QueryFullProcessImageNameW (Address: 0x180013840)
api-ms-win-core-registry-l1-1-0.dll
- RegCloseKey (Address: 0x180013858)
- RegGetValueW (Address: 0x180013860)
- RegLoadAppKeyW (Address: 0x180013850)
- RegOpenKeyExW (Address: 0x180013868)
api-ms-win-core-synch-l1-1-0.dll
- CreateEventW (Address: 0x180013880)
- OpenMutexW (Address: 0x180013888)
- WaitForMultipleObjectsEx (Address: 0x180013878)
api-ms-win-core-sysinfo-l1-1-0.dll
- GetSystemDirectoryW (Address: 0x1800138a8)
- GetSystemTimeAsFileTime (Address: 0x1800138a0)
- GetTickCount (Address: 0x180013898)
api-ms-win-core-timezone-private-l1-1-0.dll
- SetClientDynamicTimeZoneInformation (Address: 0x1800138b8)
- SetClientTimeZoneInformation (Address: 0x1800138c0)
api-ms-win-core-windowserrorreporting-l1-1-0.dll
- GetApplicationRestartSettings (Address: 0x1800138d0)
api-ms-win-devices-swdevice-l1-1-0.dll
- SwDeviceClose (Address: 0x1800138e8)
- SwDeviceCreate (Address: 0x1800138e0)
api-ms-win-eventing-provider-l1-1-0.dll
- EventRegister (Address: 0x180013900)
- EventSetInformation (Address: 0x1800138f8)
- EventUnregister (Address: 0x180013908)
- EventWrite (Address: 0x180013918)
- EventWriteTransfer (Address: 0x180013910)
api-ms-win-security-base-l1-1-0.dll
- CheckTokenMembership (Address: 0x180013928)
BASESRV.dll
- BaseGetProcessCrtlRoutine (Address: 0x180013308)
- BaseSetProcessCreateNotify (Address: 0x1800132f8)
- BaseSrvNlsLogon (Address: 0x180013300)
- BaseSrvNlsUpdateRegistryCache (Address: 0x180013310)
CSRSRV.dll
- CsrAddStaticServerThread (Address: 0x180013378)
- CsrConnectToUser (Address: 0x180013398)
- CsrDereferenceProcess (Address: 0x180013338)
- CsrDereferenceThread (Address: 0x1800133a0)
- CsrExecServerThread (Address: 0x1800133a8)
- CsrGetProcessLuid (Address: 0x180013370)
- CsrImpersonateClient (Address: 0x180013388)
- CsrLockedReferenceProcess (Address: 0x180013330)
- CsrLockProcessByClientId (Address: 0x180013350)
- CsrLockThreadByClientId (Address: 0x180013360)
- CsrQueryApiPort (Address: 0x180013380)
- CsrReferenceThread (Address: 0x180013348)
- CsrReplyToMessage (Address: 0x180013320)
- CsrRevertToSelf (Address: 0x180013390)
- CsrShutdownProcesses (Address: 0x180013368)
- CsrUnlockProcess (Address: 0x180013340)
- CsrUnlockThread (Address: 0x180013358)
- CsrValidateMessageBuffer (Address: 0x180013328)
GDI32.dll
- CreateCompatibleDC (Address: 0x1800133d0)
- CreateSolidBrush (Address: 0x1800133f0)
- DeleteDC (Address: 0x1800133b8)
- DeleteObject (Address: 0x180013408)
- GdiAddFontResourceW (Address: 0x180013400)
- GdiAddInitialFonts (Address: 0x1800133f8)
- GdiSupportsFontChangeEvent (Address: 0x180013410)
- GdiTransparentBlt (Address: 0x1800133c0)
- GetLayout (Address: 0x1800133e8)
- GetObjectW (Address: 0x1800133d8)
- SelectObject (Address: 0x1800133c8)
- SetLayout (Address: 0x1800133e0)
KERNELBASE.dll
- GetApplicationUserModelId (Address: 0x180013440)
- LocalAlloc (Address: 0x180013448)
- LocalReAlloc (Address: 0x180013438)
- lstrcmpiW (Address: 0x180013420)
- Sleep (Address: 0x180013428)
- WTSGetServiceSessionId (Address: 0x180013430)
ntdll.dll
- _strnicmp (Address: 0x180013960)
- _vsnwprintf (Address: 0x180013c40)
- _wtoi (Address: 0x180013c48)
- AlpcGetMessageAttribute (Address: 0x180013be8)
- AlpcInitializeMessageAttribute (Address: 0x180013a60)
- DbgUiIssueRemoteBreakin (Address: 0x180013c08)
- EtwEventEnabled (Address: 0x180013b38)
- EtwEventRegister (Address: 0x180013c38)
- EtwEventUnregister (Address: 0x180013bb8)
- EtwEventWrite (Address: 0x180013b30)
- EtwEventWriteNoRegistration (Address: 0x180013c60)
- EvtIntReportEventAndSourceAsync (Address: 0x180013c28)
- LdrFlushAlternateResourceModules (Address: 0x180013c18)
- memcpy (Address: 0x180013bc0)
- memmove (Address: 0x180013a90)
- memset (Address: 0x180013ca8)
- NtAlertThread (Address: 0x180013a78)
- NtAlpcAcceptConnectPort (Address: 0x180013a20)
- NtAlpcCancelMessage (Address: 0x180013a10)
- NtAlpcConnectPort (Address: 0x180013a00)
- NtAlpcCreatePort (Address: 0x180013a80)
- NtAlpcOpenSenderProcess (Address: 0x180013a08)
- NtAlpcSendWaitReceivePort (Address: 0x180013a58)
- NtClearEvent (Address: 0x180013968)
- NtClose (Address: 0x180013ba8)
- NtCreateEvent (Address: 0x180013b90)
- NtCreateKey (Address: 0x180013b48)
- NtDeleteValueKey (Address: 0x180013978)
- NtDeviceIoControlFile (Address: 0x1800139b8)
- NtDuplicateObject (Address: 0x1800139c0)
- NtDuplicateToken (Address: 0x180013bd0)
- NtEnumerateKey (Address: 0x180013ac0)
- NtEnumerateValueKey (Address: 0x180013998)
- NtNotifyChangeKey (Address: 0x180013b18)
- NtOpenEvent (Address: 0x1800139a8)
- NtOpenKey (Address: 0x180013b80)
- NtOpenProcess (Address: 0x1800139d8)
- NtOpenProcessToken (Address: 0x180013bd8)
- NtOpenSymbolicLinkObject (Address: 0x180013a70)
- NtOpenThread (Address: 0x180013a18)
- NtOpenThreadToken (Address: 0x1800139e8)
- NtPowerInformation (Address: 0x180013c10)
- NtQueryInformationProcess (Address: 0x180013b10)
- NtQueryInformationToken (Address: 0x180013948)
- NtQuerySymbolicLinkObject (Address: 0x180013a50)
- NtQuerySystemInformation (Address: 0x180013bf0)
- NtQueryValueKey (Address: 0x180013b28)
- NtReadVirtualMemory (Address: 0x1800139f0)
- NtResetEvent (Address: 0x180013aa8)
- NtResumeThread (Address: 0x180013b70)
- NtSetEvent (Address: 0x180013c00)
- NtSetInformationThread (Address: 0x180013ab8)
- NtSetSystemInformation (Address: 0x180013b20)
- NtSetValueKey (Address: 0x180013be0)
- NtTerminateProcess (Address: 0x180013c30)
- NtTerminateThread (Address: 0x180013a88)
- NtWaitForMultipleObjects (Address: 0x180013ab0)
- NtWaitForSingleObject (Address: 0x180013a98)
- PssNtCaptureSnapshot (Address: 0x180013c58)
- PssNtFreeSnapshot (Address: 0x180013c78)
- qsort (Address: 0x180013a28)
- RtlAddAccessAllowedAce (Address: 0x180013ae0)
- RtlAllocateAndInitializeSid (Address: 0x180013af8)
- RtlAnsiStringToUnicodeString (Address: 0x1800139c8)
- RtlAppendUnicodeToString (Address: 0x180013b50)
- RtlCaptureContext (Address: 0x180013c80)
- RtlCopySid (Address: 0x180013970)
- RtlCopyUnicodeString (Address: 0x180013b58)
- RtlCreateAcl (Address: 0x180013ae8)
- RtlCreateSecurityDescriptor (Address: 0x180013ad8)
- RtlCreateUnicodeString (Address: 0x180013990)
- RtlCreateUserThread (Address: 0x180013b78)
- RtlDeleteCriticalSection (Address: 0x180013bb0)
- RtlDeriveCapabilitySidsFromName (Address: 0x180013a68)
- RtlEnterCriticalSection (Address: 0x180013b98)
- RtlEqualUnicodeString (Address: 0x180013a30)
- RtlExitUserThread (Address: 0x180013aa0)
- RtlFindMessage (Address: 0x180013938)
- RtlFormatCurrentUserKeyPath (Address: 0x180013b60)
- RtlFreeAnsiString (Address: 0x1800139b0)
- RtlFreeHeap (Address: 0x180013950)
- RtlFreeSid (Address: 0x180013ac8)
- RtlFreeUnicodeString (Address: 0x180013b40)
- RtlGetNtProductType (Address: 0x180013c98)
- RtlInitializeCriticalSection (Address: 0x180013ba0)
- RtlInitUnicodeString (Address: 0x180013b88)
- RtlLeaveCriticalSection (Address: 0x180013b68)
- RtlLengthSid (Address: 0x180013af0)
- RtlLookupFunctionEntry (Address: 0x180013c88)
- RtlNtStatusToDosError (Address: 0x180013bc8)
- RtlOpenCurrentUser (Address: 0x180013c20)
- RtlQueryPackageClaims (Address: 0x180013bf8)
- RtlRegisterThreadWithCsrss (Address: 0x180013a38)
- RtlRunOnceExecuteOnce (Address: 0x180013ca0)
- RtlSetDaclSecurityDescriptor (Address: 0x180013ad0)
- RtlSubscribeWnfStateChangeNotification (Address: 0x180013b08)
- RtlUnicodeStringToAnsiString (Address: 0x1800139e0)
- RtlUnicodeStringToInteger (Address: 0x1800139d0)
- RtlUnsubscribeWnfStateChangeNotification (Address: 0x180013b00)
- RtlUpcaseUnicodeChar (Address: 0x180013988)
- RtlVerifyVersionInfo (Address: 0x180013a40)
- RtlVirtualUnwind (Address: 0x180013c90)
- strstr (Address: 0x180013c50)
- towlower (Address: 0x180013980)
- VerSetConditionMask (Address: 0x1800139a0)
- wcscpy_s (Address: 0x180013a48)
- wcsncmp (Address: 0x1800139f8)
- wcsrchr (Address: 0x180013940)
- WinSqmAddToStream (Address: 0x180013958)
- ZwQueryWnfStateNameInformation (Address: 0x180013c70)
- ZwUpdateWnfStateData (Address: 0x180013c68)
USER32.dll
- (Address: 0x180013510)
- (Address: 0x180013550)
- (Address: 0x180013630)
- BeginPaint (Address: 0x180013470)
- BroadcastSystemMessageW (Address: 0x1800136c8)
- CallMsgFilterW (Address: 0x1800135f8)
- ChangeWindowMessageFilterEx (Address: 0x180013558)
- CheckWindowThreadDesktop (Address: 0x1800134b8)
- CreateDialogParamW (Address: 0x1800135d8)
- CtxInitUser32 (Address: 0x180013518)
- DestroyIcon (Address: 0x1800134b0)
- DestroyWindow (Address: 0x1800135d0)
- DispatchMessageW (Address: 0x1800135e8)
- DrawEdge (Address: 0x180013480)
- DrawIcon (Address: 0x180013478)
- EndPaint (Address: 0x180013498)
- EnumThreadWindows (Address: 0x180013650)
- EnumWindows (Address: 0x180013538)
- FillRect (Address: 0x180013488)
- GetClassLongW (Address: 0x180013660)
- GetClassNameW (Address: 0x180013668)
- GetClientRect (Address: 0x180013560)
- GetDC (Address: 0x1800134a0)
- GetDlgItem (Address: 0x1800135b8)
- GetGUIThreadInfo (Address: 0x180013540)
- GetReasonTitleFromReasonCode (Address: 0x1800134c8)
- GetSysColor (Address: 0x180013570)
- GetSystemMetrics (Address: 0x1800136a8)
- GetTaskmanWindow (Address: 0x1800134d8)
- GetThreadDesktop (Address: 0x1800135a0)
- GetUserObjectInformationW (Address: 0x180013598)
- GetWindow (Address: 0x180013688)
- GetWindowLongPtrW (Address: 0x180013468)
- GetWindowLongW (Address: 0x180013528)
- GetWindowRect (Address: 0x180013568)
- GetWindowTextLengthW (Address: 0x1800134d0)
- GetWindowTextW (Address: 0x180013680)
- GetWindowThreadProcessId (Address: 0x1800136a0)
- GhostWindowFromHungWindow (Address: 0x180013640)
- HungWindowFromGhostWindow (Address: 0x1800134c0)
- InflateRect (Address: 0x180013588)
- InternalGetWindowIcon (Address: 0x180013678)
- InvalidateRect (Address: 0x180013590)
- IsDialogMessageW (Address: 0x180013600)
- IsHungAppWindow (Address: 0x180013638)
- IsInDesktopWindowBand (Address: 0x180013658)
- IsWindow (Address: 0x1800135e0)
- IsWindowEnabled (Address: 0x180013690)
- IsWindowVisible (Address: 0x180013648)
- KillTimer (Address: 0x180013530)
- LoadBitmapW (Address: 0x180013490)
- LoadIconW (Address: 0x180013670)
- MapWindowPoints (Address: 0x180013578)
- MB_GetString (Address: 0x1800134f0)
- MessageBoxTimeoutW (Address: 0x180013500)
- MsgWaitForMultipleObjects (Address: 0x180013610)
- OffsetRect (Address: 0x180013580)
- PeekMessageW (Address: 0x180013608)
- PostMessageW (Address: 0x180013620)
- PostThreadMessageW (Address: 0x180013508)
- RecordShutdownReason (Address: 0x180013698)
- RegisterWindowMessageW (Address: 0x1800136c0)
- ReleaseDC (Address: 0x1800134a8)
- SendInput (Address: 0x180013548)
- SendMessageCallbackW (Address: 0x180013618)
- SendMessageTimeoutW (Address: 0x1800134e8)
- SendMessageW (Address: 0x1800135b0)
- SendNotifyMessageW (Address: 0x1800136b8)
- SetDlgItemTextW (Address: 0x1800135c8)
- SetFocus (Address: 0x1800135a8)
- SetForegroundWindow (Address: 0x180013628)
- SetTimer (Address: 0x1800135c0)
- SetWindowLongPtrW (Address: 0x180013458)
- SetWindowPos (Address: 0x1800134e0)
- SetWindowTextW (Address: 0x180013460)
- ShutdownBlockReasonQuery (Address: 0x180013520)
- SoftModalMessageBox (Address: 0x1800134f8)
- SystemParametersInfoW (Address: 0x1800136b0)
- TranslateMessage (Address: 0x1800135f0)
win32u.dll
- gDispatchTableValues (Address: 0x180013d20)
- NtUserAutoRotateScreen (Address: 0x180013ce8)
- NtUserCallNoParam (Address: 0x180013d10)
- NtUserCallOneParam (Address: 0x180013cd8)
- NtUserCallTwoParam (Address: 0x180013cd0)
- NtUserCtxDisplayIOCtl (Address: 0x180013cf8)
- NtUserHardErrorControl (Address: 0x180013d40)
- NtUserInitialize (Address: 0x180013d30)
- NtUserNotifyProcessCreate (Address: 0x180013d38)
- NtUserProcessConnect (Address: 0x180013d18)
- NtUserQueryInformationThread (Address: 0x180013d08)
- NtUserQueryWindow (Address: 0x180013d00)
- NtUserRemoteConnect (Address: 0x180013ce0)
- NtUserRemoteRedrawRectangle (Address: 0x180013cc0)
- NtUserRemoteRedrawScreen (Address: 0x180013cb8)
- NtUserRemoteStopScreenUpdates (Address: 0x180013cc8)
- NtUserSetInformationThread (Address: 0x180013d28)
- NtUserSetSensorPresence (Address: 0x180013cf0)