Sysinternals command-line tools
Sysinternals was created by Mark Russinovich in 1996. It is a set of small, portable (no-install) and powerful tools that help you manage, troubleshoot and diagnose Windows and Linux systems (ProcMon, ProcDump, SysMon) and the applications running on them.
Note: use the 64-bit Sysinternals tools for 64-bit processes and the 32-bit tools for 32-bit processes.
handle64.exe(handle.exe)
handle64.exe -accepteula /? // show help
Nthandle v5.0 - Handle viewer
Copyright (C) 1997-2022 Mark Russinovich
Sysinternals - www.sysinternals.com

usage: handle [[-a [-l]] [-v|-vt] [-u] | [-c <handle> [-y]] | [-s]] [-p <process>|<pid>] [name] [-nobanner]
  -a         Dump all handle information.
  -l         Just show pagefile-backed section handles.
  -c         Closes the specified handle (interpreted as a hexadecimal number).
             You must specify the process by its PID.
             Requires administrator rights.
             WARNING: Closing handles can cause application or system instability.
  -g         Print granted access.
  -y         Don't prompt for close handle confirmation.
  -s         Print count of each type of handle open.
  -u         Show the owning user name when searching for handles.
  -v         CSV output with comma delimiter.
  -vt        CSV output with tab delimiter.
  -p         Dump handles belonging to process (partial name accepted).
  name       Search for handles to objects with <name> (fragment accepted).
  -nobanner  Do not display the startup banner and copyright message.

No arguments will dump all file references.
handle64.exe -accepteula 122_cures.ifs.cures // find the handles open to the file 122_cures.ifs.cures
Nthandle v5.0 - Handle viewer
Copyright (C) 1997-2022 Mark Russinovich
Sysinternals - www.sysinternals.com
UE4Editor-Win64-DebugGame.exe pid: 78508 type: File B7C4: H:\svn\MyGame\Saved\patch\122_cures.ifs.cures
handle64.exe -accepteula H:\svn\MyGame\Saved\patch // find every handle whose object name contains H:\svn\MyGame\Saved\patch
Nthandle v5.0 - Handle viewer
Copyright (C) 1997-2022 Mark Russinovich
Sysinternals - www.sysinternals.com

UE4Editor-Win64-DebugGame.exe pid: 78508 type: File D6A4: H:\svn\MyGame\Saved\patch\apollo_reslist.flistnewlist
UE4Editor-Win64-DebugGame.exe pid: 78508 type: File D724: H:\svn\MyGame\Saved\patch\122149298_1000260_1.0.154.2_20240419113539_2012980118_cures.ifs.cures
handle64.exe -accepteula -p 78508 -c D6A4 -y // force-close handle D6A4 (hexadecimal) in the process with pid 78508. Note: -p <pid> is mandatory, it tells handle which process owns the handle
Nthandle v5.0 - Handle viewer
Copyright (C) 1997-2022 Mark Russinovich
Sysinternals - www.sysinternals.com

D6A4: File (RW-) H:\svn\MyGame\Saved\patch\apollo_reslist.flistnewlist
Handle closed.
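When handle.exe is used to find out which process is holding a file open (the usual reason a build or patch step fails with "file in use"), its output is normally post-processed rather than read by eye. The following is an added example, not code from the page or from Sysinternals: it parses the search-mode output shown above into records, reports which processes hold files under a directory, and builds (without running) the matching -p/-c close command lines. The regular expression assumes the "image pid: N type: T HEX: name" layout of search mode only; the sample text is the two result lines from the search above, embedded so the script runs offline.

```python
import re
from collections import defaultdict

# Constructed sample in handle64.exe's search-mode layout (banner plus the two
# result lines copied from the search above).
SAMPLE_HANDLE_OUTPUT = r"""
Nthandle v5.0 - Handle viewer
Copyright (C) 1997-2022 Mark Russinovich
Sysinternals - www.sysinternals.com

UE4Editor-Win64-DebugGame.exe pid: 78508 type: File D6A4: H:\svn\MyGame\Saved\patch\apollo_reslist.flistnewlist
UE4Editor-Win64-DebugGame.exe pid: 78508 type: File D724: H:\svn\MyGame\Saved\patch\122149298_1000260_1.0.154.2_20240419113539_2012980118_cures.ifs.cures
"""

# One search-mode result line: "<image> pid: <pid> type: <type> <hex handle>: <object name>".
HANDLE_LINE = re.compile(
    r"^(?P<image>\S+)\s+pid:\s+(?P<pid>\d+)\s+type:\s+(?P<type>\S+)"
    r"\s+(?P<handle>[0-9A-Fa-f]+):\s+(?P<name>.*)$"
)


def parse_handle_output(text):
    """Return one dict per result line; banner, copyright and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        m = HANDLE_LINE.match(line.strip())
        if m:
            records.append({
                "image": m["image"],
                "pid": int(m["pid"]),
                "type": m["type"],
                "handle": int(m["handle"], 16),   # handle.exe prints handle values in hex
                "name": m["name"],
            })
    return records


def handles_by_pid(records):
    """Group handle values by owning process (pid, image name)."""
    grouped = defaultdict(list)
    for rec in records:
        grouped[(rec["pid"], rec["image"])].append(rec["handle"])
    return dict(grouped)


def build_close_commands(records, exe="handle64.exe"):
    """Build, but do not execute, one close command per handle.
    -p <pid> is mandatory and -c expects the handle value in hexadecimal."""
    return [
        [exe, "-accepteula", "-p", str(rec["pid"]), "-c", f"{rec['handle']:X}", "-y"]
        for rec in records
    ]


def locked_files(records, path_prefix):
    """Which processes hold File handles under path_prefix (compared case-insensitively,
    because NTFS paths are case-insensitive)."""
    prefix = path_prefix.lower()
    return sorted({(r["image"], r["pid"]) for r in records
                   if r["type"] == "File" and r["name"].lower().startswith(prefix)})


if __name__ == "__main__":
    recs = parse_handle_output(SAMPLE_HANDLE_OUTPUT)
    for image, pid in locked_files(recs, r"H:\svn\MyGame\Saved\patch"):
        print(f"{image} (pid {pid}) holds files under the patch directory")
    for cmd in build_close_commands(recs):
        print(" ".join(cmd))
```

The close commands are only assembled here; as the help text warns, closing a handle out from under a process can destabilise it, so in practice you review the list first and close only the handle that actually blocks you.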
strings64.exe(strings.exe)
Search files for printable string content. Note: pipe the output through findstr to filter it.
strings64.exe -accepteula /? // show help
Strings v2.54 - Search for ANSI and Unicode strings in binary images.
Copyright (C) 1999-2021 Mark Russinovich
Sysinternals - www.sysinternals.com

usage: strings64.exe [-a] [-f offset] [-b bytes] [-n length] [-o] [-s] [-u] <file or directory>
  -a         Ascii-only search (Unicode and Ascii is default)
  -b         Bytes of file to scan
  -f         File offset at which to start scanning.
  -o         Print offset in file string was located
  -n         Minimum string length (default is 3)
  -s         Recurse subdirectories
  -u         Unicode-only search (Unicode and Ascii is default)
  -nobanner  Do not display the startup banner and copyright message.
strings64.exe -accepteula H:\svn\MyGame\Tools\FastPatchClient\*.bat | findstr /i "UnrealEngine" // search the strings in the .bat files under H:\svn\MyGame\Tools\FastPatchClient (showing only the strings that contain UnrealEngine)
H:\svn\MyGame\Tools\FastPatchClient\MakePatch.bat: python %~dp0/MakeGamePakPatchV2.py "EngineDir=E:/MyGroup/UnrealEngine/Engine" "ProjectDir=E:/MyGroup/MyGame"
H:\svn\MyGame\Tools\FastPatchClient\MakePatch_2.bat: C:\Python36-32\python.exe %~dp0/MakeGamePakPatchV2.py "EngineDir=H:/svn/UnrealEngine/Engine" "ProjectDir=H:/svn/MyGame"
strings64.exe -accepteula -s H:\svn\MyGame\Tools\* // search the strings in every file under H:\svn\MyGame\Tools, recursing into subdirectories
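What strings.exe actually does is simple enough to reimplement, and doing so makes its options concrete: -a and -u select the ASCII and UTF-16LE ("Unicode") scans, -n sets the minimum run length, -o reports the offset, -s recurses, and the findstr /i pipe above is just a case-insensitive filter on the result. The block below is an added example written for this page, not the Sysinternals implementation; it scans a constructed byte string (a PE-like header, a DOS stub message, a UTF-16LE resource string and a path, all made up for the demonstration) and reproduces those behaviours with a plain regular expression.

```python
import re
from pathlib import Path

# Constructed sample bytes: a header fragment ("MZ" is shorter than the default minimum
# length, so it must not be reported), an ASCII message, a 2-byte run "ab" that is also
# too short, a UTF-16LE string as stored in PE resources, and an ASCII path after a BOM.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"This program cannot be run in DOS mode.\x00"
    + b"\x01\x02ab\x03"
    + "UnrealEngine".encode("utf-16-le") + b"\x00\x00"
    + b"\xff\xfeEngineDir=E:/MyGroup\x00"
)

PRINTABLE = rb"[\x20-\x7e]"   # the printable 7-bit ASCII range


def find_strings(data, min_len=3, ascii_only=False, unicode_only=False):
    """Return (offset, kind, text) for every run of at least min_len printable
    characters: kind 'a' for ASCII, 'u' for UTF-16LE (what strings.exe calls Unicode).
    Results are sorted by offset, like strings -o output."""
    found = []
    if not unicode_only:
        for m in re.finditer(PRINTABLE + b"{%d,}" % min_len, data):
            found.append((m.start(), "a", m.group().decode("ascii")))
    if not ascii_only:
        # UTF-16LE text in the ASCII range is a printable byte followed by a NUL byte.
        for m in re.finditer(b"(?:" + PRINTABLE + b"\x00){%d,}" % min_len, data):
            found.append((m.start(), "u", m.group().decode("utf-16-le")))
    found.sort()
    return found


def grep_strings(found, needle):
    """Case-insensitive filter, the equivalent of '| findstr /i needle'."""
    needle = needle.lower()
    return [item for item in found if needle in item[2].lower()]


def strings_in_path(path, recurse=False, **scan_options):
    """Scan one file, or every file in a directory (recursing like strings -s when asked).
    Returns {file path: [(offset, kind, text), ...]}."""
    root = Path(path)
    if root.is_file():
        files = [root]
    else:
        files = root.rglob("*") if recurse else root.glob("*")
    return {str(f): find_strings(f.read_bytes(), **scan_options)
            for f in files if f.is_file()}


if __name__ == "__main__":
    for offset, kind, text in find_strings(SAMPLE_BINARY):
        print(f"{offset:6d} {kind} {text}")
    print("filtered:", grep_strings(find_strings(SAMPLE_BINARY), "unrealengine"))
```

Two details worth noticing: the UTF-16 scan only recognises characters in the ASCII range (as strings.exe does), and raising min_len is the cheapest way to cut noise from short accidental runs in compressed or encrypted sections.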
pslist64.exe(pslist.exe)
pslist64.exe /accepteula /? // show help
PsList v1.41 - Process information lister
Copyright (C) 2000-2023 Mark Russinovich
Sysinternals - www.sysinternals.com

Usage: pslist64.exe [-d][-m][-x][-t][-s [n] [-r n] [\\computer [-u username][-p password][name|pid]
    -d         Show thread detail.
    -m         Show memory detail.
    -x         Show processes, memory information and threads.
    -t         Show process tree.
    -s [n]     Run in task-manager mode, for optional seconds specified.
               Press Escape to abort.
    -r n       Task-manager mode refresh rate in seconds (default is 1).
    \\computer Specifies remote computer.
    -u         Optional user name for remote login.
    -p         Optional password for remote login. If you don't present on the
               command line pslist will prompt you for it if necessary.
    name       Show information about processes that begin with the name
               specified.
    -e         Exact match the process name.
    -nobanner  Do not display the startup banner and copyright message.
    pid        Show information about specified process.

All memory values are displayed in KB.

Abbreviation key:
    Pri        Priority
    Thd        Number of Threads
    Hnd        Number of Handles
    VM         Virtual Memory
    WS         Working Set
    Priv       Private Virtual Memory
    Priv Pk    Private Virtual Memory Peak
    Faults     Page Faults
    NonP       Non-Paged Pool
    Page       Paged Pool
    Cswtch     Context Switches
pslist64.exe /accepteula -t // show the process tree of the whole system
pslist64.exe /accepteula -d mspaint // show thread details for the process named mspaint
F:\Tools\SysinternalsSuite>pslist64.exe /accepteula -d mspaint

PsList v1.41 - Process information lister
Copyright (C) 2000-2023 Mark Russinovich
Sysinternals - www.sysinternals.com

Thread detail for kekec-PC9:

mspaint 32972:
 Tid     Pri Cswtch     State           User Time    Kernel Time  Elapsed Time
 44260    10 1070071869 Wait:UserReq    0:01:04.625  0:00:43.000  720:41:11.771
 41900     8 45462      Wait:UserReq    0:00:00.078  0:00:00.359  720:41:10.516
 31208     8 360        Wait:UserReq    0:00:00.000  0:00:00.078  720:41:09.998
 22408     8 521985     Wait:Queue      0:00:00.234  0:00:00.218  686:06:09.898
 86544     8 2228       Wait:UserReq    0:00:00.000  0:00:00.875  384:55:07.646
 115656    8 1208516    Wait:DelayExec  0:00:02.125  0:00:07.750  256:23:44.176
pslist64.exe /accepteula -m 32972 // show memory details for pid 32972
PsList v1.41 - Process information lister
Copyright (C) 2000-2023 Mark Russinovich
Sysinternals - www.sysinternals.com

Process memory detail for kekec-PC9:

Name      Pid         VM      WS    Priv Priv Pk   Faults   NonP   Page
mspaint 32972 2152069508  145876   59920   91212  3647311    180    535
pslist64.exe /accepteula -x 32972 // show thread and memory details for pid 32972
PsList v1.41 - Process information lister
Copyright (C) 2000-2023 Mark Russinovich
Sysinternals - www.sysinternals.com

Process and thread information for kekec-PC9:

Name      Pid         VM      WS    Priv Priv Pk   Faults   NonP   Page
mspaint 32972 2152070020  145896   59948   91212  3647316    181    535
 Tid     Pri Cswtch     State           User Time    Kernel Time  Elapsed Time
 44260    10 1070140676 Wait:UserReq    0:01:04.625  0:00:43.015  720:44:23.791
 41900     8 45462      Wait:UserReq    0:00:00.078  0:00:00.359  720:44:22.536
 31208     8 360        Wait:UserReq    0:00:00.000  0:00:00.078  720:44:22.018
 22408     8 522027     Wait:Queue      0:00:00.234  0:00:00.218  686:09:21.918
 86544     8 2228       Wait:UserReq    0:00:00.000  0:00:00.875  384:58:19.667
 115656    8 1208586    Wait:DelayExec  0:00:02.125  0:00:07.750  256:26:56.196
 113592    8 5          Wait:Queue      0:00:00.000  0:00:00.000  0:00:39.552
 102344    8 1          Wait:Queue      0:00:00.000  0:00:00.000  0:00:19.491
psSuspend64.exe(psSuspend.exe)
Suspend and resume processes
psSuspend64.exe /accepteula /? // show help
PsSuspend v1.08 - Process Suspender
Copyright (C) 2001-2023 Mark Russinovich
Sysinternals

PsSuspend suspends or resumes processes on a local or remote NT system.

Usage: pssuspend [-r] [\\RemoteComputer [-u Username [-p Password]]] <process Id or name>
     -r         Resume.
     -u         Specifies optional user name for login to remote computer.
     -p         Specifies optional password for user name. If you omit this
                you will be prompted to enter a hidden password.
     -nobanner  Do not display the startup banner and copyright message.
psSuspend64.exe /accepteula mspaint // suspend the process named mspaint
psSuspend64.exe /accepteula 32972 // suspend the process with pid 32972
psSuspend64.exe /accepteula -r mspaint // resume the process named mspaint
psSuspend64.exe /accepteula -r 32972 // resume the process with pid 32972
pskill64.exe(pskill.exe)
Terminate processes
pskill64.exe /accepteula /? // show help
PsKill v1.17 - Terminates processes on local or remote systems
Copyright (C) 1999-2023 Mark Russinovich
Sysinternals - www.sysinternals.com

Usage: pskill [-t] [\\computer [-u username [-p password]]] <process ID | name>
     -t         Kill the process and its descendants.
     -u         Specifies optional user name for login to remote computer.
     -p         Specifies optional password for user name. If you omit this
                you will be prompted to enter a hidden password.
     -nobanner  Do not display the startup banner and copyright message.
pskill64.exe /accepteula CalculatorApp.exe // terminate the process whose image name is CalculatorApp.exe
PsKill v1.17 - Terminates processes on local or remote systems
Copyright (C) 1999-2023 Mark Russinovich
Sysinternals - www.sysinternals.com

Process CalculatorApp.exe killed.
pskill64.exe /accepteula -t 52588 // terminate the process with pid 52588 together with the child processes it created
PsKill v1.17 - Terminates processes on local or remote systems
Copyright (C) 1999-2023 Mark Russinovich
Sysinternals - www.sysinternals.com

Process 52588 killed.
Note: this kills the process with pid 52588 and all of its descendants.
Listdlls64.exe(Listdlls.exe)
List the DLL modules loaded by a process. With -v it also prints version information and whether each module's digital signature was verified; -u lists only unsigned DLLs, which is the quickest way to spot third-party or injected modules in a process.
Listdlls64.exe -accepteula /? // show help
Listdlls v3.2 - Listdlls
Copyright (C) 1997-2016 Mark Russinovich
Sysinternals

usage: listdlls [-r] [-v | -u] [processname|pid]
usage: listdlls [-r] [-v] [-d dllname]
  processname  Dump DLLs loaded by process (partial name accepted)
  pid          Dump DLLs associated with the specified process id
  dllname      Show only processes that have loaded the specified DLL.
  -r           Flag DLLs that relocated because they are not loaded at their base address.
  -u           Only list unsigned DLLs.
  -v           Show DLL version information.
Listdlls64.exe -accepteula mspaint // show the modules loaded by the process named mspaint
Listdlls v3.2 - Listdlls
Copyright (C) 1997-2016 Mark Russinovich
Sysinternals

------------------------------------------------------------------------------
mspaint.exe pid: 32972
Command line: "C:\WINDOWS\system32\mspaint.exe"

  Base                Size      Path
  0x00000000240f0000  0xeb000   C:\WINDOWS\system32\mspaint.exe
  0x000000004d370000  0x1f8000  C:\WINDOWS\SYSTEM32\ntdll.dll
  0x000000004d010000  0xbd000   C:\WINDOWS\System32\KERNEL32.DLL
  0x000000004ad00000  0x2f6000  C:\WINDOWS\System32\KERNELBASE.dll
  0x0000000045700000  0x90000   C:\WINDOWS\SYSTEM32\apphelp.dll
  0x000000002d640000  0x63000   C:\WINDOWS\SYSTEM32\AcGenral.dll
  0x000000004cb40000  0x9e000   C:\WINDOWS\System32\msvcrt.dll
  0x000000004cd70000  0x9c000   C:\WINDOWS\System32\sechost.dll
  0x000000004b3d0000  0x126000  C:\WINDOWS\System32\RPCRT4.dll
  0x000000004d0d0000  0x55000   C:\WINDOWS\System32\SHLWAPI.dll
  0x000000004ce50000  0x19e000  C:\WINDOWS\System32\USER32.dll
  0x000000004b0a0000  0x22000   C:\WINDOWS\System32\win32u.dll
  0x000000004c7b0000  0x2c000   C:\WINDOWS\System32\GDI32.dll
  0x000000004b150000  0x11a000  C:\WINDOWS\System32\gdi32full.dll
  0x000000004b000000  0x9d000   C:\WINDOWS\System32\msvcp_win.dll
  0x000000004aac0000  0x100000  C:\WINDOWS\System32\ucrtbase.dll
  0x000000004cc40000  0x12b000  C:\WINDOWS\System32\ole32.dll
  0x000000004c7e0000  0x354000  C:\WINDOWS\System32\combase.dll
  0x000000004b500000  0x744000  C:\WINDOWS\System32\SHELL32.dll
  0x000000004c690000  0xaf000   C:\WINDOWS\System32\ADVAPI32.dll
  0x000000004a940000  0x2e000   C:\WINDOWS\SYSTEM32\USERENV.dll
  0x0000000034700000  0x1d000   C:\WINDOWS\SYSTEM32\MPR.dll
  0x000000004a900000  0x32000   C:\WINDOWS\SYSTEM32\SspiCli.dll
  0x000000004ce10000  0x30000   C:\WINDOWS\System32\IMM32.DLL
  0x000000004c5c0000  0xcd000   C:\WINDOWS\System32\OLEAUT32.dll
  0x0000000018220000  0x172000  C:\WINDOWS\system32\MFC42u.dll
  0x000000002e3e0000  0x29a000  C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.3636_none_60b6a03d71f818d5\COMCTL32.dll
  0x000000004bcc0000  0xda000   C:\WINDOWS\System32\COMDLG32.dll
  0x000000004d280000  0xad000   C:\WINDOWS\System32\shcore.dll
  0x0000000048630000  0xf6000   C:\WINDOWS\system32\PROPSYS.dll
  0x000000002c590000  0x27000   C:\WINDOWS\system32\WINMM.dll
  0x000000003f260000  0x6a000   C:\WINDOWS\SYSTEM32\ninput.dll
  0x0000000044860000  0x1a5000  C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.3636_none_91a19322cc8a92a3\gdiplus.dll
  0x0000000047bc0000  0x9e000   C:\WINDOWS\system32\uxtheme.dll
  0x000000004abc0000  0x82000   C:\WINDOWS\System32\bcryptPrimitives.dll
  0x000000001e8d0000  0x34d000  C:\WINDOWS\system32\MSFTEDIT.DLL
  0x000000004c290000  0x114000  C:\WINDOWS\System32\MSCTF.dll
  0x0000000049450000  0x12000   C:\WINDOWS\SYSTEM32\kernel.appcore.dll
  0x000000004d1d0000  0xa9000   C:\WINDOWS\System32\clbcatq.dll
  0x000000005e170000  0x3ec000  C:\WINDOWS\system32\UIRibbon.dll
  0x00000000434b0000  0x36000   C:\WINDOWS\system32\XmlLite.dll
  0x0000000048770000  0x79b000  C:\WINDOWS\system32\windows.storage.dll
  0x000000004a490000  0x2d000   C:\WINDOWS\system32\Wldp.dll
  0x0000000019e20000  0xdd000   C:\Windows\System32\efswrt.dll
  0x00000000454d0000  0x155000  C:\WINDOWS\SYSTEM32\wintypes.dll
  0x000000003ef60000  0x207000  C:\Windows\System32\twinapi.appcore.dll
  0x0000000069ab0000  0x57000   C:\Windows\System32\sti.dll
  0x00000000459e0000  0xa000    C:\WINDOWS\SYSTEM32\wiatrace.dll
  0x0000000043bc0000  0xd000    C:\WINDOWS\SYSTEM32\atlthunk.dll
  0x0000000047eb0000  0x2f000   C:\WINDOWS\system32\dwmapi.dll
  0x00000000478d0000  0x1b4000  C:\WINDOWS\system32\windowscodecs.dll
  0x000000004b0d0000  0x27000   C:\WINDOWS\System32\bcrypt.dll
  0x000000002bc30000  0xac000   C:\WINDOWS\SYSTEM32\TextShaping.dll
  0x000000003bf40000  0x66000   C:\Windows\System32\oleacc.dll
  0x0000000034880000  0xfa000   C:\WINDOWS\SYSTEM32\textinputframework.dll
  0x0000000046840000  0xf2000   C:\WINDOWS\System32\CoreMessaging.dll
  0x000000004c740000  0x6b000   C:\WINDOWS\System32\WS2_32.dll
  0x00000000450b0000  0x35b000  C:\WINDOWS\System32\CoreUIComponents.dll
  0x0000000049b70000  0x33000   C:\WINDOWS\SYSTEM32\ntmarta.dll
  0x0000000040450000  0x28f000  C:\WINDOWS\system32\SogouTSF.ime
  0x0000000048ff0000  0xa000    C:\WINDOWS\system32\VERSION.dll
  0x000000002c330000  0x7000    C:\WINDOWS\system32\MSIMG32.dll
  0x0000000001bf0000  0xdfb000  C:\WINDOWS\system32\SogouPY.ime
  0x000000004b270000  0x15d000  C:\WINDOWS\System32\CRYPT32.dll
  0x00000000445e0000  0x10a000  C:\WINDOWS\system32\WINHTTP.dll
  0x0000000001120000  0x29e000  E:\Program Files (x86)\SogouInput\Components\PicFace\1.1.0.2129\PicFace64.dll
  0x000000004ce40000  0x8000    C:\WINDOWS\System32\PSAPI.DLL
  0x000000004a980000  0x25000   C:\WINDOWS\system32\profapi.dll
  0x0000000010000000  0x59a000  E:\Program Files (x86)\SogouInput\13.11.0.8627\Resource.dll
  0x000000002bfc0000  0x24000   C:\WINDOWS\SYSTEM32\edputil.dll
  0x000000004c210000  0x79000   C:\WINDOWS\System32\coml2.dll
  0x000000004a3e0000  0x18000   C:\WINDOWS\SYSTEM32\CRYPTSP.dll
  0x0000000049a50000  0x34000   C:\WINDOWS\system32\rsaenh.dll
  0x000000004a400000  0xc000    C:\WINDOWS\system32\CRYPTBASE.dll
  0x00000000dd9b0000  0x95000   C:\WINDOWS\system32\DUser.dll
  0x000000003f7a0000  0xae000   C:\WINDOWS\system32\mscms.dll
  0x000000003f850000  0x11000   C:\WINDOWS\system32\ColorAdapterClient.dll
  0x0000000068820000  0x20c000  C:\WINDOWS\System32\msxml3.dll
  0x0000000044c10000  0x3b000   C:\WINDOWS\SYSTEM32\dxcore.dll
  0x000000004b100000  0x4e000   C:\WINDOWS\System32\cfgmgr32.dll
  0x00000000b7590000  0xb2000   C:\Program Files (x86)\iOA\module\DataProtection\TxUmon64.dll
  0x0000000028d10000  0xb000    C:\WINDOWS\system32\FltLib.dll
  0x0000000034a10000  0x19000   C:\WINDOWS\system32\Avicap32.dll
  0x00000000349e0000  0x2b000   C:\WINDOWS\system32\MSVFW32.dll
  0x0000000041250000  0x2a000   C:\WINDOWS\system32\Ntdsapi.dll
  0x0000000035320000  0xb000    C:\WINDOWS\system32\KtmW32.dll
  0x0000000029aa0000  0xa5000   C:\WINDOWS\system32\winspool.drv
  0x0000000027c90000  0x1cd000  C:\WINDOWS\system32\d3d9.dll
  0x000000004a620000  0x12000   C:\WINDOWS\SYSTEM32\msasn1.dll
  0x0000000043d90000  0x31000   C:\WINDOWS\SYSTEM32\cryptnet.dll
Listdlls64.exe -accepteula -v mspaint // show detailed module information (version and signature verification) for the process named mspaint
Listdlls v3.2 - Listdlls
Copyright (C) 1997-2016 Mark Russinovich
Sysinternals

------------------------------------------------------------------------------
mspaint.exe pid: 32972
Command line: "C:\WINDOWS\system32\mspaint.exe"

  Base                Size      Path
  0x00000000240f0000  0xeb000   C:\WINDOWS\system32\mspaint.exe
    Verified:       Microsoft Windows
    Publisher:      Microsoft Corporation
    Description:    画图
    Product:        Microsoft® Windows® Operating System
    Version:        10.0.19041.3636
    File version:   6.2.19041.3636
    Create time:    Sun May 17 01:10:04 2099
  0x000000004d370000  0x1f8000  C:\WINDOWS\SYSTEM32\ntdll.dll
    Verified:       Microsoft Windows
    Publisher:      Microsoft Corporation
    Description:    NT 层 DLL
    Product:        Microsoft® Windows® Operating System
    Version:        10.0.19041.3636
    File version:   6.2.19041.3636
    Create time:    Mon Aug 12 16:55:11 2052
  0x000000004d010000  0xbd000   C:\WINDOWS\System32\KERNEL32.DLL
    Verified:       Microsoft Windows
    Publisher:      Microsoft Corporation
    Description:    Windows NT 基本 API 客户端 DLL
    Product:        Microsoft® Windows® Operating System
    Version:        10.0.19041.3636
    File version:   6.2.19041.3636
    Create time:    Tue Jun 02 23:58:31 2054
  0x000000004ad00000  0x2f6000  C:\WINDOWS\System32\KERNELBASE.dll
    Verified:       Microsoft Windows
    Publisher:      Microsoft Corporation
    Description:    Windows NT 基本 API 客户端 DLL
    Product:        Microsoft® Windows® Operating System
    Version:        10.0.19041.3636
    File version:   6.2.19041.3636
    Create time:    Thu Oct 24 11:05:19 1996
  0x0000000045700000  0x90000   C:\WINDOWS\SYSTEM32\apphelp.dll
    Verified:       Microsoft Windows
    Publisher:      Microsoft Corporation
    Description:    应用程序兼容性客户端库
    Product:        Microsoft® Windows® Operating System
    Version:        10.0.19041.3636
    File version:   6.2.19041.3636
    Create time:    Thu Jul 20 13:49:26 2084
  0x000000002d640000  0x63000   C:\WINDOWS\SYSTEM32\AcGenral.dll
    Verified:       Microsoft Windows
    Publisher:      Microsoft Corporation
    Description:    Windows Compatibility DLL
    Product:        Microsoft® Windows® Operating System
    Version:        10.0.19041.3636
    File version:   6.2.19041.3636
    Create time:    Tue Jul 25 04:32:11 2034
  0x000000004cb40000  0x9e000   C:\WINDOWS\System32\msvcrt.dll
    Verified:       Microsoft Windows
    Publisher:      Microsoft Corporation
    Description:    Windows NT CRT DLL
    Product:        Microsoft® Windows® Operating System
    Version:        10.0.19041.3636
    File version:   7.0.19041.3636
    Create time:    Sat Nov 30 23:38:44 2052
  0x000000004cd70000  0x9c000   C:\WINDOWS\System32\sechost.dll
    Verified:       Microsoft Windows
    Publisher:      Microsoft Corporation
    Description:    Host for SCM/SDDL/LSA Lookup APIs
    Product:        Microsoft® Windows® Operating System
    Version:        10.0.19041.3636
    File version:   6.2.19041.3636
    Create time:    Sat Dec 27 21:07:38 2053
  0x000000004b3d0000  0x126000  C:\WINDOWS\System32\RPCRT4.dll
    Verified:       Microsoft Windows
    Publisher:      Microsoft Corporation
    Description:    远程过程调用运行时
    Product:        Microsoft® Windows® Operating System
    Version:        10.0.19041.3636
    File version:   6.2.19041.3636
    Create time:    Mon Apr 02 14:04:18 2096
  0x000000004d0d0000  0x55000   C:\WINDOWS\System32\SHLWAPI.dll
    Verified:       Microsoft Windows
    Publisher:      Microsoft Corporation
    Description:    外壳简易实用工具库
    Product:        Microsoft® Windows® Operating System
    Version:        10.0.19041.3636
    File version:   6.2.19041.3636
    Create time:    Mon Dec 28 10:13:39 1987
  0x000000004ce50000  0x19e000  C:\WINDOWS\System32\USER32.dll
    Verified:       Microsoft Windows
    Publisher:      Microsoft Corporation
    Description:    多用户 Windows 用户 API 客户端 DLL
    Product:        Microsoft® Windows® Operating System
    Version:        10.0.19041.3636
    File version:   6.2.19041.3636
    Create time:    Thu Jan 17 20:56:57 1980
  0x000000004b0a0000  0x22000   C:\WINDOWS\System32\win32u.dll
    Verified:       Microsoft Windows
    Publisher:      Microsoft Corporation
    Description:    Win32u
    Product:        Microsoft® Windows® Operating System
    Version:        10.0.19041.3636
    File version:   6.2.19041.3636
    Create time:    Wed May 04 04:26:59 1977
  0x000000004c7b0000  0x2c000   C:\WINDOWS\System32\GDI32.dll
    Verified:       Microsoft Windows
    Publisher:      Microsoft Corporation
    Description:    GDI Client DLL
    Product:        Microsoft® Windows® Operating System
    Version:        10.0.19041.3636
    File version:   6.2.19041.3636
    Create time:    Sun Oct 28 22:20:37 2029
  0x000000004b150000  0x11a000  C:\WINDOWS\System32\gdi32full.dll
    Verified:       Microsoft Windows
    Publisher:      Microsoft Corporation
    Description:    GDI Client DLL
    Product:        Microsoft® Windows® Operating System
    Version:        10.0.19041.3636
    File version:   6.2.19041.3636
    Create time:    Tue Feb 06 17:48:53 2103
  0x000000004b000000  0x9d000   C:\WINDOWS\System32\msvcp_win.dll
    Verified:       Microsoft Windows
    Publisher:      Microsoft Corporation
    Description:    Microsoft® C Runtime Library
    Product:        Microsoft® Windows® Operating System
    Version:        10.0.19041.3636
    File version:   6.2.19041.3636
    Create time:    Fri May 19 23:25:03 2000
  0x000000004aac0000  0x100000  C:\WINDOWS\System32\ucrtbase.dll
    Verified:       Microsoft Windows
    Publisher:      Microsoft Corporation
    Description:    Microsoft® C Runtime Library
    Product:        Microsoft® Windows® Operating System
    Version:        10.0.19041.3636
    File version:   6.2.19041.3636
    Create time:    Wed Jan 05 22:32:41 2039
  0x000000004cc40000  0x12b000  C:\WINDOWS\System32\ole32.dll
    Verified:       Microsoft Windows
    Publisher:      Microsoft Corporation
    Description:    用于 Windows 的 Microsoft OLE
    Product:        Microsoft® Windows® Operating System
    Version:        10.0.19041.3636
    File version:   6.2.19041.3636
    Create time:    Thu Oct 20 03:08:37 2072
  0x000000004c7e0000  0x354000  C:\WINDOWS\System32\combase.dll
    Verified:       Microsoft Windows
    Publisher:      Microsoft Corporation
    Description:    用于 Windows 的 Microsoft COM
    Product:        Microsoft® Windows® Operating System
    Version:        10.0.19041.3636
    File version:   6.2.19041.3636
    Create time:    Mon Sep 13 06:20:45 2021
  0x000000004b500000  0x744000  C:\WINDOWS\System32\SHELL32.dll
    Verified:       Microsoft Windows
    Publisher:      Microsoft Corporation
    Description:    Windows Shell 公用 DLL
    Product:        Microsoft® Windows® Operating System
    Version:        10.0.19041.3636
    File version:   6.2.19041.3636
    Create time:    Tue Apr 21 17:34:37 2037
  0x000000004c690000  0xaf000   C:\WINDOWS\System32\ADVAPI32.dll
    Verified:       Microsoft Windows
    Publisher:      Microsoft Corporation
    Description:    高级 Windows 32 基本 API
    Product:        Microsoft® Windows® Operating System
    Version:        10.0.19041.3693
    File version:   6.2.19041.3693
    Create time:    Sun Aug 28 04:47:43 1988
  0x000000004a940000  0x2e000   C:\WINDOWS\SYSTEM32\USERENV.dll
    Verified:       Microsoft Windows
    Publisher:      Microsoft Corporation
    Description:    Userenv
    Product:        Microsoft® Windows® Operating System
    Version:        10.0.19041.3636
    File version:   6.2.19041.3636
    Create time:    Fri Nov 04 11:54:55 2078
  0x0000000034700000  0x1d000   C:\WINDOWS\SYSTEM32\MPR.dll
    Verified:       Microsoft Windows
    Publisher:      Microsoft Corporation
    Description:    多提供程序路由器 DLL
    Product:        Microsoft® Windows® Operating System
    Version:        10.0.19041.3636
    File version:   6.2.19041.3636
    Create time:    Wed Jul 14 11:02:09 1999
  0x000000004a900000  0x32000   C:\WINDOWS\SYSTEM32\SspiCli.dll
    Verified:       Microsoft Windows
    Publisher:      Microsoft Corporation
    Description:    Security Support Provider Interface
    Product:        Microsoft® Windows® Operating System
    Version:        10.0.19041.3636
    File version:   6.2.19041.3636
    Create time:    Sun Mar 12 03:49:31 2006
  0x000000004ce10000  0x30000   C:\WINDOWS\System32\IMM32.DLL
    Verified:       Microsoft Windows
    Publisher:      Microsoft Corporation
    Description:    Multi-User Windows IMM32 API Client DLL
    Product:        Microsoft® Windows® Operating System
    Version:        10.0.19041.3636
    File version:   6.2.19041.3636
    Create time:    Tue Mar 27 17:23:09 2068
  0x000000004c5c0000  0xcd000   C:\WINDOWS\System32\OLEAUT32.dll
    Verified:       Microsoft Windows
    Publisher:      Microsoft Corporation
    Description:    OLEAUT32.DLL
    Product:        Microsoft® Windows® Operating System
    Version:        10.0.19041.3636
    File version:   6.2.19041.3636
    Create time:    Thu Oct 22 04:56:17 2082
  0x0000000018220000  0x172000  C:\WINDOWS\system32\MFC42u.dll
    Verified:       Microsoft Windows
    Publisher:      Microsoft Corporation
    Description:    MFCDLL 共享库 - 零售版
    Product:        Microsoft (R) Visual C++
    Version:        6.6.4.0
    File version:   6.6.8063.0
    Create time:    Fri Apr 16 20:31:34 2055
  0x000000002e3e0000  0x29a000  C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.3636_none_60b6a03d71f818d5\COMCTL32.dll
    Verified:       Microsoft Windows
    Publisher:      Microsoft Corporation
    Description:    用户体验控件库
    Product:        Microsoft® Windows® Operating System
    Version:        10.0.19041.3636
    File version:   6.10.19041.3636
    Create time:    Wed Dec 09 04:28:29 2009
  0x000000004bcc0000  0xda000   C:\WINDOWS\System32\COMDLG32.dll
    Verified:       Microsoft Windows
    Publisher:      Microsoft Corporation
    Description:    Common Dialogs DLL
    Product:        Microsoft® Windows® Operating System
    Version:        10.0.19041.3636
    File version:   6.2.19041.3636
    Create time:    Fri Dec 09 09:36:11 2101
  0x000000004d280000  0xad000   C:\WINDOWS\System32\shcore.dll
    Verified:       Microsoft Windows
    Publisher:      Microsoft Corporation
    Description:    SHCORE
    Product:        Microsoft® Windows® Operating System
    Version:        10.0.19041.3636
    File version:   6.2.19041.3636
    Create time:    Thu Oct 07 21:52:11 1999
  0x0000000048630000  0xf6000   C:\WINDOWS\system32\PROPSYS.dll
    Verified:       Microsoft Windows
    Publisher:      Microsoft Corporation
    Description:    Microsoft 属性系统
    Product:        Windows® Search
    Version:        7.0.19041.3636
    File version:   7.0.19041.3636
    Create time:    Mon Jan 01 02:52:25 2091
  0x000000002c590000  0x27000   C:\WINDOWS\system32\WINMM.dll
    Verified:       Microsoft Windows
    Publisher:      Microsoft Corporation
    Description:    MCI API DLL
    Product:        Microsoft® Windows® Operating System
    Version:        10.0.19041.3636
    File version:   6.2.19041.3636
    Create time:    Wed Mar 24 13:27:45 2083
  0x000000003f260000  0x6a000   C:\WINDOWS\SYSTEM32\ninput.dll
    Verified:       Microsoft Windows
    Publisher:      Microsoft Corporation
    Description:    Microsoft Pen and Touch Input Component
    Product:        Microsoft® Windows® Operating System
    Version:        10.0.19041.3636
    File version:   6.2.19041.3636
    Create time:    Wed Apr 16 01:32:04 2036
  0x0000000044860000  0x1a5000  C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.3636_none_91a19322cc8a92a3\gdiplus.dll
    Verified:       Microsoft Windows
    Publisher:      Microsoft Corporation
    Description:    Microsoft GDI+
    Product:        Microsoft® Windows® Operating System
    Version:        10.0.19041.3636
    File version:   6.2.19041.3636
    Create time:    Fri Dec 16 09:30:59 2067
  0x0000000047bc0000  0x9e000   C:\WINDOWS\system32\uxtheme.dll
    Verified:       Microsoft Windows
    Publisher:      Microsoft Corporation
    Description:    Microsoft UxTheme 库
    Product:        Microsoft® Windows® Operating System
    Version:        10.0.19041.3636
    File version:   6.2.19041.3636
    Create time:    Thu Sep 24 20:23:18 1981
  0x000000004abc0000  0x82000   C:\WINDOWS\System32\bcryptPrimitives.dll
    Verified:       Microsoft Windows
    Publisher:      Microsoft Corporation
    Description:    Windows Cryptographic Primitives Library
    Product:        Microsoft® Windows® Operating System
    Version:        10.0.19041.3636
    File version:   6.2.19041.3636
    Create time:    Sun Mar 27 13:41:19 2101
  0x000000001e8d0000  0x34d000  C:\WINDOWS\system32\MSFTEDIT.DLL
    Verified:       Microsoft Windows
    Publisher:      Microsoft Corporation
    Description:    RTF 编辑控件,8.5 版
    Product:        Microsoft® Windows® Operating System
    Version:        10.0.19041.3636
    File version:   6.2.19041.3636
    Create time:    Sat Apr 23 10:14:18 2033
  0x000000004c290000  0x114000  C:\WINDOWS\System32\MSCTF.dll
    Verified:       Microsoft Windows
    Publisher:      Microsoft Corporation
    Description:    MSCTF 服务器 DLL
    Product:        Microsoft® Windows® Operating System
    Version:        10.0.19041.3636
    File version:   6.2.19041.3636
    Create time:    Mon Sep 14 16:59:06 2105
  0x0000000049450000  0x12000   C:\WINDOWS\SYSTEM32\kernel.appcore.dll
    Verified:       Microsoft Windows
    Publisher:      Microsoft Corporation
    Description:    AppModel API Host
    Product:        Microsoft® Windows® Operating System
    Version:        10.0.19041.3636
    File version:   6.2.19041.3636
    Create time:    Sat Jan 29 08:29:14 2033
  0x000000004d1d0000  0xa9000   C:\WINDOWS\System32\clbcatq.dll
    Verified:       Microsoft Windows
    Publisher:      Microsoft Corporation
    Description:    COM+ Configuration Catalog
    Product:        Microsoft® Windows® Operating System
    Version:        10.0.19041.3636
    File version:   2001.12.10941.16384
    Create time:    Mon Feb 05 02:00:35 1973
  0x000000005e170000  0x3ec000  C:\WINDOWS\system32\UIRibbon.dll
    Verified:       Microsoft Windows
    Publisher:      Microsoft Corporation
    Description:    Windows 功能区框架
    Product:        Microsoft® Windows® Operating System
    Version:        10.0.19041.1
    File version:   6.2.19041.1
    Create time:    Tue Feb 25 21:13:58 2098
  0x00000000434b0000  0x36000   C:\WINDOWS\system32\XmlLite.dll
    Verified:       Microsoft Windows
    Publisher:      Microsoft Corporation
    Description:    Microsoft XmlLite Library
    Product:        Microsoft® Windows® Operating System
    Version:        10.0.19041.3636
    File version:   6.2.19041.3636
    Create time:    Sat Aug 30 14:44:47 2031
  0x0000000048770000  0x79b000  C:\WINDOWS\system32\windows.storage.dll
    Verified:       Microsoft Windows
    Publisher:      Microsoft Corporation
    Description:    Microsoft WinRT Storage API
    Product:        Microsoft® Windows® Operating System
    Version:        10.0.19041.3693
    File version:   6.2.19041.3693
    Create time:    Fri Jul 14 16:58:53 2034
  0x000000004a490000  0x2d000   C:\WINDOWS\system32\Wldp.dll
    Verified:       Microsoft Windows
    Publisher:      Microsoft Corporation
    Description:    Windows 锁定策略
    Product:        Microsoft® Windows® Operating System
    Version:        10.0.19041.3636
    File version:   6.2.19041.3636
    Create time:    Tue Apr 10 09:03:59 2103
  0x0000000019e20000  0xdd000   C:\Windows\System32\efswrt.dll
    Verified:       Microsoft Windows
    Publisher:      Microsoft Corporation
    Description:    Storage Protection Windows Runtime DLL
    Product:        Microsoft® Windows® Operating System
    Version:        10.0.19041.3636
    File version:   6.2.19041.3636
    Create time:    Fri Jun 18 03:57:50 2032
  0x00000000454d0000  0x155000  C:\WINDOWS\SYSTEM32\wintypes.dll
    Verified:       Microsoft Windows
    Publisher:      Microsoft Corporation
    Description:    Windows 基本类型 DLL
    Product:        Microsoft® Windows® Operating System
    Version:        10.0.19041.3636
    File version:   6.2.19041.3636
    Create time:    Mon Oct 30 12:03:00 2051
  0x000000003ef60000  0x207000  C:\Windows\System32\twinapi.appcore.dll
    Verified:       Microsoft Windows
    Publisher:      Microsoft Corporation
    Description:    twinapi.appcore
    Product:        Microsoft® Windows® Operating System
    Version:        10.0.19041.3636
    File version:   6.2.19041.3636
    Create time:    Sat Jan 31 09:15:04 2004
  0x0000000069ab0000  0x57000   C:\Windows\System32\sti.dll
    Verified:       Microsoft Windows
    Publisher:      Microsoft Corporation
    Description:    静止图像设备客户端 DLL
    Product:        Microsoft® Windows® Operating System
    Version:        10.0.19041.3636
    File version:   6.2.19041.3636
    Create time:    Fri Feb 24 09:34:19 1984
  0x00000000459e0000  0xa000    C:\WINDOWS\SYSTEM32\wiatrace.dll
    Verified:       Microsoft Windows
    Publisher:      Microsoft Corporation
    Description:    WIA Tracing
    Product:        Microsoft® Windows® Operating System
    Version:        10.0.19041.3636
    File version:   6.2.19041.3636
    Create time:    Sat Jun 27 20:57:43 1970
  0x0000000043bc0000  0xd000    C:\WINDOWS\SYSTEM32\atlthunk.dll
    Verified:       Microsoft Windows
    Publisher:      Microsoft Corporation
    Description:    atlthunk.dll
    Product:        Microsoft® Windows® Operating System
    Version:        10.0.19041.3636
    File version:   6.2.19041.3636
    Create time:    Fri Feb 01 14:26:25 2064
  0x0000000047eb0000  0x2f000   C:\WINDOWS\system32\dwmapi.dll
    Verified:       Microsoft Windows
    Publisher:      Microsoft Corporation
    Description:    Microsoft 桌面窗口管理器 API
    Product:        Microsoft® Windows® Operating System
    Version:        10.0.19041.3636
    File version:   6.2.19041.3636
    Create time:    Sun Sep 20 22:38:41 1992
  0x00000000478d0000  0x1b4000  C:\WINDOWS\system32\windowscodecs.dll
    Verified:       Microsoft Windows
    Publisher:      Microsoft Corporation
    Description:    Microsoft Windows Codecs Library
    Product:        Microsoft® Windows® Operating System
    Version:        10.0.19041.3636
    File version:   6.2.19041.3636
    Create time:    Sat Oct 16 03:40:07 1976
  0x000000004b0d0000  0x27000   C:\WINDOWS\System32\bcrypt.dll
    Verified:       Microsoft Windows
    Publisher:      Microsoft Corporation
    Description:    Windows 加密基元库
    Product:        Microsoft® Windows® Operating System
    Version:        10.0.19041.3636
    File version:   6.2.19041.3636
    Create time:    Mon May 09 17:20:03 2050
  0x000000002bc30000  0xac000   C:\WINDOWS\SYSTEM32\TextShaping.dll
    Verified:       Microsoft Windows
    Publisher:      n/a
    Description:    n/a
    Product:        n/a
    Version:        n/a
    File version:   n/a
    Create time:    Fri Jan 06 06:51:47 2062
  0x000000003bf40000  0x66000   C:\Windows\System32\oleacc.dll
    Verified:       Microsoft Windows
    Publisher:      Microsoft Corporation
    Description:    Active Accessibility Core Component
    Product:        Microsoft® Windows® Operating System
    Version:        10.0.19041.3636
    File version:   7.2.19041.3636
    Create time:    Mon Nov 22 00:15:52 2100
  0x0000000034880000  0xfa000   C:\WINDOWS\SYSTEM32\textinputframework.dll
    Verified:       Microsoft Windows
    Publisher:      Microsoft Corporation
    Description:    "TextInputFramework.DYNLINK"
    Product:        Microsoft® Windows® Operating System
    Version:        10.0.19041.3636
    File version:   6.2.19041.3636
    Create time:    Wed Nov 11 14:20:44 2048
  0x0000000046840000  0xf2000   C:\WINDOWS\System32\CoreMessaging.dll
    Verified:       Microsoft Windows
    Publisher:      Microsoft Corporation
    Description:    Microsoft CoreMessaging Dll
    Product:        Microsoft® Windows® Operating System
    Version:        10.0.19041.3636
    File version:   6.2.19041.3636
    Create time:    Thu Oct 19 10:55:20 2062
  0x000000004c740000  0x6b000   C:\WINDOWS\System32\WS2_32.dll
    Verified:       Microsoft Windows
    Publisher:      Microsoft Corporation
    Description:    Windows Socket 2.0 32 位 DLL
    Product:        Microsoft® Windows® Operating System
    Version:        10.0.19041.3636
    File version:   6.2.19041.3636
    Create time:    Tue Nov 21 09:24:12 2034
  0x00000000450b0000  0x35b000  C:\WINDOWS\System32\CoreUIComponents.dll
    Verified:       Microsoft Windows
    Publisher:      Microsoft Corporation
    Description:    Microsoft Core UI Components Dll
    Product:        Microsoft® Windows® Operating System
    Version:        10.0.19041.3636
    File version:   6.2.19041.3636
    Create time:    Sat Aug 20 17:05:49 1977
  0x0000000049b70000  0x33000   C:\WINDOWS\SYSTEM32\ntmarta.dll
    Verified:       Microsoft Windows
    Publisher:      Microsoft Corporation
    Description:    Windows NT MARTA 提供程序
    Product:        Microsoft® Windows® Operating System
    Version:        10.0.19041.3636
    File version:   6.2.19041.3636
    Create time:    Thu Feb 26 18:33:19 2105
  0x0000000040450000  0x28f000  C:\WINDOWS\system32\SogouTSF.ime
    Verified:       Beijing Sogou Technology Development Co.
    Publisher:      Sogou.com
    Description:    搜狗输入法
    Product:        搜狗输入法
    Version:        13.11.0.8627
    File version:   13.11.0.8627
    Create time:    Tue Nov 14 15:34:44 2023
  0x0000000048ff0000  0xa000    C:\WINDOWS\system32\VERSION.dll
    Verified:       Microsoft Windows
    Publisher:      Microsoft Corporation
    Description:    Version Checking and File Installation Libraries
    Product:        Microsoft® Windows® Operating System
    Version:        10.0.19041.3636
    File version:   6.2.19041.3636
    Create time:    Tue Oct 23 22:20:28 2103
  0x000000002c330000  0x7000    C:\WINDOWS\system32\MSIMG32.dll
    Verified:       Microsoft Windows
    Publisher:      Microsoft Corporation
    Description:    GDIEXT Client DLL
    Product:        Microsoft® Windows® Operating System
    Version:        10.0.19041.3636
    File version:   6.2.19041.3636
    Create time:    Tue Apr 21 21:04:18 2026
  0x0000000001bf0000  0xdfb000  C:\WINDOWS\system32\SogouPY.ime
    Verified:       Beijing Sogou Technology Development Co.
    Publisher:      Sogou.com
    Description:    搜狗输入法
    Product:        搜狗输入法
    Version:        13.11.0.8627
    File version:   13.11.0.8627
    Create time:    Tue Nov 14 15:36:09 2023
  0x000000004b270000  0x15d000  C:\WINDOWS\System32\CRYPT32.dll
    Verified:       Microsoft Windows
    Publisher:      Microsoft Corporation
    Description:    加密 API32
    Product:        Microsoft® Windows® Operating System
    Version:        10.0.19041.3636
    File version:   6.2.19041.3636
    Create time:    Sun Dec 17 16:50:33 2079
  0x00000000445e0000  0x10a000  C:\WINDOWS\system32\WINHTTP.dll
    Verified:       Microsoft Windows
    Publisher:      Microsoft Corporation
    Description:    Windows HTTP 服务
    Product:        Microsoft® Windows® Operating System
    Version:        10.0.19041.3636
    File version:   6.2.19041.3636
    Create time:    Sat May 29 11:44:22 2094
  0x0000000001120000  0x29e000  E:\Program Files (x86)\SogouInput\Components\PicFace\1.1.0.2129\PicFace64.dll
    Verified:       Beijing Sogou Technology Development Co.
    Publisher:      Sogou.com Inc.
    Description:    搜狗输入法 图片表情
    Product:        搜狗输入法
    Version:        1.1.0.2129
    File version:   1.1.0.2129
    Create time:    Tue May 16 14:38:58 2023
  0x000000004ce40000  0x8000    C:\WINDOWS\System32\PSAPI.DLL
    Verified:       Microsoft Windows
    Publisher:      Microsoft Corporation
    Description:    Process Status Helper
    Product:        Microsoft® Windows® Operating System
    Version:        10.0.19041.3636
    File version:   6.2.19041.3636
    Create time:    Tue Nov 05 17:34:37 2013
  0x000000004a980000  0x25000   C:\WINDOWS\system32\profapi.dll
    Verified:       Microsoft Windows
    Publisher:      Microsoft Corporation
    Description:    User Profile Basic API
    Product:        Microsoft® Windows®
Operating System Version: 10.0.19041.3636 File version: 6.2.19041.3636 Create time: Sun Jun 26 02:42:14 2022 0x0000000010000000 0x59a000 E:\Program Files (x86)\SogouInput\13.11.0.8627\Resource.dll Verified: Beijing Sogou Technology Development Co. Publisher: Sogou.com Description: 搜狗输入法 资源 Product: 搜狗输入法 Version: 13.11.0.8627 File version: 13.11.0.8627 Create time: Tue Nov 14 15:21:58 2023 0x000000002bfc0000 0x24000 C:\WINDOWS\SYSTEM32\edputil.dll Verified: Microsoft Windows Publisher: Microsoft Corporation Description: EDP 实用程序 Product: Microsoft? Windows? Operating System Version: 10.0.19041.3636 File version: 6.2.19041.3636 Create time: Thu Jun 13 10:04:14 2041 0x000000004c210000 0x79000 C:\WINDOWS\System32\coml2.dll Verified: Microsoft Windows Publisher: Microsoft Corporation Description: Microsoft COM for Windows Product: Microsoft? Windows? Operating System Version: 10.0.19041.3636 File version: 6.2.19041.3636 Create time: Sun Aug 17 22:23:35 1975 0x000000004a3e0000 0x18000 C:\WINDOWS\SYSTEM32\CRYPTSP.dll Verified: Microsoft Windows Publisher: Microsoft Corporation Description: Cryptographic Service Provider API Product: Microsoft? Windows? Operating System Version: 10.0.19041.3636 File version: 6.2.19041.3636 Create time: Thu Jan 24 15:17:49 2086 0x0000000049a50000 0x34000 C:\WINDOWS\system32\rsaenh.dll Verified: Microsoft Windows Publisher: Microsoft Corporation Description: Microsoft Enhanced Cryptographic Provider Product: Microsoft? Windows? Operating System Version: 10.0.19041.3636 File version: 6.2.19041.3636 Create time: Fri Oct 08 07:34:55 2010 0x000000004a400000 0xc000 C:\WINDOWS\system32\CRYPTBASE.dll Verified: Microsoft Windows Publisher: Microsoft Corporation Description: Base cryptographic API DLL Product: Microsoft? Windows? 
Operating System Version: 10.0.19041.3636 File version: 6.2.19041.3636 Create time: Sun Mar 12 20:15:38 2023 0x00000000dd9b0000 0x95000 C:\WINDOWS\system32\DUser.dll Verified: Microsoft Windows Publisher: Microsoft Corporation Description: Windows DirectUser Engine Product: Microsoft? Windows? Operating System Version: 10.0.19041.3636 File version: 6.2.19041.3636 Create time: Fri Jan 21 19:31:09 1977 0x000000003f7a0000 0xae000 C:\WINDOWS\system32\mscms.dll Verified: Microsoft Windows Publisher: Microsoft Corporation Description: Microsoft 颜色匹配系统 DLL Product: Microsoft? Windows? Operating System Version: 10.0.19041.3636 File version: 6.2.19041.3636 Create time: Sat Aug 19 20:01:12 2045 0x000000003f850000 0x11000 C:\WINDOWS\system32\ColorAdapterClient.dll Verified: Microsoft Windows Publisher: Microsoft Corporation Description: Microsoft Color Adapter Client Product: Microsoft? Windows? Operating System Version: 10.0.19041.3636 File version: 6.2.19041.3636 Create time: Sun Jan 31 21:49:23 2077 0x0000000068820000 0x20c000 C:\WINDOWS\System32\msxml3.dll Verified: Microsoft Windows Publisher: Microsoft Corporation Description: MSXML 3.0 Product: Microsoft XML Core Services Version: 8.110.19041.3636 File version: 8.110.19041.3636 Create time: Fri Mar 13 23:09:43 2082 0x0000000044c10000 0x3b000 C:\WINDOWS\SYSTEM32\dxcore.dll Verified: Microsoft Windows Publisher: Microsoft Corporation Description: DXCore Product: Microsoft? Windows? Operating System Version: 10.0.19041.3636 File version: 6.2.19041.3636 Create time: Sat Dec 06 09:40:30 1986 0x000000004b100000 0x4e000 C:\WINDOWS\System32\cfgmgr32.dll Verified: Microsoft Windows Publisher: Microsoft Corporation Description: Configuration Manager DLL Product: Microsoft? Windows? 
Operating System Version: 10.0.19041.3636 File version: 6.2.19041.3636 Create time: Sat May 31 12:43:09 1986 0x00000000b7590000 0xb2000 C:\Program Files (x86)\iOA\module\DataProtection\TxUmon64.dll Verified: Tencent Technology (Shenzhen) Company Limited Publisher: n/a Description: n/a Product: n/a Version: n/a File version: n/a Create time: Thu Mar 28 17:36:06 2024 0x0000000028d10000 0xb000 C:\WINDOWS\system32\FltLib.dll Verified: Microsoft Windows Publisher: Microsoft Corporation Description: 筛选器库 Product: Microsoft? Windows? Operating System Version: 10.0.19041.3636 File version: 6.2.19041.3636 Create time: Thu Jul 24 08:56:25 2087 0x0000000034a10000 0x19000 C:\WINDOWS\system32\Avicap32.dll Verified: Microsoft Windows Publisher: Microsoft Corporation Description: AVI 捕获窗口类 Product: Microsoft? Windows? Operating System Version: 10.0.19041.1 File version: 6.2.19041.1 Create time: Sat Jun 03 05:28:22 2000 0x00000000349e0000 0x2b000 C:\WINDOWS\system32\MSVFW32.dll Verified: Microsoft Windows Publisher: Microsoft Corporation Description: Microsoft Video for Windows DLL Product: Microsoft? Windows? Operating System Version: 10.0.19041.1 File version: 6.2.19041.1 Create time: Mon Aug 31 13:35:15 2009 0x0000000041250000 0x2a000 C:\WINDOWS\system32\Ntdsapi.dll Verified: Microsoft Windows Publisher: Microsoft Corporation Description: Active Directory Domain Services API Product: Microsoft? Windows? Operating System Version: 10.0.19041.3636 File version: 6.2.19041.3636 Create time: Wed Jan 10 07:19:26 2001 0x0000000035320000 0xb000 C:\WINDOWS\system32\KtmW32.dll Verified: Microsoft Windows Publisher: Microsoft Corporation Description: Windows KTM Win32 Client DLL Product: Microsoft? Windows? Operating System Version: 10.0.19041.3636 File version: 6.2.19041.3636 Create time: Thu Aug 19 17:45:30 2027 0x0000000029aa0000 0xa5000 C:\WINDOWS\system32\winspool.drv Verified: Microsoft Windows Publisher: Microsoft Corporation Description: Windows 后台处理程序驱动程序 Product: Microsoft? 
Windows? Operating System Version: 10.0.19041.3693 File version: 6.2.19041.3693 Create time: Tue Oct 23 00:16:17 2068 0x0000000027c90000 0x1cd000 C:\WINDOWS\system32\d3d9.dll Verified: Microsoft Windows Publisher: Microsoft Corporation Description: Direct3D 9 Runtime Product: Microsoft? Windows? Operating System Version: 10.0.19041.3636 File version: 6.2.19041.3636 Create time: Sat May 20 20:58:08 2006 0x000000004a620000 0x12000 C:\WINDOWS\SYSTEM32\msasn1.dll Verified: Microsoft Windows Publisher: Microsoft Corporation Description: ASN.1 Runtime APIs Product: Microsoft? Windows? Operating System Version: 10.0.19041.3636 File version: 6.2.19041.3636 Create time: Wed Mar 18 00:04:36 1987 0x0000000043d90000 0x31000 C:\WINDOWS\SYSTEM32\cryptnet.dll Verified: Microsoft Windows Publisher: Microsoft Corporation Description: Crypto Network Related API Product: Microsoft? Windows? Operating System Version: 10.0.19041.3636 File version: 6.2.19041.3636 Create time: Wed Nov 12 12:52:42 2003
Listdlls64.exe -accepteula -u scrcpy // show the unsigned modules loaded into the process named scrcpy
Listdlls v3.2 - Listdlls
Copyright (C) 1997-2016 Mark Russinovich
Sysinternals

------------------------------------------------------------------------------
scrcpy.exe pid: 52468
Command line: "F:\GameTools\scrcpy-win64-v2.0\scrcpy.exe"

Base                Size      Path
0x00000000eea00000  0x10d000  F:\GameTools\scrcpy-win64-v2.0\scrcpy.exe
    Verified:       Unsigned
    Publisher:      n/a
    Description:    n/a
    Product:        n/a
    Version:        n/a
    File version:   n/a
    Create time:    Sun Mar 12 09:13:20 2023
0x0000000027980000  0x84000   F:\GameTools\scrcpy-win64-v2.0\avformat-60.dll
    Verified:       Unsigned
    Publisher:      FFmpeg Project
    Description:    FFmpeg container format library
    Product:        FFmpeg
    Version:        60.3.100.0
    File version:   60.3.100.0
    Create time:    Sat Mar 04 02:19:02 2023
0x00000000106b0000  0x203000  F:\GameTools\scrcpy-win64-v2.0\avutil-58.dll
    Verified:       Unsigned
    Publisher:      FFmpeg Project
    Description:    FFmpeg utility library
    Product:        FFmpeg
    Version:        58.2.100.0
    File version:   58.2.100.0
    Create time:    Sat Mar 04 02:19:02 2023
0x0000000070980000  0x34000   F:\GameTools\scrcpy-win64-v2.0\msys-usb-1.0.dll
    Verified:       Unsigned
    Publisher:      libusb.info
    Description:    C library for writing portable USB drivers in userspace
    Product:        libusb-1.0
    Version:        1.0.26.11724
    File version:   1.0.26.11724
    Create time:    Sun Apr 10 20:19:44 2022
0x000000000f8a0000  0x26e000  F:\GameTools\scrcpy-win64-v2.0\SDL2.dll
    Verified:       Unsigned
    Publisher:
    Description:    SDL
    Product:        Simple DirectMedia Layer
    Version:        2.26.4.0
    File version:   2.26.4.0
    Create time:    Tue Mar 07 07:56:20 2023
0x0000000013480000  0x359000  F:\GameTools\scrcpy-win64-v2.0\avcodec-60.dll
    Verified:       Unsigned
    Publisher:      FFmpeg Project
    Description:    FFmpeg codec library
    Product:        FFmpeg
    Version:        60.3.100.0
    File version:   60.3.100.0
    Create time:    Sat Mar 04 02:19:02 2023
0x0000000034b50000  0x27000   F:\GameTools\scrcpy-win64-v2.0\swresample-4.dll
    Verified:       Unsigned
    Publisher:      FFmpeg Project
    Description:    FFmpeg audio resampling library
    Product:        FFmpeg
    Version:        4.10.100.0
    File version:   4.10.100.0
    Create time:    Sat Mar 04 02:19:02 2023
0x0000000030980000  0x2a000   F:\GameTools\scrcpy-win64-v2.0\zlib1.dll
    Verified:       Unsigned
    Publisher:      n/a
    Description:    zlib data compression library
    Product:        zlib
    Version:        1.2.13.0
    File version:   1.2.13.0
    Create time:    Sat Oct 15 17:27:34 2022
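The same "which loaded modules fail signature verification" check can be reproduced with built-in PowerShell, which is handy on a machine where Listdlls is not available. This is an added example, not code from the page or from Sysinternals; the process name scrcpy is taken from the page, and the function and parameter names are my own.

```powershell
# Added example (not part of the original page): cross-check "listdlls -u" by
# checking the Authenticode signature of every module loaded into a process.
# Assumes the target process (scrcpy, from the page) is running and that a
# 64-bit PowerShell is used for a 64-bit target, as the page recommends for tools.
param([string]$ProcessName = 'scrcpy')

function Get-UnsignedModule {
    param([Parameter(Mandatory)][string]$Name)
    foreach ($proc in (Get-Process -Name $Name -ErrorAction Stop)) {
        foreach ($m in $proc.Modules) {
            # Status 'Valid' means an embedded or catalog signature that chains to a
            # trusted root (Windows PowerShell 5.1+ consults the OS catalog, so
            # catalog-signed Windows DLLs also report Valid). Listdlls prints
            # "Verified: Unsigned" for roughly the same set reported here.
            $sig = Get-AuthenticodeSignature -FilePath $m.FileName
            if ($sig.Status -eq 'Valid') { continue }
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'n/a' }
            [pscustomobject]@{
                Pid    = $proc.Id
                Module = $m.FileName
                Status = $sig.Status      # NotSigned, HashMismatch, NotTrusted, ...
                Signer = $signer
            }
        }
    }
}

Get-UnsignedModule -Name $ProcessName | Format-Table -AutoSize
```

A HashMismatch or NotTrusted row deserves more attention than a plain NotSigned one: it means the module carries a signature that no longer matches its contents or chains to an untrusted root.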
sysmon64.exe(sysmon.exe)
Installs the sysmon64 (sysmon) service to track certain process behaviour.
sysmon64 -accepteula /? // show help
System Monitor v15.12 - System activity monitor
By Mark Russinovich and Thomas Garnier
Copyright (C) 2014-2023 Microsoft Corporation
Using libxml2. libxml2 is Copyright (C) 1998-2012 Daniel Veillard. All Rights Reserved.
Sysinternals - www.sysinternals.com

Usage:
Install:                 Sysmon64.exe -i [<configfile>]
Update configuration:    Sysmon64.exe -c [<configfile>]
Install event manifest:  Sysmon64.exe -m
Print schema:            Sysmon64.exe -s
Uninstall:               Sysmon64.exe -u [force]
  -c   Update configuration of an installed Sysmon driver or dump the current configuration if no other argument is provided. Optionally take a configuration file.
  -i   Install service and driver. Optionally take a configuration file.
  -m   Install the event manifest (done on service install as well)).
  -s   Print configuration schema definition of the specified version. Specify 'all' to dump all schema versions (default is latest)).
  -u   Uninstall service and driver. Adding force causes uninstall to proceed even when some components are not installed.

The service logs events immediately and the driver installs as a boot-start driver to capture activity from early in the boot that the service will write to the event log when it starts.

On Vista and higher, events are stored in "Applications and Services Logs/Microsoft/Windows/Sysmon/Operational". On older systems, events are written to the System event log.

Use the '-? config' command for configuration file documentation. More examples are available on the Sysinternals website.

Specify -accepteula to automatically accept the EULA on installation, otherwise you will be interactively prompted to accept it.

Neither install nor uninstall requires a reboot.
sysmon64 -accepteula /i // install the sysmon64 service with the default configuration
sysmon64 -accepteula /i mycconfig.xml // install the sysmon64 service with the mycconfig.xml configuration
sysmon64 -accepteula /c -- // reset the sysmon64 service to the default configuration
sysmon64 -accepteula /c mycconfig.xml // update the sysmon64 service to the mycconfig.xml configuration
sysmon64 -accepteula /u // uninstall the sysmon64 service
mycconfig.xml Note: for a more complex configuration see: https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml
<Sysmon schemaversion="4.82">
  <EventFiltering>
    <RuleGroup name="group 1" groupRelation="and"> <!-- condition 1 and condition 2 are combined with AND -->
      <ProcessCreate onmatch="include"> <!-- include -->
        <Image condition="contains">Notepad2.exe</Image> <!-- condition 1 -->
        <CommandLine condition="contains">-d3d12</CommandLine> <!-- condition 2 -->
      </ProcessCreate>
    </RuleGroup>
    <RuleGroup groupRelation="or"> <!-- condition a and condition b are combined with OR -->
      <ProcessTerminate onmatch="include"> <!-- include -->
        <Image condition="contains">Notepad2.exe</Image> <!-- condition a -->
        <Image condition="contains">ping.exe</Image> <!-- condition b -->
      </ProcessTerminate>
    </RuleGroup>
    <ImageLoad onmatch="include"/> <!-- include with no rules: no ImageLoad events are logged -->
  </EventFiltering>
</Sysmon>
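After installing or updating the service with this configuration, the quickest way to confirm the AND/OR rule groups behave as intended is to read the resulting events back from the log named in the Sysmon help text. This is an added example, not code from the page or from Sysinternals; it assumes Sysmon64 is installed with the mycconfig.xml above, runs in an elevated PowerShell, and uses a function name and event limit of my own choosing.

```powershell
# Added example (not part of the original page): read back the events that the
# mycconfig.xml rules above should produce, from the Sysmon operational log
# named in the help text. Assumes Sysmon64 is installed with that configuration
# and that this runs in an elevated PowerShell; $MaxEvents is a constructed limit.
$log = 'Microsoft-Windows-Sysmon/Operational'
$MaxEvents = 200

function Get-SysmonRuleHit {
    param([int]$Max = $MaxEvents)
    # Sysmon event IDs: 1 = ProcessCreate, 5 = ProcessTerminate, 7 = ImageLoad.
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 1, 5, 7 } -MaxEvents $Max -ErrorAction Stop |
        ForEach-Object {
            # Field values (Image, CommandLine, RuleName, ...) live in the XML payload.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Id          = $_.Id
                RuleName    = $data['RuleName']   # name attribute from the config, e.g. "group 1"
                Image       = $data['Image']
                CommandLine = $data['CommandLine']
            }
        }
}

$hits = Get-SysmonRuleHit
# With the configuration above: every Id 1 row has Notepad2.exe in Image AND
# -d3d12 in CommandLine (a Notepad2.exe launch without -d3d12 is not logged);
# Id 5 rows are Notepad2.exe OR ping.exe; Id 7 never appears, because an
# onmatch="include" element with no rules logs nothing for that event type.
$hits | Format-Table -AutoSize
$hits | Group-Object Id | Select-Object Name, Count
```

If Get-WinEvent reports that no events were found, check with "sysmon64 -c" (no argument) that the running driver actually carries the configuration you expect before doubting the rules.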