wtsapi32.dll

  • File Path: C:\Windows\system32\wtsapi32.dll
  • Description: Windows Remote Desktop Session Host Server SDK APIs

Hashes

Type Hash
MD5 8A74CE8D744EE03A61806B349CD55387
SHA1 C63F61F0BB509CA44D964967F6A709092BFF961A
SHA256 EA14059AB9FF886189088D9812880837DAC54851457A5F446E506CD613D18B97
SHA384 44D3A6C77E96192DF7CE72E99C85FEE6BB81C7459E017AABE4CDEDD8ECE807EBCB908925E3EAA23D6A2F99B78CAF8C8B
SHA512 C96F375FAD450C2E72FD9B3531818DB1FE51E604C483964F887B19DF86873A3B404CDFA4D87B79ECA009D8D87F16E539E434F30B75355DA33B4205AE7E28617E
SSDEEP 1536:U7UOp5LXS15qdCJCLXWwapUgQPAX5q9uP:yp9CLqdCJCGwapbQPo5q9u
IMP 1D3A55F1B05A4AA4D327269FDE13BA58
PESHA1 E4F419651A23B21C165624A145DCACEF60E61211
PE256 47E0F8C14A5BBBDD1B480A4E72F87E564701A097D39BD045D71A3E2B74E01A0D

DLL Exports:

Function Name Ordinal Type
WTSSetListenerSecurityA 47 Exported Function
WTSSetListenerSecurityW 48 Exported Function
WTSSendMessageA 45 Exported Function
WTSSendMessageW 46 Exported Function
WTSSetSessionInformationW 51 Exported Function
WTSSetUserConfigA 52 Exported Function
WTSSetRenderHint 49 Exported Function
WTSSetSessionInformationA 50 Exported Function
WTSRegisterSessionNotificationEx 44 Exported Function
WTSQuerySessionInformationA 38 Exported Function
WTSQuerySessionInformationW 39 Exported Function
WTSQueryListenerConfigA 36 Exported Function
WTSQueryListenerConfigW 37 Exported Function
WTSQueryUserToken 42 Exported Function
WTSRegisterSessionNotification 43 Exported Function
WTSQueryUserConfigA 40 Exported Function
WTSQueryUserConfigW 41 Exported Function
WTSVirtualChannelPurgeInput 64 Exported Function
WTSVirtualChannelPurgeOutput 65 Exported Function
WTSVirtualChannelOpen 62 Exported Function
WTSVirtualChannelOpenEx 63 Exported Function
WTSVirtualChannelWrite 68 Exported Function
WTSWaitSystemEvent 69 Exported Function
WTSVirtualChannelQuery 66 Exported Function
WTSVirtualChannelRead 67 Exported Function
WTSVirtualChannelClose 61 Exported Function
WTSStartRemoteControlSessionA 55 Exported Function
WTSStartRemoteControlSessionW 56 Exported Function
WTSSetUserConfigW 53 Exported Function
WTSShutdownSystem 54 Exported Function
WTSUnRegisterSessionNotification 59 Exported Function
WTSUnRegisterSessionNotificationEx 60 Exported Function
WTSStopRemoteControlSession 57 Exported Function
WTSTerminateProcess 58 Exported Function
WTSOpenServerW 35 Exported Function
WTSEnumerateListenersA 12 Exported Function
WTSEnumerateListenersW 13 Exported Function
WTSDisconnectSession 10 Exported Function
WTSEnableChildSessions 11 Exported Function
WTSEnumerateProcessesExW 16 Exported Function
WTSEnumerateProcessesW 17 Exported Function
WTSEnumerateProcessesA 14 Exported Function
WTSEnumerateProcessesExA 15 Exported Function
WTSCreateListenerW 9 Exported Function
QueryUserToken 3 Exported Function
RegisterUsertokenForNoWinlogon 4 Exported Function
IsInteractiveUserSession 1 Exported Function
QueryActiveSession 2 Exported Function
WTSConnectSessionW 7 Exported Function
WTSCreateListenerA 8 Exported Function
WTSCloseServer 5 Exported Function
WTSConnectSessionA 6 Exported Function
WTSGetListenerSecurityW 29 Exported Function
WTSIsChildSessionsEnabled 30 Exported Function
WTSGetChildSessionId 27 Exported Function
WTSGetListenerSecurityA 28 Exported Function
WTSOpenServerExA 33 Exported Function
WTSOpenServerExW 34 Exported Function
WTSLogoffSession 31 Exported Function
WTSOpenServerA 32 Exported Function
WTSFreeMemoryExW 26 Exported Function
WTSEnumerateSessionsA 20 Exported Function
WTSEnumerateSessionsExA 21 Exported Function
WTSEnumerateServersA 18 Exported Function
WTSEnumerateServersW 19 Exported Function
WTSFreeMemory 24 Exported Function
WTSFreeMemoryExA 25 Exported Function
WTSEnumerateSessionsExW 22 Exported Function
WTSEnumerateSessionsW 23 Exported Function

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: wtsapi32.dll
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/70
  • VirusTotal Link: https://www.virustotal.com/gui/file/ea14059ab9ff886189088d9812880837dac54851457a5f446e506cd613d18b97/detection/

Possible Misuse

The following table contains possible examples of wtsapi32.dll being misused. While wtsapi32.dll is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
| --- | --- | --- | --- |
| signature-base | apt_uboat_rat.yar | `$s6 = "WTSAPI32.dll" ascii` | CC BY-NC 4.0 |

MIT License. Copyright (c) 2020-2021 Strontic.