wtsapi32.dll

  • File Path: C:\Windows\SysWOW64\wtsapi32.dll
  • Description: Windows Remote Desktop Session Host Server SDK APIs

Hashes

Type Hash
MD5 D0404C8E3AE16A5B6036FFA971D4D9EA
SHA1 FE0D1077B9A8E1E60C3649924DC1E18DA341B380
SHA256 D4E754AD5AA18AA1CF06CC42A7042ED01DBACDD8771C9BFC931C2709953C2FA0
SHA384 789C2C985E94CE520F7E80288EC868C322EB047D087FADDF4D64861D6E4BF7F5622FD92D9E86F1569719C111E01DE656
SHA512 24B17884E15B78055F8771C78D1DBDED8672D4AE2DA6F9C3B2BE36D5B49E5744BBBD79CDA13A557B609D8E45F1758762D41B459D6145B9236E1CA1257FA859B9
SSDEEP 1536:4BPK/mFR/+hdaWMDxYVxnlXVzq9gGMoPLJSG:8PK+FsdUDAxnFtq9g4jJSG
IMP 05DE2F62058708C9549030BB966BAF5C
PESHA1 9CE2536EFF66F4335C81484B04B969413506E460
PE256 713551B3ADFEE2CC1360D34CE2A475984B36F5570184F51964B29F144D22737A

DLL Exports:

Function Name Ordinal Type
WTSSetListenerSecurityA 47 Exported Function
WTSSetListenerSecurityW 48 Exported Function
WTSSendMessageA 45 Exported Function
WTSSendMessageW 46 Exported Function
WTSSetSessionInformationW 51 Exported Function
WTSSetUserConfigA 52 Exported Function
WTSSetRenderHint 49 Exported Function
WTSSetSessionInformationA 50 Exported Function
WTSRegisterSessionNotificationEx 44 Exported Function
WTSQuerySessionInformationA 38 Exported Function
WTSQuerySessionInformationW 39 Exported Function
WTSQueryListenerConfigA 36 Exported Function
WTSQueryListenerConfigW 37 Exported Function
WTSQueryUserToken 42 Exported Function
WTSRegisterSessionNotification 43 Exported Function
WTSQueryUserConfigA 40 Exported Function
WTSQueryUserConfigW 41 Exported Function
WTSVirtualChannelPurgeInput 64 Exported Function
WTSVirtualChannelPurgeOutput 65 Exported Function
WTSVirtualChannelOpen 62 Exported Function
WTSVirtualChannelOpenEx 63 Exported Function
WTSVirtualChannelWrite 68 Exported Function
WTSWaitSystemEvent 69 Exported Function
WTSVirtualChannelQuery 66 Exported Function
WTSVirtualChannelRead 67 Exported Function
WTSVirtualChannelClose 61 Exported Function
WTSStartRemoteControlSessionA 55 Exported Function
WTSStartRemoteControlSessionW 56 Exported Function
WTSSetUserConfigW 53 Exported Function
WTSShutdownSystem 54 Exported Function
WTSUnRegisterSessionNotification 59 Exported Function
WTSUnRegisterSessionNotificationEx 60 Exported Function
WTSStopRemoteControlSession 57 Exported Function
WTSTerminateProcess 58 Exported Function
WTSOpenServerW 35 Exported Function
WTSEnumerateListenersA 12 Exported Function
WTSEnumerateListenersW 13 Exported Function
WTSDisconnectSession 10 Exported Function
WTSEnableChildSessions 11 Exported Function
WTSEnumerateProcessesExW 16 Exported Function
WTSEnumerateProcessesW 17 Exported Function
WTSEnumerateProcessesA 14 Exported Function
WTSEnumerateProcessesExA 15 Exported Function
WTSCreateListenerW 9 Exported Function
QueryUserToken 3 Exported Function
RegisterUsertokenForNoWinlogon 4 Exported Function
IsInteractiveUserSession 1 Exported Function
QueryActiveSession 2 Exported Function
WTSConnectSessionW 7 Exported Function
WTSCreateListenerA 8 Exported Function
WTSCloseServer 5 Exported Function
WTSConnectSessionA 6 Exported Function
WTSGetListenerSecurityW 29 Exported Function
WTSIsChildSessionsEnabled 30 Exported Function
WTSGetChildSessionId 27 Exported Function
WTSGetListenerSecurityA 28 Exported Function
WTSOpenServerExA 33 Exported Function
WTSOpenServerExW 34 Exported Function
WTSLogoffSession 31 Exported Function
WTSOpenServerA 32 Exported Function
WTSFreeMemoryExW 26 Exported Function
WTSEnumerateSessionsA 20 Exported Function
WTSEnumerateSessionsExA 21 Exported Function
WTSEnumerateServersA 18 Exported Function
WTSEnumerateServersW 19 Exported Function
WTSFreeMemory 24 Exported Function
WTSFreeMemoryExA 25 Exported Function
WTSEnumerateSessionsExW 22 Exported Function
WTSEnumerateSessionsW 23 Exported Function

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: wtsapi32.dll
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/71
  • VirusTotal Link: https://www.virustotal.com/gui/file/d4e754ad5aa18aa1cf06cc42a7042ed01dbacdd8771c9bfc931c2709953c2fa0/detection/

Possible Misuse

The following table contains possible examples of wtsapi32.dll being misused. While wtsapi32.dll is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
signature-base apt_uboat_rat.yar $s6 = "WTSAPI32.dll" ascii CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.