Script to check if DLL is being loaded by a process

  • Question

  • Hello everyone,

    I would like some help from you.

    I need to create a script that checks whether a given DLL was "loaded" by a process. To understand, for example, taking into account the image below, we will think that I want to know if the DLL that is selected at the bottom of the image is being "loaded" by the process that is selected at the top of the image below.

    I checked several WMI objects (including Win32_Process) and just found the process, I got to see an object (I can not remember the name now) WMI that showed some DLLs, but not the ones that are being "loaded" by a process.

    Anyone have any idea how I can create a script that checks this? Which WMI object could give me this information?

    Sorry for any translation failures (by google).

    Wednesday, February 1, 2017 8:46 PM

All replies

  • What's provoking the question?

    -- Bill Stewart [Bill_Stewart]

    Wednesday, February 1, 2017 9:16 PM
    Moderator
  • $p = gwmi win32_process -Filter 'Name = "spoolsv.exe"'
    $p.GetRelated('CIM_DataFile')|select name


    \_(ツ)_/

    • Marked as answer by Léo.SP Thursday, February 2, 2017 12:51 AM
    • Unmarked as answer by Léo.SP Thursday, February 2, 2017 12:51 AM
    • Marked as answer by Léo.SP Friday, February 3, 2017 1:47 AM
    Wednesday, February 1, 2017 9:16 PM
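An added example, not jrv's code or anything posted in this thread, that wraps the same idea in a reusable check suitable for a scheduled monitoring job: locally it reads the process's module list through Get-Process, and for a remote host it walks the Win32_Process to CIM_DataFile association that the answer above relies on. The process name, DLL name, computer name and exit codes are assumptions supplied by the caller; the session is assumed to have the rights to read the target process (for lsass.exe that means an elevated, 64-bit PowerShell host).

```powershell
# Added example (not from the thread): is DLL $ModuleName currently loaded in process $ProcessName?
# Assumptions: caller supplies process and DLL names; the session can read the target process
# (elevated, 64-bit PowerShell for system processes such as lsass.exe).

function Test-ModuleLoaded {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ProcessName,    # e.g. 'spoolsv' (without .exe)
        [Parameter(Mandatory)] [string] $ModuleName,     # e.g. 'localspl.dll'
        [string] $ComputerName = $env:COMPUTERNAME       # a remote name switches to the WMI/CIM path
    )

    $result = [ordered]@{
        Computer     = $ComputerName
        Process      = $ProcessName
        Module       = $ModuleName
        ProcessFound = $false
        Loaded       = $false
        ModulePaths  = @()
        Method       = ''
    }

    if ($ComputerName -ieq $env:COMPUTERNAME) {
        # Local: System.Diagnostics.Process.Modules lists every module mapped into the process.
        $result.Method = 'Get-Process/Modules'
        $procs = @(Get-Process -Name $ProcessName -ErrorAction SilentlyContinue)
        foreach ($proc in $procs) {
            $result.ProcessFound = $true
            try {
                $hits = @($proc.Modules | Where-Object { $_.ModuleName -ieq $ModuleName })
                if ($hits.Count -gt 0) {
                    $result.Loaded = $true
                    $result.ModulePaths += $hits.FileName
                }
            } catch {
                # Typical causes: not elevated, 32-bit PowerShell looking at a 64-bit process,
                # or a protected process whose memory cannot be read.
                Write-Warning "PID $($proc.Id): cannot enumerate modules ($($_.Exception.Message))"
            }
        }
    } else {
        # Remote: Win32_Process -> CIM_DataFile association over WinRM (admin rights on the target).
        $result.Method = 'Win32_Process/CIM_DataFile'
        $procs = @(Get-CimInstance -ClassName Win32_Process -ComputerName $ComputerName `
                     -Filter "Name = '$ProcessName.exe'" -ErrorAction SilentlyContinue)
        foreach ($proc in $procs) {
            $result.ProcessFound = $true
            $files = @(Get-CimAssociatedInstance -InputObject $proc -ResultClassName CIM_DataFile `
                          -ErrorAction SilentlyContinue)
            # CIM_DataFile.Name is the full path; compare on the leaf file name only.
            $hits = @($files | Where-Object { (Split-Path -Path $_.Name -Leaf) -ieq $ModuleName })
            if ($hits.Count -gt 0) {
                $result.Loaded = $true
                $result.ModulePaths += $hits.Name
            }
        }
    }

    [pscustomobject]$result
}

# Usage (constructed example): run from the monitoring system and map the outcome to an exit code
# it understands. 0 = DLL loaded, 1 = process not running, 2 = process running but DLL not loaded.
$check = Test-ModuleLoaded -ProcessName 'spoolsv' -ModuleName 'localspl.dll'
$check | Format-List
if (-not $check.ProcessFound) { exit 1 }
if (-not $check.Loaded)       { exit 2 }
exit 0
```

The result is a point-in-time snapshot: a DLL that is loaded and unloaded dynamically between two runs will not be seen, which is the limitation jrv describes further down the thread. When the target is lsass.exe, run the check from an elevated 64-bit session, and expect the local path to warn rather than answer if LSA runs as a protected process; the remote CIM path avoids reading process memory and is the one to use from a central monitoring host.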
  • $p = gwmi win32_process -Filter 'Name = "spoolsv.exe"'
    $p.GetRelated('CIM_DataFile')|select name


    \_(ツ)_/

    Jrv,

    Thanks, I'll test and return soon.

    This script is in PowerShell, correct? I confess that I do not know much PowerShell, I'm more familiar with VBScript, do you think it's possible to create a script this way in VBScript?
    Thursday, February 2, 2017 12:51 AM
  • What's provoking the question?

    -- Bill Stewart [Bill_Stewart]

    Bill,

    Sorry I did not explain my need in more detail.

    In the company where I work, we have a problem with a system that a certain process (from this system) running on a server for some reason (which is still being analyzed by the systems team) stops "calling" a DLL, until this problem is fixed, I need to create a script that verifies that this DLL is being "executed" along with the process. I do not know if you could understand it now that I went into more detail, but that's the problem.

    As soon as I can create this script, I will configure it in a monitoring system so that it runs from time to time in order to check if the DLL exists with the process.

    Regards,


    Thursday, February 2, 2017 12:51 AM
  • There is no such thing as executing a DLL.  A DLL is loaded and bound.  If that fails the process will crash.  In some cases a DLL can be loaded dynamically but failure will throw an exception either when it is loaded or when it is called.  The lack of one of these DLLs in memory is meaningless as they can be loaded or not loaded and it will be normal.

    There are tools in the SDK that can monitor the loading of DLLs into a process and log what is happening.  DLLs loaded into an app domain cannot be unloaded or disappear.

    The Debug API can monitor calls in a process.  What nothing can do is to tell you why something wasn't called. 

    A DLL is not a thing that is called; it is a file that contains namespaces and classes.  Legacy DLLs may just contain functions.

    What you are trying to do can prove nothing.


    \_(ツ)_/

    Thursday, February 2, 2017 12:55 AM
  • There is no such thing as executing a DLL.  A DLL is loaded and bound.  If that fails the process will crash.  In some cases a DLL can be loaded dynamically but failure will throw an exception either when it is loaded or when it is called.  The lack of one of these DLLs in memory is meaningless as they can be loaded or not loaded and it will be normal.

    There are tools in the SDK that can monitor the loading of DLLs into a process and log what is happening.  DLLs loaded into an app domain cannot be unloaded or disappear.

    The Debug API can monitor calls in a process.  What nothing can do is to tell you why something wasn't called. 

    A DLL is not a thing that is called; it is a file that contains namespaces and classes.  Legacy DLLs may just contain functions.

    What you are trying to do can prove nothing.


    \_(ツ)_/

    It may seem crazy and totally meaningless, but at this point it's interesting for me to know if a DLL is being loaded by a specific process. This DLL is from an authentication system and the process that loads it already exists in the operating system (lsass.exe).

    I know that this may not prove anything, but the purpose is not to prove something or not, because the problem with the system already exists and a way to correct it (alternately) without having great impacts on the productive environment would be to verify if the DLL is being loaded by the process; the purpose in my case is monitoring to act proactively and not deliver a problem that is already known by all.

    I did a test and I believe that the path is the one that you guided me, I will try to reproduce in a remote server to see if I can achieve my goal.

    Many thanks, brother

    =D

    Friday, February 3, 2017 1:36 AM
  • Windows cannot run without LSASS.  LSASS will shut the system down to a blue screen if it fails to load a DLL.

    Whoever sent you on this snipe hunt is probably laughing their butt off watching you chase a mirage.


    \_(ツ)_/

    Friday, February 3, 2017 2:11 AM