Windows 10: Collecting Windows API or DLL logs

Discuss and support Collecting Windows API or DLL logs in AntiVirus, Firewalls and System Security to solve the problem; Hello, In order to detect malicious behavior, I am interested in monitoring calls to some Windows base functions, also called the Windows API, or DLLs... Discussion in 'AntiVirus, Firewalls and System Security' started by Neïlo Perrin-Ganier, Jul 7, 2020.

  1. Collecting Windows API or DLL logs


    Hello,

    In order to detect malicious behavior, I am interested in monitoring calls to some Windows base functions, also called the Windows API, or DLLs. So I was wondering if someone could help us on this question?

    I am able to find logs related to .exe or process but nothing about precise function calls.


    Thanks for your help,

    Neïlo

    :)
     
    Neïlo Perrin-Ganier, Jul 7, 2020
    #1
  2. sentryZX Win User

    Missing api-ms-win-core DLLs

    Hi

    I bought a laptop with Windows 8.1 and upgraded to Windows 10. It's a 64-bit system with an AMD processor. I'm trying to use py2exe to turn a Python script into a standalone executable but I have missing DLLs. The list of DLLs is:

    - api-ms-win-core-libraryloader-l1-2-1.dll

    - api-ms-win-core-atoms-l1-1-0.dll

    - api-ms-win-core-winrt-error-l1-1-1.dll

    - api-ms-win-core-sidebyside-l1-1-0.dll

    - api-ms-win-core-localization-obsolete-l1-3-0.dll

    - api-ms-win-core-heap-l1-2-0.dll

    - api-ms-win-core-heap-l2-1-0.dll

    - api-ms-win-core-delayload-l1-1-1.dll

    - api-ms-win-core-libraryloader-l1-2-0.dll

    - api-ms-win-core-rtlsupport-l1-2-0.dll

    - api-ms-win-core-shlwapi-obsolete-l1-2-0.dll

    - api-ms-win-security-base-l1-2-0.dll

    I do not know where to find these DLLs. I have installed the following in an attempt to resolve this but it has not worked:

    - Visual C++ Redistributables (x86 and x64 - 2008, 2010, 2012, 2013 and 2015)

    - Visual Studio 2010 Express

    - Visual Studio 2010 Express Prerequisites x64

    - Microsoft Windows SDK for Windows 7 (7.1)

    Also Microsoft .NET Framework 4 Multi-Targeting Pack is listed in my Programs and Features list but I am unable to install ANY version of .NET Framework after 4. For example, when I try to install .NET Framework v4.6 the installer blocks and says I already have a newer version of .NET Framework installed. But when I tried to install Windows SDK for Windows 7 the installer told me I had a pre-release version of .NET Framework 4 (which I don't remember installing).

    Where can I obtain the missing DLLs from?
     
    sentryZX, Jul 7, 2020
    #2
  3. Phaewryn Win User
    Error: ucrtbase.terminate not located in the dynamic link library api-ms-win-crt-runtime-l1-1-0.dll

    Open elevated cmd.
    Type the following command: regsvr32 /u api-ms-win-crt-runtime-l1-1-0.dll.
    Type the following command: regsvr32 /i api-ms-win-crt-runtime-l1-1-0.dll.
    Close cmd. Shut down. Restart.
    Here's the page that lists the commands: Regsvr32 - Register a DLL - Windows CMD - SS64.com

    That being said, I also did a registry cleaning, and it also had a pending update that went through that was apparently awaiting a full shut down. It might very well have just been that.

    Microsoft can nudge all they want, I'm keeping this older model laptop on 7, it's not powerful enough for the bloat of 10. I was very near to running an sfc scan (I was going to make that my last thing to set it to do before retiring to bed for the night) and then putting the Windows disc in and repairing the install like you suggested tomorrow if the sfc repair didn't work.
     
    Phaewryn, Jul 7, 2020
    #3
  4. Jordan He Win User

    Collecting Windows API or DLL logs

    api-ms-win-core-libraryloader-l1-2-1.dll is missing

    It is not *-l1-2-0.dll nor *-sysinfo-l1-2-1.dll but *-l1-2-1.dll that is missing.
    I have a Win 8.1 Enterprise install in Parallels Desktop on my MacBook Pro.
    I'm trying to install Win 10 on an external USB 3.0 drive following the tutorial.
    On the last step in Step 3: Deploy the Windows installation image, I try to create the boot section using:

    but it pops up "The program can't start because api-ms-win-core-libraryloader-l1-2-1.dll is missing from your computer. Try reinstalling the program to fix this problem."
    The Windows installed in Parallels is 64-bit, and the Win 10 I'm trying to install is also 64-bit.

    How can I fix this problem?
     
    Jordan He, Jul 7, 2020
    #4