LOLBins Reference

VSCode binary, also portable (CLI) version

Remote file download used by the Intel Graphics Control Panel, receives as first parameter a URL and a destination file path.

Powershell.exe is a a task-based command-line shell built on .NET.

.NET Tool used for updating cache files for Microsoft Office Add-Ins.

Tool used for installation of AppX/MSIX applications on Windows 10

ASP.NET Compilation Tool

Schedule periodic tasks

Helper binary for Assistive Technology (AT)

File used by Windows subsystem for Linux

Used for managing background intelligent transfer

Used for installing certificates

Used for requesting and managing certificates

Windows binary used for handling certificates

Remote Desktop Services MultiUser Change Utility

File Encryption Utility

The command-line interpreter in Windows

creates, lists, and deletes stored user names and passwords or credentials.

Microsoft Connection Manager Auto-Download

Installs or removes a Connection Manager service profile.

Binary that handles color management

ComputerDefaults.exe is a Windows system utility for managing default applications for tasks like web browsing, emailing, and media playback.

Binary part of Windows Defender. Used to manage settings in Windows Defender. You can configure different pilot collections for each of the co-management workloads. Being able to use different pilot collections allows you to take a more granular approach when shifting workloads.

Console Window host

Binary used to launch controlpanel items in Windows

Binary file used by .NET Framework to compile C# code

Binary used to execute scripts in Windows

A host process that is used by custom shells when using Windows in Kiosk mode.

DataSvcUtil.exe is a command-line tool provided by WCF Data Services that consumes an Open Data Protocol (OData) feed and generates the client data service classes that are needed to access a data service from a .NET Framework client application.

Windows binary used to configure lockscreen/desktop image

Device Credential Deployment

ClickOnce engine in Windows used by .NET

Binary that package existing files into a cabinet (.cab) file

Diskshadow.exe is a tool that exposes the functionality offered by the volume shadow copy Service (VSS).

A command-line interface for managing DNS servers

Binary for working with Microsoft Joint Engine Technology (JET) database

Private Character Editor Windows Utility

Displays Windows Event Logs in a GUI window.

Binary that expands one or more compressed files

Binary used for managing files and system components within Windows

Load a DLL located in the c:\test folder with a specific name.

Extract to ADS, copy or overwrite a file with Extrac32.exe

Write to ADS, discover, or download files with Findstr.exe

Displays information about a user or users on a specified remote computer that is running the Finger service or daemon

Filter Manager Control Program used by Windows

Selects and executes a command on a file or set of files. This command is useful for batch processing.

File System Utility

A binary designed for connecting to FTP servers

Used by group policy to process scripts

Binary used for processing chm files in Windows

Microsoft IME Open Extended Dictionary Module

Executes commands from a specially prepared ie4uinit.inf file.

Diagnostics Utility for Internet Explorer

The IEExec.exe application is an undocumented Microsoft .NET Framework application that is included with the .NET Framework. You can use the IEExec.exe application as a host to run other managed applications that you start by using a URL.

used for compile c# code into dll or exe.

Binary used to perform installation based on content inside inf files

The Installer tool is a command-line utility that allows you to install and uninstall server resources by executing the installer components in specified assemblies

Microsoft iSCSI Initiator Control Panel tool

Binary file used by .NET to compile JavaScript code to .exe or .dll format

Creates, modifies, and deletes LDAP directory objects.

Binary to package existing files into a cabinet (.cab) file

Used by App-v in Windows

A utility included with .NET that is capable of compiling and executing C# or VB.net code.

Load snap-ins to locally and remotely manage Windows systems

Binary part of Windows Defender. Used to manage settings in Windows Defender

Used to compile and execute code

MSConfig is a troubleshooting tool which is used to temporarily disable or re-enable software, device drivers or Windows services that run during startup process to help the user determine the cause of a problem with Windows

Microsoft diagnostics tool

Microsoft Edge browser

Used by Windows to execute html applications. (.hta)

Used by Windows to execute msi files

Netsh is a Windows tool used to manipulate network interface settings.

Microsoft Native Image Generator.

Used in Windows for managing ODBC connections

Windows Defender Offline Shell

OneDrive Standalone Updater

Program Compatibility Assistant

Program Compatibility Wizard

Capture Network Packets on the windows 10 with October 2018 Update or later.

Used for installing drivers

File is used for executing Browser applications

Used by Windows to send files to the printer

Printer Migration Command-Line Tool

Launcher process

Windows Problem Steps Recorder, used to record screen and clicks.

Remote Desktop Services MultiUser Query Utility

Windows Remote Access Dialer

Microsoft Windows resource leak diagnostic tool

Used to manipulate the registry

Part of .NET

Used by Windows to manipulate registry

Used to manipulate the registry

Used to register new wmi providers

Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies

Used by Windows to register dlls

Used to replace file with another file

Remote Desktop Services Reset Utility

Used to verify rpc connection

Used by Windows to execute dll files

Launcher process

Executes a Run Once Task that has been configured in the registry

Execute target PowerShell script

Used by Windows to manage services

Schedule periodic tasks

Execute binary through proxy binary to evade defensive counter measures

Configures display settings

Host Process for Setting Synchronization

sftp.exe is a Windows command-line utility that uses the Secure File Transfer Protocol (SFTP) to securely transfer files between a local machine and a remote server.

Ssh.exe is the OpenSSH compatible client can be used to connect to Windows 10 (build 1809 and later) and Windows Server 2019 devices.

Storage diagnostic tool

Used by App-v to get App-v server lists

Used by Windows to extract and create archives.

Used by Windows 1809 and newer to Debug Time Travel (Underlying call of tttracer.exe)

Used by Windows 1809 and newer to Debug Time Travel

Microsoft Windows Media Player Setup Utility

Binary file used for compile vbs code

Used to verify a COM object before it is instantiated by Windows Explorer

Windows address book manager

Windows Backup Administration utility

WMI/WBEM Test Binary

Windows Package Manager tool

Windows Logon Reminder executable

The WMI command-line (WMIC) utility provides a command-line interface for WMI

Work Folders

Used by Windows to execute scripts

Used to reset Windows Store settings according to its manifest file

Windows Update Client

Execute custom class that has been added to the registry or download a file with Xwizard.exe

Microsoft Edge Browser

msedgewebview2.exe is the executable file for Microsoft Edge WebView2, which is a web browser control used by applications to display web content.

Windows Terminal

Utility for installing software and drivers with rundll32.exe

Desktop Settings Control Panel

ClickOnce engine in Windows used by .NET

INF installer for Internet Explorer. Has much of the same functionality as advpack.dll.

Internet Browser DLL for translating HTML code.

Microsoft HTML Viewer

Microsoft HTML Viewer

Windows Photo Viewer

Windows Script Component Runtime

Windows Setup Application Programming Interface

Shell Doc Object and Control Library.

Windows Shell Common Dll

Photo Gallery Viewer

Windows NT System Setup

Internet Shortcut Shell Extension DLL.

Compressed Folder library

COM+ Services

PowerShell Diagnostic Script

Proxy execution with CL_Mutexverifiers.ps1

Aero diagnostics script

Locates and imports a Developer PowerShell module and calls the Enter-VsDevShell cmdlet

Script for managing BitLocker

Proxy execution with Pubprn.vbs

Script used related to app-v and publishing server

PowerShell Diagnostic Script

Script used for manage Windows RM settings

Used as part of the Powershell pester

Verifies UI accessibility requirements

Debugging tool included with Windows Debugging Tools

Intune Management Extension included on Intune Managed Devices

User Experience Virtualization tool that launches applications under monitoring to capture and synchronize user settings.

Windows App Certification Kit command-line tool.

Application Virtualization Utility Included with Microsoft Office 2016

Microsoft SQL Server Bulk Copy Program utility for importing and exporting data between SQL Server instances and data files.

Background Information Utility included with SysInternals Suite

Debugging tool included with Windows Debugging Tools.

Binary coregen.exe (Microsoft CoreCLR Native Image Generator) loads exported function GetCLRRuntimeHost from coreclr.dll or from .DLL in arbitrary path. Coregen is located within "C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\" or another version of Silverlight. Coregen is signed by Microsoft and bundled with Microsoft Silverlight.

Microsoft .NET Runtime Crash Dump Generator (included in .NET Core)

Command line interface included with Visual Studio.

This binary can be downloaded along side multiple software downloads on the Microsoft website. It gets downloaded when the user forgets to uncheck the option to set Bing as the default search provider.

Visual Studio 2019 tool

Binary will execute specified binary. Part of VS/VScode installation.

.NET Execution environment file included with .NET.

dotnet.exe comes with .NET Framework

Dsdbutil is a command-line tool that is built into Windows Server. It is available if you have the AD LDS server role installed. Can be used as a command line utility to export Active Directory.

Microsoft command line utility used to manage SQL Server Integration Services packages.

Memory dump tool that comes with Microsoft Visual Studio

Dump tool part Visual Studio 2022

DirectX diagnostics/debugger included with Visual Studio.

Command-line tool for managing certificates in Microsoft Exchange Server.

Microsoft Office binary

64-bit FSharp (F#) Interpreter included with Visual Studio and DotNet Core SDK.

32/64-bit FSharp (F#) Interpreter included with Visual Studio.

Visual Studio command-line tool for collecting and managing diagnostic trace files.

Trace log generation tool for Media Foundation Tools.

Part of the NodeJS Visual Studio tools.

Command-line tool for running Message Passing Interface (MPI) applications.

Microsoft Office component

Microsoft tool used to deploy Web Applications.

Microsoft Office component

Microsoft Publisher

Command line utility used to perform XSL transformations.

Command line utility used to export Active Directory.

Symbolic Debugger for Windows.

Console Window host for Windows Terminal

Command line utility for taking and analyzing PIX GPU captures.

Microsoft Office binary.

SysInternals Memory Dump Tool

Microsoft Office binary

Non-Interactive command line inerface included with Visual Studio.

Debugging tool included with Windows Debugging Tools

Debugging utility included with Microsoft SQL.

Tool included with Microsoft SQL Server that loads SQL Server cmdlets. Microsoft SQL Server\100 and 110 are Powershell v2. Microsoft SQL Server\120 and 130 are Powershell version 4. Replaced by SQLToolsPS.exe in SQL Server 2016, but will be included with installation for compatability reasons.

Tool included with Microsoft SQL that loads SQL Server cmdlts. A replacement for sqlps.exe. Successor to sqlps.exe in SQL Server 2016+.

Binary to update the existing installed Nuget/squirrel package. Part of Microsoft Teams installation.

Testing tool included with Microsoft Test Authoring and Execution Framework (TAEF).

Electron runtime binary which runs the Teams application

TestWindowRemoteAgent.exe is the command-line tool to establish RPC

Tool included with Microsoft .Net Framework.

Binary to update the existing installed Nuget/squirrel package. Part of Microsoft Teams installation.

Command-line tool used for performing diagnostics.

Binary will execute specified binary. Part of VS/VScode installation.

Microsoft Visio Executable

A Windows SDK binary for manual and automated testing of Microsoft UI Automation implementation and controls.

Microsoft Visual Studio browser launcher tool for web applications debugging

VShadow is a command-line tool that can be used to create and manage volume shadow copies.

Just-In-Time (JIT) debugger included with Visual Studio

Command-line tool used for pretty-print a dump file generated by Message Farm Analyzer tool.

The Workflow Command-line Compiler tool is included with the Windows Software Development Kit (SDK).

Windows Debugger for advanced user-mode and kernel-mode debugging.

Microsoft Project Executable

Microsoft Office binary

Windows subsystem for Linux executable

Windows Performance Toolkit binary used to start performance traces.

Windows Performance Toolkit binary used for tracing and analyzing system performance during sleep and resume transitions.

Binary to enable forwarded ports on windows operating systems.

Agent for Visual Studio Live Share (Code Collaboration)

VSTest.Console.exe is the command-line tool to run tests

Windows File Manager executable

XML Schema Definition Tool included with the Windows Software Development Kit (SDK).