Many VQL plugins and functions provide access to the Windows APIs. The following are only available when running Velociraptor on Windows.
| Plugin/Function | Type | Description |
|---|---|---|
| amsi | Function | AMSI is an interface on Windows to scan a string for malware |
| appcompatcache | Plugin | Parses the appcompatcache |
| authenticode | Function | Parses authenticode information from PE files |
| certificates | Plugin | Collect certificates from the system trust store |
| etw_sessions | Plugin | Enumerates all active ETW sessions |
| handles | Plugin | Enumerate process handles |
| interfaces | Plugin | List all active network interfaces using the API |
| lookupSID | Function | Get information about the SID |
| modules | Plugin | Enumerate loaded DLLs |
| partitions | Plugin | List all partitions |
| proc_dump | Plugin | Dumps process memory |
| proc_yara | Plugin | Scan processes using YARA rules |
| read_reg_key | Plugin | This is a convenience plugin which applies the globs to the registry |
| reg_rm_key | Function | Removes a key and all its values from the registry |
| reg_rm_value | Function | Removes a value in the registry |
| reg_set_value | Function | Set a value in the registry |
| srum_lookup_id | Function | Lookup a SRUM id |
| threads | Plugin | Enumerate threads in a process |
| token | Function | Extract process token |
| users | Plugin | Display information about workstation local users |
| vad | Plugin | Enumerate process memory regions |
| winobj | Plugin | Enumerate the Windows Object Manager namespace |
| winpmem | Function | Uses the winpmem driver to take a memory image |
| wmi | Plugin | Execute simple WMI queries synchronously |