Windows Specific

Many VQL plugins and functions provide access to the Windows APIs. The following are only available when running on Windows.

amsiFunctionAMSI is an interface on windows to scan a string for malware
appcompatcachePluginParses the appcompatcache
authenticodeFunctionParses authenticode information from PE files
certificatesPluginCollect certificate from the system trust store
dnsPluginMonitor dns queries
handlesPluginEnumerate process handles
interfacesPluginList all active network interfaces using the API
lookupSIDFunctionGet information about the SID
modulesPluginEnumerate Loaded DLLs
partitionsPluginList all partitions
proc_dumpPluginDumps process memory
proc_yaraPluginScan processes using yara rules
read_reg_keyPluginThis is a convenience plugin which applies the globs to the registry
srum_lookup_idFunctionLookup a SRUM id
tokenFunctionExtract process token
usersPluginDisplay information about workstation local users
vadPluginEnumerate process memory regions
winobjPluginEnumerate The Windows Object Manager namespace
wmiPluginExecute simple WMI queries synchronously