Many VQL plugins and functions provide access to the Windows APIs. The following are only available when running on Windows.
Plugin/Function | Type | Description
---|---|---
amsi | Function | AMSI is an interface on Windows to scan a string for malware
appcompatcache | Plugin | Parses the AppCompatCache (shim cache)
authenticode | Function | Parses Authenticode information from PE files
certificates | Plugin | Collects certificates from the system trust store
dns | Plugin | Monitors DNS queries
handles | Plugin | Enumerates process handles
interfaces | Plugin | Lists all active network interfaces using the API
lookupSID | Function | Gets information about a SID
modules | Plugin | Enumerates loaded DLLs
partitions | Plugin | Lists all partitions
proc_dump | Plugin | Dumps process memory
proc_yara | Plugin | Scans processes using YARA rules
read_reg_key | Plugin | A convenience plugin which applies the globs to the registry
srum_lookup_id | Function | Looks up a SRUM ID
token | Function | Extracts the process token
users | Plugin | Displays information about workstation local users
vad | Plugin | Enumerates process memory regions
winobj | Plugin | Enumerates the Windows Object Manager namespace
wmi | Plugin | Executes simple WMI queries synchronously