Where to find information on Windows DLL files

Jackface 1 Reputation point
2022-09-15T11:43:51.403+00:00

Hi All,

I got an alert that PCs are resolving a strange-looking URL (c.lencr.org). When I looked into it, it's coming from multiple PCs. We found the URL is actually a legitimate CRL list:
https://letsencrypt.org/docs/lencr.org/

We used Sysmon to find the DNS requests are coming from cryptsvc.dll on the client machines. I uploaded cryptsvc.dll to VirusTotal and it has come up clean.

I think this is normal operation for cryptsvc.dll but I'm looking to find some official documentation from Microsoft on what this DLL does to confirm it. The best I found was here:
https://www.bleepingcomputer.com/startups/cryptsvc.dll-25643.html

But not an official MS website.

Any help welcome. Thanks in advance.


3 answers

  1. dstaulcu 351 Reputation points
    2022-09-17T15:35:32.607+00:00

    The journey to answer this sort of question can be jumpstarted with Sysinternals Sigcheck.

    You can point Sigcheck at the file in question to answer questions relating to the origin of the executable (publisher, company), its integrity (digital signature), its description (high-level summary of functionality), and its hash (for lookups to threat intelligence sources such as VirusTotal having details about reputation and observed behavior).

    Once you trust that the file in question has integrity, you can then leverage the product description to study its intended purpose on the vendor website. For Microsoft function libraries I tend to throw "learn.microsoft.com" and "msdn" into search terms. Full query:

    "Cryptographic Services" CryptSvc.dll site:learn.microsoft.com msdn

    Based on the description I agree with your assessment that the transaction was expected behavior relating to cryptographic services. With that, the follow-on action in my mind would be to determine what activity invoked the support of cryptographic services. In this case I'd be more concerned about "the game" than the cryptsvc player itself. I'd inspect ProcessCreate/ImageLoad events just prior to the cue and DNSQuery/NetworkConnect events which immediately follow for answers to that.

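The correlation dstaulcu's answer describes, as an added example that is not part of the original thread: for each DNS query for the alerted name, list the ProcessCreate/ImageLoad events shortly before it and the DnsQuery/NetworkConnect events shortly after it. It assumes Sysmon events from one host have been exported and flattened to dicts; the sample events, `updater.exe`, the 30-second window and the addresses are constructed for illustration.

```python
from datetime import datetime, timedelta

# Sysmon event IDs for the event types named in the answer above.
PROCESS_CREATE, NETWORK_CONNECT, IMAGE_LOAD, DNS_QUERY = 1, 3, 7, 22
FMT = "%Y-%m-%d %H:%M:%S.%f"  # layout of Sysmon's UtcTime field

SVCHOST = r"C:\Windows\System32\svchost.exe"
UPDATER = r"C:\Program Files\ExampleApp\updater.exe"  # hypothetical application

# Constructed sample: events from one host, flattened to dicts (assumed export format).
EVENTS = [
    {"EventID": 1, "UtcTime": "2022-09-15 11:20:00.000", "Image": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 1, "UtcTime": "2022-09-15 11:40:02.100", "Image": UPDATER},
    {"EventID": 7, "UtcTime": "2022-09-15 11:40:02.350", "Image": UPDATER,
     "ImageLoaded": r"C:\Windows\System32\crypt32.dll"},
    {"EventID": 22, "UtcTime": "2022-09-15 11:40:03.000", "Image": SVCHOST, "QueryName": "c.lencr.org"},
    {"EventID": 3, "UtcTime": "2022-09-15 11:40:03.400", "Image": SVCHOST,
     "DestinationIp": "203.0.113.10", "DestinationPort": 80},
    {"EventID": 22, "UtcTime": "2022-09-15 11:40:03.900", "Image": UPDATER,
     "QueryName": "updates.example.com"},
]

def ts(event):
    return datetime.strptime(event["UtcTime"], FMT)

def context_for_query(events, query_name, before_s=30, after_s=30):
    """For each DNS query for query_name, gather host-wide ProcessCreate/ImageLoad
    events just before it and DnsQuery/NetworkConnect events just after it."""
    events = sorted(events, key=ts)
    results = []
    for hit in events:
        if hit["EventID"] != DNS_QUERY or hit.get("QueryName", "").lower() != query_name.lower():
            continue
        t = ts(hit)
        lo, hi = t - timedelta(seconds=before_s), t + timedelta(seconds=after_s)
        # Window by time, not ProcessGuid (assumption: the process that resolves
        # the name is a service host, not the process that triggered the lookup).
        prior = [e for e in events
                 if e["EventID"] in (PROCESS_CREATE, IMAGE_LOAD) and lo <= ts(e) < t]
        following = [e for e in events if e is not hit
                     and e["EventID"] in (DNS_QUERY, NETWORK_CONNECT) and t <= ts(e) <= hi]
        results.append({"query": hit, "prior": prior, "following": following})
    return results

if __name__ == "__main__":
    for r in context_for_query(EVENTS, "c.lencr.org"):
        print("query by", r["query"]["Image"], "at", r["query"]["UtcTime"])
        for label in ("prior", "following"):
            for e in r[label]:
                print(f"  {label:9} id={e['EventID']:<2} {e['UtcTime']} {e['Image']}")
```
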

  2. Michael_N 961 Reputation points
    2022-11-13T08:53:47.707+00:00

    Not really applicable to your case, but depending on what information on the DLL you are looking for, Strontic's xCyclopedia might be of assistance.
    For cryptsvc.dll the xCyclopedia is found here:
    https://strontic.github.io/xcyclopedia/library/cryptsvc.dll-8AB3568419872D1A8A7B45153AF7B3D4.html

    The xCyclopedia in general:


  3. Nic Bennett 0 Reputation points
    2023-05-10T09:18:30.51+00:00

    Interestingly enough I recently had this problem, though not sure which DLL it originated from, but in my case I was DLL hijacked and it’s been immensely difficult to find much information on it till now. Even less so due to almost every scanner failing me up until spy bot was able to pick up a few registry changes that led on the hunt leading to this. It had been driving me mad too because the persistence being as high as it was and thinking sfc and down were helping, yet it made it worse, as well as the corrupted wim file replacement making the reset function all quite unusable all unbeknownst to me being a greenhorn exploring further into computer sciences 😬

