Performs an operation on a specified file. If malware creates a new process, you will need to analyze the new process as well.
HINSTANCE ShellExecute( _In_opt_ HWND hwnd, _In_opt_ LPCTSTR lpOperation, _In_ LPCTSTR lpFile, _In_opt_ LPCTSTR lpParameters, _In_opt_ LPCTSTR lpDirectory, _In_ INT nShowCmd );
- hwnd [in, optional]
- Type: HWND
- A handle to the parent window used for displaying a UI or error messages. This value can be NULL if the operation is not associated with a window.
- lpOperation [in, optional]
- Type: LPCTSTR
- A pointer to a null-terminated string, referred to in this case as a verb, that specifies the action to be performed. The set of available verbs depends on the particular file or folder. Generally, the actions available from an object's shortcut menu are available verbs. The following verbs are commonly used:
- edit: Launches an editor and opens the document for editing. If lpFile is not a document file, the function will fail.
- explore: Explores a folder specified by lpFile.
- find: Initiates a search beginning in the directory specified by lpDirectory.
- open: Opens the item specified by the lpFile parameter. The item can be a file or folder.
- print: Prints the file specified by lpFile. If lpFile is not a document file, the function fails.
- NULL: The default verb is used, if available. If not, the "open" verb is used. If neither verb is available, the system uses the first verb listed in the registry.
- lpFile [in]
- Type: LPCTSTR
- A pointer to a null-terminated string that specifies the file or object on which to execute the specified verb. To specify a Shell namespace object, pass the fully qualified parse name. Note that not all verbs are supported on all objects. For example, not all document types support the "print" verb. If a relative path is used for the lpDirectory parameter, do not use a relative path for lpFile.
- lpParameters [in, optional]
- Type: LPCTSTR
- If lpFile specifies an executable file, this parameter is a pointer to a null-terminated string that specifies the parameters to be passed to the application. The format of this string is determined by the verb that is to be invoked.
- If lpFile specifies a document file, lpParameters should be NULL.
- lpDirectory [in, optional]
- Type: LPCTSTR
- A pointer to a null-terminated string that specifies the default (working) directory for the action. If this value is NULL, the current working directory is used. If a relative path is provided at lpFile, do not use a relative path for lpDirectory.
- nShowCmd [in]
- Type: INT
- The flags that specify how an application is to be displayed when it is opened. If lpFile specifies a document file, the flag is simply passed to the associated application. It is up to the application to decide how to handle it. These values are defined in Winuser.h.
- SW_HIDE (0)
- Hides the window and activates another window.
- SW_MAXIMIZE (3)
- Maximizes the specified window.
- SW_MINIMIZE (6)
- Minimizes the specified window and activates the next top-level window in the z-order.
- SW_RESTORE (9)
- Activates and displays the window. If the window is minimized or maximized, Windows restores it to its original size and position. An application should specify this flag when restoring a minimized window.
- SW_SHOW (5)
- Activates the window and displays it in its current size and position.
- SW_SHOWDEFAULT (10)
- Sets the show state based on the SW_ flag specified in the STARTUPINFO structure passed to the CreateProcess function by the program that started the application. An application should call ShowWindow with this flag to set the initial show state of its main window.
- SW_SHOWMAXIMIZED (3)
- Activates the window and displays it as a maximized window.
- SW_SHOWMINIMIZED (2)
- Activates the window and displays it as a minimized window.
- SW_SHOWMINNOACTIVE (7)
- Displays the window as a minimized window. The active window remains active.
- SW_SHOWNA (8)
- Displays the window in its current state. The active window remains active.
- SW_SHOWNOACTIVATE (4)
- Displays a window in its most recent size and position. The active window remains active.
- SW_SHOWNORMAL (1)
- Activates and displays a window. If the window is minimized or maximized, Windows restores it to its original size and position. An application should specify this flag when displaying the window for the first time.
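When a sample's call to ShellExecute is read out of a disassembly or an API-monitor trace, nShowCmd arrives as a bare integer, and SW_HIDE (0) is the value an analyst most wants to spot, since it starts the target with no visible window. The decoder below is an added example written for this page, not code from the documentation or from any product; the numeric values are the Winuser.h definitions quoted in the list above (SW_MAXIMIZE and SW_SHOWMAXIMIZED share the value 3, so a decoder can only report the number, not which name the source used), and the trace it walks is a constructed sample with hypothetical file names.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* nShowCmd values as defined in Winuser.h; the numbers match the list above.
 * SW_MAXIMIZE is the same value as SW_SHOWMAXIMIZED (3). */
enum {
    SW_HIDE = 0, SW_SHOWNORMAL = 1, SW_SHOWMINIMIZED = 2, SW_SHOWMAXIMIZED = 3,
    SW_SHOWNOACTIVATE = 4, SW_SHOW = 5, SW_MINIMIZE = 6, SW_SHOWMINNOACTIVE = 7,
    SW_SHOWNA = 8, SW_RESTORE = 9, SW_SHOWDEFAULT = 10
};
#define SW_MAXIMIZE SW_SHOWMAXIMIZED

/* Translate a raw nShowCmd value (the last argument of ShellExecute) to a name. */
const char *sw_name(int cmd)
{
    switch (cmd) {
    case SW_HIDE:            return "SW_HIDE";
    case SW_SHOWNORMAL:      return "SW_SHOWNORMAL";
    case SW_SHOWMINIMIZED:   return "SW_SHOWMINIMIZED";
    case SW_SHOWMAXIMIZED:   return "SW_SHOWMAXIMIZED (SW_MAXIMIZE)";
    case SW_SHOWNOACTIVATE:  return "SW_SHOWNOACTIVATE";
    case SW_SHOW:            return "SW_SHOW";
    case SW_MINIMIZE:        return "SW_MINIMIZE";
    case SW_SHOWMINNOACTIVE: return "SW_SHOWMINNOACTIVE";
    case SW_SHOWNA:          return "SW_SHOWNA";
    case SW_RESTORE:         return "SW_RESTORE";
    case SW_SHOWDEFAULT:     return "SW_SHOWDEFAULT";
    default:                 return "unknown";
    }
}

/* SW_HIDE is the one value that asks for no visible window at all. */
int sw_hides_window(int cmd) { return cmd == SW_HIDE; }

/* These three show the window but leave the currently active window active,
 * so nothing takes focus away from what the user is doing. */
int sw_leaves_focus(int cmd)
{
    return cmd == SW_SHOWMINNOACTIVE || cmd == SW_SHOWNA || cmd == SW_SHOWNOACTIVATE;
}

/* One observed ShellExecute call, as an API-monitor trace would record it. */
struct observed_call {
    const char *verb;   /* lpOperation */
    const char *file;   /* lpFile */
    int show;           /* nShowCmd */
};

/* Constructed sample trace (hypothetical file names, not from any real sample). */
static const struct observed_call SAMPLE_CALLS[] = {
    { "open",  "C:\\Users\\Public\\readme.txt", SW_SHOWNORMAL },
    { "open",  "C:\\Windows\\notepad.exe",      SW_SHOW },
    { "open",  "C:\\Users\\Public\\helper.exe", SW_HIDE },
    { "print", "C:\\Users\\Public\\readme.txt", SW_SHOWMINNOACTIVE },
};
static const size_t SAMPLE_CALL_COUNT = sizeof SAMPLE_CALLS / sizeof SAMPLE_CALLS[0];

/* Print each call decoded and return how many asked for a hidden window. */
size_t count_hidden_launches(const struct observed_call *calls, size_t n)
{
    size_t hidden = 0;
    for (size_t i = 0; i < n; i++) {
        printf("ShellExecute(%s, \"%s\", nShowCmd=%d -> %s)%s\n",
               calls[i].verb, calls[i].file, calls[i].show, sw_name(calls[i].show),
               sw_hides_window(calls[i].show) ? "  [hidden window]" : "");
        if (sw_hides_window(calls[i].show))
            hidden++;
    }
    return hidden;
}

int main(void)
{
    size_t hidden = count_hidden_launches(SAMPLE_CALLS, SAMPLE_CALL_COUNT);
    printf("%zu of %zu calls request a hidden window\n", hidden, SAMPLE_CALL_COUNT);
    return 0;
}
```

A hidden launch is not by itself malicious (installers and updaters do it too), but when the page's advice to follow the new process applies, the SW_HIDE calls are the ones whose child you will not see on screen, so they are the first to trace.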
If the function succeeds, it returns a value greater than 32. If the function fails, it returns an error value that indicates the cause of the failure. The return value is cast as an HINSTANCE for backward compatibility with 16-bit Windows applications. It is not a true HINSTANCE, however. It can be cast only to an int and compared to either 32 or the error codes below.
| Return value | Description |
|---|---|
| 0 | The operating system is out of memory or resources. |
| ERROR_FILE_NOT_FOUND | The specified file was not found. |
| ERROR_PATH_NOT_FOUND | The specified path was not found. |
| ERROR_BAD_FORMAT | The .exe file is invalid (non-Win32 .exe or error in .exe image). |
| SE_ERR_ACCESSDENIED | The operating system denied access to the specified file. |
| SE_ERR_ASSOCINCOMPLETE | The file name association is incomplete or invalid. |
| SE_ERR_DDEBUSY | The DDE transaction could not be completed because other DDE transactions were being processed. |
| SE_ERR_DDEFAIL | The DDE transaction failed. |
| SE_ERR_DDETIMEOUT | The DDE transaction could not be completed because the request timed out. |
| SE_ERR_DLLNOTFOUND | The specified DLL was not found. |
| SE_ERR_FNF | The specified file was not found. |
| SE_ERR_NOASSOC | There is no application associated with the given file name extension. This error will also be returned if you attempt to print a file that is not printable. |
| SE_ERR_OOM | There was not enough memory to complete the operation. |
| SE_ERR_PNF | The specified path was not found. |
| SE_ERR_SHARE | A sharing violation occurred. |
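The "greater than 32" rule and the cast-to-integer caveat are easy to get wrong when reading a sample's code or a sandbox log, because the same small numbers serve two name sets (ERROR_FILE_NOT_FOUND and SE_ERR_FNF are both 2, ERROR_PATH_NOT_FOUND and SE_ERR_PNF are both 3) and 32 itself is a failure. The decoder below is an added example written for this page, not code from the documentation; it takes the error names from the table above, and the numeric values it assigns them are the shellapi.h and winerror.h definitions. The logged return values it walks are a constructed sample.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Failure values returned by ShellExecute. The names are from the table above;
 * the numbers are the shellapi.h / winerror.h definitions. Overlaps:
 * ERROR_FILE_NOT_FOUND == SE_ERR_FNF (2), ERROR_PATH_NOT_FOUND == SE_ERR_PNF (3). */
enum {
    SE_ERR_FNF = 2, SE_ERR_PNF = 3, SE_ERR_ACCESSDENIED = 5, SE_ERR_OOM = 8,
    ERROR_BAD_FORMAT = 11, SE_ERR_SHARE = 26, SE_ERR_ASSOCINCOMPLETE = 27,
    SE_ERR_DDETIMEOUT = 28, SE_ERR_DDEFAIL = 29, SE_ERR_DDEBUSY = 30,
    SE_ERR_NOASSOC = 31, SE_ERR_DLLNOTFOUND = 32
};

/* HINSTANCE is a pointer type; the only legal use of the returned value is to
 * convert it to an integer. intptr_t keeps the full width on 64-bit Windows. */
intptr_t shellexecute_result_code(void *hinst) { return (intptr_t)hinst; }

/* The documented success test: any value greater than 32 means the call worked. */
int shellexecute_succeeded(intptr_t ret) { return ret > 32; }

/* Name the failure behind a ShellExecute return value (for a success, "success"). */
const char *shellexecute_error_name(intptr_t ret)
{
    if (shellexecute_succeeded(ret))
        return "success";
    switch ((int)ret) {
    case 0:                      return "out of memory or resources";
    case SE_ERR_FNF:             return "SE_ERR_FNF / ERROR_FILE_NOT_FOUND";
    case SE_ERR_PNF:             return "SE_ERR_PNF / ERROR_PATH_NOT_FOUND";
    case SE_ERR_ACCESSDENIED:    return "SE_ERR_ACCESSDENIED";
    case SE_ERR_OOM:             return "SE_ERR_OOM";
    case ERROR_BAD_FORMAT:       return "ERROR_BAD_FORMAT";
    case SE_ERR_SHARE:           return "SE_ERR_SHARE";
    case SE_ERR_ASSOCINCOMPLETE: return "SE_ERR_ASSOCINCOMPLETE";
    case SE_ERR_DDETIMEOUT:      return "SE_ERR_DDETIMEOUT";
    case SE_ERR_DDEFAIL:         return "SE_ERR_DDEFAIL";
    case SE_ERR_DDEBUSY:         return "SE_ERR_DDEBUSY";
    case SE_ERR_NOASSOC:         return "SE_ERR_NOASSOC";
    case SE_ERR_DLLNOTFOUND:     return "SE_ERR_DLLNOTFOUND";
    default:                     return "undocumented failure value";
    }
}

/* Constructed return values as a sandbox might log them for several calls
 * (a value above 32 for each success, a small integer for each failure). */
static void *const SAMPLE_RETURNS[] = {
    (void *)(intptr_t)42,
    (void *)(intptr_t)SE_ERR_FNF,
    (void *)(intptr_t)SE_ERR_NOASSOC,
    (void *)(intptr_t)SE_ERR_ACCESSDENIED,
    (void *)(intptr_t)33
};
static const size_t SAMPLE_RETURN_COUNT = sizeof SAMPLE_RETURNS / sizeof SAMPLE_RETURNS[0];

/* Decode every logged return value and return how many calls failed. */
size_t count_failed_calls(void *const *rets, size_t n)
{
    size_t failed = 0;
    for (size_t i = 0; i < n; i++) {
        intptr_t code = shellexecute_result_code(rets[i]);
        printf("call %zu: return %ld -> %s\n", i, (long)code, shellexecute_error_name(code));
        if (!shellexecute_succeeded(code))
            failed++;
    }
    return failed;
}

int main(void)
{
    size_t failed = count_failed_calls(SAMPLE_RETURNS, SAMPLE_RETURN_COUNT);
    printf("%zu of %zu calls failed\n", failed, SAMPLE_RETURN_COUNT);
    return 0;
}
```

Two things the decoder makes explicit: a failed call never creates the child process the page tells you to follow, so a trace full of SE_ERR_NOASSOC or SE_ERR_FNF means the launch did not happen on that system, and a sample that tests the return with `== 0` or `!= NULL` instead of `> 32` will treat SE_ERR_DLLNOTFOUND (32) as success.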