From d6eec4ea748245c07a041e6c513268c170c6c33f Mon Sep 17 00:00:00 2001 From: Oddvar Moe Date: Fri, 27 Apr 2018 17:21:50 +0200 Subject: [PATCH] Added Pcwutl.dll to LOLLibs --- LOLLibs.md | 1 + OSBinaries/Psr.md | 20 ++++++++++++++++++++ OSLibraries/Pcwutl.md | 30 ++++++++++++++++++++++++++++++ 3 files changed, 51 insertions(+) create mode 100644 OSLibraries/Pcwutl.md diff --git a/LOLLibs.md b/LOLLibs.md index fc9b73c..0fb0bad 100644 --- a/LOLLibs.md +++ b/LOLLibs.md @@ -7,6 +7,7 @@ If you are missing from the acknowledgement, please let me know (I did not forge [Advpack.dll](OSLibraries/Advpack.md) [Ieadvpack.dll](OSLibraries/Ieadvpack.md) [Ieframe.dll](OSLibraries/Ieframe.md) +[Pcwutl.dll](OSLibraries/Pcwutl.md) [Shdocvw.dll](OSLibraries/Shdocvw.md) [Shell32.dll](OSLibraries/Shell32.md) [Url.dll](OSLibraries/Url.md) diff --git a/OSBinaries/Psr.md b/OSBinaries/Psr.md index af8c129..430c4c4 100644 --- a/OSBinaries/Psr.md +++ b/OSBinaries/Psr.md @@ -5,6 +5,8 @@ ``` psr.exe /start /gui 0 /output c:\users\user\out.zip +psr.exe /start /maxsc 100 /gui 0 /output c:\users\user\out.zip + psr.exe /stop ``` 
@@ -26,5 +28,23 @@ C:\Windows\SysWOW64\Psr.exe Notes: It does not log keystrokes. Only screenshots when something is clicked. +psr.exe [/start |/stop][/output ] [/sc (0|1)] [/maxsc ] + [/sketch (0|1)] [/slides (0|1)] [/gui (o|1)] + [/arcetl (0|1)] [/arcxml (0|1)] [/arcmht (0|1)] + [/stopevent ] [/maxlogsize ] [/recordpid ] + +/start :Start Recording. (Outputpath flag SHOULD be specified) +/stop :Stop Recording. +/sc :Capture screenshots for recorded steps. +/maxsc :Maximum number of recent screen captures. +/maxlogsize :Maximum log file size (in MB) before wrapping occurs. +/gui :Display control GUI. +/arcetl :Include raw ETW file in archive output. +/arcxml :Include MHT file in archive output. +/recordpid :Record all actions associated with given PID. +/sketch :Sketch UI if no screenshot was saved. +/slides :Create slide show HTML pages. +/output :Store output of record session in given path. +/stopevent :Event to signal after output files are generated. \ No newline at end of file diff --git a/OSLibraries/Pcwutl.md b/OSLibraries/Pcwutl.md new file mode 100644 index 0000000..961465c --- /dev/null +++ b/OSLibraries/Pcwutl.md @@ -0,0 +1,30 @@ +## Pcwutl.dll + +* Functions: Execute + +``` +rundll32.exe pcwutl.dll,LaunchApplication calc.exe +``` + +Acknowledgements: +* Matt harr0ey - @harr0ey + +Code sample: +* + +Resources: +* https://twitter.com/harr0ey/status/989617817849876488 + +Full path: +``` +c:\windows\system32\Pcwutl.dll +c:\windows\sysWOW64\Pcwutl.dll +``` + +Notes: + + + +Detection: + +
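Review bot: In the first Psr.md hunk (`@@ -5,6 +5,8 @@`) the new `psr.exe /start /maxsc 100 /gui 0 /output c:\users\user\out.zip` line differs from the line above it only by `/maxsc 100`, yet nothing in the file says why the cap is set; add a short sentence under Notes pointing out that `/maxsc` sets the maximum number of recent screen captures retained (as the usage text added later in this patch states), since a recording with the default limit silently discards older screenshots. The blank line added inside the code fence between the two `/start` variants and `/stop` is also inconsistent with the rest of the block; drop it.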
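Review bot: In the second Psr.md hunk (`@@ -26,5 +28,23 @@`) the usage text from `psr.exe [/start |/stop][/output ] ...` down to `/stopevent :Event to signal after output files are generated.` is pasted as bare markdown instead of inside a ``` fence like the command block at the top of the file, so the bracketed option groups and leading slashes will reflow and lose their alignment when rendered; wrap the whole block in a fence. Two smaller points: `/arcmht (0|1)` appears in the usage line but has no description line among the options, and the file now ends without a trailing newline (`\ No newline at end of file`).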
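Review bot: In the new OSLibraries/Pcwutl.md the `Detection:` and `Notes:` sections are empty and `Code sample:` carries an empty bullet; since the documented invocation is `rundll32.exe pcwutl.dll,LaunchApplication calc.exe`, the Detection section should at minimum note that the library name and the `LaunchApplication` export appear verbatim in the rundll32.exe command line, so process-creation auditing that records command lines will capture it, and that the launched program shows rundll32.exe as its parent process, which is an unusual parent for most applications. Also the full path `c:\windows\sysWOW64\Pcwutl.dll` uses different casing from `C:\Windows\SysWOW64\Psr.exe` in Psr.md; keep the casing consistent across the OSLibraries pages.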