winapiexec is a small tool that allows to run WinAPI functions through command line parameters.


The syntax is:
winapiexec.exe library.dll@FunctionName 123 unicode_text "a space"

If you don’t specify a library or use “k”, kernel32.dll is used.
If you specify “u” as a library, user32.dll is used.

Numbers are detected automatically. You can use hex numbers (like 0xFE) and use the minus sign (e.g. -5).
Strings are Unicode by default.

You can use special prefixes to specify parameter types:
$s:ansi – an ANSI string.
$u:unicode – a Unicode string (it’s Unicode by default, but you can use it to force numbers as strings).
$b:1024 – a zero-bytes buffer with the size you specify, in bytes.
$$:1 – a reference to another parameter, you can also use $$:0 for the program’s name (argv[0]).
$a:0,1,two,3 – an array of parameters, divided by commas. you can use all the prefixes here.
$a[a,b,$a[c,d],e] – an alternative syntax for an array of parameters. Allows to have nested arrays.
$$:3@2 – a reference to an item in an array of parameters, can have more than one indirection.

While referencing to another parameter, note that they are processed by the order of execution, which means there’s no point to reference to a parameter right to the referencing one.
Also note that after a function is run, its first parameter (like library.dll@FunctionName) is replaced with the return value.

You can execute multiple WinAPI functions, one after the other, using a comma:
winapiexec.exe library.dll@FunctionName1 123 , library.dll@FunctionName2 456
You can also have nested functions, using parentheses:
winapiexec.exe library.dll@FunctionName1 ( library.dll@FunctionName2 456 )
While the return value of the internal function is passed as a parameter to the external function.


zip (6.02 kB)


Here are some examples of what you can do:

Display temp path:
winapiexec.exe GetTempPathW 260 $b:520 , u@MessageBoxW 0 $$:3 $$:0 0x40

winapiexec.exe advapi32.dll@GetUserNameW $b:65534 $a:32767 , u@wsprintfW $b:2050 "Hello %s from %s" $$:2 $$:0 , u@MessageBoxW 0 $$:6 ... 0

Hide the taskbar for half a second, then show it:
winapiexec.exe u@ShowWindow ( u@FindWindowW Shell_TrayWnd 0 ) 0 , Sleep 500 , u@ShowWindow $$:3 5

Run calculator for a second, then terminate it:
winapiexec.exe CreateProcessW 0 calc 0 0 0 0x20 0 0 $a:0x44,,,,,,,,,,,,,,,, $b:16 , Sleep 1000 , TerminateProcess $$:11@0 0

Show a messagebox and then create a new instance of the process:
winapiexec.exe u@MessageBoxW 0 Hello! :) 0 , CreateProcessW $$:0 ( GetCommandLineW ) 0 0 0 0x20 0 0 $a:0x44,,,,,,,,,,,,,,,, $b:16

Eject your disc drive 🙂
winapiexec.exe winmm.dll@mciSendStringW "open cdaudio" 0 0 0 , winmm.dll@mciSendStringW "set cdaudio door open" 0 0 0 , winmm.dll@mciSendStringW "close cdaudio" 0 0 0

And some more practical examples…

Copy some text into the clipboard:
winapiexec.exe lstrcpyW ( GlobalLock ( GlobalAlloc 0x0042 8192 ) ) "Sample text" , GlobalUnlock $$:5 , u@OpenClipboard 0 , u@SetClipboardData 13 $$:5 , u@CloseClipboard

Turn off and on monitor:
winapiexec.exe u@SendMessageW 0xFFFF 0x112 0xF170 2
winapiexec.exe u@SendMessageW 0xFFFF 0x112 0xF170 -1

Clear the icon cache:
winapiexec.exe shell32.dll@SHChangeNotify 0x08000000 0 0 0

Display the Start menu:
winapiexec.exe u@SendMessageW ( u@FindWindowW Shell_TrayWnd 0 ) 0x111 305 0
Run task manager:
winapiexec.exe u@SendMessageW ( u@FindWindowW Shell_TrayWnd 0 ) 0x111 420 0
More tricks like that can be found here.

Posted in Releases, Software by RaMMicHaeL at January 8th, 2011.

172 Responses to “winapiexec”

  1. BeGreenMedia says:

    I love this tool! Thank you Michael!

    I want to create a shortcut for a file selected with right click in Explorer in My Shortcuts folder it’s possible with this tool?

  2. KT says:

    Hello RaMMicHaeL

    I’m trying to find a method in cmd.exe for getting an effect immediately after updating windows registry (system environment vars) and that needs send windows api as below.

    SendMessageTimeout(HWND_BROADCAST, WM_SETTINGCHANGE, 0, (LPARAM) “Environment”, SMTO_ABORTIFHUNG, 5000, &dwReturnValue);

    Then could you take a look below command. It doesn’t work.

    winapiexec.exe u@SendMessageTimeoutW HWND_BROADCAST WM_SETTINGCHANGE 0 (LPARAM) “Environment” SMTO_ABORTIFHUNG 5000 &dwReturnValue

    • RaMMicHaeL says:


      The translation for your C code is:
      winapiexec.exe u@SendMessageTimeoutW 0xFFFF 0x1A 0 Environment 2 5000 $b:16

      • KT says:

        Thank you for the quick respond. However I’m not sure the translated command is working properly.

        I tried to add a new path to the value of “Path” in below registry keys.
        – HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment


        Then, did the command and echo %path% in cmd.exe.

        But the new path wasn’t added.

        How can I make sure it is right ?
        Or, Isn’t my C code which has been provided via Microsoft web page appropriate ?

        • RaMMicHaeL says:

          How can I make sure it is right ?

          You can check it with a debugger such as OllyDbg. Actually I did that before posting the code.

          Or, Isn’t my C code which has been provided via Microsoft web page appropriate ?

          That’s probably what’s happening. You can try compiling it with a C compiler and checking it to be sure.

          • KT says:

            Thanks for the advice. I’ll check it.

            And One more question. What is the reference for translating C to the command for winapiexec.exe which would become very useful tool for me if I could make the most of it.

            Since I’m new to C and winapiexec.exe, I can’t find where “HWND_BROADCAST”, “WM_SETTINGCHANGE”, “SMTO_ABORTIFHUNG” has disappeared.

            • RaMMicHaeL says:

              I can’t find where “HWND_BROADCAST”, “WM_SETTINGCHANGE”, “SMTO_ABORTIFHUNG” has disappeared.

              These are constants. You can find out their values in your compiler. Also, usually Googling something along the lines of “define HWND_BROADCAST” works.
              winapiexec is a tiny tool, 4 kB in size, so it’s not familiar with all these constants and their values.

  3. Monte says:

    Hu RaMMicHael!

    How to, for example, translate the following call to winapiexec variant?
    rundll32.exe shell32.dll,Control_RunDLL hotplug.dll

    “winapiexec shell32.dll@Control_RunDLL hotplug.dll” throws “Stack error on argument number 1” and opens Control Panel. Could you please look into it?

  4. auvist says:


    I see several “u@MessageBoxW” examples, but it would be useful to be able to get some output directly in the console where winapiexec.exe is run. Any ideas how to achieve this?

    For example:

    “winapiexec.exe advapi32.dll@GetUserNameW $b:65534 $a:32767 , u@wsprintfW $b:2050 “Hello %s from %s” $$:2 $$:0 , u@MessageBoxW 0 $$:6 … 0″

    from the description to be logically equivalent to:

    “winapiexec.exe advapi32.dll@GetUserNameW $b:65534 $a:32767 , u@wsprintfW $b:2050 “Hello %s from %s” $$:2 $$:0 , ?@??functionToPrintToConsole?? $$:6

    and print the “Hello …” text directly in the cmd.exe window where this command is run.

    And a second question: is it possible to get the value referenced by a pointer?
    For example “winapiexec.exe k@QueryPerformanceCounter $b:4, u@MessageBoxW 0 $$:2 text 0” returns the address, but it would be nice to dereference it and get the value

    • RaMMicHaeL says:

      it would be useful to be able to get some output directly in the console where winapiexec.exe is run. Any ideas how to achieve this?

      Here you go:
      winapiexec.exe advapi32.dll@GetUserNameW $b:65534 $a:32767 , u@wsprintfW $b:2050 "Hello %s from %s" $$:2 $$:0 , AttachConsole -1 , WriteConsoleW ( GetStdHandle -11 ) $$:6 ( lstrlenW $$:6 ) $b:4 0

      See also this comment:

      is it possible to get the value referenced by a pointer?

      You can use $b:4@0 and $b:4@1 to get the low and high double words of the large integer, respectively. Note that it’s a 64-bit integer, so you also need to use $b:8, not $b:4. And you’re missing a space after $b:4, which is critical.

  5. Sam says:

    Hi RaMMicHaeL,

    Firstly, thank you for creating such awesome software tools and sharing them and your knowledge with the world for free! I can’t live without 7+ Taskbar Tweaker anymore! 🙂

    I’ve been using winapiexec for some time now in conjunction with Samurize to show the systray clock calendar. However, since I moved to Win10 this has stopped working.

    The command I had been using was:
    winapiexec u@PostMessageW ( u@FindWindowExW ( u@FindWindowExW ( u@FindWindowW Shell_TrayWnd 0 ) 0 TrayNotifyWnd 0 ) 0 TrayClockWClass 0 ) 0x466 1 0

    I can’t remember where I got that command line, and I have no idea where I could go to find an updated version which works with Win10.

    If you could please direct me to where I could find this information or to an updated command to execute this function I would be most grateful!



  6. am96 says:

    please tell me some more good & tricky example uses of winapiexec

  7. am96 says:

    PLEASE specify all possible uses of winapi & make some help file too
    i m finding it difficult to generate winapi commands. Any src to easily write such commands

  8. am96 says:

    how can i take screenshot with this app

  9. am96 says:


  10. Conquoro says:

    Hi Michael, wonderful is your work.. this is not working to attach a vhd. where am i wrong..
    winapiexec64.exe virtdisk.dll@OpenVirtualDisk $a:2,0 “C:\Test.vhd” 0x00020000 0 0 $b:4 , virtdisk.dll@AttachVirtualDisk $$:7@0 0 0 0 1 0

    • RaMMicHaeL says:

      Hi Conquoro,
      I see at least two critical issues with your command:
      1. Since you’re using winapiexec64, a handle requires 8 bytes, so the last parameter of the OpenVirtualDisk function should be $b:8.
      2. The parameter of the AttachVirtualDisk function where you pass 1 requires a pointer. Of course 1 is not a valid pointer.

      • Conquoro says:

        thank you for a quick reply..
        after messing for a while,
        Attach VHD by winapiexec.exe finally worked..

        winapiexec64.exe virtdisk.dll@OpenVirtualDisk $a:2,0 “C:\Test.vhd” 0x00020000 0 0 $b:4 , virtdisk.dll@AttachVirtualDisk $$:7@0 0 0x00000004 0 0 0

      • Conquoro says:

        cool.. i have changed $b:4 to $b:8 as you corrected, though $b:4 is working fine..

        • RaMMicHaeL says:

          You were just lucky. By specifying $b:4, you’re asking for at least 4 bytes. You might get more sometimes but you can’t rely on it. It’s also possible that you get only 4 bytes and then you override 4 other bytes you don’t own. Again, you can be lucky and it might not do any harm, but it might also have negative effects such as crashing the process before the mount takes place.

Leave a Reply