winapiexec
winapiexec is a small tool that allows to run WinAPI functions through command line parameters.
Syntax
The syntax is:
winapiexec.exe [email protected] 123 unicode_text "a space"
If you don’t specify a library or use “k”, kernel32.dll is used.
If you specify “u” as a library, user32.dll is used.
Numbers are detected automatically. You can use hex numbers (like 0xFE) and use the minus sign (e.g. -5).
Strings are Unicode by default.
You can use special prefixes to specify parameter types:
$s:ansi – an ANSI string.
$u:unicode – a Unicode string (it’s Unicode by default, but you can use it to force numbers as strings).
$b:1024 – a zero-bytes buffer with the size you specify, in bytes.
$$:1 – a reference to another parameter, you can also use $$:0 for the program’s name (argv[0]).
$a:0,1,two,3 – an array of parameters, divided by commas. you can use all the prefixes here.
$a[a,b,$a[c,d],e] – an alternative syntax for an array of parameters. Allows to have nested arrays.
$$:[email protected] – a reference to an item in an array of parameters, can have more than one indirection.
While referencing to another parameter, note that they are processed by the order of execution, which means there’s no point to reference to a parameter right to the referencing one.
Also note that after a function is run, its first parameter (like [email protected]) is replaced with the return value.
You can execute multiple WinAPI functions, one after the other, using a comma:
winapiexec.exe [email protected] 123 , [email protected] 456
You can also have nested functions, using parentheses:
winapiexec.exe [email protected] ( [email protected] 456 )
While the return value of the internal function is passed as a parameter to the external function.
Download
winapiexec.zip (6.02 kB)
Examples
Here are some examples of what you can do:
Display temp path:
winapiexec.exe GetTempPathW 260 $b:520 , [email protected] 0 $$:3 $$:0 0x40
Greetings:
winapiexec.exe [email protected] $b:65534 $a:32767 , [email protected] $b:2050 "Hello %s from %s" $$:2 $$:0 , [email protected] 0 $$:6 ... 0
Hide the taskbar for half a second, then show it:
winapiexec.exe [email protected] ( [email protected] Shell_TrayWnd 0 ) 0 , Sleep 500 , [email protected] $$:3 5
Run calculator for a second, then terminate it:
winapiexec.exe CreateProcessW 0 calc 0 0 0 0x20 0 0 $a:0x44,,,,,,,,,,,,,,,, $b:16 , Sleep 1000 , TerminateProcess $$:[email protected] 0
Show a messagebox and then create a new instance of the process:
winapiexec.exe [email protected] 0 Hello! :) 0 , CreateProcessW $$:0 ( GetCommandLineW ) 0 0 0 0x20 0 0 $a:0x44,,,,,,,,,,,,,,,, $b:16
Eject your disc drive 🙂
winapiexec.exe [email protected] "open cdaudio" 0 0 0 , [email protected] "set cdaudio door open" 0 0 0 , [email protected] "close cdaudio" 0 0 0
And some more practical examples…
Copy some text into the clipboard:
winapiexec.exe lstrcpyW ( GlobalLock ( GlobalAlloc 0x0042 8192 ) ) "Sample text" , GlobalUnlock $$:5 , [email protected] 0 , [email protected] 13 $$:5 , [email protected]
Turn off and on monitor:
winapiexec.exe [email protected] 0xFFFF 0x112 0xF170 2
winapiexec.exe [email protected] 0xFFFF 0x112 0xF170 -1
Clear the icon cache:
winapiexec.exe [email protected] 0x08000000 0 0 0
Display the Start menu:
winapiexec.exe [email protected] ( [email protected] Shell_TrayWnd 0 ) 0x111 305 0
Run task manager:
winapiexec.exe [email protected] ( [email protected] Shell_TrayWnd 0 ) 0x111 420 0
More tricks like that can be found here.
I love this tool! Thank you Michael!
I want to create a shortcut for a file selected with right click in Explorer in My Shortcuts folder it’s possible with this tool?
Hello RaMMicHaeL
I’m trying to find a method in cmd.exe for getting an effect immediately after updating windows registry (system environment vars) and that needs send windows api as below.
SendMessageTimeout(HWND_BROADCAST, WM_SETTINGCHANGE, 0, (LPARAM) “Environment”, SMTO_ABORTIFHUNG, 5000, &dwReturnValue);
Then could you take a look below command. It doesn’t work.
winapiexec.exe [email protected] HWND_BROADCAST WM_SETTINGCHANGE 0 (LPARAM) “Environment” SMTO_ABORTIFHUNG 5000 &dwReturnValue
Hi,
The translation for your C code is:
winapiexec.exe [email protected] 0xFFFF 0x1A 0 Environment 2 5000 $b:16Thank you for the quick respond. However I’m not sure the translated command is working properly.
I tried to add a new path to the value of “Path” in below registry keys.
– HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
HKEY_CURRENT_USER\Environment
Then, did the command and echo %path% in cmd.exe.
But the new path wasn’t added.
How can I make sure it is right ?
Or, Isn’t my C code which has been provided via Microsoft web page appropriate ?
You can check it with a debugger such as OllyDbg. Actually I did that before posting the code.
That’s probably what’s happening. You can try compiling it with a C compiler and checking it to be sure.
Thanks for the advice. I’ll check it.
And One more question. What is the reference for translating C to the command for winapiexec.exe which would become very useful tool for me if I could make the most of it.
Since I’m new to C and winapiexec.exe, I can’t find where “HWND_BROADCAST”, “WM_SETTINGCHANGE”, “SMTO_ABORTIFHUNG” has disappeared.
These are constants. You can find out their values in your compiler. Also, usually Googling something along the lines of “define HWND_BROADCAST” works.
winapiexec is a tiny tool, 4 kB in size, so it’s not familiar with all these constants and their values.
Fine. Many thanks RaMMicHaeL.
Hu RaMMicHael!
How to, for example, translate the following call to winapiexec variant?
rundll32.exe shell32.dll,Control_RunDLL hotplug.dll
“winapiexec [email protected]_RunDLL hotplug.dll” throws “Stack error on argument number 1” and opens Control Panel. Could you please look into it?
Hi Monte,
You can use the following command:
winapiexec.exe [email protected]_RunDLLW 0 ( GetModuleHandleW 0 ) hotplug.dll 10Based on this information and on debugging rundll32.exe. Note that the the second argument is actually the executable module handle, contrary to what the documentation says.
Thanks for your reply!
Still it’s not working for me (showing nothing), but now I’ve got it that rundll works differently and it’s not for calling winapi functions as one may think.
Works for me. That’s on Windows 10, I haven’t tried it on Windows 7.
I believe you, there’s no need in evidence 🙂
I’m on Windows 7, so maybe that’s the culprit.
I checked it, and it doesn’t work on Windows 7 because it expects the window argument to be non-zero.
Hi,
I see several “[email protected]” examples, but it would be useful to be able to get some output directly in the console where winapiexec.exe is run. Any ideas how to achieve this?
For example:
“winapiexec.exe [email protected] $b:65534 $a:32767 , [email protected] $b:2050 “Hello %s from %s” $$:2 $$:0 , [email protected] 0 $$:6 … 0″
from the description to be logically equivalent to:
“winapiexec.exe [email protected] $b:65534 $a:32767 , [email protected] $b:2050 “Hello %s from %s” $$:2 $$:0 , [email protected]??functionToPrintToConsole?? $$:6
and print the “Hello …” text directly in the cmd.exe window where this command is run.
And a second question: is it possible to get the value referenced by a pointer?
For example “winapiexec.exe [email protected] $b:4, [email protected] 0 $$:2 text 0” returns the address, but it would be nice to dereference it and get the value
Here you go:
winapiexec.exe [email protected] $b:65534 $a:32767 , [email protected] $b:2050 "Hello %s from %s" $$:2 $$:0 , AttachConsole -1 , WriteConsoleW ( GetStdHandle -11 ) $$:6 ( lstrlenW $$:6 ) $b:4 0See also this comment:
http://rammichael.com/winapiexec/comment-page-1#comment-4420
You can use
$b:[email protected]and$b:[email protected]to get the low and high double words of the large integer, respectively. Note that it’s a 64-bit integer, so you also need to use$b:8, not$b:4. And you’re missing a space after$b:4, which is critical.