Microsoft Windows library files

This is an old revision of this page, as edited by Liliana-60 at 10:39, 30 October 2007 (Shscrap.dll). It may differ significantly from the current revision.

This is a collection of information about specific Microsoft Windows dynamic-link library (DLL) files. A DLL file is an extension of a program or .exe file. Microsoft designed these files so that a program that would normally take up a lot of memory could run on a machine that does not have a lot of memory, which made the operating system more versatile. These files should not be modified or deleted, because doing so may render the computer inoperable. Windows XP hides these files by default so that they are not accidentally deleted.

Hal.dll

Hal.dll is the core file of the Windows NT family of operating systems that provides and handles the interaction of software and hardware via the Hardware Abstraction Layer. Without hal.dll being present, any machine running a Windows NT based operating system will fail to function, if it even boots.

Windows includes several HALs to support different kinds of hardware; the appropriate HAL is chosen during the initial installation of Windows. Generally speaking, the determining factors for HAL selection are uni- vs. multi-processor CPU, ACPI vs. non-ACPI, and APIC vs. PIC.

Msvcrt.dll

Msvcrt.dll is a DLL that contains the C Run-Time Library for programs compiled with Visual C++, versions 4.2 to 6.

In newer Windows operating systems (e.g., Windows XP) this file is included as part of the operating system and should only be updated by a service pack or hotfix (although it is also used for compatibility with Visual C++ 4.2 to 6 programs). The debug version of this file is called msvcrtd.dll.

Ntdll.dll (Native API)

The Native API (with a capital N) is the largely undocumented application programming interface used internally by the Windows NT family of operating systems produced by Microsoft; only about 25 of its 250 functions are described in the Windows NT Device Driver Kit.[1] Most of them are in ntdll.dll and ntoskrnl.exe (and its variants); the majority of exported symbols within these libraries are prefixed Nt, e.g. NtDisplayString.

Applications that are linked directly against this library are known as Native Applications; the primary reason for their existence is to perform low-level tasks such as direct disk I/O that cannot be achieved through the documented Windows API. An example is the autochk binary that runs chkdsk during the system initialisation "Blue Screen". Unlike Win32 Applications, Native Applications instantiate within the Kernel runtime code (ntoskrnl.exe) and so must manage their own memory using the Rtl heap API, obtain their command-line arguments via a pointer to an in-memory structure, and return execution with a call to NtProcessTerminate (as opposed to ExitProcess). They also have a different entry point of NtProcessStartup as opposed to (w)(Win)MainCRTStartup to distinguish them from normal Windows binaries.[1]

Despite their API being undocumented, Native Applications can be built using the Windows Driver Development Kit; many antivirus and other utility software vendors incorporate Native Applications within their products, usually to perform some boot-time task that cannot be carried out in user space.

Ordinary Windows applications are not linked directly against this library, but against one or more of the "client" libraries with well-documented APIs; this is to retain portability across Windows platforms, among other reasons.

Shscrap.dll

shscrap.dll implements support for shell scrap files. These are automatically created when you drag selected content from an OLE-capable application into an Explorer window (or onto the Desktop)[2], but you can also use the Object Packager to create them. They can then be dragged into another OLE-capable application. Scrap (.shs) files are sometimes used by viruses because they can contain a wide variety of files (including executable code), and the file extension is not shown even when "Hide file extensions from known file types" is disabled.[3]
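A defender-side check for the hidden-extension behaviour described above, as an added example that is not part of the original article: it computes the name Explorer would display for a file and flags names where the hidden .shs extension leaves a harmless-looking extension visible. The extensions other than .shs, the function names and the sample file names are assumptions made for this illustration.

```python
import ntpath  # Windows path rules, usable on any platform

# Extensions Explorer keeps hidden even when extension hiding is turned off.
# .shs is the case described in the text above; .shb, .lnk, .pif and .url are
# added here as an assumption: file classes that carry the same NeverShowExt
# registry marker on default installs.
ALWAYS_HIDDEN = {".shs", ".shb", ".lnk", ".pif", ".url"}


def _leaf(filename):
    """File name without directory; Windows drops trailing dots and spaces."""
    return ntpath.basename(filename).rstrip(" .")


def displayed_name(filename):
    """Name as Explorer shows it with 'hide extensions' disabled."""
    leaf = _leaf(filename)
    stem, ext = ntpath.splitext(leaf)
    return stem if ext.lower() in ALWAYS_HIDDEN else leaf


def triage(filename):
    """Return (verdict, displayed_name) for one attachment or download name."""
    leaf, shown = _leaf(filename), displayed_name(filename)
    if shown == leaf:
        return ("ok", shown)                 # nothing is hidden from the user
    if ntpath.splitext(shown)[1]:
        return ("masquerade", shown)         # visible name ends in a decoy extension
    return ("hidden-extension", shown)       # real type is simply not displayed


def flagged(names):
    """All names whose real extension the user would not see."""
    return [(n,) + triage(n) for n in names if triage(n)[0] != "ok"]


# Constructed sample input (not taken from any real incident).
SAMPLE_NAMES = ["report.doc", "holiday.jpg.shs", "Notes.SHS",
                "C:\\Temp\\readme.txt.shb", "setup.exe"]

if __name__ == "__main__":
    for name, verdict, shown in flagged(SAMPLE_NAMES):
        print(f"{verdict:17} {name!r} is displayed as {shown!r}")
```
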

User32.dll

user32.dll is a DLL that implements the Windows User API Client Library. It is a core file for several versions of the Microsoft Windows operating system. If this file is damaged or deleted, the operating system will not work.

Viruses

Because this file is a core Windows DLL, several viruses attempt to infect it. Some of these viruses are:
