An Elf walks into the bar…
2023-5-12 06:29:20 Author: www.hexacorn.com

May 11, 2023 in Windows 11

Windows 11’s advapi32.dll includes interesting export functions:

  • ElfBackupEventLogFileA
  • ElfBackupEventLogFileW
  • ElfChangeNotify
  • ElfClearEventLogFileA
  • ElfClearEventLogFileW
  • ElfCloseEventLog
  • ElfDeregisterEventSource
  • ElfFlushEventLog
  • ElfNumberOfRecords
  • ElfOldestRecord
  • ElfOpenBackupEventLogA
  • ElfOpenBackupEventLogW
  • ElfOpenEventLogA
  • ElfOpenEventLogW
  • ElfReadEventLogA
  • ElfReadEventLogW
  • ElfRegisterEventSourceA
  • ElfRegisterEventSourceW
  • ElfReportEventA
  • ElfReportEventAndSourceW
  • ElfReportEventW

And I know nothing about them… While they are obviously exported by advapi32.dll, for some unknown reason they do not seem to be imported by anything (no .exe or .dll imports these functions, at least not directly!). Plus, the code of most of these APIs references NDR (RPC marshalling) functions, so unless you are really well-versed in those, it’s hard to reverse them 🙁

BUT

A quick google suggests that these are not Linux-related (a reference to ‘ELF’) but are actually Event Log File (also ‘ELF’)-related. In a trivial pursuit of the truth, we look at the code of the Elf* functions and their invocations, and we can almost immediately see that, e.g., RegisterEventSourceW calls ElfRegisterEventSourceW internally. So… it looks like, either intentionally or accidentally, the MS coders exposed a lower-level interface to Event Logs.

As such, functions:

  • ElfClearEventLogFileA
  • ElfClearEventLogFileW

may perhaps be of interest?


Source: https://www.hexacorn.com/blog/2023/05/11/an-elf-walks-into-the-bar/