It’s been a long time since I looked at phantom DLLs (non-existing DLLs that are expected to be present in predictable locations). So, a quick rundown what we can see on Win10 today folows:

• C:\Windows\System32\edgegdi.dll
  • loaded by gdi.dll, but not present on the most up to date win10 pro installation; it must be signed
  • loaded by a number of processes backgroundTaskHost.exe, BackgroundTransferHost.exe, DllHost.exe, dmclient.exe, HxTsr.exe, LockApp.exe, LogonUI.exe, Microsoft.Photos.exe, mousocoreworker.exe and many others; existing work: found some EoP research on Twitter
• C:\Windows\SysWOW64\rpcss.dll
• C:\Windows\System32\UsoSelfhost.dll
  • loaded by mousocoreworker.exe — possible EoP?
• C:\Windows\System32\Speech_OneCore\common\sapi_onecore.dll
  • loaded by SearchApp.exe
• C:\Windows\System32\windowscoredeviceinfo.dll
  • loaded by taskhostw.exe

There are more, but I reserve them for a possible future post.