SysUtils

1.4.0

Read-only Windows PE / COM / .NET inspector for sysadmins. Parses DLL/OCX/EXE/SYS without LoadLibrary; reports PE headers, version info, COM TypeLibs (CoClasses, interfaces, methods), .NET assembly metadata (PEKind, CorFlags, AssemblyName, types) and Authenticode signatures. Cross-bitness inspection.

Minimum PowerShell version

5.1

Installation Options

Copy and Paste the following command to install this package using PowerShellGet More Info

Install-Module -Name SysUtils

Copy and Paste the following command to install this package using Microsoft.PowerShell.PSResourceGet More Info

Install-PSResource -Name SysUtils

You can deploy this package directly to Azure Automation. Note that deploying packages with dependencies will deploy all the dependencies to Azure Automation. Learn More

Manually download the .nupkg file to your system's default download location. Note that the file won't be unpacked, and won't include any dependencies. Learn More

Owners

Copyright

(c) 2026 Manuel Alcocer Jiménez <manalcjim@outlook.com>. MIT License.

Package Details

Author(s)

  • Manuel Alcocer Jiménez

Tags

PE DLL OCX COM TypeLib dotnet Inspector Sysadmin Windows PowerShell5

Functions

Get-DllInfo Get-DllGuidTable Invoke-DllSuiteAnalysis New-DllSuiteReport

Dependencies

This module has no dependencies.

Release Notes

1.4.0 - DLL Suite Analysis: cross-DLL drift inventory.

Two new public cmdlets aimed at legacy COM suites where DLLs got
copied across teams and silently diverged while keeping the same
CLSIDs (the classic VB6 Binary Compatibility footgun):

 - Invoke-DllSuiteAnalysis: scans one or more directories, parses
   every PE found, and produces a structured analysis with duplicate
   groups (SHA-256), GUID conflicts (same CLSID/IID across distinct
   DLLs), interface drift (signature mismatch across versions), and
   registry status of conflicted CoClasses (which on-disk copy is
   currently registered, or whether registration points outside the
   scanned tree). Strictly read-only.
 - New-DllSuiteReport: renders a self-contained HTML report from the
   analysis (CSS, JS and JSON embedded). Filterable, no external
   dependencies, double-clickable - the artifact you mail to dev
   teams.

Output schema 'dllsuite/1' for stable JSON consumption by dashboards.

Companion wrappers under Tools\ (in the release zip, not on PSGallery):
DllSuite-GUI.ps1/.cmd (WinForms launcher) and DllSuite-Run.ps1/.cmd
(headless CI wrapper with proper exit codes: 0/1/2 = ok/fatal/strict-
fail). Release tags now also publish a SysUtils-DllSuite-<ver>.zip
asset bundling the module + Tools for air-gapped CI.

1.3.1 - Metadata-only: update Author, CompanyName and Copyright to the
full author name (Manuel Alcocer Jiménez) and add contact email in the
copyright line. No code changes.

1.3.0 - Get-DllGuidTable: add -Both switch.

The new -Both switch shows Type/Name/Guid/RegKey at once (4 columns),
complementing the existing default (Type/Name/Guid) and -RegKey
(Type/Name/RegKey) modes. The three are mutually exclusive via
ParameterSetName. Help adds an EXAMPLE showing how to avoid line
wrapping in narrow consoles when using -Both (Out-String -Width 250
and BufferSize tweak).

1.2.0 - Add Get-DllGuidTable cmdlet.

Flat (Type, Name, Guid, RegKey) view of every entry in a DLL's embedded
TypeLib (coclass / interface / dispatch / enum / record / union / alias
/ module). The RegKey column reports the registry path under which each
GUID is registered (HKCR\CLSID for CoClasses, HKCR\Interface for
interfaces and dispinterfaces; HKLM and HKCU plus 32-bit Wow6432Node
views are searched), or empty when not registered or not applicable.
Switch -RegKey swaps the default Format-Table display from Guid to
RegKey to avoid wrapping; -Kind filters by entry kind. Strictly
read-only: oleaut32!LoadTypeLibEx is called with REGKIND_NONE and
registry lookups go through Microsoft.Win32.RegistryKey directly.

1.1.0 - Add -IncludeComRegistration switch.

Cross-references the CoClasses declared in the DLL's embedded TypeLib
against HKCR\CLSID across HKLM/HKCU x64+x86 views to determine whether
a COM in-proc server is correctly registered, plus surfaces every CLSID
whose InprocServer32 points at the inspected DLL. Uses
Microsoft.Win32.RegistryKey directly (full HKCR\CLSID walk drops from
~20s to ~1s vs the PowerShell registry provider). Strictly read-only:
no regsvr32, no LoadLibrary, no admin needed. Per-CLSID statuses:
Registered / DeclaredOnly / PathMismatch / RegisteredOnly. Global
verdict: OK / Partial / Unregistered / NotApplicable.

1.0.0 - Initial release.

Get-DllInfo: read-only Windows PE inspector that parses DLL/OCX/EXE/SYS
files without LoadLibrary (so cross-bitness inspection works and DllMain is
never executed). Layered output controlled by switches:

 - default: PE header (architecture, subsystem, characteristics, sections,
   timestamp), version info, shallow COM detection, shallow .NET detection.
 - -IncludeImports: full IDT/ILT walk including import-by-ordinal.
 - -IncludeExports: full export table with forwarder detection.
 - -IncludeResources: recursive 3-level resource tree walk.
 - -IncludeTypeLib: TypeLib reader via oleaut32!LoadTypeLibEx (CoClasses,
   interfaces, methods, parameters, enums, aliases, IIDs/CLSIDs).
 - -IncludeDotNetTypes: ReflectionOnlyLoadFrom for [ComVisible]/[Guid]/
   [ProgId] per type.
 - -IncludeSignature: Authenticode signature.
 - -IncludeHash: SHA-256.
 - -Detailed: turns on every Include* switch.

For managed assemblies, PEKind disambiguates AnyCPU / AnyCPUPrefer32 /
x86 / x64 / ARM64 / ManagedMixed using Machine + PE32/PE32+ + CorFlags.

FileList

Version History

Version Downloads Last updated
1.4.0 (current version) 3 4/25/2026
1.3.1 3 4/25/2026
1.3.0 5 4/25/2026
1.2.0 9 4/25/2026
1.1.0 3 4/25/2026
1.0.0 5 4/25/2026
Show more