Windows search path

Nov 6

Posted by

The search path for DLL’s before Windows XP SP1 and Windows Server 2003 was:

  1. search in directory of executable
  2. search in working directory
  3. search in Windows system directory (SYSTEM32 as well as SYSTEM!)
  4. search in Windows directory
  5. search in path defined by variable %PATH%

Search sequence changed in windows XP SP1 and Windows 2003, a quote from article by Michael Howard, “Development Impacts of Security Changes in Windows Server 2003”:

QUOTE:

DLL Search Order Has Changed

No longer is the current directory searched first when loading DLLs! This change was also made in Windows XP SP1. The default behavior now is to look in all the system locations first, then the current directory, and finally any user-defined paths. This will have an impact on your code if you install a DLL in the application's directory because Windows Server 2003 no longer loads the 'local' DLL if a DLL of the same name is in the system directory. A common example is if an application won't run with a specific version of a DLL, an older version is installed that does work in the application directory. This scenario will fail in Windows Server 2003.

The reason this change was made was to mitigate some kinds of trojaning attacks. An attacker may be able to sneak a bad DLL into your application directory or a directory that has files associated with your application. The DLL search order change removes this attack vector.

The SetDllDirectory function, also available in Windows XP SP1, modifies the search path used to locate DLLs for the application and affects all subsequent calls to the LoadLibrary and LoadLibraryEx functions by the application.

This fact can have a major consequence when troubleshooting applications that depends on common libraries (such as msvcr*.dll). If safe search order is turned ON, the search sequence is: 1, 3, 4, 2, 5 from the list above.

My first thought (of course;-) was: how to disable safe search order feature?

According to article Dynamic-Link Library Search Order, all you need to do is, to add a registry value:
HKLM\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode and set it to 0.

Advertisement

Posted on 06.11.2007, in MS Windows and tagged . Bookmark the permalink. Comments Off on Windows search path.

Comments are closed.