Hi @ll,

in a recent blog post titled "Load Library Safely" Microsoft Security Research & Defense wrote:

| To ensure secure loading of libraries
| * Use proper DLL search order.
| * Always specify the fully qualified path when the library location is
    ~~~~~~
| constant.
| * Load as data file when required.
| * Make use of code signing infrastructure or AppLocker.

Let's concentrate on the second point and see how well Microsoft follows their own safety and security guidance:

- the locations of ALL libraries delivered with Windows are constant and well-known.
- the locations of ALL installed files remain constant after their installation, so ALL installation routines can safely write the well-known fully qualified path to the registry, desktop.ini files, shortcuts, ...

Quite a few people have pointed out this fact MANY times in the past, over and over again.

JFTR: [link lost in this copy] specifies:

| InprocServer Specifies the path to the in-process server DLL.
                             ~~~~
| LocalServer Specifies the full path to a 16-bit local server application.
                            ~~~~~~~~~
| LocalServer32 Specifies the full path to a 32-bit local server application.
                              ~~~~~~~~~

[link lost in this copy] specifies:

| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID
| {CLSID}
| InprocServer32
| (Default) = path
              ~~~~

[link lost in this copy] specifies:

| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID
| {CLSID}
| InprocServer
| (Default) = path
              ~~~~

[link lost in this copy] specifies:

| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID
| {CLSID}
| DefaultIcon = path, resourceID
                ~~~~
...
| This is a REG_SZ value that specifies the full path to the executable
                                            ~~~~~~~~~

An unqualified filename in any of these values leaves the location to the search order of whichever component consumes it, so whether a given entry is actually exposed depends on how that component loads the file.

Now take a look at the registry of Windows 8.1 (as it comes on the DVD available from [link lost in this copy], inside the \sources\install.wim).
In no particular order, and of course not exhaustive (the full list is available from ): [HKEY_CLASSES_ROOT\CLSID\{00020000-0000-0000-C000-000000000046}\InprocServer] @="avifile.dll" [HKEY_CLASSES_ROOT\CLSID\{5848A73D-E9C2-499E-BB92-887CABCB2BD6}\InprocHandler32] @="ole32.dll" [HKEY_CLASSES_ROOT\CLSID\{00021400-0000-0000-C000-000000000046}\shell\cmd] @="@shell32.dll,-8506" [HKEY_CLASSES_ROOT\CLSID\{289228DE-A31E-11D1-A19C-0000F875B132}\ToolboxBitmap32] @="cic.dll, 1" [HKEY_CLASSES_ROOT\CLSID\{3080F90E-D7AD-11D9-BD98-0000947B0257}\Instance\InitPropertyBag] "command"="@shell32.dll,-12715" [HKEY_CLASSES_ROOT\CLSID\{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}\Instance\InitPropertyBag] "opentext"="@shell32.dll,-12706" "properties"="inetcpl.cpl" "propertiestext"="@shell32.dll,-12704" [HKEY_CLASSES_ROOT\CLSID\{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}\Instance\InitPropertyBag] "command"="@appwiz.cpl,-130" "Param1"="appwiz.cpl,,3" "Param2"="control.exe" [HKEY_CLASSES_ROOT\CLSID\{0E5CBF21-D15F-11D0-8301-00AA005B4383}] "MenuTextPUI"="@explorerframe.dll,-13138" [HKEY_CLASSES_ROOT\CLSID\{031EE060-67BC-460d-8847-E4A7C5E45A27}] "Icon"="wmploc.dll,101" [HKEY_CLASSES_ROOT\CLSID\{FC1EE10B-7EF6-41B5-BB60-98D26DD9FCD1}\MergedFolder] "Location"="@shell32.dll,-9091" [HKEY_CLASSES_ROOT\CLSID\{3080F90E-D7AD-11D9-BD98-0000947B0257}] "LocalizedString"="@shell32.dll,-10114" [HKEY_CLASSES_ROOT\accountpicturefile] "FriendlyTypeName"="@Windows.UI.Immersive.dll,-38306" [HKEY_CLASSES_ROOT\batfile\shell\runasuser] @="@shell32.dll,-50944" [HKEY_CLASSES_ROOT\CATFile\DefaultIcon] @="cryptui.dll,-3418" [HKEY_CLASSES_ROOT\CERFile\shell\add] "MUIVerb"="@cryptext.dll,-6132" [HKEY_CLASSES_ROOT\Network\SharingHandler] @="ntshrui.dll" [HKEY_CLASSES_ROOT\OLETransactionManagers\MSDTC] "DLL"="MSDTCPRX.DLL" [HKEY_CLASSES_ROOT\Applications\WINWORD.EXE\TaskbarExceptionsIcons\WordMail] "IconPath"="explorer.exe,16" 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}] "$DLL"="WINTRUST.DLL" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectPlay\Service Providers\Internet TCP/IP Connection For DirectPlay] "Gateway"="dpnhpast.dll" "Path"="dpwsockx.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\SnapIns\FX:{0f3f3735-573d-9804-99e4-ab2a69ba5fd4}] "ModuleName"="SecurityAuditPoliciesSnapIn.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\SnapIns\{58221C6A-EA27-11CF-ADCF-00AA00A80033}] "ProviderIndirect"="@filemgmt.dll,-3505" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\SnapIns\{A2A54893-AAF2-49A3-B3F5-CC43CEBCC27C}] "DescriptionIndirect"="@napdsnap.dll,-2" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\SnapIns\{DFFFAE4D-F0CF-46CD-9586-FE891237AB8A}] "NameStringIndirect"="@comres.dll,-659" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh] "napmontr"="napmontr.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Router\CurrentVersion\RouterManagers\Ip] "ConfigDll"="ipadmin.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Router\CurrentVersion\RouterManagers\Ipv6] "ConfigDll"="ipadmin.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Router\CurrentVersion\UiConfigDlls] "58bdf950-f471-11cf-aa67-00805f0c9232"="ifadmin.dll" "58bdf951-f471-11cf-aa67-00805f0c9232"="ipadmin.dll" "58bdf953-f471-11cf-aa67-00805f0c9232"="ddmadmin.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\ClientProtocols] "ncacn_ip_tcp"="rpcrt4.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions] "NdrOleExtDll"="Ole32.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService] "9"="sspicli.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS] "IGDSearcherDLL"="bitsigd.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Glass Colorization\Swatches\{FD81078C-1B36-4595-A92E-91F05C4FA5DC}] "Resource"="themecpl.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching\Plugin] "WUSearchLibrary"="chkwudrv.dll" 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder] "Text"="@shell32.dll,-30498" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\MSWMPBurnCDOnArrival] "Action"="@wmploc.dll,-6505" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\MSPlayCDAudioOnArrival] "Provider"="@wmploc.dll,-6502" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}] "InfoTip"="@shell32,dll,-12692" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderTypes\{0b2baaeb-0042-4dca-aa4d-3ee8648d03e5}\TopViews\{ 82ba0782-5b7a-4569-b5d7-ec83085f08cc}] "Name"="@shell32.dll,-34817" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\AUTH\LOGON\SILENT] "HelpID"="iexplore.hlp#50283" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\DOTNET] "PlugUIText"="@mscorier.dll,-1001" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Mail\Advanced Settings\Contact Conversion] "Bitmap"="msoeres.dll,50" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Audit\SystemPolicy\System\SystemIntegrity] "HelpText"="@auditpolmsg.dll,-734" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font Drivers] "Adobe Type Manager"="atmfd.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\DiscoveryManager] "DiscoveryProviderDllPath"="PeerDistWSDDiscoProv.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\DownloadManager] "TransportDllPath"="PeerDistHttpTrans.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\HostedCache] "TransportDllPath"="PeerDistHttpTrans.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\HostedCache\Discovery] "ProviderDLLPath"="PeerDistAD.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Perflib\_V2Providers\{f3b975e7-e068-4f66-81ef-b23e0a0e64c9}] "ApplicationIdentity"="lsm.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileLoader\{F5441CBB-AE7D-4495-905B-161047E58936}] "DllName"="userenv.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SecEdit\Reg Values\MACHINE/System/CurrentControlSet/Services/LDAP/LDAPClientIntegrity] "DisplayChoices"=multi:"0|@wsecedit.dll,-59073","1|@wsecedit.dll,-59074","2|@wsecedit.dll,-59075" "DisplayName"="@wsecedit.dll,-59072" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{fbf687e6-f063-4d9f-9f4f-fd9a26acdd5f}] "DisplayName"="@gptext.dll,-205" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\PHSearchConnectors\StickyNotes\Default] "Description"="@SNTSearch.dll,-504" [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\FileSystemUtilities] "IfsUtilExtension"="ifsutilx.dll" [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port] "Driver"="WSDMon.dll" [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Providers\LanMan Print Services] "Name"="win32spl.dll" [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Els\Services\{2D64B439-6CAF-4f6b-B688-E5D0F4FAA7D7}] "Description"="@elscore.dll,-2" [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RpcSs] "DisplayName"="@combase.dll,-5010" [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Keyboard Layouts\00000401] "Layout File"="KBDA1.DLL" [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0] "Icon"="shell32.dll#0016" [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4] "LowIcon"="inetcpl.cpl#005426" [HKEY_USERS\S-1-5-19\AppEvents\EventLabels\.Default] "DispFileName"="@mmres.dll,-5824" [HKEY_USERS\S-1-5-20\AppEvents\Schemes\Names\.None] @="@mmres.dll,-801" [ 1669 more entries with unqualified filenames omitted ] regards Stefan Kanthak