The Wayback Machine - https://web.archive.org/web/20120509160536/http://msdn.microsoft.com:80/en-us/library/ms682586.aspx
Home Library Learn Downloads Support Community
Sign in | United States - English | |
38 out of 87 rated this helpful - Rate this topic

Dynamic-Link Library Search Order

A system can contain multiple versions of the same dynamic-link library (DLL). Applications can control the location from which a DLL is loaded by specifying a full path or using another mechanism such as a manifest. If these methods are not used, the system searches for the DLL at load time as described in this topic.

Factors That Affect Searching

The following factors affect whether the system searches for a DLL:

  • If a DLL with the same module name is already loaded in memory, the system checks only for redirection and a manifest before resolving to the loaded DLL, no matter which directory it is in. The system does not search for the DLL.
  • If the DLL is on the list of known DLLs for the version of Windows on which the application is running, the system uses its copy of the known DLL (and the known DLL's dependent DLLs, if any) instead of searching for the DLL. For a list of known DLLs on the current system, see the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs.
  • If a DLL has dependencies, the system searches for the dependent DLLs as if they were loaded with just their module names. This is true even if the first DLL was loaded by specifying a full path.

Search Order for Metro style Apps

When a Metro style app loads a packaged module by calling the LoadPackagedLibrary function, the DLL must be in the package dependency graph of the process. For more information, see LoadPackagedLibrary. When a Metro style app loads a module by other means and does not specify a full path, the system searches for the DLL and its dependencies at load time as described in this section.

Windows 7, Windows Server 2008 R2, Windows Vista, Windows Server 2008, Windows Server 2003, and Windows XP:  Metro style apps are supported starting with Windows 8 Consumer Preview and Windows Server 8 Beta.

Before the system searches for a DLL, it checks the following:

  • If a DLL with the same module name is already loaded in memory, the system uses the loaded DLL, no matter which directory it is in. The system does not search for the DLL.
  • If the DLL is on the list of known DLLs for the version of Windows on which the application is running, the system uses its copy of the known DLL (and the known DLL's dependent DLLs, if any). The system does not search for the DLL. For a list of known DLLs on the current system, see the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs.

If the system must search for a module or its dependencies, it always uses the search order for Metro style apps even if a dependency is not Metro style code.

Standard Search Order for Metro style Apps

If the module is not already loaded or on the list of known DLLs, the system searches these locations in this order:

  1. The package dependency graph of the process. This is the application's package plus any dependencies specified as <PackageDependency> in the <Dependencies> section of the application's package manifest. Dependencies are searched in the order they appear in the manifest.
  2. The directory the calling process was loaded from.
  3. The system directory (%SystemRoot%\system32).

If a DLL has dependencies, the system searches for the dependent DLLs as if they were loaded with just their module names. This is true even if the first DLL was loaded by specifying a full path.

Alternate Search Order for Metro style Apps

If a module changes the standard search order by calling the LoadLibraryEx function with LOAD_WITH_ALTERED_SEARCH_PATH, the system searches the directory the specified module was loaded from instead of the directory of the calling process. The system searches these locations in this order:

  1. The package dependency graph of the process. This is specified in the <Dependencies> section of the application's package manifest. Dependencies are searched in the order they appear in the manifest.
  2. The directory the specified module was loaded from.
  3. The System directory (%SystemRoot%\system32).

Search Order for Desktop Applications

Desktop applications can control the location from which a DLL is loaded by specifying a full path, using DLL redirection, or by using a manifest. If none of these methods are used, the system searches for the DLL at load time as described in this section.

Before the system searches for a DLL, it checks the following:

  • If a DLL with the same module name is already loaded in memory, the system uses the loaded DLL, no matter which directory it is in. The system does not search for the DLL.
  • If the DLL is on the list of known DLLs for the version of Windows on which the application is running, the system uses its copy of the known DLL (and the known DLL's dependent DLLs, if any). The system does not search for the DLL. For a list of known DLLs on the current system, see the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs.

If a DLL has dependencies, the system searches for the dependent DLLs as if they were loaded with just their module names. This is true even if the first DLL was loaded by specifying a full path.

Important  If an attacker gains control of one of the directories that is searched, it can place a malicious copy of the DLL in that directory. For ways to help prevent such attacks, see Dynamic-Link Library Security.

Standard Search Order for Desktop Applications

The standard DLL search order used by the system depends on whether safe DLL search mode is enabled or disabled. Safe DLL search mode places the user's current directory later in the search order.

Safe DLL search mode is enabled by default. To disable this feature, create the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode registry value and set it to 0. Calling the SetDllDirectory function effectively disables SafeDllSearchMode while the specified directory is in the search path and changes the search order as described in this topic.

Windows XP:  Safe DLL search mode is disabled by default. To enable this feature, create the SafeDllSearchMode registry value and set it to 1. Safe DLL search mode is enabled by default starting with Windows XP with Service Pack 2 (SP2).

If SafeDllSearchMode is enabled, the search order is as follows:

  1. The directory from which the application loaded.
  2. The system directory. Use the GetSystemDirectory function to get the path of this directory.
  3. The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched.
  4. The Windows directory. Use the GetWindowsDirectory function to get the path of this directory.
  5. The current directory.
  6. The directories that are listed in the PATH environment variable. Note that this does not include the per-application path specified by the App Paths registry key. The App Paths key is not used when computing the DLL search path.

If SafeDllSearchMode is disabled, the search order is as follows:

  1. The directory from which the application loaded.
  2. The current directory.
  3. The system directory. Use the GetSystemDirectory function to get the path of this directory.
  4. The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched.
  5. The Windows directory. Use the GetWindowsDirectory function to get the path of this directory.
  6. The directories that are listed in the PATH environment variable. Note that this does not include the per-application path specified by the App Paths registry key. The App Paths key is not used when computing the DLL search path.

Alternate Search Order for Desktop Applications

The standard search order used by the system can be changed by calling the LoadLibraryEx function with LOAD_WITH_ALTERED_SEARCH_PATH. The standard search order can also be changed by calling the SetDllDirectory function.

Windows XP:  Changing the standard search order by calling SetDllDirectory is not supported until Windows XP with Service Pack 1 (SP1).

If you specify an alternate search strategy, its behavior continues until all associated executable modules have been located. After the system starts processing DLL initialization routines, the system reverts to the standard search strategy.

The LoadLibraryEx function supports an alternate search order if the call specifies LOAD_WITH_ALTERED_SEARCH_PATH and the lpFileName parameter specifies an absolute path.

Note that the standard search strategy and the alternate search strategy specified by LoadLibraryEx with LOAD_WITH_ALTERED_SEARCH_PATH differ in just one way: The standard search begins in the calling application's directory, and the alternate search begins in the directory of the executable module that LoadLibraryEx is loading.

If SafeDllSearchMode is enabled, the alternate search order is as follows:

  1. The directory specified by lpFileName.
  2. The system directory. Use the GetSystemDirectory function to get the path of this directory.
  3. The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched.
  4. The Windows directory. Use the GetWindowsDirectory function to get the path of this directory.
  5. The current directory.
  6. The directories that are listed in the PATH environment variable. Note that this does not include the per-application path specified by the App Paths registry key. The App Paths key is not used when computing the DLL search path.

If SafeDllSearchMode is disabled, the alternate search order is as follows:

  1. The directory specified by lpFileName.
  2. The current directory.
  3. The system directory. Use the GetSystemDirectory function to get the path of this directory.
  4. The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched.
  5. The Windows directory. Use the GetWindowsDirectory function to get the path of this directory.
  6. The directories that are listed in the PATH environment variable. Note that this does not include the per-application path specified by the App Paths registry key. The App Paths key is not used when computing the DLL search path.

The SetDllDirectory function supports an alternate search order if the lpPathName parameter specifies a path. The alternate search order is as follows:

  1. The directory from which the application loaded.
  2. The directory specified by the lpPathName parameter of SetDllDirectory.
  3. The system directory. Use the GetSystemDirectory function to get the path of this directory. The name of this directory is System32.
  4. The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched. The name of this directory is System.
  5. The Windows directory. Use the GetWindowsDirectory function to get the path of this directory.
  6. The directories that are listed in the PATH environment variable. Note that this does not include the per-application path specified by the App Paths registry key. The App Paths key is not used when computing the DLL search path.

If the lpPathName parameter is an empty string, the call removes the current directory from the search order.

SetDllDirectory effectively disables safe DLL search mode while the specified directory is in the search path. To restore safe DLL search mode based on the SafeDllSearchMode registry value and restore the current directory to the search order, call SetDllDirectory with lpPathName as NULL.

Search Order Using LOAD_LIBRARY_SEARCH Flags

An application can specify a search order by using one or more LOAD_LIBRARY_SEARCH flags with the LoadLibraryEx function. An application can also use LOAD_LIBRARY_SEARCH flags with the SetDefaultDllDirectories function to establish a DLL search order for a process. The application can specify additional directories for the process DLL search order by using the AddDllDirectory or SetDllDirectory functions.

Windows 7, Windows Server 2008 R2, Windows Vista, and Windows Server 2008:  The LOAD_LIBRARY_SEARCH flags are available on systems with KB2533623 installed.
Windows Server 2003 and Windows XP:  The LOAD_LIBRARY_SEARCH flags are not supported.

The directories that are searched depend on the flags specified with SetDefaultDllDirectories or LoadLibraryEx. If more than one flag is used, the corresponding directories are searched in the following order:

  1. The directory that contains the DLL (LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR). This directory is searched only for dependencies of the DLL to be loaded.
  2. The application directory (LOAD_LIBRARY_SEARCH_APPLICATION_DIR).
  3. Paths explicitly added with the AddDllDirectory function (LOAD_LIBRARY_SEARCH_USER_DIRS) or the SetDllDirectory function. If more than one path has been added, the order in which the paths are searched is unspecified.
  4. The System directory (LOAD_LIBRARY_SEARCH_SYSTEM32).

If the application does not call LoadLibraryEx with any LOAD_LIBRARY_SEARCH flags or establish a DLL search order for the process, the system searches for DLLs using either the standard search order or the alternate search order.

Related topics

AddDllDirectory
Application Registration
Dynamic-Link Library Redirection
Dynamic-Link Library Security
LoadLibrary
LoadLibraryEx
LoadPackagedLibrary
SetDefaultDllDirectories
SetDllDirectory
Side-by-side Components

 

 

Send comments about this topic to Microsoft

Build date: 3/6/2012

Did you find this helpful?
(1500 characters remaining)
Community Content Add
Annotations FAQ
How about the GAC?
From the above article, it does not seems the GAC is even searched. Is the GAC searched? When? $0 $0 $0The GAC is not searched.  Native DLLs should not be placed in the GAC.  Managed assemblies are loaded by .NET and don't use the same search order.  (Ben Voigt, Visual C++ MVP)$0$0$0 $0 $0
History
Default OS setting/"SafeDllSearchMode"

In this article XPSP3 has SafeDllSearchMode value 1 as default.  When navigating to HKLM\System\CurrentControlSet\Control\Session Manager in the XPSP3 registry there is found no "SafeDllSearchMode" entry in the Session Manager NameTypeData window.

This article suggests creating said value in XPSP1/Windows2000SP4, I assume for the same reason, that it isn't present.

My question is this:   How does XPSP3 safe dll loading occur if it too does not have the "SafeDllSearchMode" value in its registry?

Am I not seeing it because of the regedit/regedit32 distinction?

Logically there must be "control" elsewhere in XPSP3 operating system to avoid the presentation of contradiction in this article.

carpe OS noncontra deo  AI veritas

History
KnownDlls
Note when loading by module name, the presence of the module in KnownDlls dominates over already loaded DLLs.

For example,  an application that explicitly loads "c:\example\msvcrt.dll" (which is in KnownDlls) then loads "msvcrt" will load %SystemRoot%\System32\msvcrt.dll

History
<![CDATA[ Third party scripts and code linked to or referenced from this website are licensed to you by the parties that own such code, not by Microsoft. See ASP.NET Ajax CDN Terms of Use – http://www.asp.net/ajaxlibrary/CDN.ashx. ]>