{"id":24183,"date":"2007-12-13T10:00:00","date_gmt":"2007-12-13T10:00:00","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/oldnewthing\/2007\/12\/13\/appinit_dlls-should-be-renamed-deadlock_or_crash_randomly_dlls\/"},"modified":"2007-12-13T10:00:00","modified_gmt":"2007-12-13T10:00:00","slug":"appinit_dlls-should-be-renamed-deadlock_or_crash_randomly_dlls","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20071213-00\/?p=24183","title":{"rendered":"AppInit_DLLs should be renamed Deadlock_Or_Crash_Randomly_DLLs"},"content":{"rendered":"<p>I have no idea why the window manager team added <a href=\"http:\/\/support.microsoft.com\/kb\/197571\">this feature<\/a> to Windows&nbsp;NT. It basically says, &#8220;Hi, use this key to violate all the rules known to mankind about what can legitimately be done in a <code>DllMain<\/code> function. Oh, and be <a href=\"http:\/\/www.avira.com\/en\/threats\/section\/fulldetails\/id_vir\/3265\/tr_drop.stration.677.html\">an attractive malware attack vector<\/a>, too.&#8221;\n I&#8217;ve debugged a few crashes that were traced back to the <code>AppInit_DLLs<\/code> key. What makes them particularly fun is that the offending DLL is usually not on the stack. Rather, the fact that a foreign DLL is being loaded inside <code>USER32<\/code>&#8217;s initialization code means that you&#8217;re violating the rule against calling <code>LoadLibrary<\/code> inside a <code>DllMain<\/code> function. The result of this madness is that DLLs get initialized out of order, and this typically manifests itself as some DLL crashing while trying to use an object (often a critical section) that it is supposed to have initialized in its <code>DLL_PROCESS_ATTACH<\/code> handler. It crashed because the loader got tricked into initializing DLLs out of order. 
The dependent DLL received its <code>DLL_PROCESS_ATTACH<\/code> before the prerequisite DLL.\n I end up looking at these failures because the victim DLL is often a DLL that my group is responsible for.<\/p>\n<p> The window manager folks came to the same conclusion about <code>AppInit_DLLs<\/code>, and it doesn&#8217;t work any more in Windows Vista by default. (<a href=\"http:\/\/blogs.msdn.com\/nickkramer\/archive\/2006\/04\/18\/577962.aspx\">Nick Kramer describes how to re-enable it<\/a>.) <\/p>\n","protected":false},"excerpt":{"rendered":"<p>I have no idea why the window manager team added this feature to Windows&nbsp;NT. It basically says, &#8220;Hi, use this key to violate all the rules known to mankind about what can legitimately be done in a DllMain function. Oh, and be an attractive malware attack vector, too.&#8221; I&#8217;ve debugged a few crashes that were [&hellip;]<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[25],"class_list":["post-24183","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-code"],"acf":[],"blog_post_summary":"<p>I have no idea why the window manager team added this feature to Windows&nbsp;NT. It basically says, &#8220;Hi, use this key to violate all the rules known to mankind about what can legitimately be done in a DllMain function. 
Oh, and be an attractive malware attack vector, too.&#8221; I&#8217;ve debugged a few crashes that were [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/24183","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=24183"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/24183\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=24183"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=24183"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=24183"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}