A new CWDIllegalInDllSearch registry entry is available to control the DLL search path algorithm
Article ID: 2264107

Support for Windows Vista Service Pack 1 (SP1) ends on July 12, 2011. To continue receiving security updates for Windows, make sure you're running Windows Vista with Service Pack 2 (SP2). For more information, refer to this Microsoft web page: Support is ending for some versions of Windows.
SUMMARY
This update introduces a new registry entry, CWDIllegalInDllSearch, that allows users to control the DLL search path algorithm. The DLL search path algorithm is used by the LoadLibrary API and the LoadLibraryEx API when DLLs are loaded without specifying a fully qualified path. The update allows the administrator to define the following on a system-wide or a per-application basis:

- Remove the current working directory from the library search path.
- Prevent an application from loading a library from a WebDAV location.
- Prevent an application from loading a library from both a WebDAV and a remote UNC location.
MORE INFORMATION
Important: This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base: 322756 How to back up and restore the registry in Windows
How the CWDIllegalInDllSearch registry entry works
When an application dynamically loads a DLL without specifying a fully qualified path, Windows tries to locate this DLL by searching through a well-defined set of directories. This set of directories is known as the DLL search path. As soon as Windows locates the DLL in a directory, Windows loads that DLL. If Windows does not find the DLL in any of the directories in the DLL search order, the DLL load operation fails. The LoadLibrary function and the LoadLibraryEx function are used to dynamically load DLLs. The following is the DLL search order for these two functions:

1. The directory from which the application loaded
2. The system directory
3. The 16-bit system directory
4. The Windows directory
5. The current working directory (CWD)
6. The directories that are listed in the PATH environment variable

The newly introduced CWDIllegalInDllSearch registry entry enables computer administrators to modify the behavior of the DLL search path algorithm that is used by LoadLibrary and by LoadLibraryEx. This registry entry allows certain kinds of directories to be skipped. The CWDIllegalInDllSearch registry entry can be added in the following paths:

To use this registry entry for all the applications on a computer:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager

To use this registry entry for a specified application on a computer:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<application binary name>

The per-application registry entry always overrides the system-wide setting. This allows the system-wide setting to be set restrictively. A per-application setting can then be set for any applications that do not work correctly with the system-wide setting.

For example, an administrator could block DLL loads from both WebDAV and SMB locations by setting the system-wide value to 2, and then relax the behavior for a particular application that requires such loads by setting its Image File Execution Options value to 0 or 1. The value of the CWDIllegalInDllSearch registry entry modifies the behavior of LoadLibrary and of LoadLibraryEx as follows.
Scenario 1: The application is started from a local folder, such as C:\Program Files
CWDIllegalInDllSearch value | Behavior of the DLL search path in LoadLibrary and in LoadLibraryEx
0xFFFFFFFF                  | Removes the current working directory from the default DLL search order
0                           | Uses the default DLL search path that was mentioned earlier
1                           | Blocks a DLL load from the current working directory if the current working directory is set to a WebDAV folder
2                           | Blocks a DLL load from the current working directory if the current working directory is set to a remote folder (such as a WebDAV or UNC location)
No key or other values      | Uses the default DLL search path that was mentioned earlier
Scenario 2: The application is started from a remote folder, such as \\remote\share

CWDIllegalInDllSearch value | Behavior of the DLL search path in LoadLibrary and in LoadLibraryEx
0xFFFFFFFF                  | Removes the current working directory from the default DLL search order
0                           | Uses the default DLL search path that was mentioned earlier
1                           | Blocks a DLL load from the current working directory if the current working directory is set to a WebDAV folder
2                           | Allows a DLL load from the current working directory if the current working directory is set to a remote folder (such as a WebDAV or UNC location)
No key or other values      | Uses the default DLL search path that was mentioned earlier
Scenario 3: The application is started from a WebDAV folder, such as http://remote/share

CWDIllegalInDllSearch value | Behavior of the DLL search path in LoadLibrary and in LoadLibraryEx
0xFFFFFFFF                  | Removes the current working directory from the default DLL search order
No key or other values      | Uses the default DLL search path that was mentioned earlier
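The three scenario tables and the per-application override rule can be awkward to reason about together, so the following added example (not part of the Microsoft article and not Windows code) models them as a small policy checker. The path classifier and the system directory paths are simplifying assumptions; the decision logic follows the tables above.

```python
"""Model of the CWDIllegalInDllSearch policy tables from KB 2264107.

Added example, not Windows code: it reproduces the documented decision logic
so an administrator can check what a system-wide / per-application pair does.
The path classifier and the system directory paths are assumptions.
"""

REMOVE_CWD = 0xFFFFFFFF   # drop the CWD from the search order in every scenario
BLOCK_WEBDAV_CWD = 1      # skip the CWD when it is a WebDAV folder
BLOCK_REMOTE_CWD = 2      # skip the CWD when it is WebDAV or UNC (local app only)


def classify(path):
    """Simplified location kind of a path: 'webdav', 'unc' or 'local' (assumption)."""
    low = path.lower()
    if low.startswith(("http://", "https://")):
        return "webdav"
    if low.startswith("\\\\"):
        return "unc"
    return "local"


def effective_value(system_value, app_value):
    """The Image File Execution Options value always overrides the system-wide one."""
    return app_value if app_value is not None else system_value


def cwd_searched(value, app_dir, cwd):
    """Scenarios 1-3: is the CWD consulted for a LoadLibrary call without a full path?"""
    app_kind, cwd_kind = classify(app_dir), classify(cwd)
    if value == REMOVE_CWD:
        return False                    # all scenarios
    if app_kind == "webdav":
        return True                     # scenario 3: only 0xFFFFFFFF changes anything
    if value == BLOCK_WEBDAV_CWD:
        return cwd_kind != "webdav"     # scenarios 1 and 2
    if value == BLOCK_REMOTE_CWD:
        if app_kind == "local":
            return cwd_kind == "local"  # scenario 1: WebDAV and UNC CWD blocked
        return True                     # scenario 2: remote CWD still allowed
    return True                         # 0, missing key, or any other value


def search_order(app_dir, cwd, path_dirs, system_value=None, app_value=None):
    """Directories LoadLibrary walks, with the CWD dropped when policy blocks it."""
    order = [app_dir, r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]
    if cwd_searched(effective_value(system_value, app_value), app_dir, cwd):
        order.append(cwd)
    return order + list(path_dirs)
```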
Examples
Example 1: How to disable loading DLLs from a WebDAV share for all applications that are installed on your local computer
1. Log on to your computer as an administrator.
2. Open Registry Editor.
3. Locate and then click the following registry subkey:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
4. Right-click Session Manager, point to New, and then click DWORD Value.
5. Type CWDIllegalInDllSearch, and then click Modify.
6. In the Value data box, type 1, and then click OK.
Example 2: How to disable loading DLLs from a WebDAV share for only a specific application that is installed on the local computer
1. Log on to your computer as an administrator.
2. Open Registry Editor.
3. Locate and then click the following registry subkey:
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<application binary name>
   If a key with the application binary name does not exist, then you will have to create one.
4. Right-click <application binary name>, point to New, and then click DWORD Value.
5. Type CWDIllegalInDllSearch, and then click Modify.
6. In the Value data box, type 1, and then click OK.
Example 3: How to disable loading DLLs from a remote (SMB) share for only a specific application installed on the local computer
1. Log on to your computer as an administrator.
2. Open Registry Editor.
3. Locate and then click the following registry subkey:
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<application binary name>
   If a key with the application binary name does not exist, then you will have to create one.
4. Right-click <application binary name>, point to New, and then click DWORD Value.
5. Type CWDIllegalInDllSearch, and then click Modify.
6. In the Value data box, type 2, and then click OK.
Fix it for me
The fix it solution described in this section is not intended to be a replacement for any security update. We recommend that you always install the latest security updates. However, we offer this fix it solution as a workaround option for customers to protect their systems while a security update is not available or cannot be installed. This fix it solution will only deploy the registry entry that is needed to block nonsecure DLL loads from WebDAV and SMB locations.

Note: Before you run the fix it solution, you must first download and then install update 2264107, which is described later in this article. By default, protection is disabled when you install update 2264107. Then, the protection can be configured manually as described in this article, or you can run the fix it. When you run the fix it, protection is enabled to protect against remote, nonsecure DLL loads.

To manually undo the setting changed by the fix it solution, you can reset the value of the following CWDIllegalInDLLSearch registry entry to 0 (zero):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\CWDIllegalInDLLSearch

A setting of 0 will undo the changes that are made by the fix it solution. To automatically enable or disable this fix it solution, click the Fix it button or link under the Enable this fix it heading or under the Disable this fix it heading. Click Run in the File Download dialog box, and then follow the steps in the Fix it wizard.

Enable this fix it: Microsoft Fix it 50522
Disable this fix it: Microsoft Fix it 50523