When an executable file is invoked, the operating system loader creates the virtual address space for the process. Then the loader maps the executable module into the process' address space. The loader examines the executable's import section and attempts to locate and map any required DLLs into the process' address space.
Because the import section contains just a DLL name without its pathname, the loader must search the user's disk drives for the DLL. Here is the loader's search order:
-
The directory containing the executable image file
-
The Windows system directory returned by GetWindowsDirectory
-
The 16-bit system directory—that is, the System subfolder under the Windows directory
-
The Windows directory returned by GetSystemDirectory
-
The process' current directory
-
The directories listed in the PATH environment variable
Notice that the application current directory is searched after the Windows directories. This change occurred in Windows XP SP2 to avoid having fake system DLLs be found and loaded from the application current directory instead of from their official location in the Windows directories. The MSDN online help mentions how a DWORD value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager could change this search order, but you should never set it if you don't want to allow malware to compromise your machine. Be aware that other things can affect how the loader searches for a DLL. (See Chapter 20 for more information.)