Wednesday, July 22, 2015

DLL Voodoo: register, unregister, enable and disable a DLL

DLLs are files on the Microsoft Windows operating system that offer shared functionality to multiple applications (that is my one-phrase definition). To see which DLLs an executable uses, you can use a utility like Dependency Walker.

Before Windows can use the DLL it needs to be registered. Remember that in a 32-bit environment the standard location for DLLs is %windir%\system32, and on 64-bit systems you have to take into account that the 64-bit version is stored in %windir%\syswow64.

To register a DLL:
C:\Windows\System32\regsvr32 filename.dll

To unregister a DLL:
C:\Windows\System32\regsvr32 -u path\filename.dll

This is something I learned as a sysadmin a while back, but what I learned this week from Security Bulletin MS15-078 is how to disable them by renaming them and then re-enable them.

Disabling the DLL:
cd dir_path_of_dll
C:\Windows\System32\takeown.exe /f filename.dll
C:\Windows\System32\icacls.exe filename.dll /save filename.dll.acl
C:\Windows\System32\icacls.exe filename.dll /grant Administrators:(F)
rename filename.dll x-filename.dll

A reboot of the OS is needed for the change to take effect.

Enabling the DLL:
cd dir_path_of_dll
rename x-filename.dll filename.dll
C:\Windows\System32\icacls.exe filename.dll /setowner "NT SERVICE\TrustedInstaller"
C:\Windows\System32\icacls.exe . /restore filename.dll.acl

A reboot of the OS is needed for the change to take effect.
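
To confirm where a DLL stands in the disable/enable procedure above (renamed or not, who owns it, whether the temporary Administrators grant is still in place, whether the saved ACL file exists), a read-only check like the following can be run before and after each step. This is an added example, not part of the original post or of the security bulletin; the function name Get-DllWorkaroundState is hypothetical, and it assumes an English-language system where the group is named BUILTIN\Administrators.

```powershell
# Added example: report the state of a DLL in the rename-based workaround.
# Read-only: it changes nothing on disk. Run from an elevated prompt.
function Get-DllWorkaroundState {
    param(
        [Parameter(Mandatory)][string]$Directory,  # dir_path_of_dll
        [Parameter(Mandatory)][string]$Name        # filename.dll
    )
    $original = Join-Path $Directory $Name
    $renamed  = Join-Path $Directory "x-$Name"
    $aclFile  = Join-Path $Directory "$Name.acl"

    $hasOriginal = Test-Path -LiteralPath $original -PathType Leaf
    $hasRenamed  = Test-Path -LiteralPath $renamed  -PathType Leaf

    if ($hasOriginal -and $hasRenamed) { $state = 'Ambiguous: both names exist' }
    elseif ($hasRenamed)               { $state = 'Disabled (renamed)' }
    elseif ($hasOriginal)              { $state = 'Enabled' }
    else                               { $state = 'Missing' }

    $present = if ($hasOriginal) { $original } elseif ($hasRenamed) { $renamed } else { $null }
    $owner = $null
    $adminFull = $null
    if ($present) {
        $acl   = Get-Acl -LiteralPath $present
        $owner = $acl.Owner
        $full  = [System.Security.AccessControl.FileSystemRights]::FullControl
        # An explicit Allow/FullControl entry for Administrators is what
        # "icacls /grant Administrators:(F)" leaves behind until /restore runs.
        $adminFull = [bool]($acl.Access | Where-Object {
            -not $_.IsInherited -and
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -eq 'BUILTIN\Administrators' -and
            ($_.FileSystemRights -band $full) -eq $full
        })
    }
    [pscustomobject]@{
        State                     = $state
        Owner                     = $owner
        OwnerIsTrustedInstaller   = ($owner -eq 'NT SERVICE\TrustedInstaller')
        AdministratorsFullControl = $adminFull
        AclBackupPresent          = Test-Path -LiteralPath $aclFile -PathType Leaf
    }
}

# Example call (placeholder path and name):
# Get-DllWorkaroundState -Directory 'C:\path\to\dir' -Name 'filename.dll'
```

After a complete re-enable, the expected result is State "Enabled", OwnerIsTrustedInstaller true and AdministratorsFullControl false; any other combination means one of the icacls steps did not apply.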