Is it OK to enable SafeDllSearchMode?

Guest

I read that the registry key SafeDllSearchMode was introduced in
Windows 2000 SP3. It improves security by searching in the system
directories for DLLs before searching in the current directory. But
it was disabled by default in all versions of Windows until Windows XP
SP2 because it could potentially break existing applications. Does
anyone know what applications will break if you enable it?
 
Is my Windows XP and Windows 2003 vulnerable since I do not see the
SafeDllSearchMode registry key?

No. On Windows XP Service Pack 1, Windows XP Service Pack 2, Windows Server
2003 and Windows Server 2003 Service Pack 1 SafeDllSearchMode is set to 1 by
default within the operating system code and is therefore not vulnerable.
Adding the registry key with a value other than 1 will change the default
configuration. For more information about SafeDllSearchMode configuration
options please read the following MSDN article.


http://msdn2.microsoft.com/en-us/library/ms682586.aspx

--

All the Best,
Kelly (MS-MVP/DTS&XP)

Taskbar Repair Tool Plus!
http://www.kellys-korner-xp.com/taskbarplus!.htm
 
Is my Windows XP and Windows 2003 vulnerable since I do not see the
SafeDllSearchMode registry key?

No. On Windows XP Service Pack 1, Windows XP Service Pack 2, Windows Server
2003 and Windows Server 2003 Service Pack 1 SafeDllSearchMode is set to 1 by
default within the operating system code and is therefore not vulnerable.
Adding the registry key with a value other than 1 will change the default
configuration. For more information about SafeDllSearchMode configuration
options please read the following MSDN article.

http://msdn2.microsoft.com/en-us/library/ms682586.aspx

I am running Windows 2000, so my original question stands.
 
In microsoft.public.win2000.general [email protected] said:
I read that the registry key SafeDllSearchMode was introduced in
Windows 2000 SP3. It improves security by searching in the system
directories for DLLs before searching in the current directory. But
it was disabled by default in all versions of Windows until Windows XP
SP2 because it could potentially break existing applications. Does
anyone know what applications will break if you enable it?

Assuming that I'm reading Knowledge Base article 306850 correctly -- and
that's a big assumption because it's VERY badly written -- no reasonable
application could be affected. The alleged security improvement is also
pretty far-fetched, although the performance issue is plausible. There's
no way to tell what applications might be affected except to try it and
see if anything complains about being unable to find DLLs. I've made the
registry change on my system just for the heck of it. We'll see what
happens.
 
Assuming that I'm reading Knowledge Base article 306850 correctly -- and
that's a big assumption because it's VERY badly written -- no reasonable
application could be affected. The alleged security improvement is also
pretty far-fetched, although the performance issue is plausible. There's
no way to tell what applications might be affected except to try it and
see if anything complains about being unable to find DLLs. I've made the
registry change on my system just for the heck of it. We'll see what
happens.

That article appears to describe a specific situation that requires
the SafeDllSearchMode key to be enabled. From what I've read, the
main reason to enable that key is for security, not performance. A
better description is available here:

http://www.microsoft.com/technet/security/prodtech/windows2000/win2khg/05sconfg.mspx

"The fact that the current working directory is searched before the
system directories can be used by someone with access to the file
system to cause a program launched by a user to load a spoofed DLL. If
a user launches a program by double-clicking a document, the current
working directory is actually the location of the document. If a DLL
in that directory has the same name as a system DLL in that location
will then be loaded instead of the system DLL. This attack vector was
actually used by the Nimda virus.

To combat this, a new setting was created in Service Pack 3, which
moves the current working directory to after the system directories in
the search order. To avoid application compatibility issues, however,
this switch was not turned on by default."

And if an application does break with the enabling of that key, the
error may not be an inability to find a DLL. See one scenario
mentioned here:

http://books.google.com/books?id=yZ...ts=GR5YBhr-gG&sig=djOngoYEjBE1kxAjLLD25rxjuyQ

Besides claiming that breakage is low (which might be true for him,
but I'm sure I run some applications that he doesn't), the author says
that SQL 2000 loaded SFC.dll (Starfighter Foundation Classes) from its
working directory, but after enabling SafeDllSearchMode, it
incorrectly loaded SFC.dll (system file checker) from the system
directory. He also mentions that Outlook 2000 add-ins will break if
the key is enabled.

More subtle problems could occur too:

http://www.microsoft.com/technet/security/guidance/serversecurity/tcg/tcgch10n.mspx

"Applications will be forced to search for DLLs in the system path
first. For applications that require unique versions of these DLLs
that are included with the application, this entry could cause
performance or stability problems."

It's those potential subtle problems that worry me. And what about
tools such as PartitionMagic? You can't really test those to see if
they break. I probably won't enable it, and I'll just live with the
security risk.

One thing that might be helpful in determining whether an app might
break or not is to see when the last update for it became available.
If it was after August 2004 (the date that XP SP2 was released, in
which the key became enabled by default), then the app is probably
compatible with the enabling of the key. If it was before that date,
then the app might not be compatible with it.
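
An added example, not part of the thread: a small Python model of the two DLL search orders (current directory before or after the system directories), showing which loads change location when SafeDllSearchMode is switched on. All paths, file listings and the names `shared.dll`, `helper.dll` and `dbserver.exe` are constructed, and the model ignores every loader mechanism other than the plain search order.

```python
# Added illustration, not code from the thread. All paths and file
# listings are constructed; only the two search orders are modelled.

SYSTEM_DIRS = [r"C:\WINNT\System32", r"C:\WINNT\System", r"C:\WINNT"]

# Constructed directory listings (directory -> file names).
FS = {
    r"C:\WINNT\System32": {"kernel32.dll", "sfc.dll", "shared.dll"},
    r"C:\Apps\Db\Binn": {"dbserver.exe", "helper.dll"},
    r"C:\Apps\Db\Work": {"SFC.dll"},                 # the app's own SFC.dll
    r"D:\Share\Docs": {"report.doc", "shared.dll"},  # DLL placed beside a document
}


def search_order(app_dir, cwd, safe_mode, path_dirs=()):
    """Directories in probe order: the current directory comes before the
    system directories when safe_mode is off, and after them when it is on."""
    if safe_mode:
        return [app_dir, *SYSTEM_DIRS, cwd, *path_dirs]
    return [app_dir, cwd, *SYSTEM_DIRS, *path_dirs]


def resolve(dll, order, fs=FS):
    """First directory in `order` holding `dll` (names are case-insensitive)."""
    for directory in order:
        if dll.lower() in {name.lower() for name in fs.get(directory, ())}:
            return directory
    return None


def changed_by_safe_mode(imports, app_dir, cwd, fs=FS):
    """Map each DLL whose load location differs to (off_dir, on_dir)."""
    changed = {}
    for dll in imports:
        off = resolve(dll, search_order(app_dir, cwd, False), fs)
        on = resolve(dll, search_order(app_dir, cwd, True), fs)
        if off != on:
            changed[dll] = (off, on)
    return changed


if __name__ == "__main__":
    app = r"C:\Apps\Db\Binn"
    # Compatibility case: private SFC.dll kept in the working directory.
    print(changed_by_safe_mode(["helper.dll", "SFC.dll"], app, r"C:\Apps\Db\Work"))
    # Security case: program started by opening a document on a share.
    print(changed_by_safe_mode(["kernel32.dll", "shared.dll"], app, r"D:\Share\Docs"))
```

Only DLLs that were being found through the current directory change location; anything in the application's own directory resolves the same way in both modes.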
 