
Is it OK to enable SafeDllSearchMode?



Guest void.no.spam.com@gmail.com
Posted

I read that the registry key SafeDllSearchMode was introduced in
Windows 2000 SP3. It improves security by searching in the system
directories for DLLs before searching in the current directory. But
it was disabled by default in all versions of Windows until Windows XP
SP2 because it could potentially break existing applications. Does
anyone know what applications will break if you enable it?

Guest Kelly
Posted

Re: Is it OK to enable SafeDllSearchMode?

 

Is my Windows XP and Windows 2003 vulnerable since I do not see the
SafeDllSearchMode registry key?

No. On Windows XP Service Pack 1, Windows XP Service Pack 2, Windows Server
2003 and Windows Server 2003 Service Pack 1 SafeDllSearchMode is set to 1 by
default within the operating system code and is therefore not vulnerable.
Adding the registry key with a value other than 1 will change the default
configuration. For more information about SafeDllSearchMode configuration
options please read the following MSDN article.

http://msdn2.microsoft.com/en-us/library/ms682586.aspx

 

--
All the Best,
Kelly (MS-MVP/DTS&XP)

Taskbar Repair Tool Plus!
http://www.kellys-korner-xp.com/taskbarplus!.htm

<void.no.spam.com@gmail.com> wrote in message
news:1183991869.120092.19370@c77g2000hse.googlegroups.com...
> I read that the registry key SafeDllSearchMode was introduced in
> Windows 2000 SP3. It improves security by searching in the system
> directories for DLLs before searching in the current directory. But
> it was disabled by default in all versions of Windows until Windows XP
> SP2 because it could potentially break existing applications. Does
> anyone know what applications will break if you enable it?

Guest nobuyout@gmail.com
Posted

Re: Is it OK to enable SafeDllSearchMode?

 

On Jul 9, 12:52 pm, "Kelly" <k...@mvps.org> wrote:
> Is my Windows XP and Windows 2003 vulnerable since I do not see the
> SafeDllSearchMode registry key?
>
> No. On Windows XP Service Pack 1, Windows XP Service Pack 2, Windows Server
> 2003 and Windows Server 2003 Service Pack 1 SafeDllSearchMode is set to 1 by
> default within the operating system code and is therefore not vulnerable.
> Adding the registry key with a value other than 1 will change the default
> configuration. For more information about SafeDllSearchMode configuration
> options please read the following MSDN article.
>
> http://msdn2.microsoft.com/en-us/library/ms682586.aspx

 

I am running Windows 2000, so my original question stands.

Guest void.no.spam.com@gmail.com
Posted

Re: Is it OK to enable SafeDllSearchMode?

 

On Jul 9, 12:52 pm, "Kelly" <k...@mvps.org> wrote:
> Is my Windows XP and Windows 2003 vulnerable since I do not see the
> SafeDllSearchMode registry key?
>
> No. On Windows XP Service Pack 1, Windows XP Service Pack 2, Windows Server
> 2003 and Windows Server 2003 Service Pack 1 SafeDllSearchMode is set to 1 by
> default within the operating system code and is therefore not vulnerable.
> Adding the registry key with a value other than 1 will change the default
> configuration. For more information about SafeDllSearchMode configuration
> options please read the following MSDN article.
>
> http://msdn2.microsoft.com/en-us/library/ms682586.aspx

 

I am running Windows 2000, so my original question stands.

Guest Gary S. Terhune
Posted

Re: Is it OK to enable SafeDllSearchMode?

 

Did you read this?
http://support.microsoft.com/kb/306850/en-us

(You might get better answers if you post to a Win2000 newsgroup.)

 

--
Gary S. Terhune
MS-MVP Shell/User
http://www.grystmill.com

<nobuyout@gmail.com> wrote in message
news:1184001585.494249.306330@57g2000hsv.googlegroups.com...
> On Jul 9, 12:52 pm, "Kelly" <k...@mvps.org> wrote:
>> Is my Windows XP and Windows 2003 vulnerable since I do not see the
>> SafeDllSearchMode registry key?
>>
>> No. On Windows XP Service Pack 1, Windows XP Service Pack 2, Windows Server
>> 2003 and Windows Server 2003 Service Pack 1 SafeDllSearchMode is set to 1 by
>> default within the operating system code and is therefore not vulnerable.
>> Adding the registry key with a value other than 1 will change the default
>> configuration. For more information about SafeDllSearchMode configuration
>> options please read the following MSDN article.
>>
>> http://msdn2.microsoft.com/en-us/library/ms682586.aspx
>
> I am running Windows 2000, so my original question stands.

Guest Gary Smith
Posted

Re: Is it OK to enable SafeDllSearchMode?

 

In microsoft.public.win2000.general void.no.spam.com@gmail.com <void.no.spam.com@gmail.com> wrote:
> I read that the registry key SafeDllSearchMode was introduced in
> Windows 2000 SP3. It improves security by searching in the system
> directories for DLLs before searching in the current directory. But
> it was disabled by default in all versions of Windows until Windows XP
> SP2 because it could potentially break existing applications. Does
> anyone know what applications will break if you enable it?

 

Assuming that I'm reading Knowledge Base article 306850 correctly -- and
that's a big assumption because it's VERY badly written -- no reasonable
application could be affected. The alleged security improvement is also
pretty far-fetched, although the performance issue is plausible. There's
no way to tell what applications might be affected except to try it and
see if anything complains about being unable to find DLLs. I've made the
registry change on my system just for the heck of it. We'll see what
happens.

 

--
Gary L. Smith
Columbus, Ohio

Guest void.no.spam.com@gmail.com
Posted

Re: Is it OK to enable SafeDllSearchMode?

 

On Jul 9, 8:13 pm, Gary Smith <bitbuc...@example.com> wrote:
> Assuming that I'm reading Knowledge Base article 306850 correctly -- and
> that's a big assumption because it's VERY badly written -- no reasonable
> application could be affected. The alleged security improvement is also
> pretty far-fetched, although the performance issue is plausible. There's
> no way to tell what applications might be affected except to try it and
> see if anything complains about being unable to find DLLs. I've made the
> registry change on my system just for the heck of it. We'll see what
> happens.

 

That article appears to describe a specific situation that requires
the SafeDllSearchMode key to be enabled. From what I've read, the
main reason to enable that key is for security, not performance. A
better description is available here:

http://www.microsoft.com/technet/security/prodtech/windows2000/win2khg/05sconfg.mspx

"The fact that the current working directory is searched before the
system directories can be used by someone with access to the file
system to cause a program launched by a user to load a spoofed DLL. If
a user launches a program by double-clicking a document, the current
working directory is actually the location of the document. If a DLL
in that directory has the same name as a system DLL in that location
will then be loaded instead of the system DLL. This attack vector was
actually used by the Nimda virus.

To combat this, a new setting was created in Service Pack 3, which
moves the current working directory to after the system directories in
the search order. To avoid application compatibility issues, however,
this switch was not turned on by default."

And if an application does break with the enabling of that key, the
error may not be an inability to find a DLL. See one scenario
mentioned here:

http://books.google.com/books?id=yZX2uAoAagwC&pg=PA381&lpg=PA381&dq=safedllsearchmode+sfc&source=web&ots=GR5YBhr-gG&sig=djOngoYEjBE1kxAjLLD25rxjuyQ

Besides claiming that breakage is low (which might be true for him,
but I'm sure I run some applications that he doesn't), the author says
that SQL 2000 loaded SFC.dll (Starfighter Foundation Classes) from its
working directory, but after enabling SafeDllSearchMode, it
incorrectly loaded SFC.dll (system file checker) from the system
directory. He also mentions that Outlook 2000 add-ins will break if
the key is enabled.

More subtle problems could occur too:

http://www.microsoft.com/technet/security/guidance/serversecurity/tcg/tcgch10n.mspx

"Applications will be forced to search for DLLs in the system path
first. For applications that require unique versions of these DLLs
that are included with the application, this entry could cause
performance or stability problems."

It's those potential subtle problems that worry me. And what about
tools such as PartitionMagic? You can't really test those to see if
they break. I probably won't enable it, and I'll just live with the
security risk.

One thing that might be helpful in determining whether an app might
break or not is to see when the last update for it became available.
If it was after August 2004 (the date that XP SP2 was released, in
which the key became enabled by default), then the app is probably
compatible with the enabling of the key. If it was before that date,
then the app might not be compatible with it.
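
The compatibility question in this thread comes down to which directory a DLL name resolves from under each search order. The sketch below is an added example, not part of any post: it models the documented standard search order (ignoring KnownDLLs and already-loaded modules) and reports DLLs whose source directory changes when SafeDllSearchMode is turned on, as in the SFC.dll case described above. The directory tree and DLL names are constructed placeholders.

```python
import os
import tempfile

def search_order(app_dir, cwd, system_dirs, path_dirs, safe_mode):
    """Documented standard order; system_dirs = system, 16-bit system, Windows."""
    if safe_mode:   # current directory moves to after the system directories
        return [app_dir, *system_dirs, cwd, *path_dirs]
    return [app_dir, cwd, *system_dirs, *path_dirs]

def resolve(dll, order):
    """First directory in the order that holds the DLL (case-insensitive name)."""
    for d in order:
        if os.path.isdir(d) and dll.lower() in (n.lower() for n in os.listdir(d)):
            return d
    return None

def resolution_changes(dlls, app_dir, cwd, system_dirs, path_dirs=()):
    """Map each DLL whose source directory differs between modes to (legacy, safe)."""
    changed = {}
    for dll in dlls:
        legacy = resolve(dll, search_order(app_dir, cwd, system_dirs, path_dirs, False))
        safe = resolve(dll, search_order(app_dir, cwd, system_dirs, path_dirs, True))
        if legacy != safe:
            changed[dll] = (legacy, safe)
    return changed

def demo():
    """Constructed layout mirroring the SFC.dll scenario; every name is a placeholder."""
    root = tempfile.mkdtemp()
    dirs = {n: os.path.join(root, n) for n in ("app", "work", "system32", "windows")}
    for d in dirs.values():
        os.mkdir(d)
    files = (("work", "SFC.dll"), ("system32", "sfc.dll"),       # name collision
             ("app", "private.dll"), ("system32", "private.dll"),  # app dir wins anyway
             ("work", "addin.dll"))                              # only one copy exists
    for d, name in files:
        open(os.path.join(dirs[d], name), "w").close()
    changed = resolution_changes(["sfc.dll", "private.dll", "addin.dll"],
                                 dirs["app"], dirs["work"],
                                 [dirs["system32"], dirs["windows"]])
    return dirs, changed

if __name__ == "__main__":
    dirs, changed = demo()
    for dll, (legacy, safe) in changed.items():
        print(f"{dll}: {legacy} -> {safe}")
```

Only a name present in both the working directory and a system directory changes source; a private copy in the application's own directory resolves the same way in either mode.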

Guest Kelly
Posted

Re: Is it OK to enable SafeDllSearchMode?

 

How would I have known that?

 

--
All the Best,
Kelly (MS-MVP/DTS&XP)

Taskbar Repair Tool Plus!
http://www.kellys-korner-xp.com/taskbarplus!.htm

<nobuyout@gmail.com> wrote in message
news:1184001585.494249.306330@57g2000hsv.googlegroups.com...
> On Jul 9, 12:52 pm, "Kelly" <k...@mvps.org> wrote:
>> Is my Windows XP and Windows 2003 vulnerable since I do not see the
>> SafeDllSearchMode registry key?
>>
>> No. On Windows XP Service Pack 1, Windows XP Service Pack 2, Windows Server
>> 2003 and Windows Server 2003 Service Pack 1 SafeDllSearchMode is set to 1 by
>> default within the operating system code and is therefore not vulnerable.
>> Adding the registry key with a value other than 1 will change the default
>> configuration. For more information about SafeDllSearchMode configuration
>> options please read the following MSDN article.
>>
>> http://msdn2.microsoft.com/en-us/library/ms682586.aspx
>
> I am running Windows 2000, so my original question stands.

