Loading a DLL Into All Processes


The AppInit_DLLs value is found in the following registry key:


HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows


All the DLLs that are specified in this value are loaded by each Microsoft Windows-based application that is running in the current log on session.



The AppInit DLLs are loaded via LoadLibrary() during the DLL_PROCESS_ATTACH of User32.dll. As a result, executables that don't link with User32.dll will not load the AppInit DLLs. There are very few executables that don't link with User32.dll.


Because of their early loading, only API functions exported from Kernel32.dll are safe to use within the initialization of the AppInit DLLs.


The AppInit_DLLs value has type REG_SZ. This value should specify a NULL- terminated string of DLLs, which is delimited by spaces or commas. Because spaces are used as delimiters, no long file names should be used. The system does not recognize semicolons as delimiters for these DLLs.


Only the first 32 characters of the AppInit_DLLs value are picked up by the system. Because of this 32-character limit, all of the AppInit DLLs should be located within the SYSTEM32 directory. This eliminates the need to include a path, thus allowing multiple DLLs to be specified.


Normally, only the Administrators group and the LocalSystem account have write access to the key containing the AppInit_DLLs value.