Windows Server 2008: DLL Loader and Address Space Load Randomization

There are only three weeks to go until Launch Day. Today, we're going to talk about the Dynamic Link Library (DLL) Loader and Address Space Load Randomization. In Windows Vista and Windows Server 2008, when talking about process and thread creation, it is important to understand the role of the DLL Loader. The user-mode DLL Loader is invoked every time a process or thread is created to complete the following tasks, as needed, for the DLLs required by that process or thread:

  • Determine appropriate DLL load order and resolve dependencies
  • Load all required DLLs
  • Unload DLLs when they are no longer needed

Starting with Windows Vista, several improvements were made to the DLL Loader that provide benefits such as improved process creation time and fewer reboots as a result of system DLL servicing. Let's look at each of these in turn, beginning with the improved process creation time. When you think about process creation, a significant portion of the creation time is spent resolving DLL dependencies and processing DLL imports. Improvements to the import processing algorithms have reduced this processing time significantly. For some applications that are heavily dependent on DLLs, the end-to-end process creation time may be improved by as much as ten percent.

You're all probably familiar with the fact that in earlier versions of Windows, if you had to update a system DLL, you had to reboot the system. This was because there was no mechanism in place to identify which system service had loaded the DLL in question. Thus, in order for the file update to take effect, you had to reboot the entire system to ensure that the older version of the DLL was completely unloaded and the updated DLL was loaded in its place. With Windows Server 2008, the enhanced loader management allows the system to maintain a complete list of the services that have loaded a particular DLL. If that DLL is updated, the system can identify and restart the specific services that use it, as opposed to rebooting the entire system. Downtime is decreased and overall system uptime is increased, with the added benefit of the system being updated. However, it is important to note that this does not apply to all system DLLs. Core system DLLs such as NTDLL.DLL and Kernel32.DLL will still require a reboot when they are updated.
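As an added example (not code from the original article or from Microsoft), here is the same "who has this DLL loaded" inventory performed from the administrator's side in PowerShell: it lists every process that currently has a given DLL mapped and the Windows services hosted in each of those processes, which is exactly the set that would need to restart if that DLL were serviced. The DLL name passed in is a constructed sample value; the script uses only the standard `Get-Process` and `Win32_Service` interfaces.

```powershell
# Added example, not from the original article: report which processes have a
# given DLL loaded, and which services live in those processes, so you can see
# what a DLL update would require restarting. Run elevated to see all processes.
param(
    [Parameter(Mandatory = $true)]
    [string]$DllName            # constructed sample: e.g. 'bcrypt.dll'
)

# Map process IDs to the service names hosted in them (a process such as
# svchost.exe can host several services). Stopped services report PID 0.
$servicesByPid = @{}
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.ProcessId -ne 0 } |
    ForEach-Object {
        if (-not $servicesByPid.ContainsKey($_.ProcessId)) {
            $servicesByPid[$_.ProcessId] = @()
        }
        $servicesByPid[$_.ProcessId] += $_.Name
    }

$hits = foreach ($proc in Get-Process) {
    # Reading .Modules throws "Access is denied" for protected or
    # higher-integrity processes when not elevated; skip those rather than
    # aborting the whole scan.
    try {
        $mod = $proc.Modules | Where-Object { $_.ModuleName -ieq $DllName }
    } catch { continue }

    if ($mod) {
        [pscustomobject]@{
            Pid      = $proc.Id
            Process  = $proc.ProcessName
            Path     = ($mod | Select-Object -First 1).FileName
            # Win32_Service.ProcessId is UInt32; cast so the hashtable key matches.
            Services = ($servicesByPid[[uint32]$proc.Id] -join ', ')
        }
    }
}

$hits | Sort-Object Pid | Format-Table -AutoSize
```

Processes that were skipped because of access restrictions do not appear in the output, so an empty Services column for a given PID means no service is hosted there, not that none could be read.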
