DllMain entry point (Process.h) - Win32 apps (2023)

  • Article
  • 8 minutes to read

An optional entry point into a dynamic-link library (DLL). When the system starts or terminates a process or thread, it calls the entry-point function for each loaded DLL using the first thread of the process. The system also calls the entry-point function for a DLL when it is loaded or unloaded using the LoadLibrary and FreeLibrary functions.


BOOL WINAPI DllMain( HINSTANCE hinstDLL, // handle to DLL module DWORD fdwReason, // reason for calling function LPVOID lpvReserved ) // reserved{ // Perform actions based on the reason for calling. switch( fdwReason ) { case DLL_PROCESS_ATTACH: // Initialize once for each new process. // Return FALSE to fail DLL load. break; case DLL_THREAD_ATTACH: // Do thread-specific initialization. break; case DLL_THREAD_DETACH: // Do thread-specific cleanup. break; case DLL_PROCESS_DETACH: if (lpvReserved != nullptr) { break; // do not do cleanup if process termination scenario } // Perform any necessary cleanup. break; } return TRUE; // Successful DLL_PROCESS_ATTACH.}

This is an example from the Dynamic-Link Library Entry-Point Function.


There are significant limits on what you can safely do in a DLL entry point. See General Best Practices for specific Windows APIs that are unsafe to call in DllMain. If you need anything but the simplest initialization then do that in an initialization function for the DLL. You can require applications to call the initialization function after DllMain has run and before they call any other functions in the DLL.


BOOL WINAPI DllMain( _In_ HINSTANCE hinstDLL, _In_ DWORD fdwReason, _In_ LPVOID lpvReserved);


hinstDLL [in]

A handle to the DLL module. The value is the base address of the DLL. The HINSTANCE of a DLL is the same as the HMODULE of the DLL, so hinstDLL can be used in calls to functions that require a module handle.

fdwReason [in]

The reason code that indicates why the DLL entry-point function is being called. This parameter can be one of the following values.

The DLL is being loaded into the virtual address space of the current process as a result of the process starting up or as a result of a call to LoadLibrary. DLLs can use this opportunity to initialize any instance data or to use the TlsAlloc function to allocate a thread local storage (TLS) index.
The lpvReserved parameter indicates whether the DLL is being loaded statically or dynamically.
The DLL is being unloaded from the virtual address space of the calling process because it was loaded unsuccessfully or the reference count has reached zero (the processes has either terminated or called FreeLibrary one time for each time it called LoadLibrary).
The lpvReserved parameter indicates whether the DLL is being unloaded as a result of a FreeLibrary call, a failure to load, or process termination.
The DLL can use this opportunity to call the TlsFree function to free any TLS indices allocated by using TlsAlloc and to free any thread local data.
Note that the thread that receives the DLL_PROCESS_DETACH notification is not necessarily the same thread that received the DLL_PROCESS_ATTACH notification.
The current process is creating a new thread. When this occurs, the system calls the entry-point function of all DLLs currently attached to the process. The call is made in the context of the new thread. DLLs can use this opportunity to initialize a TLS slot for the thread. A thread calling the DLL entry-point function with DLL_PROCESS_ATTACH does not call the DLL entry-point function with DLL_THREAD_ATTACH.
Note that a DLL's entry-point function is called with this value only by threads created after the DLL is loaded by the process. When a DLL is loaded using LoadLibrary, existing threads do not call the entry-point function of the newly loaded DLL.
A thread is exiting cleanly. If the DLL has stored a pointer to allocated memory in a TLS slot, it should use this opportunity to free the memory. The system calls the entry-point function of all currently loaded DLLs with this value. The call is made in the context of the exiting thread.

lpvReserved [in]

If fdwReason is DLL_PROCESS_ATTACH, lpvReserved is NULL for dynamic loads and non-NULL for static loads.

If fdwReason is DLL_PROCESS_DETACH, lpvReserved is NULL if FreeLibrary has been called or the DLL load failed and non-NULL if the process is terminating.

Return value

When the system calls the DllMain function with the DLL_PROCESS_ATTACH value, the function returns TRUE if it succeeds or FALSE if initialization fails. If the return value is FALSE when DllMain is called because the process uses the LoadLibrary function, LoadLibrary returns NULL. (The system immediately calls your entry-point function with DLL_PROCESS_DETACH and unloads the DLL.) If the return value is FALSE when DllMain is called during process initialization, the process terminates with an error. To get extended error information, call GetLastError.

When the system calls the DllMain function with any value other than DLL_PROCESS_ATTACH, the return value is ignored.


DllMain is a placeholder for the library-defined function name. You must specify the actual name you use when you build your DLL. For more information, see the documentation included with your development tools.

During initial process startup or after a call to LoadLibrary, the system scans the list of loaded DLLs for the process. For each DLL that has not already been called with the DLL_PROCESS_ATTACH value, the system calls the DLL's entry-point function. This call is made in the context of the thread that caused the process address space to change, such as the primary thread of the process or the thread that called LoadLibrary. Access to the entry point is serialized by the system on a process-wide basis. Threads in DllMain hold the loader lock so no additional DLLs can be dynamically loaded or initialized.

If the DLL's entry-point function returns FALSE following a DLL_PROCESS_ATTACH notification, it receives a DLL_PROCESS_DETACH notification and the DLL is unloaded immediately. However, if the DLL_PROCESS_ATTACH code throws an exception, the entry-point function will not receive the DLL_PROCESS_DETACH notification.

There are cases in which the entry-point function is called for a terminating thread even if the entry-point function was never called with DLL_THREAD_ATTACH for the thread:

  • The thread was the initial thread in the process, so the system called the entry-point function with the DLL_PROCESS_ATTACH value.
  • The thread was already running when a call to the LoadLibrary function was made, so the system never called the entry-point function for it.

When a DLL is unloaded from a process as a result of an unsuccessful load of the DLL, termination of the process, or a call to FreeLibrary, the system does not call the DLL's entry-point function with the DLL_THREAD_DETACH value for the individual threads of the process. The DLL is only sent a DLL_PROCESS_DETACH notification. DLLs can take this opportunity to clean up all resources for all threads known to the DLL.

When handling DLL_PROCESS_DETACH, a DLL should free resources such as heap memory only if the DLL is being unloaded dynamically (the lpvReserved parameter is NULL). If the process is terminating (the lpvReserved parameter is non-NULL), all threads in the process except the current thread either have exited already or have been explicitly terminated by a call to the ExitProcess function, which might leave some process resources such as heaps in an inconsistent state. In this case, it is not safe for the DLL to clean up the resources. Instead, the DLL should allow the operating system to reclaim the memory.

If you terminate a process by calling TerminateProcess or TerminateJobObject, the DLLs of that process do not receive DLL_PROCESS_DETACH notifications. If you terminate a thread by calling TerminateThread, the DLLs of that thread do not receive DLL_THREAD_DETACH notifications.

The entry-point function should perform only simple initialization or termination tasks. It must not call the LoadLibrary or LoadLibraryEx function (or a function that calls these functions), because this may create dependency loops in the DLL load order. This can result in a DLL being used before the system has executed its initialization code. Similarly, the entry-point function must not call the FreeLibrary function (or a function that calls FreeLibrary) during process termination, because this can result in a DLL being used after the system has executed its termination code.

Because Kernel32.dll is guaranteed to be loaded in the process address space when the entry-point function is called, calling functions in Kernel32.dll does not result in the DLL being used before its initialization code has been executed. Therefore, the entry-point function can call functions in Kernel32.dll that do not load other DLLs. For example, DllMain can create synchronization objects such as critical sections and mutexes, and use TLS. Unfortunately, there is not a comprehensive list of safe functions in Kernel32.dll.

Calling functions that require DLLs other than Kernel32.dll may result in problems that are difficult to diagnose. For example, calling User, Shell, and COM functions can cause access violation errors, because some functions load other system components. Conversely, calling functions such as these during termination can cause access violation errors because the corresponding component may already have been unloaded or uninitialized.

Because DLL notifications are serialized, entry-point functions should not attempt to communicate with other threads or processes. Deadlocks may occur as a result.

For information on best practices when writing a DLL, see Dynamic-link library best practices.

If your DLL is linked with the C run-time library (CRT), the entry point provided by the CRT calls the constructors and destructors for global and static C++ objects. Therefore, these restrictions for DllMain also apply to constructors and destructors and any code that is called from them.

Consider calling DisableThreadLibraryCalls when receiving DLL_PROCESS_ATTACH, unless your DLL is linked with static C run-time library (CRT).


Minimum supported client
Windows XP [desktop apps only]
Minimum supported server
Windows Server 2003 [desktop apps only]

See also

Dynamic-Link Library Entry-Point Function

Dynamic-Link Library Functions








What is DllMain used for? ›

DllMain is a placeholder for the library-defined function name. You must specify the actual name you use when you build your DLL. For more information, see the documentation included with your development tools.

Is DllMain necessary? ›

DllMain is not mandatory. If you have some initialization code required to run when loading the dll, you should create a DllMain function, and treat the initialization there. Otherwise it's not required.

Does a DLL need an entry point? ›

A DLL can optionally specify an entry-point function. If present, the system calls the entry-point function whenever a process or thread loads or unloads the DLL. It can be used to perform simple initialization and cleanup tasks.

How to find function names in DLL? ›

dll, by running a variety of command-line tools. For example, you can use dumpbin /exports user32. dll or link /dump /exports user32. dll to obtain function names.

How are DLLs used by malware? ›

DLL hijacking is a method of injecting malicious code into an application by exploiting the way some Windows applications search and load Dynamic Link Libraries (DLL). Only Microsoft operating systems are susceptible to DLL hijacks.

Can DLLs be a virus? ›

Generally speaking, DLL files can't contain viruses because they don't have any built-in methods for self-propagation. However, a program that loads one or more DLLs can be infected with malware if it doesn't correctly filter user input before loading the libraries.

Is it OK to delete DLL? ›

dll files are system files. Deleting the wrong one may cause your computer to crash, so never delete a . dll file unless you're absolutely sure of its function.

What is DLL is missing from your computer? ›

DLL, short for Dynamic Link Library, is a type of essential file that contains a set of instructions used for running almost every program in Windows 10, Windows 8, and Windows 7. If the DLL files are missing from Windows operating system, you may not be able to run the programs or applications you need.

Why do I get DLL errors? ›

dll error messages may occur due to several reasons such as faulty applications, malicious software, damaged Windows registry, corrupt system files, etc. Many Windows users are reporting different types of dll errors on Microsoft, Google and other technology forums and are looking for ways to fix them.

How can I tell if a DLL is used? ›

The following are common methods used to determine DLLs loaded into a process:
  1. Windows Native Method. The native solution in Windows is to run the following: C:\Windows\System32\perfmon.exe /res. ...
  2. SysInternals Process Explorer. ...
  3. SysInternals Process Monitor (ProcMon)
Feb 17, 2022

What happens when a DLL is loaded? ›

Every process that loads the DLL maps it into its virtual address space. After the process loads the DLL into its virtual address, it can call the exported DLL functions. The system maintains a per-process reference count for each DLL. When a thread loads the DLL, the reference count is incremented by one.

Where are DLL looked for? ›

For a list of known DLLs on the current system, see the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs .

How can I check all DLL files? ›

There is no easy or quick way to verify system DLL's or EXE's, the only method Microsoft provides is to use the SFC or DISM commands to check system files. Please provide more information on your question, what files do you believe are suspicious and what problem are you experiencing with your Windows installation.

How do you expose a function in a DLL? ›

You can export functions from a DLL using two methods:
  1. Create a module definition (. def) file and use the . def file when building the DLL. Use this approach if you want to export functions from your DLL by ordinal rather than by name.
  2. Use the keyword __declspec(dllexport) in the function's definition.
Aug 3, 2021

How to decompile a DLL? ›

  1. Open up the Reflector.exe,
  2. Go to View and click Add-Ins,
  3. In the Add-Ins window click Add...,
  4. Then find the dll you have downloaded FileGenerator. ...
  5. Then close the Add-Ins window.
  6. Go to File and click Open and choose the dll that you want to decompile,
  7. After you have opend it, it will appear in the tree view,
Apr 23, 2010

What are the ways hackers will use a DLL? ›

DLLs are executed in the memory of the calling process, with the same access permissions. This means that there is no protection for the calling EXE if the DLL contains any anomalies. Malicious attackers may exploit this fact by using methods such as DLL Hijacking or DLL Proxying to execute their malicious code.

Is DLL a Trojan? ›

dll file, a module that assists the DNS client service in the Windows operating system, essentially by caching the Domain Name System (DNS) names requested during a web browsing session. Due to its behavior, the trojan is also referred to as a 'DLL patcher'.

Can a DLL be hacked? ›

DLL hijacking is a common and difficult-to-detect cyberattack that allows hackers to execute malicious code using a Dynamic Link Library file.

Can a DLL be malicious? ›

Based on our research and observations, there are three types of malicious DLLs. DLLs mostly written to an unprivileged path. DLLs that are unsigned. DLLs that are loaded by a signed process, whether by a utility dedicated to loading DLLs (such as exe) or an executable that loads DLLs as part of its activity.

How do you know if a DLL is a virus? ›

A DLL is a Dynamic Link Library.
These signs generally occur when the virus is active in your computer:
  1. Your web browser has new extensions that you did not install.
  2. Your antivirus software has been disabled and you are unable to re-enable it.
  3. Your computer takes a long time to boot and open programs.

Why do attackers use DLLs? ›

DLL hijacking is a technique used to load malicious code for the purposes of defense evasion, persistence and privilege escalation. Rather than execute malicious code directly via an executable file, adversaries will leverage a legitimate application to load a malicious DLL file.

What happens when you delete System32 DLL? ›

If you delete the System32 folder, your computer will have the following problems: No longer be able to start up. This is because many critical system files are stored in that folder. Without those files, your computer won't be able to boot up properly.

How do I stop Windows 10 Deleting dll Files? ›

If you don't want Windows Defender to remove the . dll files, click "File Types" and type in the . dll and .exe file extension, click "Add". After this, those files that you've set to be excluded won't be removed or deleted again.

How to check if DLL is corrupted? ›

The sfc /scannow command will scan all protected system files, and replace corrupted files with a cached copy that is located in a compressed folder at %WinDir%\System32\dllcache.

What are .DLL files used for? ›

A DLL is a library that contains code and data that can be used by more than one program at the same time. For example, in Windows operating systems, the Comdlg32 DLL performs common dialog box related functions. Each program can use the functionality that is contained in this DLL to implement an Open dialog box.

What is the easiest fix for a missing DLL error? ›

Restart your PC

The easiest way to fix the missing . dll file error is to restart your PC. Many times, there are cache problems that a restart fixes automatically.

How do DLL files get corrupted? ›

If you have manually attempted to alter the contents of a file, then this too can lead to a corruption. An interrupted installation or even an interrupted execution of the DLL may also lead to a corrupt DLL error message.

Can we read DLL files? ›

Dynamic Link Library (DLL) files aren't average text files that can be opened in an editor—they contain compiled code and objects that Windows programs reference during use. If you want to see or edit the code that makes a DLL file work, you can easily do so using a decompiler.

What does DLL stand for? ›

A dynamic link library (DLL) is a collection of small programs that larger programs can load when needed to complete specific tasks. The small program, called a DLL file, contains instructions that help the larger program handle what may not be a core function of the original program.

How do I debug a DLL in Windows? ›

Debug from the DLL project
  1. Set breakpoints in the DLL project.
  2. Right-click the DLL project and choose Set as Startup Project.
  3. Make sure the Solutions Configuration field is set to Debug. Press F5, click the green Start arrow, or select Debug > Start Debugging.
Apr 29, 2022

What are all the types of DLL files? ›

There are two types of DLLs: simple and complex. A simple DLL contains only DLL code in which special code sequences are generated by the compiler for referencing functions and external variables, and using function pointers.

Can I get source code from DLL? ›

You cannot get the exact code, but you can get a decompiled version of it. The most popular (and best) tool is Reflector, but there are also other . Net decompilers (such as Dis#). You can also decompile the IL using ILDASM, which comes bundled with the .

Are DLL files machine code? ›

DLLs do contain compiled machine code. The difference is that the linking between the application EXE and the DLL is done at runtime, instead of at (traditional) link time between OBJ and LIB files.

How do I extract data from a DLL file? ›

  1. Open up the Reflector.exe,
  2. Go to View and click Add-Ins,
  3. In the Add-Ins window click Add...,
  4. Then find the dll you have downloaded FileGenerator. ...
  5. Then close the Add-Ins window.
  6. Go to File and click Open and choose the dll that you want to decompile,
  7. After you have opend it, it will appear in the tree view,
Oct 30, 2014

What is DLL Tool? ›

A dynamic link library (DLL) is a collection of small programs that larger programs can load when needed to complete specific tasks. The small program, called a DLL file, contains instructions that help the larger program handle what may not be a core function of the original program.

What is browser DLL? ›

Command. C:\Windows\System32\svchost.exe -k netsvcs. Description. Windows service that maintains an updated list of computers on the network and supplies this list to computers designated as browsers.

What is a DLL and how is it different from EXE? ›

EXE is an extension used for executable files while DLL is the extension for a dynamic link library. 2.An EXE file can be run independently while a DLL is used by other applications. 3. A DLL file can be reused by other applications while an EXE cannot.

What apps use DLL files? ›

The Microsoft Windows Visual Studio is a program that allows you to view, edit and build code into a DLL file.

Should you delete DLL files? ›

dll Files are installed by software programs while they are installed These files contain code that tells programs how to operate. If you delete . dll files programs may not work properly. We suggest you not to delete these files as they may cause serious issues with the proper functioning of the computer.

What are DLL attacks? ›

DLL Injection attacks aim to target active applications for injecting dynamic malicious code into the computer system through dynamic library. The aim of cyber attackers are achieved through pathway of attacks that load DLL into the secured, trusted applications.

What is DLL in malware analysis? ›

Learning Malware Analysis

A Dynamic-Link Library (DLL) is a module that contains functions (called exported functions or exports) that can be used by another program (such as an Executable or DLL). An executable can use the functions implemented in a DLL by importing it from the DLL.

How do you tell if a file is a DLL? ›

This info is located in the PE header. To view it, you can open it with a PE explorer such as the NTCore CFF Explorer and open the Characterics field of the file header, where you can find whether it is a DLL or executable. Save this answer.


Top Articles
Latest Posts
Article information

Author: Laurine Ryan

Last Updated: 11/21/2023

Views: 5840

Rating: 4.7 / 5 (57 voted)

Reviews: 88% of readers found this page helpful

Author information

Name: Laurine Ryan

Birthday: 1994-12-23

Address: Suite 751 871 Lissette Throughway, West Kittie, NH 41603

Phone: +2366831109631

Job: Sales Producer

Hobby: Creative writing, Motor sports, Do it yourself, Skateboarding, Coffee roasting, Calligraphy, Stand-up comedy

Introduction: My name is Laurine Ryan, I am a adorable, fair, graceful, spotless, gorgeous, homely, cooperative person who loves writing and wants to share my knowledge and understanding with you.