User32.dll is a magic item.  As a programmer, if you want to take the machine over, then user32.dll is your best friend.  User32 is a system DLL that gets loaded into almost all programs, system and user, that do anything with the GUI.  User32 has a nice side benefit that it also loads other DLLs, by name.  The list of DLLs to load is stored in the registry in a string item, AppInit_Dlls.  Yes, this space is only writable by privileged processes, but if you can get yourself on the AppInit_Dlls list, you’re golden!  This is so handy that it is a common method that viruses use to attach themselves to all the processes on a system and … is how application isolation systems like Citrix Application Streaming do their work.
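Because the same AppInit_DLLs string serves both isolation products and malware, a defender's first question is simply what the value currently holds. The following audit script is an added example, not code from the original post or from Citrix; it reads the documented registry locations (native and Wow6432Node views), reports whether the mechanism is enabled, and checks each listed DLL for existence and an Authenticode signature. Resolving bare file names against System32 is an assumption made here for reporting; user32 actually loads them through the normal DLL search path.

```powershell
# Added audit example: show what AppInit_DLLs would inject through user32.dll.
# Read-only; nothing here modifies the registry.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',             # native view
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'  # 32-bit view on x64
)

function Show-Value($props, $name) {
    # Print a registry value, or mark it absent (older systems lack the gating DWORDs).
    $v = $props.$name
    if ($null -eq $v) { $v = '<not set>' }
    Write-Host ("  {0,-26}: {1}" -f $name, $v)
}

foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    Write-Host "== $key"

    # LoadAppInit_DLLs (Vista and later) switches the mechanism on or off;
    # RequireSignedAppInit_DLLs (Windows 8 and later) adds a signature requirement.
    Show-Value $props 'LoadAppInit_DLLs'
    Show-Value $props 'RequireSignedAppInit_DLLs'

    $list = [string]$props.AppInit_DLLs
    if ([string]::IsNullOrWhiteSpace($list)) {
        Write-Host "  AppInit_DLLs              : <empty>  (expected on a machine with no injector installed)"
        continue
    }

    # The value is one string; entries are separated by spaces or commas.
    foreach ($entry in ($list -split '[ ,]+' | Where-Object { $_ })) {
        # Assumption for reporting: a bare name is looked up in System32.
        $path = if ([IO.Path]::IsPathRooted($entry)) { $entry }
                else { Join-Path $env:SystemRoot "System32\$entry" }
        $exists = Test-Path -LiteralPath $path
        $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }
        Write-Host ("  entry {0} -> {1} exists={2} signature={3}" -f $entry, $path, $exists, $sig)
    }
}
```

Anything listed that you did not knowingly install, or that is unsigned or missing on disk, is worth a closer look.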

Notice above, I said ALMOST all processes link to user32.dll.

There are many processes which do not load user32.dll and if they don’t, then things that load as part of AppInit_Dlls will not get loaded.  If you’re in the application isolation business, this is not good because it means that you can’t isolate that application. 

A common question - Does Citrix Application Streaming depend on the application loading user32.dll in order for the isolation system to hook the app’s execution?

Answer: No. 

The more elaborate answer is that AIE on Presentation Server 4.0 did depend on the application loading of user32.dll, but Application Streaming does not have this limitation. 

Propeller talk on user32.dll. 

If you want to know more about hooking processes and user32.dll, here are some good and entertaining references. 

Probably best for a separate post, but the second item here is really interesting.  If you think you have a virus and do a google search for “user32.dll virus” you’ll get 574,000 hits!  Sometimes, it seems like the “fix” for a virus is worse than the virus itself.  If you delete user32.dll, you’re up a creek with no paddle!  You can hope that the Windows XP system file protection will put it back, but it’s still a scary proposition.

Consider that if you are evil, and you’re inserted into system code, then the obvious next step is to hide from anti-virus.  This must be an interesting battle.


Joe Nord