It appears that on a particular system, dbghelp.dll is being loaded into all processes. Since I believe this to not be normal behavior, I am guessing that it is being injected by some other application. Is there a way to track down which app is doing this?

The actual problem is that this injection is causing the system32\dbghelp.dll to be loaded ahead of our own installed version. And this is a prob, b/c we need to be loading our installed version 6.7.5.0 which includes SymGetSymbolFile that is not found in the older dll.

I am currently taking bets that some other app, anti-virus software, or virus is calling CreateProcessWithDll() to load dbghelp.dll into all apps at execution time. I just need some way to figure out who is doing this.
1 Answer
Check with gflags.exe (from the WinDbg package) if there are any global flags set on that system. Some of those might result in the symbols for the process being loaded automatically, which would explain why dbghelp.dll is loaded.

Franci Penov
Ah, good to know. It is worth keeping in mind when looking at these types of issues. It turns out that in this case the culprit was SurveyClientNT.EXE, which the user reports is an IT-installed software inventory tracking tool. I would still love to know how to track the DLL injection source more elegantly... instead of the brute-force method that we used, which consisted of app removal/reboot until the problem went away. – user495313 Nov 05 '10 at 15:01
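
The global-flags check suggested in the answer can also be scripted. The following is an added example, not part of the original answer or comment: it reads the registry values that gflags.exe edits and then lists which copy of dbghelp.dll each process has mapped. The two registry paths are the standard locations for system-wide and per-image global flags and are an assumption here, since the page does not name them.

```powershell
# Added example: inspect the settings gflags.exe edits, then show which
# dbghelp.dll each process loaded. Run from an elevated prompt.

# Assumed standard registry locations (not given on the page).
$sessionMgr = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# 1. System-wide global flags. A missing value is treated as 0 (no flags set).
$global = (Get-ItemProperty -Path $sessionMgr -Name GlobalFlag -ErrorAction SilentlyContinue).GlobalFlag
if ($null -eq $global) { $global = 0 }
'System-wide GlobalFlag: 0x{0:X8}' -f $global

# 2. Per-image global flags. Only images with a GlobalFlag value are listed.
#    The value may be stored as a number or as a string, so it is shown raw.
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    if ($null -ne $p.GlobalFlag) {
        [pscustomobject]@{
            Image      = $_.PSChildName
            GlobalFlag = $p.GlobalFlag
        }
    }
} | Format-Table -AutoSize

# 3. Which copy of dbghelp.dll is mapped into each process, with its version,
#    so the system32 copy can be told apart from the application's own 6.7.5.0.
Get-Process | ForEach-Object {
    $proc = $_
    try {
        $proc.Modules |
            Where-Object { $_.ModuleName -ieq 'dbghelp.dll' } |
            ForEach-Object {
                [pscustomobject]@{
                    Process = $proc.ProcessName
                    Id      = $proc.Id
                    Path    = $_.FileName
                    Version = $_.FileVersionInfo.FileVersion
                }
            }
    } catch {
        # Protected or already-exited processes cannot be enumerated; skip them.
    }
} | Sort-Object Path, Process | Format-Table -AutoSize
```

A 32-bit PowerShell session cannot enumerate the modules of 64-bit processes, so on 64-bit Windows run this from the 64-bit console.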