wiredx
asked on
Unload dll from system exe
Hi,
I need to unload dnsapi.dll from lsass.exe which is running - without killing lsass.exe that is.
I've tried using code (freelibrary) from http://www.codeguru.com/Cpp/W-P/files/fileio/article.php/c1287/ but I can't seem to make it work.
Could someone help me with the code? If possible provide fuller code..
Regards,
Kelvin
>>I need to unload dnsapi.dll from lsass.exe which is running - without killing lsass.exe that is
You can neither kill lsass.exe nor can you force it to unload a DLL. Registry entries won't work here either. What is the purpose of that "bold venture"?
ASKER
the purpose is that dnsapi.dll is some kinda override for c:\windows\system32\drivers\etc\hosts and i wanna find out how to disable it
ASKER
well... open up dnsapi.dll in a hex editor, and u will find that there are predefined entries for these domain names.
maybe now u will understand why I'm trying to unload it =P
5/15/2004 12:59:13 AM
Search String: microsoft.com
Replace String: halted
Path: C:\WINDOWS\system32\
File Mask: dnsapi.dll
Search Subdirectories, Search ZIP Files
Offset 0x83d3 - go.<microsoft.com>
Offset 0x83e9 - msdn.<microsoft.com>
Offset 0x83ff - office.<microsoft.com>
Offset 0x8420 - microsoftupdate.<microsoft.com>
Offset 0x8438 - wustats.<microsoft.com>
Offset 0x8450 - support.<microsoft.com>
Offset 0x8464 - www.<microsoft.com>
Offset 0x8474 - <microsoft.com>
Offset 0x848b - update.<microsoft.com>
Offset 0x84a5 - download.<microsoft.com>
Offset 0x84ea - windowsupdate.<microsoft.com>
Sorry, there are no such entries in that file...
ASKER
there isn't? even in hex? try looking at the offsets.
Steps to do that:
Open your registry and find the key [HKEY_LOCAL_MACHINE\SOFTWA
Create a new sub-key named 'AlwaysUnloadDLL' and set the default value to equal '1' to disable Windows caching the DLL in memory.
Restart Windows for the change to take effect.
Registry Settings
System Key: [HKEY_LOCAL_MACHINE\SOFTWA
AlwaysUnloadDLL]
Value Name: Default
Data Type: REG_SZ (String Value)
Value Data: (1 = enable)
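The disagreement above about whether the file contains these strings can be checked directly. The following is an added example, not code from the thread: it scans a file for hostnames ending in a given domain, stored either as ASCII or as UTF-16LE, since a plain text search finds only one of the two. The function name `find_hosts` and the sample bytes are assumptions made for illustration.

```python
import re
import sys

LABEL = rb"[A-Za-z0-9-]"  # characters allowed in one hostname label


def find_hosts(data: bytes, domain: str):
    """Return sorted (offset, encoding, hostname) tuples for each hostname
    ending in `domain` that is stored in `data` as ASCII or UTF-16LE."""
    patterns = {
        # Narrow string: optional "label." prefixes, then the domain itself.
        "ascii": rb"(?<!" + LABEL + rb")(?:" + LABEL + rb"+\.)*"
                 + re.escape(domain.encode("ascii")),
        # Wide string: the same text with a NUL byte after every character.
        "utf-16-le": rb"(?<!" + LABEL + rb"\x00)(?:(?:" + LABEL
                     + rb"\x00)+\.\x00)*"
                     + re.escape(domain.encode("utf-16-le")),
    }
    hits = []
    for enc, pat in patterns.items():
        for m in re.finditer(pat, data, re.IGNORECASE):
            # Offset is where the full hostname starts, not the domain part.
            hits.append((m.start(), enc, m.group().decode(enc).lower()))
    return sorted(hits)


# Constructed sample standing in for a DLL's data section
# (these are NOT bytes taken from a real dnsapi.dll).
SAMPLE = (
    b"\x90" * 8
    + b"go.microsoft.com\x00" + b"\x00" * 3
    + "windowsupdate.microsoft.com".encode("utf-16-le") + b"\x00\x00"
    + b"notmicrosoft.com\x00"  # different domain, must not be reported
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:  # path to a copy of the file
            blob = fh.read()
    else:
        blob = SAMPLE
    for offset, enc, host in find_hosts(blob, "microsoft.com"):
        print(f"Offset {offset:#06x} - {host} ({enc})")
```

Run it against a copy of the DLL rather than the file in system32. The offsets it prints mark the start of each hostname, so they may differ by a few bytes from those of the search tool quoted above.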