This article needs additional citations for verification .(November 2024) |
DLL hell is an umbrella term for the complications that arise when one works with dynamic-link libraries (DLLs) used with older Microsoft Windows operating systems, [1] particularly legacy 16-bit editions, which all run in a single memory space. DLL hell can appear in many different ways, wherein affected programs may fail to run correctly, if at all. It is the Windows ecosystem-specific form of the general concept dependency hell.
DLLs are Microsoft's implementation of shared libraries. Shared libraries allow common code to be bundled into a wrapper, the DLL, which is used by any application software on the system without loading multiple copies into memory. A simple example might be the GUI text editor, which is widely used by many programs. By placing this code in a DLL, all the applications on the system can use it without using more memory. This contrasts with static libraries, which are functionally similar but copy the code directly into the application. In this case, every application grows by the size of all the libraries it uses, and this can be quite large for modern programs.
The problem arises when the version of the DLL on the computer is different than the version that was used when the program was being created. DLLs have no built-in mechanism for backward compatibility, and even minor changes to the DLL can render its internal structure so different from previous versions that attempting to use them will generally cause the application to crash. Static libraries avoid this problem because the version that was used to build the application is included inside it, so even if a newer version exists elsewhere on the system, this does not affect the application.
A key reason for the version incompatibility is the structure of the DLL file. The file contains a directory of the individual methods (procedures, routines, etc.) contained within the DLL and the types of data they take and return. Even minor changes to the DLL code can cause this directory to be re-arranged, in which case an application that calls a particular method believing it to be the 4th item in the directory might end up calling an entirely different and incompatible routine, which would normally cause the application to crash.
There are several problems commonly encountered with DLLs, especially after numerous applications have been installed and uninstalled on a system. The difficulties include conflicts between DLL versions, difficulty in obtaining required DLLs, and having many unnecessary DLL copies.
Solutions to these problems were known even while Microsoft was writing the DLL system.[ citation needed ] These have been incorporated into the .NET replacement, "Assemblies".
A particular version of a library can be compatible with some programs that use it and incompatible with others. Windows has been particularly vulnerable to this because of its emphasis on dynamic linking of C++ libraries and Object Linking and Embedding (OLE) objects. C++ classes export many methods, and a single change to the class, such as a new virtual method, can make it incompatible with programs that were built against an earlier version. Object Linking and Embedding has very strict rules to prevent this: interfaces are required to be stable, and memory managers are not shared. This is insufficient, however, because the semantics of a class can change. A bug fix for one application may result in the removal of a feature from another. Before Windows 2000, Windows was vulnerable to this because the COM class table was shared across all users and processes. Only one COM object in one DLL/EXE could be declared as having a specific global COM Class ID on a system. If any program needed to create an instance of that class, it got whatever was the current centrally registered implementation. As a result, an installation of a program that installed a new version of a common object might inadvertently break other programs that were previously installed.
A common and troublesome problem occurs when a newly installed program overwrites a working system DLL with an earlier, incompatible version. Early examples of this were the ctl3d.dll
and ctl3dv2.dll
libraries for Windows 3.1: Microsoft-created libraries that third-party publishers would distribute with their software, but each distributing the version they developed with rather than the most recent version. [2] DLL stomping occurs because:
In COM and other parts of Windows, prior to the introduction of side-by-side registry-free assemblies, [5] the Registry was used for determining which underlying DLL to use. If a different version of a module was registered, this DLL would be loaded instead of the expected one. This scenario could be caused by conflicting installations that register different versions of the same libraries, in which case the last installation would prevail.
16-bit versions of Windows (and Windows on Windows) load only one instance of any given DLL; all applications reference the same in-memory copy, until no applications are using it and it is unloaded from memory. (For 32-bit and 64-bit versions of Windows, inter-process sharing occurs only where different executables load a module from exactly the same directory; the code but not the stack is shared between processes through a process called "memory mapping".) Thus, even when the desired DLL is located in a directory where it can be expected to be found, such as in the system directory or the application directory, neither of these instances will be used if another application has started with an incompatible version from a third directory. This issue can manifest itself as a 16-bit application error that occurs only when applications are started in a specific order.
In direct conflict with the DLL stomping problem: If updates to a DLL do not affect all applications that use it, then it becomes much harder to "service" the DLL – that is, to eliminate problems that exist in the current versions of the DLL. (Security fixes are a particularly compelling and painful case.) Instead of fixing just the latest version of the DLL, the implementor must ideally make their fixes and test them for compatibility on every released version of the DLL.
DLL incompatibility has been caused by:
%PATH%
environment variable, both of which vary over time and from system to system, to find dependent DLLs (instead of loading them from an explicitly configured directory);DLL hell was a very common phenomenon on pre-Windows NT versions of Microsoft operating systems, the primary cause being that the 16-bit operating systems did not restrict processes to their own memory space, thereby not allowing them to load their own version of a shared module that they were compatible with. Application installers were expected to be good citizens and verify DLL version information before overwriting the existing system DLLs. Standard tools to simplify application deployment (which always involves shipping the dependent operating-system DLLs) were provided by Microsoft and other 3rd-party tools vendors. Microsoft even required application vendors to use a standard installer and have their installation program certified to work correctly, before being granted use of the Microsoft logo. The good-citizen installer approach did not mitigate the problem, as the rise in popularity of the Internet provided more opportunities to obtain non-conforming applications.
Windows searches several locations for ambiguously DLLs, i.e. ones not fully qualified. Malwares can exploit this behavior in several ways collectively known as DLL search order hijacking. One method is DLL preloading or a binary planting attack. It places DLL files with the same name in a location that is searched earlier, such as the current working directory. When the vulnerable program tries to load the DLL, the malicious version is executed, possibly at high privilege levels if the program runs at that level. [6]
Another method is relative path DLL hijacking, which moves the vulnerable program to a location together with the malicious DLL. The DLL is loaded because the application's directory is searched early. According to CrowdStrike, this method is the most common. [7] DLL sideloading delivers both the legitimate program and malicious library. It may avoid detection because the execution seems as running a reputable program. [8]
Other methods include phantom DLL hijacking, where a malicious DLL file is created against references to a non-existent library, and changing registry values to abuse DLL redirection, which changes the DLL search order. [6]
DLL hijacking was used by state-sponsored groups including Lazarus Group and Tropic Trooper. [8]
Various forms of DLL hell have been solved or mitigated over the years.
A simple solution to DLL hell in an application is to statically link all the libraries, i.e. to include the library version required in the program, instead of picking up a system library with a specified name. [9] This is common in C/C++ applications, where, instead of having to worry about which version of MFC42.DLL
is installed, the application is compiled to be statically linked against the same libraries. This eliminates the DLLs entirely and is possible in standalone applications using only libraries that offer a static option, as Microsoft Foundation Class Library does. However, the main purpose of DLLs – runtime library sharing between programs to reduce memory overhead – is sacrificed; duplicating library code in several programs creates software bloat and complicates the deployment of security fixes or newer versions of dependent software.
The DLL overwriting problem (referred to as DLL Stomping by Microsoft) was somewhat reduced with Windows File Protection (WFP), [10] which was introduced in Windows 2000. [11] This prevents unauthorized applications from overwriting system DLLs, unless they use the specific Windows APIs that permit this. There may still be a risk that updates from Microsoft are incompatible with existing applications, but this risk is typically reduced in current versions of Windows through the use of side-by-side assemblies.
Third-party applications cannot stomp on OS files unless they bundle legitimate Windows updates with their installer, or if they disable the Windows File Protection service during installation, and on Windows Vista or later also take ownership of system files and grant themselves access. The SFC utility could revert these changes at any time.
The solutions here consist of having different copies of the same DLLs for each application, both on disk and in memory.
An easy manual solution to conflicts was placing the different versions of the problem DLL into the applications' folders, rather than a common system-wide folder. This works in general as long as the application is 32-bit or 64-bit, and that the DLL does not use shared memory. In the case of 16-bit applications, the two applications cannot be executed simultaneously on a 16-bit platform, or in the same 16-bit virtual machine under a 32-bit operating system. OLE prevented this before Windows 98 SE/2000, because earlier versions of Windows had a single registry of COM objects for all applications.
Windows 98 SE/2000 introduced a solution called side-by-side assembly , [12] which loads separate copies of DLLs for each application that requires them (and thus allows applications that require conflicting DLLs to run simultaneously). This approach eliminates conflicts by allowing applications to load unique versions of a module into their address space, while preserving the primary benefit of sharing DLLs between applications (i.e. reducing memory use) by using memory mapping techniques to share common code between different processes that do still use the same module. Yet DLLs using shared data between multiple processes cannot take this approach. [13] One negative side effect is that orphaned instances of DLLs may not be updated during automated processes.
Depending on the application architecture and runtime environment, portable applications may be an effective way to reduce some DLL problems, since every program bundles its own private copies of any DLLs it requires. [11] The mechanism relies on applications not fully qualifying the paths to dependent DLLs when loading them, and the operating system searching the executable directory before any shared location. [14] However this technique can also be exploited by malware, [15] and the increased flexibility may also come at the expense of security if the private DLLs are not kept up to date with security patches in the same way that the shared ones are.
Application virtualization can also allow applications to run in a "bubble", which avoids installing DLL files directly into the operating system.
There are other countermeasures to avoid DLL hell, some of which may have to be used simultaneously; some other features that help to mitigate the problem are:
A shared library or shared object is a computer file that contains executable code designed to be used by multiple computer programs or other libraries at runtime.
The Portable Executable (PE) format is a file format for executables, object code, DLLs and others used in 32-bit and 64-bit versions of Windows operating systems, and in UEFI environments. The PE format is a data structure that encapsulates the information necessary for the Windows OS loader to manage the wrapped executable code. This includes dynamic library references for linking, API export and import tables, resource management data and thread-local storage (TLS) data. On NT operating systems, the PE format is used for EXE, DLL, SYS, MUI and other file types. The Unified Extensible Firmware Interface (UEFI) specification states that PE is the standard executable format in EFI environments.
Windows 9x is a generic term referring to a line of discontinued Microsoft Windows operating systems from 1995 to 2000, which were based on the Windows 95 kernel and its underlying foundation of MS-DOS, both of which were updated in subsequent versions. The first version in the 9x series was Windows 95, which was succeeded by Windows 98 and then Windows Me, which was the third and last version of Windows on the 9x line, until the series was superseded by Windows XP.
Btrieve is a transactional database software product. It is based on Indexed Sequential Access Method (ISAM), which is a way of storing data for fast retrieval. There have been several versions of the product for DOS, Linux, older versions of Microsoft Windows, 32-bit IBM OS/2 and for Novell NetWare.
Multilingual User Interface (MUI) enables the localization of the user interface of an application.
Dependency hell is a colloquial term for the frustration of some software users who have installed software packages which have dependencies on specific versions of other software packages.
The Windows Registry is a hierarchical database that stores low-level settings for the Microsoft Windows operating system and for applications that opt to use the registry. The kernel, device drivers, services, Security Accounts Manager, and user interfaces can all use the registry. The registry also allows access to counters for profiling system performance.
The Global Assembly Cache (GAC) is a machine-wide CLI assembly cache for the Common Language Infrastructure (CLI) in Microsoft's .NET Framework. The approach of having a specially controlled central repository addresses the flaws in the shared library concept and helps to avoid pitfalls of other solutions that led to drawbacks like DLL hell.
In computer science, a static library or statically linked library is a set of routines, external functions and variables which are resolved in a caller at compile-time and copied into a target application by a compiler, linker, or binder, producing an object file and a stand-alone executable. This executable and the process of compiling it are both known as a static build of the program. Historically, libraries could only be static. Static libraries are either merged with other static libraries and object files during building/linking to form a single executable or loaded at run-time into the address space of their corresponding executable at a static memory offset determined at compile-time/link-time.
A dynamic-link library (DLL) is a shared library in the Microsoft Windows or OS/2 operating system.
System File Checker (SFC) is a utility in Microsoft Windows that allows users to scan for and restore corrupted Windows system files.
As the next version of Windows NT after Windows 2000, as well as the successor to Windows Me, Windows XP introduced many new features but it also removed some others.
In computing, a dynamic linker is the part of an operating system that loads and links the shared libraries needed by an executable when it is executed, by copying the content of libraries from persistent storage to RAM, filling jump tables and relocating pointers. The specific operating system and executable format determine how the dynamic linker functions and how it is implemented.
The Microsoft Windows operating system supports a form of shared libraries known as "dynamic-link libraries", which are code libraries that can be used by multiple processes while only one copy is loaded into memory. This article provides an overview of the core libraries that are included with every modern Windows installation, on top of which most Windows applications are built.
Visual Basic (VB) before .NET, sometimes referred to as Classic Visual Basic, is a third-generation programming language, based on BASIC, and an integrated development environment (IDE), from Microsoft for Windows known for supporting rapid application development (RAD) of graphical user interface (GUI) applications, event-driven programming and both consumption and development of components via the Component Object Model (COM) technology.
Program Files is the directory name of a standard folder in Microsoft Windows operating systems in which applications that are not part of the operating system are conventionally installed. Typically, each application installed under the 'Program Files' directory will have a subdirectory for its application-specific resources. Shared resources, for example resources used by multiple applications from one company, are typically stored in the 'Common Files' directory.
Component Object Model (COM) is a binary-interface technology for software components from Microsoft that enables using objects in a language-neutral way between different programming languages, programming contexts, processes and machines.
Side-by-side assembly technology is a standard for executable files in Windows 98 Second Edition, Windows 2000, and later versions of Windows that attempts to alleviate problems that arise from the use of dynamic-link libraries (DLLs) in Microsoft Windows. Such problems include version conflicts, missing DLLs, duplicate DLLs, and incorrect or missing registration. In side-by-side, Windows stores multiple versions of a DLL in the %systemroot%\WinSxS
directory, and loads them on demand. This reduces dependency problems for applications that include a side-by-side manifest.
In computing on Microsoft platforms, WoW64 is a subsystem of the Windows operating system capable of running 32-bit applications on 64-bit Windows. It is included in all 64-bit versions of Windows, except in Windows Server Server Core where it is an optional component, and Windows Nano Server where it is not included. WoW64 aims to take care of many of the differences between 32-bit Windows and 64-bit Windows, particularly involving structural changes to Windows itself.
The Windows 9x series of operating systems refers to a series of Microsoft Windows operating systems produced from 1995 to 2000. They are based on the Windows 95 kernel which is a monolithic kernel. The basic code is similar in function to MS-DOS. They are 16-/32-bit hybrids and require support from MS-DOS to operate.