Those working with COM know of the famous little utility called regsvr32.exe. This little tool can register a DLL COM server in the system registry, making it available to COM clients.
But how does it work? Is it truly a magical tool? Not so much. When instructed to register a COM DLL, regsvr32.exe does three things:
- Calls LoadLibrary to load the provided DLL into its address space.
- Calls GetProcAddress for the DllRegisterServer function which must be exported by the DLL – otherwise regsvr32 reports failure.
- Calls DllRegisterServer and reports success or error depending on the returned HRESULT.
So in essence, the DLL registers itself.
The curious thing about regsvr32.exe is that the 64-bit version manages to register 32-bit COM DLLs (not just 64-bit DLLs).
How can this be? Windows rules state that a 64-bit process cannot load a 32-bit DLL, and vice versa (except for resource-only DLLs, which can be loaded cross-architecture; that is not the case with COM DLLs).
Using ProcMonX (ProcMon works just as well), we set up a capture for process creation and module load events only, and add a simple filter for regsvr32 process names:
Now by running the 64-bit regsvr32 on a 32-bit COM DLL, we get some output. Here are the interesting parts:
Now it’s clear: the 64-bit regsvr32 recognizes that the DLL is 32-bit and thus spawns the 32-bit regsvr32 to handle it. Perhaps regsvr32 is not that simple, after all.
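The capture shows that the hand-off happens, not how the bitness is determined. One way a launcher can tell before calling LoadLibrary is to read the Machine field of the DLL's PE header; the sketch below is an added example, not regsvr32's own code, and the names `pe_machine` and `sample_machine` and the sample header bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MACHINE_I386  0x014c  /* IMAGE_FILE_MACHINE_I386  */
#define MACHINE_AMD64 0x8664  /* IMAGE_FILE_MACHINE_AMD64 */

/* Read little-endian fields byte by byte: no alignment or host-endianness assumptions. */
static uint32_t rd32(const unsigned char *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | p[1] << 8); }

/* Returns the COFF Machine field of a PE image, or -1 if the headers are malformed. */
int pe_machine(const unsigned char *buf, size_t len) {
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return -1;  /* DOS header  */
    uint32_t off = rd32(buf + 0x3c);                                /* e_lfanew    */
    if (off > len || len - off < 6) return -1;  /* "PE\0\0" + Machine must fit    */
    if (memcmp(buf + off, "PE\0\0", 4) != 0) return -1;
    return rd16(buf + off + 4);
}

/* Constructed sample: a header holding only the fields the parser reads,
 * presented to the parser as if the file were `len` bytes long. */
int sample_machine(uint16_t machine, size_t len) {
    unsigned char img[0x86] = {0};
    img[0] = 'M'; img[1] = 'Z';
    img[0x3c] = 0x80;                       /* e_lfanew: PE signature at 0x80 */
    memcpy(img + 0x80, "PE\0\0", 4);
    img[0x84] = (unsigned char)(machine & 0xff);
    img[0x85] = (unsigned char)(machine >> 8);
    return pe_machine(img, len > sizeof img ? sizeof img : len);
}

int main(void) {
    int m = sample_machine(MACHINE_I386, 0x86);
    /* A 64-bit host cannot load an I386 image, so it has to delegate. */
    printf("Machine=0x%04x -> %s\n", (unsigned)m,
           m == MACHINE_I386 ? "hand off to the 32-bit host" : "load in-process");
    return 0;
}
```

The bounds checks matter because `e_lfanew` comes from the file itself and a truncated or crafted DLL must not steer the read outside the buffer.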