7.1 How InstallLeapHeapRegistry Works

The InstallLeapHeapRegistry program alters the search path that the NT process loader uses to find certain DLLs. By default the loader looks for a DLL first in the directory containing the executable, then in the current directory, then in the Windows system directory (typically C:\WINNT\system32), then in the Windows directory itself, and finally in each directory listed in the PATH environment variable. This rule can be overridden for specific DLLs by naming them under the registry key KnownDLLs (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs), in which case the loader does not search at all but takes the copy in the Windows system directory. A standard NT installation names a number of DLLs under this key. That override can itself be overridden by listing DLL names in the multi-string value ExcludeFromKnownDlls under the Session Manager key, which restores the ordinary search rule for those DLLs.

The above description is a simplification; in particular, the DLLs named under KnownDLLs are not read from disk by each process but mapped from section objects that the Session Manager creates once at boot.

For LeapHeap to work, the ordinary search rule must apply to several system DLLs. The InstallLeapHeapRegistry program therefore copies every DLL name it finds under the KnownDLLs key into ExcludeFromKnownDlls. As it does so it writes a registry script, 'UndoRegistryChanges.reg', that restores the original content of ExcludeFromKnownDlls when the time comes to uninstall LeapHeap (although it is most unlikely that there will be anything in there to start with).
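The registry manipulation described in the two paragraphs above, as an added example that is not LeapHeap's own code: it models the KnownDLLs/ExcludeFromKnownDlls rule, merges the known-DLL file names into the exclusion list, and generates the undo script, deleting the value rather than writing an empty list when it did not exist beforehand. Assumptions: the key and value paths are the standard ones under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager; the .reg script is written in the version 5.00 format understood by Windows 2000 and later (hex(7) data is UTF-16LE), and a script for NT 4's older REGEDIT4 format would need its own encoding rules, which are not covered here; the file name UndoRegistryChanges.reg is the one the text mentions.

```python
"""Model of the registry edit described above.

Added example, not LeapHeap's own code.  The live registry is touched only in
install(), and only on Windows; everything else is pure and runs anywhere.
"""
from __future__ import annotations

try:
    import winreg  # present only on Windows
except ImportError:
    winreg = None

SESSION_MANAGER = r"SYSTEM\CurrentControlSet\Control\Session Manager"
KNOWN_DLLS_KEY = SESSION_MANAGER + r"\KnownDLLs"
EXCLUDE_VALUE = "ExcludeFromKnownDlls"          # REG_MULTI_SZ under Session Manager
REG_HEADER = "Windows Registry Editor Version 5.00"


def known_dll_names(known_dlls_values: dict[str, str]) -> list[str]:
    """Under KnownDLLs each value maps a name to a DLL file name
    (e.g. 'COMDLG32' -> 'comdlg32.dll'); 'DllDirectory' names the directory
    the copies live in and is not a DLL, so it is skipped."""
    return sorted(v for k, v in known_dlls_values.items()
                  if k.lower() != "dlldirectory")


def build_exclude_list(known_dlls_values: dict[str, str],
                       existing_exclude: list[str]) -> list[str]:
    """Merge every KnownDLLs file name into the existing exclusion list,
    keeping whatever was there first and avoiding duplicates (DLL names are
    compared case-insensitively, so 'ADVAPI32.DLL' and 'advapi32.dll' match)."""
    merged = list(existing_exclude)
    seen = {e.lower() for e in merged}
    for name in known_dll_names(known_dlls_values):
        if name.lower() not in seen:
            merged.append(name)
            seen.add(name.lower())
    return merged


def loader_uses_search_path(dll: str, known_dlls_values: dict[str, str],
                            exclude: list[str]) -> bool:
    """The rule from the text: a KnownDLLs entry short-circuits the search path
    unless the same DLL is also listed in ExcludeFromKnownDlls."""
    d = dll.lower()
    known = {n.lower() for n in known_dll_names(known_dlls_values)}
    excluded = {e.lower() for e in exclude}
    return d not in known or d in excluded


def multi_sz_hex(strings: list[str]) -> str:
    """Encode a REG_MULTI_SZ the way version 5.00 .reg files do: hex(7) of the
    UTF-16LE bytes, each string NUL-terminated, list terminated by another NUL."""
    data = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings) + b"\x00\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in data)


def undo_reg_script(previous_exclude: list[str] | None,
                    header: str = REG_HEADER) -> str:
    """Script that puts ExcludeFromKnownDlls back as it was.  None means the
    value did not exist before, so the undo must delete it ('=-') rather than
    write an empty list."""
    data = "-" if previous_exclude is None else multi_sz_hex(previous_exclude)
    return (f"{header}\r\n\r\n"
            f"[HKEY_LOCAL_MACHINE\\{SESSION_MANAGER}]\r\n"
            f'"{EXCLUDE_VALUE}"={data}\r\n')


def install(dry_run: bool = True) -> list[str]:
    """Read the live keys, write UndoRegistryChanges.reg, and (unless dry_run)
    write the merged list.  Needs administrator rights for the write."""
    if winreg is None:
        raise RuntimeError("registry access needs Windows")
    values: dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KNOWN_DLLS_KEY) as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:          # no more values
                break
            values[name] = data
            i += 1
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SESSION_MANAGER) as key:
        try:
            previous, _ = winreg.QueryValueEx(key, EXCLUDE_VALUE)
        except FileNotFoundError:
            previous = None
    new_list = build_exclude_list(values, previous or [])
    # utf-16 adds the byte-order mark regedit expects; newline="" keeps our \r\n
    with open("UndoRegistryChanges.reg", "w", encoding="utf-16", newline="") as f:
        f.write(undo_reg_script(previous))
    if not dry_run:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SESSION_MANAGER, 0,
                            winreg.KEY_SET_VALUE) as key:
            winreg.SetValueEx(key, EXCLUDE_VALUE, 0, winreg.REG_MULTI_SZ, new_list)
    return new_list
```

Running install() with the default dry_run=True writes the undo script and returns the merged list without changing the registry; run it again with dry_run=False from an administrator account to apply the change. loader_uses_search_path() is the check to make after applying: it should answer True for every DLL that LeapHeap needs found by the ordinary search rule.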

The program makes one further, minor change to the registry if it detects NT version 4: it adds a system environment variable __MSVCRT_HEAP_SELECT (stored under the Session Manager\Environment key) with the value "__GLOBAL_HEAP_SELECTED,1". This makes applications built with certain versions of the VC++ compiler, whose C run-time library has its own small-block allocator, route small allocations through the Win32 heap API instead, so that they too reach the heap. On Windows 2000 and later that run-time already selects the system heap by default, which is why the variable is needed only on NT 4. Note that the previous value of this environment variable, if there was one, is not saved, so check for it before running the program if anything on the machine depends on it.

InstallLeapHeapRegistry must be run with administrator privilege because the registry keys it writes, under HKEY_LOCAL_MACHINE\SYSTEM, are writable only by administrators. It need only be run the first time LeapHeap is installed. When LeapHeap is reinstalled (for example a new version), the installer requires only the privileges needed to write files into the LeapHeap directory. That is why there are two installation programs.

The InstallLeapHeapRegistry program is unnecessary on certain operating system versions, such as Windows 2000 SP4. On the other hand, running it there does no harm.

Incidentally, the KnownDLLs list was the focus of a privilege elevation vulnerability in NT 4; Microsoft Knowledge Base article Q218473 (security bulletin MS99-006) has a summary. The flaw lay not in the registry key but in inadequate protection of the loader's internal representation of the list, the \KnownDlls object directory, whose permissions allowed an unprivileged user to substitute a section of their own for a listed DLL. Simply removing items from the registry version of the list, which is what InstallLeapHeapRegistry effectively does, does not reintroduce that problem. It does mean that the excluded DLLs are once again located by the ordinary search path, so the usual precaution applies to them: do not run programs from a directory, or with a current directory, that other users can write to, since a same-named DLL placed there would be loaded in preference to the copy in the system directory.