Geoff Chappell, Software Analyst
SKETCH OF HOW RESEARCH MIGHT CONTINUE AND RESULTS BE PRESENTED
From the very beginning of 32-bit Windows, many Windows API functions that programmers regard as basic, if not actually central, to user-mode Windows programming are implemented not in the user-mode kernel (KERNEL32.DLL) but in a separate ADVAPI32.DLL.
That ADVAPI32 is basic to Windows programming is plain from Microsoft’s descriptions in the file’s version resources:
This separation of base functionality has its merits, but it springs a well-known trap for writers of DLLs, who even now are surprised to find that functions for such seemingly basic work as querying a registry value are off-limits during their DLL’s initialisation. The reason is that the work in question depends not just on NTDLL and KERNEL32 but on ADVAPI32. The latter will have been loaded but may not yet have been called for its initialisation. Functions that are imported from ADVAPI32 may misbehave. Of course, if your perspective comes from debugging the consequences, then you’ll likely think this trap is not known nearly well enough!