Guided path: Loader & runtime
Step 3 of 5
DLL loader, PEB, and module lists
How Windows loads shared libraries and tracks runtime module state.
Official Microsoft docs
Closest official references related to this topic on Microsoft Learn.
Why it matters
Many diagnostics, injection techniques, and runtime bugs revolve around what the loader did, what it loaded, and in what order.
Mental model
The loader is the process librarian. It finds modules, maps them, increments reference counts, and records what is loaded in process runtime structures.
How it works
- 1Windows follows a DLL search strategy unless the caller provides a full path or constrained search flags.
- 2As modules load, the process runtime tracks them through loader-maintained structures exposed via the PEB.
- 3Initialization routines such as DllMain can run during load or unload transitions.
Key terms
- DllMain
- The optional DLL entry point called during attach and detach transitions.
- PEB_LDR_DATA
- Loader-related data in the PEB that tracks loaded modules.
A DLL hijack risk
If an application relies on unsafe DLL search behavior, Windows may load an unexpected module before the intended one is found.
Common misconception
A DLL is not loaded only because it exists on disk. The loader still has to discover it, map it, and accept it for that process architecture.
You should read next
Ranked from your current topic, related links, branch depth, and any active guided path.
expert
WOW64 and cross-architecture compatibility
How 32-bit user-mode applications run on a 64-bit Windows system.
Next step in your guided path
intermediate
PE format
Headers, sections, imports, relocations, and the on-disk structure of Windows images.
Related topic
beginner
Processes & threads
How Windows represents work, isolates applications, and schedules execution.
Related topic