DLL Hijack Protection Basics: Get to know the system with a simple example

This video demonstrates running a DLL directly with rundll32.exe from an untrusted location.

Command:

rundll32.exe c:\temp\DLL-Notsigned.dll,EntryPointW

This is high-risk behavior: a DLL in a user-writable path is executed directly. DLL Hijack Protection flags and blocks it.
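
The same judgement can be applied to process-creation logs. The Python below is an added example, not code from the product or the video: it parses rundll32 command lines and flags DLLs loaded from outside a trusted-root list. That list, the verdict names and all sample lines except the first are assumptions constructed for illustration.

```python
import ntpath
import re

# Assumption: roots that standard users cannot write to on a default install.
TRUSTED_ROOTS = (r"c:\windows\system32", r"c:\windows\syswow64",
                 r"c:\program files", r"c:\program files (x86)")

# rundll32[.exe] <dll>,<export> [args]; image and DLL path may be quoted.
RUNDLL32_RE = re.compile(r'''
    ^\s*"?(?:[^"]*\\)?rundll32(?:\.exe)?"?\s+   # image name, optional full path
    (?:"(?P<q>[^"]+)"|(?P<u>[^",]+?))           # DLL path, quoted or bare
    \s*,\s*(?P<entry>[^\s,]+)                   # exported entry point
    ''', re.I | re.X)


def parse_rundll32(cmdline):
    """Return (dll_path, entry_point), or None if this is not a rundll32 call."""
    m = RUNDLL32_RE.match(cmdline)
    if not m:
        return None
    return (m.group("q") or m.group("u")).strip(), m.group("entry")


def classify(cmdline):
    """Return (dll_path, entry_point, verdict), or None for other processes."""
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return None
    dll, entry = parsed
    # normpath collapses "..", so system32\..\..\temp cannot pass as trusted.
    norm = ntpath.normcase(ntpath.normpath(dll))
    if not ntpath.isabs(norm):
        verdict = "unresolved"   # bare name: location depends on the search order
    elif any(norm.startswith(root + "\\") for root in TRUSTED_ROOTS):
        verdict = "trusted"
    else:
        verdict = "untrusted"
    return dll, entry, verdict


# Constructed sample command lines; the first is the command from this page.
SAMPLES = [
    r'rundll32.exe c:\temp\DLL-Notsigned.dll,EntryPointW',
    r'"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\shell32.dll",Control_RunDLL',
    r'rundll32.exe C:\Windows\System32\..\..\Users\Public\x.dll,Run',
    r'rundll32 shell32.dll,Control_RunDLL',
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line), "<-", line)
```

A location check like this only triages events; it says nothing about the file's hash or publisher.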

When the blocked DLL is legitimate, the video demonstrates two ways to authorize the load:

  • Option 1: Authorize the identity (allow a specific user or group to perform this action)
  • Option 2: Authorize the DLL itself using a matching rule (path, hash, or publisher)