DLL Search Order Hijacking with vmms.exe / Hyper-V

In one of my darker moments, I decided to install Hyper-V on my Windows 10 desktop. While looking into other issues on my system, I noticed that during sytstem startup vmms.exe, which is related to Hyper-V, was looking for a DLL in a directory I had added to my path.

To test out if this was a potential DLL Search Order Hijacking issue, I created a DLL called RdvTestHooks.dll and copied it to my C:\test-path directory. The code for the DLL can be found below. It just starts a new cmd.exe process. Nothing fancy.

// dllmain.cpp : Defines the entry point for the DLL application.
#include "pch.h"
#include <Windows.h>
#include <winternl.h>
#include <map>
#include <string>

                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
	if (ul_reason_for_call != DLL_PROCESS_ATTACH)
		return TRUE;

	// Do evil stuff
	system("start cmd.exe");

	return TRUE;

I restarted my system, and Process Monitor showed that vmms.exe loaded my RdvTestHooks.dll file.

After the DLL was loaded, a new cmd.exe process was started with SYSTEM integrity.

Great! Writable path directory + DLL Search Order Hijacking = Privilege Escalation to SYSTEM when the computer is restarted. Fortunately, Microsoft does not consider DLL search order hijacking a vulnerability to address.

You can add vmms.exe to the list of Windows executables that are vulnerable to DLL hijacking through a writable PATH. I didn’t see any mentions for vmms.exe so I figured I’d write this post, but maybe my Google searching skills are lacking.


I saw something similar with the Hyper-V executable vmcomputer.exe during my testing.

I tried the same process of adding CCGLaunchPad.dll to my C:\test-path directory, but got a strange error when vmcompute.exe tried to load it.

I wasn’t able to figure out what INVALID DEVICE REQUEST meant, but I also didn’t spend more than 5 minutes on it. Maybe the person reading this can figure out how to get vmcompute.exe to load your CCGLaunchPad.dll file. Good luck!