Summary
Tested on Windows 11 10.0.22000 N/A Build 22000.
During January I was investigating Windows 11 and some of the binaries that were installed by default to identify behaviors that could be used for malicious purposes.
The binary DeviceCensus.exe, located in C:\Windows\System32, when copied to a different path and executed, tries to load roughly 11 DLLs from the directory it was executed from. For example, if you execute this binary from the AppData path, it tries to load the DLLs from AppData. However, if a DLL doesn't exist in AppData, it then tries to load it from System32.
So, if you copy this binary to AppData and create a DLL there with the same name as one it tries to load, that DLL is loaded.
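
The behavior above can be caught from image-load telemetry. The following is an added detection sketch, not code from the original post: it assumes events carrying the Sysmon Event ID 7 field names `Image`, `ImageLoaded` and `Signed`, and the user name, paths and DLL names in the sample events are constructed placeholders.

```python
import ntpath

# Normal home of the binary, as stated in the write-up.
EXPECTED_DIR = ntpath.normcase(r"C:\Windows\System32")
WATCHED = {"devicecensus.exe"}

# Constructed image-load events (Sysmon Event ID 7 field names).
# User name, directories and DLL names are placeholders, not values from the post.
APPDATA = r"C:\Users\alice\AppData\Roaming"
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\DeviceCensus.exe",
     "ImageLoaded": r"C:\Windows\System32\placeholder1.dll", "Signed": "true"},
    {"Image": APPDATA + r"\DeviceCensus.exe",
     "ImageLoaded": APPDATA + r"\placeholder1.dll", "Signed": "false"},
    {"Image": APPDATA + r"\devicecensus.EXE",
     "ImageLoaded": r"C:\Windows\System32\placeholder2.dll", "Signed": "true"},
    {"Image": APPDATA + r"\other.exe",
     "ImageLoaded": APPDATA + r"\placeholder1.dll", "Signed": "false"},
]

def classify(event):
    """Return 'sideload', 'relocated' or None for one image-load event."""
    image = ntpath.normcase(event["Image"])      # Windows paths are case-insensitive
    loaded = ntpath.normcase(event["ImageLoaded"])
    if ntpath.basename(image) not in WATCHED:
        return None
    image_dir = ntpath.dirname(image)
    if image_dir == EXPECTED_DIR:
        return None                              # running from its normal location
    if ntpath.dirname(loaded) == image_dir:
        return "sideload"                        # DLL beside the copied binary was loaded
    return "relocated"                           # copy fell back to System32 for this DLL

def findings(events):
    """List (kind, loaded DLL path, signed?) for every suspicious event."""
    out = []
    for e in events:
        kind = classify(e)
        if kind:
            out.append((kind, e["ImageLoaded"], e.get("Signed", "").lower() == "true"))
    return out

if __name__ == "__main__":
    for kind, dll, signed in findings(SAMPLE_EVENTS):
        print(f"{kind:10} signed={signed} {dll}")
```

A `sideload` hit with `signed=False` is the high-severity case; `relocated` alone still indicates the binary is running from a copy outside System32.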