Question

I'm quite new to analysing Windows processes, and have during the last week found Xperf very useful, and I have some questions about analysing DLLs.

I was wondering if it is possible to see which registry entries and file paths are used by a specific DLL image used by a process, and with which tools I can achieve this.

If this is not possible, I was wondering what good strategies there are to find out which resources a DLL is using, or alternative approaches.

Solution

You can use Process Explorer for this. Most of the other SysInternals process tools are very useful, too - Process Explorer is just one with a (complex) UI for showing a lot of data. Process Monitor shows real-time registry, file system, etc. access for processes.

Other tips

Process Monitor and xperf can both record call stacks for every access to a file. You can then examine those call stacks to look for particular DLLs on the call stack.

But your question is really not well formed. What do you mean by "used by a specific DLL"? You could have process A which calls into DLL B which calls into DLL C which calls into DLL D which then reads from a file. Which DLL is 'using' that file? B, C, D, or all of them? The only sensible answer is that it depends.

As Hans Passant said, handles are owned by a process not a DLL, and at most you can come up with heuristics to assign 'ownership' to a particular DLL.
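
The attribution heuristics discussed in the answer above, as an added example that is not part of the original answers or of any tool's own code: it credits each file or registry access either to every non-system module on the call stack or only to the innermost one. The event records, module paths and the "anything under C:\Windows is a system module" rule are assumptions, standing in for stacks already extracted from a Process Monitor or xperf trace.

```python
from collections import defaultdict
from ntpath import basename  # parses Windows paths on any host OS

SYS = "c:\\windows\\"  # assumption: modules under this prefix are "system"
NT, KB = r"C:\Windows\System32\ntdll.dll", r"C:\Windows\System32\KernelBase.dll"

# Constructed sample events (not real trace output). Each stack lists module
# paths innermost frame first, assumed already extracted from a trace.
EVENTS = [
    {"op": "ReadFile", "path": r"C:\data\config.ini",
     "stack": [NT, KB, r"C:\app\d.dll", r"C:\app\c.dll",
               r"C:\app\b.dll", r"C:\app\a.exe"]},
    {"op": "RegQueryValue", "path": r"HKLM\Software\Example\Key",
     "stack": [NT, KB, r"C:\app\c.dll", r"C:\app\b.dll", r"C:\app\a.exe"]},
    {"op": "CreateFile", "path": r"C:\data\log.txt",
     "stack": [NT, KB, r"C:\app\b.dll", r"C:\app\a.exe"]},
    {"op": "ReadFile", "path": r"C:\Windows\win.ini", "stack": [NT, KB]},
]

def attribute(events, policy="any"):
    """Map module name -> sorted resources it 'uses' under the given policy.

    'any':       every non-system module on the stack is credited.
    'innermost': only the deepest non-system frame is credited.
    Events whose stack holds only system modules go under '<system>'.
    """
    if policy not in ("any", "innermost"):
        raise ValueError(policy)
    owners = defaultdict(set)
    for ev in events:
        mods = [basename(m).lower() for m in ev["stack"]
                if not m.lower().startswith(SYS)]
        if policy == "innermost":
            mods = mods[:1]
        for mod in mods or ["<system>"]:
            owners[mod].add(ev["path"])
    return {mod: sorted(paths) for mod, paths in owners.items()}

if __name__ == "__main__":
    for policy in ("any", "innermost"):
        print(policy, attribute(EVENTS, policy))
```

The two policies give different answers for the same trace: under "any", b.dll is credited with all three application accesses, while under "innermost" it is credited only with the one it made directly.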

License: CC-BY-SA with attribution
Not affiliated with StackOverflow