I need to call a couple of USER32.dll RegisterAbcNotification functions, but I don't want to keep the DLL loaded for security hardening reasons.
Wonder what happens if I simply unload it after...
Replying to
Hardening is disabling win32k calls, but that likely won't work after using user32
Replying to
Yep.
Trying to enable PROCESS_CREATION_MITIGATION_POLICY_WIN32K_SYSTEM_CALL_DISABLE_ALWAYS_ON even after unloading USER32.dll gives me ERROR_WRITE_PROTECT.
And I've had other issues before: it causing child processes not to spawn (when running as a service).
The whole thing is pretty stupid and shouldn't need USER32.dll at all. RegisterPowerSettingNotification just, AFAIK, makes some calls into UMPDC.dll and/or POWRPROF.dll.

