Beyond good ol’ Run key, Part 129

Update

I rediscovered it in December 2025 🙂

After checking my post history I noticed I had described it before – here. So, the below is a dup 🙂

Old Post

Browsing through Windows libraries I came across a few that had an intriguingly named function being resolved at run-time: DllBidEntryPoint.

The libraries referencing this API are:

  • msado15.dll
  • msadomd.dll
  • msadox.dll
  • msadrh15.dll
  • msadce.dll
  • msadco.dll
  • msadds.dll
  • msdaprst.dll
  • msdarem.dll
  • msdaora.dll
  • msdasql.dll
  • msdatl3.dll
  • oledb32.dll
  • sqloledb.dll

As usual, the first thing was to go to Google, and soon I discovered that it’s part of a documented tracing interface used by SQL Server called Built-in Diagnostics (BID).

One can use one of these keys:

  • HKLM\Software\Microsoft\BidInterface\Loader
  • HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\BidInterface\Loader

and add a ‘:Path’ value name pointing to the DLL that will act as the tracing DLL.

As usual, the linked document contains all the gory details.

Beyond good ol’ Run key, Part 128

It’s been a long time since I looked at phantom DLLs (DLLs that do not exist but are expected to be present in predictable locations). So, a quick rundown of what we can see on Win10 today follows:

  • C:\Windows\System32\edgegdi.dll
    • loaded by gdi.dll, but not present on the most up-to-date Win10 Pro installation; it must be signed
    • loaded by a number of processes: backgroundTaskHost.exe, BackgroundTransferHost.exe, DllHost.exe, dmclient.exe, HxTsr.exe, LockApp.exe, LogonUI.exe, Microsoft.Photos.exe, mousocoreworker.exe and many others; existing work: found some EoP research on Twitter
  • C:\Windows\SysWOW64\rpcss.dll
  • C:\Windows\System32\UsoSelfhost.dll
    • loaded by mousocoreworker.exe — possible EoP?
  • C:\Windows\System32\Speech_OneCore\common\sapi_onecore.dll
    • loaded by SearchApp.exe
  • C:\Windows\System32\windowscoredeviceinfo.dll
    • loaded by taskhostw.exe

There are more, but I reserve them for a possible future post.
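Two checks a defender can run against the list above, as an added example that is not part of the original post: whether any of the listed phantom paths now exists on disk (a file that should be absent on a stock install), and whether an image-load log records a process loading one of them, noting the signature status. The record format, the sample inventory and the sample log lines are constructed for this example and are not real telemetry.

```python
import os
from typing import Callable, Dict, Iterable, List

# The phantom DLL paths listed in the post, lower-cased for comparison.
PHANTOM_DLLS = {
    r"c:\windows\system32\edgegdi.dll",
    r"c:\windows\syswow64\rpcss.dll",
    r"c:\windows\system32\usoselfhost.dll",
    r"c:\windows\system32\speech_onecore\common\sapi_onecore.dll",
    r"c:\windows\system32\windowscoredeviceinfo.dll",
}

# Constructed on-disk inventory standing in for a real file-system walk.
SAMPLE_INVENTORY = {
    r"c:\windows\system32\kernel32.dll",
    r"c:\windows\system32\windowscoredeviceinfo.dll",
}

# Constructed image-load records using Sysmon Event ID 7 field names
# (Image, ImageLoaded, Signed, SignatureStatus), one record per line.
SAMPLE_IMAGE_LOADS = [
    "Image: C:\\Windows\\System32\\taskhostw.exe|ImageLoaded: C:\\Windows\\System32\\kernel32.dll|Signed: true|SignatureStatus: Valid",
    "Image: C:\\Windows\\System32\\taskhostw.exe|ImageLoaded: C:\\Windows\\System32\\windowscoredeviceinfo.dll|Signed: false|SignatureStatus: Unavailable",
    "Image: C:\\Windows\\System32\\mousocoreworker.exe|ImageLoaded: C:\\Windows\\System32\\UsoSelfhost.dll|Signed: true|SignatureStatus: Valid",
]


def parse_image_load(record: str) -> Dict[str, str]:
    """Split a 'Field: value|Field: value' record into a dict."""
    fields: Dict[str, str] = {}
    for part in record.split("|"):
        name, _, value = part.partition(": ")
        fields[name.strip()] = value.strip()
    return fields


def phantom_dlls_present(path_exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Return the phantom paths that exist according to path_exists.
    Defaults to the real file system; pass a predicate to check an inventory."""
    return sorted(p for p in PHANTOM_DLLS if path_exists(p))


def flag_phantom_loads(records: Iterable[str]) -> List[Dict[str, object]]:
    """Return every record in which a process loaded one of the phantom DLLs."""
    hits: List[Dict[str, object]] = []
    for rec in records:
        f = parse_image_load(rec)
        if f.get("ImageLoaded", "").lower() not in PHANTOM_DLLS:
            continue
        hits.append({
            "process": f.get("Image", ""),
            "dll": f.get("ImageLoaded", ""),
            "signed": f.get("Signed", "").lower() == "true"
                      and f.get("SignatureStatus", "") == "Valid",
        })
    return hits


if __name__ == "__main__":
    print("present:", phantom_dlls_present(lambda p: p in SAMPLE_INVENTORY))
    for h in flag_phantom_loads(SAMPLE_IMAGE_LOADS):
        print(f"{h['process']} loaded {h['dll']} (validly signed: {h['signed']})")
```

Because these files are absent on a clean Win10 install, presence alone is the alert condition; the signature field only tells you whether whoever planted the file also had a valid signature for it.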