When you execute 32-bit version of runonce.exe on a 64-bit version of Windows and pass to it the /RunOnceEx6432 argument you will make the program load iernonce.dll library and execute its RunOnceExProcess API…

Since the iernonce.dll library is loaded using LoadLibraryW we can simply copy runonce.exe to a different folder, and run it from there. This will load the iernonce.dll library we can control…

The little known secret of regsvr32.exe is…

You ready?

You can load multiple DLLs at the same time.

Yup. And not just one extra, but many.

Let’s have a look at an example:

regsvr32.exe c:\WINDOWS\system32\hhctrl.ocx foo

will first load c:\WINDOWS\system32\hhctrl.ocx and then foo.dll.

We can do it multiple times:

regsvr32.exe hhctrl.ocx hhctrl.ocx hhctrl.ocx hhctrl.ocx hhctrl.ocx foo