DLL search order is the sequence Windows follows when an application asks to load a Dynamic Link Library (DLL). It checks several locations, such as the application folder, system directories, and other configured paths, until it finds a matching file name. The exact order depends on the process configuration and Windows settings.
This matters because attackers can abuse predictable search behavior. If a legitimate program loads a DLL by name only, a malicious file placed in an earlier search location may be loaded instead. That is the basis of DLL sideloading and binary planting, common techniques for running malware through trusted software. Defenders watch for unexpected DLLs near signed executables, libraries loaded from writable or nonstandard paths, and parent-child chains that do not match normal software behavior. Tightening DLL search rules and monitoring module loads can reduce this risk.



