HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs

What is the purpose of KnownDLLs? (To load some DLLs faster?)

If I have an admin's token, I can control the registry values.
Isn't there any security hole?

Why did Microsoft support the feature?

+1  A: 

This allows the normal DLL search path to be ignored, and load the specified version.

Whilst not a security hole per se (as you already need to have admin rights to change the value), it would be possible to redirect calls to go via a rogue DLL.

It was a feature added to improve performance, as there is no need to scan several potentially large directories to find the DLL.

Rowland Shaw
+1  A: 

It's not a security hole if it relies on you being admin. If you're already admin, there are easier ways to introduce rogue DLLs into the system (for instance, copying them over the top of the OS).

This is an example of what Raymond Chen calls being on the other side of this airtight hatchway.

Tim Robinson
+1  A: 

The only thing KnownDLLs does is prevent implicitly loaded DLLs being loaded from the application's folder.

For security reasons, the only folder that a "KnownDll" is valid in is c:\Windows\System32 (or your localized equivalent) - and this folder is 2nd on the search list after the folder of the process.

In essence, it prevents rogue copies of system DLLs - such as kernel32.dll - being loaded from an application's folder.

It doesn't stop an application loading a DLL using a fully qualified path. It doesn't stop a lengthy search of the path or the discovery of system DLLs in the path - system32 is always searched before those locations anyway.

Chris Becke
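
Added example, not part of any answer above: since the answers note that an administrator can edit this key and that a KnownDLL is only valid in System32, a defender can audit the list read-only, resolving each entry against System32 and recording its signature status and hash for comparison with a known-good baseline. The variable names and report layout are this example's own.

```powershell
# Added example: read-only audit of the KnownDLLs list (run from 64-bit PowerShell).
$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs'
$key     = Get-Item -LiteralPath $keyPath

# Taken from the answer above: a KnownDLL is only valid in System32.
$system32 = Join-Path $env:SystemRoot 'System32'

$report = foreach ($name in $key.GetValueNames()) {
    # DllDirectory / DllDirectory32 hold a directory, not a DLL name.
    if ($name -like 'DllDirectory*') { continue }

    $file     = [string]$key.GetValue($name)
    $findings = @()
    $status   = 'n/a'; $signer = $null; $sha256 = $null

    if ($file -match '[\\/:]') {
        # Entries are expected to be bare file names; do not resolve anything else.
        $findings += 'value contains a path'
    } else {
        $path = Join-Path $system32 $file
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $sig    = Get-AuthenticodeSignature -LiteralPath $path
            $status = [string]$sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            $sha256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            if ($status -ne 'Valid') { $findings += "signature status: $status" }
        } else {
            $findings += 'file not found in System32'
        }
    }

    [pscustomobject]@{
        ValueName = $name
        File      = $file
        Signature = $status
        Signer    = $signer
        SHA256    = $sha256
        Findings  = $findings -join '; '
    }
}

# Full listing for baselining, then only the entries that need review.
$report | Sort-Object ValueName | Format-Table ValueName, File, Signature, Findings -AutoSize
$report | Where-Object Findings | Format-List
```

System DLLs are often catalog-signed; where Get-AuthenticodeSignature does not consult catalogs they report NotSigned, so on such systems compare the SHA256 column against a baseline from a clean machine of the same build instead.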