DLL hijacking vulnerabilities in Nirsoft tools


Using NirSoft tools in the home environment is safe (except maybe in the Downloads folder).
DLL hijacking is simply one of the secondary chains of the infection (but not the first).
Auto-run malware is rare nowadays, because of Windows settings introduced in Windows Vista SP2. There were dangerous autorun attacks based on icon shortcut exploits, but they were patched by Microsoft a few years ago. So, the infections via flash drives must assume that the user must manually run something. The DLL hijacking method is used mostly to hide the source of infection. The average user can be infected in a simpler way without DLL hijacking.

Thanks for the perspective, I was wondering how serious this threat is. Nirsoft has some helpful utilities, I like to keep these in my toolbox.

Andy Ful

This Nirsoft tools vulnerability is not important for home users at all. DLL hijacking is mostly used to hide the source of infection, so the user has to use an already infected device or has to be already infected. It is much simpler to infect someone without using DLL hijacking. If one is worried about it, then he/she should first mitigate more popular and effective methods, like all possible autostart registry entries (one hundred or more).
Also, removing this vulnerability from NirSoft tools does not improve security much, because attackers usually do not use these tools for DLL hijacking, but Microsoft binaries.
It can be relevant for people who rely on anti-exe solutions.

If one is still worried, then he/she can simply check the Downloads folder for DLLs and remove them from there. This should be done not because of NirSoft tools, but because of other more popular application installers and portable applications.

Maybe the developer should avoid this vulnerability, but it would be too much to demand it for free tools. He probably thinks that this vulnerability is not important for non-security tools. It would be better if the developer explained it on the NirSoft website.
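
The Downloads-folder check suggested in the post above, as an added PowerShell example that is not part of the original thread. It is a read-only audit that lists every DLL with its Authenticode status so you can decide what to delete; the function name `Get-LooseDll` and the default path are assumptions.

```powershell
# Added example: read-only audit of DLLs in a user-writable folder.
# Nothing is deleted; review the output and remove files yourself.
param(
    # Assumed default location of the Downloads folder.
    [string]$Path = (Join-Path $env:USERPROFILE 'Downloads')
)

# Hypothetical helper name, introduced for this example.
function Get-LooseDll {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -LiteralPath $Path -Filter '*.dll' -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -ieq '.dll' } |   # -Filter can also match longer extensions
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName

            # A DLL only matters for hijacking if a program starts from the same folder,
            # so count the executables sitting next to it.
            $exeCount = @(Get-ChildItem -LiteralPath $_.DirectoryName -Filter '*.exe' -File -Force `
                            -ErrorAction SilentlyContinue).Count

            [pscustomobject]@{
                Path            = $_.FullName
                LastWrite       = $_.LastWriteTime
                Signature       = $sig.Status     # Valid, NotSigned, HashMismatch, ...
                Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                ExeInSameFolder = $exeCount
                SHA256          = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Unsigned or invalidly signed DLLs sort apart from validly signed ones.
Get-LooseDll -Path $Path |
    Sort-Object Signature, LastWrite |
    Format-List
```

A DLL sitting directly in Downloads with no signature and no installer it obviously belongs to is the case the post is describing; a valid signature from the expected vendor next to that vendor's portable application is the benign case.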