Geoff Chappell - Software Analyst
This function loads a DLL into the Windows Explorer process.
HRESULT SHLoadInProc (REFCLSID rclsid);
The rclsid argument provides the CLSID of any COM object class for which the intended DLL is the in-process server.
The function returns zero for success, else an error code.
Though SHELL32 implements the function, its role is just that of a switchboard, to direct the call to the taskbar. If there is no top-level window with the class name expected of the taskbar, namely “Shell_TrayWnd”, then the function has nowhere to send the request, and fails (returning E_FAIL).
The taskbar may be, and typically is, implemented in another process. The given CLSID is communicated to the taskbar window by sending it as data in a message. Whatever is returned from sending this message is then returned by the function.
With one exception, the response to the message is just to create an instance of the given object class and immediately release it. The exception is that if the given CLSID is {EA486701-7F92-11CF-9E05-444553540000}, then the message handler fails the function (with E_FAIL as the return value). Otherwise, the function’s return value is whatever HRESULT was produced by trying to create the object.
Note that the point to the function is not directly anything to do with the given object class but with whatever DLL is the in-process server for that object class. The action of creating an instance only to destroy it immediately is enough to get this DLL loaded into the process that implements the taskbar window (typically the Windows Explorer) and thus to get code executed in the context of that process.
The SHLoadInProc function is exported by name from all known SHELL32 versions. It has long been documented.
This is an ancient SHELL32 function. It is found in version 1.30 from Win32s and 3.51 from Windows NT 3.51, though admittedly with implementations that fail trivially (returning E_NOTIMPL having done nothing but set ERROR_CALL_NOT_IMPLEMENTED as the error code). The function has been “live” since version 4.00.
From the Windows Vista build of version 6.00 onwards, SHLoadInProc is coded for trivial failure, so that it does nothing but return E_NOTIMPL.