Pitfalls in the Windows API
ExpandEnvironmentStrings
Risk:
A process inherits the environment variables of its parent process. When a directory such as %appdata% is expanded, the parent process may have modified that environment variable, so you may not get the %appdata% of the current session that you want.
Suggestions:
Use the SHGetFolderPath family of functions to do the job instead.
GetModuleFileName
Risk:
When called from a DLL with a NULL instance parameter, it returns the path to the exe of the process that loaded the DLL. If you need the path to the DLL itself, the instance parameter passed in must be the DLL's HMODULE.
ShellExecuteEx
Risk:
If the mask is not set correctly before the API is called, the hProcess member of the SHELLEXECUTEINFO struct may be NULL after the call.
Recommendation:
If you are sure you want to use hProcess, confirm that the fMask member of the SHELLEXECUTEINFO struct is set to SEE_MASK_NOCLOSEPROCESS before calling ShellExecuteEx. The MSDN remarks on the hProcess member are as follows:
A handle to the newly started application. This member is set on return and is always NULL unless fMask is set to SEE_MASK_NOCLOSEPROCESS. Even if fMask is set to SEE_MASK_NOCLOSEPROCESS, hProcess would be NULL if no process was launched. For example, if a document to be launched is a URL and an instance of Internet Explorer is already running, it'll display the document. No new process is launched, and hProcess would be NULL.
Note: ShellExecuteEx does not always return an hProcess, even if a process was launched as the result of the call. For example, an hProcess does not return when you use SEE_MASK_INVOKEIDLIST to invoke IContextMenu.
URLDownloadToFile
Risk 1:
When URLDownloadToFile downloads a file whose content is gzip compressed, that is, the response headers include Content-Encoding: gzip, the call fails if the calling thread has not initialized COM, because URLMON cannot handle the compressed content correctly.
Suggestions:
Make sure that the thread has called CoInitialize before calling this function.
Risk 2:
Before downloading, URLDownloadToFile automatically looks for the file in the local cache, so you may end up not getting the latest content from the server.
Suggestions:
You can add a random parameter to the URL to prevent caching, or you can use DeleteUrlCacheEntry to clear the cached entry and then use URLDownloadToFile to download the file.
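The two URLDownloadToFile suggestions above combined, as an added example that is not code from the original article. The helper names add_nocache_param and download_fresh and the parameter name _nc are assumptions made for illustration; the Win32 part is guarded by _WIN32 so the URL helper also builds on other platforms.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: append a cache-busting parameter "_nc=<nonce>" to url.
   It is inserted before any #fragment, using '?' or '&' as the separator.
   Returns 0 on success, -1 if out is too small. */
int add_nocache_param(const char *url, unsigned long nonce, char *out, size_t outlen)
{
    size_t base = strcspn(url, "#");              /* length up to the fragment */
    char sep = memchr(url, '?', base) ? '&' : '?';
    int n = snprintf(out, outlen, "%.*s%c_nc=%lu%s",
                     (int)base, url, sep, nonce, url + base);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

#ifdef _WIN32
#include <windows.h>
#include <urlmon.h>
#include <wininet.h>
#pragma comment(lib, "urlmon.lib")
#pragma comment(lib, "wininet.lib")
#pragma comment(lib, "ole32.lib")

/* Hypothetical wrapper: download url to path with COM initialized on the
   calling thread (Risk 1) and the local cache bypassed (Risk 2). */
HRESULT download_fresh(const char *url, const char *path)
{
    char fresh[2084];
    HRESULT hr, init;

    /* The tick count is only a cache-buster, not a security value. */
    if (add_nocache_param(url, GetTickCount(), fresh, sizeof fresh) != 0)
        return E_INVALIDARG;

    init = CoInitialize(NULL);
    /* RPC_E_CHANGED_MODE: COM is already initialized on this thread. */
    if (FAILED(init) && init != RPC_E_CHANGED_MODE)
        return init;

    DeleteUrlCacheEntryA(url);   /* failure just means nothing was cached */
    hr = URLDownloadToFileA(NULL, fresh, path, 0, NULL);

    if (SUCCEEDED(init))
        CoUninitialize();        /* balance only our own successful init */
    return hr;
}
#endif
```

Check the returned HRESULT with FAILED() before using the downloaded file.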