Why do Windows functions all begin with a pointless MOV EDI, EDI instruction? - The Old New Thing

If you look at the disassembly of functions inside Windows DLLs, you'll find that they begin with the seemingly pointless instruction MOV EDI, EDI. This instruction copies a register to itself and updates no flags; it is completely meaningless. So why is it there?

It's a hot-patch point. The MOV EDI, EDI instruction is a two-byte NOP, which is just enough space to patch in a jump instruction so that the function can be updated on the fly. The intention is that the MOV EDI, EDI instruction will be replaced with a two-byte JMP $-5 instruction to redirect control to five bytes of patch space that comes immediately before the start of the function.
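The encoding behind the hot-patch point, as an added example in Python that is not part of the original post: it builds the pad-plus-prologue byte layout described above and checks whether a function's first two bytes are still the original MOV EDI, EDI, have been redirected through the documented JMP $-5 into the five-byte pad, or carry some other modification. The addresses, the INT3 filler in an unpatched pad, and the function body bytes are constructed for the example.

```python
import struct
from typing import Optional

PAD_SIZE = 5                 # bytes of patch space before the function entry
MOV_EDI_EDI = b"\x8b\xff"    # the two-byte NOP at the hot-patch point
JMP_SHORT = 0xEB             # JMP rel8 opcode (the two-byte JMP $-5 is EB F9)
JMP_NEAR = 0xE9              # JMP rel32 opcode (fills the five-byte pad)


def jmp_short(from_addr: int, to_addr: int) -> bytes:
    """Encode JMP rel8 at from_addr; rel8 is relative to the end of the 2-byte insn."""
    rel = to_addr - (from_addr + 2)
    if not -128 <= rel <= 127:
        raise ValueError("short jump out of range")
    return bytes([JMP_SHORT]) + struct.pack("<b", rel)


def jmp_near(from_addr: int, to_addr: int) -> bytes:
    """Encode JMP rel32 at from_addr; rel32 is relative to the end of the 5-byte insn."""
    rel = to_addr - (from_addr + PAD_SIZE)
    return bytes([JMP_NEAR]) + struct.pack("<i", rel)


def build_image(func_addr: int, body: bytes, target: Optional[int] = None) -> bytes:
    """Bytes from func_addr-5 onward: pad, hot-patch point, then the function body.
    target=None models an unpatched function (constructed INT3 filler, 8B FF intact)."""
    pad_addr = func_addr - PAD_SIZE
    if target is None:
        return b"\xcc" * PAD_SIZE + MOV_EDI_EDI + body
    return jmp_near(pad_addr, target) + jmp_short(func_addr, pad_addr) + body


def hotpatch_target(func_addr: int, image: bytes) -> Optional[int]:
    """Integrity check on a hot-patch point.
    Returns None if MOV EDI,EDI is intact, the redirect target if the point holds the
    documented JMP $-5 into a JMP rel32 pad, and raises on anything else."""
    pad, point = image[:PAD_SIZE], image[PAD_SIZE:PAD_SIZE + 2]
    if point == MOV_EDI_EDI:
        return None
    if point[0] == JMP_SHORT:
        rel8 = struct.unpack("<b", point[1:2])[0]
        dest = func_addr + 2 + rel8                  # where the short jump lands
        if dest == func_addr - PAD_SIZE and pad[0] == JMP_NEAR:
            rel32 = struct.unpack("<i", pad[1:])[0]
            return dest + PAD_SIZE + rel32           # where the long jump lands
    raise ValueError(f"unexpected bytes at hot-patch point: {point.hex()}")
```

Running the check over every exported function's first bytes and comparing against the on-disk image is the usual way to spot prologues that were rewritten by something other than a legitimate patch.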