MSDN Blogs - MSDN Blogs. Why do Windows functions all begin with a pointless MOV EDI, EDI instruction? - The Old New Thing. If you look at the disassembly of functions inside Windows DLLs, you'll find that they begin with the seemingly pointless instruction MOV EDI, EDI.
This instruction copies a register to itself and updates no flags; it is completely meaningless. So why is it there? It's a hot-patch point. The MOV EDI, EDI instruction is a two-byte NOP, which is just enough space to patch in a jump instruction so that the function can be updated on the fly. The intention is that the MOV EDI, EDI instruction will be replaced with a two-byte JMP $-5 instruction to redirect control to five bytes of patch space that comes immediately before the start of the function.