
What Actually Calls main()? Unveiling the Windows C++ Startup Chain

This article explains how a Windows PE executable is launched, detailing the creation of the process and main thread, the role of the OEP, and how the runtime startup functions like _tmainCRTStartup ultimately invoke the user-defined main/wmain function.

Liangxu Linux

When a Windows PE executable is launched, the operating system creates a new process and its primary thread, which begins execution at the program's Original Entry Point (OEP). In the binary examined here, the instruction at the OEP is a jump that redirects execution to one of the CRT startup functions.

Process creation and OEP

After the process is created, the main thread receives a time slice and starts executing code at the OEP. In a VC++ compiled binary, the OEP is typically at an address like 0x00400000 + 0x00011078 = 0x00411078 (the image base plus the entry point's relative virtual address), as shown by tools such as PEiD and OllyDbg.

Which function calls main?

Debugging a simple VS2008 program reveals that the user‑defined wmain (or main in ANSI mode) is called by _tmainCRTStartup. This function is itself invoked by one of four CRT startup wrappers, depending on the subsystem and character set:

mainCRTStartup – ANSI console
wmainCRTStartup – Unicode console
WinMainCRTStartup – ANSI GUI
wWinMainCRTStartup – Unicode GUI

These wrappers are implemented in crtexe.c and perform several crucial steps before reaching the user code.
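The OEP arithmetic and the console/GUI split described above can both be read directly from the PE headers, which is what PEiD and similar tools do. The following is an added example, not code from the original article or from the CRT: the function names (pe_parse_entry, crt_wrappers, build_sample) are hypothetical, the header bytes are a constructed sample using the article's image base and entry RVA, and the field offsets are those of the PE/COFF optional header.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PE header fields are little-endian on disk. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
typedef struct { uint64_t image_base; uint32_t entry_rva; uint16_t subsystem; } pe_entry;

/* Returns 0 on success, -1 if the buffer is not a usable PE header. */
int pe_parse_entry(const uint8_t *b, size_t n, pe_entry *out) {
    if (n < 0x40 || b[0] != 'M' || b[1] != 'Z') return -1;
    uint32_t pe = rd32(b + 0x3C);                      /* e_lfanew */
    if (pe > n || n - pe < 24 + 70) return -1;         /* signature + COFF + fields read */
    if (memcmp(b + pe, "PE\0\0", 4) != 0 || rd16(b + pe + 20) < 70) return -1;
    const uint8_t *opt = b + pe + 24;                  /* optional header */
    uint16_t magic = rd16(opt);
    if (magic != 0x10B && magic != 0x20B) return -1;   /* PE32 or PE32+ */
    out->entry_rva = rd32(opt + 16);                   /* AddressOfEntryPoint */
    out->image_base = (magic == 0x10B) ? rd32(opt + 28)
                    : (rd32(opt + 24) | ((uint64_t)rd32(opt + 28) << 32));
    out->subsystem = rd16(opt + 68);                   /* 2 = GUI, 3 = console */
    return 0;
}

/* Wrapper pair listed in the article for each subsystem (ANSI / Unicode). */
const char *crt_wrappers(uint16_t subsystem) {
    if (subsystem == 3) return "mainCRTStartup / wmainCRTStartup";
    if (subsystem == 2) return "WinMainCRTStartup / wWinMainCRTStartup";
    return "not a console or GUI image";
}

/* Constructed sample: a minimal PE32 header carrying the article's numbers. */
void build_sample(uint8_t b[0x100]) {
    memset(b, 0, 0x100);
    b[0] = 'M'; b[1] = 'Z'; b[0x3C] = 0x80;            /* e_lfanew = 0x80 */
    memcpy(b + 0x80, "PE\0\0", 4); b[0x80 + 20] = 0xE0; /* SizeOfOptionalHeader */
    uint8_t *opt = b + 0x80 + 24; opt[0] = 0x0B; opt[1] = 0x01;  /* magic 0x10B */
    opt[16] = 0x78; opt[17] = 0x10; opt[18] = 0x01;    /* entry RVA 0x00011078 */
    opt[30] = 0x40; opt[68] = 3;                       /* base 0x00400000, console */
}

int main(void) {
    uint8_t buf[0x100]; pe_entry e;
    build_sample(buf);
    if (pe_parse_entry(buf, sizeof buf, &e) != 0) return 1;
    unsigned long long oep = e.image_base + e.entry_rva;
    printf("OEP = 0x%08llX -> %s\n", oep, crt_wrappers(e.subsystem));
    return 0;
}
```

The computed address is the preferred load address of the entry point; with ASLR the loader may relocate the image, so the runtime address seen in a debugger can differ while the RVA stays the same.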

What the startup wrappers do

The first call is to __security_init_cookie(), which initializes the stack cookie used to detect stack buffer overflows. Next, _initterm() runs global constructors and initializes static objects. Finally, the wrapper calls the appropriate entry point (main, wmain, WinMain, or wWinMain).

Examining the assembly of wmainCRTStartup shows the same jump instruction observed earlier in OllyDbg, confirming that program execution truly begins at this CRT startup function.

Conclusion

The executable’s entry point is the OEP, which jumps to a CRT startup wrapper. That wrapper performs security initialization, global object construction, and then calls the user’s main / wmain / WinMain / wWinMain. Thus, while main is the logical entry point of a C++ program, the actual entry point of a Windows PE file is the compiler‑provided mainCRTStartup (or its Unicode/GUI variants).

Note: This description applies to executables built with VC++ on Windows; Linux ELF binaries follow a different startup sequence.