I am trying to use the Debug API's to solve some specific problem and I track the LOAD_DLL_DEBUG_EVENT to be informed if a specific dll module is loaded, (the dll module actually is an exe file).

I use:

GetModuleFileNameEx(
    hCurrentProcess, 
    (HMODULE)pDebugEv->u.LoadDll.lpBaseOfDll, 
    szModuleFileName, 
    sizeof(szModuleFileName) / sizeof(TCHAR)
);

in order to obtain the loaded module's filename.

To my surprise what I get instead are multiple references to cryptbase.dll being loaded, each on a different tid, but not the module in question.

I don't want to go the hard way of hooking cryptbase.dll and its associated import calls so is there an easier solution to obtain the loaded module's filename ?