AppInit DLL command line logger Valid HTML 4.01 Transitional Valid CSS Valid SVG 1.0

Me, myself & IT

ATTENTION: due to the termination of my provider's homepage service, the web pages and all content located below will become unavailable on January 31, 2017!

All web pages and other content will then be available solely on
Please update your bookmarks and references!

AppInit DLL command line logger


Log command lines of Win32 applications to the file %SystemRoot%\Debug\AppInit.log.


APPINIT.DLL is an implementation of AppInit_DLLs which are loaded and called when a Win32 application loads %SystemRoot%\System32\USER32.DLL and Windows' module loader calls its DllMain() routine.
This typically happens when a Win32 application is loaded and executed.

If permissions allow APPINIT.DLL creates the file %SystemRoot%\Debug\AppInit.log if it does not exist and writes a Unicode BOM, then appends the command line returned from the Win32 function GetCommandLine() and a terminating as well as separating CR/LF pair in UTF-16LE encoding to this file.

APPINIT.DLL is unloaded immediately after return from its initial DLL_PROCESS_ATTACH call.

The NTFS access rights of the directory %SystemRoot%\Debug\ allow only privileged users (NT AUTHORITY\SYSTEM and BUILTIN\Administrators) to create the file %SystemRoot%\Debug\AppInit.log.
The file's inherited access rights also allow only privileged users to write, but unprivileged users (BUILTIN\Users) to read.

On Windows® Vista and newer versions of Windows NT, file and directory operations of 32-bit applications run by unprivileged users which fail due to missing write access rights in %SystemRoot%\ and below as well as "%ProgramFiles%\" and below, on 64-bit editions also "%ProgramFiles(x86)%\" and below, are redirected to the directory "%LOCALAPPDATA%\VirtualStore\", resulting in "%LOCALAPPDATA%\VirtualStore\Windows\Debug\AppInit.log".

Caveat: the file AppInit.log can grow quite large!
Note: it can be cleared or erased any time.

Note: the command line a Win32 application receives from the Win32 function GetCommandLine() can differ from the command line supplied by the caller:

The name of the executable in the command line that the operating system provides to a process is not necessarily identical to that in the command line that the calling process gives to the CreateProcess() function. The operating system may prepend a fully qualified path to an executable name that is provided without a fully qualified path.
Additionally, when the Win32 functions CreateProcess(), CreateProcessAsUser(), CreateProcessWithLogonW() or CreateProcessWithTokenW() are called using a command line with an unquoted long filename or pathname containing spaces (a well-known weakness: CWE-428: Unquoted Search Path or Element) they play try & error to guess the pathname of the executable:
[…] the module name must be the first white space-delimited token in the lpCommandLine string. If you are using a long file name that contains a space, use quoted strings to indicate where the file name ends and the arguments begin; otherwise, the file name is ambiguous. For example, consider the string "c:\program files\sub dir\program name". This string can be interpreted in a number of ways. The system tries to interpret the possibilities in the following order:
c:\program.exe files\sub dir\program name
c:\program files\sub.exe dir\program name
c:\program files\sub dir\program.exe name
c:\program files\sub dir\program name.exe
In the latter three cases the command line is but modified too: Windows adds quotes around the part of the command line which forms the result of this interpretation and yields the pathname of the executable if this contains a space.


On February 10, 2015 Microsoft® published the (optional) update 3004375 for Windows 7 and newer versions of Windows NT which provides the logging of command lines too.
For additional information see the Security Advisory 3004375.

Background information

The MSDN article AppInit_DLLs in Windows 7 and Windows Server 2008 R2 documents the changes introduced with Windows 7 and Windows Server 2008 R2.

Caveat: The MSDN article AppInit DLLs and Secure Boot documents that the AppInit_DLLs infrastructure is disabled since Windows 8 and Windows Server 2012 when Secure Boot is enabled.

Implementation and build details

APPINIT.DLL is a pure Win32 DLL, written in ANSI C without the MSVCRT libraries, built with the platform SDK for Windows Server 2003 R2 for use on Windows 2000 and newer versions of Windows NT.

APPINIT.DLL is available for the I386 alias x86, AMD64 alias x64 and IA64 processor architectures of Windows NT.

Code authenticity and integrity

APPINIT.DLL is digitally signed using an X.509 certificate issued by WEB.DE TrustCenter E-Mail Certification Authority.
Serial number
MD5: 25 a0 d6 b0 bc 37 fe 49 42 d1 64 ca e6 7a f5 7f
SHA-1: 47 79 b5 28 f0 84 e6 ce f8 77 7b 62 dc c4 b3 1f fe de 07 14
Download and install the CA and root X.509 certificates of WEB.DE to validate and verify the digital signature.

Note: the digital signature remains valid past the certificates expiration date due to its counter signature alias timestamp!


AMD64\APPINIT.DLL, I386\APPINIT.DLL, IA64\APPINIT.DLL and the setup script APPINIT.INF are packaged in the (compressed and digitally signed) cabinet file APPINIT.CAB.
Microsoft (R) Cabinet Extraction Tool - Version 5.1.2600.5512
Copyright (c) Microsoft Corporation. All rights reserved..


10-31-2016  9:31:52p A---        12,892 APPINIT.INF
10-31-2016  9:35:48p A---        17,528 AMD64\APPINIT.DLL
10-31-2016  9:36:36p A---        17,016 I386\APPINIT.DLL
10-31-2016  9:35:22p A---        21,624 IA64\APPINIT.DLL
                 4 Files         69,060 bytes

Execute the command line
"%SystemRoot%\System32\Expand.exe" /R APPINIT.CAB /F:* "‹target directory›"
on Windows Vista and newer versions of Windows NT to extract all files into the specified directory, preserving their paths.
Note: Expand.exe from prior versions of Windows NT ignore the paths and junk them!
Use Extract.exe from the Support Tools on Windows XP and Windows Server 2003 instead.


The installation requires administrative privileges.

The setup script APPINIT.INF copies the appropriate APPINIT.DLL to %SystemRoot%\System32\APPINIT.DLL and creates the following Registry entries to activate it:


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
Note: on systems with AMD64 alias x64 processor architecture the installation must be run in the native (64-bit) execution environment to install APPINIT.DLL for both processor architectures!

Automatic online installation

If visited with Internet Explorer, this web page will prompt to install (the contents of) the package using Internet Component Download.
Note: on systems with AMD64 alias x64 processor architecture Internet Explorer (x64) must be used!

Manual offline installation

Download the package APPINIT.CAB and verify its digital signature, then open it in Windows Explorer, extract its contents preserving the directory structure, right-click the extracted setup script APPINIT.INF to display its context menu and click Install to run the installation.


The deinstallation requires administrative privileges.

On Windows XP and Windows Server 2003 open the Add/Remove Programs applet of the Control Panel, tick the checkbox Updates, select the entry AppInit DLL Command Line Logger underneath Systemkonfiguration and click the Remove button.

On Windows Vista and newer versions of Windows NT open the Control Panel and click the entry View installed updates underneath the Programs and Features or Programs category.
In Installed Updates select the entry AppInit DLL Command Line Logger underneath Systemkonfiguration and click the Uninstall menu entry.


If you miss anything here, have additions, comments, corrections, criticism or questions, want to give feedback, hints or tipps, report broken links, bugs, errors, inaccuracies, omissions, vulnerabilities or weaknesses, …:
don't hesitate to contact me and feel free to ask, comment, criticise, flame, notify or report!

Use the X.509 certificate to send S/MIME encrypted mail.

Notes: I dislike HTML (and even weirder formats too) in email, I prefer to receive plain text.
I also expect to see a full (real) name as sender, not a nickname!
Emails in weird formats and without a proper sender name are likely to be discarded.
I abhor top posts and expect inline quotes in replies.

Terms and conditions

By using this site, you signify your agreement to these terms and conditions. If you do not agree to these terms and conditions, do not use this site!
• Copyright © 1995-2017 • Stefan Kanthak • <­skanthak­@­arcor­.­de­>