DllMain() routine called from Windows’ module loader whenever a Win32 application loads
Note: the MSDN article AppInit_DLLs in Windows 7 and Windows Server 2008 R2 documents the changes introduced with Windows 7 and Windows Server 2008 R2.
Caveat: the MSDN article AppInit DLLs and Secure Boot documents that the AppInit_DLLs infrastructure is disabled since Windows 8 and Windows Server 2012 when Secure Boot is enabled.
%SystemRoot%\Debug\AppInit.log if it does not exist and writes a Unicode BOM to it;
GetCommandLineW() plus a terminating as well as separating CR/LF pair in Windows’ native UTF-16LE encoding to the file.
FALSE from the initial call of its DllMain() routine to let Windows’ module loader unload it immediately afterwards.
access rights of the directory allow only privileged users (BUILTIN\Administrators) to create the file.
The file’s inherited access rights also allow only privileged users to write, but unprivileged users (
On Windows Vista and newer versions of Windows NT, file and directory operations of 32-bit applications run by unprivileged users which fail due to missing write access rights in %SystemRoot%\ and below as well as "%ProgramFiles%\" and below, on 64-bit editions also
and below, are redirected to the directory "%LOCALAPPDATA%\VirtualStore\", resulting in
Caveat: the file AppInit.log can grow
Note: it can be cleared or erased any time.
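The redirection described above decides where a per-user copy of AppInit.log ends up, so an investigator who collects the log must look in every user's VirtualStore as well as under %SystemRoot%\Debug. The following Python code is an added example, not code from the original page or from APPINIT.DLL: it computes the VirtualStore destination for a write below a protected root and lists the places a copy of the log can exist. The root directories, profile paths and file names are constructed sample values passed in as plain strings; the page names %SystemRoot% and %ProgramFiles% as protected roots and mentions a further root on 64-bit editions, which the caller can add to the list.

```python
import ntpath
from typing import Iterable, List, Optional

# Added example, not code from the original page or from APPINIT.DLL.
# All sample values are constructed; nothing is read from a real system.

# Protected roots the page names. The page notes one more root on 64-bit
# editions; add it here if needed (an assumption of this example, since the
# page does not spell it out).
PROTECTED_ROOTS = ["C:\\Windows", "C:\\Program Files"]


def virtualstore_path(path: str, localappdata: str,
                      protected_roots: Iterable[str] = PROTECTED_ROOTS) -> Optional[str]:
    """Where UAC file virtualization would place a failed write to `path`.

    Returns the %LOCALAPPDATA%\\VirtualStore\\... destination, or None when
    `path` is not below one of the protected roots (no redirection occurs).
    """
    norm = ntpath.normpath(path)
    for root in protected_roots:
        root_norm = ntpath.normpath(root).rstrip("\\")
        if norm.lower().startswith(root_norm.lower() + "\\"):
            # VirtualStore mirrors the path below the drive root, without the drive letter.
            _drive, tail = ntpath.splitdrive(norm)
            return ntpath.join(localappdata, "VirtualStore", tail.lstrip("\\"))
    return None


def appinit_log_locations(system_root: str,
                          user_localappdata_dirs: Iterable[str]) -> List[str]:
    """Every place a copy of AppInit.log can exist on one machine: the real
    file under %SystemRoot%\\Debug written by privileged processes, plus one
    VirtualStore copy per user whose 32-bit processes were redirected."""
    real_log = ntpath.join(system_root, "Debug", "AppInit.log")
    locations = [real_log]
    for localappdata in user_localappdata_dirs:
        redirected = virtualstore_path(real_log, localappdata, [system_root])
        if redirected is not None:
            locations.append(redirected)
    return locations


if __name__ == "__main__":
    # Constructed sample profile directories for two users.
    users = ["C:\\Users\\alice\\AppData\\Local", "C:\\Users\\bob\\AppData\\Local"]
    for location in appinit_log_locations("C:\\Windows", users):
        print(location)
```

The comparison is case-insensitive because NTFS path lookups are, and the drive letter is dropped because VirtualStore keys its tree on the path below the drive root.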
Note: the command line a Win32 application receives from the Win32 function GetCommandLineW() can differ from the command line supplied by the caller:
The name of the executable in the command line that the operating system provides to a process is not necessarily identical to that in the command line that the calling process gives to the CreateProcess() function. The operating system may prepend a fully qualified path to an executable name that is provided without a fully qualified path.
Additionally, when the Win32 functions
CreateProcessWithTokenW() are called using a command line with an unquoted long filename or pathname containing spaces (a well-known weakness: CWE-428: Unquoted Search Path or Element) they use trial and error to guess the pathname of the executable:
[…] the module name must be the first white space-delimited token in the lpCommandLine string. If you are using a long file name that contains a space, use quoted strings to indicate where the file name ends and the arguments begin; otherwise, the file name is ambiguous. For example, consider the string "c:\program files\sub dir\program name". This string can be interpreted in a number of ways. The system tries to interpret the possibilities in the following order:
- c:\program.exe files\sub dir\program name
- c:\program files\sub.exe dir\program name
- c:\program files\sub dir\program.exe name
- c:\program files\sub dir\program name.exe
In the latter three cases the command line is modified too: Windows adds quotes around the part of the command line which forms the result of this interpretation and yields the pathname of the executable if this contains a space.
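The following Python code is an added example, not code from the original page or from APPINIT.DLL; it ties the log format described earlier to the resolution order quoted above. It decodes a log in the format the page describes (a UTF-16LE BOM, then one command line per CR/LF-terminated line; the sample bytes are constructed and embedded) and, for every unquoted command line, enumerates the candidate executables in the order the MSDN text lists, so a defender reviewing the log can spot command lines whose executable resolution depends on an unquoted path with spaces (CWE-428). The `is_ambiguous` heuristic is this example's own assumption, not a rule stated on the page.

```python
import ntpath
import re
from typing import List, Tuple

# Added example, not code from the original page or from APPINIT.DLL.

# Constructed sample of an AppInit.log in the format the page describes:
# a UTF-16LE byte order mark, then one command line per CR/LF-terminated line.
SAMPLE_LOG = ("\ufeff" + "\r\n".join([
    "C:\\Windows\\System32\\notepad.exe",
    "\"C:\\Program Files\\Sub Dir\\Program Name.exe\" /flag",
    "c:\\program files\\sub dir\\program name",
]) + "\r\n").encode("utf-16-le")


def parse_appinit_log(data: bytes) -> List[str]:
    """Decode the log into its command lines (BOM consumed, CR/LF stripped)."""
    text = data.decode("utf-16")      # the BOM selects the byte order
    return [line for line in text.split("\r\n") if line]


def _with_exe(pathname: str) -> str:
    """CreateProcess appends .exe when the candidate has no extension."""
    return pathname if ntpath.splitext(pathname)[1] else pathname + ".exe"


def candidate_executables(cmdline: str) -> List[str]:
    """Executable pathnames in the order the MSDN text quoted on the page
    lists: a quoted module name is taken as-is; otherwise every prefix that
    ends at a whitespace boundary, then the whole string, is tried."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return [cmdline[1:end]] if end > 0 else []
    candidates = [_with_exe(cmdline[:m.start()]) for m in re.finditer(r"\s+", cmdline)]
    candidates.append(_with_exe(cmdline))
    return candidates


def is_ambiguous(cmdline: str) -> bool:
    """Heuristic of this example (not a rule from the page): an unquoted
    command line whose first token is a path without an extension most
    likely continues past the space, so which file runs depends on the
    candidate order above and on who may create the earlier candidates."""
    tokens = cmdline.split()
    if not tokens or cmdline.lstrip().startswith('"'):
        return False
    first = tokens[0]
    return ("\\" in first and not ntpath.splitext(first)[1]
            and len(candidate_executables(cmdline)) > 1)


def audit_log(data: bytes) -> List[Tuple[str, List[str]]]:
    """(command line, candidates) for every logged line that is ambiguous."""
    return [(line, candidate_executables(line))
            for line in parse_appinit_log(data) if is_ambiguous(line)]


if __name__ == "__main__":
    for line, candidates in audit_log(SAMPLE_LOG):
        print(line)
        for candidate in candidates:
            print("   ", candidate)
```

A finding is worth following up when an unprivileged user can create one of the earlier candidates (for example `c:\program.exe`); the fix on the calling side is the one the MSDN text gives, quoting the module name.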
APPINIT.DLL is called only from Win32 applications which load
APPINIT.DLL is a pure Win32 DLL, written in ANSI C, built without the MSVCRT libraries, with the Platform SDK for Windows Server 2003 R2, for use on Windows 2000 and newer versions of Windows NT.
APPINIT.DLL is available for the I386 alias x86, AMD64 alias x64 and IA64 processor architectures of
APPINIT.DLL and the cabinet file APPINIT.CAB are digitally signed using an X.509 certificate issued by WEB.DE TrustCenter E-Mail Certification Authority.
Download and install the CA and root X.509 certificates of WEB.DE to validate and verify the digital signature.
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEA6ipnm9vAs63w+TM+9UcG1yQ8CRIxMz/tTXry9MCbeHpkiM/qdPaRWlwVTW2j
PhC81xwIPZXgE1FE4DgE1eImb33DG2YfEBY/ARpMaGUnme+85WmExWWc/YMUAaHOMYQ3TQDX
0V/7yuhfa9Uc29ljtQ2AB0MjhXTJvGguvZZTI5A3rcN4+AKwmETdYH+8OQKMU2s+2H9CVfaD
waX0aj9CeibGNooLTgDchzCBIC5J47qHned/3ZqnMDjYCv3Yc1HNgcbM+ZKzPoD8jShb/ptI
wWPo9s00KEs9ti68RsmejqKovAmdLSzFLGARbue2uiqs4piJkxI0LS5+NTTPyZjsSwIDAQAB
-----END RSA PUBLIC KEY-----
Note: due to its counter signature alias timestamp, the digital signature remains valid past the X.509 certificate’s expiration date!
IA64\APPINIT.DLL and the setup script APPINIT.INF are packaged in the (compressed and digitally signed) cabinet file APPINIT.CAB:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

X:\>EXTRACT.EXE /D APPINIT.CAB
Microsoft (R) Cabinet Extraction Tool - Version 5.1.2600.5512
Copyright (c) Microsoft Corporation. All rights reserved..

Cabinet APPINIT.CAB

06-11-2018 10:18:54p A---       12,990 APPINIT.INF
06-11-2018 10:17:38p A---       30,824 AMD64\APPINIT.DLL
06-11-2018 10:17:30p A---       30,824 I386\APPINIT.DLL
06-11-2018 10:17:48p A---       34,920 IA64\APPINIT.DLL
               4 Files      109,558 bytes

X:\>dir APPINIT.CAB
 Volume in drive X has no label.
 Volume Serial Number is FEED-BAC3

 Directory of X:\

06/11/2018  10:19 PM            28,996 APPINIT.CAB
               1 File(s)         28,996 bytes
               0 Dir(s)  987,654,321 bytes free

X:\>SIGNTOOL.EXE Verify /V APPINIT.CAB

Verifying: APPINIT.CAB
SHA1 hash of file: (not calculated)
Signing Certificate Chain:
    Issued to: WEB.DE TrustCenter
    Issued by: WEB.DE TrustCenter
    Expires:   30.08.2024 09:49:34
    SHA1 hash: C8301016951187E6320569B3ED54F34845B51638

        Issued to: WEB.DE TrustCenter E-Mail Certification Authority
        Issued by: WEB.DE TrustCenter
        Expires:   30.08.2024 09:50:51
        SHA1 hash: 8946380C6E370988FB587257A9F9A5CD323045F0

            Issued to: Stefan Kanthak
            Issued by: WEB.DE TrustCenter E-Mail Certification Authority
            Expires:   15.12.2018 02:16:19
            SHA1 hash: 8C5B7521404177AC54131302066BB069102E830E

The signature is timestamped: 11.06.2018 22:19:23
Timestamp Verified by:
    Issued to: Thawte Timestamping CA
    Issued by: Thawte Timestamping CA
    Expires:   01.01.2021 01:59:59
    SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656

        Issued to: Symantec Time Stamping Services CA - G2
        Issued by: Thawte Timestamping CA
        Expires:   31.12.2020 01:59:59
        SHA1 hash: 6C07453FFDDA08B83707C09B82FB3D15F35336B1

            Issued to: Symantec Time Stamping Services Signer - G4
            Issued by: Symantec Time Stamping Services CA - G2
            Expires:   30.12.2020 01:59:59
            SHA1 hash: 65439929B67973EB192D6FF243E6767ADF0834E4

Successfully verified: APPINIT.CAB

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0

X:\>
Run the command line "%SystemRoot%\System32\Expand.exe" /R APPINIT.CAB /F:* "‹target directory›" on Windows Vista and newer versions of Windows NT to extract all files into the specified directory, preserving their paths.
Expand.exe from prior versions of Windows NT ignores the paths and junks them;
the Support Tools on Windows XP and Windows Server 2003 instead!
Note: switch to Details view and turn on the Path column when you open
The setup script copies the appropriate
%SystemRoot%\System32\APPINIT.DLL and creates the entries to activate it:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\Windows\\System32\\AppInit.dll"
"LoadAppInit_DLLs"=dword:00000001
"RequireSignedAppInit_DLLs"=dword:00000000

Note: on systems with AMD64 alias x64 processor architecture, the installation must be run in the native (64-bit) execution environment to install APPINIT.DLL for both processor architectures!
Note: on systems with AMD64 alias x64 processor architecture, Internet Explorer (x64) must be used!
APPINIT.CAB and verify its digital signature, then open it in Windows Explorer, extract its contents preserving the directory structure, right-click the extracted setup script APPINIT.INF to display its context menu and click Install to run the installation.
On Windows XP and Windows Server 2003, open the Add/Remove Programs applet of the
tick the checkbox
Updates, select the entry Command Line Logger underneath
and click the
On Windows Vista and newer versions of Windows NT, open the Control Panel and click the entry View installed updates underneath the
Programs and Features or Programs
In Installed Updates select the entry Command Line Logger underneath
and click the Uninstall menu entry.
Use the X.509 certificate to send S/MIME encrypted mail.
Notes: I dislike
even weirder formats too) in email, I prefer to receive plain text.
I also expect to see a full (real) name as sender, not a nickname!
Emails in weird formats and without a proper sender name are likely to be discarded.
I abhor top posts and expect inline quotes in replies.
as is without any warranty, neither express nor implied.