Malwarebytes Anti-Rootkit BETA Detects AppInit_DLLs



  • Root Admin

In some cases MBAR may detect an entry for AppInit_DLLs.

Using the following information, you can review what is running there to decide what you want MBAR to do about that entry.

If still in doubt, simply click NO the first time around. If it crashes or stops unexpectedly, then run it again and choose YES.


Further information on the AppInit_DLLs entry that is found in the Registry.

32-bit DLL on x86 32-bit Windows, and 64-bit DLL on x64 64-bit Windows:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

32-bit DLL on x64 64-bit Windows:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows

Working with the AppInit_DLLs registry value

Article ID: 197571 - Last Review: November 21, 2006 - Revision: 4.1

APPLIES TO

Microsoft Win32 Application Programming Interface, when used with:

Microsoft Windows NT 4.0

Microsoft Windows 2000 Standard Edition

the operating system: Microsoft Windows XP

AppInit_DLLs in Windows 7 and Windows Server 2008 R2

Description

AppInit_DLLs is a mechanism that allows an arbitrary list of DLLs to be loaded into each user mode process on the system. Microsoft is modifying the AppInit DLLs facility in Windows 7 and Windows Server 2008 R2 to add a new code-signing requirement. This will help improve the system reliability and performance, as well as improve visibility into the origin of software.

Windows 7

All DLLs that are loaded by the AppInit_DLLs infrastructure should be code-signed. In the interests of application compatibility, the Windows 7 Operating System will load all AppInit DLLs. However, Microsoft recommends that all application developers code-sign their DLLs to help improve the reliability of Windows and prepare for code-signing enforcement in future versions of Windows. The RequireSignedAppInit_DLLs registry key controls this behavior and its value on Windows 7 is set to 0 by default.

Windows Server 2008 R2

All DLLs that are loaded by the AppInit_DLLs infrastructure must be code-signed. The RequireSignedAppInit_DLLs registry key controls this behavior and its value on Windows Server 2008 R2 is set to 1 by default.

You can open REGEDIT.EXE and browse to the listed keys to see what is found or you can run the following code from a Command prompt to see what is listed there.

32-bit and 64-bit query:

REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v "AppInit_DLLs"

Query on 64-bit Windows for a 32-bit DLL:

REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows" /v "AppInit_DLLs"
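As an added example (not code from the Root Admin's post, from MBAR, or from the Microsoft articles quoted above), the following PowerShell script does what the two REG QUERY commands do and goes a step further: it reads both registry views, reports the LoadAppInit_DLLs and RequireSignedAppInit_DLLs switches next to the AppInit_DLLs value, and for every DLL listed it shows whether it exists on disk, its Authenticode signature status and signer, and its SHA-256 hash. Two points the quoted articles predate: on Windows Vista and later the LoadAppInit_DLLs value in the same key (1 = on, 0 = off) gates the whole mechanism, and on Windows 8 and later AppInit_DLLs is disabled entirely when Secure Boot is on. The script is read-only. It assumes Windows PowerShell 2.0 or later run from an elevated, native 64-bit prompt on x64 systems (a 32-bit PowerShell would be redirected to Wow6432Node and never see the native key); resolving a bare filename under System32 or SysWOW64 is a best-effort assumption of this example, since the loader uses its own search order.

```powershell
# Added example, not code from the Malwarebytes post or the Microsoft KB text it quotes.
# Read-only audit of AppInit_DLLs: lists both registry views, the switches that gate the
# mechanism, and the Authenticode status and SHA-256 of every DLL named there.
# Run from an elevated 64-bit Windows PowerShell prompt.

# Native view: 64-bit DLLs on x64, 32-bit DLLs on x86.
# Wow6432Node view: 32-bit DLLs on x64 (the key does not exist on 32-bit Windows).
$AppInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

function Get-Sha256Hex {
    # Hash via .NET so the script also works on PowerShell 2.0 (no Get-FileHash there).
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Dispose() }
}

function Resolve-AppInitEntry {
    # AppInit_DLLs holds a space- or comma-separated list. Entries are usually full
    # (often 8.3 short) paths; a bare filename is resolved by the loader's own search
    # order. Assumption for this example: try System32 (native) or SysWOW64 (WOW64).
    param([string]$Entry, [bool]$Wow64)
    if ([System.IO.Path]::IsPathRooted($Entry)) { return $Entry }
    $sysDir = if ($Wow64) { Join-Path $env:windir 'SysWOW64' } else { Join-Path $env:windir 'System32' }
    return (Join-Path $sysDir $Entry)
}

function Show-AppInitKey {
    param([string]$Key)
    if (-not (Test-Path -LiteralPath $Key)) { return }   # Wow6432Node is absent on x86
    $props = Get-ItemProperty -LiteralPath $Key
    $wow64 = $Key -like '*Wow6432Node*'

    Write-Host "`n== $Key"
    # LoadAppInit_DLLs (Vista+) switches the whole mechanism on (1) or off (0);
    # RequireSignedAppInit_DLLs (Win7 / 2008 R2+) is the signing gate described above.
    Write-Host ("  LoadAppInit_DLLs          : {0}" -f $props.LoadAppInit_DLLs)
    Write-Host ("  RequireSignedAppInit_DLLs : {0}" -f $props.RequireSignedAppInit_DLLs)
    $raw = [string]$props.AppInit_DLLs
    Write-Host ("  AppInit_DLLs              : '{0}'" -f $raw)

    if ([string]::IsNullOrEmpty($raw.Trim())) {
        Write-Host '  (empty: nothing is injected from this key)'
        return
    }

    foreach ($entry in ($raw -split '[ ,]+' | Where-Object { $_ -ne '' })) {
        $path = Resolve-AppInitEntry -Entry $entry -Wow64 $wow64
        if (-not (Test-Path -LiteralPath $path)) {
            Write-Host "  - $entry : NOT FOUND on disk (dangling entry or non-standard search path)"
            continue
        }
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        Write-Host "  - $path"
        Write-Host "      signature : $($sig.Status)"   # Valid, NotSigned, HashMismatch, ...
        Write-Host "      signer    : $signer"
        Write-Host "      sha256    : $(Get-Sha256Hex -Path $path)"
    }
}

foreach ($k in $AppInitKeys) { Show-AppInitKey -Key $k }
```

Anything listed here that is unsigned, signed by an unfamiliar publisher, or missing from disk deserves a closer look, because a DLL in this value is mapped into every process that loads user32.dll. Note that it is the registry value, not the file, that causes the loading: deleting the DLL alone leaves a dangling entry, while clearing the value (in REGEDIT, or with REG DELETE on the same key and value name) is what stops the injection.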