Event ID 11 WinInt - TechNet Articles - United States (English) - TechNet Wiki

Applies to: Windows Server 2008, Windows 7, Windows Vista

Event ID 11 WinInt

Details

Product: Windows Operating System
ID: 11
Source: WinInt
Version: 6.1
Message: Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure that they relate to trusted applications.

Cause

If an application enables AppInit DLLs, the Windows operating system logs a warning
in the System Event Log. The event log entry includes a list of the DLLs that are loaded
by using the AppInit_DLLs mechanism. You can view this list on the Details tab in Event
Viewer. Windows Initiator (WinInt) logs this warning one time for each boot session.

In Windows Vista, Windows 7, and Windows Server 2008 R2, the AppInit_DLLs infrastructure
is disabled by default.

User action

Code sign DLLs: We recommend that you code sign all DLLs that the AppInit_DLLs infrastructure
loads into Windows 7. For application compatibility, however, Windows 7 by default loads all
AppInit DLLs, regardless of whether these DLLs are code signed. Nevertheless, we recommend that
you digitally code sign your AppInit DLLs to help improve the reliability and security of
Windows 7 and to prepare for more stringent code-signing requirements in future versions of Windows.

In Windows 7, the RequireSignedAppInit_DLLs registry value controls whether AppInit DLLs must
be code signed. This value is set to 0 (load any DLLs) by default.

In Windows Server 2008 R2, all DLLs that load by using the AppInit_DLLs infrastructure must be
code signed. The RequireSignedAppInit_DLLs registry value is set to 1 (load only code-signed DLLs) by default.

Run DLLs only in required processes: The AppInit_DLLs infrastructure loads the specified DLLs
in all user-mode processes on the system. If an AppInit DLL must provide API hooks only to specific
processes, the DLL should call the GetModuleFileName function from within DllMain to retrieve the name
of the process in which it is loaded. If the process is not a process that requires the API hook that the
AppInit DLL provides, the DLL should simply return from DllMain. For more information, see AppInit
DLLs in Windows 7 and Windows Server 2008 R2.
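
The per-process check described under "Run DLLs only in required processes", as an added example that is not code from the original article or from Microsoft. The allow-list entries and the names kTargets, host_needs_hooks and g_hooks_enabled are hypothetical; the matching logic sits in a portable helper so it can be tested separately from DllMain.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Assumed allow-list: the only processes that need this DLL's API hooks. */
static const char *const kTargets[] = { "contoso_editor.exe", "contoso_viewer.exe" };

/* Case-insensitive equality; Windows file names are not case-sensitive. */
static int name_eq(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;  /* equal only if both strings ended together */
}

/* Returns 1 if the executable at exe_path is on the allow-list, else 0.
 * Matching is on the file name only; a NULL or empty path fails closed. */
int host_needs_hooks(const char *exe_path) {
    if (exe_path == NULL || *exe_path == '\0') return 0;
    const char *base = exe_path;
    for (const char *p = exe_path; *p; p++)
        if (*p == '\\' || *p == '/') base = p + 1;  /* keep last path component */
    for (size_t i = 0; i < sizeof kTargets / sizeof kTargets[0]; i++)
        if (name_eq(base, kTargets[i])) return 1;
    return 0;
}

#ifdef _WIN32
#include <windows.h>

static BOOL g_hooks_enabled = FALSE;  /* hook setup elsewhere checks this flag */

BOOL WINAPI DllMain(HINSTANCE inst, DWORD reason, LPVOID reserved) {
    (void)inst; (void)reserved;
    if (reason == DLL_PROCESS_ATTACH) {
        char path[MAX_PATH];
        /* A NULL module handle means the executable of the current process. */
        DWORD n = GetModuleFileNameA(NULL, path, MAX_PATH);
        /* n == 0: the call failed; n == MAX_PATH: the path was truncated. */
        if (n == 0 || n >= MAX_PATH || !host_needs_hooks(path))
            return TRUE;  /* not a target process: return without doing any work */
        g_hooks_enabled = TRUE;
    }
    return TRUE;
}
#endif
```

The file-name match only narrows where the hooks run; it is not an identity check, because any executable with a listed name passes it.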

 

Additional resources

AppInit DLLs in Windows 7 and Windows Server 2008 R2

Working with the AppInit_DLLs registry value

Boot Configuration Data in Windows Vista

Code-Signing Best Practices

Protected Processes in Windows Vista