Look for AppInit_DLLs

Postby campbedj » Tue Feb 17, 2015 5:23 pm

I've had several systems lately that show events in the event log from source Wininit, warning event ID 11 (Custom dynamic link libraries are being loaded for every application). It might be useful for a part of the startup scan (or maybe in dFunk) to either look for that event in the event log or look for a couple of registry entries.

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs should typically be blank.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs should typically be 0x0, not 0x1.

Devin
campbedj
 
Posts: 31
Joined: Tue Feb 04, 2014 11:37 am

Re: Look for AppInit_DLLs

Postby bored369 » Wed Feb 18, 2015 6:15 am

The AppInit_DLLs check is in dFunk under the Registry Hijacks tab.
If you clear that, the latter shouldn't be a concern, but it does appear to be 0x0 in my Win10 registry.
Researching it I also found:
RequireSignedAppInit_DLLs (REG_DWORD)
Only load code-signed DLLs.
0x0 – Load any DLLs.
0x1 – Load only code-signed DLLs.
Which sounds like a nice idea to have as well, but I don't have that key in my Win10 registry at all, so I imagine its default is also 0x0, but having it added might be a good idea as well.

I'll point these out to Nick and see what he thinks about them as well, may get them added to the Hijacks tab in future dFunk versions. I'll have him check into adding an alert for the event log entry if that relates specifically to having AppInit Dlls in there and enabled.
Chief Operating Officer, dSupportOnline official support of Foolish IT
& long time tech friend of Nick & avid Foolish IT product user since before Foolish IT was even created!

bored369
Foolish IT Staff
 
Posts: 183
Joined: Sat Feb 01, 2014 6:57 am
Location: Anderson, SC
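As an added illustration of the checks discussed in this thread (not dFunk code and not written by anyone on this forum), here is a PowerShell function that reads the three values named above, looks for the Wininit event ID 11 mentioned in the first post, and optionally resets LoadAppInit_DLLs to 0x0 and RequireSignedAppInit_DLLs to 0x1. The Wow6432Node path (the 32-bit view of the same key on 64-bit Windows) and the provider name `Microsoft-Windows-Wininit` are my assumptions, not something stated in the thread; writing to HKLM needs an elevated prompt.

```powershell
function Test-AppInitDlls {
    [CmdletBinding()]
    param([switch]$Fix)   # -Fix resets the two DWORD values to the safer setting

    # Both registry views are checked; Wow6432Node is assumed to exist on 64-bit Windows.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
    )
    $findings = @()
    foreach ($p in $paths) {
        if (-not (Test-Path $p)) { continue }
        $v      = Get-ItemProperty -Path $p
        $dlls   = [string]$v.AppInit_DLLs          # should be blank
        $load   = $v.LoadAppInit_DLLs              # $null when absent; expected 0x0
        $signed = $v.RequireSignedAppInit_DLLs     # $null when absent; 0x1 = signed only

        if ($dlls.Trim() -ne '') {
            $findings += "$p : AppInit_DLLs is not blank -> '$dlls'"
        }
        if ($load -eq 1) {
            $findings += "$p : LoadAppInit_DLLs = 0x1 (expected 0x0)"
            if ($Fix) { Set-ItemProperty -Path $p -Name LoadAppInit_DLLs -Value 0 -Type DWord }
        }
        if ($signed -ne 1) {
            $findings += "$p : RequireSignedAppInit_DLLs is not 0x1 (unsigned DLLs allowed)"
            if ($Fix) { Set-ItemProperty -Path $p -Name RequireSignedAppInit_DLLs -Value 1 -Type DWord }
        }
    }

    # Wininit logs event 11 in the System log when custom DLLs are loaded into every process.
    # Provider name is assumed; adjust if your event viewer shows a different source name.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 11
    } -MaxEvents 5 -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $findings += "Wininit event 11 at $($e.TimeCreated): $($e.Message)"
    }

    if ($findings.Count -eq 0) { 'AppInit_DLLs: clean' } else { $findings }
}

Test-AppInitDlls          # report only
# Test-AppInitDlls -Fix   # report and reset the two DWORD values (run elevated)
```

Note that on Windows 8 and later with Secure Boot enabled the AppInit_DLLs mechanism is disabled entirely, so a non-blank AppInit_DLLs value there is still worth investigating as a sign of tampering but will not actually load anything.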

Re: Look for AppInit_DLLs

Postby campbedj » Wed Feb 18, 2015 5:50 pm

The AppInit_DLLs section in dFunk shows if any files are listed in the AppInit_DLLs key, but does not show if LoadAppInit_DLLs is set to 0x1. Since that is the condition that makes the event trigger in the event log, I'd like to at least know if it is set. Sure, it doesn't actually hurt anything being set as long as no files are listed, but it's the principle, man! :-)

Maybe an extra checkbox under the list of AppInit_DLLs that is checked if LoadAppInit_DLLs is 0x1 and if I uncheck that, it resets it back to the default?

Not the end of the world, by any means, but for me that's just a sign that "something" has been mucking about in the registry and triggers me to take a deeper look.

Devin
campbedj
 
Posts: 31
Joined: Tue Feb 04, 2014 11:37 am

Re: Look for AppInit_DLLs

Postby bored369 » Wed Feb 18, 2015 7:45 pm

I concur, I'll add it to the bug tracker as a feature request for the HiJack tab of dFunk.

Have any opinions on that RequireSignedAppInit_DLLs? I think it should be added as a second check option so in case the system gets re-infected it'll have a little more chance of not running badly made DLLs at the least. I think it would be a nice option.
Chief Operating Officer, dSupportOnline official support of Foolish IT
& long time tech friend of Nick & avid Foolish IT product user since before Foolish IT was even created!

bored369
Foolish IT Staff
 
Posts: 183
Joined: Sat Feb 01, 2014 6:57 am
Location: Anderson, SC

Re: Look for AppInit_DLLs

Postby campbedj » Thu Feb 19, 2015 3:24 pm

You know, I don't think I've ever even seen a legitimate use of the AppInit_DLLs, so if by setting the RequireSignedAppInit_DLLs it makes one more hurdle that would trip up any malware, I'm all for it. At least having an option of turning that on easily seems like it could be a good thing.

I'd love to hear anyone else's thoughts on the matter.
Devin
campbedj
 
Posts: 31
Joined: Tue Feb 04, 2014 11:37 am

Re: Look for AppInit_DLLs

Postby Xander » Thu Feb 19, 2015 4:23 pm

[quote="campbedj"]You know, I don't think I've ever even seen a legitimate use of the AppInit_DLLs[/quote]
I can't think of any either, so maybe this would be one where D7II could check for this on startup and, if found, automatically run dFunk (or alert us to run it)?
Xander
 
Posts: 662
Joined: Fri Feb 08, 2013 6:08 pm
Location: Near Niagara Falls

Re: Look for AppInit_DLLs

Postby Nick » Tue Mar 03, 2015 1:27 pm

Like it!
Author of d7/d7II and other PC technician's tools. http://www.FoolishIT.com

Nick
Site Admin
 
Posts: 2718
Joined: Mon Nov 19, 2012 7:54 pm
