Event ID 11 WinInt
Applies to: Windows Server 2008, Windows 7, Windows Vista
Details
Product | Windows Operating System
ID | 11
Source | WinInt
Version | 6.1
Message | Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure that they relate to trusted applications.
Cause
If an application enables AppInit DLLs, the Windows operating system logs a warning
in the System Event Log. The event log entry includes a list of the DLLs that are loaded
by using the AppInit_DLLs mechanism. You can view this list on the Details tab in Event
Viewer. Windows Initiator (WinInt) logs this warning one time for each boot session.
In Windows Vista, Windows 7, and Windows Server 2008 R2, the AppInit_DLLs infrastructure
is disabled by default.
User action
Code sign DLLs:
We recommend that you code sign all DLLs that the AppInit_DLLs infrastructure
loads into Windows 7. For application compatibility, however, Windows 7 by default loads all AppInit
DLLs, regardless of whether these DLLs are code signed. Nevertheless, we recommend that
you digitally code sign your AppInit DLLs to help improve the reliability and security of Windows
7 and to prepare for more stringent code-signing requirements in future versions of Windows.
In Windows 7, the RequireSignedAppInit_DLLs registry value controls whether AppInit DLLs must
be code signed. This value is set to 0 (load any DLLs) by default.
In Windows Server 2008 R2, all DLLs that load by using the AppInit_DLLs infrastructure must be
code signed. The RequireSignedAppInit_DLLs registry value is set to 1 (load only code-signed DLLs) by default.
Run DLLs only in required processes:
The AppInit_DLLs infrastructure loads the specified DLLs
in all user-mode processes on the system. If an AppInit DLL must provide API hooks only to specific
processes, the DLL should call the GetModuleFileName function from within DllMain to retrieve the name
of the process in which it is loaded. If the process is not a process that requires the API hook that the
AppInit DLL provides, the DLL should simply return from DllMain. For more information, see AppInit
DLLs in Windows 7 and Windows Server 2008 R2.
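The review of the AppInit DLL list and the signing policy described above can be scripted as a read-only audit. This is an added example, not part of the original article: the registry key paths and the LoadAppInit_DLLs value name come from general Windows documentation rather than this page, and the System32/SysWOW64 lookup for bare file names is an assumption.

```powershell
# Added example: read-only audit of the AppInit_DLLs configuration behind Event ID 11.
# Assumption: the standard registry locations (native view and 32-bit view on x64).
$AppInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

function Get-AppInitAudit {
    param([string[]]$KeyPath = $AppInitKeys)

    foreach ($key in $KeyPath) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key

        # Assumption: bare file names are looked up in the system directory
        # that matches the registry view being read.
        $sysDir = if ($key -like '*Wow6432Node*') { 'SysWOW64' } else { 'System32' }

        # AppInit_DLLs holds a space- or comma-delimited list of DLLs.
        $dlls = @("$($props.AppInit_DLLs)" -split '[ ,]+' | Where-Object { $_ })

        foreach ($dll in $dlls) {
            $path = $dll.Trim('"')
            if (-not [System.IO.Path]::IsPathRooted($path)) {
                $path = Join-Path (Join-Path $env:SystemRoot $sysDir) $path
            }

            # Check the Authenticode signature of each DLL that exists on disk.
            $status = 'FileNotFound'; $signer = $null
            if (Test-Path -LiteralPath $path -PathType Leaf) {
                $sig    = Get-AuthenticodeSignature -FilePath $path
                $status = $sig.Status
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }

            New-Object PSObject -Property @{
                RegistryKey   = $key
                LoadAppInit   = $props.LoadAppInit_DLLs            # 1 = mechanism enabled
                RequireSigned = $props.RequireSignedAppInit_DLLs   # 1 = only signed DLLs load
                Dll           = $path
                Signature     = $status                            # 'Valid' = signature verified
                Signer        = $signer
            }
        }
    }
}

# Show every configured DLL; anything whose Signature is not 'Valid' needs review.
Get-AppInitAudit | Format-Table Dll, Signature, RequireSigned, LoadAppInit, Signer -AutoSize
```

An empty result means no AppInit DLLs are configured in either registry view.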
Additional resources
- Working with the AppInit_DLLs registry value
- Boot Configuration Data in Windows Vista
- Code-Signing Best Practices
- Protected Processes in Windows Vista