AppInit_DLLs Registry Key Honored On Vista?


Le Chaud Lapin

Feb 16, 2006, 11:35:34 AM
Hi,

I'm posting here because I don't know where else to post.

I haved used AppInit_DLLs for quick and easy DLL-injection for many
years on pre-Vista OS's.

But for some reason, my test DLL is not being injected under Vista.

Anyone have any experience or idea about this?

Thanks.

-Le Chaud Lapin-

Reference: http://support.microsoft.com/kb/q197571

Ivan Brugiolo [MSFT]

Feb 16, 2006, 1:00:08 PM
AppInit_DLLs has been hardened for Vista.
Only signed DLLs will be allowed to be loaded that way, and
the list is untouchable after the session has been initialized.
This is of course preliminary information for a not released product.

--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of any included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm


"Le Chaud Lapin" <unorigina...@yahoo.com> wrote in message
news:1140107734.0...@f14g2000cwb.googlegroups.com...

Skywing

Feb 16, 2006, 1:12:55 PM
Can you clarify how these DLLs must be signed? With any trusted CA, or is
this also exclusively (ugh!) VeriSign like with drivers?

"Ivan Brugiolo [MSFT]" <Ivan.B...@online.microsoft.com> wrote in message
news:%23Mu%23TLyMG...@TK2MSFTNGP10.phx.gbl...

Le Chaud Lapin

Feb 16, 2006, 1:25:42 PM
Ivan Brugiolo [MSFT] wrote:
> AppInit_DLLs has been hardened for Vista.
> Only signed DLLs will be allowed to be loaded that way, and
> the list is untouchable after the session has been initialized.
> This is of course preliminary information for a not released product.

What is the recommended way to do real-time DLL-injection into a
process under Vista? Will global hooks still work?

-Le Chaud Lapin-

qfel

Feb 16, 2006, 1:49:49 PM
I hope Vista will not need a signed user, who is accepted by some company as
"OS friendly and unlikely to crash the system or some applications, even with
his very own reasons".

Ivan Brugiolo [MSFT]

Feb 16, 2006, 1:19:18 PM
This part, I do not have information to answer properly.
Looks like anything that can be digested by WinVerifyTrust().



"Skywing" <skywing_...@valhallalegends.com> wrote in message
news:uAeedSyM...@TK2MSFTNGP10.phx.gbl...

Ivan Brugiolo [MSFT]

Feb 16, 2006, 3:02:59 PM
Global hooks will only work across compatible desktop integrity levels.



"Le Chaud Lapin" <unorigina...@yahoo.com> wrote in message
news:1140114342.0...@g44g2000cwa.googlegroups.com...

Le Chaud Lapin

Feb 16, 2006, 5:51:36 PM
Ivan Brugiolo [MSFT] wrote:
> Global hooks will only work across compatible desktop integrity levels.

Without going into too much detail on exactly what this means, let me
ask a more direct question.

Assuming that I have a web site where my engineers can download an
injectable DLL, how much trouble am I going to have to make this work
on Vista. Naturally, I am trying to avoid any reboots, etc.

-Le Chaud Lapin-

Ivan Brugiolo [MSFT]

Feb 16, 2006, 7:28:04 PM
This is most likely the most protected scenario.
IExplore.exe would run by default in the lowest integrity
and desktop-integrity level. Writing outside of the IE-Cache
would require elevation.
After that, depending on how you plan to inject the module,
you might need an elevated trampoline process to inject
something to a non elevated process.
Should be doable with a couple of elevation prompts.



"Le Chaud Lapin" <unorigina...@yahoo.com> wrote in message
news:1140130296....@o13g2000cwo.googlegroups.com...

Ivan Brugiolo [MSFT]

Feb 17, 2006, 11:55:03 AM
I will have to amend this answer with something more correct.

The signing part is not in any build of Vista, and, as of today,
to restore the AppInit_DLLs functionality there is one more
registry key, named LoadAppInit_DLLs with the value of 1
that needs to be created for the other key to take effect.

I apologize for the earlier mistake, and
I would like to thank my colleague Pavel for pointing this out.


"Ivan Brugiolo [MSFT]" <Ivan.B...@online.microsoft.com> wrote in message
news:%23Mu%23TLyMG...@TK2MSFTNGP10.phx.gbl...

Le Chaud Lapin

Feb 17, 2006, 3:25:58 PM
Ivan Brugiolo [MSFT] wrote:
> I will have to amend this answer with something more correct.
>
> The signing part is not in any build of Vista, and, as of today,
> to restore the AppInit_DLLs functionality there is one more
> registry key, named LoadAppInit_DLLs with the value of 1
> that needs to be created for the other key to take effect.
>

I tried adding a DWORD value of 1 for LoadAppInit_DLLs right alongside
the LoadAppInit_DLLs. Then I put the name of my (3-letter name) DLL in
the AppInit_DLLs key. Then I tried to launch Notepad to see if the DLL
had been injected, and it appears not. Windows Defender did pop up and
asked if I wanted to allow "Application Initialization Registration",
and I chose "Allow", then tried to launch Notepad again and the DLL was
not being loaded.

Am I doing this right?

-Le Chaud Lapin-

Ivan Brugiolo [MSFT]

Feb 17, 2006, 5:44:48 PM
Did registry virtualization kick in?
I just tried with IconCodecService.dll, and it worked.



"Le Chaud Lapin" <unorigina...@yahoo.com> wrote in message
news:1140207958.2...@g14g2000cwa.googlegroups.com...

Le Chaud Lapin

Feb 17, 2006, 7:42:19 PM
Ivan Brugiolo [MSFT] wrote:
> Did registry virtualization kick in?
> I just tried with IconCodecService.dll, and it worked.

IconCodecService.dll was the DLL that was registered by default.
Unfortunately, I have no debugging tools (or even a compiler) installed
on the system. I am building a 32-bit DLL on a Windows XP machine and
copying it over manually to the 64-bit Vista machine. The Vista build
I have is from December, and... well, let's just say it takes about 4
minutes from boot time until I can bring up Windows Explorer.

So to see if the injection occurs, I put a DebugBreak at
DLL_PROCESS_ATTACH and wait for exception. My host app is Notepad.

As far as the registry virtualization, I have no idea if it is
happening. My experience with Vista and the new features is
essentially non-existent.

How would I know that the registry modifications are being virtualized?

-Le Chaud Lapin-

Skywing

Feb 17, 2006, 8:18:25 PM
Are you loading a 32-bit or 64-bit app? Remember that you can't put a 32-bit
DLL into a 64-bit process.

(You should also check that you're writing to the 32-bit view of the
registry when you're making the AppInit_DLLs value.)

"Le Chaud Lapin" <unorigina...@yahoo.com> wrote in message
news:1140223339.6...@g14g2000cwa.googlegroups.com...

Le Chaud Lapin

Mar 3, 2006, 6:37:08 PM
Ivan Brugiolo [MSFT] wrote:
> Did registry virtualization kick in?
> I just tried with IconCodecService.dll, and it worked.

I did feel something kick me, but it was probably not virtualization.

I revisited this problem after a 2-week lapse and I am having more
trouble than before - now I get no pop-ups at all from Windows
Defender.

I am using 32-bit CALC.EXE that I copied from XP, along with 32-bit DLL
to be injected, and storing the DLL in various windows directories.

What did you do to get it to work?

-Le Chaud Lapin-

Stefan Kuhr

Mar 4, 2006, 4:34:30 PM
Hello Ivan,

"Ivan Brugiolo [MSFT]" wrote:
>
> I will have to amend this answer with something more correct.
>
> The signing part is not in any build of Vista, and, as of today,
> to restore the AppInit_DLLs functionality there is one more
> registry key, named LoadAppInit_DLLs with the value of 1
> that needs to be created for the other key to take effect.
>
> I apologize for the earlier mistake, and
> I would like to thank my colleague Pavel for pointing this out.
>

I can confirm that creating the LoadAppInit_DLLs named DWORD value with
a value of 1 enables the old functionality. I tested this with the
February x86 CTP (Build 5308) and it works with both signed and unsigned
DLLs. But here is another question: Why does MS use this value, with the
precious 32 characters that it allows, and use 21 of them for
IconCodecService.dll (including the separator)? At least, even after
deleting IconCodecService.dll from the value, IconCodecService.dll was
loaded into explorer.exe anyway. Or does this 32 (or so) character limit
no longer exist for this registry value on Vista? Or do ISVs have
to delete IconCodecService.dll to get their "hooks" running on Vista?

Why is IconCodecService.dll there at all by default in this value if by
default this value is disabled? Does it only get loaded into other
processes if LoadAppInit_DLLs is set and why is that the case?

--
Stefan

Pavel Lebedinsky [MSFT]

Mar 4, 2006, 11:11:26 PM
For 32-bit apps on a 64-bit OS you need to set this value under
HKLM\Software\Wow6432Node\...


Le Chaud Lapin

Mar 5, 2006, 12:28:32 PM
Pavel Lebedinsky [MSFT] wrote:
> For 32-bit apps on a 64-bit OS you need to set this value under
> HKLM\Software\Wow6432Node\...

"..."

????

Come on, we're engineers here! You should know better!!! :)

What is "..."

Respectfully,

-Le Chaud Lapin-

Ivan Brugiolo [MSFT]

Mar 5, 2006, 2:01:50 PM
HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows.

"Le Chaud Lapin" <unorigina...@yahoo.com> wrote in message
news:1141579712.1...@t39g2000cwt.googlegroups.com...
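As an added example (not code from anyone in this thread), here is a PowerShell audit of the values the thread ends up discussing: LoadAppInit_DLLs and AppInit_DLLs, read from both the native key and the Wow6432Node key that 32-bit processes on a 64-bit OS see. It reports whether each view is enabled, which DLLs it lists, and the Authenticode status of each entry. Resolving a bare DLL name against System32 or SysWOW64 is a simplification of the loader's real search order, and RequireSignedAppInit_DLLs is a value Microsoft added in later Windows versions, so it is absent on Vista.

```powershell
# Added audit script, not from the thread. Run in an elevated PowerShell on the
# machine being checked; it only reads the registry and the listed files.
$views = @(
    @{ Name = 'Native (64-bit processes)'
       Key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
       Dir  = Join-Path $env:SystemRoot 'System32' },
    @{ Name = 'WOW64 (32-bit processes)'
       Key  = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
       Dir  = Join-Path $env:SystemRoot 'SysWOW64' }
)

foreach ($v in $views) {
    if (-not (Test-Path $v.Key)) { Write-Output "$($v.Name): key not present"; continue }
    $p = Get-ItemProperty -Path $v.Key

    # LoadAppInit_DLLs must be a DWORD of 1 for AppInit_DLLs to take effect
    # (as this thread established); a missing value counts as disabled.
    $enabled = [int]$p.LoadAppInit_DLLs -eq 1
    # RequireSignedAppInit_DLLs exists only on later Windows releases (assumption
    # labelled here: reported as 'n/a' where the value is absent, e.g. on Vista).
    $reqSigned = if ($null -eq $p.RequireSignedAppInit_DLLs) { 'n/a' } else { [int]$p.RequireSignedAppInit_DLLs }

    $raw = [string]$p.AppInit_DLLs
    # The value is a space- or comma-separated list of DLL names or paths.
    $dlls = $raw -split '[ ,]+' | Where-Object { $_ -ne '' }

    Write-Output ("{0}: LoadAppInit_DLLs={1}  RequireSigned={2}  AppInit_DLLs='{3}' ({4} chars)" -f
        $v.Name, $(if ($enabled) { 'ENABLED' } else { 'disabled' }), $reqSigned, $raw, $raw.Length)

    foreach ($d in $dlls) {
        # Simplification: a bare name is assumed to resolve in that view's system directory.
        $path = if ([IO.Path]::IsPathRooted($d)) { $d } else { Join-Path $v.Dir $d }
        if (-not (Test-Path $path)) { Write-Output "  $d -> $path [MISSING]"; continue }
        $sig = Get-AuthenticodeSignature -FilePath $path   # same trust chain WinVerifyTrust checks
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
        Write-Output ("  {0} -> {1} [{2}] {3}" -f $d, $path, $sig.Status, $signer)
    }
}
```

Any entry reported as enabled, unsigned or missing in either view is worth investigating, since AppInit_DLLs entries are loaded into every process that links user32.dll in that view.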
