{
	"id": "2d4ea9aa-e02a-46e9-8767-9dc3a560ec63",
	"created_at": "2026-04-06T00:13:23.574289Z",
	"updated_at": "2026-04-10T03:23:51.471885Z",
	"deleted_at": null,
	"sha1_hash": "63ef75519df7bb8dd96d43ad85eb1b3e55776496",
	"title": "AppInit DLLs and Secure Boot - Win32 apps",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 42377,
	"plain_text": "AppInit DLLs and Secure Boot - Win32 apps\r\nBy stevewhims\r\nArchived: 2026-04-05 17:12:31 UTC\r\nStarting in Windows 8, the AppInit_DLLs infrastructure is disabled when Secure Boot is enabled.\r\nAbout AppInit_DLLs\r\nThe AppInit_DLLs infrastructure provides an easy way to hook system APIs: every DLL listed in the AppInit_DLLs value under HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows (and, for 32-bit processes on 64-bit Windows, under the Wow6432Node counterpart of that key) is loaded by user32.dll into the address space of every process that loads user32.dll, which in practice means every interactive application. Legitimate applications and malware use AppInit DLLs for the same basic reason, which is to hook APIs; once the custom DLL is loaded, it can hook a well-known system API and substitute its own functionality. Only a small set of modern legitimate applications use this mechanism, while a large amount of malware uses it to gain persistence and compromise systems (MITRE ATT&CK tracks the abuse as T1546.010, Event Triggered Execution: AppInit DLLs). Even legitimate AppInit DLLs can unintentionally cause system deadlocks and performance problems, because they execute inside the initialization of user32.dll in every process, so the use of AppInit_DLLs is not recommended.\r\nAppInit_DLLs and Secure Boot\r\nWindows 8 adopted UEFI and Secure Boot to improve overall system integrity and to provide strong protection against sophisticated threats. When Secure Boot is enabled, the AppInit_DLLs mechanism is disabled as part of a no-compromise approach to protecting customers against malware: the LoadAppInit_DLLs and AppInit_DLLs registry values are ignored, so setting them has no effect. On machines booted without Secure Boot (legacy BIOS, or UEFI with Secure Boot turned off) the mechanism remains available, and the RequireSignedAppInit_DLLs value controls whether unsigned DLLs in the list are loaded.\r\nPlease note that Secure Boot is defined by the UEFI specification and is not a Windows 8 feature. More info on UEFI and the Secure Boot protocol specification can be found at https://www.uefi.org.\r\nAppInit_DLLs certification requirement for Windows 8 desktop apps\r\nOne of the certification requirements for Windows 8 desktop apps is that the app must not load arbitrary DLLs to intercept Win32 API calls using the AppInit_DLLs mechanism. 
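An added example, not part of the original MSDN article: a PowerShell audit of the AppInit_DLLs registry state described above, tied to the Secure Boot state so the reader can see whether the mechanism is effectively active on a given machine. The registry value names are the documented ones; the function name Get-AppInitDllsState, its output fields and the use of forward slashes in the registry paths are this example's own choices (the PowerShell registry provider accepts either separator). Run it from an elevated prompt, since Confirm-SecureBootUEFI requires elevation.

```powershell
# Added example (not code from the MSDN article): report the AppInit_DLLs
# configuration in both registry views and relate it to Secure Boot.
# Function, field and variable names are this example's own assumptions;
# the registry value names are the documented ones.

function Get-AppInitDllsState {
    [CmdletBinding()]
    param()

    # Native view, plus the WOW64 view that 32-bit processes on 64-bit Windows read.
    # Forward slashes are accepted by the registry provider as path separators.
    $keys = @(
        'HKLM:/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Windows',
        'HKLM:/SOFTWARE/Wow6432Node/Microsoft/Windows NT/CurrentVersion/Windows'
    )

    # Confirm-SecureBootUEFI needs an elevated prompt and a UEFI firmware; on a
    # legacy BIOS machine or without elevation it throws, reported here as $null.
    $secureBoot = $null
    try { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { }

    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

        $load   = $p.LoadAppInit_DLLs           # REG_DWORD: 1 = infrastructure enabled
        $dlls   = [string]$p.AppInit_DLLs        # REG_SZ: space- or comma-separated DLL list
        $signed = $p.RequireSignedAppInit_DLLs  # REG_DWORD: 1 = unsigned DLLs are skipped

        # Windows 8 and later ignore the whole mechanism while Secure Boot is on,
        # so the registry only matters when Secure Boot is off (or unknown here).
        $active = ($load -eq 1) -and
                  (-not [string]::IsNullOrWhiteSpace($dlls)) -and
                  ($secureBoot -ne $true)

        # Resolve each listed DLL and check its Authenticode status, the property
        # that RequireSignedAppInit_DLLs would enforce. Entries given as bare file
        # names are resolved by the loader search order at run time and show as
        # Missing in this literal-path check.
        $entries = foreach ($raw in ($dlls -split '[ ,]+' | Where-Object { $_ })) {
            $path   = [Environment]::ExpandEnvironmentVariables($raw)
            $exists = Test-Path -LiteralPath $path
            $status = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'Missing' }
            [pscustomobject]@{ Dll = $path; Exists = $exists; Signature = $status }
        }

        [pscustomobject]@{
            Key                       = $key
            LoadAppInit_DLLs          = $load
            RequireSignedAppInit_DLLs = $signed
            AppInit_DLLs              = $dlls
            SecureBootEnabled         = $secureBoot
            EffectivelyActive         = $active
            Entries                   = $entries
        }
    }
}

# Usage: one record per registry view; EffectivelyActive is the value to alert on.
Get-AppInitDllsState | Format-List
```

EffectivelyActive is deliberately conservative: when the Secure Boot state cannot be determined it is treated as off, so a populated list with LoadAppInit_DLLs set to 1 is reported as active rather than silently dismissed. A non-empty AppInit_DLLs value on a Secure Boot machine is still worth investigating, since it may be residue of an earlier compromise or a configuration that becomes live if Secure Boot is later disabled.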
For more detailed information about the certification requirements, refer to section 1.1 of Certification requirements for Windows 8 desktop apps.\r\nSummary\r\nThe AppInit_DLLs mechanism is not a recommended approach for legitimate applications because it can lead to system deadlocks and performance problems.\r\nThe AppInit_DLLs mechanism is disabled when Secure Boot is enabled; the registry values that would otherwise turn it on are ignored.\r\nUsing AppInit_DLLs in a Windows 8 desktop app is a Windows desktop app certification failure.\r\nTo download a whitepaper with info about AppInit_DLLs on Windows 7 and Windows Server 2008 R2, visit the Windows Hardware Dev Center Archive, and search for AppInit DLLs in Windows 7 and Windows Server 2008 R2.\r\nSource: https://msdn.microsoft.com/en-us/library/dn280412",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://msdn.microsoft.com/en-us/library/dn280412"
	],
	"report_names": [
		"dn280412"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434403,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/63ef75519df7bb8dd96d43ad85eb1b3e55776496.pdf",
		"text": "https://archive.orkl.eu/63ef75519df7bb8dd96d43ad85eb1b3e55776496.txt",
		"img": "https://archive.orkl.eu/63ef75519df7bb8dd96d43ad85eb1b3e55776496.jpg"
	}
}