Why does the "AppCertDlls" key not exist on Windows 10?

  • Question

  • The question is the title. The path to "HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ Session \ Manager" contains the AppCertDlls key, which is listed in the dll file. However, when I go to that path, the AppCertDlls key is not visible. Is Windows 10 on a different path? I tried searching for that key and it failed. Please ask for help.

    Wednesday, September 5, 2018 7:44 AM

All replies

  • If you power on a clean Windows 7 host/VM, you'll also see that the AppCertDlls key is not natively present on this OS either. Check out the implementation within kernel32's proc() function and you can see it'll treat a missing AppCertDlls key as STATUS_SUCCESS.

    With that said, you can always create the key and values (assuming you have high integrity privileges):

    • Create the registry key "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls" (notice "Session Manager" is a single key and not "Session\Manager").
    • Create a REG_EXPAND_SZ value named whatever you desire.
    • Set the newly created REG_EXPAND_SZ value data to the path of your DLL.
    • Reboot your host for the setting to take effect.

    Best of luck!

    • Proposed as answer by Kyle Hanslovan Thursday, September 6, 2018 3:54 AM
    Thursday, September 6, 2018 3:50 AM
  • I did the same thing as you said.

    1. Create a key value with AppCertDlls
    2. Create a REG_EXPAND_SZ value
    3. Enter the path to the DLL
    4. Rebooting.

    However, booting does not work. I tried it several times, and this is the third time I have reinstalled Windows. Is the problem with the DLL I registered?
    Monday, September 10, 2018 12:41 AM
  • Out of curiosity, what are you trying to accomplish? Are you sure this is the method you should be using? With regard to "booting does not work", troubleshooting this Windows feature is probably better suited for KernelMode.info.

    Generally speaking, (ab)using this legacy feature to load DLLs into processes is not very stable and smells of malware. Others agree:

    http://www.kernelmode.info/forum/viewtopic.php?f=15&t=2053&sid=3c9967524c4b033d54b509067d81c2c0&start=10#p28917

    https://twitter.com/NYXChochi/status/1037963103990730754

    • Marked as answer by Wangyu Choi Tuesday, September 11, 2018 12:17 AM
    • Unmarked as answer by Wangyu Choi Tuesday, September 11, 2018 12:17 AM
    Monday, September 10, 2018 2:29 PM
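
For the defensive side of this thread, an added example (not part of any reply above): a PowerShell audit that reports whether the AppCertDlls key exists on the local host and, for each value under it, the stored data, the expanded DLL path and its Authenticode status. The function name `Get-AppCertDllEntry` is hypothetical; the key path is the one given in the first reply.

```powershell
# Added example, not code from the thread. Read-only: it changes nothing in the registry.
$AppCertDllsPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'

function Get-AppCertDllEntry {
    param([string]$Path = $AppCertDllsPath)

    # The key is absent on a default install, so "no entries" is the expected result.
    if (-not (Test-Path -LiteralPath $Path)) { return }

    $key = Get-Item -LiteralPath $Path
    foreach ($name in $key.GetValueNames()) {
        # Read the data without expanding %VAR% so the report shows what is stored.
        $raw = $key.GetValue($name, $null,
            [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
        $dll = [Environment]::ExpandEnvironmentVariables([string]$raw)

        $exists = Test-Path -LiteralPath $dll -PathType Leaf
        $signature = if ($exists) {
            (Get-AuthenticodeSignature -LiteralPath $dll).Status
        } else {
            'FileMissing'
        }

        [pscustomobject]@{
            ValueName    = $name
            ValueKind    = $key.GetValueKind($name)   # the thread uses REG_EXPAND_SZ (ExpandString)
            StoredData   = $raw
            ExpandedPath = $dll
            FileExists   = $exists
            Signature    = $signature
        }
    }
}

$entries = @(Get-AppCertDllEntry)
if ($entries.Count -eq 0) {
    Write-Output 'AppCertDlls: key not present or has no values (default state).'
} else {
    # Any entry here means a DLL is configured to load via this key; review each one.
    $entries | Format-List
}
```

Because the key does not exist by default, any value this reports deserves review, in particular one whose DLL is unsigned, missing, or in a user-writable directory.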