AppInit_DLLs registry key question

  • Question

  • Hello,

    Recently I had quite an interesting issue with the Windows Firewall and Remote Access Control Manager services and the Start Menu not opening. After days of research I finally traced the issue down to a 3rd-party crypto provider. It appeared that during installation this provider altered the AppInit_DLLs registry key

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

    and

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows

    so that its DLL is located there. For example:

    C:\Windows\system32\nvinitx.dll,C:\WINDOWS\system32\nvinitx.dll,C:\PROGRA~1\COMMON~1\avest\AVESTC~1\AvSSPc.dll

    (also note the Nvidia driver presence).

    The issue with Firewall and RACM was that I couldn't start these services. Error message:

    The Remote Access Connection Manager service terminated with the following service-specific error: A security package specific error occurred.

    The issue with the Start menu was that when I logged in with Wi-Fi disabled and via fingerprint, the Start menu just didn't open, with this error message:

    Faulting application name: SearchUI.exe, version: 10.0.10240.16515, time stamp: 0x55fa5578
    Faulting module name: CortanaApi.dll, version: 0.0.0.0, time stamp: 0x55fa5354
    Exception code: 0x80000003
    Fault offset: 0x0000000000151a73
    Faulting process id: 0xaf8
    Faulting application start time: 0x01d1080c1f7706c7
    Faulting application path: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
    Faulting module path: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll
    Report Id: 4c0a4844-6f71-4767-822d-e44f97bb72cb
    Faulting package full name: Microsoft.Windows.Cortana_1.4.8.176_neutral_neutral_cw5n1h2txyewy
    Faulting package-relative application ID: CortanaUI

    After I renamed the crypto provider folders so that the system wouldn't find the DLLs, everything went back to normal.

    This crypto provider is used by an application from the local "IRS", so when I need to send a tax form I rename everything back. However, I'm curious: how is it possible that this crypto provider brought the whole system to its knees, making it unreliable and unusable?

    Thursday, October 22, 2015 8:40 AM
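
An added example, not part of the original thread: a PowerShell audit of the two registry locations named in the question. It lists every DLL in AppInit_DLLs with its existence and Authenticode signature status; LoadAppInit_DLLs and RequireSignedAppInit_DLLs are values under the same key, and the function name Get-AppInitAudit is made up for this example.

```powershell
# Added example (not from the thread): audit AppInit_DLLs in the native
# and the 32-bit (Wow6432Node) registry views. Run from 64-bit PowerShell.
$AppInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

function Get-AppInitAudit {   # hypothetical helper name
    param([string[]]$KeyPath = $AppInitKeys)

    foreach ($key in $KeyPath) {
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $p) { continue }

        # The value is a list delimited by spaces or commas, which is why
        # entries such as C:\PROGRA~1\... are written as 8.3 short names.
        $entries = @("$($p.AppInit_DLLs)" -split '[,\s]+' | Where-Object { $_ })

        foreach ($dll in $entries) {
            # Caveat: 32-bit processes see C:\Windows\system32 redirected to
            # SysWOW64, so for the Wow6432Node list this check looks at the
            # 64-bit directory, not the file a 32-bit process would load.
            $exists = Test-Path -LiteralPath $dll -PathType Leaf
            $sig = if ($exists) { Get-AuthenticodeSignature -LiteralPath $dll } else { $null }

            [pscustomobject]@{
                Key           = $key
                LoadEnabled   = [bool]$p.LoadAppInit_DLLs
                RequireSigned = [bool]$p.RequireSignedAppInit_DLLs
                Dll           = $dll
                Exists        = $exists
                Signature     = if ($sig) { $sig.Status } else { 'n/a' }
                Signer        = if ($sig -and $sig.SignerCertificate) {
                                    $sig.SignerCertificate.Subject
                                } else { '' }
            }
        }
    }
}

Get-AppInitAudit | Format-List
```

Entries that are unsigned, missing on disk, or not expected on the machine are the ones to review, since each listed DLL is loaded into processes that load user32.dll.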

All replies

  • Hi Alexander,

    Thanks for sharing!

    I will do further research on this topic and post here if there is any update.

    Regards


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Friday, October 23, 2015 9:52 AM
    Moderator
  • Hi Michael,

    Thanks, looking forward to hearing any details from you. I have more errors from Event Viewer if you need them. Also, I've just tried to "play" with Wow6432Node and found out that renaming the folders of the 32-bit version of the crypto provider (located under Program Files (x86)) causes most 32-bit .NET apps to crash. Seems like this crypto thing is quite unstable.

    Friday, October 23, 2015 1:09 PM
  • Hi Alexander,

    Apologies for the late response.

    So far I haven't found any helpful information that I could share.

    If this 3rd-party provider is not stable enough under Windows 10, please consider temporarily removing it and submitting feedback to the vendor.

    Regards



    Monday, November 9, 2015 7:14 AM
    Moderator