shell32.dll Keeps Popping Up

Every time my PC comes out of sleep, Comodo pops up telling me that while C:\windows\system32\shell32.dll has a trusted publisher, the file is not yet whitelisted. It’s kidding, right? shell32.dll not whitelisted?
I keep hitting the option to trust it, yet it keeps popping up often, but not always, when the PC comes out of sleep. It will not remember the setting. It is in the trusted list.
Please help. It’s one of the reasons Comodo drives people nuts with its intrusive, unnecessary popups. How can Microsoft shell32.dll pop up as an issue?

Are you using any kind of theme pack to change the Windows UI? They often change the shell32.dll.

Look up shell32.dll in Unrecognised Files, select it and move it to Trusted Files. Does that do the trick for you or not?

Thanks for the reply. It is already in trusted files. Yesterday I added it to Defense+/Computer Security Policy/Defense + rules as a windows System Application. It hasn’t popped up since. I’ll see how that goes. I am not using any theme packs.
I appreciate the response.

I use slide show for my desktop backgrounds and I get not so often shell32.dll sandbox pop ups when coming out of standby but no alerts when computer has been turned on for longer period of time, only Defense+ alerts for both instances.

shell32.dll is in trusted files list.

W7 SP1 64 bit CIS 5.5.XXX and CIS 5.8.XXX.RC2

If you can add it, then it’s probably not got a valid signature.

Just tried, and it says that it is already a trusted file and refuses to add it.

http://www.virustotal.com/file-scan/reanalysis.html?id=8bf53004f8a413598b46c2ecfba1ea581836e0e0839047471622f31a4a065dd7-1318004080

http://www.virustotal.com/file-scan/report.html?id=8bf53004f8a413598b46c2ecfba1ea581836e0e0839047471622f31a4a065dd7-1317826504

I checked my shell32.dll on Virus total and according to them the file is safe.

Do you have ‘block all unknown requests if the application is closed’ ticked?

Mouse

Block all unknown requests if the application is closed=No.

Create rules for safe application=Yes.

It may be you have an incorrect rule for shell32.dll in the computer security policy ~ D+ rules. If so please try deleting it.

What mode are you running in? Safe? Paranoid?

I may not have been sufficiently specific earlier - to check if it’s vendor trusted:

  1. Delete from trusted files (may not have said this earlier but you may have done it)
  2. Try re-adding, see if it objects.

If it does not, you have a shell32.dll with an invalid certificate (tailored version most likely) or you have deleted a Microsoft certificate authority entry in the TVL.

shell32.dll both in System32 and SysWOW64 are not digitally signed and TVL is default (not edited/deleted).

shell32.dll from system32 folder and SysWOW64 are both on trusted files list and different sizes (14.174.208 bytes and 12.872.192 bytes)

SysWOW64 shell32.dll Defense+ rules access rights all set to ask, protection settings all inactive settings.
Allowed HKLM\SYSTEM\ControlSet???\Control*
Allowed C:\Windows\CMICNFG3.INI.imi

shell32.dll in system32 folder Defense+ rules all is set allowed except:
Protected registry keys and protected files and folders.

Protected registry keys:
HKUS*\Control Panel*
HKLM\SYSTEM\ControlSet???\Control*
\SOFTWARE\Classes.*
\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Proxy
*\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies*
*\Software\Microsoft\SystemCertificates*
*\SOFTWARE\Policies*
HKLM\SYSTEM\ControlSet???\Services*
*\SOFTWARE\Microsoft\Internet Explorer\Download*
*\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts.???* (three question marks instead of the smiley)
*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders*Start Menu
*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders*Startup

Protected files folder:
\Device\Nsi
C:\Users\User Name\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini

I left everything to default and did not delete any rules.

So you are in safe mode?

OK well the main problem is that shell32 is not digitally signed. So its either:

  1. Malware (unlikely, due to VT test)
  2. A patched version (fairly common)

If you think on reflection any chance of malware you need an expert for recommendations, and I’ll try to find one, languy maybe

Otherwise the recommended fix would be to put OS disk in computer and run ‘sfc /scannow’ to set all OS files back to MS signed status. You’d lose extra functionality (if any) in the patched shell32 and any other patched files.

If running in Safe mode you should then delete D+ rules relating to shell32.dll. Whatever mode you should remove from Trusted Files list.

If you don’t want to revert back to original or are in paranoid, I’ll give different instructions.

Best wishes

Mouse

The disc from W7 is retail with no service pack and I installed SP1 through Windows Update (about 80 MB) and prior to that I updated Windows.

I did sfc /scannow and everything is all right.

Thanks for your help Mouse1 :-TU.

Hmm would have expected sfc to find something.

Though possibly if you delete the D+ rules, and maybe uncheck make rules for safe files, you’ll be OK

For completeness could you use this signature checker:
https://forums.comodo.com/bug-reports-cis/materials-to-help-in-compiling-bug-reports-under-maintenance-t26980.0.html;msg456633#msg456633

It adds a registry key. If you don’t want to add a key, and you are familiar with the command line, google sysinternals sigcheck and use it with the certificate revocation check enabled.

If it says signed by MS and you are not getting a warning when you add shell32 to the TFL (after deleting the file from the TVL first), it may suggest that your TVL is corrupt. Happens occasionally.

Best wishes

Mouse
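One way to do the check Mouse describes from PowerShell, added here as an example and not taken from any post in the thread. It reports the embedded Authenticode status, size, timestamp and SHA-256 of both copies of shell32.dll, and hands the catalog check to Sysinternals sigcheck if it is on the PATH; the paths and the sigcheck switches (-i, -nobanner, -accepteula) are assumptions, not something the thread states.

```powershell
# Added example: inventory both copies of shell32.dll so they can be compared
# against a known-good build. Caveat: Windows system DLLs are catalog-signed,
# not embedded-signed, and on Windows 7 / PowerShell 2.0 Get-AuthenticodeSignature
# does not consult catalog files, so "NotSigned" here does not by itself prove the
# file was modified. sigcheck -i (or sfc /scannow) performs the catalog check.
function Get-Shell32Status {
    param(
        [string[]]$Paths = @(
            (Join-Path $env:SystemRoot 'System32\shell32.dll'),
            (Join-Path $env:SystemRoot 'SysWOW64\shell32.dll')
        )
    )
    $sha = [System.Security.Cryptography.SHA256]::Create()
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $f   = Get-Item -LiteralPath $p
        $sig = Get-AuthenticodeSignature -FilePath $p
        # .NET hashing rather than Get-FileHash so this also runs on PowerShell 2.0
        $stream = [System.IO.File]::OpenRead($p)
        try   { $hash = ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
        finally { $stream.Close() }
        $signer = '(no embedded signature)'
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        New-Object PSObject -Property @{
            Path      = $p
            Size      = $f.Length
            LastWrite = $f.LastWriteTime
            Status    = $sig.Status      # Valid / NotSigned / HashMismatch ...
            Signer    = $signer
            SHA256    = $hash            # compare with the hash in the VirusTotal report
        }
    }
}

# Catalog-aware check via sigcheck, with revocation checking left at its default
# (enabled), as the post recommends. Assumes sigcheck.exe is reachable on the PATH.
function Invoke-SigcheckOnShell32 {
    $exe = Get-Command sigcheck.exe -ErrorAction SilentlyContinue
    if (-not $exe) { Write-Warning 'sigcheck.exe not found on PATH'; return }
    foreach ($sub in 'System32', 'SysWOW64') {
        & $exe.Path -accepteula -nobanner -i (Join-Path $env:SystemRoot "$sub\shell32.dll")
    }
}

Get-Shell32Status | Format-Table Path, Size, LastWrite, Status, SHA256 -AutoSize
Invoke-SigcheckOnShell32
```

A mismatch between the SHA-256 reported here and the one in the VirusTotal report, or a sigcheck verdict other than Signed by Microsoft, is what would actually point at a patched file rather than a Comodo whitelist problem.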

OH don’t worry about service packs, sfc automatically copes

This issue is now officially driving me crazy and I am almost ready to switch to another program. Certainly not willing to buy the pro version unless this is fixed. ‘Although Microsoft Windows is a trusted publisher, they have not yet been whitelisted by us’
Really? MS windows not whitelisted? Seriously?
Clicking the option to not notify me again is useless … it continues continuously. Why offer the option if it is ignored.
Nothing I do stops this popup. It’s trusted; all suggestions here implemented (including making it a Windows System Application) but every second or third time I come out of sleep it pops up (why not every time for heavens sake?).
My file is dated 11/20/10 so it has not been changed in nearly a year. It is not like it is being changed.
I only installed Windows 7 in Sept 11.
The file is NOT corrupt. I installed it with SP1 slipstreamed.

What did you use to slipstream sp1 in? Some slipstream programs have an option to hex edit windows system file to allow unsigned theme packs to be applied.

I used the official Digital River downloads that you would get if you purchased via download. Works great as long as you have a valid activation code. I had a copy of Windows 7 Home Premium and did not want to go through all the updates. I verified this download works just fine with my Vista and upgrade serial numbers. No bootlegging or editing needed or used. I have no theme packs installed. I don’t use themes.
Even if that were the case, why does it not accept the option to not notify again?

http://forums.mydigitallife.info/threads/14709-Windows-7-Digital-River-direct-links-Multiple-Languages-X86-amp-X64/page60

Add my name to the OP’s and bbrener’s and others who are suffering with this malady–very annoying, and Comodo needs to figure it out.

It occurs on multiple of my W7 HP x64 PCs, both coming out of Sleep/Standby and also out of Hibernate. On all machines I have Aero in use, and a “custom theme” in that the images are custom, and Slide Show/Shuffle enabled. No customization other than pics as I’ve said (in one case they’re 2160x1600 hi res and others e.g. using UK or Canada or Aus etc, i.e. Windows standard images, no 3rd-party at all).

It happened again this a.m. when I came-out of Hibernate and the desktop background changed.

I have tried setting the shell32.dlls in both system32 and sysWOW64 dirs as Installer or Updater but it still keeps popping-up.

Comodo, figure this out and fix it! Please!

I should add that I’m running 5.8 official non-beta released in the last few days.

When you switch back the customisations you made and switch back to the default theme does the same thing happen or does the problem go?

Can you make sure that the rule you made for shell32.dll is above the "All Applications" rule?

Dll files usually get run by rundll32.exe. So I would think working with a rule for rundll32.exe could be an option. I seriously doubt that making a rule for shell32.dll will make the problem go away.

@BBrener. I am not familiar with the Digital River downloads. From what I gather it provides you with an ISO image. Is that image claimed to be an original Microsoft installation DVD?

To make sure the ISO image you are using is an original. Sign up for a free Microsoft Technet account. You can then log in to Technet. In the Downloads section you can see what images can be downloaded from there if you have a paid subscription. The details about the downloads of the ISO images will provide you with hash codes to check the ISO images.

Yes, Digital River is apparently the source for the genuine Microsoft downloads. The ISO’s make genuine DVD’s. Look at the details in the post. You will see all the versions and options (32 bit; 64 bit original; SP1 etc) listed in various languages. Who else would do that??
I already installed and it worked. I know it is genuine. Google it if you like.

The question is why do we have to go through the suggested shenanigans? Surely Comodo should take care of what is clearly an issue.