Windows 7 event log warnings

I hope someone can help? Every time I boot up Windows 7, I get a warning message in the Windows event log.

“Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications.”

The program causing the warning is C:\Windows\system32\guard32.dll which I believe is part of CIS?

The file properties show Product Version 5.3.174622.1216; File version is 5.3.43550.1216

Does anyone know what the problem is, and how to fix it?

Thanks

Chip

It is a warning only; nothing to worry about.

Guard32.dll is loaded into each running application. That gives a lot of influence on the computer. That’s why Windows gives the warning.

Thanks for the reply.

Actually, I am not running either Defense+ or Sandbox - both are disabled. Which is why I thought it was a CIS firewall issue.

This being the case is there any way to stop the Event log warning? Am I safe to unregister and remove the guard32.dll file?

I don’t know how to tell Windows to stop logging it.

When unregistering it you will get more D+ alerts and security is decreased some. I would not disable it just because it shows up in the Windows logs. When you want to be absolutely sure there is no harm done, check the digital signature of guard32.dll to make sure it is the real deal.

Other than that, don’t fix it when it is not broken. What’s more important: a few more entries in Event Viewer, or your system’s security?

Thanks again for the advice.

For what it’s worth, I found I can fix this very simply. I’ll post the solution here just in case anyone googling for an answer should ever need it.

Basically, any AppInit DLLs are referenced here:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\

Just remove the entry AppInit_DLLs and then guard32.dll will no longer load and no longer cause the error. I figure this is safe to do since I am not using Defense+ nor Sandbox. I checked the firewall functionality (inbound and outbound protection) with guard32.dll disabled and it still works perfectly.

You can also toggle the AppInit_DLLs on or off with the “Autoruns” tool, by removing or replacing the appropriate checkmark under the AppInit tab. Very straightforward.

Cheers all.

Please note you do so at your own risk; this could cause problems at any time.
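
The review the event log warning asks for, combined with the signature check suggested in the thread, as an added PowerShell example that is not part of any post above. It assumes a bare DLL name resolves against the system directory, and it also reads the `LoadAppInit_DLLs` and `RequireSignedAppInit_DLLs` values and the Wow6432Node copy of the key, none of which the thread mentions.

```powershell
# Added example: read-only audit of AppInit_DLLs and the signature of each listed DLL.
# Run from a 64-bit, elevated PowerShell prompt so both registry views are visible.
$views = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
       Dir = Join-Path $env:SystemRoot 'System32' },
    @{ Key = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
       Dir = Join-Path $env:SystemRoot 'SysWOW64' }
)
$report = @()
foreach ($view in $views) {
    if (-not (Test-Path $view.Key)) { continue }      # no Wow6432Node on 32-bit Windows
    $values = Get-ItemProperty -Path $view.Key
    # AppInit_DLLs is a single string: a space- or comma-separated list of DLLs.
    $dlls = @("$($values.AppInit_DLLs)" -split '[ ,]+' | Where-Object { $_ })
    foreach ($dll in $dlls) {
        # Assumption: a bare file name is looked up in this view's system directory.
        $path = $dll
        if (-not [System.IO.Path]::IsPathRooted($dll)) { $path = Join-Path $view.Dir $dll }
        $status = 'FileNotFound'
        $signer = $null
        if (Test-Path -LiteralPath $path) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            $status = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        $report += New-Object PSObject -Property @{
            RegistryKey   = $view.Key
            Dll           = $path
            LoadEnabled   = $values.LoadAppInit_DLLs            # 1 = list is loaded
            RequireSigned = $values.RequireSignedAppInit_DLLs   # 1 = only signed DLLs load
            Signature     = $status
            Signer        = $signer
        }
    }
}
if ($report.Count -eq 0) {
    'No AppInit_DLLs entries found.'
} else {
    $report | Format-List RegistryKey, Dll, LoadEnabled, RequireSigned, Signature, Signer
}
```

Any entry whose signature is not `Valid`, or whose signer is not the vendor you expect, deserves a closer look before it is trusted or removed.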