wininit event ID 14 for guard64.dll

I am running on a Dell XPS 8300 system.
OS: Win7 64-bit.
A warning is issued in the event log:
Level: Warning
Source: Wininit
Event ID: 14
Task category:
Message:
Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications.
The file in question: guard64.dll

It was a clean install. After noting the warning, I removed CIS and re-installed again. Same message happens. Listdlls (from Sysinternals) showed that guard64.dll is missing.

Any suggestion is welcomed.

Event viewer shows the same message for me too. I am on Win 7 x86 running v 5.8 beta 2.

The guard32.dll is digitally signed and the signature is valid so it is the real deal. I don’t know why Windows Event Viewer reports this. It is not something to worry about if the digital signature is kosher.

Please make sure that the guard64.dll is present or not present when checking with Explorer.

Guard64.dll is in c:\windows\system32.

I am new to the 64 bit OS. Some peculiar observations:

  1. Find Guard64.dll under …\system32, under windows explorer but no guard32.dll
  2. Find Guard32.dll under …\system32 using XYplorer but no guard64.dll (XYplorer has problem in identifying 64 bits application).

Using listdlls from Sysinternals, I find guard64.dll is loaded this time, but no guard32.dll. Very different from the result I observed yesterday, where guard32.dll was found, but no guard64.dll.

Would appreciate if someone can explain this for me as it casts questions on the integrity of the CIS, even though there is no observable impact.

Many thanks.

I am not using 64 bits Windows so I cannot comment on some of its intricacies.

In 32 bits Windows versions CIS will use the guard32.dll. In 64 bits versions it will use the guard64.dll.

That event noticed by Windows has been observed before and has no bearing on the integrity of CIS nor on system security.

When in doubt about CIS integrity, look in the main screen for messages, or run Diagnostics, or check with Task Manager to see that cmdagent.exe is running (you will have to enable "Show processes of all users" in Task Manager).

On Windows 64 bit systems there are two primary locations where system files are stored, Windows\System32 and Windows\SysWOW64. The System32 folder contains the 64 bit binaries and the SysWOW64 folder contains the 32 bit binaries, which are required for compatibility reasons. Basically, when a 32 bit application tries to access a file in System32, it’s redirected by the OS to SysWOW64.

Incidentally, WOW stands for Windows on Windows 64.

Thanks, guys, for the advice on Comodo and on 64 bits OS.
I ran the diagnostic. It is OK.
I did a bit more searching in this forum. There is a related post. Someone had the same problem earlier this year.
https://forums.comodo.com/empty-t69441.0.html
Looks like I have to live with the warning, until there are enough complaints about it.

The events you’re seeing are actually by design and are part of the Windows AppInit_DLLs infrastructure, which can be controlled by a registry setting:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

LoadAppInit_DLLs - either 1 or 0.

A value of 1: AppInit_DLLs are enabled
A value of 0: AppInit_DLLs are disabled

Basically, AppInit_DLLs allows applications to load DLLs into all user mode processes. The Event is simply telling you that AppInit_DLLs are being loaded and that perhaps you should check to make sure the dlls are recognisable, otherwise, you may have a compromised system.

From the document "AppInit DLLs in Windows 7 and Windows Server 2008 R2":

System Event Log Entry
If an application enables AppInit DLLs, Windows logs a warning in the System Event Log. The event log entry includes a list of the DLLs that are loaded by using the AppInit_DLL mechanism. You can view this list on the Details tab in Event Viewer. Wininit logs this warning one time for each boot session. Table 2 shows the fields of the event log entry when you view the entry in Event Viewer.

A quick way to view the DLLs being loaded is by using Autoruns under the AppInit tab.

By the way, this event is not exclusive to CIS, you’ll find most, if not all applications that use ‘hooking’ will also produce the event.


Thanks, Radaghast. This does clear most of my doubts. Hopefully, this is my last question.

The setting:

  1. The registry setting for AppInit_DLLs is
    c:\windows\system32\guard64.dll
    and
    LoadAppInit_DLLs is 1 (enabled)

  2. Under Autorun’s AppInit tab, there are 2 entries
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\guard64.dll
    HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls\guard32.dll

  3. While listDlls yields only 1 entry: guard64.dll

Question: Is the missing of guard32.dll in the listing of loaded dll a problem? (Guard32.dll is in sysWOW64)

Thank you again.

If you run ListDLLs without arguments, or some other process that can list loaded DLLs, such as Process Hacker, on 64 bit versions of Windows, both guard32 and guard64 will be loaded. However, events are only generated for guard32.dll on 32 bit systems and guard64.dll on 64 bit systems.

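An added example, not from anyone in this thread: a PowerShell script that does the checks the replies above recommend in one pass. It reads the AppInit_DLLs settings from both the native and the Wow6432Node registry view, resolves each listed DLL against System32 or SysWOW64, verifies its Authenticode signature, and pulls the Wininit event ID 14 entries from the System log. It assumes a 64-bit, elevated PowerShell session on Windows 7 x64, and assumes the event provider name is Microsoft-Windows-Wininit (shown as "Wininit" in Event Viewer).

```powershell
# Added example (not from the thread): audit AppInit_DLLs on 64-bit Windows.
# Assumes 64-bit PowerShell 2.0+ running elevated on Windows 7 x64.
$views = @(
    @{ Name = 'x64'; Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'; SysDir = "$env:windir\System32" },
    @{ Name = 'x86'; Key = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'; SysDir = "$env:windir\SysWOW64" }
)

foreach ($v in $views) {
    $props = Get-ItemProperty -Path $v.Key -ErrorAction SilentlyContinue
    Write-Host ("[{0}] LoadAppInit_DLLs={1} RequireSignedAppInit_DLLs={2}" -f `
        $v.Name, $props.LoadAppInit_DLLs, $props.RequireSignedAppInit_DLLs)

    # AppInit_DLLs is one string; entries are separated by spaces or commas.
    $entries = @()
    if ($props.AppInit_DLLs) { $entries = $props.AppInit_DLLs -split '[ ,]+' | Where-Object { $_ } }

    foreach ($e in $entries) {
        # A bare file name is loaded from the system directory of that view:
        # System32 for 64-bit processes, SysWOW64 for 32-bit ones (WOW64 redirection).
        $path = if ([IO.Path]::IsPathRooted($e)) { $e } else { Join-Path $v.SysDir $e }
        if (-not (Test-Path $path)) { Write-Host ("  MISSING  {0}" -f $path); continue }

        # Valid signature plus a recognisable signer is the check the thread recommends.
        $sig = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        Write-Host ("  {0,-10} {1}  signer: {2}" -f $sig.Status, $path, $signer)
    }
}

# Wininit logs event 14 once per boot session with the DLL list it observed.
# Provider name assumed: Microsoft-Windows-Wininit.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 14 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue
foreach ($ev in $events) {
    Write-Host ("{0}  {1}" -f $ev.TimeCreated, ($ev.Message -replace '\s+', ' '))
}
```

Run it from a 64-bit PowerShell window; a 32-bit PowerShell would be redirected to the Wow6432Node view for both keys and would only ever see guard32.dll.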

Thanks. You are most helpful. Have cleared all my questions.

■■■■ it… It took so long for the validation e-mail to arrive that I forgot what I was going to say… he he he… :slight_smile:

Welcome to the Comodo Forum forumadmin@comodo.com 4:04 PM (29 minutes ago)

Maybe it’ll come back to me, but now I’ve gotta run…