APPCERT.DLL
evaluates the SAFER
security level
of every application to be started by the Win32
functions
CreateProcess()
,
CreateProcessAsUser()
,
CreateProcessWithLogonW()
and
CreateProcessWithTokenW()
:
it allows process creation for the security levels
SAFER_LEVELID_FULLYTRUSTED
alias Unrestrictedand
SAFER_LEVELID_NORMALUSER
alias Basic User, or denies process creation for the security levels
SAFER_LEVELID_CONSTRAINED
alias Restricted,
SAFER_LEVELID_UNTRUSTED
alias Untrustedand
SAFER_LEVELID_DISALLOWED
alias Disallowed.
In case of denial it writes an entry
865,
866,
867,
868
or
882
from source Software Restriction Policies
(on
Windows XP and Windows Server 2003) or
Microsoft-Windows-SoftwareRestrictionPolicies
(on
Windows Vista® and newer versions of
Windows™ NT)
to the Event Log.
CREATE_PRESERVE_CODE_AUTHZ_LEVEL
of the Win32 functions
CreateProcess()
,
CreateProcessAsUser()
,
CreateProcessWithLogonW()
and
CreateProcessWithTokenW()
allows unprivileged users to bypass both
AppLocker
and
SAFER
alias
Software Restriction Policies
in all versions of
Windows™ NT:
- CREATE_PRESERVE_CODE_AUTHZ_LEVEL
0x02000000- Allows the caller to execute a child process that bypasses the process restrictions that would normally be applied automatically to the process.
This bypass may also be exercised indirect: the flag
SAFER_TOKEN_MAKE_INERT
of the Win32
function
SaferComputeTokenFromLevel()
allows to create an inert
token
which can then be (ab)used with the Win32 functions
CreateProcessAsUser()
and
CreateProcessWithTokenW()
;
both Win32 functions but require privileges to be held
by their caller which are not assigned to unprivileged users.
Note: the flag
LOAD_IGNORE_CODE_AUTHZ_LEVEL
of the
Win32 function
LoadLibraryEx()
and the flag SANDBOX_INERT
of the
Win32 function
CreateRestrictedToken()
enable this bypass too; both are but disabled for unprivileged users
in Windows 8 and newer versions of
Windows NT (in Windows 7 and
Windows Server 2008 R2 with the hotfix
2532445,
the hotfix
2894252,
or the convenience
rollup update
3125574).
Enable
SAFER
alias
Software Restriction Policies
and block execution in the user’s %TMP%
directory
per registry path rule, for example with the following
Registry
entries:
REGEDIT4
; Copyright © 2004-2025, Stefan Kanthak <stefan.kanthak@nexgo.de>
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
"AuthentiCodeEnabled"=dword:00000000
"DefaultLevel"=dword:00040000 ; 'Unrestricted'
"PolicyScope"=dword:00000000 ; Apply to 'Users' and 'Administrators'
"TransparentEnabled"=dword:00000002 ; Apply to executable files and DLLs
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{6B29FC40-CA47-1067-B31D-00DD010662DA}]
"Description"="%TMP%"
"ItemData"=hex(2):"25,48,4b,45,59,5f,43,55,52,52,45,4e,54,5f,55,53,45,52,5c,45,6e,76,69,72,6f,6e,6d,65,6e,74,5c,54,4d,50,25,00
;"ItemData"=expand:"%HKEY_CURRENT_USER\\Environment\\TMP%"
GUID
Copy the Command Processor
%COMSPEC%
into your %TMP%
directory and
verify that execution is blocked there:
COPY "%COMSPEC%" "%TMP%" "%TMP%\Cmd.exe" RENAME "%TMP%\Cmd.exe" cmd12345.tmp "%TMP%\cmd12345.tmp" "%SystemRoot%\System32\CertUtil.exe" /ERROR %ERRORLEVEL%
1 file(s) copied. This program is blocked by group policy. For more information, contact your system administrator. This program is blocked by group policy. For more information, contact your system administrator. 0x4ec (WIN32: 1260 ERROR_ACCESS_DISABLED_BY_POLICY) -- 1260 (1260) Error message text: This program is blocked by group policy. For more information, contact your system administrator. CertUtil: -error command completed successfully.
Create the text file APPCERT.C
with the following
content in an arbitrary, preferable empty directory:
// Copyright © 2004-2025, Stefan Kanthak <stefan.kanthak@nexgo.de>
#define STRICT
#define UNICODE
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
__declspec(safebuffers)
BOOL CDECL PrintConsole(HANDLE hConsole, [SA_FormatString(Style="printf")] LPCWSTR lpFormat, ...)
{
WCHAR szOutput[1024];
DWORD dwOutput;
DWORD dwConsole;
va_list vaInput;
va_start(vaInput, lpFormat);
dwOutput = wvsprintf(szOutput, lpFormat, vaInput);
va_end(vaInput);
if (dwOutput == 0)
return FALSE;
if (!WriteConsole(hConsole, szOutput, dwOutput, &dwConsole, NULL))
return FALSE;
return dwConsole == dwOutput;
}
const STARTUPINFO si = {sizeof(si)};
__declspec(noreturn)
VOID CDECL wmainCRTStartup(VOID)
{
PROCESS_INFORMATION pi;
WCHAR szSource[MAX_PATH];
DWORD dwSource;
WCHAR szBuffer[MAX_PATH];
DWORD dwBuffer;
DWORD dwError = ERROR_SUCCESS;
HANDLE hConsole = GetStdHandle(STD_ERROR_HANDLE);
if (hConsole == INVALID_HANDLE_VALUE)
dwError = GetLastError();
else
{
dwSource = GetEnvironmentVariable(L"COMSPEC", szSource, sizeof(szSource) / sizeof(*szSource));
if (dwSource == 0)
PrintConsole(hConsole,
L"GetEnvironmentVariable() returned error %lu\n",
dwError = GetLastError());
else
{
dwBuffer = GetTempPath(sizeof(szBuffer) / sizeof(*szBuffer), szBuffer);
if (dwBuffer == 0)
PrintConsole(hConsole,
L"GetTempPath() returned error %lu\n",
dwError = GetLastError());
else
{
if (GetTempFileName(szBuffer, L"cmd", 0, szBuffer) == 0)
PrintConsole(hConsole,
L"GetTempFileName() returned error %lu\n",
dwError = GetLastError());
else
{
if (!CopyFile(szSource, szBuffer, FALSE))
PrintConsole(hConsole,
L"CopyFile() returned error %lu\n",
dwError = GetLastError());
else
{
if (!CreateProcess(szBuffer,
L"CMD.EXE /D /K SET \"\"",
(LPSECURITY_ATTRIBUTES) NULL,
(LPSECURITY_ATTRIBUTES) NULL,
FALSE,
CREATE_DEFAULT_ERROR_MODE | CREATE_NEW_CONSOLE | CREATE_PRESERVE_CODE_AUTHZ_LEVEL | CREATE_UNICODE_ENVIRONMENT,
L"",
(LPCWSTR) NULL,
&si,
&pi))
PrintConsole(hConsole,
L"CreateProcess() returned error %lu\n",
dwError = GetLastError());
else
{
PrintConsole(hConsole,
L"Process %lu with primary thread %lu started from file \'%ls\'\n",
pi.dwProcessId, pi.dwThreadId, szBuffer);
if (!CloseHandle(pi.hThread))
PrintConsole(hConsole,
L"CloseHandle() returned error %lu\n",
dwError = GetLastError());
if (!CloseHandle(pi.hProcess))
PrintConsole(hConsole,
L"CloseHandle() returned error %lu\n",
dwError = GetLastError());
}
}
if (!DeleteFile(szBuffer))
PrintConsole(hConsole,
L"DeleteFile() returned error %lu\n",
dwError = GetLastError());
}
}
}
}
ExitProcess(dwError);
}
Run the following four command lines to build the console
application APPCERT.EXE
from the source file
APPCERT.C
created in step 3. and cleanup
afterwards:
SET CL=/GA /GF /GS /Gd /Gy /O2 /Os /Oy /W4 /we4013 /Zl SET LINK=/EMITTOOLVERSIONINFO:NO /ENTRY:wmainCRTStartup /LARGEADDRESSAWARE /NOCOFFGRPINFO /NODEFAULTLIB /OPT:REF /OSVERSION:5.1 /RELEASE /SUBSYSTEM:CONSOLE /VERSION:0.815 CL.EXE APPCERT.C KERNEL32.LIB USER32.LIB ERASE APPCERT.OBJFor details and reference see the MSDN articles Compiler Options and Linker Options.
Note: if necessary, see the MSDN article Use the Microsoft C++ toolset from the command line for an introduction.
Note: APPCERT.EXE
is a pure
Win32 console application and builds without the
MSVCRT
libraries.
Note: the command lines can be copied and pasted as block into a Command Processor window.
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 16.00.40219.01 for 80x86 Copyright (C) Microsoft Corporation. All rights reserved. APPCERT.C APPCERT.C(86) : warning C4090: 'function' : different 'const' qualifiers Microsoft (R) Incremental Linker Version 10.00.40219.386 Copyright (C) Microsoft Corporation. All rights reserved. …
Execute the console application APPCERT.EXE
built in
step 4.: the copy of the
Command Processor starts from the
%TMP%
directory despite the blocking
SAFER
registry path rule!
CreateProcess()
,
CreateProcessAsUser()
,
CreateProcessWithLogonW()
and
CreateProcessWithTokenW()
in every (user) process; their CreateProcessNotify()
routine is called with PROCESS_CREATION_QUERY
as reason
whenever an application is to be started.
NTSTATUS
like
0xC0000372
alias STATUS_ACCESS_DISABLED_NO_SAFER_UI_BY_POLICY
,
process creation is denied and the Win32 functions
CreateProcess*()
yield an error code like 786 alias
ERROR_ACCESS_DISABLED_NO_SAFER_UI_BY_POLICY
;
process creation is allowed only if all AppCertDlls
return a non-negative NTSTATUS
like
0x00000000
alias STATUS_SUCCESS
.
Caveat: the NTSTATUS
0xC0000372
alias STATUS_ACCESS_DISABLED_NO_SAFER_UI_BY_POLICY
was
chosen deliberately to avoid possible problems in non-interactive
processes: as its name implies, it instructs its receiver to deny
access without displaying an error message.
Note: the APPCERT.DLL
offered for
download use the other NTSTATUS
codes to let their
caller(s) display error messages.
Note: AppCertDlls are not documented by Microsoft®!
Note: Windows 11, where
Services.exe
and
WinInit.exe
execute as Protected Process Lite, writes an error
message with event id 3033 plus an information message with event id
3089 and source Microsoft-Windows-CodeIntegrity
to the
Microsoft-Windows-CodeIntegrity/Operational
event log.
WMIC.exe NTEvent Where "(EventCode='3033' Or EventCode='3089') And SourceName='Microsoft-Windows-CodeIntegrity'" Get /Value
Category=0 CategoryString= ComputerName=… Data= EventCode=3089 EventIdentifier=3089 EventType=4 InsertionStrings= Logfile=Microsoft-Windows-CodeIntegrity/Operational Message=Signature information for another event. Match using the Correlation Id. RecordNumber=… SourceName=Microsoft-Windows-CodeIntegrity TimeGenerated=… TimeWritten=… Type=Information User=NT AUTHORITY\SYSTEM Category=0 CategoryString= ComputerName=… Data= EventCode=3033 EventIdentifier=3033 EventType=2 InsertionStrings={"\Device\HarddiskVolume0\Windows\System32\wininit.exe", "\Device\HarddiskVolume0\Windows\System32\AppCert.Dll", "Windows"} Logfile=Microsoft-Windows-CodeIntegrity/Operational Message=Code Integrity determined that a process (\Device\HarddiskVolume0\Windows\System32\wininit.exe) attempted to load \Device\HarddiskVolume0\Windows\System32\AppCert.Dll that did not meet the Windows signing level requirements. RecordNumber=… SourceName=Microsoft-Windows-CodeIntegrity TimeGenerated=… TimeWritten=… Type=Error User=NT AUTHORITY\SYSTEM Category=0 CategoryString= ComputerName=… Data= EventCode=3089 EventIdentifier=3089 EventType=4 InsertionStrings= Logfile=Microsoft-Windows-CodeIntegrity/Operational Message=Signature information for another event. Match using the Correlation Id. RecordNumber=… SourceName=Microsoft-Windows-CodeIntegrity TimeGenerated=… TimeWritten=… Type=Information User=NT AUTHORITY\SYSTEM Category=0 CategoryString= ComputerName=… Data= EventCode=3033 EventIdentifier=3033 EventType=2 InsertionStrings={"\Device\HarddiskVolume0\Windows\System32\services.exe", "\Device\HarddiskVolume0\Windows\System32\AppCert.Dll", "Windows"} Logfile=Microsoft-Windows-CodeIntegrity/Operational Message=Code Integrity determined that a process (\Device\HarddiskVolume0\Windows\System32\services.exe) attempted to load \Device\HarddiskVolume0\Windows\System32\AppCert.Dll that did not meet the Windows signing level requirements. RecordNumber=… SourceName=Microsoft-Windows-CodeIntegrity TimeGenerated=… TimeWritten=… Type=Error User=NT AUTHORITY\SYSTEM
APPCERT.DLL
from the source and install it.
Create the text file APPCERT.C
with the following
content in an arbitrary, preferable empty directory:
// Copyright © 2004-2025, Stefan Kanthak <stefan.kanthak@nexgo.de>
#define STRICT
#define UNICODE
#define WIN32_LEAN_AND_MEAN
#define WINVER 0x0500
#define _WIN32_WINNT 0x0500
#include <windows.h>
#include <winsafer.h>
#include <wintrust.h>
typedef enum _REASON
{
PROCESS_CREATION_QUERY = 1,
PROCESS_CREATION_ALLOWED = 2,
PROCESS_CREATION_DENIED = 3
} REASON;
// see <https://msdn.microsoft.com/en-us/library/cc231200.aspx>
// and <https://msdn.microsoft.com/en-us/library/cc704588.aspx>
typedef enum _NTSTATUS
{
STATUS_SUCCESS = 0x00000000,
STATUS_ACCESS_DISABLED_BY_POLICY_DEFAULT = 0xC0000361,
STATUS_ACCESS_DISABLED_BY_POLICY_PATH = 0xC0000362,
STATUS_ACCESS_DISABLED_BY_POLICY_PUBLISHER = 0xC0000363,
STATUS_ACCESS_DISABLED_BY_POLICY_OTHER = 0xC0000364,
STATUS_ACCESS_DISABLED_NO_SAFER_UI_BY_POLICY = 0xC0000372
} NTSTATUS;
__declspec(safebuffers)
NTSTATUS NTAPI CreateProcessNotify(LPCWSTR lpApplicationName, REASON enReason)
{
NTSTATUS ntStatus = STATUS_SUCCESS;
// see <https://msdn.microsoft.com/en-us/library/ms722431.aspx>
SAFER_CODE_PROPERTIES scp = {sizeof(scp),
SAFER_CRITERIA_AUTHENTICODE | SAFER_CRITERIA_IMAGEHASH | SAFER_CRITERIA_IMAGEPATH,
(LPCWSTR) NULL,
(HANDLE) NULL,
0,
{0},
0,
{0, 0},
(ALG_ID) 0,
(LPBYTE) NULL,
HWND_DESKTOP,
WTD_UI_NONE};
SAFER_LEVEL_HANDLE slh;
DWORD dwLevelId;
DWORD dwDummy;
switch (enReason)
{
case PROCESS_CREATION_QUERY:
// called once for each process that is to be created:
// return STATUS_SUCCESS to allow process creation or
// return STATUS_ACCESS_DISABLED_NO_SAFER_UI_BY_POLICY to deny process creation
scp.ImagePath = lpApplicationName;
// see <https://msdn.microsoft.com/en-us/library/ms722428.aspx>
if (!SaferIdentifyLevel(1, &scp, &slh, NULL))
OutputDebugStringA("AppCert!CreateProcessNotify: SaferIdentifyLevel() failed!\n");
else
{ // see <https://msdn.microsoft.com/en-us/library/ms722426.aspx>
if (!SaferGetLevelInformation(slh, SaferObjectLevelId, &dwLevelId, sizeof(dwLevelId), &dwDummy))
OutputDebugStringA("AppCert!CreateProcessNotify: SaferGetLevelInformation() failed!\n");
else
// see <https://msdn.microsoft.com/en-us/library/ms722425.aspx>
if (dwLevelId < SAFER_LEVELID_NORMALUSER)
{
ntStatus = STATUS_ACCESS_DISABLED_NO_SAFER_UI_BY_POLICY;
// see <https://msdn.microsoft.com/en-us/library/ms722430.aspx>
if (!SaferRecordEventLogEntry(slh, scp.ImagePath, NULL))
OutputDebugStringA("AppCert!CreateProcessNotify: SaferRecordEventLogEntry() failed!\n");
}
// see <https://msdn.microsoft.com/en-us/library/ms722423.aspx>
if (!SaferCloseLevel(slh))
OutputDebugStringA("AppCert!CreateProcessNotify: SaferCloseLevel() failed!\n");
}
break;
case PROCESS_CREATION_ALLOWED:
// called once for each process that is allowed creation;
// the return value is discarded
// …
break;
case PROCESS_CREATION_DENIED:
// called once for each process that is denied creation;
// the return value is discarded
// …
break;
default:
;
}
// the return value is only used for PROCESS_CREATION_QUERY,
// and discarded for all other reasons
return ntStatus;
}
Run the following four command lines to build the
DLL
APPCERT.DLL
from the source file
APPCERT.C
created in step 1. and cleanup
afterwards:
SET CL=/GA /GF /GS /Gd /Gy /O1 /Os /Oy- /W4 /we4013 /Zl SET LINK= /DLL /EXPORT:CreateProcessNotify /LARGEADDRESSAWARE /NOCOFFGRPINFO /NODEFAULTLIB /NOENTRY /OPT:REF /OSVERSION:5.1 /RELEASE /SUBSYSTEM:WINDOWS /VERSION:0.815 CL.EXE APPCERT.C ADVAPI32.LIB KERNEL32.LIB ERASE APPCERT.EXP APPCERT.LIB APPCERT.OBJFor details and reference see the MSDN articles Compiler Options and Linker Options.
Note: if necessary, see the MSDN article Use the Microsoft C++ toolset from the command line for an introduction.
Note: APPCERT.DLL
is a pure
Win32
DLL
and builds without the
MSVCRT
libraries.
Note: the command lines can be copied and pasted as block into a Command Processor window.
Microsoft (R) C/C++ Optimizing Compiler Version 16.00.40219.01 for x64 Copyright (C) Microsoft Corporation. All rights reserved. APPCERT.C Microsoft (R) Incremental Linker Version 10.00.40219.386 Copyright (C) Microsoft Corporation. All rights reserved. Creating library APPCERT.lib and object APPCERT.exp …Note: for systems with AMD64 alias x64 processor architecture, build
APPCERT.DLL
for the I386 alias
x86 processor architecture too!
Microsoft (R) C/C++ Optimizing Compiler Version 16.00.40219.01 for 80x86 Copyright (C) Microsoft Corporation. All rights reserved. APPCERT.C Microsoft (R) Incremental Linker Version 10.00.40219.386 Copyright (C) Microsoft Corporation. All rights reserved. Creating library APPCERT.lib and object APPCERT.exp …
Copy the DLL
APPCERT.DLL
built in step 2. into
Windows’
system directory
%SystemRoot%\System32\
.
Note: on systems with AMD64 alias
x64 processor architecture, additionally copy
APPCERT.DLL
built for the I386 alias
x86 processor architecture into the directory
%SystemRoot%\SysWoW64\
.
Run the following command line to activate it:
"%SystemRoot%\System32\Reg.exe" ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls" /V "AppCert.dll" /T REG_SZ /D "%SystemRoot%\System32\AppCert.dll" /F
APPCERT.DLL
is a pure Win32
DLL, written in
ANSI C,
built with the APPCERT.DLL
is available for the I386
alias x86, AMD64 alias x64
and IA64 processor architectures of
Windows NT.
APPCERT.DLL
and the cabinet file
APPCERT.CAB
are
digitally signed
using an
X.509
certificate
issued by
WEB.DE TrustCenter E-Mail Certification Authority.
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEA6ipnm9vAs63w+TM+9UcG1yQ8CRIxMz/tTXry9MCbeHpkiM/qdPaRWlwVTW2j
PhC81xwIPZXgE1FE4DgE1eImb33DG2YfEBY/ARpMaGUnme+85WmExWWc/YMUAaHOMYQ3TQDX
0V/7yuhfa9Uc29ljtQ2AB0MjhXTJvGguvZZTI5A3rcN4+AKwmETdYH+8OQKMU2s+2H9CVfaD
waX0aj9CeibGNooLTgDchzCBIC5J47qHned/3ZqnMDjYCv3Yc1HNgcbM+ZKzPoD8jShb/ptI
wWPo9s00KEs9ti68RsmejqKovAmdLSzFLGARbue2uiqs4piJkxI0LS5+NTTPyZjsSwIDAQAB
-----END RSA PUBLIC KEY-----
Download and install the
CA
and
root
X.509 certificates of
WEB.DE
to validate and verify the digital signature.
Note: unfortunately WEB.DE abandoned their trust center in 2018 and removed all pages and download links in 2019; fortunately the Wayback Machine archived the TrustCenter page, the CA and the root certificate.
Note: due to its counter signature alias timestamp the digital signature remains valid past the X.509 certificates expiration date!
AMD64\APPCERT.DLL
,
I386\APPCERT.DLL
,
IA64\APPCERT.DLL
and the
setup script
APPCERT.INF
are packaged in the (compressed and
digitally signed)
cabinet
file
APPCERT.CAB
.
Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. X:\>EXTRACT.EXE /D APPCERT.CAB Microsoft (R) Cabinet Extraction Tool - Version 5.1.2600.5512 Copyright (c) Microsoft Corporation. All rights reserved.. Cabinet APPCERT.CAB 06-11-2018 10:07:18p A--- 12,291 APPCERT.INF 06-11-2018 10:05:40p A--- 31,960 AMD64\APPCERT.DLL 06-11-2018 10:05:30p A--- 31,448 I386\APPCERT.DLL 06-11-2018 10:05:46p A--- 35,544 IA64\APPCERT.DLL 4 Files 111,243 bytes X:\>DIR APPCERT.CAB Volume in drive X has no label. Volume Serial Number is 1957-0427 Directory of X:\ 06/11/2018 10:08 PM 29,628 APPCERT.CAB 1 File(s) 29,628 bytes 0 Dir(s) 9,876,543,210 bytes free X:\>SIGNTOOL.EXE Verify /V APPCERT.CAB Verifying: APPCERT.CAB SHA1 hash of file: (not calculated) Signing Certificate Chain: Issued to: WEB.DE TrustCenter Issued by: WEB.DE TrustCenter Expires: 30.08.2024 09:49:34 SHA1 hash: C8301016951187E6320569B3ED54F34845B51638 Issued to: WEB.DE TrustCenter E-Mail Certification Authority Issued by: WEB.DE TrustCenter Expires: 30.08.2024 09:50:51 SHA1 hash: 8946380C6E370988FB587257A9F9A5CD323045F0 Issued to: Stefan Kanthak Issued by: WEB.DE TrustCenter E-Mail Certification Authority Expires: 15.12.2018 02:16:19 SHA1 hash: 8C5B7521404177AC54131302066BB069102E830E The signature is timestamped: 11.06.2018 22:08:12 Timestamp Verified by: Issued to: Thawte Timestamping CA Issued by: Thawte Timestamping CA Expires: 01.01.2021 01:59:59 SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656 Issued to: Symantec Time Stamping Services CA - G2 Issued by: Thawte Timestamping CA Expires: 31.12.2020 01:59:59 SHA1 hash: 6C07453FFDDA08B83707C09B82FB3D15F35336B1 Issued to: Symantec Time Stamping Services Signer - G4 Issued by: Symantec Time Stamping Services CA - G2 Expires: 30.12.2020 01:59:59 SHA1 hash: 65439929B67973EB192D6FF243E6767ADF0834E4 Successfully verified: APPCERT.CAB Number of files successfully Verified: 1 Number of warnings: 0 Number of errors: 0 X:\>On Windows Vista and newer versions of Windows NT, run the following command line to extract all files into the specified directory, preserving their paths:
"%SystemRoot%\System32\Expand.exe" APPCERT.CAB /F:* "‹target directory›"Note:
Expand.exe
from prior
versions of Windows NT ignores the paths and junks
them; use Extract.exe
from the Support Tools on Windows XP and
Windows Server 2003 instead!
Note: if you open APPCERT.CAB
with
Windows Explorer, switch to
Details
view and turn on the Path
column!
The setup script
APPCERT.INF
copies the appropriate APPCERT.DLL
to
%SystemRoot%\System32\APPCERT.DLL
and creates the
following
Registry
entry to activate it:
REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls]
"AppCert.dll"="C:\\Windows\\System32\\AppCert.dll"
Caveat: this Registry entry is
not preserved by the bi-annual function updates
or upgrades on Windows 10 and has to be restored
afterwards!
Note: on systems with AMD64 alias
x64 processor architecture, the installation
must be run in the native (64-bit) execution
environment to install APPCERT.DLL
for both processor
architectures!
I386\APPCERT.DLL
to
%SystemRoot%\System32\APPCERT.DLL
.
AMD64\APPCERT.DLL
to
%SystemRoot%\System32\APPCERT.DLL
and
I386\APPCERT.DLL
to
%SystemRoot%\SysWoW64\APPCERT.DLL
.
IA64\APPCERT.DLL
to
%SystemRoot%\System32\APPCERT.DLL
.
Note: on systems with AMD64 alias x64 processor architecture, Internet Explorer (x64) must be used!
APPCERT.CAB
and verify its digital signature, then open it in
Windows Explorer, extract its
contents preserving the directory structure, right-click the
extracted setup script
APPCERT.INF
to display its context menu and click Installto run the installation.
Note: on Windows Vista and newer
versions of Windows NT,
InfDefaultInstall.exe
,
the application registered for the Install
verb of
*.inf
files, requests administrative privileges.
On Windows XP and Windows Server 2003,
open the Add/Remove Programs applet of the
Control Panel,
tick the checkbox Updates
, select the entry
Prevent bypass of AppLocker and SAFER alias Software Restriction Policies
underneath Systemkonfiguration
and click the
button.
On Windows Vista and newer versions of
Windows NT, open the Control Panel and
click the entry View installed updates underneath the
Programs and Features or Programs
category.
In Installed Updates select the entry
Prevent bypass of AppLocker and SAFER alias Software Restriction Policies
underneath Systemkonfiguration
and click the
Uninstall
menu entry.
Use the X.509 certificate to send S/MIME encrypted mail.
Note: email in weird format and without a proper sender name is likely to be discarded!
I dislike
HTML (and even
weirder formats too) in email, I prefer to receive plain text.
I also expect to see your full (real) name as sender, not your
nickname.
I abhor top posts and expect inline quotes in replies.
as iswithout any warranty, neither express nor implied.
cookiesin the web browser.
The web service is operated and provided by
Telekom Deutschland GmbH The web service provider stores a session cookie
in the web
browser and records every visit of this web site with the following
data in an access log on their server(s):