Command Line Logger

Me, myself & IT

Command Line Logger

Purpose
Background Information
Operation
Limitation
Alternatives
Implementation and Build Details
Authenticity and Integrity
Download
Installation: Automatic online installation; Manual offline installation
Update
Deinstallation

Purpose

Log command lines of Win32 applications to the file %SystemRoot%\Debug\AppInit.log.

Background Information

AppInit_DLLs are loaded and their DllMain() DllMain() _DllMainCRTStartup() routine called from Windows’^™ module loader after User32.dll is loaded, which typically is a load-time dependency of Win32 applications.

Since Windows 7 and Windows Server 2008 R2, AppInit_DLLs are loaded by the function LoadAppInitDlls() exported from Kernel32.dll, which is called from User32.dll during its initialisation; in prior versions of Windows User32.dll loads AppInit_DLLs itself.

Note: the MSDN article AppInit_DLLs in Windows 7 and Windows Server 2008 R2 documents some of the changes introduced with Windows 7 and Windows Server 2008 R2.

Note: Windows 7 and newer versions of Windows NT write a warning message with event id 11 and source Microsoft-Windows-Wininit to the System event log.

WMIC.exe NTEvent Where "EventCode='11' And SourceName='Microsoft-Windows-Wininit'" Get /Value

Category=0
CategoryString=
ComputerName=…
Data=
EventCode=11
EventIdentifier=11
EventType=2
InsertionStrings={"1"}
Logfile=System
Message=Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications. Please visit http://support.microsoft.com/kb/197571 for more information.
RecordNumber=…
SourceName=Microsoft-Windows-Wininit
TimeGenerated=…
TimeWritten=…
Type=Warning
User=NT AUTHORITY\SYSTEM

Caveat: the MSDN article AppInit DLLs and Secure Boot documents that the AppInit_DLLs infrastructure is disabled since Windows 8 and Windows Server 2012 when Secure Boot is enabled.

Operation

If file system permissions allow, APPINIT.DLL

creates the file %SystemRoot%\Debug\AppInit.log if it does not exist and writes a Unicode BOM to it;
appends the command line returned from the Win32 function GetCommandLineW() plus a terminating as well as separating CR/LF pair in Windows’ native UTF-16LE encoding to the file.

APPINIT.DLL returns FALSE from the initial call of its DllMain() routine to let Windows’ module loader unload it immediately after writing the command line.

The NTFS access rights of the directory %SystemRoot%\Debug\ allow only privileged users (NT AUTHORITY\SYSTEM alias LocalSystem and BUILTIN\Administrators) to create the file %SystemRoot%\Debug\AppInit.log.
The file’s inherited access rights also allow only privileged users to write, but unprivileged users (BUILTIN\Users) to read.

On Windows Vista^® and newer versions of Windows NT, file and directory operations of 32-bit applications run by unprivileged users which fail due to missing write access rights in %SystemRoot%\ and below as well as "%ProgramFiles%\" and below, on 64-bit editions also "%ProgramFiles(x86)%\" and below, are redirected to the directory "%LOCALAPPDATA%\VirtualStore\", resulting in "%LOCALAPPDATA%\VirtualStore\Windows\Debug\AppInit.log".

Caveat: the file AppInit.log can grow quite large!
Note: it can be cleared or erased any time.

Note: the command line a Win32 application receives from the Win32 function GetCommandLine() can differ from the command line supplied by the caller:

The name of the executable in the command line that the operating system provides to a process is not necessarily identical to that in the command line that the calling process gives to the CreateProcess() function. The operating system may prepend a fully qualified path to an executable name that is provided without a fully qualified path.

Additionally, when the Win32 functions CreateProcess(), CreateProcessAsUser(), CreateProcessWithLogonW() or CreateProcessWithTokenW() are called using a command line with an unquoted long filename or pathname containing spaces (a well-known weakness: CWE-428: Unquoted Search Path or Element) they play try & error to guess the pathname of the executable:

[…] the module name must be the first white space-delimited token in the lpCommandLine string. If you are using a long file name that contains a space, use quoted strings to indicate where the file name ends and the arguments begin; otherwise, the file name is ambiguous. For example, consider the string "c:\program files\sub dir\program name". This string can be interpreted in a number of ways. The system tries to interpret the possibilities in the following order:

c:\program.exe files\sub dir\program name

c:\program files\sub.exe dir\program name

c:\program files\sub dir\program.exe name

c:\program files\sub dir\program name.exe

In the latter three cases the command line is but modified too: Windows adds quotes around the part of the command line which forms the result of this interpretation and yields the pathname of the executable if this contains a space.

Limitation

APPINIT.DLL is called only from Win32 applications which load User32.dll.

Alternatives

On February 10, 2015 Microsoft^® published the (optional) update 3004375 for Windows 7 and newer versions of Windows NT which provides the logging of command lines too.
For additional information see the Security Advisory 3004375.

Implementation and Build Details

APPINIT.DLL is a pure Win32 DLL, written in ANSI C, built with the ~~Platform SDK for Windows Server 2003 R2~~ Microsoft Visual C++ Compiler 2010 SP1 from update 2519277, but without the MSVCRT libraries, for use on Windows 2000 and newer versions of Windows NT as well as Windows PE.

APPINIT.DLL is available for the I386 alias x86, AMD64 alias x64 and IA64 processor architectures of Windows NT.

Authenticity and Integrity

APPINIT.DLL and the cabinet file APPINIT.CAB are digitally signed using an X.509 certificate issued by WEB.DE TrustCenter E-Mail Certification Authority.

Serial number of the certificate: 0x0465CEF9 = 73780985
Fingerprint of the certificate: MD5: 33 33 6e 1d 26 18 a7 c2 be 87 11 68 05 2c 70 09; SHA-1: 8c 5b 75 21 40 41 77 ac 54 13 13 02 06 6b b0 69 10 2e 83 0e

Download and install the CA and root X.509 certificates of WEB.DE to validate and verify the digital signature.

Note: unfortunately WEB.DE abandoned their trust center in 2018 and removed all pages and download links in 2019; fortunately the Wayback Machine archived the TrustCenter page, the CA and the root certificate.

Note: due to its counter signature alias timestamp the digital signature remains valid past the X.509 certificates expiration date!

Download

AMD64\APPINIT.DLL, I386\APPINIT.DLL, IA64\APPINIT.DLL and the setup script APPINIT.INF are packaged in the (compressed and digitally signed) cabinet file APPINIT.CAB.

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

X:\>EXTRACT.EXE /D APPINIT.CAB
Microsoft (R) Cabinet Extraction Tool - Version 5.1.2600.5512
Copyright (c) Microsoft Corporation. All rights reserved..

 Cabinet APPINIT.CAB

06-11-2018 10:18:54p A---        12,990 APPINIT.INF
06-11-2018 10:17:38p A---        30,824 AMD64\APPINIT.DLL
06-11-2018 10:17:30p A---        30,824 I386\APPINIT.DLL
06-11-2018 10:17:48p A---        34,920 IA64\APPINIT.DLL
                 4 Files        109,558 bytes

X:\>DIR APPINIT.CAB
 Volume in drive X has no label.
 Volume Serial Number is 1957-0427

 Directory of X:\

06/11/2018  10:19 PM            28,996 APPINIT.CAB
               1 File(s)         28,996 bytes
               0 Dir(s)    9,876,543,210 bytes free

X:\>SIGNTOOL.EXE Verify /V APPINIT.CAB

Verifying: APPINIT.CAB
SHA1 hash of file: (not calculated)
Signing Certificate Chain:
    Issued to: WEB.DE TrustCenter
    Issued by: WEB.DE TrustCenter
    Expires:   30.08.2024 09:49:34
    SHA1 hash: C8301016951187E6320569B3ED54F34845B51638

        Issued to: WEB.DE TrustCenter E-Mail Certification Authority
        Issued by: WEB.DE TrustCenter
        Expires:   30.08.2024 09:50:51
        SHA1 hash: 8946380C6E370988FB587257A9F9A5CD323045F0

            Issued to: Stefan Kanthak
            Issued by: WEB.DE TrustCenter E-Mail Certification Authority
            Expires:   15.12.2018 02:16:19
            SHA1 hash: 8C5B7521404177AC54131302066BB069102E830E

The signature is timestamped: 11.06.2018 22:19:23
Timestamp Verified by:
    Issued to: Thawte Timestamping CA
    Issued by: Thawte Timestamping CA
    Expires:   01.01.2021 01:59:59
    SHA1 hash: BE36A4562FB2EE05DBB3D32323ADF445084ED656

        Issued to: Symantec Time Stamping Services CA - G2
        Issued by: Thawte Timestamping CA
        Expires:   31.12.2020 01:59:59
        SHA1 hash: 6C07453FFDDA08B83707C09B82FB3D15F35336B1

            Issued to: Symantec Time Stamping Services Signer - G4
            Issued by: Symantec Time Stamping Services CA - G2
            Expires:   30.12.2020 01:59:59
            SHA1 hash: 65439929B67973EB192D6FF243E6767ADF0834E4

Successfully verified: APPINIT.CAB

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0

X:\>

On Windows Vista and newer versions of Windows NT, run the following command line to extract all files into the specified directory, preserving their paths:

"%SystemRoot%\System32\Expand.exe" APPINIT.CAB /F:* "‹target directory›"

Note: Expand.exe from prior versions of Windows NT ignores the paths and junks them; use Extract.exe from the Support Tools on Windows XP and Windows Server 2003 instead!

Note: if you open APPINIT.CAB with Windows Explorer, switch to Details view and turn on the Path column!

Installation

Installation requires administrative privileges and access rights.

The setup script APPINIT.INF copies the appropriate APPINIT.DLL to %SystemRoot%\System32\APPINIT.DLL and creates the following Registry entries to activate it:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\Windows\\System32\\AppInit.dll"
"LoadAppInit_DLLs"=dword:00000001
"RequireSignedAppInit_DLLs"=dword:00000000

Note: on systems with AMD64 alias x64 processor architecture, the installation must be run in the native (64-bit) execution environment to install APPINIT.DLL for both processor architectures!

Automatic online installation

When visited with Internet Explorer, this web page will prompt to install (the contents of) the package using Internet Component Download.

Note: on systems with AMD64 alias x64 processor architecture, Internet Explorer (x64) must be used!

Manual offline installation

Download the package APPINIT.CAB and verify its digital signature, then open it in Windows Explorer, extract its contents preserving the directory structure, right-click the extracted setup script APPINIT.INF to display its context menu and click Install to run the installation.

Note: on Windows Vista and newer versions of Windows NT, InfDefaultInstall.exe, the application registered for the Install verb of *.inf files, requests administrative privileges.

Update

The setup script supports the update from any previous version: just install the current version!

Deinstallation

Deinstallation requires administrative privileges and access rights.

On Windows XP and Windows Server 2003, open the Add/Remove Programs applet of the Control Panel, tick the checkbox Updates, select the entry Command Line Logger underneath Systemkonfiguration and click the Remove button.

On Windows Vista and newer versions of Windows NT, open the Control Panel and click the entry View installed updates underneath the Programs and Features or Programs category.
In Installed Updates select the entry Command Line Logger underneath Systemkonfiguration and click the Uninstall menu entry.

Contact and Feedback

If you miss anything here, have additions, comments, corrections, criticism or questions, want to give feedback, hints or tipps, report broken links, bugs, deficiencies, errors, inaccuracies, misrepresentations, omissions, shortcomings, vulnerabilities or weaknesses, …: don’t hesitate to contact me and feel free to ask, comment, criticise, flame, notify or report!

Use the X.509 certificate to send S/MIME encrypted mail.

Note: email in weird format and without a proper sender name is likely to be discarded!

I dislike HTML (and even weirder formats too) in email, I prefer to receive plain text.
I also expect to see your full (real) name as sender, not your nickname.
I abhor top posts and expect inline quotes in replies.

Terms and Conditions

By using this site, you signify your agreement to these terms and conditions. If you do not agree to these terms and conditions, do not use this site!

The software and the documentation on this site are provided as is without any warranty, neither express nor implied.
In no event will the author be held liable for any damage(s) arising from the use of the software or the documentation.
Permission is granted to use the current version of the software and the current version of the documentation solely for personal private and non-commercial purposes.
An individuals use of the software or the documentation in his or her capacity or function as an agent, (independent) contractor, employee, member or officer of a business, corporation or organisation (commercial or non-commercial) does not qualify as personal private and non-commercial purpose.
Without written approval from the author the software or the documentation must not be used for a business, for commercial, corporate, governmental, military or organisational purposes of any kind, or in a commercial, corporate, governmental, military or organisational environment of any kind.
Redistribution of the software and the documentation is allowed only in unmodified form of its current version and free of charge.

Data Protection Declaration

This web page records no (personal) data and stores no cookies in the web browser.

The web service is operated and provided by

Telekom Deutschland GmbH
Business Center
D-64306 Darmstadt
Germany
<‍hosting‍@‍telekom‍.‍de‍>
+49 800 5252033

The web service provider stores a session cookie in the web browser and records every visit of this web site with the following data in an access log on their server(s):

the (pseudonymised) IP address;
the date and time of the request;
the URL of the requested web page or file;
the Referer and User-Agent HTTP headers sent by the web browser;
the result (success or failure) of the request;
the amount of data received and sent.