[Résolu] Windows 7 : Avertissement dans journaux système

[Meyen]

Bonjour,

 

Je n'arrive pas à comprendre pourquoi dès que je démarre Windows 7 64 bits je vois tjrs le même avertissement :

 

Les bibliothèques de liens dynamiques sont chargées pour chaque application. L’administrateur système doit vérifier la liste des bibliothèques pour s’assurer qu’elles sont associées à des applications approuvées.

 

Nom du journal :System

Source : Microsoft-Windows-Wininit

Date : 13/06/2013 19:18:36

ID de l’événement :11

Catégorie de la tâche :Aucun

Niveau : Avertissement

Mots clés :

Utilisateur : Système

Ordinateur : Meyen

Description :

Les bibliothèques de liens dynamiques sont chargées pour chaque application. L’administrateur système doit vérifier la liste des bibliothèques pour s’assurer qu’elles sont associées à des applications approuvées.

XML de l’événement :

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

<System>

<Provider Name="Microsoft-Windows-Wininit" Guid="{206F6DEA-D3C5-4D10-BC72-989F03C8B84B}" />

<EventID>11</EventID>

<Version>0</Version>

<Level>3</Level>

<Task>0</Task>

<Opcode>0</Opcode>

<Keywords>0x4000000000000000</Keywords>

<TimeCreated SystemTime="2013-06-13T17:18:36.053646000Z" />

<EventRecordID>227872</EventRecordID>

<Correlation />

<Execution ProcessID="592" ThreadID="624" />

<Channel>System</Channel>

<Computer>Meyen</Computer>

<Security UserID="S-1-5-18" />

</System>

<EventData>

<Data Name="StringCount">1</Data>

<Data Name="String"> C:\Windows\system32\guard64.dll</Data>

</EventData>

</Event>

 

Auriez-vous une idée ou un conseil pour savoir pourquoi j'ai cet avertissement dans le journal système ?

 

Merci

[Meyen]

j'ai peut-être la réponse :

 

The events you're seeing are actually by design and are part of the Windows AppInit_DLLs infrastructure, which can be controlled by a registry setting:

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

 

LoadAppInit_DLLs - either 1 or 0.

 

A value of 1 AppInit_DLLs are enabled

A value of 0 AppInit_DLLs are disabled

 

Basically, AppInit_DLLs allows applications to load DLLs into all user mode processes. The Event is simply telling you that AppInit_DLLs are being loaded and that perhaps you should check to make sure the dlls are recognisable, otherwise, you may have a compromised system.

 

AppInit DLLs in Windows 7 and Windows Server 2008 R2 From the document:

 

Quote

System Event Log Entry

If an application enables AppInit DLLs, Windows logs a warning in the System Event Log. The event log entry includes a list of the DLLs that are loaded by using the AppInit_DLL mechanism. You can view this list on the Details tab in Event Viewer. Wininit logs this warning one time for each boot session. Table 2 shows the fields of the event log entry when you view the entry in Event Viewer.

 

 

A quick way to view the DLLs being loaded is by using Autoruns under the AppInit tab.

 

By the way, this event is not exclusive to CIS, you'll find most, if not all applications that use 'hooking' will also produce the event.

[Meyen]

System Event Log Entry

If an application enables AppInit DLLs, Windows logs a warning in the System Event Log. The event log entry includes a list of the DLLs that are loaded by using the AppInit_DLL mechanism. You can view this list on the Details tab in Event Viewer. Wininit logs this warning one time for each boot session. Table 2 shows the fields of the event log entry when you view the entry in Event Viewer.

Table 2. System Event Log Entry Fields in Event Viewer

 

Provider Level Event ID Channel Message

Wininit Warning 11 System Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure that they relate to trusted applications.

 

Source : AppInit DLLs in Windows 7 and Windows Server 2008 R2