Winnit Event ID 11

[julio99]

Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications. This is what I am getting in the event viewer. I''ve tried Googling this till the cows come home and I still can't find a resolution for this. It seems to show about every 4 hours according to the timeline in Event Viewer and it pops up after a WLAN Auto Config/WLAN AutoConfig service has successfully stopped. Event ID 4001. The same thing about 4 times a day. I'm not getting any crashes, yet, but I know there is something to this as it comes as a warning. I read a thread somewhere in Microsoft that was a possible solution to change the registry value in this stringHKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLL whether it was 32 0r 64 to 0 but I don't know enough about this to do that yet until I hear from someone in the know. In the x64 regedit string I showed above it has : AppInit_DLLs RG_SZ c:\progra~2\gs That is the value of the string that the one solution I read about on google said to change from 1 to 0. That value c:\progra~2\gs looks suspicious to me and when I googled it I got a few very similar threads that said it was a piece of malware from flash. Just a thought. They were telling me to get rid of it with a program called AXEKILLER. Like I sid I would rather figure it out if anyone knows before I take some killer software to a legit registry entry.

 

[Shintaro]

Mate,

Can you please either take a screen shot or a export of the events.

 

[julio99]

OK I took 2 screens of the regedit where the Microsoft article had me go to either change values or in my instance what I did was uncheck the box in Autoruns that had one of the registry strings. The registry string that I have added that says Autoruns disabled was a string that I thought was malware of some kind as it was related to a "SearchProtect" entry that I had deleted a while back but apparently stuck around in the registry so I un checked it in the Autoruns box and the Winnit 11 Event Error went away, but I'm not sure if this was the proper procedure. I will send you a link to where I was directed and you can tell me if it sounds plausible as a solution.
http://answers.microsoft.com/en-us/...-wininit/cf21d920-4a10-4b67-a850-c59b5f20d658 Look under "Dig Deep" post page 1

 

[Shintaro]

Mate,

I wanted either the screen shot of the event in Event Viewer or an export from the Event Viewer. We need to see the actual event and before and after it would be useful as well. That is why an export is more useful and preferable than a screen shot.

 

[julio99]

Because I unchecked the line in Autoruns the Winnit 11 was gone. When I post I don't just sit and wait. I go about researching and trying to solve the issue. Whether I did this right or not time will tell. As I said the Winnit Event 11 was right after I restarted and it is no longer there so unchecking the Applnit line in Autoruns stopped the Event. To tell you the truth I think this all started with a piece of Malware/Adware called SearchProtect that I got rid of through uninstall, but I might have had a leftover entry in the registry that was causing this. I guess time will tell. Sorry I got ahead of myself. I hope I did the right thing or I may pay by my impatience. Thanks

 

[TrainableMan]

So is HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLL now set to 0? From what I read when this is set to 1 it expects at least one DLL and if the last one was removed, for example by antivirus software, then this should be set back to 0 to avoid the error.

Disabling AppInit in Autoruns may bypass it but I think you should simply set the registry value to 0 instead.

 

[julio99]

I wondered why I hadn't heard from you. OK so should I put the checkmark back in the Autoruns line and then change the reg entry? Is it ok to have that set to 0? That was my hesitation in the first place. Do you run win7 Train? If so how does your reg string read, 0 or 1? I'll wait to hear from you and then I'll go and change it if you feel that is the right move.

 

[TrainableMan]

Mine is completely empty.

I hadn't replied because I never heard of it before your question and found little of it in search. But the one thing I read, if it is to be believed was that it is a way to slip DLLs in as approved and it mentioned when they are removed it should go back to 0. Now mine is blank rather than 0 so I would probably go with that instead but you could try either.

As you mentioned you had a virus and they likely were trying to say it was an approved DLL. Once the DLL was deleted this setting probably remained to give you the error. Definitely worth a shot anyway. You can always create a restore point first just in case it causes a boot problem buy I doubt it will.

 

[Shintaro]

Mate,

I understand your impatience, however I can't and never will make a decision on any changes without all the evidence of the cause. I have been down that track too many times and been burnt too many times.

If it works for you, great. It's great that you found a solution. Hopefully I can be of some help in the future.

 

[julio99]

Do you see the one that you have highlighted? Mine has/had c:\progra~2\gs which I looked up and it is part and parcel of some form of Adware or Malware, but I uninstalled it but the registry entry must have changed which I will now explain to you. Do you see the line exactly 6 lines down from the one you highlighted? The one that says LoadApplnit_DLLs REG_DWORD?? Do you see that yours has a 0 at the end? That is the one that the Microsoft article I was reading said to change the value to 0 so that is what I did. for some reason the one on top doesn't have a value so it was the one that has DWORD that you change. The top entry Applnit_DLLs in mine had that c:\progra~2\gs which was the adware/malware tha was causing the 1 in the lower string. So I went and changed the x32 reg string and the Wow6432 reg string to 0 and all is good with no Winnit 11 entries in Event Viewer.

Mate,

I understand your impatience, however I can't and never will make a decision on any changes without all the evidence of the cause. I have been down that track too many times and been burnt too many times.

If it works for you, great. It's great that you found a solution. Hopefully I can be of some help in the future.

Absolutely! You were right to ask for the particulars otherwise it could have just gotten to be a bigger problem. Just putting on the finishing touches to cleaning this up. When it comes to the registry I like to be extra careful so I don't end up having to fix things because of working too fast. Thanks again.

 

[TrainableMan]

OK so you sent the dword one to 0 and it works. That's good. I think you had found the solution and it is working.

 

[julio99]

I also deleted the c;\progra~2\gs from the top Applnit_DLLs REG_SZ in both the 32 and 64 registry strings so mine now looks just like yours. I think I just needed someone's encouragement for me to finish this. It was a good thing that you added your knowledge. Thanx again Train!!!

 

[TrainableMan]

You're Welcome