AppInit_DLLs
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

AppInit_DLLs forces Windows to inject a comma-separated list of DLLs into every process that loads User32.dll — which covers virtually every GUI-based application on the system. This mechanism was so aggressively abused by banking trojans and rootkits that Microsoft restricted it to signed DLLs on systems with Secure Boot enabled. An unsigned entry here is a severe compromise indicator.
Key Name
AppInit_DLLs — REG_SZ containing a space- or comma-separated list of DLL paths. The companion value LoadAppInit_DLLs must be set to 1 to activate injection.
Trace Type
Persistence
Hive
SOFTWARE (machine-wide). Both 32-bit and 64-bit paths exist: the 32-bit view lives under Wow6432Node and the 64-bit view under the native path.
Last Write Time
Marks when the DLL list or LoadAppInit_DLLs flag was last written — directly timestamps when this injection mechanism was configured on the host.
User Specific
No. Applies system-wide. Any DLL listed here is injected into all eligible processes regardless of which user account launches them.
Forensic Value
- Identify deep-rooted persistence: Any unsigned DLL in this value represents a major breach. Actors often use this after establishing initial persistence via Run Keys to move deeper into the system.
- Detect keyloggers and banking trojans: AppInit_DLLs is a hallmark of credential-harvesting malware that needs to inject into browsers and financial software simultaneously.
- Prove scope of compromise: Because injection targets every User32.dll-loading process, a malicious DLL here means every application was potentially compromised.
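The fields above say what to collect from this key; the script below is an added example (not code from the original page) that collects it on a live host with built-in cmdlets only. It assumes an elevated PowerShell session. It reads both the native and Wow6432Node views, reports whether LoadAppInit_DLLs actually enables injection, splits the DLL list on spaces and commas, and checks each file's Authenticode signature so that unsigned or missing entries stand out.

```powershell
# Added example (not from the original page): triage AppInit_DLLs on a live Windows host.
# Assumes an elevated PowerShell session; uses only built-in cmdlets.

function Get-AppInitDllStatus {
    [CmdletBinding()]
    param()

    # Native view (64-bit on x64 systems) and the 32-bit view under Wow6432Node.
    $keyPaths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
    )

    foreach ($keyPath in $keyPaths) {
        if (-not (Test-Path -LiteralPath $keyPath)) { continue }
        $props = Get-ItemProperty -LiteralPath $keyPath

        # A missing value comes back as $null, which [int] turns into 0 (injection disabled).
        $loadFlag      = [int]$props.LoadAppInit_DLLs
        $requireSigned = [int]$props.RequireSignedAppInit_DLLs
        $rawList       = [string]$props.AppInit_DLLs

        # The value is a space- or comma-separated list; discard empty tokens.
        $dlls = @($rawList -split '[,\s]+' | Where-Object { $_ -ne '' })

        if ($dlls.Count -eq 0) {
            # Still report the flag state: LoadAppInit_DLLs=1 with an empty list is worth noting.
            [PSCustomObject]@{
                KeyPath         = $keyPath
                InjectionActive = ($loadFlag -eq 1)
                RequireSigned   = ($requireSigned -eq 1)
                Dll             = $null
                ResolvedPath    = $null
                FileExists      = $false
                SignatureStatus = 'NoEntries'
                Signer          = $null
            }
            continue
        }

        foreach ($dll in $dlls) {
            $resolved = [Environment]::ExpandEnvironmentVariables($dll)
            # Bare filenames are resolved by the loader's search order at injection time;
            # if the path does not exist as written, report that rather than guessing.
            $sig = $null
            if (Test-Path -LiteralPath $resolved -PathType Leaf) {
                $sig = Get-AuthenticodeSignature -LiteralPath $resolved
            }
            [PSCustomObject]@{
                KeyPath         = $keyPath
                InjectionActive = ($loadFlag -eq 1)
                RequireSigned   = ($requireSigned -eq 1)
                Dll             = $dll
                ResolvedPath    = $resolved
                FileExists      = ($null -ne $sig)
                SignatureStatus = if ($sig) { $sig.Status.ToString() } else { 'FileNotFound' }
                Signer          = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        }
    }
}

# Anything that would be injected and is not signed 'Valid' deserves a closer look.
Get-AppInitDllStatus |
    Where-Object { $_.InjectionActive -and $_.SignatureStatus -ne 'Valid' } |
    Format-Table KeyPath, Dll, SignatureStatus, Signer -AutoSize
```

The registry provider does not expose a key's last write time, so the timestamp discussed under Last Write Time is best taken from the SOFTWARE hive with a forensic registry parser rather than from this script; the script answers the other questions (is injection active, which DLLs, are they signed) for both views of the key.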
For more info, check out these articles: RunKeys