Hi guys,

so I was just coding around a little and testing my stuff in OllyDBG and was wondering why I could not find the CreateProcess function in my intermodular calls list. Then I was checking out my IAT of my app and there could also not found the CreateProcess function and just found a address to AcLayers address which seems to be on top before calling the function. Just wanna know why and of course why? Is it just a on top protection function or something? Is it needed to use it by Windows and is there a way to prevent / disable that and is there also a function list what APIs are affected from those OnTop AcLayers PRE calls? Why that injection? Below my IAT part..

0045C108 >77175980  KERNEL32.ExitProcess
0045C10C >77173830  JMP to KERNELBA.DeleteFileA
0045C110 >6E1018A0  AcLayers.6E1018A0  <---- CreateProcessA inside call
0045C114 >77173800  JMP to KERNELBA.CreateFileA
0045C118 >77167D40  KERNEL32.CompareStringA
0045C11C >771735B0  JMP to KERNELBA.CloseHandle

greetz

It's called Application Compatibility Engine. Google for "shim Application Compatibility Engine" to learn more.

To disable this feature, there's a system-wide setting: https://admx.help/?Category=Windows_11_2022&Policy=Microsoft.Policies.ApplicationCompatibility::AppCompatTurnOffEngine