Appinit DLLs

https://www.symantec.com/security_response/earthlink_writeup.jsp?docid=2014-010712-2952-99
https://msdn.microsoft.com/en-us/library/windows/desktop/dd744762(v=vs.85).aspx

Loads given list of DLLs in all user mode procs
HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ : "Appinit_Dlls"
HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\ : "Appinit_Dlls"

RequireSignedAppInit_DLLs
Forces appinit_dlls to be signed. Disabled by default on Win7 for backwards compatibility. Plans to enforce signing in future Win versions (need to test 10).
According to random internet guy, this gets modified by Avast. Probably others too.

https://reverseengineering.stackexchange.com/questions/1376/what-happens-when-a-dll-is-added-to-appinit-dll
user32.dll!ClientThreadSetup -> Kernel32.dll!LoadAppInitDlls -> checks LoadAppInit_DLLs reg key -> call Kernel32.dll!BaseLoadAppInitDLLs -> for each DLL in AppInit_DLLs reg key call Kernel32.dll!LoadLibraryEx (LOAD_LIBRARY_REQUIRE_SIGNED_TARGET == RequireSignedAppINit_DLLs reg key)