This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(99.2, 84%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ET%3C/text%3E%3C/svg%3E)
Hi there. A part of our WDAC implementation - in audit mode - I am trying to track down why addinutil.exe is launching. This is running on a number of machines at different times e.g. it has run across approx 500 out of 1200 machines since Oct'23.
The alert is being generated at random times on peoples machines. On my laptop it was xmas day and my M365 office says the Install date was xmas day. However this is not the case of others e.g. the addinutil has run but it has no bearing on their office install date. I was thinking of office/windows updates but CBSLog doesn't go back far enough on the laptops.
I'm getting fresh alerts in daily from other laptops. If anyone knows a good way of tracking the process and parent/child processes, that might help. Otherwise I'm officially stuck!!! :)
This is the event in the Code Integrity Log:
Event ID: 3076
Source: CodeIntegrity
User: SYSTEM
Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\msiexec.exe) attempted to load \Device\HarddiskVolume3\Windows\Microsoft.NET\Framework64\v3.5\AddInUtil.exe that did not meet the Enterprise signing level requirements or violated code integrity policy (Policy ID:{9f475646-155f-4862-85b5-9d31fcd4bbb4}). However, due to code integrity auditing policy, the image was allowed to load.
The only 'pattern' ive been able to find so far, across multiple machines are the following events in the Application Log:
Event ID: 1040
Source: MsiInstaller
User: SYSTEM
Beginning a Windows Installer transaction: c:\program files\microsoft office\root\integration\c2rint.16.msi. Client Process Id: 15868.
Event ID: 11728
Source: MsiInstaller
User: SYSTEM
Product: Office 16 Click-to-Run Extensibility Component -- Configuration completed successfully.
Event ID: 1035
Source: MsiInstaller
User: SYSTEM
Windows Installer reconfigured the product. Product Name: Office 16 Click-to-Run Extensibility Component. Product Version: 16.0.16130.20714. Product Language: 0. Manufacturer: Microsoft Corporation. Reconfiguration success or error status: 0.
Thank you!
Hello TheLoops,
"AddinUtil.exe" is commonly used for managing Office add-ins. Ensure that there are no unwanted or unexpected add-ins causing the launches.
Hello TheLoops,
"AddinUtil.exe" is commonly used for managing Office add-ins. Ensure that there are no unwanted or unexpected add-ins causing the launches.
Hi Hossein, Sorry for the delay in responding. I've been comparing Office Add-ins on laptops that have launched the addinutil.exe and laptops without, and they all seem to have the same add-ins. Which has just made me think of the versions of office installed... as i've just remembered some people talking about having the new version of Teams installed.... Otherwise I'm at a loss. But i'll update the blog WHEN we get to the bottom of it If you have any other idea's, I'm all ears!