Note that a lot of information on this page may be inaccurate or out of date; I haven't tested it with Service Pack 2, for instance. Proceed at your own risk!

WinSCard APDU View Utility

This DLL allows you to intercept all APDUs sent and received from the WinNT5 PC/SC smartcard subsystem. It should work on all editions of Win2k or WinXP, with any level (including zero) of service pack. It may or may not work on Win95/98/Me systems (with Microsoft's PC/SC subsystem installed). If you try it, please let me know your results!

(Previous instructions that replaced the system32 or dllchache became inaccurate due to Windows File Protection with one of the Win2K service packs. These new instructions should work without affecting Windows File Protection.)

Let %dir% be the directory where the executable module for the process to be hooked is located, and let %exe% be the name of the executable module itself. For instance, if you wanted to hook Microsoft Internet Explorer, for most people we would have the following:

The full path to the executable would then be %dir%\%exe%, which in this case would evaluate to "C:\Program Files\Internet Explorer\iexplore.exe".

You will require the winscard.dll file from my ZIP distribution. I will call this file %zip%\winscard.dll. Do not confuse this file with the winscard.dll file that may be found in your %system32% directory ("C:\Windows\system32" or "C:\WinNT\system32")!

To install the hook, from a command prompt execute the following instructions:

  1. cd "%dir%"
  2. copy "%windir%\system32\winscard.dll" "%dir%"
  3. rename "%dir%\winscard.dll" "%dir%\original.dll"
  4. start "%dir%\%exe%"

The file "%dir%\winscard.txt" will be created containing the APDU dump. (You can take a look at winscard.txt sample output.) Don't forget to terminate your application when finished.

To remove the hook, from a command prompt execute the following instructions:

  1. del /q "%dir%\original.dll"
  2. del /q "%dir%\winscard.dll"

Important Note

This set of installation and use instructions assume that when an executable loads winscard.dll, it will search first in the application's current directory, then it will search the same directory that the executable file is in, and then it will search in the Windows system directory. A very small (but nonzero) number of applications directly attempt to load "%windir%\system32\winscard.dll" rather than rely on implicit library linking. These few executables will bypass my hook DLL no matter where you place it. If you never see a winscard.txt file, this could be your problem. (Note, however, that the winscard.txt gets written to the applications "current directory", which may change after starting the program. Your best bet is to search the entire disk for winscard.txt before assuming that things aren't working).

For Hackers Only

If you are sure that the application is specifiacally loading "%windir%\system32\winscard.dll", all is not lost, but you will need to do some more work, and you do need to know what you are doing. Amateurs beware: don't even think about doing this! What you need to do is replace the system winscard.dll, bypassing Windows File Protection. To do this:

  1. boot to a command prompt (otherwise known as a "recovery console"),
  2. rename "%windir%\system32\winscard.dll" to "%windir%\system32\original.dll",
  3. delete "%windir%\system32\dllcache\winscard.dll", and
  4. install "%zip%\winscard.dll" to "%windir%\system32\winscard.dll".

You can now reboot and create APDU dumps as required. You may have to hunt all over the disk to find the winscard.txt file. Note that if Windows decides to do a File Protection check, it may hang at some point in the execution. As of Win2k-sp3, I can't find a reliable way to bypass File Protection. If you know of a tested method, href=""please let me know!

I'm working on V2 right now... with it, you'll be able to hook any executable, no matter what... File Protection... absolute load paths... none of them will stop V2! At least... it works in theory... (grin)!

To remove the hook, you need to:

  1. reboot again to a command prompt,
  2. delete "%windir%\system32\dllcache\winscard.dll",
  3. delete "%windir%\system32\dllcache\original.dll", then
  4. rename "%windir%\system32\original.dll" to "%windir%\system32\winscard.dll", and
  5. copy "%windir%\system32\winscard.dll" to "%windir%\system32\dllcache\winscard.dll".

Upon rebooting, your system should be whole and should be able to pass a Windows File Protection check.

Note that DLL search rules are sort-of broken on Win95/98/Me, and it may be better to replace the system winscard.dll in a similar manner as above, rather than rely on DLL seach path rules under these operating systems.


Download the source and binaries here. A copy of these instructions is included in the ZIP file.

This work may be used and distributed under the terms of the GNU Public License.

Note that the ZIP file makes reference to the two files original.dll and original.h. These two files are actually renamed from Microsoft's winscard.dll and winscard.h from the Windows binary distribution and the Microsoft Platform SDK. The Microsoft EULA states that I can't redistribute them, so I don't.

Version 1.3, 18 September 2001. Instructions revised on 11 October 2002.