Wintrust DLL when building from source
Hello, I've built GenP from source and was able to obtain the dependencies (UPX, AutoIt) from official sources for security reasons. The wintrust DLL is a dependency I could not obtain myself.
The file needs to be unmodified and original. I've googled the hashes (wintrust.dll - 1b3bf770d4f59ca883391321a21923ae) and could not find mentions of this version. My Windows 11 installation comes with its own version (in System32) but the file size is quite different and it's obviously a much newer version.
Thanks!
This is expected behaviour.
wintrust.dll is a core Windows system component and is not distributed as a standalone dependency. Its file size, hash, and internal version are build-specific and vary with the Windows release, cumulative updates, servicing stack, architecture, and signing catalog.
As a result, there is no single original or canonical hash for wintrust.dll. The hash you referenced corresponds to a specific historical Windows build and cannot be independently sourced outside the original Microsoft installation media or update package it shipped with.
Seeing a newer and different wintrust.dll on a current Windows 11 system is normal and does not imply modification. What matters in this context is that the DLL originates from a legitimate Windows build rather than matching a specific historical hash; differences in version, size, or hash are expected and do not by themselves indicate a problem.
In practice, substituting a different wintrust.dll from a legitimate Windows build is supported and generally works, although the provided DLL is the one tested and known to behave consistently.
For a more detailed breakdown, see Versioning and Authenticity under WinTrust in the Troubleshoot Section.
As an additional data point, I’ve also verified this by patching a current Windows 11 wintrust.dll (v10.0.26100.7705 - 531KB) using the same script that was originally tested against the provided wintrust.dll (v10.0.19041.630 - 374KB).
In this case, the patch applied cleanly, the expected byte changes were made, and behaviour was consistent.
This confirms that using a wintrust.dll from a legitimate Windows installation generally works in practice even when versions differ, while the provided DLL remains the known and tested baseline.