diff --git a/Recipe b/Recipe
index ebc9908f..67435c68 100644
--- a/Recipe
+++ b/Recipe
@@ -224,7 +224,7 @@ SSH = ssh sshcrc sshdes sshmd5 sshrsa sshrand sshsha sshblowf
         + sshdh sshcrcda sshpubk sshzlib sshdss x11fwd portfwd
         + sshaes sshccp sshsh256 sshsh512 sshbn wildcard pinger ssharcf
         + sshgssc pgssapi sshshare sshecc
-WINSSH = SSH winnoise winsecur winpgntc wingss winshare winnps winnpc
+WINSSH = SSH winnoise wincapi winpgntc wingss winshare winnps winnpc
         + winhsock errsock
 UXSSH = SSH uxnoise uxagentc uxgss uxshare
 
@@ -235,7 +235,7 @@ SFTP = sftp int64 logging
 # Pageant or PuTTYgen).
 MISC = timing callback misc version settings tree234 proxy conf
 WINMISC = MISC winstore winnet winhandl cmdline windefs winmisc winproxy
-        + wintime winhsock errsock
+        + wintime winhsock errsock winsecur
 UXMISC = MISC uxstore uxsel uxnet uxpeer cmdline uxmisc uxproxy time
 OSXMISC = MISC uxstore uxsel osxsel uxnet uxpeer uxmisc uxproxy time
 
diff --git a/windows/wincapi.c b/windows/wincapi.c
new file mode 100644
index 00000000..2550b6de
--- /dev/null
+++ b/windows/wincapi.c
@@ -0,0 +1,27 @@
+/*
+ * wincapi.c: implementation of wincapi.h.
+ */
+
+#include "putty.h"
+
+#if !defined NO_SECURITY
+
+#define WINCAPI_GLOBAL
+#include "wincapi.h"
+
+int got_crypt(void)
+{
+    static int attempted = FALSE;
+    static int successful;
+    static HMODULE crypt;
+
+    if (!attempted) {
+        attempted = TRUE;
+        crypt = load_system32_dll("crypt32.dll");
+        successful = crypt &&
+            GET_WINDOWS_FUNCTION(crypt, CryptProtectMemory);
+    }
+    return successful;
+}
+
+#endif /* !defined NO_SECURITY */
diff --git a/windows/wincapi.h b/windows/wincapi.h
new file mode 100644
index 00000000..06ee2d36
--- /dev/null
+++ b/windows/wincapi.h
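Review bot: `static int successful;` in got_crypt relies on implicit zero initialisation while `attempted` on the line above is initialised explicitly; for consistency write `static int successful = FALSE;`. The function also caches the outcome of the first attempt for the lifetime of the process, so a failed load of crypt32.dll is never retried, and nothing in the file says so; a comment above the definition such as `/* Lazily load crypt32.dll and resolve CryptProtectMemory on the first call; the result (success or failure) is cached for the process lifetime and never retried. Returns nonzero if CryptProtectMemory can be used. */` would make that contract explicit for callers. Going through load_system32_dll rather than a plain LoadLibrary is the right choice here; presumably it pins the lookup to the system directory, which is what a crypto DLL load should do.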
@@ -0,0 +1,18 @@
+/*
+ * wincapi.h: Windows Crypto API functions defined in wincrypt.c
+ * that use the crypt32 library. Also centralises the machinery
+ * for dynamically loading that library.
+ */
+
+#if !defined NO_SECURITY
+
+#ifndef WINCAPI_GLOBAL
+#define WINCAPI_GLOBAL extern
+#endif
+
+DECL_WINDOWS_FUNCTION(WINCAPI_GLOBAL, BOOL, CryptProtectMemory,
+                      (LPVOID,DWORD,DWORD));
+
+int got_crypt(void);
+
+#endif
diff --git a/windows/window.c b/windows/window.c
index 23f98a47..db426347 100644
--- a/windows/window.c
+++ b/windows/window.c
@@ -19,6 +19,7 @@
 #include "terminal.h"
 #include "storage.h"
 #include "win_res.h"
+#include "winsecur.h"
 
 #ifndef NO_MULTIMON
 #include
@@ -390,6 +391,20 @@ int WINAPI WinMain(HINSTANCE inst, HINSTANCE prev, LPSTR cmdline, int show)
         return 1;
     }
+    /*
+     * Protect our process
+     */
+    {
+        char *error = NULL;
+
+        if (! setprocessacl(error)) {
+            /* FIXME: prepare to stuff this into event log somehow */
+            MessageBox(NULL, "Process protection",
+                       error, MB_OK | MB_ICONEXCLAMATION);
+        }
+        sfree(error);
+
+    }
     /*
      * Process the command line.
      */
diff --git a/windows/winsecur.c b/windows/winsecur.c
index 6e4bd7d4..9cdac26c 100644
--- a/windows/winsecur.c
+++ b/windows/winsecur.c
@@ -36,21 +36,6 @@ int got_advapi(void)
     return successful;
 }
 
-int got_crypt(void)
-{
-    static int attempted = FALSE;
-    static int successful;
-    static HMODULE crypt;
-
-    if (!attempted) {
-        attempted = TRUE;
-        crypt = load_system32_dll("crypt32.dll");
-        successful = crypt &&
-            GET_WINDOWS_FUNCTION(crypt, CryptProtectMemory);
-    }
-    return successful;
-}
-
 PSID get_user_sid(void)
 {
     HANDLE proc = NULL, tok = NULL;
@@ -237,7 +222,7 @@ int make_private_security_descriptor(DWORD permissions,
     return ret;
 }
 
-int protectprocess(char *error)
+int setprocessacl(char *error)
 {
     SID_IDENTIFIER_AUTHORITY world_auth = SECURITY_WORLD_SID_AUTHORITY;
     SID_IDENTIFIER_AUTHORITY nt_auth = SECURITY_NT_AUTHORITY;
diff --git a/windows/winsecur.h b/windows/winsecur.h
index bd649827..03e8314d 100644
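Review bot: The header comment of the new wincapi.h says its functions are `defined in wincrypt.c`, but the implementation this commit adds is windows/wincapi.c; change the line to ` * wincapi.h: Windows Crypto API functions defined in wincapi.c`. The file also has no include guard of its own, only the `#if !defined NO_SECURITY` wrapper; if the other windows headers in this tree rely on single inclusion that may be the local convention, but a guard is cheap and avoids surprises when WINCAPI_GLOBAL is defined. A one-line comment above `int got_crypt(void);` saying that it must return nonzero before the CryptProtectMemory pointer declared above it may be called would also help readers of the header, since the declaration alone gives no hint that the function pointer may be unresolved.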
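Review bot: `setprocessacl(error)` in the new block passes `error` by value, so the callee can never hand a message back: `error` stays NULL, the text passed to MessageBox two lines later is always NULL, and `sfree(error)` frees nothing. The prototype added in the winsecur.h hunk (`int setprocessacl(char *error);`) and the renamed definition in the winsecur.c hunk should take `char **error`, matching `make_private_security_descriptor(..., char **error)` declared just above it in the same header, and this call should read `if (!setprocessacl(&error)) {`. If the callee instead tries to write into the buffer it is given, it writes through NULL, so either way the failure reason is lost. It is also worth deciding whether a failed ACL restriction should be fatal like the `return 1` just before this block, because as written the process continues with the default ACL after the dialog is dismissed, which the FIXME on the next line seems to acknowledge. WinMain continues outside the hunk.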
--- a/windows/winsecur.h
+++ b/windows/winsecur.h
@@ -32,13 +32,6 @@ DECL_WINDOWS_FUNCTION(WINSECUR_GLOBAL, DWORD, SetEntriesInAclA,
                       (ULONG, PEXPLICIT_ACCESS, PACL, PACL *));
 int got_advapi(void);
 
-/*
- * Functions loaded from crypt32.dll.
- */
-DECL_WINDOWS_FUNCTION(WINSECUR_GLOBAL, BOOL, CryptProtectMemory,
-                      (LPVOID, DWORD, DWORD));
-int got_crypt(void);
-
 /*
  * Find the SID describing the current user. The return value (if not
  * NULL for some error-related reason) is smalloced.
@@ -60,4 +53,6 @@ int make_private_security_descriptor(DWORD permissions,
                                      PACL *acl,
                                      char **error);
 
+int setprocessacl(char *error);
+
 #endif
diff --git a/windows/winshare.c b/windows/winshare.c
index 2f21638e..5f1c7244 100644
--- a/windows/winshare.c
+++ b/windows/winshare.c
@@ -14,7 +14,7 @@
 #include "proxy.h"
 #include "ssh.h"
 
-#include "winsecur.h"
+#include "wincapi.h"
 
 #ifdef COVERITY
 /*
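Review bot: `int setprocessacl(char *error);` is added to winsecur.h without a comment, while the neighbouring declarations in this header carry one (`get_user_sid` in the hunk above documents its return value and who frees it). Add a comment above it stating what the function does and how the error message is owned, e.g. `/* Set the ACL of the current process. Returns nonzero on success; on failure an error message is reported through error, which the caller owns and must sfree(). */`, with the wording adjusted to whatever the final type of `error` is — judging by the caller in window.c, which initialises a `char *` to NULL and sfree()s it afterwards, an allocated message is what is intended. The make_private_security_descriptor declaration that this hunk's context belongs to starts outside the hunk.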