diff --git a/lib/hx509/hx_locl.h b/lib/hx509/hx_locl.h
index 2d1c036d5..3e3ab23c6 100644
--- a/lib/hx509/hx_locl.h
+++ b/lib/hx509/hx_locl.h
@@ -39,16 +39,19 @@
 #include <stdlib.h>
 #include <ctype.h>
 #include <errno.h>
+#ifdef HAVE_STRINGS_H
 #include <strings.h>
+#endif
 #include <assert.h>
 #include <stdarg.h>
 #include <err.h>
 #include <limits.h>
 
+#include <roken.h>
+
 #include <getarg.h>
 #include <base64.h>
 #include <hex.h>
-#include <roken.h>
 #include <com_err.h>
 #include <parse_units.h>
 #include <parse_bytes.h>
diff --git a/lib/hx509/libhx509-exports.def b/lib/hx509/libhx509-exports.def
new file mode 100644
index 000000000..6f32e492c
--- /dev/null
+++ b/lib/hx509/libhx509-exports.def
@@ -0,0 +1,233 @@
+EXPORTS
+	_hx509_cert_assign_key
+	_hx509_cert_private_key
+	_hx509_certs_keys_free
+	_hx509_certs_keys_get
+	_hx509_expr_eval
+	_hx509_expr_free
+	_hx509_expr_parse
+	_hx509_generate_private_key
+	_hx509_generate_private_key_bits
+	_hx509_generate_private_key_free
+	_hx509_generate_private_key_init
+	_hx509_generate_private_key_is_ca
+	_hx509_map_file_os
+	_hx509_name_from_Name
+	_hx509_private_key2SPKI
+	_hx509_private_key_free
+	_hx509_private_key_ref
+	_hx509_request_add_dns_name
+	_hx509_request_add_email
+	_hx509_request_free
+	_hx509_request_get_SubjectPublicKeyInfo
+	_hx509_request_get_name
+	_hx509_request_init
+	_hx509_request_parse
+	_hx509_request_print
+	_hx509_request_set_SubjectPublicKeyInfo
+;	_hx509_request_set_email
+	_hx509_request_set_name
+	_hx509_request_to_pkcs10
+	_hx509_request_to_pkcs10
+	_hx509_unmap_file_os
+	_hx509_write_file
+	hx509_bitstring_print
+	hx509_ca_sign
+	hx509_ca_sign_self
+	hx509_ca_tbs_add_crl_dp_uri
+	hx509_ca_tbs_add_eku
+	hx509_ca_tbs_add_san_hostname
+	hx509_ca_tbs_add_san_jid
+	hx509_ca_tbs_add_san_ms_upn
+	hx509_ca_tbs_add_san_otherName
+	hx509_ca_tbs_add_san_pkinit
+	hx509_ca_tbs_add_san_rfc822name
+	hx509_ca_tbs_free
+	hx509_ca_tbs_init
+	hx509_ca_tbs_set_ca
+	hx509_ca_tbs_set_domaincontroller
+	hx509_ca_tbs_set_notAfter
+	hx509_ca_tbs_set_notAfter_lifetime
+	hx509_ca_tbs_set_notBefore
+	hx509_ca_tbs_set_proxy
+	hx509_ca_tbs_set_serialnumber
+	hx509_ca_tbs_set_spki
+	hx509_ca_tbs_set_subject
+	hx509_ca_tbs_set_template
+	hx509_ca_tbs_subject_expand
+	hx509_ca_tbs_template_units
+;	hx509_cert
+;	hx509_cert_attribute
+	hx509_cert_binary
+	hx509_cert_check_eku
+	hx509_cert_cmp
+	hx509_cert_find_subjectAltName_otherName
+	hx509_cert_free
+	hx509_cert_get_SPKI
+	hx509_cert_get_SPKI_AlgorithmIdentifier
+	hx509_cert_get_attribute
+	hx509_cert_get_base_subject
+	hx509_cert_get_friendly_name
+	hx509_cert_get_issuer
+	hx509_cert_get_notAfter
+	hx509_cert_get_notBefore
+	hx509_cert_get_serialnumber
+	hx509_cert_get_subject
+	hx509_cert_init
+	hx509_cert_init_data
+	hx509_cert_keyusage_print
+	hx509_cert_ref
+	hx509_cert_set_friendly_name
+	hx509_certs_add
+	hx509_certs_append
+	hx509_certs_end_seq
+	hx509_certs_filter
+	hx509_certs_find
+	hx509_certs_free
+	hx509_certs_info
+	hx509_certs_init
+	hx509_certs_iter
+	hx509_certs_merge
+	hx509_certs_next_cert
+	hx509_certs_start_seq
+	hx509_certs_store
+	hx509_ci_print_names
+	hx509_clear_error_string
+	hx509_cms_create_signed
+	hx509_cms_create_signed_1
+	hx509_cms_decrypt_encrypted
+	hx509_cms_envelope_1
+	hx509_cms_unenvelope
+	hx509_cms_unwrap_ContentInfo
+	hx509_cms_verify_signed
+	hx509_cms_wrap_ContentInfo
+	hx509_context_free
+	hx509_context_init
+	hx509_context_set_missing_revoke
+	hx509_crl_add_revoked_certs
+	hx509_crl_alloc
+	hx509_crl_free
+	hx509_crl_lifetime
+	hx509_crl_sign
+	hx509_crypto_aes128_cbc
+	hx509_crypto_aes256_cbc
+	hx509_crypto_allow_weak
+	hx509_crypto_available
+	hx509_crypto_decrypt
+	hx509_crypto_des_rsdi_ede3_cbc
+	hx509_crypto_destroy
+	hx509_crypto_encrypt
+	hx509_crypto_enctype_by_name
+	hx509_crypto_free_algs
+	hx509_crypto_get_params
+	hx509_crypto_init
+	hx509_crypto_provider
+	hx509_crypto_select
+	hx509_crypto_set_key_data
+	hx509_crypto_set_key_name
+	hx509_crypto_set_params
+	hx509_crypto_set_random_key
+	hx509_env_add
+	hx509_env_add_binding
+	hx509_env_find
+	hx509_env_find_binding
+	hx509_env_free
+;	hx509_env_init
+	hx509_env_lfind
+	hx509_err
+	hx509_free_error_string
+	hx509_free_octet_string_list
+	hx509_general_name_unparse
+	hx509_get_error_string
+	hx509_get_one_cert
+	hx509_lock_add_cert
+	hx509_lock_add_certs
+	hx509_lock_add_password
+	hx509_lock_command_string
+	hx509_lock_free
+	hx509_lock_init
+	hx509_lock_prompt
+	hx509_lock_reset_certs
+	hx509_lock_reset_passwords
+	hx509_lock_reset_promper
+	hx509_lock_set_prompter
+	hx509_name_binary
+	hx509_name_cmp
+	hx509_name_copy
+	hx509_name_expand
+	hx509_name_free
+	hx509_name_is_null_p
+	hx509_name_normalize
+	hx509_name_to_Name
+	hx509_name_to_string
+	hx509_ocsp_request
+	hx509_ocsp_verify
+	hx509_oid_print
+	hx509_oid_sprint
+	hx509_parse_name
+	hx509_peer_info_add_cms_alg
+	hx509_peer_info_alloc
+	hx509_peer_info_free
+	hx509_peer_info_set_cert
+	hx509_peer_info_set_cms_algs
+	hx509_pem_add_header
+	hx509_pem_find_header
+	hx509_pem_free_header
+	hx509_pem_read
+	hx509_pem_write
+	hx509_print_stdout
+	hx509_prompt_hidden
+	hx509_query_alloc
+	hx509_query_free
+	hx509_query_match_cmp_func
+	hx509_query_match_eku
+	hx509_query_match_expr
+	hx509_query_match_friendly_name
+	hx509_query_match_issuer_serial
+	hx509_query_match_option
+	hx509_query_statistic_file
+	hx509_query_unparse_stats
+	hx509_revoke_add_crl
+	hx509_revoke_add_ocsp
+	hx509_revoke_free
+	hx509_revoke_init
+	hx509_revoke_ocsp_print
+	hx509_revoke_verify
+	hx509_set_error_string
+	hx509_set_error_stringv
+	hx509_signature_md2
+	hx509_signature_md5
+	hx509_signature_rsa
+	hx509_signature_rsa_with_md2
+	hx509_signature_rsa_with_md5
+	hx509_signature_rsa_with_sha1
+	hx509_signature_rsa_with_sha256
+	hx509_signature_rsa_with_sha384
+	hx509_signature_rsa_with_sha512
+	hx509_signature_sha1
+	hx509_signature_sha256
+	hx509_signature_sha384
+	hx509_signature_sha512
+	hx509_unparse_der_name
+	hx509_validate_cert
+	hx509_validate_ctx_add_flags
+	hx509_validate_ctx_free
+	hx509_validate_ctx_init
+	hx509_validate_ctx_set_print
+	hx509_verify_attach_anchors
+	hx509_verify_attach_revoke
+	hx509_verify_ctx_f_allow_default_trustanchors
+	hx509_verify_destroy_ctx
+	hx509_verify_hostname
+	hx509_verify_init_ctx
+	hx509_verify_path
+	hx509_verify_set_max_depth
+	hx509_verify_set_proxy_certificate
+	hx509_verify_set_strict_rfc3280_verification
+	hx509_verify_set_time
+	hx509_verify_signature
+	hx509_xfree
+	initialize_hx_error_table_r
+
+; pkcs11 symbols
+	C_GetFunctionList
diff --git a/lib/hx509/softp11.c b/lib/hx509/softp11.c
index 813209e85..98ab500d9 100644
--- a/lib/hx509/softp11.c
+++ b/lib/hx509/softp11.c
@@ -31,6 +31,8 @@
  * SUCH DAMAGE.
  */
 
+#define CRYPTOKI_EXPORTS 1
+
 #include "hx_locl.h"
 #include "pkcs11.h"
 
@@ -38,6 +40,14 @@
 #define HANDLE_OBJECT_ID(h)	((h) & OBJECT_ID_MASK)
 #define OBJECT_ID(obj)		HANDLE_OBJECT_ID((obj)->object_handle)
 
+#ifndef HAVE_RANDOM
+#define random() rand()
+#define srandom(s) srand(s)
+#endif
+
+#ifdef _WIN32
+#include <shlobj.h>
+#endif
 
 struct st_attr {
     CK_ATTRIBUTE attribute;
@@ -687,6 +697,11 @@ read_conf_file(const char *fn, CK_USER_TYPE userType, const char *pin)
     CK_RV ret = CKR_OK;
     CK_RV failed = CKR_OK;
 
+    if (fn == NULL) {
+        st_logf("Can't open configuration file.  No file specified\n");
+        return CKR_GENERAL_ERROR;
+    }
+
     f = fopen(fn, "r");
     if (f == NULL) {
 	st_logf("can't open configuration file %s\n", fn);
@@ -792,7 +807,52 @@ func_not_supported(void)
     return CKR_FUNCTION_NOT_SUPPORTED;
 }
 
-CK_RV
+static char *
+get_config_file_for_user(void)
+{
+    char *fn = NULL, *home = NULL;
+
+#ifndef _WIN32
+    if (!issuid()) {
+        fn = getenv("SOFTPKCS11RC");
+        if (fn)
+            fn = strdup(fn);
+        home = getenv("HOME");
+    }
+    if (fn == NULL && home == NULL) {
+        struct passwd *pw = getpwuid(getuid());
+        if(pw != NULL)
+            home = pw->pw_dir;
+    }
+    if (fn == NULL) {
+        if (home)
+            asprintf(&fn, "%s/.soft-token.rc", home);
+        else
+            fn = strdup("/etc/soft-token.rc");
+    }
+#else  /* Windows */
+
+    char appdatafolder[MAX_PATH];
+
+    fn = getenv("SOFTPKCS11RC");
+
+    /* Retrieve the roaming AppData folder for the current user.  The
+       current user is the user account represented by the current
+       thread token. */
+
+    if (fn == NULL &&
+        SUCCEEDED(SHGetFolderPath(NULL, CSIDL_APPDATA, NULL, SHGFP_TYPE_CURRENT, appdatafolder))) {
+
+        asprintf(&fn, "%s\\.soft-token.rc", appdatafolder);
+    }
+
+#endif  /* _WIN32 */
+
+    return fn;
+}
+
+
+CK_RV CK_SPEC
 C_Initialize(CK_VOID_PTR a)
 {
     CK_C_INITIALIZE_ARGS_PTR args = a;
@@ -805,7 +865,7 @@ C_Initialize(CK_VOID_PTR a)
 
     OpenSSL_add_all_algorithms();
 
-    srandom(getpid() ^ time(NULL));
+    srandom(getpid() ^ (int) time(NULL));
 
     for (i = 0; i < MAX_NUM_SESSION; i++) {
 	soft_token.state[i].session_handle = CK_INVALID_HANDLE;
@@ -838,29 +898,7 @@ C_Initialize(CK_VOID_PTR a)
 	st_logf("\tFlags\t%04x\n", (unsigned int)args->flags);
     }
 
-    {
-	char *fn = NULL, *home = NULL;
-
-	if (getuid() == geteuid()) {
-	    fn = getenv("SOFTPKCS11RC");
-	    if (fn)
-		fn = strdup(fn);
-	    home = getenv("HOME");
-	}
-	if (fn == NULL && home == NULL) {
-	    struct passwd *pw = getpwuid(getuid());	
-	    if(pw != NULL)
-		home = pw->pw_dir;
-	}
-	if (fn == NULL) {
-	    if (home)
-		asprintf(&fn, "%s/.soft-token.rc", home);
-	    else
-		fn = strdup("/etc/soft-token.rc");
-	}
-
-	soft_token.config_file = fn;
-    }
+    soft_token.config_file = get_config_file_for_user();
 
     /*
      * This operations doesn't return CKR_OK if any of the
@@ -1456,7 +1494,7 @@ C_Sign(CK_SESSION_HANDLE hSession,
     struct session_state *state;
     struct st_object *o;
     CK_RV ret;
-    uint hret;
+    int hret;
     const AlgorithmIdentifier *alg;
     heim_octet_string sig, data;