魔盾安全分析报告

分析类型 开始时间 结束时间 持续时间 分析引擎版本
FILE 2022-07-04 18:54:35 2022-07-04 18:56:44 129 秒 1.4-Maldun
虚拟机机器名 标签 虚拟机管理 开机时间 关机时间
win7-sp1-x64-shaapp02-1 win7-sp1-x64-shaapp02-1 KVM 2022-07-04 18:54:37 2022-07-04 18:56:45
魔盾分数

10.0

恶意的

文件详细信息

文件名 LYShark1.exe
文件大小 3178496 字节
文件类型 PE32 executable (GUI) Intel 80386, for MS Windows
CRC32 3BCA5FC5
MD5 4a0b38f0c902d33234c1f7dc9644edd1
SHA1 db9ee5de4ecc3023cc10a7bd6dad89b51c75420f
SHA256 c2c3ab2825fc2a5ca59176bb08db8f6691bfbbafa45749b8f5888c5958156308
SHA512 e9c9bd62d75e4826d3d2c71ac7d648088285d6e0367e75c8a06292bd3ba9eb1e4cc2d8c374e441aab4c27b176e25f0da0182bb9a4d8f84f90c880a26cf4d615c
Ssdeep 49152:WhFPrDteSsgB3oDc1ZmCqfMjoUfFWxKynem5m378qZe01uN8F:sFzDteSsgB3oa4nOoU9gKd34qw01uCF
PEiD 无匹配
Yara
  • DebuggerHiding__Thread ()
  • DebuggerTiming__Ticks (Detected timing ticks function)
  • disable_dep (Bypass DEP)
  • network_tcp_socket (Detected network communications over RAW socket)
  • network_dns (Detected network communications use DNS)
  • screenshot (Detected take screenshot function)
  • create_process (Detection function for creating a new process)
  • keylogger (Detected keylogger function)
  • win_registry (Detected system registries modification function)
  • change_win_registry (Change registries to affect system)
  • win_files_operation (Affect private profile)
  • win_hook (Detected hook table access function)
  • win_private_profile (Detected private profile access function)
  • Maldun_Anomoly_Combined_Activities_5 (Spotted potential mallicious behaviors like logging and network communication)
  • Maldun_Anomoly_Combined_Activities_7 (Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files)
  • IsPE32 (Detected a 32bit PE sample)
  • IsWindowsGUI (Detected a Windows GUI sample)
  • IsPacked (Detected Entropy signature)
  • HasRichSignature (Detected Rich Signature)
  • CRC32_poly_Constant (Look for CRC32 [poly])
  • CRC32_table (Look for CRC32 table)
  • BLOWFISH_Constants (Look for Blowfish constants)
  • MD5_Constants (Look for MD5 constants)
  • RIPEMD160_Constants (Look for RIPEMD-160 constants)
  • SHA1_Constants (Look for SHA1 constants)
  • DES_sbox (Look for DES [sbox])
  • RijnDael_AES (Look for RijnDael AES)
  • with_images (Detected the presence of an or several images)
  • with_urls (Detected the presence of an or several urls)
VirusTotal VirusTotal查询失败

特征

通过进程尝试延迟分析任务
Process: LYShark1.exe tried to sleep 103 seconds, actually delayed analysis time by 0 seconds
创建RWX内存
至少有一个进程在执行过程中崩溃
二进制文件可能包含加密或压缩数据
section: name: .rdata, entropy: 7.55, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x001ff000, virtual_size: 0x001febb0
多次尝试建立挂起的进程
强制将一个创建的进程加载为另一个不相关进程的子进程
装载一个驱动器
driver service name: \Registry\Machine\System\CurrentControlSet\Services\rBF7DUg
创建一个隐藏文件或系统文件
file: C:\SharkDriver.dll
可疑的样本异常终止
魔盾安全Yara规则检测结果 - 高危
Warning: Bypass DEP
Critical: Spotted potential mallicious behaviors like logging and network communication
Critical: Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files

运行截图

网络分析

访问主机记录

直接访问 IP地址 国家名
45.248.9.242 unknown
45.248.9.53 unknown

域名解析

域名 响应
w4.eydata.net CNAME 56e0e1c564d55fc2.waf-jiasu.yhui-cloud.com
A 45.248.9.242
CNAME f39da93f36fa424d.waf-jiasu.yhui-cloud.com
w.eydata.net CNAME e56128a093377e88.waf-jiasu.yhui-cloud.com
A 45.248.9.53
CNAME cc7f3fa9bc6c480e.waf-jiasu.yhui-cloud.com

TCP连接

IP地址 端口
184.28.98.99 80
45.248.9.242 443
45.248.9.53 443

UDP连接

IP地址 端口
192.168.122.1 53
192.168.122.1 53
192.168.122.1 53

HTTP请求

URL HTTP数据
http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip 
GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

静态分析

PE 信息

初始地址 0x00400000
入口地址 0x004a263a
声明校验值 0x00000000
实际校验值 0x00312bc5
最低操作系统版本要求 4.0
编译时间 2022-07-04 18:33:19
载入哈希 9d656f467d0fba73e6d99b4b0d38884d

版本信息

LegalCopyright: \u4f5c\u8005\u7248\u6743\u6240\u6709 \u8bf7\u5c0a\u91cd\u5e76\u4f7f\u7528\u6b63\u7248
FileVersion: 1.0.0.0
Comments: \u672c\u7a0b\u5e8f\u4f7f\u7528\u6613\u8bed\u8a00\u7f16\u5199(http://www.eyuyan.com)
ProductName: \u6613\u8bed\u8a00\u7a0b\u5e8f
ProductVersion: 1.0.0.0
FileDescription: \u6613\u8bed\u8a00\u7a0b\u5e8f
Translation: 0x0804 0x04b0

PE数据组成

名称 虚拟地址 虚拟大小 原始数据大小 特征 熵(Entropy)
.text 0x00001000 0x000c7377 0x000c8000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.53
.rdata 0x000c9000 0x001febb0 0x001ff000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 7.55
.data 0x002c8000 0x0006c34a 0x0001c000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 5.42
.rsrc 0x00335000 0x00023fc4 0x00024000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.47

导入

库 MSVFW32.dll:
0x4c941c - DrawDibDraw
库 AVIFIL32.dll:
0x4c9018 - AVIStreamInfoA
0x4c901c - AVIStreamGetFrame
库 WINMM.dll:
0x4c973c - midiStreamOut
0x4c9740 - midiOutPrepareHeader
0x4c9744 - midiStreamProperty
0x4c9748 - midiStreamOpen
0x4c974c - waveOutOpen
0x4c9750 - waveOutGetNumDevs
0x4c9754 - waveOutClose
0x4c9758 - waveOutReset
0x4c975c - waveOutPause
0x4c9760 - waveOutWrite
0x4c9764 - waveOutPrepareHeader
0x4c9768 - waveOutUnprepareHeader
0x4c976c - PlaySoundA
0x4c9770 - midiOutUnprepareHeader
0x4c9774 - midiStreamRestart
0x4c9778 - midiStreamClose
0x4c977c - midiOutReset
0x4c9780 - midiStreamStop
库 WS2_32.dll:
0x4c9798 - closesocket
0x4c979c - WSACleanup
0x4c97a0 - WSAAsyncSelect
0x4c97a4 - inet_ntoa
0x4c97a8 - accept
0x4c97ac - getpeername
0x4c97b0 - recv
0x4c97b4 - ioctlsocket
0x4c97b8 - recvfrom
库 KERNEL32.dll:
0x4c91f8 - lstrcpynA
0x4c91fc - FileTimeToLocalFileTime
0x4c9200 - FlushFileBuffers
0x4c9204 - LockFile
0x4c9208 - UnlockFile
0x4c920c - SetEndOfFile
0x4c9210 - GetThreadLocale
0x4c9214 - lstrcmpiA
0x4c9218 - GlobalDeleteAtom
0x4c921c - GlobalFindAtomA
0x4c9220 - GlobalAddAtomA
0x4c9224 - GlobalGetAtomNameA
0x4c9228 - lstrcmpA
0x4c922c - LocalAlloc
0x4c9230 - TlsAlloc
0x4c9234 - GlobalHandle
0x4c9238 - TlsFree
0x4c923c - TlsSetValue
0x4c9240 - LocalReAlloc
0x4c9244 - TlsGetValue
0x4c9248 - GetFileTime
0x4c924c - GetCurrentThread
0x4c9250 - GlobalFlags
0x4c9254 - SetErrorMode
0x4c9258 - GetProcessVersion
0x4c925c - GetCPInfo
0x4c9260 - GetOEMCP
0x4c9264 - GetStartupInfoA
0x4c9268 - RtlUnwind
0x4c926c - GetSystemTime
0x4c9270 - GetLocalTime
0x4c9274 - RaiseException
0x4c9278 - HeapSize
0x4c927c - GetACP
0x4c9280 - UnhandledExceptionFilter
0x4c9284 - FreeEnvironmentStringsA
0x4c9288 - FreeEnvironmentStringsW
0x4c928c - GetEnvironmentStrings
0x4c9290 - GetEnvironmentStringsW
0x4c9294 - SetHandleCount
0x4c9298 - GetStdHandle
0x4c929c - GetFileType
0x4c92a0 - GetEnvironmentVariableA
0x4c92a4 - HeapDestroy
0x4c92a8 - HeapCreate
0x4c92ac - VirtualFree
0x4c92b0 - SetEnvironmentVariableA
0x4c92b4 - LCMapStringA
0x4c92b8 - LCMapStringW
0x4c92bc - VirtualAlloc
0x4c92c0 - IsBadWritePtr
0x4c92c4 - SetUnhandledExceptionFilter
0x4c92c8 - GetStringTypeA
0x4c92cc - GetStringTypeW
0x4c92d0 - CompareStringA
0x4c92d4 - CompareStringW
0x4c92d8 - IsBadReadPtr
0x4c92dc - IsBadCodePtr
0x4c92e0 - SetStdHandle
0x4c92e4 - FileTimeToSystemTime
0x4c92e8 - FormatMessageA
0x4c92ec - LocalFree
0x4c92f0 - InterlockedDecrement
0x4c92f4 - InterlockedIncrement
0x4c92f8 - GetVersion
0x4c92fc - GetTimeZoneInformation
0x4c9300 - SetLastError
0x4c9304 - TerminateProcess
0x4c9308 - GetCurrentProcess
0x4c930c - GetFileSize
0x4c9310 - SetFilePointer
0x4c9314 - GetTempFileNameA
0x4c9318 - CreateSemaphoreA
0x4c931c - ResumeThread
0x4c9320 - ReleaseSemaphore
0x4c9324 - EnterCriticalSection
0x4c9328 - LeaveCriticalSection
0x4c932c - GetProfileStringA
0x4c9330 - WriteFile
0x4c9334 - WaitForMultipleObjects
0x4c9338 - CreateFileA
0x4c933c - SetEvent
0x4c9340 - FindResourceA
0x4c9344 - LoadResource
0x4c9348 - LockResource
0x4c934c - ReadFile
0x4c9350 - GetModuleFileNameA
0x4c9354 - WideCharToMultiByte
0x4c9358 - MultiByteToWideChar
0x4c935c - GetCurrentThreadId
0x4c9360 - ExitProcess
0x4c9364 - GlobalSize
0x4c9368 - GlobalFree
0x4c936c - DeleteCriticalSection
0x4c9370 - InitializeCriticalSection
0x4c9374 - lstrcatA
0x4c9378 - lstrlenA
0x4c937c - WinExec
0x4c9380 - lstrcpyA
0x4c9384 - FindNextFileA
0x4c9388 - GlobalReAlloc
0x4c938c - HeapFree
0x4c9390 - HeapReAlloc
0x4c9394 - GetProcessHeap
0x4c9398 - HeapAlloc
0x4c939c - GetFullPathNameA
0x4c93a0 - FreeLibrary
0x4c93a4 - LoadLibraryA
0x4c93a8 - GetLastError
0x4c93ac - GetVersionExA
0x4c93b0 - WritePrivateProfileStringA
0x4c93b4 - CreateThread
0x4c93b8 - CreateEventA
0x4c93bc - Sleep
0x4c93c0 - GlobalAlloc
0x4c93c4 - GlobalLock
0x4c93c8 - GlobalUnlock
0x4c93cc - GetTempPathA
0x4c93d0 - FindFirstFileA
0x4c93d4 - FindClose
0x4c93d8 - SetFileAttributesA
0x4c93dc - GetFileAttributesA
0x4c93e0 - DeleteFileA
0x4c93e4 - SetCurrentDirectoryA
0x4c93e8 - GetVolumeInformationA
0x4c93ec - GetModuleHandleA
0x4c93f0 - GetProcAddress
0x4c93f4 - MulDiv
0x4c93f8 - GetCommandLineA
0x4c93fc - GetTickCount
0x4c9400 - WaitForSingleObject
0x4c9404 - CloseHandle
0x4c9408 - InterlockedExchange
0x4c940c - DuplicateHandle
库 USER32.dll:
0x4c9490 - GetSysColorBrush
0x4c9494 - GetNextDlgGroupItem
0x4c9498 - PostThreadMessageA
0x4c949c - SetWindowContextHelpId
0x4c94a0 - CharNextA
0x4c94a4 - GetMenuCheckMarkDimensions
0x4c94a8 - SetMenuItemBitmaps
0x4c94ac - CheckMenuItem
0x4c94b0 - IsDialogMessageA
0x4c94b4 - ScrollWindowEx
0x4c94b8 - SendDlgItemMessageA
0x4c94bc - MapWindowPoints
0x4c94c0 - AdjustWindowRectEx
0x4c94c4 - GetScrollPos
0x4c94c8 - RegisterClassA
0x4c94cc - GetClassLongA
0x4c94d0 - RemovePropA
0x4c94d4 - GetMessageTime
0x4c94d8 - GetLastActivePopup
0x4c94dc - GetForegroundWindow
0x4c94e0 - RegisterWindowMessageA
0x4c94e4 - GetWindowPlacement
0x4c94e8 - EndDialog
0x4c94ec - CreateDialogIndirectParamA
0x4c94f0 - DestroyWindow
0x4c94f4 - EndPaint
0x4c94f8 - BeginPaint
0x4c94fc - CharUpperA
0x4c9500 - GetWindowTextLengthA
0x4c9504 - UnregisterHotKey
0x4c9508 - RegisterHotKey
0x4c950c - CreateWindowExA
0x4c9510 - GetDlgItem
0x4c9514 - GetClassNameA
0x4c9518 - GetDesktopWindow
0x4c951c - GetWindowTextA
0x4c9520 - SetWindowTextA
0x4c9524 - GetMenuItemCount
0x4c9528 - GetMenuItemID
0x4c952c - GetMenuStringA
0x4c9530 - GetMenuState
0x4c9534 - GetTabbedTextExtentA
0x4c9538 - GrayStringA
0x4c953c - TabbedTextOutA
0x4c9540 - WindowFromDC
0x4c9544 - EnumChildWindows
0x4c9548 - GetWindowDC
0x4c954c - UnhookWindowsHookEx
0x4c9550 - CallNextHookEx
0x4c9554 - SetWindowsHookExA
0x4c9558 - GetPropA
0x4c955c - MoveWindow
0x4c9560 - CallWindowProcA
0x4c9564 - SetPropA
0x4c9568 - DrawTextA
0x4c956c - GetCursor
0x4c9570 - DrawStateA
0x4c9574 - FrameRect
0x4c9578 - GetNextDlgTabItem
0x4c957c - LoadIconA
0x4c9580 - TranslateMessage
0x4c9584 - DrawFrameControl
0x4c9588 - DrawEdge
0x4c958c - DrawFocusRect
0x4c9590 - WindowFromPoint
0x4c9594 - GetMessageA
0x4c9598 - DispatchMessageA
0x4c959c - RegisterClipboardFormatA
0x4c95a0 - CreateIconFromResourceEx
0x4c95a4 - CreateIconFromResource
0x4c95a8 - DrawIconEx
0x4c95ac - CreatePopupMenu
0x4c95b0 - AppendMenuA
0x4c95b4 - ModifyMenuA
0x4c95b8 - CreateMenu
0x4c95bc - CreateAcceleratorTableA
0x4c95c0 - GetDlgCtrlID
0x4c95c4 - GetSubMenu
0x4c95c8 - EnableMenuItem
0x4c95cc - ClientToScreen
0x4c95d0 - EnumDisplaySettingsA
0x4c95d4 - LoadImageA
0x4c95d8 - SystemParametersInfoA
0x4c95dc - ShowWindow
0x4c95e0 - IsWindowEnabled
0x4c95e4 - TranslateAcceleratorA
0x4c95e8 - GetKeyState
0x4c95ec - CopyAcceleratorTableA
0x4c95f0 - PostQuitMessage
0x4c95f4 - IsZoomed
0x4c95f8 - GetClassInfoA
0x4c95fc - DefWindowProcA
0x4c9600 - GetSystemMenu
0x4c9604 - DeleteMenu
0x4c9608 - GetMenu
0x4c960c - SetMenu
0x4c9610 - PeekMessageA
0x4c9614 - IsIconic
0x4c9618 - SetFocus
0x4c961c - GetActiveWindow
0x4c9620 - GetWindow
0x4c9624 - DestroyAcceleratorTable
0x4c9628 - SetWindowRgn
0x4c962c - GetMessagePos
0x4c9630 - ScreenToClient
0x4c9634 - CopyRect
0x4c9638 - LoadBitmapA
0x4c963c - WinHelpA
0x4c9640 - KillTimer
0x4c9644 - SetTimer
0x4c9648 - ReleaseCapture
0x4c964c - GetCapture
0x4c9650 - SetCapture
0x4c9654 - GetScrollRange
0x4c9658 - SetScrollRange
0x4c965c - SetScrollPos
0x4c9660 - SetRect
0x4c9664 - InflateRect
0x4c9668 - IntersectRect
0x4c966c - DestroyIcon
0x4c9670 - PtInRect
0x4c9674 - OffsetRect
0x4c9678 - IsWindowVisible
0x4c967c - EnableWindow
0x4c9680 - RedrawWindow
0x4c9684 - GetWindowLongA
0x4c9688 - SetWindowLongA
0x4c968c - GetSysColor
0x4c9690 - SetActiveWindow
0x4c9694 - SetCursorPos
0x4c9698 - LoadCursorA
0x4c969c - SetCursor
0x4c96a0 - GetDC
0x4c96a4 - FillRect
0x4c96a8 - IsRectEmpty
0x4c96ac - ReleaseDC
0x4c96b0 - IsChild
0x4c96b4 - TrackPopupMenu
0x4c96b8 - DestroyMenu
0x4c96bc - SetForegroundWindow
0x4c96c0 - GetWindowRect
0x4c96c4 - EqualRect
0x4c96c8 - UpdateWindow
0x4c96cc - ValidateRect
0x4c96d0 - InvalidateRect
0x4c96d4 - GetClientRect
0x4c96d8 - GetFocus
0x4c96dc - GetParent
0x4c96e0 - GetTopWindow
0x4c96e4 - PostMessageA
0x4c96e8 - IsWindow
0x4c96ec - SetParent
0x4c96f0 - DestroyCursor
0x4c96f4 - SendMessageA
0x4c96f8 - SetWindowPos
0x4c96fc - MessageBeep
0x4c9700 - MessageBoxA
0x4c9704 - GetCursorPos
0x4c9708 - GetSystemMetrics
0x4c970c - EmptyClipboard
0x4c9710 - SetClipboardData
0x4c9714 - OpenClipboard
0x4c9718 - GetClipboardData
0x4c971c - CloseClipboard
0x4c9720 - wsprintfA
0x4c9724 - LoadStringA
0x4c9728 - SetRectEmpty
0x4c972c - MapDialogRect
0x4c9730 - ChildWindowFromPointEx
0x4c9734 - UnregisterClassA
库 GDI32.dll:
0x4c907c - CreateRectRgn
0x4c9080 - CombineRgn
0x4c9084 - PatBlt
0x4c9088 - CreatePen
0x4c908c - GetObjectA
0x4c9090 - SelectObject
0x4c9094 - CreatePatternBrush
0x4c9098 - CreateBitmap
0x4c909c - CreateBrushIndirect
0x4c90a0 - CreateDCA
0x4c90a4 - CreateCompatibleBitmap
0x4c90a8 - GetPolyFillMode
0x4c90ac - GetStretchBltMode
0x4c90b0 - CreateFontA
0x4c90b4 - SetWindowOrgEx
0x4c90b8 - SaveDC
0x4c90bc - RestoreDC
0x4c90c0 - CreatePenIndirect
0x4c90c4 - PtVisible
0x4c90c8 - RectVisible
0x4c90cc - ExtTextOutA
0x4c90d0 - Escape
0x4c90d4 - SetPolyFillMode
0x4c90d8 - SetROP2
0x4c90dc - SetMapMode
0x4c90e0 - SetViewportOrgEx
0x4c90e4 - OffsetViewportOrgEx
0x4c90e8 - SetViewportExtEx
0x4c90ec - ScaleViewportExtEx
0x4c90f0 - SetWindowExtEx
0x4c90f4 - ScaleWindowExtEx
0x4c90f8 - GetClipBox
0x4c90fc - ExcludeClipRect
0x4c9100 - FillRgn
0x4c9104 - LineTo
0x4c9108 - CreateSolidBrush
0x4c910c - ExtSelectClipRgn
0x4c9110 - GetViewportExtEx
0x4c9114 - GetTextMetricsA
0x4c9118 - GetMapMode
0x4c911c - SetBkColor
0x4c9120 - CreateRectRgnIndirect
0x4c9124 - CreateDIBSection
0x4c9128 - SetPixel
0x4c912c - ExtCreateRegion
0x4c9130 - SetStretchBltMode
0x4c9134 - GetClipRgn
0x4c9138 - CreatePolygonRgn
0x4c913c - SelectClipRgn
0x4c9140 - DeleteObject
0x4c9144 - CreateDIBitmap
0x4c9148 - GetSystemPaletteEntries
0x4c914c - CreatePalette
0x4c9150 - StretchBlt
0x4c9154 - SelectPalette
0x4c9158 - RealizePalette
0x4c915c - GetDIBits
0x4c9160 - GetWindowExtEx
0x4c9164 - GetViewportOrgEx
0x4c9168 - GetWindowOrgEx
0x4c916c - BeginPath
0x4c9170 - EndPath
0x4c9174 - PathToRegion
0x4c9178 - CreateEllipticRgn
0x4c917c - CreateRoundRectRgn
0x4c9180 - GetTextColor
0x4c9184 - SetDIBitsToDevice
0x4c9188 - GetPixel
0x4c918c - CreateCompatibleDC
0x4c9190 - SetPixelV
0x4c9194 - Ellipse
0x4c9198 - Rectangle
0x4c919c - LPtoDP
0x4c91a0 - DPtoLP
0x4c91a4 - GetCurrentObject
0x4c91a8 - RoundRect
0x4c91ac - SetTextColor
0x4c91b0 - SetBkMode
0x4c91b4 - GetStockObject
0x4c91b8 - CreateFontIndirectA
0x4c91bc - EndPage
0x4c91c0 - EndDoc
0x4c91c4 - DeleteDC
0x4c91c8 - StartDocA
0x4c91cc - StartPage
0x4c91d0 - BitBlt
0x4c91d4 - GetTextExtentPoint32A
0x4c91d8 - MoveToEx
0x4c91dc - TranslateCharsetInfo
0x4c91e0 - GetDeviceCaps
0x4c91e4 - GetBkMode
0x4c91e8 - GetBkColor
0x4c91ec - GetROP2
0x4c91f0 - TextOutA
库 MSIMG32.dll:
0x4c9414 - GradientFill
库 WINSPOOL.DRV:
0x4c9788 - DocumentPropertiesA
0x4c978c - OpenPrinterA
0x4c9790 - ClosePrinter
库 comdlg32.dll:
0x4c97c0 - GetFileTitleA
0x4c97c4 - GetSaveFileNameA
0x4c97c8 - GetOpenFileNameA
0x4c97cc - ChooseColorA
库 ADVAPI32.dll:
0x4c9000 - RegCreateKeyExA
0x4c9004 - RegQueryValueA
0x4c9008 - RegSetValueExA
0x4c900c - RegOpenKeyExA
0x4c9010 - RegCloseKey
库 SHELL32.dll:
0x4c9478 - Shell_NotifyIconA
0x4c947c - ShellExecuteA
0x4c9480 - DragAcceptFiles
0x4c9484 - DragFinish
0x4c9488 - DragQueryFileA
库 ole32.dll:
0x4c97d4 - CoRegisterMessageFilter
0x4c97d8 - CoFreeUnusedLibraries
0x4c97dc - CreateILockBytesOnHGlobal
0x4c97e0 - StgCreateDocfileOnILockBytes
0x4c97e4 - StgOpenStorageOnILockBytes
0x4c97e8 - CoGetClassObject
0x4c97ec - OleFlushClipboard
0x4c97f0 - CoTaskMemFree
0x4c97f4 - CoRevokeClassObject
0x4c97f8 - CoTaskMemAlloc
0x4c97fc - CLSIDFromProgID
0x4c9800 - OleInitialize
0x4c9804 - OleUninitialize
0x4c9808 - CLSIDFromString
0x4c980c - OleIsCurrentClipboard
库 OLEAUT32.dll:
0x4c9424 - SafeArrayAccessData
0x4c9428 - SafeArrayUnaccessData
0x4c942c - SafeArrayGetDim
0x4c9430 - SafeArrayGetLBound
0x4c9434 - SafeArrayGetUBound
0x4c9438 - VariantChangeType
0x4c943c - VariantClear
0x4c9440 - VariantCopy
0x4c9444 - SysAllocString
0x4c9448 - SafeArrayCreate
0x4c944c - LoadTypeLib
0x4c9450 - SysFreeString
0x4c9454 - SafeArrayGetElemsize
0x4c9458 - SysAllocStringByteLen
0x4c945c - SysAllocStringLen
0x4c9460 - SysStringLen
0x4c9464 - VariantTimeToSystemTime
0x4c9468 - UnRegisterTypeLib
0x4c946c - OleCreateFontIndirect
0x4c9470 - RegisterTypeLib
库 COMCTL32.dll:
0x4c9024 - ImageList_EndDrag
0x4c9028 - ImageList_DragShowNolock
0x4c902c - ImageList_DragMove
0x4c9030 - ImageList_DragLeave
0x4c9034 - ImageList_DragEnter
0x4c9038 - ImageList_Destroy
0x4c903c - ImageList_Create
0x4c9040 - ImageList_BeginDrag
0x4c9044 - ImageList_Add
0x4c9048 - ImageList_Draw
0x4c904c - ImageList_AddMasked
0x4c9050 - _TrackMouseEvent
0x4c9054 - ImageList_SetBkColor
0x4c9058 - ImageList_GetImageCount
0x4c905c - ImageList_GetImageInfo
0x4c9060 - ImageList_GetIcon
0x4c9064 - ImageList_Duplicate
0x4c9068 - ImageList_DrawIndirect
0x4c906c - ImageList_Write
0x4c9070 - ImageList_Read
0x4c9074 - None
库 oledlg.dll:
0x4c9814 - None

投放文件

无信息

行为分析

互斥量(Mutexes)
  • Local\MSCTF.Asm.MutexDefault1
  • Local\WERReportingForProcess2040
  • Global\d8ad2561-9d3b-11ec-a15c-525400ebf89f
执行的命令
  • C:\Windows\System32\svchost.exe -k WerSvcGroup
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  • C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  • C:\Windows\system32\sppsvc.exe
  • C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 1000
创建的服务
  • rBF7DUg
启动的服务
  • rBF7DUg
  • WerSvc

进程

LYShark1.exe PID: 2484, 上一级进程 PID: 2240

services.exe PID: 424, 上一级进程 PID: 328

svchost.exe PID: 2988, 上一级进程 PID: 424

WerFault.exe PID: 688, 上一级进程 PID: 2988

taskhost.exe PID: 1596, 上一级进程 PID: 424

mscorsvw.exe PID: 624, 上一级进程 PID: 424

mscorsvw.exe PID: 1860, 上一级进程 PID: 424

访问的文件
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\SharkDriver.dll
  • C:\
  • C:\Users\test\AppData\Local\Temp\iphlpapi.dll
  • C:\Windows\System32\IPHLPAPI.DLL
  • C:\Users\test\AppData\Local\Temp\WINNSI.DLL
  • C:\Windows\System32\winnsi.dll
  • C:\Users\test\AppData\Local\Temp\ntdll.dll
  • C:\ntdll.dll
  • \??\PhysicalDrive0
  • C:\Users\test\AppData\Local\Temp\wininet.dll
  • C:\wininet.dll
  • C:\Users\test\AppData\Local\Temp\Kernel32.dll
  • C:\Kernel32.dll
  • C:\Users\test\AppData\Local\Temp\kernel32.dll
  • C:\kernel32.dll
  • \??\TGame64
  • C:\Users\test\AppData\Local\Temp\advapi32.dll
  • C:\advapi32.dll
  • C:\Users\test\AppData\Local\Temp\rBF7DUg.sys
  • C:\Users\test\AppData\Local\Temp\shlwapi.dll
  • C:\shlwapi.dll
  • C:\Windows\Fonts\staticcache.dat
  • C:\Windows\sysnative\tzres.dll
  • C:\Users\test\AppData\Local\Temp\user32.dll
  • C:\Windows\sysnative\LogFiles\Scm\c016366b-7126-46ca-b36b-592a3d95a60b
  • C:\Windows\sysnative\LogFiles\Scm\2f57269b-1e09-4e2d-ab1e-b0fdac7d279c
  • C:\Windows\Temp
  • C:\Windows\sysnative\LogFiles\Scm\da41de71-8431-42fb-9db0-eb64a961dead
  • C:\Users\test\AppData\Local\Temp
  • C:\Windows\sysnative\Tasks\Microsoft\Windows\WDI\ResolutionHost
  • C:\Windows\sysnative\LogFiles\Scm\9435f817-fed2-454e-88cd-7f78fda62c48
  • C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp
  • C:\Windows\ServiceProfiles
  • C:\Windows\ServiceProfiles\LocalService
  • C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp
  • C:\Windows\ServiceProfiles\NetworkService
  • C:\ProgramData\Microsoft\Windows\WER\ReportQueue
  • C:\Windows\SysWOW64\winxp\triage.ini
  • C:\Windows\SysWOW64\WINXP
  • C:\Windows\SysWOW64\winext
  • C:\Windows\SysWOW64\winext\arcade
  • C:\Windows\SysWOW64\pri
  • C:\Windows\SysWOW64
  • C:\Windows\SysWOW64\
  • C:\ProgramData\Oracle\Java\javapath
  • C:\ProgramData\Oracle\Java\javapath\
  • C:\Windows\System32
  • C:\Windows\System32\
  • C:\Windows
  • C:\Windows\
  • C:\Windows\System32\wbem
  • C:\Windows\System32\wbem\
  • C:\Windows\System32\WindowsPowerShell\v1.0
  • C:\Windows\System32\WindowsPowerShell\v1.0\
  • C:\Program Files (x86)\WinRAR
  • C:\Program Files (x86)\WinRAR\
  • C:\Windows\SysWOW64\WINXP\dbghelp.dll
  • C:\Windows\SysWOW64\winext\dbghelp.dll
  • C:\Windows\SysWOW64\winext\arcade\dbghelp.dll
  • C:\Windows\SysWOW64\pri\dbghelp.dll
  • C:\Windows\SysWOW64\dbghelp.dll
  • C:\Windows\SysWOW64\WINXP\ext.dll
  • C:\Windows\SysWOW64\winext\ext.dll
  • C:\Windows\SysWOW64\winext\arcade\ext.dll
  • C:\Windows\SysWOW64\pri\ext.dll
  • C:\Windows\SysWOW64\ext.dll
  • C:\ProgramData\Oracle\Java\javapath\ext.dll
  • C:\Windows\System32\ext.dll
  • C:\Windows\ext.dll
  • C:\Windows\System32\wbem\ext.dll
  • C:\Windows\System32\WindowsPowerShell\v1.0\ext.dll
  • C:\Program Files (x86)\WinRAR\ext.dll
  • C:\Windows\SysWOW64\zh-CN\KERNELBASE.dll.mui
  • C:\Windows\SysWOW64\WINXP\exts.dll
  • C:\Windows\SysWOW64\winext\exts.dll
  • C:\Windows\SysWOW64\winext\arcade\exts.dll
  • C:\Windows\SysWOW64\pri\exts.dll
  • C:\Windows\SysWOW64\exts.dll
  • C:\ProgramData\Oracle\Java\javapath\exts.dll
  • C:\Windows\System32\exts.dll
  • C:\Windows\exts.dll
  • C:\Windows\System32\wbem\exts.dll
  • C:\Windows\System32\WindowsPowerShell\v1.0\exts.dll
  • C:\Program Files (x86)\WinRAR\exts.dll
  • C:\Windows\SysWOW64\WINXP\uext.dll
  • C:\Windows\SysWOW64\winext\uext.dll
  • C:\Windows\SysWOW64\winext\arcade\uext.dll
  • C:\Windows\SysWOW64\pri\uext.dll
  • C:\Windows\SysWOW64\uext.dll
  • C:\ProgramData\Oracle\Java\javapath\uext.dll
  • C:\Windows\System32\uext.dll
  • C:\Windows\uext.dll
  • C:\Windows\System32\wbem\uext.dll
  • C:\Windows\System32\WindowsPowerShell\v1.0\uext.dll
  • C:\Program Files (x86)\WinRAR\uext.dll
  • C:\Windows\SysWOW64\WINXP\ntsdexts.dll
  • C:\Windows\SysWOW64\winext\ntsdexts.dll
  • C:\Windows\SysWOW64\winext\arcade\ntsdexts.dll
  • C:\Windows\SysWOW64\pri\ntsdexts.dll
  • C:\Windows\SysWOW64\ntsdexts.dll
  • C:\ProgramData\Oracle\Java\javapath\ntsdexts.dll
  • C:\Windows\System32\ntsdexts.dll
  • C:\Windows\ntsdexts.dll
  • C:\Windows\System32\wbem\ntsdexts.dll
  • C:\Windows\System32\WindowsPowerShell\v1.0\ntsdexts.dll
  • C:\Program Files (x86)\WinRAR\ntsdexts.dll
  • C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AcroRd32.exe
  • C:\Program Files (x86)
  • C:\Program Files (x86)\Adobe\Reader 11.0
  • C:\Windows\SysWOW64\zh-CN\werui.dll.mui
  • \Device\KsecDD
  • C:\Windows\SysWOW64\werui.dll
  • C:\Windows\SysWOW64\zh-CN\DUser.dll.mui
  • C:\Windows\SysWOW64\WerFault.exe.Local\
  • C:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_zh-cn_b7a33d2d3f47b7fb
  • C:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_zh-cn_b7a33d2d3f47b7fb\COMCTL32.dll.mui
  • C:\Windows\win.ini
  • C:\Windows\System32\zh-CN\erofflps.txt
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\ndpsetup.bat
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat
  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ndpsetup.bat
  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat
  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat
读取的文件
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\SharkDriver.dll
  • C:\Windows\System32\IPHLPAPI.DLL
  • C:\Windows\System32\winnsi.dll
  • \??\PhysicalDrive0
  • \??\TGame64
  • C:\Windows\Fonts\staticcache.dat
  • C:\Windows\sysnative\tzres.dll
  • C:\Windows\sysnative\LogFiles\Scm\c016366b-7126-46ca-b36b-592a3d95a60b
  • C:\Windows\sysnative\LogFiles\Scm\2f57269b-1e09-4e2d-ab1e-b0fdac7d279c
  • C:\Windows\sysnative\LogFiles\Scm\da41de71-8431-42fb-9db0-eb64a961dead
  • C:\Windows\SysWOW64\winxp\triage.ini
  • C:\Windows\SysWOW64\zh-CN\KERNELBASE.dll.mui
  • C:\Windows\SysWOW64\zh-CN\werui.dll.mui
  • \Device\KsecDD
  • C:\Windows\SysWOW64\werui.dll
  • C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AcroRd32.exe
  • C:\Windows\SysWOW64\zh-CN\DUser.dll.mui
  • C:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_zh-cn_b7a33d2d3f47b7fb\COMCTL32.dll.mui
  • C:\Windows\win.ini
  • C:\Windows\System32\zh-CN\erofflps.txt
修改的文件
  • C:\SharkDriver.dll
  • \??\PhysicalDrive0
  • \??\TGame64
  • C:\Users\test\AppData\Local\Temp\rBF7DUg.sys
  • C:\Windows\sysnative\LogFiles\Scm\c016366b-7126-46ca-b36b-592a3d95a60b
  • C:\Windows\sysnative\LogFiles\Scm\da41de71-8431-42fb-9db0-eb64a961dead
  • C:\Windows\sysnative\LogFiles\Scm\9435f817-fed2-454e-88cd-7f78fda62c48
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat
  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat
  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat
删除的文件
  • C:\Users\test\AppData\Local\Temp\rBF7DUg.sys
注册表键
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\\xe5\xae\x8b\xe4\xbd\x93
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\UseFilter
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\SharkDriver.dll
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\LYShark1.exe
  • HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
  • HKEY_CURRENT_USER
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
  • HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
  • HKEY_CURRENT_USER\Software\Microsoft\CTF\LayoutIcon\0804\00000804
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\\xe5\xbe\xae\xe8\xbd\xaf\xe9\x9b\x85\xe9\xbb\x91
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\rBF7DUg
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\rBF7DUg\ObjectName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Type
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Start
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\ErrorControl
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Tag
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\DependOnService
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\DependOnGroup
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Group
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\ObjectName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
  • HKEY_USERS\S-1-5-18
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
  • HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
  • HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
  • HKEY_USERS\.DEFAULT\Environment
  • HKEY_USERS\.DEFAULT\Volatile Environment
  • HKEY_USERS\.DEFAULT\Volatile Environment\0
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Environment
  • HKEY_USERS\S-1-5-21-2280033686-3172497658-3481507381-1000
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2280033686-3172497658-3481507381-1000
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2280033686-3172497658-3481507381-1000\ProfileImagePath
  • HKEY_USERS\S-1-5-21-2280033686-3172497658-3481507381-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
  • HKEY_USERS\S-1-5-21-2280033686-3172497658-3481507381-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
  • HKEY_USERS\S-1-5-21-2280033686-3172497658-3481507381-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
  • HKEY_USERS\S-1-5-21-2280033686-3172497658-3481507381-1000\Environment
  • HKEY_USERS\S-1-5-21-2280033686-3172497658-3481507381-1000\Volatile Environment
  • HKEY_USERS\S-1-5-21-2280033686-3172497658-3481507381-1000\Volatile Environment\0
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ObjectName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ObjectName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs\ObjectName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\ObjectName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\ObjectName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Type
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Start
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\ErrorControl
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Tag
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\DependOnService
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\DependOnGroup
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Group
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\ObjectName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\Environment
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\ObjectName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\Environment
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\ObjectName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppIDSvc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppIDSvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppIDSvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Appinfo
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Appinfo\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Appinfo\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppMgmt
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppMgmt\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppMgmt\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AxInstSV
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AxInstSV\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AxInstSV\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BDESVC
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BDESVC\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BDESVC\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\bthserv
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\bthserv\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\bthserv\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\dot3svc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\dot3svc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\dot3svc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EapHost
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EapHost\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EapHost\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EFS
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EFS\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EFS\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\fdPHost
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\fdPHost\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\fdPHost\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\hidserv
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\hidserv\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\hidserv\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\hkmsvc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\hkmsvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\hkmsvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\HomeGroupListener
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\HomeGroupListener\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\HomeGroupListener\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\HomeGroupProvider
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\HomeGroupProvider\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\HomeGroupProvider\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\idsvc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\idsvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\idsvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\IPBusEnum
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\IPBusEnum\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\IPBusEnum\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\KeyIso
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\KeyIso\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\KeyIso\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\KtmRm
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\KtmRm\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\KtmRm\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\lltdsvc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\lltdsvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\lltdsvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Mcx2Svc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Mcx2Svc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Mcx2Svc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MpsSvc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MpsSvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MpsSvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MSiSCSI
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MSiSCSI\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MSiSCSI\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Netlogon
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Netlogon\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Netlogon\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetMsmqActivator
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetMsmqActivator\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetMsmqActivator\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetPipeActivator
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetPipeActivator\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetPipeActivator\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetTcpActivator
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetTcpActivator\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetTcpActivator\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetTcpPortSharing
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetTcpPortSharing\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetTcpPortSharing\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\p2pimsvc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\p2pimsvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\p2pimsvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\p2psvc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\p2psvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\p2psvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PeerDistSvc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PeerDistSvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PeerDistSvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\pla
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\pla\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\pla\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PNRPAutoReg
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PNRPAutoReg\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PNRPAutoReg\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PNRPsvc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PNRPsvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PNRPsvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ProtectedStorage
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ProtectedStorage\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ProtectedStorage\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\QWAVE
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\QWAVE\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\QWAVE\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RasAuto
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RasAuto\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RasAuto\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RasMan
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RasMan\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RasMan\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RemoteAccess
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RemoteAccess\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RemoteAccess\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RemoteRegistry
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RemoteRegistry\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RemoteRegistry\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SCardSvr
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SCardSvr\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SCardSvr\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SCPolicySvc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SCPolicySvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SCPolicySvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\seclogon
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\seclogon\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\seclogon\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SensrSvc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SensrSvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SensrSvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppuinotify
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppuinotify\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppuinotify\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SSDPSRV
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SSDPSRV\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SSDPSRV\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SstpSvc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SstpSvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SstpSvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SysMain
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SysMain\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SysMain\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TabletInputService
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TabletInputService\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TabletInputService\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TapiSrv
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TapiSrv\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TapiSrv\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TBS
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TBS\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TBS\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\THREADORDER
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\THREADORDER\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\THREADORDER\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\upnphost
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\upnphost\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\upnphost\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\W32Time
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\W32Time\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\W32Time\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WbioSrvc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WbioSrvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WbioSrvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wcncsvc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wcncsvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wcncsvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WcsPlugInService
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WcsPlugInService\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WcsPlugInService\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WebClient
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WebClient\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WebClient\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Wecsvc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Wecsvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Wecsvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wercplsupport
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wercplsupport\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wercplsupport\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinDefend
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinDefend\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinDefend\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinHttpAutoProxySvc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinHttpAutoProxySvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinHttpAutoProxySvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinRM
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinRM\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinRM\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Wlansvc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Wlansvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Wlansvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WPCSvc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WPCSvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WPCSvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WPDBusEnum
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WPDBusEnum\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WPDBusEnum\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wudfsvc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wudfsvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wudfsvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WwanSvc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WwanSvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WwanSvc\WOW64
  • HKEY_USERS\S-1-5-19
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppIDSvc\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Mcx2Svc\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\QWAVE\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SCardSvr\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SensrSvc\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SSDPSRV\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TBS\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\upnphost\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wcncsvc\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19\ProfileImagePath
  • HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
  • HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
  • HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
  • HKEY_USERS\S-1-5-19\Environment
  • HKEY_USERS\S-1-5-19\Volatile Environment
  • HKEY_USERS\S-1-5-19\Volatile Environment\0
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\Environment
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppsvc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppsvc\ObjectName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppsvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppsvc\WOW64
  • HKEY_USERS\S-1-5-20
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppsvc\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20\ProfileImagePath
  • HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
  • HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
  • HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
  • HKEY_USERS\S-1-5-20\Environment
  • HKEY_USERS\S-1-5-20\Volatile Environment
  • HKEY_USERS\S-1-5-20\Volatile Environment\0
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppsvc\Environment
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winmgmt
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winmgmt\ObjectName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\ObjectName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\Type
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\ErrorControl
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\Tag
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\DependOnService
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\DependOnGroup
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\Group
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\ObjectName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\Type
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\ErrorControl
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\Tag
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\DependOnService
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\DependOnGroup
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\Group
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\WerSvcGroup
  • HKEY_USERS\.DEFAULT\Control Panel\International
  • HKEY_USERS\.DEFAULT\Control Panel\International\LocaleName
  • HKEY_USERS\.DEFAULT\Control Panel\International\sCountry
  • HKEY_USERS\.DEFAULT\Control Panel\International\sList
  • HKEY_USERS\.DEFAULT\Control Panel\International\sDecimal
  • HKEY_USERS\.DEFAULT\Control Panel\International\sThousand
  • HKEY_USERS\.DEFAULT\Control Panel\International\sGrouping
  • HKEY_USERS\.DEFAULT\Control Panel\International\sNativeDigits
  • HKEY_USERS\.DEFAULT\Control Panel\International\sCurrency
  • HKEY_USERS\.DEFAULT\Control Panel\International\sMonDecimalSep
  • HKEY_USERS\.DEFAULT\Control Panel\International\sMonThousandSep
  • HKEY_USERS\.DEFAULT\Control Panel\International\sMonGrouping
  • HKEY_USERS\.DEFAULT\Control Panel\International\sPositiveSign
  • HKEY_USERS\.DEFAULT\Control Panel\International\sNegativeSign
  • HKEY_USERS\.DEFAULT\Control Panel\International\sTimeFormat
  • HKEY_USERS\.DEFAULT\Control Panel\International\sShortTime
  • HKEY_USERS\.DEFAULT\Control Panel\International\s1159
  • HKEY_USERS\.DEFAULT\Control Panel\International\s2359
  • HKEY_USERS\.DEFAULT\Control Panel\International\sShortDate
  • HKEY_USERS\.DEFAULT\Control Panel\International\sYearMonth
  • HKEY_USERS\.DEFAULT\Control Panel\International\sLongDate
  • HKEY_USERS\.DEFAULT\Control Panel\International\iCountry
  • HKEY_USERS\.DEFAULT\Control Panel\International\iMeasure
  • HKEY_USERS\.DEFAULT\Control Panel\International\iPaperSize
  • HKEY_USERS\.DEFAULT\Control Panel\International\iDigits
  • HKEY_USERS\.DEFAULT\Control Panel\International\iLZero
  • HKEY_USERS\.DEFAULT\Control Panel\International\iNegNumber
  • HKEY_USERS\.DEFAULT\Control Panel\International\NumShape
  • HKEY_USERS\.DEFAULT\Control Panel\International\iCurrDigits
  • HKEY_USERS\.DEFAULT\Control Panel\International\iCurrency
  • HKEY_USERS\.DEFAULT\Control Panel\International\iNegCurr
  • HKEY_USERS\.DEFAULT\Control Panel\International\iCalendarType
  • HKEY_USERS\.DEFAULT\Control Panel\International\iFirstDayOfWeek
  • HKEY_USERS\.DEFAULT\Control Panel\International\iFirstWeekOfYear
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wersvc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Parameters
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Parameters\ServiceDll
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Parameters\ServiceManifest
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Parameters\ServiceMain
  • HKEY_LOCAL_MACHINE
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\ServiceTimeout
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Parameters\ServiceDllUnloadOnStop
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\NoReflection
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Category
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Name
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\ParentFolder
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Description
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\RelativePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\ParsingName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\InfoTip
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\LocalizedName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Icon
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Security
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\StreamResource
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\StreamResourceType
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\LocalRedirectOnly
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Roamable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\PreCreate
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Stream
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\PublishExpandedPath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Attributes
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\FolderTypeID
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\InitFolderHandler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\PropertyBag
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Windows Error Reporting
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\TraceFlags
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\Debug
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\NoReflection
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\Plugins\AppRecorder
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\Plugins\FDR\CurrentSession
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\Debug\ExceptionRecord
  • HKEY_CURRENT_USER\Software\Microsoft\Windiff
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\CurrentType
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\MachineID
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\Consent
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\Consent\DefaultConsent
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\DontSendAdditionalData
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Disabled
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Consent
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Consent\DefaultConsent
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Consent\DefaultOverrideBehavior
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Consent\APPCRASH
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LoggingDisabled
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\DontShowUI
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\DisableArchive
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\ConfigureArchive
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\DisableQueue
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\MaxQueueCount
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\MaxArchiveCount
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\ForceQueue
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\QueuePesterInterval
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\ExcludedApplications
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\DebugApplications
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\SendEFSFiles
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\BypassDataThrottling
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\ForceUserModeCabCollection
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Windows Error Reporting
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\DontSendAdditionalData
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\Disabled
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\Consent\DefaultOverrideBehavior
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\Consent\APPCRASH
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\LoggingDisabled
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\DontShowUI
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\DisableArchive
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\ConfigureArchive
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\DisableQueue
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\MaxQueueCount
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\MaxArchiveCount
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\ForceQueue
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\QueuePesterInterval
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\ExcludedApplications
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\DebugApplications
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\SendEFSFiles
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\BypassDataThrottling
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\ForceUserModeCabCollection
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\CorporateWerServer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\CorporateWerUseSSL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\CorporateWerPortNumber
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\CorporateWerUseAuthentication
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Reliability Analysis\RAC
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Reliability Analysis\RAC\RacWerSampleTime
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
  • HKEY_LOCAL_MACHINE\Software\Microsoft\DirectUI
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInset
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragDelay
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragMinDist
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollDelay
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInterval
  • HKEY_CURRENT_USER\Software\Classes
  • HKEY_CURRENT_USER\Software\Classes\AppID\taskhost.exe
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\WDI\DiagnosticModules
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{15fba3b8-a37a-4f91-bdba-fbb98fe804bf}
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{15fba3b8-a37a-4f91-bdba-fbb98fe804bf}\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{15fba3b8-a37a-4f91-bdba-fbb98fe804bf}\NeverLowerPagePriority
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{15fba3b8-a37a-4f91-bdba-fbb98fe804bf}\NameResource
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{282396b2-6c46-4d66-b413-70b0445df33c}
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{282396b2-6c46-4d66-b413-70b0445df33c}\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{282396b2-6c46-4d66-b413-70b0445df33c}\NeverLowerPagePriority
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{282396b2-6c46-4d66-b413-70b0445df33c}\NameResource
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{284ddb2f-beea-4c9d-91e8-e3670ed91517}
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{284ddb2f-beea-4c9d-91e8-e3670ed91517}\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{284ddb2f-beea-4c9d-91e8-e3670ed91517}\NeverLowerPagePriority
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{284ddb2f-beea-4c9d-91e8-e3670ed91517}\NameResource
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{3EA6B3DF-393E-41C3-9885-29EC5A701926}
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{3EA6B3DF-393E-41C3-9885-29EC5A701926}\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{3EA6B3DF-393E-41C3-9885-29EC5A701926}\NeverLowerPagePriority
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{3EA6B3DF-393E-41C3-9885-29EC5A701926}\NameResource
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{45DE1EA9-10BC-4f96-9B21-4B6B83DBF476}
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{45DE1EA9-10BC-4f96-9B21-4B6B83DBF476}\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{45DE1EA9-10BC-4f96-9B21-4B6B83DBF476}\NeverLowerPagePriority
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{45DE1EA9-10BC-4f96-9B21-4B6B83DBF476}\NameResource
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{4d21da64-fd02-4b82-a0a5-783266e430ab}
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{4d21da64-fd02-4b82-a0a5-783266e430ab}\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{4d21da64-fd02-4b82-a0a5-783266e430ab}\NeverLowerPagePriority
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{4d21da64-fd02-4b82-a0a5-783266e430ab}\NameResource
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{50e3b0eb-5780-49de-9eb5-8d53a51fd146}
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{50e3b0eb-5780-49de-9eb5-8d53a51fd146}\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{50e3b0eb-5780-49de-9eb5-8d53a51fd146}\NeverLowerPagePriority
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{50e3b0eb-5780-49de-9eb5-8d53a51fd146}\NameResource
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{5C85A128-86F7-41a4-B655-BEE3F2ADEF46}
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{5C85A128-86F7-41a4-B655-BEE3F2ADEF46}\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{5C85A128-86F7-41a4-B655-BEE3F2ADEF46}\NeverLowerPagePriority
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{5C85A128-86F7-41a4-B655-BEE3F2ADEF46}\NameResource
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{5EE64AFB-398D-4edb-AF71-3B830219ABF7}
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{5EE64AFB-398D-4edb-AF71-3B830219ABF7}\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{5EE64AFB-398D-4edb-AF71-3B830219ABF7}\NeverLowerPagePriority
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{5EE64AFB-398D-4edb-AF71-3B830219ABF7}\NameResource
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{63e0d0f7-ac2f-493b-a7f2-2f3ccdb66fca}
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{63e0d0f7-ac2f-493b-a7f2-2f3ccdb66fca}\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{63e0d0f7-ac2f-493b-a7f2-2f3ccdb66fca}\NeverLowerPagePriority
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{63e0d0f7-ac2f-493b-a7f2-2f3ccdb66fca}\NameResource
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{67f1ec80-6c5b-43bb-860b-d47ae85242b1}
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{67f1ec80-6c5b-43bb-860b-d47ae85242b1}\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{67f1ec80-6c5b-43bb-860b-d47ae85242b1}\NeverLowerPagePriority
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{67f1ec80-6c5b-43bb-860b-d47ae85242b1}\NameResource
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{72dbb5ac-6a91-46e6-885b-d429828bea2e}
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{72dbb5ac-6a91-46e6-885b-d429828bea2e}\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{72dbb5ac-6a91-46e6-885b-d429828bea2e}\NeverLowerPagePriority
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{72dbb5ac-6a91-46e6-885b-d429828bea2e}\NameResource
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{7a54f16f-a73a-4258-ba46-a1e998a6aa74}
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{7a54f16f-a73a-4258-ba46-a1e998a6aa74}\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{7a54f16f-a73a-4258-ba46-a1e998a6aa74}\NeverLowerPagePriority
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{7a54f16f-a73a-4258-ba46-a1e998a6aa74}\NameResource
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{85e0acd9-809a-482b-b60b-bcad1f8d0cd7}
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{85e0acd9-809a-482b-b60b-bcad1f8d0cd7}\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{85e0acd9-809a-482b-b60b-bcad1f8d0cd7}\NeverLowerPagePriority
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{85e0acd9-809a-482b-b60b-bcad1f8d0cd7}\NameResource
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{88d4896f-f553-446a-9c75-9dec124ff8b7}
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{88d4896f-f553-446a-9c75-9dec124ff8b7}\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{88d4896f-f553-446a-9c75-9dec124ff8b7}\NeverLowerPagePriority
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{88d4896f-f553-446a-9c75-9dec124ff8b7}\NameResource
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{8CC29128-0B57-4a2b-A7B9-A74A70BA6FA1}
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{8CC29128-0B57-4a2b-A7B9-A74A70BA6FA1}\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{8CC29128-0B57-4a2b-A7B9-A74A70BA6FA1}\NeverLowerPagePriority
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{8CC29128-0B57-4a2b-A7B9-A74A70BA6FA1}\NameResource
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{8d39bd5b-81f8-4b94-a608-6a50bbff5d15}
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{8d39bd5b-81f8-4b94-a608-6a50bbff5d15}\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{8d39bd5b-81f8-4b94-a608-6a50bbff5d15}\NeverLowerPagePriority
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{8d39bd5b-81f8-4b94-a608-6a50bbff5d15}\NameResource
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{95c162b7-5b71-44f8-82e4-abfd3108f40f}
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{95c162b7-5b71-44f8-82e4-abfd3108f40f}\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{95c162b7-5b71-44f8-82e4-abfd3108f40f}\NeverLowerPagePriority
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{95c162b7-5b71-44f8-82e4-abfd3108f40f}\NameResource
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{9c5a40da-b965-4fc3-8781-88dd50a6299d}
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{9c5a40da-b965-4fc3-8781-88dd50a6299d}\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{9c5a40da-b965-4fc3-8781-88dd50a6299d}\NeverLowerPagePriority
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{9c5a40da-b965-4fc3-8781-88dd50a6299d}\NameResource
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{a0d86e0d-3f06-411b-9dd5-35bc5666ff3e}
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{a0d86e0d-3f06-411b-9dd5-35bc5666ff3e}\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{a0d86e0d-3f06-411b-9dd5-35bc5666ff3e}\NeverLowerPagePriority
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{a0d86e0d-3f06-411b-9dd5-35bc5666ff3e}\NameResource
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{a59f0643-a6ca-48e0-a7c4-4cdd258439e2}
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{a59f0643-a6ca-48e0-a7c4-4cdd258439e2}\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{a59f0643-a6ca-48e0-a7c4-4cdd258439e2}\NeverLowerPagePriority
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{a59f0643-a6ca-48e0-a7c4-4cdd258439e2}\NameResource
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{abd0ea66-a840-44a9-97b1-fb74fddaa8c8}
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{abd0ea66-a840-44a9-97b1-fb74fddaa8c8}\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{abd0ea66-a840-44a9-97b1-fb74fddaa8c8}\NeverLowerPagePriority
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{abd0ea66-a840-44a9-97b1-fb74fddaa8c8}\NameResource
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{b171ab1c-60e9-4301-a338-beab1c70b3e9}
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{b171ab1c-60e9-4301-a338-beab1c70b3e9}\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{b171ab1c-60e9-4301-a338-beab1c70b3e9}\NeverLowerPagePriority
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{b171ab1c-60e9-4301-a338-beab1c70b3e9}\NameResource
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{bf2de437-b736-48fb-84a0-5f0c389a068e}
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{bf2de437-b736-48fb-84a0-5f0c389a068e}\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{bf2de437-b736-48fb-84a0-5f0c389a068e}\NeverLowerPagePriority
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{bf2de437-b736-48fb-84a0-5f0c389a068e}\NameResource
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{C0F51D84-11B9-4e74-B083-99F11BA2DB0A}
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{C0F51D84-11B9-4e74-B083-99F11BA2DB0A}\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{C0F51D84-11B9-4e74-B083-99F11BA2DB0A}\NeverLowerPagePriority
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{C0F51D84-11B9-4e74-B083-99F11BA2DB0A}\NameResource
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{c70949f5-bda4-4bf3-8121-af0bc174925f}
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{c70949f5-bda4-4bf3-8121-af0bc174925f}\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{c70949f5-bda4-4bf3-8121-af0bc174925f}\NeverLowerPagePriority
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{c70949f5-bda4-4bf3-8121-af0bc174925f}\NameResource
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{c8544339-5be9-4f25-862e-485f1b1a6935}
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{c8544339-5be9-4f25-862e-485f1b1a6935}\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{c8544339-5be9-4f25-862e-485f1b1a6935}\NeverLowerPagePriority
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{c8544339-5be9-4f25-862e-485f1b1a6935}\NameResource
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{d8bcedf8-46c3-440e-bc65-dfa6a5094054}
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{d8bcedf8-46c3-440e-bc65-dfa6a5094054}\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{d8bcedf8-46c3-440e-bc65-dfa6a5094054}\NeverLowerPagePriority
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{d8bcedf8-46c3-440e-bc65-dfa6a5094054}\NameResource
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{E4CD2E3E-3852-4952-B76B-23BB8E35D344}
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{E4CD2E3E-3852-4952-B76B-23BB8E35D344}\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{E4CD2E3E-3852-4952-B76B-23BB8E35D344}\NeverLowerPagePriority
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{E4CD2E3E-3852-4952-B76B-23BB8E35D344}\NameResource
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\WDI\Config
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\Config\ServerName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RADAR
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RADAR\CLResolutionInterval
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RADAR\DisplayInterval
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RADAR\SkipWatson
  • HKEY_LOCAL_MACHINE\Software\Microsoft\RADAR\HeapLeakDetection\Settings
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\Settings\ReflectionInterval
  • HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
  • HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGenServiceDebugLog
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NicPath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\RegistryRoot
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AssemblyPath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AssemblyPath2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Client
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\NET Framework Setup\NDP\v4\Client\Install
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGEN_USE_PRIVATE_STORE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DefaultVersion
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Version
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\ZapSet
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NetFramework\v2.0.50727\NGenService\Roots
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727\NGENService\Roots\WorkPending
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NetFramework\v2.0.50727\NGENService\State
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727\NGENService\State\PendingUpdate
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGenQueue\WIN32\Default
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGenQueueMSI\WIN32\Default
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGenServiceDebugLog
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NicPath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\RegistryRoot
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AssemblyPath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AssemblyPath2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Client\Install
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGEN_USE_PRIVATE_STORE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DefaultVersion
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Version
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\ZapSet
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGENService\Roots\WorkPending
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGENService\State\PendingUpdate
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGenQueue\WIN64\Default
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGenQueueMSI\WIN64\Default
读取的注册表键
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\\xe5\xae\x8b\xe4\xbd\x93
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\UseFilter
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\SharkDriver.dll
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\rBF7DUg\ObjectName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Type
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Start
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\ErrorControl
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Tag
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\DependOnService
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\DependOnGroup
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Group
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\ObjectName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
  • HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
  • HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Environment
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2280033686-3172497658-3481507381-1000\ProfileImagePath
  • HKEY_USERS\S-1-5-21-2280033686-3172497658-3481507381-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
  • HKEY_USERS\S-1-5-21-2280033686-3172497658-3481507381-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ObjectName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ObjectName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs\ObjectName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\ObjectName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\ObjectName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Type
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Start
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\ErrorControl
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Tag
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\DependOnService
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\DependOnGroup
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Group
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\ObjectName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\Environment
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\ObjectName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\Environment
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\ObjectName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppIDSvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppIDSvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Appinfo\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Appinfo\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppMgmt\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppMgmt\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AxInstSV\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AxInstSV\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BDESVC\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BDESVC\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\bthserv\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\bthserv\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\dot3svc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\dot3svc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EapHost\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EapHost\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EFS\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EFS\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\fdPHost\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\fdPHost\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\hidserv\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\hidserv\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\hkmsvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\hkmsvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\HomeGroupListener\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\HomeGroupListener\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\HomeGroupProvider\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\HomeGroupProvider\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\idsvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\idsvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\IPBusEnum\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\IPBusEnum\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\KeyIso\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\KeyIso\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\KtmRm\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\KtmRm\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\lltdsvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\lltdsvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Mcx2Svc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Mcx2Svc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MpsSvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MpsSvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MSiSCSI\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MSiSCSI\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Netlogon\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Netlogon\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetMsmqActivator\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetMsmqActivator\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetPipeActivator\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetPipeActivator\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetTcpActivator\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetTcpActivator\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetTcpPortSharing\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetTcpPortSharing\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\p2pimsvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\p2pimsvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\p2psvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\p2psvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PeerDistSvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PeerDistSvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\pla\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\pla\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PNRPAutoReg\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PNRPAutoReg\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PNRPsvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PNRPsvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ProtectedStorage\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ProtectedStorage\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\QWAVE\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\QWAVE\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RasAuto\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RasAuto\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RasMan\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RasMan\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RemoteAccess\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RemoteAccess\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RemoteRegistry\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RemoteRegistry\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SCardSvr\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SCardSvr\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SCPolicySvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SCPolicySvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\seclogon\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\seclogon\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SensrSvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SensrSvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppuinotify\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppuinotify\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SSDPSRV\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SSDPSRV\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SstpSvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SstpSvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SysMain\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SysMain\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TabletInputService\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TabletInputService\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TapiSrv\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TapiSrv\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TBS\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TBS\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\THREADORDER\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\THREADORDER\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\upnphost\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\upnphost\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\W32Time\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\W32Time\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WbioSrvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WbioSrvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wcncsvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wcncsvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WcsPlugInService\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WcsPlugInService\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WebClient\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WebClient\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Wecsvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Wecsvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wercplsupport\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wercplsupport\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinDefend\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinDefend\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinHttpAutoProxySvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinHttpAutoProxySvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinRM\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinRM\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Wlansvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Wlansvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WPCSvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WPCSvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WPDBusEnum\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WPDBusEnum\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wudfsvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wudfsvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WwanSvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WwanSvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppIDSvc\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Mcx2Svc\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\QWAVE\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SCardSvr\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SensrSvc\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SSDPSRV\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TBS\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\upnphost\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wcncsvc\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19\ProfileImagePath
  • HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
  • HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\Environment
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppsvc\ObjectName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppsvc\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppsvc\WOW64
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppsvc\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20\ProfileImagePath
  • HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
  • HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppsvc\Environment
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winmgmt\ObjectName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\ObjectName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\RequiredPrivileges
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\Type
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\ErrorControl
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\Tag
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\DependOnService
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\DependOnGroup
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\Group
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\ObjectName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\Type
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\ErrorControl
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\Tag
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\DependOnService
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\DependOnGroup
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\Group
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\WerSvcGroup
  • HKEY_USERS\.DEFAULT\Control Panel\International\LocaleName
  • HKEY_USERS\.DEFAULT\Control Panel\International\sCountry
  • HKEY_USERS\.DEFAULT\Control Panel\International\sList
  • HKEY_USERS\.DEFAULT\Control Panel\International\sDecimal
  • HKEY_USERS\.DEFAULT\Control Panel\International\sThousand
  • HKEY_USERS\.DEFAULT\Control Panel\International\sGrouping
  • HKEY_USERS\.DEFAULT\Control Panel\International\sNativeDigits
  • HKEY_USERS\.DEFAULT\Control Panel\International\sCurrency
  • HKEY_USERS\.DEFAULT\Control Panel\International\sMonDecimalSep
  • HKEY_USERS\.DEFAULT\Control Panel\International\sMonThousandSep
  • HKEY_USERS\.DEFAULT\Control Panel\International\sMonGrouping
  • HKEY_USERS\.DEFAULT\Control Panel\International\sPositiveSign
  • HKEY_USERS\.DEFAULT\Control Panel\International\sNegativeSign
  • HKEY_USERS\.DEFAULT\Control Panel\International\sTimeFormat
  • HKEY_USERS\.DEFAULT\Control Panel\International\sShortTime
  • HKEY_USERS\.DEFAULT\Control Panel\International\s1159
  • HKEY_USERS\.DEFAULT\Control Panel\International\s2359
  • HKEY_USERS\.DEFAULT\Control Panel\International\sShortDate
  • HKEY_USERS\.DEFAULT\Control Panel\International\sYearMonth
  • HKEY_USERS\.DEFAULT\Control Panel\International\sLongDate
  • HKEY_USERS\.DEFAULT\Control Panel\International\iCountry
  • HKEY_USERS\.DEFAULT\Control Panel\International\iMeasure
  • HKEY_USERS\.DEFAULT\Control Panel\International\iPaperSize
  • HKEY_USERS\.DEFAULT\Control Panel\International\iDigits
  • HKEY_USERS\.DEFAULT\Control Panel\International\iLZero
  • HKEY_USERS\.DEFAULT\Control Panel\International\iNegNumber
  • HKEY_USERS\.DEFAULT\Control Panel\International\NumShape
  • HKEY_USERS\.DEFAULT\Control Panel\International\iCurrDigits
  • HKEY_USERS\.DEFAULT\Control Panel\International\iCurrency
  • HKEY_USERS\.DEFAULT\Control Panel\International\iNegCurr
  • HKEY_USERS\.DEFAULT\Control Panel\International\iCalendarType
  • HKEY_USERS\.DEFAULT\Control Panel\International\iFirstDayOfWeek
  • HKEY_USERS\.DEFAULT\Control Panel\International\iFirstWeekOfYear
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Parameters\ServiceDll
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Parameters\ServiceManifest
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Parameters\ServiceMain
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\ServiceTimeout
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Parameters\ServiceDllUnloadOnStop
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\NoReflection
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Category
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Name
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\ParentFolder
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Description
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\RelativePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\ParsingName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\InfoTip
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\LocalizedName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Icon
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Security
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\StreamResource
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\StreamResourceType
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\LocalRedirectOnly
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Roamable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\PreCreate
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Stream
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\PublishExpandedPath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Attributes
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\FolderTypeID
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\InitFolderHandler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\TraceFlags
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\NoReflection
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\CurrentType
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\MachineID
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\Consent\DefaultConsent
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\DontSendAdditionalData
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Disabled
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Consent\DefaultConsent
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Consent\DefaultOverrideBehavior
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Consent\APPCRASH
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LoggingDisabled
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\DontShowUI
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\DisableArchive
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\ConfigureArchive
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\DisableQueue
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\MaxQueueCount
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\MaxArchiveCount
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\ForceQueue
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\QueuePesterInterval
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\SendEFSFiles
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\BypassDataThrottling
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\ForceUserModeCabCollection
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\DontSendAdditionalData
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\Disabled
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\Consent\DefaultOverrideBehavior
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\Consent\APPCRASH
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\LoggingDisabled
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\DontShowUI
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\DisableArchive
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\ConfigureArchive
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\DisableQueue
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\MaxQueueCount
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\MaxArchiveCount
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\ForceQueue
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\QueuePesterInterval
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\SendEFSFiles
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\BypassDataThrottling
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\ForceUserModeCabCollection
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\CorporateWerServer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\CorporateWerUseSSL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\CorporateWerPortNumber
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\CorporateWerUseAuthentication
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Reliability Analysis\RAC\RacWerSampleTime
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInset
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragDelay
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragMinDist
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollDelay
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInterval
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{15fba3b8-a37a-4f91-bdba-fbb98fe804bf}\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{15fba3b8-a37a-4f91-bdba-fbb98fe804bf}\NeverLowerPagePriority
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{15fba3b8-a37a-4f91-bdba-fbb98fe804bf}\NameResource
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{282396b2-6c46-4d66-b413-70b0445df33c}\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{282396b2-6c46-4d66-b413-70b0445df33c}\NeverLowerPagePriority
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{282396b2-6c46-4d66-b413-70b0445df33c}\NameResource
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{284ddb2f-beea-4c9d-91e8-e3670ed91517}\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{284ddb2f-beea-4c9d-91e8-e3670ed91517}\NeverLowerPagePriority
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{284ddb2f-beea-4c9d-91e8-e3670ed91517}\NameResource
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{3EA6B3DF-393E-41C3-9885-29EC5A701926}\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{3EA6B3DF-393E-41C3-9885-29EC5A701926}\NeverLowerPagePriority
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{3EA6B3DF-393E-41C3-9885-29EC5A701926}\NameResource
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{45DE1EA9-10BC-4f96-9B21-4B6B83DBF476}\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{45DE1EA9-10BC-4f96-9B21-4B6B83DBF476}\NeverLowerPagePriority
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{45DE1EA9-10BC-4f96-9B21-4B6B83DBF476}\NameResource
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{4d21da64-fd02-4b82-a0a5-783266e430ab}\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{4d21da64-fd02-4b82-a0a5-783266e430ab}\NeverLowerPagePriority
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{4d21da64-fd02-4b82-a0a5-783266e430ab}\NameResource
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{50e3b0eb-5780-49de-9eb5-8d53a51fd146}\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{50e3b0eb-5780-49de-9eb5-8d53a51fd146}\NeverLowerPagePriority
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{50e3b0eb-5780-49de-9eb5-8d53a51fd146}\NameResource
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{5C85A128-86F7-41a4-B655-BEE3F2ADEF46}\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{5C85A128-86F7-41a4-B655-BEE3F2ADEF46}\NeverLowerPagePriority
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{5C85A128-86F7-41a4-B655-BEE3F2ADEF46}\NameResource
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{5EE64AFB-398D-4edb-AF71-3B830219ABF7}\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{5EE64AFB-398D-4edb-AF71-3B830219ABF7}\NeverLowerPagePriority
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{5EE64AFB-398D-4edb-AF71-3B830219ABF7}\NameResource
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{63e0d0f7-ac2f-493b-a7f2-2f3ccdb66fca}\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{63e0d0f7-ac2f-493b-a7f2-2f3ccdb66fca}\NeverLowerPagePriority
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{63e0d0f7-ac2f-493b-a7f2-2f3ccdb66fca}\NameResource
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{67f1ec80-6c5b-43bb-860b-d47ae85242b1}\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{67f1ec80-6c5b-43bb-860b-d47ae85242b1}\NeverLowerPagePriority
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{67f1ec80-6c5b-43bb-860b-d47ae85242b1}\NameResource
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{72dbb5ac-6a91-46e6-885b-d429828bea2e}\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{72dbb5ac-6a91-46e6-885b-d429828bea2e}\NeverLowerPagePriority
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{72dbb5ac-6a91-46e6-885b-d429828bea2e}\NameResource
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{7a54f16f-a73a-4258-ba46-a1e998a6aa74}\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{7a54f16f-a73a-4258-ba46-a1e998a6aa74}\NeverLowerPagePriority
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{7a54f16f-a73a-4258-ba46-a1e998a6aa74}\NameResource
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{85e0acd9-809a-482b-b60b-bcad1f8d0cd7}\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{85e0acd9-809a-482b-b60b-bcad1f8d0cd7}\NeverLowerPagePriority
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{85e0acd9-809a-482b-b60b-bcad1f8d0cd7}\NameResource
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{88d4896f-f553-446a-9c75-9dec124ff8b7}\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{88d4896f-f553-446a-9c75-9dec124ff8b7}\NeverLowerPagePriority
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{88d4896f-f553-446a-9c75-9dec124ff8b7}\NameResource
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{8CC29128-0B57-4a2b-A7B9-A74A70BA6FA1}\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{8CC29128-0B57-4a2b-A7B9-A74A70BA6FA1}\NeverLowerPagePriority
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{8CC29128-0B57-4a2b-A7B9-A74A70BA6FA1}\NameResource
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{8d39bd5b-81f8-4b94-a608-6a50bbff5d15}\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{8d39bd5b-81f8-4b94-a608-6a50bbff5d15}\NeverLowerPagePriority
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{8d39bd5b-81f8-4b94-a608-6a50bbff5d15}\NameResource
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{95c162b7-5b71-44f8-82e4-abfd3108f40f}\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{95c162b7-5b71-44f8-82e4-abfd3108f40f}\NeverLowerPagePriority
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{95c162b7-5b71-44f8-82e4-abfd3108f40f}\NameResource
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{9c5a40da-b965-4fc3-8781-88dd50a6299d}\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{9c5a40da-b965-4fc3-8781-88dd50a6299d}\NeverLowerPagePriority
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{9c5a40da-b965-4fc3-8781-88dd50a6299d}\NameResource
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{a0d86e0d-3f06-411b-9dd5-35bc5666ff3e}\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{a0d86e0d-3f06-411b-9dd5-35bc5666ff3e}\NeverLowerPagePriority
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{a0d86e0d-3f06-411b-9dd5-35bc5666ff3e}\NameResource
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{a59f0643-a6ca-48e0-a7c4-4cdd258439e2}\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{a59f0643-a6ca-48e0-a7c4-4cdd258439e2}\NeverLowerPagePriority
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{a59f0643-a6ca-48e0-a7c4-4cdd258439e2}\NameResource
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{abd0ea66-a840-44a9-97b1-fb74fddaa8c8}\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{abd0ea66-a840-44a9-97b1-fb74fddaa8c8}\NeverLowerPagePriority
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{abd0ea66-a840-44a9-97b1-fb74fddaa8c8}\NameResource
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{b171ab1c-60e9-4301-a338-beab1c70b3e9}\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{b171ab1c-60e9-4301-a338-beab1c70b3e9}\NeverLowerPagePriority
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{b171ab1c-60e9-4301-a338-beab1c70b3e9}\NameResource
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{bf2de437-b736-48fb-84a0-5f0c389a068e}\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{bf2de437-b736-48fb-84a0-5f0c389a068e}\NeverLowerPagePriority
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{bf2de437-b736-48fb-84a0-5f0c389a068e}\NameResource
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{C0F51D84-11B9-4e74-B083-99F11BA2DB0A}\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{C0F51D84-11B9-4e74-B083-99F11BA2DB0A}\NeverLowerPagePriority
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{C0F51D84-11B9-4e74-B083-99F11BA2DB0A}\NameResource
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{c70949f5-bda4-4bf3-8121-af0bc174925f}\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{c70949f5-bda4-4bf3-8121-af0bc174925f}\NeverLowerPagePriority
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{c70949f5-bda4-4bf3-8121-af0bc174925f}\NameResource
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{c8544339-5be9-4f25-862e-485f1b1a6935}\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{c8544339-5be9-4f25-862e-485f1b1a6935}\NeverLowerPagePriority
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{c8544339-5be9-4f25-862e-485f1b1a6935}\NameResource
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{d8bcedf8-46c3-440e-bc65-dfa6a5094054}\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{d8bcedf8-46c3-440e-bc65-dfa6a5094054}\NeverLowerPagePriority
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{d8bcedf8-46c3-440e-bc65-dfa6a5094054}\NameResource
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{E4CD2E3E-3852-4952-B76B-23BB8E35D344}\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{E4CD2E3E-3852-4952-B76B-23BB8E35D344}\NeverLowerPagePriority
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{E4CD2E3E-3852-4952-B76B-23BB8E35D344}\NameResource
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\Config\ServerName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RADAR\CLResolutionInterval
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RADAR\DisplayInterval
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RADAR\SkipWatson
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\Settings\ReflectionInterval
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGenServiceDebugLog
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NicPath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\RegistryRoot
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AssemblyPath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AssemblyPath2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\NET Framework Setup\NDP\v4\Client\Install
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGEN_USE_PRIVATE_STORE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DefaultVersion
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Version
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\ZapSet
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727\NGENService\Roots\WorkPending
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727\NGENService\State\PendingUpdate
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGenServiceDebugLog
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NicPath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\RegistryRoot
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AssemblyPath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AssemblyPath2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Client\Install
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGEN_USE_PRIVATE_STORE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DefaultVersion
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Version
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\ZapSet
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGENService\Roots\WorkPending
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGENService\State\PendingUpdate
修改的注册表键
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Type
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\Debug\ExceptionRecord
删除的注册表键 无信息
API解析
  • kernel32.dll.IsProcessorFeaturePresent
  • cryptbase.dll.SystemFunction036
  • kernel32.dll.SortGetHandle
  • kernel32.dll.SortCloseHandle
  • comctl32.dll.RegisterClassNameW
  • uxtheme.dll.EnableThemeDialogTexture
  • uxtheme.dll.OpenThemeData
  • comctl32.dll.InitCommonControlsEx
  • urlmon.dll.#414
  • kernel32.dll.VirtualAlloc
  • kernel32.dll.GetModuleHandleA
  • kernel32.dll.FlsAlloc
  • kernel32.dll.FlsGetValue
  • kernel32.dll.FlsSetValue
  • kernel32.dll.FlsFree
  • ntdll.dll.RtlAdjustPrivilege
  • sharkdriver.dll.Install
  • wininet.dll.InternetOpenA
  • wininet.dll.InternetConnectA
  • wininet.dll.HttpOpenRequestA
  • wininet.dll.HttpSendRequestA
  • rasapi32.dll.RasConnectionNotificationW
  • sechost.dll.NotifyServiceStatusChangeA
  • wininet.dll.InternetReadFile
  • wininet.dll.HttpQueryInfoA
  • wininet.dll.InternetCloseHandle
  • kernel32.dll.Wow64DisableWow64FsRedirection
  • kernel32.dll.CreateFileA
  • advapi32.dll.OpenSCManagerA
  • shlwapi.dll.PathFindFileNameA
  • advapi32.dll.CreateServiceA
  • advapi32.dll.StartServiceA
  • advapi32.dll.CloseServiceHandle
  • gdi32.dll.GetLayout
  • gdi32.dll.GdiRealizationInfo
  • gdi32.dll.FontIsLinked
  • advapi32.dll.RegOpenKeyExW
  • advapi32.dll.RegQueryInfoKeyW
  • gdi32.dll.GetTextFaceAliasW
  • advapi32.dll.RegEnumValueW
  • advapi32.dll.RegCloseKey
  • advapi32.dll.RegQueryValueExW
  • advapi32.dll.RegQueryValueExA
  • advapi32.dll.RegEnumKeyExW
  • gdi32.dll.GetTextExtentExPointWPri
  • ole32.dll.CoInitializeEx
  • ole32.dll.CoUninitialize
  • ole32.dll.CoRegisterInitializeSpy
  • ole32.dll.CoRevokeInitializeSpy
  • user32.dll.GetSystemMetrics
  • user32.dll.MonitorFromWindow
  • user32.dll.MonitorFromRect
  • user32.dll.MonitorFromPoint
  • user32.dll.EnumDisplayMonitors
  • user32.dll.GetMonitorInfoA
  • gdi32.dll.GetFontAssocStatus
  • oleaut32.dll.SysAllocString
  • oleaut32.dll.SysStringLen
  • oleaut32.dll.SysFreeString
  • gdi32.dll.GdiIsMetaPrintDC
  • user32.dll.FindWindowA
  • wersvc.dll.ServiceMain
  • wersvc.dll.SvchostPushServiceGlobals
  • advapi32.dll.RegGetValueW
  • sechost.dll.ConvertStringSecurityDescriptorToSecurityDescriptorW
  • faultrep.dll.WerpInitiateCrashReporting
  • wer.dll.WerpCreateMachineStore
  • shell32.dll.SHGetFolderPathEx
  • ole32.dll.StringFromGUID2
  • profapi.dll.#104
  • userenv.dll.CreateEnvironmentBlock
  • sechost.dll.ConvertSidToStringSidW
  • sspicli.dll.GetUserNameExW
  • userenv.dll.DestroyEnvironmentBlock
  • imm32.dll.ImmDisableIME
  • psapi.dll.GetModuleFileNameExW
  • version.dll.GetFileVersionInfoSizeW
  • version.dll.GetFileVersionInfoW
  • version.dll.VerQueryValueW
  • wer.dll.WerpCreateIntegratorReportId
  • wer.dll.WerReportCreate
  • advapi32.dll.OpenProcessToken
  • wer.dll.WerpSetIntegratorReportId
  • wer.dll.WerReportSetParameter
  • dbgeng.dll.DebugCreate
  • ntdll.dll.CsrGetProcessId
  • ntdll.dll.DbgBreakPoint
  • ntdll.dll.DbgPrint
  • ntdll.dll.DbgPrompt
  • ntdll.dll.DbgUiConvertStateChangeStructure
  • ntdll.dll.DbgUiGetThreadDebugObject
  • ntdll.dll.DbgUiIssueRemoteBreakin
  • ntdll.dll.DbgUiSetThreadDebugObject
  • ntdll.dll.NtAllocateVirtualMemory
  • ntdll.dll.NtClose
  • ntdll.dll.NtCreateDebugObject
  • ntdll.dll.NtCreateFile
  • ntdll.dll.NtDebugActiveProcess
  • ntdll.dll.NtDebugContinue
  • ntdll.dll.NtFreeVirtualMemory
  • ntdll.dll.NtOpenProcess
  • ntdll.dll.NtOpenThread
  • ntdll.dll.NtQueryInformationProcess
  • ntdll.dll.NtQueryInformationThread
  • ntdll.dll.NtQueryMutant
  • ntdll.dll.NtQueryObject
  • ntdll.dll.NtQuerySystemInformation
  • ntdll.dll.NtRemoveProcessDebug
  • ntdll.dll.NtResumeThread
  • ntdll.dll.NtSetInformationDebugObject
  • ntdll.dll.NtSetInformationProcess
  • ntdll.dll.NtSystemDebugControl
  • ntdll.dll.NtWaitForDebugEvent
  • ntdll.dll.RtlAnsiStringToUnicodeString
  • ntdll.dll.RtlCreateProcessParameters
  • ntdll.dll.RtlCreateUserProcess
  • ntdll.dll.RtlDestroyProcessParameters
  • ntdll.dll.RtlDosPathNameToNtPathName_U
  • ntdll.dll.RtlFindMessage
  • ntdll.dll.RtlFreeHeap
  • ntdll.dll.RtlFreeUnicodeString
  • ntdll.dll.RtlGetUnloadEventTrace
  • ntdll.dll.RtlGetUnloadEventTraceEx
  • ntdll.dll.RtlInitAnsiString
  • ntdll.dll.RtlInitUnicodeString
  • ntdll.dll.RtlTryEnterCriticalSection
  • ntdll.dll.RtlUnicodeStringToAnsiString
  • ntdll.dll.NtOpenProcessToken
  • ntdll.dll.NtOpenThreadToken
  • ntdll.dll.NtQueryInformationToken
  • kernel32.dll.CloseProfileUserMapping
  • kernel32.dll.CreateToolhelp32Snapshot
  • kernel32.dll.DebugActiveProcessStop
  • kernel32.dll.DebugBreak
  • kernel32.dll.DebugBreakProcess
  • kernel32.dll.DebugSetProcessKillOnExit
  • kernel32.dll.Module32First
  • kernel32.dll.Module32FirstW
  • kernel32.dll.Module32Next
  • kernel32.dll.Module32NextW
  • kernel32.dll.OpenThread
  • kernel32.dll.Process32First
  • kernel32.dll.Process32FirstW
  • kernel32.dll.Process32Next
  • kernel32.dll.Process32NextW
  • kernel32.dll.ProcessIdToSessionId
  • kernel32.dll.SetProcessShutdownParameters
  • kernel32.dll.Thread32First
  • kernel32.dll.Thread32Next
  • kernel32.dll.GetTimeZoneInformation
  • kernel32.dll.DuplicateHandle
  • kernel32.dll.Wow64GetThreadSelectorEntry
  • advapi32.dll.ControlService
  • advapi32.dll.CreateServiceW
  • advapi32.dll.DeleteService
  • advapi32.dll.EnumServicesStatusExA
  • advapi32.dll.EnumServicesStatusExW
  • advapi32.dll.GetEventLogInformation
  • advapi32.dll.GetTokenInformation
  • advapi32.dll.LookupAccountSidW
  • advapi32.dll.OpenSCManagerW
  • advapi32.dll.OpenServiceA
  • advapi32.dll.OpenServiceW
  • advapi32.dll.StartServiceW
  • advapi32.dll.GetSidSubAuthority
  • advapi32.dll.GetSidSubAuthorityCount
  • version.dll.GetFileVersionInfoSizeExW
  • version.dll.GetFileVersionInfoExW
  • dbghelp.dll.WinDbgExtensionDllInit
  • dbghelp.dll.ExtensionApiVersion
  • wer.dll.WerpSetDynamicParameter
  • wer.dll.WerReportAddDump
  • wer.dll.WerpSetCallBack
  • wer.dll.WerReportSetUIOption
  • wer.dll.WerpAddRegisteredDataToReport
  • wer.dll.WerReportSubmit
  • user32.dll.LoadStringW
  • advapi32.dll.AllocateAndInitializeSid
  • advapi32.dll.CheckTokenMembership
  • user32.dll.GetProcessWindowStation
  • user32.dll.GetThreadDesktop
  • user32.dll.GetUserObjectInformationW
  • advapi32.dll.FreeSid
  • sensapi.dll.IsNetworkAlive
  • rpcrt4.dll.RpcBindingFromStringBindingW
  • rpcrt4.dll.RpcBindingSetAuthInfoExW
  • rpcrt4.dll.NdrClientCall2
  • user32.dll.CharUpperW
  • werui.dll.WerUICreate
  • werui.dll.WerUIStart
  • ole32.dll.CoInitialize
  • oleaut32.dll.#500
  • kernel32.dll.CreateActCtxW
  • kernel32.dll.ActivateActCtx
  • dui70.dll.InitProcessPriv
  • kernel32.dll.QueryActCtxW
  • kernel32.dll.FindActCtxSectionStringW
  • kernel32.dll.DeactivateActCtx
  • comctl32.dll.LoadIconWithScaleDown
  • ntdll.dll.RtlRunEncodeUnicodeString
  • ntdll.dll.RtlRunDecodeUnicodeString
  • dui70.dll.InitThread
  • duser.dll.InitGadgets
  • user32.dll.RegisterMessagePumpHook
  • dui70.dll.?GetClassInfoPtr@CCBase@DirectUI@@SGPAUIClassInfo@2@XZ
  • dui70.dll.?GetFactoryLock@Element@DirectUI@@SGPAU_RTL_CRITICAL_SECTION@@XZ
  • dui70.dll.??0CritSecLock@DirectUI@@QAE@PAU_RTL_CRITICAL_SECTION@@@Z
  • dui70.dll.?ClassExist@ClassInfoBase@DirectUI@@SG_NPAPAUIClassInfo@2@PBQBUPropertyInfo@2@IPAU32@PAUHINSTANCE__@@PBG_N@Z
  • dui70.dll.??0ClassInfoBase@DirectUI@@QAE@XZ
  • dui70.dll.?Initialize@ClassInfoBase@DirectUI@@QAEJPAUHINSTANCE__@@PBG_NPBQBUPropertyInfo@2@I@Z
  • dui70.dll.?Register@ClassInfoBase@DirectUI@@QAEJXZ
  • dui70.dll.?IsGlobal@ClassInfoBase@DirectUI@@UBE_NXZ
  • dui70.dll.?GetName@ClassInfoBase@DirectUI@@UBEPBGXZ
  • dui70.dll.?GetModule@ClassInfoBase@DirectUI@@UBEPAUHINSTANCE__@@XZ
  • dui70.dll.??1CritSecLock@DirectUI@@QAE@XZ
  • dui70.dll.??0CCBase@DirectUI@@QAE@KPBG@Z
  • dui70.dll.?Initialize@CCBase@DirectUI@@QAEJIPAVElement@2@PAK@Z
  • duser.dll.CreateGadget
  • duser.dll.SetGadgetMessageFilter
  • duser.dll.SetGadgetStyle
  • dui70.dll.?OnPropertyChanging@Element@DirectUI@@UAE_NPBUPropertyInfo@2@HPAVValue@2@1@Z
  • dui70.dll.?HandleUiaPropertyChangingListener@Element@DirectUI@@UAEXPBUPropertyInfo@2@@Z
  • dui70.dll.?HandleUiaPropertyListener@Element@DirectUI@@UAEXPBUPropertyInfo@2@HPAVValue@2@1@Z
  • dui70.dll.?DirectionProp@Element@DirectUI@@SGPBUPropertyInfo@2@XZ
  • dui70.dll.?OnPropertyChanged@CCBase@DirectUI@@UAEXPBUPropertyInfo@2@HPAVValue@2@1@Z
  • dui70.dll.?SetFontSize@Element@DirectUI@@QAEJH@Z
  • dui70.dll.?SetWidth@Element@DirectUI@@QAEJH@Z
  • dui70.dll.?SetHeight@Element@DirectUI@@QAEJH@Z
  • dui70.dll.?EndDefer@Element@DirectUI@@QAEXK@Z
  • dui70.dll.?OnGroupChanged@Element@DirectUI@@UAEXH_N@Z
  • duser.dll.InvalidateGadget
  • dui70.dll.CreateDUIWrapper
  • dui70.dll.?SetNotifyHandler@CCBase@DirectUI@@QAEXP6GHIIJPAJPAX@Z1@Z
  • shell32.dll.ExtractIconExW
  • comctl32.dll.TaskDialogIndirect
  • uxtheme.dll.IsThemeActive
  • duser.dll.SetGadgetRootInfo
  • dwmapi.dll.DwmIsCompositionEnabled
  • uxtheme.dll.IsAppThemed
  • ole32.dll.CreateStreamOnHGlobal
  • xmllite.dll.CreateXmlReader
  • xmllite.dll.CreateXmlReaderInputWithEncodingName
  • duser.dll.FindStdColor
  • oleaut32.dll.#6
  • duser.dll.SetGadgetParent
  • duser.dll.GetDUserModule
  • duser.dll.AttachWndProcW
  • kernel32.dll.InterlockedPopEntrySList
  • kernel32.dll.InterlockedPushEntrySList
  • kernel32.dll.InterlockedCompareExchange
  • duser.dll.GetGadgetRect
  • duser.dll.GetGadgetRgn
  • duser.dll.GetGadgetTicket
  • dui70.dll.?GetPICount@ClassInfoBase@DirectUI@@UBEIXZ
  • dui70.dll.?GetByClassIndex@ClassInfoBase@DirectUI@@UAEPBUPropertyInfo@2@I@Z
  • dui70.dll.?OnHosted@HWNDHost@DirectUI@@MAEXPAVElement@2@@Z
  • dui70.dll.?CreateAccNameLabel@HWNDHost@DirectUI@@IAEPAUHWND__@@PAU3@@Z
  • dui70.dll.?OnMessage@HWNDHost@DirectUI@@UAE_NIIJPAJ@Z
  • dui70.dll.?CreateHWND@CCBase@DirectUI@@UAEPAUHWND__@@PAU3@@Z
  • dui70.dll.?PostCreate@CCBase@DirectUI@@MAEXPAUHWND__@@@Z
  • dui70.dll.?IsContentProtected@Element@DirectUI@@UAE_NXZ
  • duser.dll.GetGadgetFocus
  • duser.dll.SetGadgetFocus
  • duser.dll.DUserSendEvent
  • duser.dll.SetGadgetRect
  • comctl32.dll.SetWindowSubclass
  • comctl32.dll.DefSubclassProc
  • dui70.dll.?GetHWND@HWNDHost@DirectUI@@UAEPAUHWND__@@XZ
  • user32.dll.FrostCrashedWindow
  • uxtheme.dll.BufferedPaintInit
  • uxtheme.dll.BeginBufferedPaint
  • uxtheme.dll.GetBufferedPaintDC
  • uxtheme.dll.GetBufferedPaintTargetDC
  • uxtheme.dll.EndBufferedPaint
  • duser.dll.FindGadgetFromPoint
  • sechost.dll.LookupAccountNameLocalW
  • sechost.dll.LookupAccountSidLocalW
  • rpcrt4.dll.UuidFromStringW
  • radarrs.dll.WdiDiagnosticModuleMain
  • radarrs.dll.WdiHandleInstance
  • radarrs.dll.WdiGetDiagnosticModuleInterfaceVersion
  • advapi32.dll.StartServiceCtrlDispatcherW
  • advapi32.dll.RegisterServiceCtrlHandlerExW
  • advapi32.dll.SetServiceStatus