魔盾安全分析报告
| 分析类型 | 开始时间 | 结束时间 | 持续时间 | 分析引擎版本 |
|---|---|---|---|---|
| FILE | 2020-06-06 16:48:39 | 2020-06-06 16:51:07 | 148 秒 | 1.4-Maldun |
| 虚拟机机器名 | 标签 | 虚拟机管理 | 开机时间 | 关机时间 |
|---|---|---|---|---|
| win7-sp1-x64-hpdapp01-1 | win7-sp1-x64-hpdapp01-1 | KVM | 2020-06-06 16:48:46 | 2020-06-06 16:51:08 |
| 魔盾分数 |
|---|
8.7125恶意的 |
文件详细信息
| 文件名 | zombie.exe |
|---|---|
| 文件大小 | 1285120 字节 |
| 文件类型 | PE32 executable (GUI) Intel 80386, for MS Windows |
| CRC32 | 17D6B857 |
| MD5 | 484fbe7079c2a215dd7a0efe77a0d1d4 |
| SHA1 | e0eeb51b336f29527e9af9aa9930dd76a21852d7 |
| SHA256 | dc1b34834edc438ae9139a103696b49c12eaf6903128f2b8910f07315f9ead91 |
| SHA512 | ffc195b6a89295177a3ca4c889135783bd49b0e7fdea0573c0b08239836f088aeac9311e851192ebfb15960c5188ddebb839a608afda3bcfed84d96535c0f79e |
| Ssdeep | 24576:C+0dE0nEGEeRink5J/LvW/4qT86MfzzLp2NJWEUWALbtt0:CHNn1Een5Nvq8TfX+uWALbtC |
| PEiD | 无匹配 |
| Yara |
|
| VirusTotal | 无此文件扫描结果 |
特征
创建RWX内存
至少有一个进程在执行过程中崩溃
二进制文件可能包含加密或压缩数据
section: name: .data, entropy: 7.99, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00121400, virtual_size: 0x00137a2c
多次尝试建立挂起的进程
魔盾安全Yara规则检测结果 - 安全告警
强制将一个创建的进程加载为另一个不相关进程的子进程
装载一个驱动器
driver service name: \Registry\Machine\System\CurrentControlSet\Services\quzubizdzshz
可能是恶意的样本写入可疑的执行文件并混淆扩展名
运行截图
网络分析
静态分析
PE 信息
| 初始地址 | 0x00400000 |
|---|---|
| 入口地址 | 0x00401000 |
| 声明校验值 | 0x00000000 |
| 实际校验值 | 0x00147f2b |
| 最低操作系统版本要求 | 4.0 |
| 编译时间 | 2020-06-06 16:46:45 |
| 载入哈希 | d16f20d5224b729ea5f67da7132210a9 |
版本信息
| LegalCopyright: | Kind |
| FileVersion: | 2.0.0.0 |
| CompanyName: | Kind |
| Comments: | Kind |
| ProductName: | Kind |
| ProductVersion: | 2.0.0.0 |
| FileDescription: | Kind |
| Translation: | 0x0804 0x04b0 |
PE数据组成
| 名称 | 虚拟地址 | 虚拟大小 | 原始数据大小 | 特征 | 熵(Entropy) |
|---|---|---|---|---|---|
| .text | 0x00001000 | 0x000165f2 | 0x00016600 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 6.35 |
| .rdata | 0x00018000 | 0x000018da | 0x00001a00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 5.06 |
| .data | 0x0001a000 | 0x00137a2c | 0x00121400 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 7.99 |
| .rsrc | 0x00152000 | 0x00000278 | 0x00000400 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 3.80 |
导入
库 WINMM.dll:
• 0x4181c4 - timeGetTime
库 KERNEL32.dll:
• 0x418040 - GetModuleFileNameA
• 0x418044 - LCMapStringA
• 0x418048 - WriteFile
• 0x41804c - CreateFileA
• 0x418050 - DeleteFileA
• 0x418054 - GetCommandLineA
• 0x418058 - GetTickCount
• 0x41805c - GetProcAddress
• 0x418060 - LoadLibraryA
• 0x418064 - IsBadReadPtr
• 0x418068 - HeapFree
• 0x41806c - HeapReAlloc
• 0x418070 - HeapAlloc
• 0x418074 - ExitProcess
• 0x418078 - GetModuleHandleA
• 0x41807c - GetProcessHeap
• 0x418080 - MultiByteToWideChar
• 0x418084 - Wow64RevertWow64FsRedirection
• 0x418088 - Wow64DisableWow64FsRedirection
• 0x41808c - RtlMoveMemory
• 0x418090 - MapViewOfFile
• 0x418094 - OpenFileMappingA
• 0x418098 - Sleep
• 0x41809c - Module32First
• 0x4180a0 - CloseHandle
• 0x4180a4 - Process32Next
• 0x4180a8 - Process32First
• 0x4180ac - CreateToolhelp32Snapshot
• 0x4180b0 - FreeLibrary
• 0x4180b4 - lstrcpyA
• 0x4180b8 - lstrcatA
• 0x4180bc - MulDiv
• 0x4180c0 - GetTempPathA
• 0x4180c4 - GetSystemDirectoryA
• 0x4180c8 - GetWindowsDirectoryA
库 USER32.dll:
• 0x418138 - LoadBitmapA
• 0x41813c - RegisterHotKey
• 0x418140 - ReleaseCapture
• 0x418144 - ScreenToClient
• 0x418148 - SendMessageA
• 0x41814c - SetCapture
• 0x418150 - SetWindowLongA
• 0x418154 - GetCursorPos
• 0x418158 - GetSysColor
• 0x41815c - CreateWindowExA
• 0x418160 - IsWindowVisible
• 0x418164 - CallWindowProcA
• 0x418168 - TranslateMessage
• 0x41816c - GetMessageA
• 0x418170 - PeekMessageA
• 0x418174 - GetDC
• 0x418178 - GetWindow
• 0x41817c - UnregisterHotKey
• 0x418180 - DispatchMessageA
• 0x418184 - wsprintfA
• 0x418188 - MessageBoxA
• 0x41818c - GetAsyncKeyState
• 0x418190 - BringWindowToTop
• 0x418194 - UpdateWindow
• 0x418198 - MoveWindow
• 0x41819c - GetWindowTextLengthA
• 0x4181a0 - FindWindowExA
• 0x4181a4 - GetClientRect
• 0x4181a8 - ClientToScreen
• 0x4181ac - FindWindowA
• 0x4181b0 - GetWindowThreadProcessId
• 0x4181b4 - GetClassNameA
• 0x4181b8 - GetWindowTextA
• 0x4181bc - GetDesktopWindow
库 GDI32.dll:
• 0x41802c - GetDeviceCaps
• 0x418030 - TranslateCharsetInfo
• 0x418034 - DeleteObject
• 0x418038 - CreateFontA
库 MSVCRT.dll:
• 0x4180d0 - atoi
• 0x4180d4 - free
• 0x4180d8 - malloc
• 0x4180dc - __CxxFrameHandler
• 0x4180e0 - ??3@YAXPAX@Z
• 0x4180e4 - strrchr
• 0x4180e8 - strchr
• 0x4180ec - realloc
• 0x4180f0 - memmove
• 0x4180f4 - strncmp
• 0x4180f8 - calloc
• 0x4180fc - _ftol
• 0x418100 - floor
• 0x418104 - modf
• 0x418108 - _CIfmod
• 0x41810c - rand
• 0x418110 - srand
• 0x418114 - sprintf
库 SHLWAPI.dll:
• 0x418130 - PathFileExistsA
库 SHELL32.dll:
• 0x41811c - DragFinish
• 0x418120 - SHGetSpecialFolderPathA
• 0x418124 - DragQueryFileA
• 0x418128 - DragAcceptFiles
库 COMCTL32.dll:
• 0x418000 - ImageList_Add
• 0x418004 - ImageList_Create
• 0x418008 - ImageList_Destroy
• 0x41800c - ImageList_DragEnter
• 0x418010 - ImageList_DragLeave
• 0x418014 - ImageList_DragMove
• 0x418018 - ImageList_DragShowNolock
• 0x41801c - ImageList_EndDrag
• 0x418020 - None
• 0x418024 - ImageList_BeginDrag
投放文件
行为分析
互斥量(Mutexes)
- Local\WERReportingForProcess2704
- Global\b0192281-4986-11ea-a52f-525400ff13a8
执行的命令
- C:\Windows\System32\svchost.exe -k WerSvcGroup
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
- C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
- C:\Windows\system32\sppsvc.exe
创建的服务
- quzubizdzshz
启动的服务
- quzubizdzshz
- WerSvc
进程
zombie.exe PID: 2704, 上一级进程 PID: 2356
services.exe PID: 428, 上一级进程 PID: 332
svchost.exe PID: 2972, 上一级进程 PID: 428
WerFault.exe PID: 2212, 上一级进程 PID: 2972
mscorsvw.exe PID: 2396, 上一级进程 PID: 428
mscorsvw.exe PID: 424, 上一级进程 PID: 428
访问的文件
- C:\Users\test\AppData\Local\Temp\D3DCompiler_42.dll
- C:\Windows\System32\D3DCompiler_42.dll
- C:\Windows\system\D3DCompiler_42.dll
- C:\Windows\D3DCompiler_42.dll
- C:\ProgramData\Oracle\Java\javapath\D3DCompiler_42.dll
- C:\Windows\System32\wbem\D3DCompiler_42.dll
- C:\Windows\System32\WindowsPowerShell\v1.0\D3DCompiler_42.dll
- C:\Program Files (x86)\WinRAR\D3DCompiler_42.dll
- C:\Users\test\Desktop\BdHxNbTv.sys
- C:\Windows\sysnative\quzubizdzshz.sys
- \??\quzubizdzshz
- C:\Windows\sysnative\LogFiles\Scm\c016366b-7126-46ca-b36b-592a3d95a60b
- C:\Windows\sysnative\LogFiles\Scm\2f57269b-1e09-4e2d-ab1e-b0fdac7d279c
- C:\Windows\Temp
- C:\Windows\sysnative\Tasks\Microsoft\Windows\WDI\ResolutionHost
- C:\Windows\sysnative\LogFiles\Scm\9435f817-fed2-454e-88cd-7f78fda62c48
- C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp
- C:\Windows\ServiceProfiles
- C:\Windows\ServiceProfiles\LocalService
- C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp
- C:\Windows\ServiceProfiles\NetworkService
- C:\Windows\sysnative\LogFiles\Scm\da41de71-8431-42fb-9db0-eb64a961dead
- C:\Windows\Globalization\Sorting\sortdefault.nls
- C:\ProgramData\Microsoft\Windows\WER\ReportQueue
- C:\Users\test\AppData\Local\Temp
- C:\Windows\SysWOW64\winxp\triage.ini
- C:\Windows\SysWOW64\WINXP
- C:\Windows\SysWOW64\winext
- C:\Windows\SysWOW64\winext\arcade
- C:\Windows\SysWOW64\pri
- C:\Windows\SysWOW64
- C:\Windows\SysWOW64\
- C:\ProgramData\Oracle\Java\javapath
- C:\ProgramData\Oracle\Java\javapath\
- C:\Windows\System32
- C:\Windows\System32\
- C:\Windows
- C:\Windows\
- C:\Windows\System32\wbem
- C:\Windows\System32\wbem\
- C:\Windows\System32\WindowsPowerShell\v1.0
- C:\Windows\System32\WindowsPowerShell\v1.0\
- C:\Program Files (x86)\WinRAR
- C:\Program Files (x86)\WinRAR\
- C:\Windows\SysWOW64\WINXP\dbghelp.dll
- C:\Windows\SysWOW64\winext\dbghelp.dll
- C:\Windows\SysWOW64\winext\arcade\dbghelp.dll
- C:\Windows\SysWOW64\pri\dbghelp.dll
- C:\Windows\SysWOW64\dbghelp.dll
- C:\Windows\SysWOW64\WINXP\ext.dll
- C:\Windows\SysWOW64\winext\ext.dll
- C:\Windows\SysWOW64\winext\arcade\ext.dll
- C:\Windows\SysWOW64\pri\ext.dll
- C:\Windows\SysWOW64\ext.dll
- C:\ProgramData\Oracle\Java\javapath\ext.dll
- C:\Windows\System32\ext.dll
- C:\Windows\ext.dll
- C:\Windows\System32\wbem\ext.dll
- C:\Windows\System32\WindowsPowerShell\v1.0\ext.dll
- C:\Program Files (x86)\WinRAR\ext.dll
- C:\Windows\SysWOW64\zh-CN\KERNELBASE.dll.mui
- C:\Windows\SysWOW64\WINXP\exts.dll
- C:\Windows\SysWOW64\winext\exts.dll
- C:\Windows\SysWOW64\winext\arcade\exts.dll
- C:\Windows\SysWOW64\pri\exts.dll
- C:\Windows\SysWOW64\exts.dll
- C:\ProgramData\Oracle\Java\javapath\exts.dll
- C:\Windows\System32\exts.dll
- C:\Windows\exts.dll
- C:\Windows\System32\wbem\exts.dll
- C:\Windows\System32\WindowsPowerShell\v1.0\exts.dll
- C:\Program Files (x86)\WinRAR\exts.dll
- C:\Windows\SysWOW64\WINXP\uext.dll
- C:\Windows\SysWOW64\winext\uext.dll
- C:\Windows\SysWOW64\winext\arcade\uext.dll
- C:\Windows\SysWOW64\pri\uext.dll
- C:\Windows\SysWOW64\uext.dll
- C:\ProgramData\Oracle\Java\javapath\uext.dll
- C:\Windows\System32\uext.dll
- C:\Windows\uext.dll
- C:\Windows\System32\wbem\uext.dll
- C:\Windows\System32\WindowsPowerShell\v1.0\uext.dll
- C:\Program Files (x86)\WinRAR\uext.dll
- C:\Windows\SysWOW64\WINXP\ntsdexts.dll
- C:\Windows\SysWOW64\winext\ntsdexts.dll
- C:\Windows\SysWOW64\winext\arcade\ntsdexts.dll
- C:\Windows\SysWOW64\pri\ntsdexts.dll
- C:\Windows\SysWOW64\ntsdexts.dll
- C:\ProgramData\Oracle\Java\javapath\ntsdexts.dll
- C:\Windows\System32\ntsdexts.dll
- C:\Windows\ntsdexts.dll
- C:\Windows\System32\wbem\ntsdexts.dll
- C:\Windows\System32\WindowsPowerShell\v1.0\ntsdexts.dll
- C:\Program Files (x86)\WinRAR\ntsdexts.dll
- C:\Users\test\AppData\Local\Temp\zombie.exe
- C:\Windows\SysWOW64\zh-CN\werui.dll.mui
- \Device\KsecDD
- C:\Windows\SysWOW64\werui.dll
- C:\Windows\SysWOW64\zh-CN\DUser.dll.mui
- C:\Windows\SysWOW64\WerFault.exe.Local\
- C:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_zh-cn_b7a33d2d3f47b7fb
- C:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_zh-cn_b7a33d2d3f47b7fb\COMCTL32.dll.mui
- C:\Windows\win.ini
- C:\Windows\Fonts\staticcache.dat
- C:\Windows\System32\zh-CN\erofflps.txt
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ndpsetup.bat
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ndpsetup.bat
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat
读取的文件
- C:\Users\test\Desktop\BdHxNbTv.sys
- \??\quzubizdzshz
- C:\Windows\sysnative\LogFiles\Scm\c016366b-7126-46ca-b36b-592a3d95a60b
- C:\Windows\sysnative\LogFiles\Scm\2f57269b-1e09-4e2d-ab1e-b0fdac7d279c
- C:\Windows\sysnative\LogFiles\Scm\da41de71-8431-42fb-9db0-eb64a961dead
- C:\Windows\Globalization\Sorting\sortdefault.nls
- C:\Windows\SysWOW64\winxp\triage.ini
- C:\Windows\SysWOW64\zh-CN\KERNELBASE.dll.mui
- C:\Windows\SysWOW64\zh-CN\werui.dll.mui
- \Device\KsecDD
- C:\Windows\SysWOW64\werui.dll
- C:\Users\test\AppData\Local\Temp\zombie.exe
- C:\Windows\SysWOW64\zh-CN\DUser.dll.mui
- C:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_zh-cn_b7a33d2d3f47b7fb\COMCTL32.dll.mui
- C:\Windows\win.ini
- C:\Windows\Fonts\staticcache.dat
- C:\Windows\System32\zh-CN\erofflps.txt
修改的文件
- C:\Users\test\Desktop\BdHxNbTv.sys
- C:\Windows\sysnative\quzubizdzshz.sys
- \??\quzubizdzshz
- C:\Windows\sysnative\LogFiles\Scm\c016366b-7126-46ca-b36b-592a3d95a60b
- C:\Windows\sysnative\LogFiles\Scm\9435f817-fed2-454e-88cd-7f78fda62c48
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat
删除的文件
- C:\Users\test\Desktop\BdHxNbTv.sys
注册表键
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\AFD
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AFD\Vname
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\quzubizdzshz
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\quzubizdzshz\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Type
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Start
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\ErrorControl
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Tag
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\DependOnService
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\DependOnGroup
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Group
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\RequiredPrivileges
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
- HKEY_USERS\S-1-5-18
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
- HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
- HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
- HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
- HKEY_USERS\.DEFAULT\Environment
- HKEY_USERS\.DEFAULT\Volatile Environment
- HKEY_USERS\.DEFAULT\Volatile Environment\0
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Environment
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Type
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Start
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\ErrorControl
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Tag
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\DependOnService
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\DependOnGroup
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Group
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\Environment
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\Environment
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\Type
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\ErrorControl
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\Tag
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\DependOnService
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\DependOnGroup
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\Group
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppIDSvc
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppIDSvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppIDSvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Appinfo
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Appinfo\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Appinfo\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppMgmt
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppMgmt\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppMgmt\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AxInstSV
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AxInstSV\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AxInstSV\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BDESVC
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BDESVC\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BDESVC\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\bthserv
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\bthserv\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\bthserv\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\dot3svc
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\dot3svc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\dot3svc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EapHost
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EapHost\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EapHost\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EFS
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EFS\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EFS\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\fdPHost
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\fdPHost\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\fdPHost\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\hidserv
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\hidserv\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\hidserv\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\hkmsvc
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\hkmsvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\hkmsvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\HomeGroupListener
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\HomeGroupListener\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\HomeGroupListener\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\HomeGroupProvider
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\HomeGroupProvider\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\HomeGroupProvider\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\idsvc
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\idsvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\idsvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\IPBusEnum
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\IPBusEnum\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\IPBusEnum\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\KeyIso
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\KeyIso\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\KeyIso\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\KtmRm
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\KtmRm\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\KtmRm\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\lltdsvc
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\lltdsvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\lltdsvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Mcx2Svc
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Mcx2Svc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Mcx2Svc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MpsSvc
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MpsSvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MpsSvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MSiSCSI
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MSiSCSI\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MSiSCSI\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Netlogon
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Netlogon\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Netlogon\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetMsmqActivator
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetMsmqActivator\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetMsmqActivator\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetPipeActivator
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetPipeActivator\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetPipeActivator\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetTcpActivator
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetTcpActivator\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetTcpActivator\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetTcpPortSharing
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetTcpPortSharing\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetTcpPortSharing\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\p2pimsvc
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\p2pimsvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\p2pimsvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\p2psvc
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\p2psvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\p2psvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PeerDistSvc
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PeerDistSvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PeerDistSvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\pla
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\pla\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\pla\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PNRPAutoReg
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PNRPAutoReg\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PNRPAutoReg\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PNRPsvc
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PNRPsvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PNRPsvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ProtectedStorage
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ProtectedStorage\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ProtectedStorage\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\QWAVE
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\QWAVE\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\QWAVE\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RasAuto
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RasAuto\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RasAuto\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RasMan
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RasMan\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RasMan\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RemoteAccess
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RemoteAccess\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RemoteAccess\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RemoteRegistry
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RemoteRegistry\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RemoteRegistry\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SCardSvr
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SCardSvr\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SCardSvr\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SCPolicySvc
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SCPolicySvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SCPolicySvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\seclogon
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\seclogon\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\seclogon\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SensrSvc
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SensrSvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SensrSvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppuinotify
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppuinotify\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppuinotify\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SSDPSRV
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SSDPSRV\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SSDPSRV\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SstpSvc
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SstpSvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SstpSvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SysMain
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SysMain\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SysMain\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TabletInputService
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TabletInputService\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TabletInputService\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TapiSrv
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TapiSrv\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TapiSrv\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TBS
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TBS\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TBS\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\THREADORDER
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\THREADORDER\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\THREADORDER\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\upnphost
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\upnphost\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\upnphost\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\W32Time
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\W32Time\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\W32Time\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WbioSrvc
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WbioSrvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WbioSrvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wcncsvc
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wcncsvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wcncsvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WcsPlugInService
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WcsPlugInService\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WcsPlugInService\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WebClient
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WebClient\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WebClient\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Wecsvc
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Wecsvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Wecsvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wercplsupport
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wercplsupport\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wercplsupport\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinDefend
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinDefend\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinDefend\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinHttpAutoProxySvc
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinHttpAutoProxySvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinHttpAutoProxySvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinRM
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinRM\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinRM\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Wlansvc
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Wlansvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Wlansvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WPCSvc
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WPCSvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WPCSvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WPDBusEnum
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WPDBusEnum\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WPDBusEnum\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wudfsvc
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wudfsvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wudfsvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WwanSvc
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WwanSvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WwanSvc\WOW64
- HKEY_USERS\S-1-5-19
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppIDSvc\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Mcx2Svc\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\QWAVE\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SCardSvr\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SensrSvc\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SSDPSRV\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TBS\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\upnphost\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wcncsvc\RequiredPrivileges
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19\ProfileImagePath
- HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
- HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
- HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
- HKEY_USERS\S-1-5-19\Environment
- HKEY_USERS\S-1-5-19\Volatile Environment
- HKEY_USERS\S-1-5-19\Volatile Environment\0
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\Environment
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppsvc
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppsvc\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppsvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppsvc\WOW64
- HKEY_USERS\S-1-5-20
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppsvc\RequiredPrivileges
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20\ProfileImagePath
- HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
- HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
- HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
- HKEY_USERS\S-1-5-20\Environment
- HKEY_USERS\S-1-5-20\Volatile Environment
- HKEY_USERS\S-1-5-20\Volatile Environment\0
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppsvc\Environment
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winmgmt
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winmgmt\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\Type
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\ErrorControl
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\Tag
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\DependOnService
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\DependOnGroup
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\Group
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\ObjectName
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\WerSvcGroup
- HKEY_CURRENT_USER
- HKEY_USERS\.DEFAULT\Control Panel\International
- HKEY_USERS\.DEFAULT\Control Panel\International\LocaleName
- HKEY_USERS\.DEFAULT\Control Panel\International\sCountry
- HKEY_USERS\.DEFAULT\Control Panel\International\sList
- HKEY_USERS\.DEFAULT\Control Panel\International\sDecimal
- HKEY_USERS\.DEFAULT\Control Panel\International\sThousand
- HKEY_USERS\.DEFAULT\Control Panel\International\sGrouping
- HKEY_USERS\.DEFAULT\Control Panel\International\sNativeDigits
- HKEY_USERS\.DEFAULT\Control Panel\International\sCurrency
- HKEY_USERS\.DEFAULT\Control Panel\International\sMonDecimalSep
- HKEY_USERS\.DEFAULT\Control Panel\International\sMonThousandSep
- HKEY_USERS\.DEFAULT\Control Panel\International\sMonGrouping
- HKEY_USERS\.DEFAULT\Control Panel\International\sPositiveSign
- HKEY_USERS\.DEFAULT\Control Panel\International\sNegativeSign
- HKEY_USERS\.DEFAULT\Control Panel\International\sTimeFormat
- HKEY_USERS\.DEFAULT\Control Panel\International\sShortTime
- HKEY_USERS\.DEFAULT\Control Panel\International\s1159
- HKEY_USERS\.DEFAULT\Control Panel\International\s2359
- HKEY_USERS\.DEFAULT\Control Panel\International\sShortDate
- HKEY_USERS\.DEFAULT\Control Panel\International\sYearMonth
- HKEY_USERS\.DEFAULT\Control Panel\International\sLongDate
- HKEY_USERS\.DEFAULT\Control Panel\International\iCountry
- HKEY_USERS\.DEFAULT\Control Panel\International\iMeasure
- HKEY_USERS\.DEFAULT\Control Panel\International\iPaperSize
- HKEY_USERS\.DEFAULT\Control Panel\International\iDigits
- HKEY_USERS\.DEFAULT\Control Panel\International\iLZero
- HKEY_USERS\.DEFAULT\Control Panel\International\iNegNumber
- HKEY_USERS\.DEFAULT\Control Panel\International\NumShape
- HKEY_USERS\.DEFAULT\Control Panel\International\iCurrDigits
- HKEY_USERS\.DEFAULT\Control Panel\International\iCurrency
- HKEY_USERS\.DEFAULT\Control Panel\International\iNegCurr
- HKEY_USERS\.DEFAULT\Control Panel\International\iCalendarType
- HKEY_USERS\.DEFAULT\Control Panel\International\iFirstDayOfWeek
- HKEY_USERS\.DEFAULT\Control Panel\International\iFirstWeekOfYear
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wersvc
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Parameters
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Parameters\ServiceDll
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Parameters\ServiceManifest
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Parameters\ServiceMain
- HKEY_LOCAL_MACHINE
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\ServiceTimeout
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Parameters\ServiceDllUnloadOnStop
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\NoReflection
- HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Category
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Name
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\ParentFolder
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Description
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\RelativePath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\ParsingName
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\InfoTip
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\LocalizedName
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Icon
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Security
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\StreamResource
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\StreamResourceType
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\LocalRedirectOnly
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Roamable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\PreCreate
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Stream
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\PublishExpandedPath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Attributes
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\FolderTypeID
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\InitFolderHandler
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\PropertyBag
- HKEY_USERS\S-1-5-21-2280033686-3172497658-3481507381-1000
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2280033686-3172497658-3481507381-1000
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2280033686-3172497658-3481507381-1000\ProfileImagePath
- HKEY_USERS\S-1-5-21-2280033686-3172497658-3481507381-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
- HKEY_USERS\S-1-5-21-2280033686-3172497658-3481507381-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
- HKEY_USERS\S-1-5-21-2280033686-3172497658-3481507381-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
- HKEY_USERS\S-1-5-21-2280033686-3172497658-3481507381-1000\Environment
- HKEY_USERS\S-1-5-21-2280033686-3172497658-3481507381-1000\Volatile Environment
- HKEY_USERS\S-1-5-21-2280033686-3172497658-3481507381-1000\Volatile Environment\0
- HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Windows Error Reporting
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\TraceFlags
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\Debug
- HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\NoReflection
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
- HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\Plugins\AppRecorder
- HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\Plugins\FDR\CurrentSession
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\Debug\ExceptionRecord
- HKEY_CURRENT_USER\Software\Microsoft\Windiff
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\CurrentType
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\MachineID
- HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\Consent
- HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\Consent\DefaultConsent
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\DontSendAdditionalData
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Disabled
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Consent
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Consent\DefaultConsent
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Consent\DefaultOverrideBehavior
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Consent\APPCRASH
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LoggingDisabled
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\DontShowUI
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\DisableArchive
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\ConfigureArchive
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\DisableQueue
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\MaxQueueCount
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\MaxArchiveCount
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\ForceQueue
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\QueuePesterInterval
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\ExcludedApplications
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\DebugApplications
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\SendEFSFiles
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\BypassDataThrottling
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\ForceUserModeCabCollection
- HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Windows Error Reporting
- HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\DontSendAdditionalData
- HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\Disabled
- HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\Consent\DefaultOverrideBehavior
- HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\Consent\APPCRASH
- HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\LoggingDisabled
- HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\DontShowUI
- HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\DisableArchive
- HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\ConfigureArchive
- HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\DisableQueue
- HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\MaxQueueCount
- HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\MaxArchiveCount
- HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\ForceQueue
- HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\QueuePesterInterval
- HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\ExcludedApplications
- HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\DebugApplications
- HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\SendEFSFiles
- HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\BypassDataThrottling
- HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\ForceUserModeCabCollection
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\CorporateWerServer
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\CorporateWerUseSSL
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\CorporateWerPortNumber
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\CorporateWerUseAuthentication
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Reliability Analysis\RAC
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Reliability Analysis\RAC\RacWerSampleTime
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
- HKEY_LOCAL_MACHINE\Software\Microsoft\DirectUI
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInset
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragDelay
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragMinDist
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollDelay
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInterval
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
- HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
- HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGenServiceDebugLog
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NicPath
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\RegistryRoot
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AssemblyPath
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AssemblyPath2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Client
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\NET Framework Setup\NDP\v4\Client\Install
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGEN_USE_PRIVATE_STORE
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DefaultVersion
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Version
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\ZapSet
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NetFramework\v2.0.50727\NGenService\Roots
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727\NGENService\Roots\WorkPending
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NetFramework\v2.0.50727\NGENService\State
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727\NGENService\State\PendingUpdate
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGenQueue\WIN32\Default
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGenQueueMSI\WIN32\Default
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGenServiceDebugLog
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NicPath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\RegistryRoot
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AssemblyPath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AssemblyPath2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Client\Install
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGEN_USE_PRIVATE_STORE
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DefaultVersion
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Version
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\ZapSet
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGENService\Roots\WorkPending
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGENService\State\PendingUpdate
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGenQueue\WIN64\Default
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGenQueueMSI\WIN64\Default
读取的注册表键
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AFD\Vname
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\quzubizdzshz\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Type
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Start
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\ErrorControl
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Tag
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\DependOnService
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\DependOnGroup
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Group
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
- HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
- HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Environment
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Type
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Start
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\ErrorControl
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Tag
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\DependOnService
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\DependOnGroup
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Group
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\Environment
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\Environment
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\Type
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\ErrorControl
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\Tag
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\DependOnService
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\DependOnGroup
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\Group
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppIDSvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppIDSvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Appinfo\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Appinfo\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppMgmt\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppMgmt\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AxInstSV\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AxInstSV\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BDESVC\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BDESVC\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\bthserv\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\bthserv\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\dot3svc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\dot3svc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EapHost\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EapHost\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EFS\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EFS\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\fdPHost\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\fdPHost\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\hidserv\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\hidserv\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\hkmsvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\hkmsvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\HomeGroupListener\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\HomeGroupListener\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\HomeGroupProvider\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\HomeGroupProvider\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\idsvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\idsvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\IPBusEnum\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\IPBusEnum\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\KeyIso\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\KeyIso\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\KtmRm\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\KtmRm\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\lltdsvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\lltdsvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Mcx2Svc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Mcx2Svc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MpsSvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MpsSvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MSiSCSI\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MSiSCSI\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\napagent\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Netlogon\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Netlogon\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetMsmqActivator\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetMsmqActivator\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetPipeActivator\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetPipeActivator\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetTcpActivator\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetTcpActivator\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetTcpPortSharing\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetTcpPortSharing\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\p2pimsvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\p2pimsvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\p2psvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\p2psvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PeerDistSvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PeerDistSvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\pla\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\pla\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PNRPAutoReg\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PNRPAutoReg\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PNRPsvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PNRPsvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ProtectedStorage\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ProtectedStorage\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\QWAVE\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\QWAVE\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RasAuto\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RasAuto\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RasMan\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RasMan\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RemoteAccess\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RemoteAccess\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RemoteRegistry\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RemoteRegistry\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SCardSvr\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SCardSvr\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SCPolicySvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SCPolicySvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\seclogon\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\seclogon\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SensrSvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SensrSvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppuinotify\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppuinotify\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SSDPSRV\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SSDPSRV\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SstpSvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SstpSvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SysMain\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SysMain\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TabletInputService\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TabletInputService\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TapiSrv\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TapiSrv\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TBS\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TBS\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\THREADORDER\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\THREADORDER\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\upnphost\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\upnphost\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\W32Time\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\W32Time\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WbioSrvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WbioSrvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wcncsvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wcncsvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WcsPlugInService\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WcsPlugInService\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WebClient\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WebClient\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Wecsvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Wecsvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wercplsupport\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wercplsupport\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinDefend\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinDefend\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinHttpAutoProxySvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinHttpAutoProxySvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinRM\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinRM\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Wlansvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Wlansvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WPCSvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WPCSvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WPDBusEnum\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WPDBusEnum\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wudfsvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wudfsvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WwanSvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WwanSvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppIDSvc\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FDResPub\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Mcx2Svc\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\QWAVE\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SCardSvr\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SensrSvc\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SSDPSRV\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TBS\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\upnphost\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wcncsvc\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19\ProfileImagePath
- HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
- HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\Environment
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppsvc\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppsvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppsvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppsvc\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20\ProfileImagePath
- HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
- HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sppsvc\Environment
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winmgmt\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\Type
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\ErrorControl
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\Tag
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\DependOnService
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\DependOnGroup
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\Group
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\ObjectName
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\WerSvcGroup
- HKEY_USERS\.DEFAULT\Control Panel\International\LocaleName
- HKEY_USERS\.DEFAULT\Control Panel\International\sCountry
- HKEY_USERS\.DEFAULT\Control Panel\International\sList
- HKEY_USERS\.DEFAULT\Control Panel\International\sDecimal
- HKEY_USERS\.DEFAULT\Control Panel\International\sThousand
- HKEY_USERS\.DEFAULT\Control Panel\International\sGrouping
- HKEY_USERS\.DEFAULT\Control Panel\International\sNativeDigits
- HKEY_USERS\.DEFAULT\Control Panel\International\sCurrency
- HKEY_USERS\.DEFAULT\Control Panel\International\sMonDecimalSep
- HKEY_USERS\.DEFAULT\Control Panel\International\sMonThousandSep
- HKEY_USERS\.DEFAULT\Control Panel\International\sMonGrouping
- HKEY_USERS\.DEFAULT\Control Panel\International\sPositiveSign
- HKEY_USERS\.DEFAULT\Control Panel\International\sNegativeSign
- HKEY_USERS\.DEFAULT\Control Panel\International\sTimeFormat
- HKEY_USERS\.DEFAULT\Control Panel\International\sShortTime
- HKEY_USERS\.DEFAULT\Control Panel\International\s1159
- HKEY_USERS\.DEFAULT\Control Panel\International\s2359
- HKEY_USERS\.DEFAULT\Control Panel\International\sShortDate
- HKEY_USERS\.DEFAULT\Control Panel\International\sYearMonth
- HKEY_USERS\.DEFAULT\Control Panel\International\sLongDate
- HKEY_USERS\.DEFAULT\Control Panel\International\iCountry
- HKEY_USERS\.DEFAULT\Control Panel\International\iMeasure
- HKEY_USERS\.DEFAULT\Control Panel\International\iPaperSize
- HKEY_USERS\.DEFAULT\Control Panel\International\iDigits
- HKEY_USERS\.DEFAULT\Control Panel\International\iLZero
- HKEY_USERS\.DEFAULT\Control Panel\International\iNegNumber
- HKEY_USERS\.DEFAULT\Control Panel\International\NumShape
- HKEY_USERS\.DEFAULT\Control Panel\International\iCurrDigits
- HKEY_USERS\.DEFAULT\Control Panel\International\iCurrency
- HKEY_USERS\.DEFAULT\Control Panel\International\iNegCurr
- HKEY_USERS\.DEFAULT\Control Panel\International\iCalendarType
- HKEY_USERS\.DEFAULT\Control Panel\International\iFirstDayOfWeek
- HKEY_USERS\.DEFAULT\Control Panel\International\iFirstWeekOfYear
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Parameters\ServiceDll
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Parameters\ServiceManifest
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Parameters\ServiceMain
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\ServiceTimeout
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Parameters\ServiceDllUnloadOnStop
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\NoReflection
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Category
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Name
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\ParentFolder
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Description
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\RelativePath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\ParsingName
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\InfoTip
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\LocalizedName
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Icon
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Security
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\StreamResource
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\StreamResourceType
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\LocalRedirectOnly
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Roamable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\PreCreate
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Stream
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\PublishExpandedPath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Attributes
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\FolderTypeID
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\InitFolderHandler
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2280033686-3172497658-3481507381-1000\ProfileImagePath
- HKEY_USERS\S-1-5-21-2280033686-3172497658-3481507381-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
- HKEY_USERS\S-1-5-21-2280033686-3172497658-3481507381-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\TraceFlags
- HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\NoReflection
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\CurrentType
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\MachineID
- HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\Consent\DefaultConsent
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\DontSendAdditionalData
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Disabled
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Consent\DefaultConsent
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Consent\DefaultOverrideBehavior
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Consent\APPCRASH
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LoggingDisabled
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\DontShowUI
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\DisableArchive
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\ConfigureArchive
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\DisableQueue
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\MaxQueueCount
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\MaxArchiveCount
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\ForceQueue
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\QueuePesterInterval
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\SendEFSFiles
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\BypassDataThrottling
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\ForceUserModeCabCollection
- HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\DontSendAdditionalData
- HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\Disabled
- HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\Consent\DefaultOverrideBehavior
- HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\Consent\APPCRASH
- HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\LoggingDisabled
- HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\DontShowUI
- HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\DisableArchive
- HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\ConfigureArchive
- HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\DisableQueue
- HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\MaxQueueCount
- HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\MaxArchiveCount
- HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\ForceQueue
- HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\QueuePesterInterval
- HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\SendEFSFiles
- HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\BypassDataThrottling
- HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\ForceUserModeCabCollection
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\CorporateWerServer
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\CorporateWerUseSSL
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\CorporateWerPortNumber
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\CorporateWerUseAuthentication
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Reliability Analysis\RAC\RacWerSampleTime
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInset
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragDelay
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragMinDist
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollDelay
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInterval
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGenServiceDebugLog
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NicPath
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\RegistryRoot
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AssemblyPath
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AssemblyPath2
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\NET Framework Setup\NDP\v4\Client\Install
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGEN_USE_PRIVATE_STORE
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DefaultVersion
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Version
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\ZapSet
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727\NGENService\Roots\WorkPending
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727\NGENService\State\PendingUpdate
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGenServiceDebugLog
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NicPath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\RegistryRoot
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AssemblyPath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AssemblyPath2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Client\Install
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGEN_USE_PRIVATE_STORE
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DefaultVersion
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Version
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\ZapSet
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGENService\Roots\WorkPending
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGENService\State\PendingUpdate
修改的注册表键
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AFD\Vname
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Type
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\Debug\ExceptionRecord
删除的注册表键
无信息
API解析
- kernel32.dll.GetModuleHandleA
- kernel32.dll.GetProcAddress
- advapi32.dll.RegCloseKey
- kernel32.dll.VirtualProtect
- kernel32.dll.GetTickCount
- kernel32.dll.CloseHandle
- kernel32.dll.GetSystemDirectoryA
- kernel32.dll.CreateFileA
- kernel32.dll.GetLastError
- kernel32.dll.Wow64RevertWow64FsRedirection
- kernel32.dll.CopyFileA
- kernel32.dll.MultiByteToWideChar
- kernel32.dll.GetCurrentThreadId
- kernel32.dll.DeviceIoControl
- kernel32.dll.WriteConsoleW
- kernel32.dll.Wow64DisableWow64FsRedirection
- kernel32.dll.UnhandledExceptionFilter
- kernel32.dll.SetUnhandledExceptionFilter
- kernel32.dll.GetCurrentProcess
- kernel32.dll.TerminateProcess
- kernel32.dll.IsProcessorFeaturePresent
- kernel32.dll.QueryPerformanceCounter
- kernel32.dll.GetCurrentProcessId
- kernel32.dll.GetSystemTimeAsFileTime
- kernel32.dll.InitializeSListHead
- kernel32.dll.IsDebuggerPresent
- kernel32.dll.GetStartupInfoW
- kernel32.dll.GetModuleHandleW
- kernel32.dll.InterlockedFlushSList
- kernel32.dll.RtlUnwind
- kernel32.dll.SetLastError
- kernel32.dll.EnterCriticalSection
- kernel32.dll.LeaveCriticalSection
- kernel32.dll.DeleteCriticalSection
- kernel32.dll.InitializeCriticalSectionAndSpinCount
- kernel32.dll.TlsAlloc
- kernel32.dll.TlsGetValue
- kernel32.dll.TlsSetValue
- kernel32.dll.TlsFree
- kernel32.dll.FreeLibrary
- kernel32.dll.LoadLibraryExW
- kernel32.dll.RaiseException
- kernel32.dll.ExitProcess
- kernel32.dll.GetModuleHandleExW
- kernel32.dll.GetModuleFileNameW
- kernel32.dll.HeapAlloc
- kernel32.dll.HeapFree
- kernel32.dll.FindClose
- kernel32.dll.FindFirstFileExW
- kernel32.dll.FindNextFileW
- kernel32.dll.IsValidCodePage
- kernel32.dll.GetACP
- kernel32.dll.GetOEMCP
- kernel32.dll.GetCPInfo
- kernel32.dll.GetCommandLineA
- kernel32.dll.GetCommandLineW
- kernel32.dll.WideCharToMultiByte
- kernel32.dll.GetEnvironmentStringsW
- kernel32.dll.FreeEnvironmentStringsW
- kernel32.dll.GetStdHandle
- kernel32.dll.GetFileType
- kernel32.dll.LCMapStringW
- kernel32.dll.GetProcessHeap
- kernel32.dll.GetStringTypeW
- kernel32.dll.HeapSize
- kernel32.dll.HeapReAlloc
- kernel32.dll.SetStdHandle
- kernel32.dll.FlushFileBuffers
- kernel32.dll.WriteFile
- kernel32.dll.GetConsoleCP
- kernel32.dll.GetConsoleMode
- kernel32.dll.SetFilePointerEx
- kernel32.dll.CreateFileW
- advapi32.dll.RegCreateKeyA
- advapi32.dll.CreateServiceA
- advapi32.dll.CloseServiceHandle
- advapi32.dll.RegQueryValueExA
- advapi32.dll.OpenSCManagerA
- advapi32.dll.DeleteService
- advapi32.dll.ControlService
- advapi32.dll.StartServiceA
- advapi32.dll.RegSetValueExA
- advapi32.dll.RegOpenKeyExA
- advapi32.dll.OpenServiceA
- kernel32.dll.InitializeCriticalSectionEx
- kernel32.dll.FlsAlloc
- kernel32.dll.FlsSetValue
- kernel32.dll.FlsGetValue
- kernel32.dll.LCMapStringEx
- kernel32.dll.AreFileApisANSI
- kernel32.dll.LoadLibraryA
- kernel32.dll.VirtualAlloc
- kernel32.dll.VirtualFree
- kernel32.dll.IsBadReadPtr
- d3d11.dll.D3D11CreateDeviceAndSwapChain
- ntdll.dll.ZwProtectVirtualMemory
- kernel32.dll.SortGetHandle
- kernel32.dll.SortCloseHandle
- wersvc.dll.ServiceMain
- wersvc.dll.SvchostPushServiceGlobals
- advapi32.dll.RegGetValueW
- sechost.dll.ConvertStringSecurityDescriptorToSecurityDescriptorW
- faultrep.dll.WerpInitiateCrashReporting
- wer.dll.WerpCreateMachineStore
- shell32.dll.SHGetFolderPathEx
- ole32.dll.StringFromGUID2
- profapi.dll.#104
- userenv.dll.CreateEnvironmentBlock
- sechost.dll.ConvertSidToStringSidW
- sspicli.dll.GetUserNameExW
- imm32.dll.ImmDisableIME
- psapi.dll.GetModuleFileNameExW
- version.dll.GetFileVersionInfoSizeW
- version.dll.GetFileVersionInfoW
- version.dll.VerQueryValueW
- wer.dll.WerpCreateIntegratorReportId
- wer.dll.WerReportCreate
- advapi32.dll.OpenProcessToken
- wer.dll.WerpSetIntegratorReportId
- wer.dll.WerReportSetParameter
- dbgeng.dll.DebugCreate
- ntdll.dll.CsrGetProcessId
- ntdll.dll.DbgBreakPoint
- ntdll.dll.DbgPrint
- ntdll.dll.DbgPrompt
- ntdll.dll.DbgUiConvertStateChangeStructure
- ntdll.dll.DbgUiGetThreadDebugObject
- ntdll.dll.DbgUiIssueRemoteBreakin
- ntdll.dll.DbgUiSetThreadDebugObject
- ntdll.dll.NtAllocateVirtualMemory
- ntdll.dll.NtClose
- ntdll.dll.NtCreateDebugObject
- ntdll.dll.NtCreateFile
- ntdll.dll.NtDebugActiveProcess
- ntdll.dll.NtDebugContinue
- ntdll.dll.NtFreeVirtualMemory
- ntdll.dll.NtOpenProcess
- ntdll.dll.NtOpenThread
- ntdll.dll.NtQueryInformationProcess
- ntdll.dll.NtQueryInformationThread
- ntdll.dll.NtQueryMutant
- ntdll.dll.NtQueryObject
- ntdll.dll.NtQuerySystemInformation
- ntdll.dll.NtRemoveProcessDebug
- ntdll.dll.NtResumeThread
- ntdll.dll.NtSetInformationDebugObject
- ntdll.dll.NtSetInformationProcess
- ntdll.dll.NtSystemDebugControl
- ntdll.dll.NtWaitForDebugEvent
- ntdll.dll.RtlAnsiStringToUnicodeString
- ntdll.dll.RtlCreateProcessParameters
- ntdll.dll.RtlCreateUserProcess
- ntdll.dll.RtlDestroyProcessParameters
- ntdll.dll.RtlDosPathNameToNtPathName_U
- ntdll.dll.RtlFindMessage
- ntdll.dll.RtlFreeHeap
- ntdll.dll.RtlFreeUnicodeString
- ntdll.dll.RtlGetUnloadEventTrace
- ntdll.dll.RtlGetUnloadEventTraceEx
- ntdll.dll.RtlInitAnsiString
- ntdll.dll.RtlInitUnicodeString
- ntdll.dll.RtlTryEnterCriticalSection
- ntdll.dll.RtlUnicodeStringToAnsiString
- ntdll.dll.NtOpenProcessToken
- ntdll.dll.NtOpenThreadToken
- ntdll.dll.NtQueryInformationToken
- kernel32.dll.CloseProfileUserMapping
- kernel32.dll.CreateToolhelp32Snapshot
- kernel32.dll.DebugActiveProcessStop
- kernel32.dll.DebugBreak
- kernel32.dll.DebugBreakProcess
- kernel32.dll.DebugSetProcessKillOnExit
- kernel32.dll.Module32First
- kernel32.dll.Module32FirstW
- kernel32.dll.Module32Next
- kernel32.dll.Module32NextW
- kernel32.dll.OpenThread
- kernel32.dll.Process32First
- kernel32.dll.Process32FirstW
- kernel32.dll.Process32Next
- kernel32.dll.Process32NextW
- kernel32.dll.ProcessIdToSessionId
- kernel32.dll.SetProcessShutdownParameters
- kernel32.dll.Thread32First
- kernel32.dll.Thread32Next
- kernel32.dll.GetTimeZoneInformation
- kernel32.dll.DuplicateHandle
- kernel32.dll.Wow64GetThreadSelectorEntry
- advapi32.dll.CreateServiceW
- advapi32.dll.EnumServicesStatusExA
- advapi32.dll.EnumServicesStatusExW
- advapi32.dll.GetEventLogInformation
- advapi32.dll.GetTokenInformation
- advapi32.dll.LookupAccountSidW
- advapi32.dll.OpenSCManagerW
- advapi32.dll.OpenServiceW
- advapi32.dll.StartServiceW
- advapi32.dll.GetSidSubAuthority
- advapi32.dll.GetSidSubAuthorityCount
- version.dll.GetFileVersionInfoSizeExW
- version.dll.GetFileVersionInfoExW
- dbghelp.dll.WinDbgExtensionDllInit
- dbghelp.dll.ExtensionApiVersion
- wer.dll.WerpSetDynamicParameter
- wer.dll.WerReportAddDump
- wer.dll.WerpSetCallBack
- wer.dll.WerReportSetUIOption
- wer.dll.WerpAddRegisteredDataToReport
- wer.dll.WerReportSubmit
- advapi32.dll.RegOpenKeyExW
- user32.dll.LoadStringW
- advapi32.dll.RegQueryValueExW
- advapi32.dll.AllocateAndInitializeSid
- advapi32.dll.CheckTokenMembership
- user32.dll.GetProcessWindowStation
- user32.dll.GetThreadDesktop
- user32.dll.GetUserObjectInformationW
- advapi32.dll.FreeSid
- sensapi.dll.IsNetworkAlive
- rpcrt4.dll.RpcBindingFromStringBindingW
- rpcrt4.dll.RpcBindingSetAuthInfoExW
- rpcrt4.dll.NdrClientCall2
- user32.dll.CharUpperW
- werui.dll.WerUICreate
- werui.dll.WerUIStart
- ole32.dll.CoInitialize
- cryptbase.dll.SystemFunction036
- ole32.dll.CoUninitialize
- oleaut32.dll.#500
- kernel32.dll.CreateActCtxW
- kernel32.dll.ActivateActCtx
- dui70.dll.InitProcessPriv
- kernel32.dll.QueryActCtxW
- kernel32.dll.FindActCtxSectionStringW
- kernel32.dll.DeactivateActCtx
- comctl32.dll.LoadIconWithScaleDown
- ntdll.dll.RtlRunEncodeUnicodeString
- ntdll.dll.RtlRunDecodeUnicodeString
- dui70.dll.InitThread
- duser.dll.InitGadgets
- user32.dll.RegisterMessagePumpHook
- dui70.dll.?GetClassInfoPtr@CCBase@DirectUI@@SGPAUIClassInfo@2@XZ
- dui70.dll.?GetFactoryLock@Element@DirectUI@@SGPAU_RTL_CRITICAL_SECTION@@XZ
- dui70.dll.??0CritSecLock@DirectUI@@QAE@PAU_RTL_CRITICAL_SECTION@@@Z
- dui70.dll.?ClassExist@ClassInfoBase@DirectUI@@SG_NPAPAUIClassInfo@2@PBQBUPropertyInfo@2@IPAU32@PAUHINSTANCE__@@PBG_N@Z
- dui70.dll.??0ClassInfoBase@DirectUI@@QAE@XZ
- dui70.dll.?Initialize@ClassInfoBase@DirectUI@@QAEJPAUHINSTANCE__@@PBG_NPBQBUPropertyInfo@2@I@Z
- dui70.dll.?Register@ClassInfoBase@DirectUI@@QAEJXZ
- dui70.dll.?IsGlobal@ClassInfoBase@DirectUI@@UBE_NXZ
- dui70.dll.?GetName@ClassInfoBase@DirectUI@@UBEPBGXZ
- dui70.dll.?GetModule@ClassInfoBase@DirectUI@@UBEPAUHINSTANCE__@@XZ
- dui70.dll.??1CritSecLock@DirectUI@@QAE@XZ
- dui70.dll.??0CCBase@DirectUI@@QAE@KPBG@Z
- dui70.dll.?Initialize@CCBase@DirectUI@@QAEJIPAVElement@2@PAK@Z
- duser.dll.CreateGadget
- duser.dll.SetGadgetMessageFilter
- duser.dll.SetGadgetStyle
- dui70.dll.?OnPropertyChanging@Element@DirectUI@@UAE_NPBUPropertyInfo@2@HPAVValue@2@1@Z
- dui70.dll.?HandleUiaPropertyChangingListener@Element@DirectUI@@UAEXPBUPropertyInfo@2@@Z
- dui70.dll.?HandleUiaPropertyListener@Element@DirectUI@@UAEXPBUPropertyInfo@2@HPAVValue@2@1@Z
- dui70.dll.?DirectionProp@Element@DirectUI@@SGPBUPropertyInfo@2@XZ
- dui70.dll.?OnPropertyChanged@CCBase@DirectUI@@UAEXPBUPropertyInfo@2@HPAVValue@2@1@Z
- dui70.dll.?SetFontSize@Element@DirectUI@@QAEJH@Z
- dui70.dll.?SetWidth@Element@DirectUI@@QAEJH@Z
- dui70.dll.?SetHeight@Element@DirectUI@@QAEJH@Z
- dui70.dll.?EndDefer@Element@DirectUI@@QAEXK@Z
- dui70.dll.?OnGroupChanged@Element@DirectUI@@UAEXH_N@Z
- duser.dll.InvalidateGadget
- dui70.dll.CreateDUIWrapper
- dui70.dll.?SetNotifyHandler@CCBase@DirectUI@@QAEXP6GHIIJPAJPAX@Z1@Z
- shell32.dll.ExtractIconExW
- comctl32.dll.TaskDialogIndirect
- uxtheme.dll.IsThemeActive
- duser.dll.SetGadgetRootInfo
- dwmapi.dll.DwmIsCompositionEnabled
- uxtheme.dll.IsAppThemed
- ole32.dll.CreateStreamOnHGlobal
- xmllite.dll.CreateXmlReader
- xmllite.dll.CreateXmlReaderInputWithEncodingName
- duser.dll.FindStdColor
- oleaut32.dll.#6
- duser.dll.SetGadgetParent
- duser.dll.GetDUserModule
- duser.dll.AttachWndProcW
- kernel32.dll.InterlockedPopEntrySList
- kernel32.dll.InterlockedPushEntrySList
- kernel32.dll.InterlockedCompareExchange
- comctl32.dll.RegisterClassNameW
- uxtheme.dll.OpenThemeData
- duser.dll.GetGadgetRect
- duser.dll.GetGadgetRgn
- duser.dll.GetGadgetTicket
- dui70.dll.?GetPICount@ClassInfoBase@DirectUI@@UBEIXZ
- dui70.dll.?GetByClassIndex@ClassInfoBase@DirectUI@@UAEPBUPropertyInfo@2@I@Z
- dui70.dll.?OnHosted@HWNDHost@DirectUI@@MAEXPAVElement@2@@Z
- dui70.dll.?CreateAccNameLabel@HWNDHost@DirectUI@@IAEPAUHWND__@@PAU3@@Z
- uxtheme.dll.EnableThemeDialogTexture
- dui70.dll.?OnMessage@HWNDHost@DirectUI@@UAE_NIIJPAJ@Z
- dui70.dll.?CreateHWND@CCBase@DirectUI@@UAEPAUHWND__@@PAU3@@Z
- dui70.dll.?PostCreate@CCBase@DirectUI@@MAEXPAUHWND__@@@Z
- dui70.dll.?IsContentProtected@Element@DirectUI@@UAE_NXZ
- duser.dll.GetGadgetFocus
- gdi32.dll.GetLayout
- gdi32.dll.GdiRealizationInfo
- gdi32.dll.FontIsLinked
- advapi32.dll.RegQueryInfoKeyW
- gdi32.dll.GetTextFaceAliasW
- advapi32.dll.RegEnumValueW
- advapi32.dll.RegEnumKeyExW
- gdi32.dll.GetTextExtentExPointWPri
- duser.dll.SetGadgetFocus
- duser.dll.DUserSendEvent
- duser.dll.SetGadgetRect
- comctl32.dll.SetWindowSubclass
- comctl32.dll.DefSubclassProc
- dui70.dll.?GetHWND@HWNDHost@DirectUI@@UAEPAUHWND__@@XZ
- uxtheme.dll.BufferedPaintInit
- uxtheme.dll.BeginBufferedPaint
- uxtheme.dll.GetBufferedPaintDC
- uxtheme.dll.GetBufferedPaintTargetDC
- uxtheme.dll.EndBufferedPaint
- duser.dll.FindGadgetFromPoint
- advapi32.dll.StartServiceCtrlDispatcherW