魔盾安全分析报告

分析类型	开始时间	结束时间	持续时间	分析引擎版本
FILE	2019-11-18 16:15:42	2019-11-18 16:17:57	135 秒	1.4-Maldun

虚拟机机器名	标签	虚拟机管理	开机时间	关机时间
win7-sp1-x64-hpdapp01-1	win7-sp1-x64-hpdapp01-1	KVM	2019-11-18 16:15:48	2019-11-18 16:17:58

魔盾分数
9.1 恶意的

文件详细信息

文件名	PsQREdit 2.4.3huajun.exe
文件大小	252400 字节
文件类型	PE32 executable (GUI) Intel 80386, for MS Windows
CRC32	41C8196D
MD5	eedbf7a7d70fd618773edf8c5898a995
SHA1	792f5fb9e60c7ff63fb659276b626d2666f2b9ee
SHA256	f1bb56ffe4f4c9714a5f70ea93630abfaee0bd3ffa3b99565879e2c14899cdcc
SHA512	d48377b4b29085e098fdc941e4c9915c995684e4c6e994708a057a8305864f8f6a3fdcf923689011e168e6260491a5aaf1b22b12ec1085e61d3cc8729905b115
Ssdeep	3072:ec8z0aBu5qWohUjAfA1dvYS6M3f+VqiO4pnCcYZojFlYQotLBnRQf22J3J0wJ16o:ec8QY8AY4p3YakhRKO2J3JTTL
PEiD	无匹配
Yara	screenshot (Detected take screenshot function) create_process (Detection function for creating a new process) keylogger (Detected keylogger function) win_registry (Detected system registries modification function) change_win_registry (Change registries to affect system) Maldun_Anomoly_Combined_Activities_7 (Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files) with_images (Detected the presence of an or several images) with_urls (Detected the presence of an or several urls) IsPE32 (Detected a 32bit PE sample) IsWindowsGUI (Detected a Windows GUI sample) HasOverlay (Detected Overlay signature) HasDigitalSignature (Detected Digital Signature) HasRichSignature (Detected Rich Signature)
VirusTotal	VirusTotal链接 VirusTotal扫描时间: 2019-11-18 08:13:38 扫描结果: 0/67

特征

魔盾安全Yara规则检测结果 - 安全告警

Critical: Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files

Informational: Detected Overlay signature

检测到样本尝试模糊或欺骗文件类型

运行截图

网络分析

无信息

静态分析

PE 信息

初始地址	0x00400000
入口地址	0x00421e2a
声明校验值	0x000453ad
实际校验值	0x000453ad
最低操作系统版本要求	4.0
编译时间	2009-10-05 12:43:57
载入哈希	ca18b8f109eb3059d32a73332f5c1c1b

版本信息

LegalCopyright:	(C) 2003-2009 Psytec Inc.
InternalName:	PsQREdit
FileVersion:	2, 4, 3, 1
CompanyName:	Psytec Inc.
PrivateBuild:
LegalTrademarks:
Comments:	QR Code Editor for Cellular Phones
ProductName:	Psytec QR Code Editor
SpecialBuild:
ProductVersion:	2, 4, 3, 1
FileDescription:	Psytec QR Code Editor
OriginalFilename:	PsQREdit.exe
Translation:	0x0411 0x04b0

PE数据组成

名称	虚拟地址	虚拟大小	原始数据大小	特征	熵(Entropy)
.text	0x00001000	0x00022302	0x00023000	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	6.32
.rdata	0x00024000	0x00005974	0x00006000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	5.18
.data	0x0002a000	0x00004034	0x00004000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	4.60
.rsrc	0x0002f000	0x0000d28a	0x0000e000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	5.55

导入

库 USER32.dll:

• 0x424668 - IsWindow

• 0x42466c - LoadMenuA

• 0x424670 - GetSubMenu

• 0x424674 - EnableMenuItem

• 0x424678 - GetClientRect

• 0x42467c - EnableWindow

• 0x424680 - GetFocus

• 0x424684 - GetClassNameA

• 0x424688 - OpenClipboard

• 0x42468c - IsClipboardFormatAvailable

• 0x424690 - CloseClipboard

• 0x424694 - GetWindowRect

• 0x424698 - LoadIconA

• 0x42469c - GetKeyState

• 0x4246a0 - IsIconic

• 0x4246a4 - GetWindowLongA

• 0x4246a8 - SendMessageA

• 0x4246ac - GetKeyboardLayout

• 0x4246b0 - RegisterWindowMessageA

• 0x4246b4 - ClientToScreen

• 0x4246b8 - PtInRect

• 0x4246bc - SetCapture

• 0x4246c0 - ReleaseCapture

• 0x4246c4 - LoadImageA

• 0x4246c8 - UpdateWindow

• 0x4246cc - SetForegroundWindow

• 0x4246d0 - PostMessageA

• 0x4246d4 - RegisterClipboardFormatA

• 0x4246d8 - SetRect

• 0x4246dc - LoadCursorA

• 0x4246e0 - SetCursor

• 0x4246e4 - MonitorFromRect

• 0x4246e8 - GetMonitorInfoA

• 0x4246ec - CopyRect

• 0x4246f0 - LoadBitmapA

• 0x4246f4 - FillRect

• 0x4246f8 - EmptyClipboard

• 0x4246fc - SetClipboardData

• 0x424700 - SetWindowTextA

• 0x424704 - GetParent

• 0x424708 - ValidateRect

• 0x42470c - GetDC

• 0x424710 - ReleaseDC

• 0x424714 - InvalidateRect

库 SHLWAPI.dll:

• 0x42465c - PathFindFileNameA

• 0x424660 - PathFindExtensionA

库 gdiplus.dll:

• 0x424728 - GdipGetImagePixelFormat

• 0x42472c - GdipGetImageHorizontalResolution

• 0x424730 - GdipGetImageVerticalResolution

• 0x424734 - GdipBitmapGetPixel

• 0x424738 - GdiplusShutdown

• 0x42473c - GdipGetImageHeight

• 0x424740 - GdipGetImageWidth

• 0x424744 - GdipCreateBitmapFromFile

• 0x424748 - GdipAlloc

• 0x42474c - GdiplusStartup

• 0x424750 - GdipSaveImageToFile

• 0x424754 - GdipBitmapUnlockBits

• 0x424758 - GdipBitmapLockBits

• 0x42475c - GdipSetImagePalette

• 0x424760 - GdipBitmapSetResolution

• 0x424764 - GdipCreateBitmapFromScan0

• 0x424768 - GdipGetImageEncoders

• 0x42476c - GdipGetImageEncodersSize

• 0x424770 - GdipCloneImage

• 0x424774 - GdipFree

• 0x424778 - GdipDisposeImage

库 IMM32.dll:

• 0x424078 - ImmSetConversionStatus

• 0x42407c - ImmSetOpenStatus

• 0x424080 - ImmGetContext

• 0x424084 - ImmAssociateContext

• 0x424088 - ImmGetOpenStatus

• 0x42408c - ImmGetConversionListW

• 0x424090 - ImmReleaseContext

库 MFC42.DLL:

• 0x4240ec - None

• 0x4240f0 - None

• 0x4240f4 - None

• 0x4240f8 - None

• 0x4240fc - None

• 0x424100 - None

• 0x424104 - None

• 0x424108 - None

• 0x42410c - None

• 0x424110 - None

• 0x424114 - None

• 0x424118 - None

• 0x42411c - None

• 0x424120 - None

• 0x424124 - None

• 0x424128 - None

• 0x42412c - None

• 0x424130 - None

• 0x424134 - None

• 0x424138 - None

• 0x42413c - None

• 0x424140 - None

• 0x424144 - None

• 0x424148 - None

• 0x42414c - None

• 0x424150 - None

• 0x424154 - None

• 0x424158 - None

• 0x42415c - None

• 0x424160 - None

• 0x424164 - None

• 0x424168 - None

• 0x42416c - None

• 0x424170 - None

• 0x424174 - None

• 0x424178 - None

• 0x42417c - None

• 0x424180 - None

• 0x424184 - None

• 0x424188 - None

• 0x42418c - None

• 0x424190 - None

• 0x424194 - None

• 0x424198 - None

• 0x42419c - None

• 0x4241a0 - None

• 0x4241a4 - None

• 0x4241a8 - None

• 0x4241ac - None

• 0x4241b0 - None

• 0x4241b4 - None

• 0x4241b8 - None

• 0x4241bc - None

• 0x4241c0 - None

• 0x4241c4 - None

• 0x4241c8 - None

• 0x4241cc - None

• 0x4241d0 - None

• 0x4241d4 - None

• 0x4241d8 - None

• 0x4241dc - None

• 0x4241e0 - None

• 0x4241e4 - None

• 0x4241e8 - None

• 0x4241ec - None

• 0x4241f0 - None

• 0x4241f4 - None

• 0x4241f8 - None

• 0x4241fc - None

• 0x424200 - None

• 0x424204 - None

• 0x424208 - None

• 0x42420c - None

• 0x424210 - None

• 0x424214 - None

• 0x424218 - None

• 0x42421c - None

• 0x424220 - None

• 0x424224 - None

• 0x424228 - None

• 0x42422c - None

• 0x424230 - None

• 0x424234 - None

• 0x424238 - None

• 0x42423c - None

• 0x424240 - None

• 0x424244 - None

• 0x424248 - None

• 0x42424c - None

• 0x424250 - None

• 0x424254 - None

• 0x424258 - None

• 0x42425c - None

• 0x424260 - None

• 0x424264 - None

• 0x424268 - None

• 0x42426c - None

• 0x424270 - None

• 0x424274 - None

• 0x424278 - None

• 0x42427c - None

• 0x424280 - None

• 0x424284 - None

• 0x424288 - None

• 0x42428c - None

• 0x424290 - None

• 0x424294 - None

• 0x424298 - None

• 0x42429c - None

• 0x4242a0 - None

• 0x4242a4 - None

• 0x4242a8 - None

• 0x4242ac - None

• 0x4242b0 - None

• 0x4242b4 - None

• 0x4242b8 - None

• 0x4242bc - None

• 0x4242c0 - None

• 0x4242c4 - None

• 0x4242c8 - None

• 0x4242cc - None

• 0x4242d0 - None

• 0x4242d4 - None

• 0x4242d8 - None

• 0x4242dc - None

• 0x4242e0 - None

• 0x4242e4 - None

• 0x4242e8 - None

• 0x4242ec - None

• 0x4242f0 - None

• 0x4242f4 - None

• 0x4242f8 - None

• 0x4242fc - None

• 0x424300 - None

• 0x424304 - None

• 0x424308 - None

• 0x42430c - None

• 0x424310 - None

• 0x424314 - None

• 0x424318 - None

• 0x42431c - None

• 0x424320 - None

• 0x424324 - None

• 0x424328 - None

• 0x42432c - None

• 0x424330 - None

• 0x424334 - None

• 0x424338 - None

• 0x42433c - None

• 0x424340 - None

• 0x424344 - None

• 0x424348 - None

• 0x42434c - None

• 0x424350 - None

• 0x424354 - None

• 0x424358 - None

• 0x42435c - None

• 0x424360 - None

• 0x424364 - None

• 0x424368 - None

• 0x42436c - None

• 0x424370 - None

• 0x424374 - None

• 0x424378 - None

• 0x42437c - None

• 0x424380 - None

• 0x424384 - None

• 0x424388 - None

• 0x42438c - None

• 0x424390 - None

• 0x424394 - None

• 0x424398 - None

• 0x42439c - None

• 0x4243a0 - None

• 0x4243a4 - None

• 0x4243a8 - None

• 0x4243ac - None

• 0x4243b0 - None

• 0x4243b4 - None

• 0x4243b8 - None

• 0x4243bc - None

• 0x4243c0 - None

• 0x4243c4 - None

• 0x4243c8 - None

• 0x4243cc - None

• 0x4243d0 - None

• 0x4243d4 - None

• 0x4243d8 - None

• 0x4243dc - None

• 0x4243e0 - None

• 0x4243e4 - None

• 0x4243e8 - None

• 0x4243ec - None

• 0x4243f0 - None

• 0x4243f4 - None

• 0x4243f8 - None

• 0x4243fc - None

• 0x424400 - None

• 0x424404 - None

• 0x424408 - None

• 0x42440c - None

• 0x424410 - None

• 0x424414 - None

• 0x424418 - None

• 0x42441c - None

• 0x424420 - None

• 0x424424 - None

• 0x424428 - None

• 0x42442c - None

• 0x424430 - None

• 0x424434 - None

• 0x424438 - None

• 0x42443c - None

• 0x424440 - None

• 0x424444 - None

• 0x424448 - None

• 0x42444c - None

• 0x424450 - None

• 0x424454 - None

• 0x424458 - None

• 0x42445c - None

• 0x424460 - None

• 0x424464 - None

• 0x424468 - None

• 0x42446c - None

• 0x424470 - None

• 0x424474 - None

• 0x424478 - None

• 0x42447c - None

• 0x424480 - None

• 0x424484 - None

• 0x424488 - None

• 0x42448c - None

• 0x424490 - None

• 0x424494 - None

• 0x424498 - None

• 0x42449c - None

• 0x4244a0 - None

• 0x4244a4 - None

• 0x4244a8 - None

• 0x4244ac - None

• 0x4244b0 - None

• 0x4244b4 - None

• 0x4244b8 - None

• 0x4244bc - None

• 0x4244c0 - None

• 0x4244c4 - None

• 0x4244c8 - None

• 0x4244cc - None

• 0x4244d0 - None

• 0x4244d4 - None

• 0x4244d8 - None

• 0x4244dc - None

• 0x4244e0 - None

• 0x4244e4 - None

• 0x4244e8 - None

• 0x4244ec - None

• 0x4244f0 - None

• 0x4244f4 - None

• 0x4244f8 - None

• 0x4244fc - None

• 0x424500 - None

• 0x424504 - None

• 0x424508 - None

• 0x42450c - None

• 0x424510 - None

• 0x424514 - None

• 0x424518 - None

• 0x42451c - None

• 0x424520 - None

• 0x424524 - None

• 0x424528 - None

• 0x42452c - None

• 0x424530 - None

• 0x424534 - None

• 0x424538 - None

• 0x42453c - None

• 0x424540 - None

• 0x424544 - None

• 0x424548 - None

• 0x42454c - None

• 0x424550 - None

• 0x424554 - None

• 0x424558 - None

• 0x42455c - None

• 0x424560 - None

• 0x424564 - None

• 0x424568 - None

• 0x42456c - None

• 0x424570 - None

• 0x424574 - None

• 0x424578 - None

• 0x42457c - None

• 0x424580 - None

• 0x424584 - None

• 0x424588 - None

• 0x42458c - None

• 0x424590 - None

• 0x424594 - None

• 0x424598 - None

• 0x42459c - None

• 0x4245a0 - None

• 0x4245a4 - None

• 0x4245a8 - None

• 0x4245ac - None

• 0x4245b0 - None

• 0x4245b4 - None

• 0x4245b8 - None

• 0x4245bc - None

• 0x4245c0 - None

• 0x4245c4 - None

• 0x4245c8 - None

• 0x4245cc - None

库 MSVCRT.dll:

• 0x4245d4 - mbstowcs

• 0x4245d8 - _setmbcp

• 0x4245dc - _exit

• 0x4245e0 - __lconv_init

• 0x4245e4 - _controlfp

• 0x4245e8 - _onexit

• 0x4245ec - __dllonexit

• 0x4245f0 - ?terminate@@YAXXZ

• 0x4245f4 - __set_app_type

• 0x4245f8 - __p__fmode

• 0x4245fc - __p__commode

• 0x424600 - _adjust_fdiv

• 0x424604 - __setusermatherr

• 0x424608 - _initterm

• 0x42460c - __getmainargs

• 0x424610 - _acmdln

• 0x424614 - exit

• 0x424618 - __CxxFrameHandler

• 0x42461c - _mbsicmp

• 0x424620 - free

• 0x424624 - _mbscmp

• 0x424628 - memmove

• 0x42462c - malloc

• 0x424630 - realloc

• 0x424634 - _CIasin

• 0x424638 - _ftol

• 0x42463c - _except_handler3

• 0x424640 - setlocale

• 0x424644 - wcscmp

• 0x424648 - _XcptFilter

库 KERNEL32.dll:

• 0x424098 - MapViewOfFile

• 0x42409c - UnmapViewOfFile

• 0x4240a0 - CreateFileA

• 0x4240a4 - GetLastError

• 0x4240a8 - CloseHandle

• 0x4240ac - GlobalSize

• 0x4240b0 - GlobalAlloc

• 0x4240b4 - GlobalUnlock

• 0x4240b8 - GlobalLock

• 0x4240bc - GlobalFree

• 0x4240c0 - GetVersionExA

• 0x4240c4 - lstrcpyA

• 0x4240c8 - lstrlenA

• 0x4240cc - lstrcmpiA

• 0x4240d0 - GetFileSize

• 0x4240d4 - WideCharToMultiByte

• 0x4240d8 - MultiByteToWideChar

• 0x4240dc - GetModuleHandleA

• 0x4240e0 - GetStartupInfoA

• 0x4240e4 - CreateFileMappingA

库 GDI32.dll:

• 0x424030 - BitBlt

• 0x424034 - DeleteObject

• 0x424038 - CreateFontIndirectA

• 0x42403c - GetPixel

• 0x424040 - Rectangle

• 0x424044 - CreateDCA

• 0x424048 - CreatePatternBrush

• 0x42404c - CreatePen

• 0x424050 - CreateSolidBrush

• 0x424054 - GetDIBits

• 0x424058 - CreateBitmap

• 0x42405c - SetPixel

• 0x424060 - GetTextExtentPoint32A

• 0x424064 - CreateCompatibleDC

• 0x424068 - CreateCompatibleBitmap

• 0x42406c - StretchBlt

• 0x424070 - GetStockObject

库 comdlg32.dll:

• 0x42471c - GetSaveFileNameA

• 0x424720 - GetOpenFileNameA

库 ADVAPI32.dll:

• 0x424000 - RegDeleteKeyA

• 0x424004 - RegQueryValueExA

• 0x424008 - RegOpenKeyExA

• 0x42400c - RegSetValueExA

• 0x424010 - RegDeleteValueA

• 0x424014 - RegCloseKey

• 0x424018 - RegEnumKeyExA

• 0x42401c - RegCreateKeyExA

库 SHELL32.dll:

• 0x424650 - ShellExecuteA

• 0x424654 - DragQueryFileA

库 COMCTL32.dll:

• 0x424024 - ImageList_SetImageCount

• 0x424028 - ImageList_ReplaceIcon

库 ole32.dll:

• 0x424780 - OleUninitialize

• 0x424784 - RegisterDragDrop

• 0x424788 - OleInitialize

• 0x42478c - RevokeDragDrop

投放文件

无信息

行为分析

互斥量(Mutexes)

Local\MSCTF.Asm.MutexDefault1

执行的命令 无信息

创建的服务 无信息

启动的服务 无信息

进程

PsQREdit 2.4.3huajun.exe PID: 2488, 上一级进程 PID: 2336

访问的文件

C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\Fonts\staticcache.dat
C:\Users\test\AppData\Local\Temp\PsQREdit 2.4.3huajun.exe.Local\
C:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_zh-cn_b7a33d2d3f47b7fb
C:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_zh-cn_b7a33d2d3f47b7fb\COMCTL32.dll.mui

读取的文件

C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\Fonts\staticcache.dat
C:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_zh-cn_b7a33d2d3f47b7fb\COMCTL32.dll.mui

修改的文件 无信息

删除的文件 无信息

注册表键

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
HKEY_CURRENT_USER\Software\Psytec\QR Code Editor\Setting
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\PsQREdit 2.4.3huajun.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\\xe5\xae\x8b\xe4\xbd\x93
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Keyboard Layout\Toggle
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Item\{B2C7F219-68FB-47D8-9881-AA681D0944F0}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Item\{B2C7F219-68FB-47D8-9881-AA681D0944F0}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Item\{B2C7F219-68FB-47D8-9881-AA681D0944F0}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Item\{B2C7F219-68FB-47D8-9881-AA681D0944F0}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Item\{B2C7F219-68FB-47D8-9881-AA681D0944F0}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Item\{B2C7F219-68FB-47D8-9881-AA681D0944F0}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Item\{B2C7F219-68FB-47D8-9881-AA681D0944F0}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Item\{B2C7F219-68FB-47D8-9881-AA681D0944F0}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Item\{B2C7F219-68FB-47D8-9881-AA681D0944F0}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Item\{B2C7F219-68FB-47D8-9881-AA681D0944F0}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Item\{B2C7F219-68FB-47D8-9881-AA681D0944F0}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Item\{B2C7F219-68FB-47D8-9881-AA681D0944F0}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Item\{B2C7F219-68FB-47D8-9881-AA681D0944F0}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Item\{B2C7F219-68FB-47D8-9881-AA681D0944F0}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Item\{B2C7F219-68FB-47D8-9881-AA681D0944F0}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Item\{B2C7F219-68FB-47D8-9881-AA681D0944F0}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_CURRENT_USER\Software\Microsoft\CTF\LayoutIcon\0804\00000804
HKEY_CURRENT_USER\Control Panel\Desktop
HKEY_CURRENT_USER\Control Panel\Desktop\SmoothScroll
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations

读取的注册表键

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\\xe5\xae\x8b\xe4\xbd\x93
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_CURRENT_USER\Control Panel\Desktop\SmoothScroll
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations

修改的注册表键 无信息

删除的注册表键 无信息

API解析

cryptbase.dll.SystemFunction036
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
gdi32.dll.GetLayout
gdi32.dll.GdiRealizationInfo
gdi32.dll.FontIsLinked
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
gdi32.dll.GetTextFaceAliasW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
advapi32.dll.RegQueryValueExA
advapi32.dll.RegEnumKeyExW
gdi32.dll.GetTextExtentExPointWPri
gdi32.dll.GetFontAssocStatus
comctl32.dll.InitCommonControlsEx
comctl32.dll.RegisterClassNameW
uxtheme.dll.EnableThemeDialogTexture
uxtheme.dll.OpenThemeData
imm32.dll.ImmIsIME
imm32.dll.ImmGetContext
imm32.dll.ImmReleaseContext
imm32.dll.ImmAssociateContext
ole32.dll.CoInitializeEx
ole32.dll.CoUninitialize
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoRevokeInitializeSpy
imm32.dll.ImmLockIMC
imm32.dll.ImmUnlockIMC
imm32.dll.ImmSetCompositionFontW
imm32.dll.ImmGetCompositionWindow
imm32.dll.ImmSetCompositionWindow
oleaut32.dll.VariantCopy
uxtheme.dll.SetWindowTheme
comctl32.dll.DllGetVersion
comctl32.dll.ImageList_Create
uxtheme.dll.BufferedPaintInit
uxtheme.dll.BeginBufferedPaint
uxtheme.dll.EndBufferedPaint
gdi32.dll.GdiIsMetaPrintDC
uxtheme.dll.BufferedPaintRenderAnimation
uxtheme.dll.BeginBufferedAnimation
uxtheme.dll.EndBufferedAnimation
shell32.dll.DragAcceptFiles
oleaut32.dll.SysAllocString
oleaut32.dll.SysStringLen
oleaut32.dll.SysFreeString