魔盾安全分析报告
| 分析类型 | 开始时间 | 结束时间 | 持续时间 | 分析引擎版本 |
|---|---|---|---|---|
| FILE | 2016-11-06 20:08:05 | 2016-11-06 20:10:20 | 135 秒 | 1.4-Maldun |
| 虚拟机机器名 | 标签 | 虚拟机管理 | 开机时间 | 关机时间 |
|---|---|---|---|---|
| win7-sp1-x64 | win7-sp1-x64 | KVM | 2016-11-06 20:08:05 | 2016-11-06 20:10:20 |
| 魔盾分数 |
|---|
2.0正常的 |
文件详细信息
| 文件名 | index.dat |
|---|---|
| 文件大小 | 32768 字节 |
| 文件类型 | Internet Explorer cache file version Ver 5.2 |
| CRC32 | B451CA0B |
| MD5 | 0aee387ca0a52dcdd8f8a29ea76edb42 |
| SHA1 | 5df81547dcadb2a7b8bc689da8e1383ba1a84cb9 |
| SHA256 | c31bc37e102b70a472837d530ec80bdaea28b0fefda3e9aa8c8cda98c4200c4e |
| SHA512 | 101bdb7178e031b1fbd78d595d778d06174749246cdcb70eb4b92af534910e30e0627147260ec319bccecf7a105c814b6b32c077a777fb5e90bd1459c78dcdf9 |
| Ssdeep | 12:qjtSaFpbZli3zIoYDPO7em4GZj03W/cKYDPOCG5A30WUsOXQDG9YRm4GZ5:qj4avEIoYTCebGZ7ZYTlEJ0oQQ4bGZ |
| PEiD | 无匹配 |
| Yara | 无Yara规则匹配 |
| VirusTotal | 无此文件扫描结果 |
特征
强制将一个创建的进程加载为另一个不相关进程的子进程
运行截图
网络分析
静态分析
投放文件
行为分析
互斥量(Mutexes)
- Local\MSCTF.Asm.MutexDefault1
执行的命令
- C:\Windows\system32\svchost.exe -k netsvcs
创建的服务
无信息
启动的服务
无信息
进程
cmd.exe PID: 1396, 上一级进程 PID: 1468
services.exe PID: 452, 上一级进程 PID: 356
svchost.exe PID: 1484, 上一级进程 PID: 452
rundll32.exe PID: 1048, 上一级进程 PID: 1396
访问的文件
- C:\Windows\Temp
- \Device\KsecDD
- C:\Windows\Globalization\Sorting\sortdefault.nls
- C:\Windows\sysnative\appmgmt\S-1-5-21-2280033686-3172497658-3481507381-1000\AppMgmt.ini
- C:\Windows\System32\shell32.dll
- C:\Windows\System32\shell32.dll.manifest
- C:\Windows\System32\shell32.dll.123.Manifest
- C:\Windows\SysWOW64\shell32.dll
- C:\Windows\Fonts\staticcache.dat
读取的文件
- \Device\KsecDD
- C:\Windows\Globalization\Sorting\sortdefault.nls
- C:\Windows\sysnative\appmgmt\S-1-5-21-2280033686-3172497658-3481507381-1000\AppMgmt.ini
- C:\Windows\System32\shell32.dll
- C:\Windows\System32\shell32.dll.123.Manifest
- C:\Windows\SysWOW64\shell32.dll
- C:\Windows\Fonts\staticcache.dat
修改的文件
无信息
删除的文件
无信息
注册表键
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppMgmt
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppMgmt\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppMgmt\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppMgmt\WOW64
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
- HKEY_CURRENT_USER
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
- HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
- HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
- HKEY_USERS\.DEFAULT\Environment
- HKEY_USERS\.DEFAULT\Volatile Environment
- HKEY_USERS\.DEFAULT\Volatile Environment\0
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppMgmt\Environment
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppMgmt\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Type
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Start
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\ErrorControl
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Tag
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\DependOnService
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\DependOnGroup
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Group
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winmgmt
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winmgmt\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\Type
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\ErrorControl
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\Tag
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\DependOnService
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\DependOnGroup
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\Group
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\Type
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\ErrorControl
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\Tag
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\DependOnService
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\DependOnGroup
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\Group
- HKEY_LOCAL_MACHINE
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs\CoInitializeSecurityParam
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs\AuthenticationLevel
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs\ImpersonationLevel
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs\AuthenticationCapabilities
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs\CoInitializeSecurityAppID
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs\DeferredCoInitializeSecurityServices
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs\DefaultRpcStackSize
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs\SystemCritical
- HKEY_CURRENT_USER\Software\Classes
- HKEY_LOCAL_MACHINE\Software\Classes
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\svchost.exe
- HKEY_USERS\.DEFAULT\Control Panel\International
- HKEY_USERS\.DEFAULT\Control Panel\International\LocaleName
- HKEY_USERS\.DEFAULT\Control Panel\International\sCountry
- HKEY_USERS\.DEFAULT\Control Panel\International\sList
- HKEY_USERS\.DEFAULT\Control Panel\International\sDecimal
- HKEY_USERS\.DEFAULT\Control Panel\International\sThousand
- HKEY_USERS\.DEFAULT\Control Panel\International\sGrouping
- HKEY_USERS\.DEFAULT\Control Panel\International\sNativeDigits
- HKEY_USERS\.DEFAULT\Control Panel\International\sCurrency
- HKEY_USERS\.DEFAULT\Control Panel\International\sMonDecimalSep
- HKEY_USERS\.DEFAULT\Control Panel\International\sMonThousandSep
- HKEY_USERS\.DEFAULT\Control Panel\International\sMonGrouping
- HKEY_USERS\.DEFAULT\Control Panel\International\sPositiveSign
- HKEY_USERS\.DEFAULT\Control Panel\International\sNegativeSign
- HKEY_USERS\.DEFAULT\Control Panel\International\sTimeFormat
- HKEY_USERS\.DEFAULT\Control Panel\International\sShortTime
- HKEY_USERS\.DEFAULT\Control Panel\International\s1159
- HKEY_USERS\.DEFAULT\Control Panel\International\s2359
- HKEY_USERS\.DEFAULT\Control Panel\International\sShortDate
- HKEY_USERS\.DEFAULT\Control Panel\International\sYearMonth
- HKEY_USERS\.DEFAULT\Control Panel\International\sLongDate
- HKEY_USERS\.DEFAULT\Control Panel\International\iCountry
- HKEY_USERS\.DEFAULT\Control Panel\International\iMeasure
- HKEY_USERS\.DEFAULT\Control Panel\International\iPaperSize
- HKEY_USERS\.DEFAULT\Control Panel\International\iDigits
- HKEY_USERS\.DEFAULT\Control Panel\International\iLZero
- HKEY_USERS\.DEFAULT\Control Panel\International\iNegNumber
- HKEY_USERS\.DEFAULT\Control Panel\International\NumShape
- HKEY_USERS\.DEFAULT\Control Panel\International\iCurrDigits
- HKEY_USERS\.DEFAULT\Control Panel\International\iCurrency
- HKEY_USERS\.DEFAULT\Control Panel\International\iNegCurr
- HKEY_USERS\.DEFAULT\Control Panel\International\iCalendarType
- HKEY_USERS\.DEFAULT\Control Panel\International\iFirstDayOfWeek
- HKEY_USERS\.DEFAULT\Control Panel\International\iFirstWeekOfYear
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppMgmt\Parameters
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppMgmt\Parameters\ServiceDll
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppMgmt\Parameters\ServiceManifest
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppMgmt\Parameters\ServiceMain
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics
- HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE
- HKEY_USERS\S-1-5-21-2280033686-3172497658-3481507381-1000
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\KindMap
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\KindMap\.dat
- HKEY_CLASSES_ROOT\.dat
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dat\(Default)
- HKEY_CLASSES_ROOT\.dat\OpenWithProgids
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dat\OpenWithProgids
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dat
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dat\shell\openas
- HKEY_CLASSES_ROOT\Unknown
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\CurVer
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\shell\openas
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\shell\openas\command
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\shell\openas\command\(Default)
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetOpenWith
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\\xe5\xbe\xae\xe8\xbd\xaf\xe9\x9b\x85\xe9\xbb\x91
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\rundll32.exe
- HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{FA445657-9379-11D6-B41A-00065B83EE53}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
- HKEY_CURRENT_USER\Keyboard Layout\Toggle
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
- HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
- HKEY_CURRENT_USER\Software\Microsoft\CTF\LayoutIcon\0804\00000804
读取的注册表键
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppMgmt\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppMgmt\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppMgmt\WOW64
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
- HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
- HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppMgmt\Environment
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppMgmt\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Type
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Start
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\ErrorControl
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Tag
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\DependOnService
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\DependOnGroup
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Group
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winmgmt\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\ImagePath
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\Type
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\ErrorControl
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\Tag
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\DependOnService
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\DependOnGroup
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\Group
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\ObjectName
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\WOW64
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv\RequiredPrivileges
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\Type
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\ErrorControl
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\Tag
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\DependOnService
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\DependOnGroup
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc\Group
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs\CoInitializeSecurityParam
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs\AuthenticationLevel
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs\ImpersonationLevel
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs\AuthenticationCapabilities
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs\CoInitializeSecurityAppID
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs\DeferredCoInitializeSecurityServices
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs\DefaultRpcStackSize
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs\SystemCritical
- HKEY_USERS\.DEFAULT\Control Panel\International\LocaleName
- HKEY_USERS\.DEFAULT\Control Panel\International\sCountry
- HKEY_USERS\.DEFAULT\Control Panel\International\sList
- HKEY_USERS\.DEFAULT\Control Panel\International\sDecimal
- HKEY_USERS\.DEFAULT\Control Panel\International\sThousand
- HKEY_USERS\.DEFAULT\Control Panel\International\sGrouping
- HKEY_USERS\.DEFAULT\Control Panel\International\sNativeDigits
- HKEY_USERS\.DEFAULT\Control Panel\International\sCurrency
- HKEY_USERS\.DEFAULT\Control Panel\International\sMonDecimalSep
- HKEY_USERS\.DEFAULT\Control Panel\International\sMonThousandSep
- HKEY_USERS\.DEFAULT\Control Panel\International\sMonGrouping
- HKEY_USERS\.DEFAULT\Control Panel\International\sPositiveSign
- HKEY_USERS\.DEFAULT\Control Panel\International\sNegativeSign
- HKEY_USERS\.DEFAULT\Control Panel\International\sTimeFormat
- HKEY_USERS\.DEFAULT\Control Panel\International\sShortTime
- HKEY_USERS\.DEFAULT\Control Panel\International\s1159
- HKEY_USERS\.DEFAULT\Control Panel\International\s2359
- HKEY_USERS\.DEFAULT\Control Panel\International\sShortDate
- HKEY_USERS\.DEFAULT\Control Panel\International\sYearMonth
- HKEY_USERS\.DEFAULT\Control Panel\International\sLongDate
- HKEY_USERS\.DEFAULT\Control Panel\International\iCountry
- HKEY_USERS\.DEFAULT\Control Panel\International\iMeasure
- HKEY_USERS\.DEFAULT\Control Panel\International\iPaperSize
- HKEY_USERS\.DEFAULT\Control Panel\International\iDigits
- HKEY_USERS\.DEFAULT\Control Panel\International\iLZero
- HKEY_USERS\.DEFAULT\Control Panel\International\iNegNumber
- HKEY_USERS\.DEFAULT\Control Panel\International\NumShape
- HKEY_USERS\.DEFAULT\Control Panel\International\iCurrDigits
- HKEY_USERS\.DEFAULT\Control Panel\International\iCurrency
- HKEY_USERS\.DEFAULT\Control Panel\International\iNegCurr
- HKEY_USERS\.DEFAULT\Control Panel\International\iCalendarType
- HKEY_USERS\.DEFAULT\Control Panel\International\iFirstDayOfWeek
- HKEY_USERS\.DEFAULT\Control Panel\International\iFirstWeekOfYear
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppMgmt\Parameters\ServiceDll
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppMgmt\Parameters\ServiceManifest
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\AppMgmt\Parameters\ServiceMain
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\KindMap\.dat
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dat\(Default)
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\shell\openas\command\(Default)
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetOpenWith
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
修改的注册表键
无信息
删除的注册表键
无信息
API解析
- ole32.dll.CoInitializeEx
- cryptbase.dll.SystemFunction036
- ole32.dll.CoInitializeSecurity
- sechost.dll.LookupAccountNameLocalW
- advapi32.dll.LookupAccountSidW
- sechost.dll.LookupAccountSidLocalW
- ole32.dll.CoCreateInstance
- kernel32.dll.SortGetHandle
- kernel32.dll.SortCloseHandle
- appmgmts.dll.ServiceMain
- rpcrtremote.dll.I_RpcExtInitializeExtensionPoint
- shell32.dll.OpenAs_RunDLLW
- uxtheme.dll.ThemeInitApiHook
- user32.dll.IsProcessDPIAware
- dwmapi.dll.DwmIsCompositionEnabled
- shell32.dll.#102
- propsys.dll.#430
- advapi32.dll.RegOpenKeyExW
- advapi32.dll.RegGetValueW
- advapi32.dll.RegCloseKey
- ole32.dll.CoTaskMemFree
- advapi32.dll.OpenThreadToken
- ole32.dll.CoTaskMemAlloc
- comctl32.dll.InitCommonControlsEx
- uxtheme.dll.EnableThemeDialogTexture
- uxtheme.dll.OpenThemeData
- uxtheme.dll.GetThemeBool
- gdi32.dll.GetLayout
- gdi32.dll.GdiRealizationInfo
- gdi32.dll.FontIsLinked
- advapi32.dll.RegQueryInfoKeyW
- gdi32.dll.GetTextFaceAliasW
- advapi32.dll.RegEnumValueW
- advapi32.dll.RegQueryValueExW
- advapi32.dll.RegQueryValueExA
- advapi32.dll.RegEnumKeyExW
- gdi32.dll.GdiIsMetaPrintDC
- ole32.dll.CoUninitialize
- ole32.dll.CoRegisterInitializeSpy
- ole32.dll.CoRevokeInitializeSpy
- gdi32.dll.GetTextExtentExPointWPri
- uxtheme.dll.BufferedPaintInit
- uxtheme.dll.BufferedPaintRenderAnimation
- uxtheme.dll.BeginBufferedAnimation
- uxtheme.dll.IsThemeBackgroundPartiallyTransparent
- uxtheme.dll.DrawThemeParentBackground
- uxtheme.dll.GetThemePartSize
- uxtheme.dll.DrawThemeBackground
- uxtheme.dll.GetThemeBackgroundContentRect
- uxtheme.dll.DrawThemeText
- uxtheme.dll.EndBufferedAnimation
- uxtheme.dll.GetThemeTransitionDuration
- oleaut32.dll.SysAllocString
- oleaut32.dll.SysStringLen
- oleaut32.dll.SysFreeString