魔盾安全分析报告

分析类型	开始时间	结束时间	持续时间	分析引擎版本
FILE	2021-04-21 16:50:09	2021-04-21 16:52:46	157 秒	1.4-Maldun

虚拟机机器名	标签	虚拟机管理	开机时间	关机时间
win7-sp1-x64-hpdapp01-1	win7-sp1-x64-hpdapp01-1	KVM	2021-04-21 16:50:15	2021-04-21 16:52:47

魔盾分数
7.3125 恶意的

文件详细信息

文件名	Install.exe
文件大小	217088 字节
文件类型	PE32 executable (GUI) Intel 80386, for MS Windows
CRC32	2292C5F4
MD5	99aeaecb36dce3dca06074dd48108964
SHA1	639b784b44dd31376b9aa16079171d59308a20cc
SHA256	b280af73d5d4cf7ed45d44048b6ed2c3572a8b094fd94fedb6980fa8fe5c59ca
SHA512	9cd515760c903cb6523aa1f28474a34de413d6364e198044e33c15db09a3ae35c6f5d648a5afd3dc12638adc89922234049c0f1199b6175e6c3ec8a576458aa4
Ssdeep	3072:wnDjKDfAoDL3nJ+gW5ZZTaUDp2MQUtNuSbu:wDjKDvL3npWpTRlNoL
PEiD	无匹配
Yara	DebuggerException__SetConsoleCtrl () win_files_operation (Affect private profile) IsPE32 (Detected a 32bit PE sample) IsWindowsGUI (Detected a Windows GUI sample) HasRichSignature (Detected Rich Signature)
VirusTotal	VirusTotal查询失败

特征

至少有一个进程在执行过程中崩溃

创建RWX内存

魔盾安全Yara检测结果 - 普通

发起了一些HTTP请求

url: http://59.80.44.45/acroipm.adobe.com/202104211652/23F2CC8D77E1D18E88E877DE26ABD578/11/rdr/CHS/win/nooem/none/message.zip

多次尝试建立挂起的进程

强制将一个创建的进程加载为另一个不相关进程的子进程

将自己装载到Windows开机自动启动项目

service name: netsvcs_Microsoft Wsacug wgwioqeo

service path: %SystemRoot%\System32\svchost.exe -k netsvcs -p

key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\netsvcs_Microsoft Wsacug wgwioqeo\Parameters\ServiceDll

data: C:\Program Files (x86)\Aimgea.dll

运行截图

网络分析

域名解析

域名	响应
acroipm.adobe.com	CNAME acroipm.adobe.com.edgesuite.net A 23.220.203.65 CNAME a1983.dscd.akamai.net A 23.220.203.58
www.baidu.com	CNAME www.a.shifen.com A 180.101.49.11 A 180.101.49.12

TCP连接

IP地址	端口
23.220.203.65	80
59.80.44.45	80

UDP连接

IP地址	端口
192.168.122.1	53
192.168.122.1	53
192.168.122.1	53

HTTP请求

URL	HTTP数据
http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip	GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: / If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache
http://59.80.44.45/acroipm.adobe.com/202104211652/23F2CC8D77E1D18E88E877DE26ABD578/11/rdr/CHS/win/nooem/none/message.zip	GET /acroipm.adobe.com/202104211652/23F2CC8D77E1D18E88E877DE26ABD578/11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: / User-Agent: IPM Host: 59.80.44.45 Connection: Keep-Alive Cache-Control: no-cache

URL

HTTP数据

http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip

GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

http://59.80.44.45/acroipm.adobe.com/202104211652/23F2CC8D77E1D18E88E877DE26ABD578/11/rdr/CHS/win/nooem/none/message.zip

GET /acroipm.adobe.com/202104211652/23F2CC8D77E1D18E88E877DE26ABD578/11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
User-Agent: IPM
Host: 59.80.44.45
Connection: Keep-Alive
Cache-Control: no-cache

静态分析

PE 信息

初始地址	0x00400000
入口地址	0x0040248e
声明校验值	0x00000000
实际校验值	0x0003fca3
最低操作系统版本要求	4.0
编译时间	2021-04-04 14:35:21
载入哈希	188b8aa3e48c571af09aae8527c2eef5

版本信息

LegalCopyright:	Copyright (C) 2020
InternalName:	sadqwe
FileVersion:	1, 0, 0, 1
CompanyName:
LegalTrademarks:
ProductName:	sadqwe Application
ProductVersion:	1, 0, 0, 1
FileDescription:	sadqwe MFC Application
OriginalFilename:	sadqwe.EXE
Translation:	0x0409 0x04b0

PE数据组成

名称	虚拟地址	虚拟大小	原始数据大小	特征	熵(Entropy)
.text	0x00001000	0x00001744	0x00002000	IMAGE_SCN_CNT_CODE\|IMAGE_SCN_MEM_EXECUTE\|IMAGE_SCN_MEM_READ	4.89
.rdata	0x00003000	0x0000109c	0x00002000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	3.09
.data	0x00005000	0x00006784	0x00007000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ\|IMAGE_SCN_MEM_WRITE	3.81
.rsrc	0x0000c000	0x00028874	0x00029000	IMAGE_SCN_CNT_INITIALIZED_DATA\|IMAGE_SCN_MEM_READ	5.15

导入

库 MFC42.DLL:

• 0x403044 - None

• 0x403048 - None

• 0x40304c - None

• 0x403050 - None

• 0x403054 - None

• 0x403058 - None

• 0x40305c - None

• 0x403060 - None

• 0x403064 - None

• 0x403068 - None

• 0x40306c - None

• 0x403070 - None

• 0x403074 - None

• 0x403078 - None

• 0x40307c - None

• 0x403080 - None

• 0x403084 - None

• 0x403088 - None

• 0x40308c - None

• 0x403090 - None

• 0x403094 - None

• 0x403098 - None

• 0x40309c - None

• 0x4030a0 - None

• 0x4030a4 - None

• 0x4030a8 - None

• 0x4030ac - None

• 0x4030b0 - None

• 0x4030b4 - None

• 0x4030b8 - None

• 0x4030bc - None

• 0x4030c0 - None

• 0x4030c4 - None

• 0x4030c8 - None

• 0x4030cc - None

• 0x4030d0 - None

• 0x4030d4 - None

• 0x4030d8 - None

• 0x4030dc - None

• 0x4030e0 - None

• 0x4030e4 - None

• 0x4030e8 - None

• 0x4030ec - None

• 0x4030f0 - None

• 0x4030f4 - None

• 0x4030f8 - None

• 0x4030fc - None

• 0x403100 - None

• 0x403104 - None

• 0x403108 - None

• 0x40310c - None

• 0x403110 - None

• 0x403114 - None

• 0x403118 - None

• 0x40311c - None

• 0x403120 - None

• 0x403124 - None

• 0x403128 - None

• 0x40312c - None

• 0x403130 - None

• 0x403134 - None

• 0x403138 - None

• 0x40313c - None

• 0x403140 - None

• 0x403144 - None

• 0x403148 - None

• 0x40314c - None

• 0x403150 - None

• 0x403154 - None

• 0x403158 - None

• 0x40315c - None

• 0x403160 - None

• 0x403164 - None

• 0x403168 - None

• 0x40316c - None

• 0x403170 - None

• 0x403174 - None

• 0x403178 - None

• 0x40317c - None

• 0x403180 - None

• 0x403184 - None

• 0x403188 - None

• 0x40318c - None

• 0x403190 - None

• 0x403194 - None

• 0x403198 - None

• 0x40319c - None

• 0x4031a0 - None

• 0x4031a4 - None

• 0x4031a8 - None

• 0x4031ac - None

• 0x4031b0 - None

• 0x4031b4 - None

• 0x4031b8 - None

• 0x4031bc - None

• 0x4031c0 - None

• 0x4031c4 - None

• 0x4031c8 - None

• 0x4031cc - None

• 0x4031d0 - None

• 0x4031d4 - None

• 0x4031d8 - None

• 0x4031dc - None

• 0x4031e0 - None

• 0x4031e4 - None

• 0x4031e8 - None

• 0x4031ec - None

• 0x4031f0 - None

• 0x4031f4 - None

• 0x4031f8 - None

• 0x4031fc - None

• 0x403200 - None

• 0x403204 - None

• 0x403208 - None

• 0x40320c - None

• 0x403210 - None

• 0x403214 - None

• 0x403218 - None

• 0x40321c - None

• 0x403220 - None

• 0x403224 - None

• 0x403228 - None

• 0x40322c - None

• 0x403230 - None

• 0x403234 - None

• 0x403238 - None

• 0x40323c - None

• 0x403240 - None

• 0x403244 - None

• 0x403248 - None

• 0x40324c - None

• 0x403250 - None

• 0x403254 - None

• 0x403258 - None

• 0x40325c - None

• 0x403260 - None

• 0x403264 - None

• 0x403268 - None

• 0x40326c - None

• 0x403270 - None

• 0x403274 - None

• 0x403278 - None

• 0x40327c - None

• 0x403280 - None

• 0x403284 - None

• 0x403288 - None

• 0x40328c - None

• 0x403290 - None

• 0x403294 - None

• 0x403298 - None

• 0x40329c - None

• 0x4032a0 - None

• 0x4032a4 - None

• 0x4032a8 - None

• 0x4032ac - None

• 0x4032b0 - None

• 0x4032b4 - None

• 0x4032b8 - None

• 0x4032bc - None

• 0x4032c0 - None

• 0x4032c4 - None

• 0x4032c8 - None

• 0x4032cc - None

• 0x4032d0 - None

• 0x4032d4 - None

• 0x4032d8 - None

• 0x4032dc - None

• 0x4032e0 - None

• 0x4032e4 - None

• 0x4032e8 - None

• 0x4032ec - None

• 0x4032f0 - None

• 0x4032f4 - None

• 0x4032f8 - None

• 0x4032fc - None

• 0x403300 - None

• 0x403304 - None

• 0x403308 - None

• 0x40330c - None

库 MSVCRT.dll:

• 0x403314 - _except_handler3

• 0x403318 - __set_app_type

• 0x40331c - __p__fmode

• 0x403320 - __p__commode

• 0x403324 - _adjust_fdiv

• 0x403328 - __setusermatherr

• 0x40332c - _initterm

• 0x403330 - __getmainargs

• 0x403334 - _acmdln

• 0x403338 - exit

• 0x40333c - _XcptFilter

• 0x403340 - _exit

• 0x403344 - _onexit

• 0x403348 - __dllonexit

• 0x40334c - fopen

• 0x403350 - fwrite

• 0x403354 - fclose

• 0x403358 - __CxxFrameHandler

• 0x40335c - _setmbcp

• 0x403360 - _controlfp

库 KERNEL32.dll:

• 0x403000 - GetProcAddress

• 0x403004 - HeapAlloc

• 0x403008 - GetProcessHeap

• 0x40300c - VirtualAlloc

• 0x403010 - HeapFree

• 0x403014 - VirtualFree

• 0x403018 - FreeLibrary

• 0x40301c - ExitProcess

• 0x403020 - SizeofResource

• 0x403024 - LockResource

• 0x403028 - LoadResource

• 0x40302c - FindResourceA

• 0x403030 - ExpandEnvironmentStringsA

• 0x403034 - GetModuleHandleA

• 0x403038 - GetStartupInfoA

• 0x40303c - LoadLibraryA

库 USER32.dll:

• 0x403368 - EnableWindow

投放文件

无信息

行为分析

互斥量(Mutexes)

Local\WERReportingForProcess304
Global\c2796fa1-4432-11eb-954e-5254000b9d82

执行的命令

C:\Windows\SysWOW64\svchost.exe -k netsvcs -p
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\SysWOW64\WerFault.exe -u -p 304 -s 1092

创建的服务

netsvcs_Microsoft Wsacug wgwioqeo

启动的服务

netsvcs_Microsoft Wsacug wgwioqeo
WerSvc

进程

Install.exe PID: 2764, 上一级进程 PID: 2156

services.exe PID: 428, 上一级进程 PID: 340

svchost.exe PID: 2000, 上一级进程 PID: 428

svchost.exe PID: 2100, 上一级进程 PID: 428

WerFault.exe PID: 2380, 上一级进程 PID: 2100

访问的文件

C:\Program Files (x86)\Aimgea.dll
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\System32\11250032.bak
C:\Users\test\AppData\Local\Temp\Install.exe
C:\Windows\sysnative\LogFiles\Scm\044a6734-e90e-4f8f-b357-b2dc8ab3b5ec
C:\Windows\Temp
C:\Windows\sysnative\LogFiles\Scm\c016366b-7126-46ca-b36b-592a3d95a60b
C:\Windows\sysnative\LogFiles\Scm\2f57269b-1e09-4e2d-ab1e-b0fdac7d279c
C:\Windows\sysnative\LogFiles\Scm\34583c36-c717-46d6-9414-5c9857a3fb58
C:\Windows\sysnative\LogFiles\Scm\47536d45-eeec-4bdc-8183-a4dc1f8da9e4
C:\Windows\sysnative\LogFiles\Scm\5c0aeeea-c154-45be-8499-bea5f11baff6
C:\Windows\sysnative\LogFiles\Scm\a7c73732-9f11-4281-8d19-764d4ec9d94d
C:\Windows\sysnative\LogFiles\Scm\ac4e5acf-89f7-4220-ba21-81ee183975e2
C:\Windows\sysnative\LogFiles\Scm\be669c13-8165-4536-96d0-6d6c39292aae
C:\Windows\sysnative\LogFiles\Scm\ca4b8ff2-a4d2-4d88-a52e-3a5bdaf7f56e
C:\Windows\sysnative\LogFiles\Scm\eaca24ff-236c-401d-a1e7-b3d5267b8a50
C:\Windows\sysnative\LogFiles\Scm\fb3c354d-297a-4eb2-9b58-090f6361906b
C:\Windows\sysnative\LogFiles\Scm\fdd56c73-f0d5-41b6-b767-6effd7966428
C:\Windows\sysnative\LogFiles\Scm\da41de71-8431-42fb-9db0-eb64a961dead
\Device\KsecDD
C:\program files (x86)\Aimgea.dll
C:\ProgramData\Microsoft\Windows\WER\ReportQueue
C:\Users\test\AppData\Local\Temp
C:\Windows\SysWOW64\winxp\triage.ini
C:\Windows\SysWOW64\WINXP
C:\Windows\SysWOW64\winext
C:\Windows\SysWOW64\winext\arcade
C:\Windows\SysWOW64\pri
C:\Windows\SysWOW64
C:\Windows\SysWOW64\
C:\ProgramData\Oracle\Java\javapath
C:\ProgramData\Oracle\Java\javapath\
C:\Windows\System32
C:\Windows\System32\
C:\Windows
C:\Windows\
C:\Windows\System32\wbem
C:\Windows\System32\wbem\
C:\Windows\System32\WindowsPowerShell\v1.0
C:\Windows\System32\WindowsPowerShell\v1.0\
C:\Program Files (x86)\WinRAR
C:\Program Files (x86)\WinRAR\
C:\Windows\SysWOW64\WINXP\dbghelp.dll
C:\Windows\SysWOW64\winext\dbghelp.dll
C:\Windows\SysWOW64\winext\arcade\dbghelp.dll
C:\Windows\SysWOW64\pri\dbghelp.dll
C:\Windows\SysWOW64\dbghelp.dll
C:\Windows\SysWOW64\WINXP\ext.dll
C:\Windows\SysWOW64\winext\ext.dll
C:\Windows\SysWOW64\winext\arcade\ext.dll
C:\Windows\SysWOW64\pri\ext.dll
C:\Windows\SysWOW64\ext.dll
C:\ProgramData\Oracle\Java\javapath\ext.dll
C:\Windows\System32\ext.dll
C:\Windows\ext.dll
C:\Windows\System32\wbem\ext.dll
C:\Windows\System32\WindowsPowerShell\v1.0\ext.dll
C:\Program Files (x86)\WinRAR\ext.dll
C:\Windows\SysWOW64\zh-CN\KERNELBASE.dll.mui
C:\Windows\SysWOW64\WINXP\exts.dll
C:\Windows\SysWOW64\winext\exts.dll
C:\Windows\SysWOW64\winext\arcade\exts.dll
C:\Windows\SysWOW64\pri\exts.dll
C:\Windows\SysWOW64\exts.dll
C:\ProgramData\Oracle\Java\javapath\exts.dll
C:\Windows\System32\exts.dll
C:\Windows\exts.dll
C:\Windows\System32\wbem\exts.dll
C:\Windows\System32\WindowsPowerShell\v1.0\exts.dll
C:\Program Files (x86)\WinRAR\exts.dll
C:\Windows\SysWOW64\WINXP\uext.dll
C:\Windows\SysWOW64\winext\uext.dll
C:\Windows\SysWOW64\winext\arcade\uext.dll
C:\Windows\SysWOW64\pri\uext.dll
C:\Windows\SysWOW64\uext.dll
C:\ProgramData\Oracle\Java\javapath\uext.dll
C:\Windows\System32\uext.dll
C:\Windows\uext.dll
C:\Windows\System32\wbem\uext.dll
C:\Windows\System32\WindowsPowerShell\v1.0\uext.dll
C:\Program Files (x86)\WinRAR\uext.dll
C:\Windows\SysWOW64\WINXP\ntsdexts.dll
C:\Windows\SysWOW64\winext\ntsdexts.dll
C:\Windows\SysWOW64\winext\arcade\ntsdexts.dll
C:\Windows\SysWOW64\pri\ntsdexts.dll
C:\Windows\SysWOW64\ntsdexts.dll
C:\ProgramData\Oracle\Java\javapath\ntsdexts.dll
C:\Windows\System32\ntsdexts.dll
C:\Windows\ntsdexts.dll
C:\Windows\System32\wbem\ntsdexts.dll
C:\Windows\System32\WindowsPowerShell\v1.0\ntsdexts.dll
C:\Program Files (x86)\WinRAR\ntsdexts.dll
C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AcroRd32.exe
C:\Program Files (x86)
C:\Program Files (x86)\Adobe\Reader 11.0
C:\Windows\SysWOW64\zh-CN\werui.dll.mui
C:\Windows\SysWOW64\werui.dll
C:\Windows\SysWOW64\zh-CN\DUser.dll.mui
C:\Windows\SysWOW64\WerFault.exe.Local\
C:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_zh-cn_b7a33d2d3f47b7fb
C:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_zh-cn_b7a33d2d3f47b7fb\COMCTL32.dll.mui
C:\Windows\win.ini
C:\Windows\Fonts\staticcache.dat
C:\Windows\System32\zh-CN\erofflps.txt
C:\Users\test\AppData\Local\Microsoft\Windows\WER\ReportArchive
C:\Users\test\AppData\Local\Microsoft\Windows\WER\ReportArchive\*_*_*_*
C:\Users\test\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_AcroRd32.exe_4fe2ce986f7366f2618fd3c6025be40ce32f91a_09e148cd
C:\Users\test\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_AcroRd32.exe_4fe2ce986f7366f2618fd3c6025be40ce32f91a_09e148cd\Report.wer

读取的文件

C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\sysnative\LogFiles\Scm\044a6734-e90e-4f8f-b357-b2dc8ab3b5ec
C:\Windows\sysnative\LogFiles\Scm\c016366b-7126-46ca-b36b-592a3d95a60b
C:\Windows\sysnative\LogFiles\Scm\2f57269b-1e09-4e2d-ab1e-b0fdac7d279c
C:\Windows\sysnative\LogFiles\Scm\34583c36-c717-46d6-9414-5c9857a3fb58
C:\Windows\sysnative\LogFiles\Scm\47536d45-eeec-4bdc-8183-a4dc1f8da9e4
C:\Windows\sysnative\LogFiles\Scm\5c0aeeea-c154-45be-8499-bea5f11baff6
C:\Windows\sysnative\LogFiles\Scm\a7c73732-9f11-4281-8d19-764d4ec9d94d
C:\Windows\sysnative\LogFiles\Scm\ac4e5acf-89f7-4220-ba21-81ee183975e2
C:\Windows\sysnative\LogFiles\Scm\be669c13-8165-4536-96d0-6d6c39292aae
C:\Windows\sysnative\LogFiles\Scm\ca4b8ff2-a4d2-4d88-a52e-3a5bdaf7f56e
C:\Windows\sysnative\LogFiles\Scm\eaca24ff-236c-401d-a1e7-b3d5267b8a50
C:\Windows\sysnative\LogFiles\Scm\fb3c354d-297a-4eb2-9b58-090f6361906b
C:\Windows\sysnative\LogFiles\Scm\fdd56c73-f0d5-41b6-b767-6effd7966428
C:\Windows\sysnative\LogFiles\Scm\da41de71-8431-42fb-9db0-eb64a961dead
\Device\KsecDD
C:\program files (x86)\Aimgea.dll
C:\Windows\SysWOW64\winxp\triage.ini
C:\Windows\SysWOW64\zh-CN\KERNELBASE.dll.mui
C:\Windows\SysWOW64\zh-CN\werui.dll.mui
C:\Windows\SysWOW64\werui.dll
C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AcroRd32.exe
C:\Windows\SysWOW64\zh-CN\DUser.dll.mui
C:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_zh-cn_b7a33d2d3f47b7fb\COMCTL32.dll.mui
C:\Windows\win.ini
C:\Windows\Fonts\staticcache.dat
C:\Windows\System32\zh-CN\erofflps.txt

修改的文件

C:\Program Files (x86)\Aimgea.dll
C:\Windows\sysnative\LogFiles\Scm\044a6734-e90e-4f8f-b357-b2dc8ab3b5ec
C:\Windows\sysnative\LogFiles\Scm\c016366b-7126-46ca-b36b-592a3d95a60b
C:\Users\test\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_AcroRd32.exe_4fe2ce986f7366f2618fd3c6025be40ce32f91a_09e148cd\Report.wer

删除的文件 无信息

注册表键

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsvcs_Microsoft Wsacug wgwioqeo
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\netsvcs_Microsoft Wsacug wgwioqeo\Description
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsvcs_Microsoft Wsacug wgwioqeo\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\netsvcs_Microsoft Wsacug wgwioqeo\Parameters\ServiceDll
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\netsvcs_Microsoft Wsacug wgwioqeo
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\netsvcs_Microsoft Wsacug wgwioqeo\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\netsvcs_Microsoft Wsacug wgwioqeo\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\netsvcs_Microsoft Wsacug wgwioqeo\WOW64
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_USERS\S-1-5-18
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_USERS\.DEFAULT\Environment
HKEY_USERS\.DEFAULT\Volatile Environment
HKEY_USERS\.DEFAULT\Volatile Environment\0
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\netsvcs_Microsoft Wsacug wgwioqeo\Environment
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\WOW64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\RequiredPrivileges
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Environment
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Time Zones\China Standard Time\Dynamic DST
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs\CoInitializeSecurityParam
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs\AuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs\ImpersonationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs\AuthenticationCapabilities
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs\CoInitializeSecurityAppID
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs\DeferredCoInitializeSecurityServices
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs\DefaultRpcStackSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs\SystemCritical
HKEY_CURRENT_USER\Software\Classes
HKEY_LOCAL_MACHINE\Software\Classes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\svchost.exe
HKEY_CURRENT_USER
HKEY_USERS\.DEFAULT\Control Panel\International
HKEY_USERS\.DEFAULT\Control Panel\International\LocaleName
HKEY_USERS\.DEFAULT\Control Panel\International\sCountry
HKEY_USERS\.DEFAULT\Control Panel\International\sList
HKEY_USERS\.DEFAULT\Control Panel\International\sDecimal
HKEY_USERS\.DEFAULT\Control Panel\International\sThousand
HKEY_USERS\.DEFAULT\Control Panel\International\sGrouping
HKEY_USERS\.DEFAULT\Control Panel\International\sNativeDigits
HKEY_USERS\.DEFAULT\Control Panel\International\sCurrency
HKEY_USERS\.DEFAULT\Control Panel\International\sMonDecimalSep
HKEY_USERS\.DEFAULT\Control Panel\International\sMonThousandSep
HKEY_USERS\.DEFAULT\Control Panel\International\sMonGrouping
HKEY_USERS\.DEFAULT\Control Panel\International\sPositiveSign
HKEY_USERS\.DEFAULT\Control Panel\International\sNegativeSign
HKEY_USERS\.DEFAULT\Control Panel\International\sTimeFormat
HKEY_USERS\.DEFAULT\Control Panel\International\sShortTime
HKEY_USERS\.DEFAULT\Control Panel\International\s1159
HKEY_USERS\.DEFAULT\Control Panel\International\s2359
HKEY_USERS\.DEFAULT\Control Panel\International\sShortDate
HKEY_USERS\.DEFAULT\Control Panel\International\sYearMonth
HKEY_USERS\.DEFAULT\Control Panel\International\sLongDate
HKEY_USERS\.DEFAULT\Control Panel\International\iCountry
HKEY_USERS\.DEFAULT\Control Panel\International\iMeasure
HKEY_USERS\.DEFAULT\Control Panel\International\iPaperSize
HKEY_USERS\.DEFAULT\Control Panel\International\iDigits
HKEY_USERS\.DEFAULT\Control Panel\International\iLZero
HKEY_USERS\.DEFAULT\Control Panel\International\iNegNumber
HKEY_USERS\.DEFAULT\Control Panel\International\NumShape
HKEY_USERS\.DEFAULT\Control Panel\International\iCurrDigits
HKEY_USERS\.DEFAULT\Control Panel\International\iCurrency
HKEY_USERS\.DEFAULT\Control Panel\International\iNegCurr
HKEY_USERS\.DEFAULT\Control Panel\International\iCalendarType
HKEY_USERS\.DEFAULT\Control Panel\International\iFirstDayOfWeek
HKEY_USERS\.DEFAULT\Control Panel\International\iFirstWeekOfYear
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\netsvcs_Microsoft Wsacug wgwioqeo\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\netsvcs_Microsoft Wsacug wgwioqeo\Parameters\ServiceManifest
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\netsvcs_Microsoft Wsacug wgwioqeo\Parameters\ServiceMain
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\WerSvcGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wersvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Parameters\ServiceDll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Parameters\ServiceManifest
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Parameters\ServiceMain
HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\ServiceTimeout
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Parameters\ServiceDllUnloadOnStop
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\NoReflection
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\PropertyBag
HKEY_USERS\S-1-5-21-2280033686-3172497658-3481507381-1000
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2280033686-3172497658-3481507381-1000
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2280033686-3172497658-3481507381-1000\ProfileImagePath
HKEY_USERS\S-1-5-21-2280033686-3172497658-3481507381-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_USERS\S-1-5-21-2280033686-3172497658-3481507381-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\S-1-5-21-2280033686-3172497658-3481507381-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_USERS\S-1-5-21-2280033686-3172497658-3481507381-1000\Environment
HKEY_USERS\S-1-5-21-2280033686-3172497658-3481507381-1000\Volatile Environment
HKEY_USERS\S-1-5-21-2280033686-3172497658-3481507381-1000\Volatile Environment\0
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Windows Error Reporting
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\TraceFlags
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\Debug
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\NoReflection
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\Plugins\AppRecorder
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\Plugins\FDR\CurrentSession
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\Debug\ExceptionRecord
HKEY_CURRENT_USER\Software\Microsoft\Windiff
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\CurrentType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\MachineID
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\Consent
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\Consent\DefaultConsent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\DontSendAdditionalData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Disabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Consent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Consent\DefaultConsent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Consent\DefaultOverrideBehavior
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Consent\APPCRASH
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LoggingDisabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\DontShowUI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\DisableArchive
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\ConfigureArchive
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\DisableQueue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\MaxQueueCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\MaxArchiveCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\ForceQueue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\QueuePesterInterval
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\ExcludedApplications
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\DebugApplications
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\SendEFSFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\BypassDataThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\ForceUserModeCabCollection
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Windows Error Reporting
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\DontSendAdditionalData
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\Disabled
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\Consent\DefaultOverrideBehavior
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\Consent\APPCRASH
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\LoggingDisabled
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\DontShowUI
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\DisableArchive
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\ConfigureArchive
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\DisableQueue
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\MaxQueueCount
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\MaxArchiveCount
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\ForceQueue
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\QueuePesterInterval
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\ExcludedApplications
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\DebugApplications
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\SendEFSFiles
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\BypassDataThrottling
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\ForceUserModeCabCollection
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\CorporateWerServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\CorporateWerUseSSL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\CorporateWerPortNumber
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\CorporateWerUseAuthentication
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Reliability Analysis\RAC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Reliability Analysis\RAC\RacWerSampleTime
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\Software\Microsoft\DirectUI
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInset
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragDelay
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragMinDist
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollDelay
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInterval
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\\xe5\xae\x8b\xe4\xbd\x93
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledProcesses\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\6FD5A890
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledSessions\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\LocalDumps

读取的注册表键

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\netsvcs_Microsoft Wsacug wgwioqeo\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\netsvcs_Microsoft Wsacug wgwioqeo\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\netsvcs_Microsoft Wsacug wgwioqeo\WOW64
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\netsvcs_Microsoft Wsacug wgwioqeo\Environment
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\WOW64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\RequiredPrivileges
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Environment
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs\CoInitializeSecurityParam
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs\AuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs\ImpersonationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs\AuthenticationCapabilities
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs\CoInitializeSecurityAppID
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs\DeferredCoInitializeSecurityServices
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs\DefaultRpcStackSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs\SystemCritical
HKEY_USERS\.DEFAULT\Control Panel\International\LocaleName
HKEY_USERS\.DEFAULT\Control Panel\International\sCountry
HKEY_USERS\.DEFAULT\Control Panel\International\sList
HKEY_USERS\.DEFAULT\Control Panel\International\sDecimal
HKEY_USERS\.DEFAULT\Control Panel\International\sThousand
HKEY_USERS\.DEFAULT\Control Panel\International\sGrouping
HKEY_USERS\.DEFAULT\Control Panel\International\sNativeDigits
HKEY_USERS\.DEFAULT\Control Panel\International\sCurrency
HKEY_USERS\.DEFAULT\Control Panel\International\sMonDecimalSep
HKEY_USERS\.DEFAULT\Control Panel\International\sMonThousandSep
HKEY_USERS\.DEFAULT\Control Panel\International\sMonGrouping
HKEY_USERS\.DEFAULT\Control Panel\International\sPositiveSign
HKEY_USERS\.DEFAULT\Control Panel\International\sNegativeSign
HKEY_USERS\.DEFAULT\Control Panel\International\sTimeFormat
HKEY_USERS\.DEFAULT\Control Panel\International\sShortTime
HKEY_USERS\.DEFAULT\Control Panel\International\s1159
HKEY_USERS\.DEFAULT\Control Panel\International\s2359
HKEY_USERS\.DEFAULT\Control Panel\International\sShortDate
HKEY_USERS\.DEFAULT\Control Panel\International\sYearMonth
HKEY_USERS\.DEFAULT\Control Panel\International\sLongDate
HKEY_USERS\.DEFAULT\Control Panel\International\iCountry
HKEY_USERS\.DEFAULT\Control Panel\International\iMeasure
HKEY_USERS\.DEFAULT\Control Panel\International\iPaperSize
HKEY_USERS\.DEFAULT\Control Panel\International\iDigits
HKEY_USERS\.DEFAULT\Control Panel\International\iLZero
HKEY_USERS\.DEFAULT\Control Panel\International\iNegNumber
HKEY_USERS\.DEFAULT\Control Panel\International\NumShape
HKEY_USERS\.DEFAULT\Control Panel\International\iCurrDigits
HKEY_USERS\.DEFAULT\Control Panel\International\iCurrency
HKEY_USERS\.DEFAULT\Control Panel\International\iNegCurr
HKEY_USERS\.DEFAULT\Control Panel\International\iCalendarType
HKEY_USERS\.DEFAULT\Control Panel\International\iFirstDayOfWeek
HKEY_USERS\.DEFAULT\Control Panel\International\iFirstWeekOfYear
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\netsvcs_Microsoft Wsacug wgwioqeo\Parameters\ServiceDll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\netsvcs_Microsoft Wsacug wgwioqeo\Parameters\ServiceManifest
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\netsvcs_Microsoft Wsacug wgwioqeo\Parameters\ServiceMain
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\WerSvcGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Parameters\ServiceDll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Parameters\ServiceManifest
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Parameters\ServiceMain
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\ServiceTimeout
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Parameters\ServiceDllUnloadOnStop
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\NoReflection
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{62AB5D82-FDC1-4DC3-A9DD-070D1D495D97}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2280033686-3172497658-3481507381-1000\ProfileImagePath
HKEY_USERS\S-1-5-21-2280033686-3172497658-3481507381-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\S-1-5-21-2280033686-3172497658-3481507381-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\TraceFlags
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\NoReflection
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\CurrentType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\MachineID
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\Consent\DefaultConsent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\DontSendAdditionalData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Disabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Consent\DefaultConsent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Consent\DefaultOverrideBehavior
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Consent\APPCRASH
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LoggingDisabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\DontShowUI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\DisableArchive
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\ConfigureArchive
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\DisableQueue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\MaxQueueCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\MaxArchiveCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\ForceQueue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\QueuePesterInterval
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\SendEFSFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\BypassDataThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\ForceUserModeCabCollection
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\DontSendAdditionalData
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\Disabled
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\Consent\DefaultOverrideBehavior
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\Consent\APPCRASH
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\LoggingDisabled
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\DontShowUI
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\DisableArchive
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\ConfigureArchive
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\DisableQueue
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\MaxQueueCount
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\MaxArchiveCount
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\ForceQueue
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\QueuePesterInterval
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\SendEFSFiles
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\BypassDataThrottling
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\ForceUserModeCabCollection
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\CorporateWerServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\CorporateWerUseSSL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\CorporateWerPortNumber
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\CorporateWerUseAuthentication
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Reliability Analysis\RAC\RacWerSampleTime
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInset
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragDelay
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragMinDist
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollDelay
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInterval
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\\xe5\xae\x8b\xe4\xbd\x93
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\6FD5A890
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession

修改的注册表键

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\netsvcs_Microsoft Wsacug wgwioqeo\Description
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsvcs_Microsoft Wsacug wgwioqeo\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\netsvcs_Microsoft Wsacug wgwioqeo\Parameters\ServiceDll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WerSvc\Type
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\Debug\ExceptionRecord

删除的注册表键 无信息

API解析

kernel32.dll.VirtualAlloc
kernel32.dll.IsBadReadPtr
kernel32.dll.HeapReAlloc
kernel32.dll.HeapAlloc
kernel32.dll.GetProcessHeap
kernel32.dll.SetUnhandledExceptionFilter
kernel32.dll.GetModuleFileNameA
kernel32.dll.GetSystemDirectoryA
kernel32.dll.GetTickCount
kernel32.dll.MoveFileA
kernel32.dll.MoveFileExA
kernel32.dll.ExpandEnvironmentStringsA
kernel32.dll.SetLastError
kernel32.dll.lstrcmpiA
kernel32.dll.lstrlenA
kernel32.dll.lstrcpyA
kernel32.dll.ExitProcess
kernel32.dll.lstrcatA
kernel32.dll.LoadLibraryA
kernel32.dll.GetLastError
kernel32.dll.GetProcAddress
kernel32.dll.DisableThreadLibraryCalls
advapi32.dll.OpenServiceA
advapi32.dll.StartServiceA
advapi32.dll.CreateServiceA
advapi32.dll.LockServiceDatabase
advapi32.dll.UnlockServiceDatabase
advapi32.dll.CloseServiceHandle
advapi32.dll.RegCreateKeyExA
advapi32.dll.RegSetValueExA
advapi32.dll.RegDeleteValueA
advapi32.dll.RegQueryValueExA
msvcrt.dll.malloc
msvcrt.dll.strchr
msvcrt.dll.??2@YAPAXI@Z
msvcrt.dll.__CxxFrameHandler
msvcrt.dll._CxxThrowException
msvcrt.dll.??3@YAXPAX@Z
msvcrt.dll.??1type_info@@UAE@XZ
msvcrt.dll.free
msvcrt.dll._initterm
msvcrt.dll._adjust_fdiv
msvcrt.dll._except_handler3
user32.dll.wsprintfA
kernel32.dll.VirtualFree
kernel32.dll.VirtualProtect
advapi32.dll.RegCloseKey
advapi32.dll.RegOpenKeyExA
advapi32.dll.ChangeServiceConfig2A
advapi32.dll.OpenSCManagerA
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
advapi32.dll.RegDeleteKeyA
kernel32.dll.FlsGetValue
ole32.dll.CoInitializeEx
cryptbase.dll.SystemFunction036
ole32.dll.CoInitializeSecurity
sechost.dll.LookupAccountNameLocalW
advapi32.dll.LookupAccountSidW
sechost.dll.LookupAccountSidLocalW
ole32.dll.CoCreateInstance
aimgea.dll.ServiceMain
ws2_32.dll.#6
ws2_32.dll.#57
ws2_32.dll.#19
ws2_32.dll.#3
ws2_32.dll.#16
ws2_32.dll.#18
ws2_32.dll.#23
ws2_32.dll.#52
ws2_32.dll.#9
ws2_32.dll.#4
ws2_32.dll.#116
ws2_32.dll.#21
ws2_32.dll.#115
msvcrt.dll._beginthreadex
msvcrt.dll.strncat
msvcrt.dll.realloc
msvcrt.dll.strrchr
msvcrt.dll.strncpy
msvcrt.dll.strstr
msvcrt.dll._ftol
msvcrt.dll.ceil
msvcrt.dll.memmove
msvcrt.dll._stricmp
msvcrt.dll._strnicmp
kernel32.dll.LeaveCriticalSection
kernel32.dll.EnterCriticalSection
kernel32.dll.DeleteCriticalSection
kernel32.dll.CreateEventA
kernel32.dll.CloseHandle
kernel32.dll.WaitForSingleObject
kernel32.dll.ResetEvent
kernel32.dll.SetEvent
kernel32.dll.InterlockedExchange
kernel32.dll.CancelIo
kernel32.dll.Sleep
kernel32.dll.CreateFileA
kernel32.dll.GetFileAttributesA
kernel32.dll.CreateProcessA
kernel32.dll.GetCurrentProcess
kernel32.dll.FreeLibrary
kernel32.dll.TerminateThread
kernel32.dll.InitializeCriticalSection
kernel32.dll.HeapFree
kernel32.dll.Process32Next
kernel32.dll.Process32First
kernel32.dll.GetLocalTime
kernel32.dll.GetSystemInfo
kernel32.dll.GetDiskFreeSpaceExA
kernel32.dll.GetDriveTypeA
kernel32.dll.GlobalMemoryStatusEx
kernel32.dll.GetVersionExA
kernel32.dll.SetErrorMode
kernel32.dll.GetCurrentThreadId
kernel32.dll.WriteFile
user32.dll.GetUserObjectInformationA
user32.dll.SetThreadDesktop
user32.dll.CloseDesktop
user32.dll.OpenInputDesktop
user32.dll.GetThreadDesktop
advapi32.dll.OpenEventLogA
advapi32.dll.ClearEventLogA
advapi32.dll.CloseEventLog
advapi32.dll.RegEnumKeyExA
advapi32.dll.RegEnumValueA
advapi32.dll.RegQueryValueA
advapi32.dll.AdjustTokenPrivileges
advapi32.dll.LookupPrivilegeValueA
advapi32.dll.OpenProcessToken
kernel32.dll.CreateToolhelp32Snapshot
ws2_32.dll.WSAIoctl
wersvc.dll.ServiceMain
wersvc.dll.SvchostPushServiceGlobals
advapi32.dll.RegGetValueW
sechost.dll.ConvertStringSecurityDescriptorToSecurityDescriptorW
faultrep.dll.WerpInitiateCrashReporting
wer.dll.WerpCreateMachineStore
shell32.dll.SHGetFolderPathEx
ole32.dll.StringFromGUID2
profapi.dll.#104
userenv.dll.CreateEnvironmentBlock
sechost.dll.ConvertSidToStringSidW
sspicli.dll.GetUserNameExW
userenv.dll.DestroyEnvironmentBlock
imm32.dll.ImmDisableIME
psapi.dll.GetModuleFileNameExW
version.dll.GetFileVersionInfoSizeW
version.dll.GetFileVersionInfoW
version.dll.VerQueryValueW
wer.dll.WerpCreateIntegratorReportId
wer.dll.WerReportCreate
wer.dll.WerpSetIntegratorReportId
wer.dll.WerReportSetParameter
dbgeng.dll.DebugCreate
ntdll.dll.CsrGetProcessId
ntdll.dll.DbgBreakPoint
ntdll.dll.DbgPrint
ntdll.dll.DbgPrompt
ntdll.dll.DbgUiConvertStateChangeStructure
ntdll.dll.DbgUiGetThreadDebugObject
ntdll.dll.DbgUiIssueRemoteBreakin
ntdll.dll.DbgUiSetThreadDebugObject
ntdll.dll.NtAllocateVirtualMemory
ntdll.dll.NtClose
ntdll.dll.NtCreateDebugObject
ntdll.dll.NtCreateFile
ntdll.dll.NtDebugActiveProcess
ntdll.dll.NtDebugContinue
ntdll.dll.NtFreeVirtualMemory
ntdll.dll.NtOpenProcess
ntdll.dll.NtOpenThread
ntdll.dll.NtQueryInformationProcess
ntdll.dll.NtQueryInformationThread
ntdll.dll.NtQueryMutant
ntdll.dll.NtQueryObject
ntdll.dll.NtQuerySystemInformation
ntdll.dll.NtRemoveProcessDebug
ntdll.dll.NtResumeThread
ntdll.dll.NtSetInformationDebugObject
ntdll.dll.NtSetInformationProcess
ntdll.dll.NtSystemDebugControl
ntdll.dll.NtWaitForDebugEvent
ntdll.dll.RtlAnsiStringToUnicodeString
ntdll.dll.RtlCreateProcessParameters
ntdll.dll.RtlCreateUserProcess
ntdll.dll.RtlDestroyProcessParameters
ntdll.dll.RtlDosPathNameToNtPathName_U
ntdll.dll.RtlFindMessage
ntdll.dll.RtlFreeHeap
ntdll.dll.RtlFreeUnicodeString
ntdll.dll.RtlGetUnloadEventTrace
ntdll.dll.RtlGetUnloadEventTraceEx
ntdll.dll.RtlInitAnsiString
ntdll.dll.RtlInitUnicodeString
ntdll.dll.RtlTryEnterCriticalSection
ntdll.dll.RtlUnicodeStringToAnsiString
ntdll.dll.NtOpenProcessToken
ntdll.dll.NtOpenThreadToken
ntdll.dll.NtQueryInformationToken
kernel32.dll.CloseProfileUserMapping
kernel32.dll.DebugActiveProcessStop
kernel32.dll.DebugBreak
kernel32.dll.DebugBreakProcess
kernel32.dll.DebugSetProcessKillOnExit
kernel32.dll.Module32First
kernel32.dll.Module32FirstW
kernel32.dll.Module32Next
kernel32.dll.Module32NextW
kernel32.dll.OpenThread
kernel32.dll.Process32FirstW
kernel32.dll.Process32NextW
kernel32.dll.ProcessIdToSessionId
kernel32.dll.SetProcessShutdownParameters
kernel32.dll.Thread32First
kernel32.dll.Thread32Next
kernel32.dll.GetTimeZoneInformation
kernel32.dll.DuplicateHandle
kernel32.dll.Wow64GetThreadSelectorEntry
advapi32.dll.ControlService
advapi32.dll.CreateServiceW
advapi32.dll.DeleteService
advapi32.dll.EnumServicesStatusExA
advapi32.dll.EnumServicesStatusExW
advapi32.dll.GetEventLogInformation
advapi32.dll.GetTokenInformation
advapi32.dll.OpenSCManagerW
advapi32.dll.OpenServiceW
advapi32.dll.StartServiceW
advapi32.dll.GetSidSubAuthority
advapi32.dll.GetSidSubAuthorityCount
version.dll.GetFileVersionInfoSizeExW
version.dll.GetFileVersionInfoExW
dbghelp.dll.WinDbgExtensionDllInit
dbghelp.dll.ExtensionApiVersion
wer.dll.WerpSetDynamicParameter
wer.dll.WerReportAddDump
wer.dll.WerpSetCallBack
wer.dll.WerReportSetUIOption
wer.dll.WerpAddRegisteredDataToReport
wer.dll.WerReportSubmit
advapi32.dll.RegOpenKeyExW
user32.dll.LoadStringW
advapi32.dll.RegQueryValueExW
advapi32.dll.AllocateAndInitializeSid
advapi32.dll.CheckTokenMembership
user32.dll.GetProcessWindowStation
user32.dll.GetUserObjectInformationW
advapi32.dll.FreeSid
sensapi.dll.IsNetworkAlive
rpcrt4.dll.RpcBindingFromStringBindingW
rpcrt4.dll.RpcBindingSetAuthInfoExW
rpcrt4.dll.NdrClientCall2
user32.dll.CharUpperW
werui.dll.WerUICreate
werui.dll.WerUIStart
ole32.dll.CoInitialize
ole32.dll.CoUninitialize
oleaut32.dll.#500
kernel32.dll.CreateActCtxW
kernel32.dll.ActivateActCtx
dui70.dll.InitProcessPriv
kernel32.dll.QueryActCtxW
kernel32.dll.FindActCtxSectionStringW
kernel32.dll.DeactivateActCtx
comctl32.dll.LoadIconWithScaleDown
ntdll.dll.RtlRunEncodeUnicodeString
ntdll.dll.RtlRunDecodeUnicodeString
dui70.dll.InitThread
duser.dll.InitGadgets
user32.dll.RegisterMessagePumpHook
dui70.dll.?GetClassInfoPtr@CCBase@DirectUI@@SGPAUIClassInfo@2@XZ
dui70.dll.?GetFactoryLock@Element@DirectUI@@SGPAU_RTL_CRITICAL_SECTION@@XZ
dui70.dll.??0CritSecLock@DirectUI@@QAE@PAU_RTL_CRITICAL_SECTION@@@Z
dui70.dll.?ClassExist@ClassInfoBase@DirectUI@@SG_NPAPAUIClassInfo@2@PBQBUPropertyInfo@2@IPAU32@PAUHINSTANCE__@@PBG_N@Z
dui70.dll.??0ClassInfoBase@DirectUI@@QAE@XZ
dui70.dll.?Initialize@ClassInfoBase@DirectUI@@QAEJPAUHINSTANCE__@@PBG_NPBQBUPropertyInfo@2@I@Z
dui70.dll.?Register@ClassInfoBase@DirectUI@@QAEJXZ
dui70.dll.?IsGlobal@ClassInfoBase@DirectUI@@UBE_NXZ
dui70.dll.?GetName@ClassInfoBase@DirectUI@@UBEPBGXZ
dui70.dll.?GetModule@ClassInfoBase@DirectUI@@UBEPAUHINSTANCE__@@XZ
dui70.dll.??1CritSecLock@DirectUI@@QAE@XZ
dui70.dll.??0CCBase@DirectUI@@QAE@KPBG@Z
dui70.dll.?Initialize@CCBase@DirectUI@@QAEJIPAVElement@2@PAK@Z
duser.dll.CreateGadget
duser.dll.SetGadgetMessageFilter
duser.dll.SetGadgetStyle
dui70.dll.?OnPropertyChanging@Element@DirectUI@@UAE_NPBUPropertyInfo@2@HPAVValue@2@1@Z
dui70.dll.?HandleUiaPropertyChangingListener@Element@DirectUI@@UAEXPBUPropertyInfo@2@@Z
dui70.dll.?HandleUiaPropertyListener@Element@DirectUI@@UAEXPBUPropertyInfo@2@HPAVValue@2@1@Z
dui70.dll.?DirectionProp@Element@DirectUI@@SGPBUPropertyInfo@2@XZ
dui70.dll.?OnPropertyChanged@CCBase@DirectUI@@UAEXPBUPropertyInfo@2@HPAVValue@2@1@Z
dui70.dll.?SetFontSize@Element@DirectUI@@QAEJH@Z
dui70.dll.?SetWidth@Element@DirectUI@@QAEJH@Z
dui70.dll.?SetHeight@Element@DirectUI@@QAEJH@Z
dui70.dll.?EndDefer@Element@DirectUI@@QAEXK@Z
dui70.dll.?OnGroupChanged@Element@DirectUI@@UAEXH_N@Z
duser.dll.InvalidateGadget
dui70.dll.CreateDUIWrapper
dui70.dll.?SetNotifyHandler@CCBase@DirectUI@@QAEXP6GHIIJPAJPAX@Z1@Z
shell32.dll.ExtractIconExW
comctl32.dll.TaskDialogIndirect
uxtheme.dll.IsThemeActive
duser.dll.SetGadgetRootInfo
dwmapi.dll.DwmIsCompositionEnabled
uxtheme.dll.IsAppThemed
ole32.dll.CreateStreamOnHGlobal
xmllite.dll.CreateXmlReader
xmllite.dll.CreateXmlReaderInputWithEncodingName
duser.dll.FindStdColor
oleaut32.dll.#6
duser.dll.SetGadgetParent
duser.dll.GetDUserModule
duser.dll.AttachWndProcW
kernel32.dll.IsProcessorFeaturePresent
kernel32.dll.InterlockedPopEntrySList
kernel32.dll.InterlockedPushEntrySList
kernel32.dll.InterlockedCompareExchange
comctl32.dll.RegisterClassNameW
uxtheme.dll.OpenThemeData
duser.dll.GetGadgetRect
duser.dll.GetGadgetRgn
duser.dll.GetGadgetTicket
dui70.dll.?GetPICount@ClassInfoBase@DirectUI@@UBEIXZ
dui70.dll.?GetByClassIndex@ClassInfoBase@DirectUI@@UAEPBUPropertyInfo@2@I@Z
dui70.dll.?OnHosted@HWNDHost@DirectUI@@MAEXPAVElement@2@@Z
dui70.dll.?CreateAccNameLabel@HWNDHost@DirectUI@@IAEPAUHWND__@@PAU3@@Z
uxtheme.dll.EnableThemeDialogTexture
dui70.dll.?OnMessage@HWNDHost@DirectUI@@UAE_NIIJPAJ@Z
dui70.dll.?CreateHWND@CCBase@DirectUI@@UAEPAUHWND__@@PAU3@@Z
dui70.dll.?PostCreate@CCBase@DirectUI@@MAEXPAUHWND__@@@Z
dui70.dll.?IsContentProtected@Element@DirectUI@@UAE_NXZ
duser.dll.GetGadgetFocus
gdi32.dll.GetLayout
gdi32.dll.GdiRealizationInfo
gdi32.dll.FontIsLinked
advapi32.dll.RegQueryInfoKeyW
gdi32.dll.GetTextFaceAliasW
advapi32.dll.RegEnumValueW
advapi32.dll.RegEnumKeyExW
gdi32.dll.GetTextExtentExPointWPri
duser.dll.SetGadgetFocus
duser.dll.DUserSendEvent
duser.dll.SetGadgetRect
comctl32.dll.SetWindowSubclass
comctl32.dll.DefSubclassProc
dui70.dll.?GetHWND@HWNDHost@DirectUI@@UAEPAUHWND__@@XZ
user32.dll.FrostCrashedWindow
uxtheme.dll.BufferedPaintInit
uxtheme.dll.BeginBufferedPaint
uxtheme.dll.GetBufferedPaintDC
uxtheme.dll.GetBufferedPaintTargetDC
uxtheme.dll.EndBufferedPaint
duser.dll.ForwardGadgetMessage
duser.dll.FindGadgetFromPoint
comctl32.dll.RemoveWindowSubclass
dui70.dll.?OnUnHosted@HWNDHost@DirectUI@@MAEXPAVElement@2@@Z
duser.dll.DisableContainerHwnd
dui70.dll.?MessageCallback@HWNDHost@DirectUI@@UAEIPAUtagGMSG@@@Z
dui70.dll.?HandleUiaDestroyListener@Element@DirectUI@@UAEXXZ
dui70.dll.?OnDestroy@HWNDHost@DirectUI@@UAEXXZ
dui70.dll.??1CCBase@DirectUI@@UAE@XZ
uxtheme.dll.BufferedPaintUnInit
duser.dll.DUserFlushMessages
duser.dll.DUserFlushDeferredMessages
duser.dll.DeleteHandle
dui70.dll.UnInitThread
user32.dll.UnregisterMessagePumpHook
advapi32.dll.IsValidSid
advapi32.dll.GetLengthSid
advapi32.dll.CopySid
shell32.dll.SHGetFolderPathW
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptCreateHash
cryptsp.dll.CryptHashData
cryptsp.dll.CryptGetHashParam
cryptsp.dll.CryptDestroyHash
cryptsp.dll.CryptReleaseContext
dui70.dll.UnInitProcessPriv
dui70.dll.?Release@ClassInfoBase@DirectUI@@UAEHXZ
dui70.dll.?GetGlobalIndex@ClassInfoBase@DirectUI@@UBEIXZ
dui70.dll.??1ClassInfoBase@DirectUI@@UAE@XZ
kernel32.dll.ReleaseActCtx
advapi32.dll.RegisterEventSourceW
advapi32.dll.ReportEventW
advapi32.dll.DeregisterEventSource
werui.dll.WerUITerminate
werui.dll.WerUIDelete
wer.dll.WerReportCloseHandle
user32.dll.MsgWaitForMultipleObjects
advapi32.dll.DuplicateToken
wer.dll.WerpFreeString
rpcrt4.dll.RpcBindingFree