魔盾安全分析报告
| 分析类型 | 开始时间 | 结束时间 | 持续时间 | 分析引擎版本 |
|---|---|---|---|---|
| FILE | 2022-09-25 03:35:30 | 2022-09-25 03:36:40 | 70 秒 | 1.4-Maldun |
| 虚拟机机器名 | 标签 | 虚拟机管理 | 开机时间 | 关机时间 |
|---|---|---|---|---|
| win7-sp1-x64-shaapp03-1 | win7-sp1-x64-shaapp03-1 | KVM | 2022-09-25 03:35:32 | 2022-09-25 03:36:42 |
| 魔盾分数 |
|---|
10.0恶意的 |
文件详细信息
| 文件名 | CBAIDE-V2.0.exe |
|---|---|
| 文件大小 | 28823552 字节 |
| 文件类型 | PE32 executable (GUI) Intel 80386, for MS Windows |
| CRC32 | F8EE24F4 |
| MD5 | cab033deb1cca30909cbaeb24b6e038a |
| SHA1 | 90a104c1c542013e29409ab12ecdd5fa6fb46284 |
| SHA256 | bd415a063526f28c5f6c6411779776c033e3d2d3c550a492ae2a4dbcd135f2b2 |
| SHA512 | 642dda56390a5334f25703540aa16187b31d88d833a142b43070b1568d3fef34efc67e4a9c55e3f11cbfe007ededa057260869b008a5a99dc86264eec0e04843 |
| Ssdeep | 786432:paLg+moS9iEkJjnvwaEqANGJeyNsJkZwXD:paL5mD9iXRnIaZNsJkZ |
| PEiD | 无匹配 |
| Yara |
|
| VirusTotal | VirusTotal查询失败 |
特征
创建RWX内存
通过进程尝试延迟分析任务
Process: explorer.exe tried to sleep 60 seconds, actually delayed analysis time by 0 seconds
魔盾wping.org IP地址信誉系统
Greylist: 180.97.105.13
Greylist: 66.70.229.50
发起了一些HTTP请求
URL: http://activate.htsoft.com/activate/test.html
二进制文件可能包含加密或压缩数据
section: name: .vmp1, entropy: 7.82, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x01b7a000, virtual_size: 0x01b79884
样本投放可执行文件到临时目录
魔盾安全Yara规则检测结果 - 安全告警
Informational: Possibly employs anti-virtualization techniques
Critical: Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files
创建一个隐藏文件或系统文件
file: C:\unoka128
可执行文件可能使用VMProtect打包
section: {'name': '.vmp0', 'characteristics': 'IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE', 'virtual_address': '0x019c8000', 'size_of_data': '0x00000000', 'entropy': '0.00', 'virtual_size': '0x000dd5cd', 'characteristics_raw': '0xe0000060'}
检测到网络活动但没有显示在API日志中
country_name: China
ip: 180.97.105.13
inaddrarpa:
hostname: fmd-data.gz.bcebos.com
score: 5
ip: 180.97.105.13
domain: fmd-data.gz.bcebos.com
可疑的样本异常终止
尝试阻止沙箱线程以防止恶意行为被记录
异常的多次调用CMD
Command: cmd.exe /c explorer.exe c:\users\test\appdata\local\temp\systloge.exe
检测到样本尝试模糊或欺骗文件类型
运行截图
网络分析
访问主机记录
| 直接访问 | IP地址 | 国家名 |
|---|---|---|
| 否 | 180.97.105.13 | China |
| 否 | 66.70.229.50 | United States |
域名解析
| 域名 | 响应 |
|---|---|
| fmd-data.gz.bcebos.com |
A 180.97.105.13
CNAME gz.bcebos.com CNAME bos.gz.bcebos.n.shifen.com |
| activate.htsoft.com | A 66.70.229.50 |
TCP连接
| IP地址 | 端口 |
|---|---|
| 180.97.105.13 | 443 |
| 23.192.228.89 | 80 |
| 66.70.229.50 | 80 |
| 66.70.229.50 | 443 |
UDP连接
| IP地址 | 端口 |
|---|---|
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
| 192.168.122.1 | 53 |
HTTP请求
| URL | HTTP数据 |
|---|---|
| http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip | GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1 Accept: */* If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT User-Agent: IPM Host: acroipm.adobe.com Connection: Keep-Alive Cache-Control: no-cache |
| http://activate.htsoft.com/activate/test.html | GET /activate/test.html HTTP/1.1 User-Agent: URL_download Host: activate.htsoft.com |
静态分析
PE 信息
| 初始地址 | 0x00400000 |
|---|---|
| 入口地址 | 0x01eb9628 |
| 声明校验值 | 0x00000000 |
| 实际校验值 | 0x01b81900 |
| 最低操作系统版本要求 | 5.0 |
| 编译时间 | 2021-12-28 20:00:13 |
| 载入哈希 | 61dfbc7d3afe009a71d057c42fa99ec4 |
| 图标 |  |
| 图标精确哈希值 | ddea6aed184e5f40c47b4f8604799be3 |
| 图标相似性哈希值 | d8a0ba9ab3d18f8a88c48ff3a55f7629 |
版本信息
| LegalCopyright: | CABIDE 2.1.7 Installation |
| FileVersion: | 2.1.7.0 |
| CompanyName: | CAB |
| Comments: | CABIDE 2.1.7 Installation |
| ProductName: | CAB |
| ProductVersion: | 2.1.7.0 |
| FileDescription: | CABIDE 2.1.7 Installation |
| Translation: | 0x0804 0x04b0 |
PE数据组成
| 名称 | 虚拟地址 | 虚拟大小 | 原始数据大小 | 特征 | 熵(Entropy) |
|---|---|---|---|---|---|
| .text | 0x00001000 | 0x000a1416 | 0x00000000 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 0.00 |
| .rdata | 0x000a3000 | 0x018d5f00 | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 0.00 |
| .data | 0x01979000 | 0x0004e14a | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 0.00 |
| .vmp0 | 0x019c8000 | 0x000dd5cd | 0x00000000 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 0.00 |
| .vmp1 | 0x01aa6000 | 0x01b79884 | 0x01b7a000 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 7.82 |
| .rsrc | 0x03620000 | 0x00001d91 | 0x00002000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 4.23 |
资源
| 名称 | 偏移量 | 大小 | 语言 | 子语言 | 熵(Entropy) | 文件类型 |
|---|---|---|---|---|---|---|
| RT_ICON | 0x03621024 | 0x000008a8 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 4.27 | data |
| RT_ICON | 0x03621024 | 0x000008a8 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 4.27 | data |
| RT_ICON | 0x03621024 | 0x000008a8 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 4.27 | data |
| RT_ICON | 0x03621024 | 0x000008a8 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 4.27 | data |
| RT_ICON | 0x03621024 | 0x000008a8 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 4.27 | data |
| RT_ICON | 0x03621024 | 0x000008a8 | LANG_NEUTRAL | SUBLANG_NEUTRAL | 4.27 | data |
| RT_GROUP_ICON | 0x03621920 | 0x00000014 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.02 | MS Windows icon resource - 1 icon, 16x16, 16 colors |
| RT_GROUP_ICON | 0x03621920 | 0x00000014 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.02 | MS Windows icon resource - 1 icon, 16x16, 16 colors |
| RT_GROUP_ICON | 0x03621920 | 0x00000014 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.02 | MS Windows icon resource - 1 icon, 16x16, 16 colors |
| RT_VERSION | 0x03621934 | 0x00000290 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 3.34 | MS Windows COFF PA-RISC object file |
| RT_MANIFEST | 0x03621bc4 | 0x000001cd | LANG_NEUTRAL | SUBLANG_NEUTRAL | 5.08 | XML 1.0 document, ASCII text, with very long lines, with no line terminators |
导入
库 WINMM.dll:
• 0x3a11000 - waveOutWrite
库 WS2_32.dll:
• 0x3a11008 - WSAAsyncSelect
库 VERSION.dll:
• 0x3a11010 - VerLanguageNameA
库 KERNEL32.dll:
• 0x3a11018 - GetVersionExA
• 0x3a1101c - GetVersion
• 0x3a11020 - EnumResourceNamesA
库 USER32.dll:
• 0x3a11028 - WinHelpA
库 GDI32.dll:
• 0x3a11030 - SetBkColor
库 WINSPOOL.DRV:
• 0x3a11038 - DocumentPropertiesA
库 ADVAPI32.dll:
• 0x3a11040 - RegSetValueExA
库 SHELL32.dll:
• 0x3a11048 - ShellExecuteA
库 ole32.dll:
• 0x3a11050 - CLSIDFromString
库 OLEAUT32.dll:
• 0x3a11058 - RegisterTypeLib
库 COMCTL32.dll:
• 0x3a11060 - ImageList_Destroy
库 comdlg32.dll:
• 0x3a11068 - ChooseColorA
库 KERNEL32.dll:
• 0x3a11070 - GetModuleFileNameW
库 KERNEL32.dll:
• 0x3a11078 - GetModuleHandleA
• 0x3a1107c - LoadLibraryA
• 0x3a11080 - LocalAlloc
• 0x3a11084 - LocalFree
• 0x3a11088 - GetModuleFileNameA
• 0x3a1108c - ExitProcess
投放文件
行为分析
互斥量(Mutexes)
无信息
执行的命令
- cmd.exe /C explorer.exe C:\Users\test\AppData\Local\Temp\SystLoge.exe
- explorer.exe C:\Users\test\AppData\Local\Temp\SystLoge.exe
创建的服务
无信息
启动的服务
无信息
进程
CBAIDE-V2.0.exe PID: 2752, 上一级进程 PID: 2352
cmd.exe PID: 2932, 上一级进程 PID: 2752
explorer.exe PID: 3008, 上一级进程 PID: 2932
访问的文件
- C:\Users\test\AppData\Local\Temp\CBAIDE-V2.0.exe
- C:\Windows\Globalization\Sorting\sortdefault.nls
- C:\Windows\Fonts\staticcache.dat
- C:\unoka128
- C:\
- C:\Windows\SysWOW64\zh-CN\KERNELBASE.dll.mui
- C:\Windows\System32\tzres.dll
- C:\Users\test\AppData\Local\Temp\SystLoge.exe
- C:\Users\test\AppData\Local\Temp\shlwapi.dll
- C:\Program Files (x86)\CAB\CABIDE\data
- C:\Program Files\CAB\CABIDE\data
- C:\Users\test\AppData\Local\Temp\kernel32.DLL
- C:\Users\test\AppData\Local\Temp
- C:\Users
- C:\Users\test
- C:\Users\test\AppData
- C:\Users\test\AppData\Local
- C:\Users\test\AppData\Local\Temp\explorer.exe
- C:\Users\test\AppData\Local\Temp\explorer.exe.*
- C:\ProgramData\Oracle\Java\javapath\explorer.exe
- C:\ProgramData\Oracle\Java\javapath\explorer.exe.*
- C:\Windows\System32\explorer.exe
- C:\Windows\SysWOW64\explorer.exe.123.Manifest
- \Device\KsecDD
- C:\Windows\SysWOW64\shell32.dll
- C:\Users\test\AppData\Local\Microsoft\Windows\Caches
- C:\Users\test\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
- C:\Users\test\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000052.db
- C:\Users\desktop.ini
- \??\MountPointManager
读取的文件
- C:\Users\test\AppData\Local\Temp\CBAIDE-V2.0.exe
- C:\Windows\Globalization\Sorting\sortdefault.nls
- C:\Windows\Fonts\staticcache.dat
- C:\unoka128
- C:\Windows\SysWOW64\zh-CN\KERNELBASE.dll.mui
- C:\Windows\System32\tzres.dll
- C:\Windows\SysWOW64\explorer.exe.123.Manifest
- \Device\KsecDD
- C:\Windows\SysWOW64\shell32.dll
- C:\
- C:\Users\test\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
- C:\Users\test\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000052.db
- C:\Users\desktop.ini
- C:\Users
- C:\Users\test
- C:\Users\test\AppData
- C:\Users\test\AppData\Local
- C:\Users\test\AppData\Local\Temp
修改的文件
- C:\unoka128
- C:\Users\test\AppData\Local\Temp\SystLoge.exe
删除的文件
无信息
注册表键
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
- HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
- HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\Performance\Shell\ResponseMonitor
- HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ExplorerStartupTraceRecorded
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderTypes\{EF87B4CB-F2CE-4785-8658-4CA6C63E38C6}\TopViews\{00000000-0000-0000-0000-000000000000}
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\explorer.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
- HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\Attributes
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\CallForAttributes
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\RestrictedAttributes
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORDISPLAY
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideFolderVerbs
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\UseDropHandler
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORPARSING
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsParseDisplayName
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForOverlay
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\MapNetDriveVerbs
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForInfoTip
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideInWebView
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideOnDesktopPerUser
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsAliasedNotifications
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsUniversalDelegate
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\NoFileFolderJunction
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\PinToNameSpaceTree
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HasNavigationEnum
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a4-1bd9-11e5-9838-806e6f6e6963}\
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a4-1bd9-11e5-9838-806e6f6e6963}\Data
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a4-1bd9-11e5-9838-806e6f6e6963}\Generation
- HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions
- HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}\DriveMask
- HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\AccessProviders
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DontShowSuperHidden
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DontShowSuperHidden
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebView
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebView
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\SeparateProcess
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\SeparateProcess
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetCrawling
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetCrawling
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSimpleStartMenu
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSimpleStartMenu
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DontPrettyPath
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapNetDrvBtn
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\WebView
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Filter
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SeparateProcess
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\NoNetCrawling
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AutoCheckSelect
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\IconsOnly
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowTypeOverlay
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Shell\RegisteredApplications\UrlAssociations\Directory\OpenWithProgids
- HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\Directory
- HKEY_CLASSES_ROOT\Directory
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\CurVer
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\ShellEx\IconHandler
- HKEY_CLASSES_ROOT\Folder
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\IconHandler
- HKEY_CLASSES_ROOT\AllFilesystemObjects
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\ShellEx\IconHandler
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\DocObject
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\DocObject
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\DocObject
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\BrowseInPlace
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\BrowseInPlace
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\BrowseInPlace
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\Clsid
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\Clsid
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\Clsid
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\IsShortcut
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\IsShortcut
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\IsShortcut
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\AlwaysShowExt
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\NeverShowExt
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\NeverShowExt
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\NeverShowExt
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\AllowFileCLSIDJunctions
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\AllowFileCLSIDJunctions
- HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a3-1bd9-11e5-9838-806e6f6e6963}\
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a3-1bd9-11e5-9838-806e6f6e6963}\Data
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a3-1bd9-11e5-9838-806e6f6e6963}\Generation
读取的注册表键
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DisableUNCCheck
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\EnableExtensions
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DelayedExpansion
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\DefaultColor
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\CompletionChar
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\PathCompletionChar
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Command Processor\AutoRun
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
- HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ExplorerStartupTraceRecorded
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\Attributes
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\CallForAttributes
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\RestrictedAttributes
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORDISPLAY
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideFolderVerbs
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\UseDropHandler
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORPARSING
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsParseDisplayName
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForOverlay
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\MapNetDriveVerbs
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForInfoTip
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideInWebView
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideOnDesktopPerUser
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsAliasedNotifications
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsUniversalDelegate
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\NoFileFolderJunction
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\PinToNameSpaceTree
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HasNavigationEnum
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a4-1bd9-11e5-9838-806e6f6e6963}\Data
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a4-1bd9-11e5-9838-806e6f6e6963}\Generation
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}\DriveMask
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DontShowSuperHidden
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DontShowSuperHidden
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebView
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebView
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\SeparateProcess
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\SeparateProcess
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetCrawling
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetCrawling
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSimpleStartMenu
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSimpleStartMenu
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DontPrettyPath
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapNetDrvBtn
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\WebView
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Filter
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SeparateProcess
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\NoNetCrawling
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AutoCheckSelect
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\IconsOnly
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowTypeOverlay
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\DocObject
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\DocObject
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\DocObject
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\BrowseInPlace
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\BrowseInPlace
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\BrowseInPlace
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\IsShortcut
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\IsShortcut
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\IsShortcut
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\AlwaysShowExt
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\NeverShowExt
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\NeverShowExt
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\NeverShowExt
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\AllowFileCLSIDJunctions
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\AllowFileCLSIDJunctions
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a3-1bd9-11e5-9838-806e6f6e6963}\Data
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a3-1bd9-11e5-9838-806e6f6e6963}\Generation
修改的注册表键
无信息
删除的注册表键
无信息
API解析
- kernel32.dll.FlsAlloc
- kernel32.dll.FlsGetValue
- kernel32.dll.FlsSetValue
- kernel32.dll.FlsFree
- kernel32.dll.IsProcessorFeaturePresent
- cryptbase.dll.SystemFunction036
- kernel32.dll.SortGetHandle
- kernel32.dll.SortCloseHandle
- comctl32.dll.RegisterClassNameW
- uxtheme.dll.OpenThemeData
- imm32.dll.ImmIsIME
- gdi32.dll.GetLayout
- gdi32.dll.GdiRealizationInfo
- gdi32.dll.FontIsLinked
- advapi32.dll.RegOpenKeyExW
- advapi32.dll.RegQueryInfoKeyW
- gdi32.dll.GetTextFaceAliasW
- advapi32.dll.RegEnumValueW
- advapi32.dll.RegCloseKey
- advapi32.dll.RegQueryValueExW
- advapi32.dll.RegQueryValueExA
- advapi32.dll.RegEnumKeyExW
- gdi32.dll.GetTextExtentExPointWPri
- uxtheme.dll.EnableThemeDialogTexture
- shlwapi.dll.PathIsDirectoryA
- kernel32.dll.CreateToolhelp32Snapshot
- kernel32.dll.Process32First
- kernel32.dll.Process32Next
- kernel32.dll.CloseHandle
- oleaut32.dll.#500
- kernel32.dll.SetThreadUILanguage
- kernel32.dll.CopyFileExW
- kernel32.dll.IsDebuggerPresent
- kernel32.dll.SetConsoleInputExeNameW
- ole32.dll.CreateBindCtx
- ole32.dll.CoTaskMemAlloc
- ole32.dll.CoGetApartmentType
- ole32.dll.CoRegisterInitializeSpy
- ole32.dll.CoTaskMemFree
- comctl32.dll.#236
- oleaut32.dll.#6
- ole32.dll.CoGetMalloc
- comctl32.dll.#320
- ole32.dll.StringFromGUID2
- comctl32.dll.#324
- comctl32.dll.#323
- comctl32.dll.#328
- comctl32.dll.#334
- advapi32.dll.RegEnumKeyW
- oleaut32.dll.#2
- ole32.dll.CoCreateInstance
- setupapi.dll.CM_Get_Device_Interface_List_Size_ExW
- advapi32.dll.InitializeSecurityDescriptor
- advapi32.dll.SetEntriesInAclW
- ntmarta.dll.GetMartaExtensionInterface
- advapi32.dll.SetSecurityDescriptorDacl
- advapi32.dll.IsTextUnicode
- comctl32.dll.#332
- comctl32.dll.#338
- comctl32.dll.#339
- advapi32.dll.OpenThreadToken
- shell32.dll.#102
- setupapi.dll.CM_Get_Device_Interface_List_ExW
- ole32.dll.CoRevokeInitializeSpy
- comctl32.dll.#388
- ole32.dll.NdrOleInitializeExtension
- ole32.dll.CoGetClassObject
- ole32.dll.CoGetMarshalSizeMax
- ole32.dll.CoMarshalInterface
- ole32.dll.CoUnmarshalInterface
- ole32.dll.StringFromIID
- ole32.dll.CoGetPSClsid
- ole32.dll.CoReleaseMarshalData
- ole32.dll.DcomChannelSetHResult
- comctl32.dll.#386
- ole32.dll.CoAllowSetForegroundWindow
- advapi32.dll.UnregisterTraceGuids
- cryptsp.dll.CryptReleaseContext
- comctl32.dll.#321