魔盾安全分析报告
| 分析类型 | 开始时间 | 结束时间 | 持续时间 | 分析引擎版本 |
|---|---|---|---|---|
| FILE | 2017-12-15 11:07:46 | 2017-12-15 11:10:53 | 187 秒 | 1.4-Maldun |
| 虚拟机机器名 | 标签 | 虚拟机管理 | 开机时间 | 关机时间 |
|---|---|---|---|---|
| win7-sp1-x64-shaapp01-1 | win7-sp1-x64-shaapp01-1 | KVM | 2017-12-15 11:07:46 | 2017-12-15 11:10:04 |
| 魔盾分数 |
|---|
10.0Autorun |
文件详细信息
| 文件名 | RECYCLER.exe_ |
|---|---|
| 文件大小 | 1221923 字节 |
| 文件类型 | PE32 executable (GUI) Intel 80386, for MS Windows |
| CRC32 | 6FBB1DC1 |
| MD5 | 366ff3830bf635594da70fefb13ddbb3 |
| SHA1 | 421ae492f1b76f03a608c860515d7c8f3a246781 |
| SHA256 | be84905f084711bdd9dfb9965bd1b47b382bcc427d3f092696796807b312cbd0 |
| SHA512 | 34d3be59ffefd4dba6a76dee21a363d1a24a9c40f3380aff2991733daf97d93dc1afae863ea6dac8b57525bc11c70ce62cbf7e209a34b20bec093c4d426fe4f5 |
| Ssdeep | 24576:CD+VzUu1KNWKIu1JfJZc9TNowNbpqhaKp0tUilYq2DLq:u+5Uu1WIwxVopqh10tx2Xq |
| PEiD | 无匹配 |
| Yara | 无Yara规则匹配 |
| VirusTotal |
VirusTotal链接 VirusTotal扫描时间: 2013-12-19 18:45:48 扫描结果: 39/49 |
特征
从文件自身的二进制镜像中读取数据
self_read: process: RECYCLER.exe_, pid: 2032, offset: 0x00000000, length: 0x0012a523
self_read: process: RECYCLER.exe_, pid: 2032, offset: 0x0001a000, length: 0x00110523
self_read: process: 5848E2.EXE, pid: 1560, offset: 0x0001a000, length: 0x00110523
self_read: process: 5848E2.EXE, pid: 2204, offset: 0x0001a000, length: 0x00110523
self_read: process: 5848E2.EXE, pid: 2460, offset: 0x0001a000, length: 0x00110523
self_read: process: 5848E2.EXE, pid: 2684, offset: 0x0001a000, length: 0x00110523
self_read: process: 5848E2.EXE, pid: 2936, offset: 0x0001a000, length: 0x00110523
self_read: process: 5848E2.EXE, pid: 2160, offset: 0x0001a000, length: 0x00110523
self_read: process: 5848E2.EXE, pid: 2732, offset: 0x0001a000, length: 0x00110523
self_read: process: 5848E2.EXE, pid: 1156, offset: 0x0001a000, length: 0x00110523
self_read: process: 5848E2.EXE, pid: 2548, offset: 0x0001a000, length: 0x00110523
self_read: process: 5848E2.EXE, pid: 1868, offset: 0x0001a000, length: 0x00110523
self_read: process: 5848E2.EXE, pid: 3228, offset: 0x0001a000, length: 0x00110523
self_read: process: 5848E2.EXE, pid: 3448, offset: 0x0001a000, length: 0x00110523
self_read: process: 5848E2.EXE, pid: 3676, offset: 0x0001a000, length: 0x00110523
self_read: process: 5848E2.EXE, pid: 3904, offset: 0x0001a000, length: 0x00110523
self_read: process: 5848E2.EXE, pid: 2060, offset: 0x0001a000, length: 0x00110523
self_read: process: 5848E2.EXE, pid: 3512, offset: 0x0001a000, length: 0x00110523
self_read: process: 5848E2.EXE, pid: 3852, offset: 0x0001a000, length: 0x00110523
self_read: process: 5848E2.EXE, pid: 2848, offset: 0x0001a000, length: 0x00110523
self_read: process: 5848E2.EXE, pid: 3680, offset: 0x0001a000, length: 0x00110523
self_read: process: 5848E2.EXE, pid: 3768, offset: 0x0001a000, length: 0x00110523
self_read: process: 5848E2.EXE, pid: 4088, offset: 0x0001a000, length: 0x00110523
self_read: process: 5848E2.EXE, pid: 4292, offset: 0x0001a000, length: 0x00110523
self_read: process: 5848E2.EXE, pid: 4508, offset: 0x0001a000, length: 0x00110523
self_read: process: 5848E2.EXE, pid: 4736, offset: 0x0001a000, length: 0x00110523
self_read: process: 5848E2.EXE, pid: 4964, offset: 0x0001a000, length: 0x00110523
self_read: process: 5848E2.EXE, pid: 3328, offset: 0x0001a000, length: 0x00110523
self_read: process: 5848E2.EXE, pid: 4492, offset: 0x0001a000, length: 0x00110523
self_read: process: 5848E2.EXE, pid: 5052, offset: 0x0001a000, length: 0x00110523
self_read: process: 5848E2.EXE, pid: 4556, offset: 0x0001a000, length: 0x00110523
self_read: process: 5848E2.EXE, pid: 4008, offset: 0x0001a000, length: 0x00110523
self_read: process: 5848E2.EXE, pid: 5100, offset: 0x0001a000, length: 0x00110523
self_read: process: 5848E2.EXE, pid: 5180, offset: 0x0001a000, length: 0x00110523
self_read: process: 5848E2.EXE, pid: 5404, offset: 0x0001a000, length: 0x00110523
self_read: process: 5848E2.EXE, pid: 5632, offset: 0x0001a000, length: 0x00110523
self_read: process: 5848E2.EXE, pid: 5852, offset: 0x0001a000, length: 0x00110523
self_read: process: 5848E2.EXE, pid: 6080, offset: 0x0001a000, length: 0x00110523
self_read: process: 5848E2.EXE, pid: 4912, offset: 0x0001a000, length: 0x00110523
self_read: process: 5848E2.EXE, pid: 5804, offset: 0x0001a000, length: 0x00110523
self_read: process: 5848E2.EXE, pid: 5540, offset: 0x0001a000, length: 0x00110523
self_read: process: 5848E2.EXE, pid: 5620, offset: 0x0001a000, length: 0x00110523
self_read: process: 5848E2.EXE, pid: 6084, offset: 0x0001a000, length: 0x00110523
self_read: process: 5848E2.EXE, pid: 5552, offset: 0x0001a000, length: 0x00110523
self_read: process: 5848E2.EXE, pid: 6380, offset: 0x0001a000, length: 0x00110523
self_read: process: 5848E2.EXE, pid: 6620, offset: 0x0001a000, length: 0x00110523
self_read: process: 5848E2.EXE, pid: 6848, offset: 0x0001a000, length: 0x00110523
self_read: process: 5848E2.EXE, pid: 7076, offset: 0x0001a000, length: 0x00110523
self_read: process: 5848E2.EXE, pid: 6436, offset: 0x0001a000, length: 0x00110523
self_read: process: 5848E2.EXE, pid: 6804, offset: 0x0001a000, length: 0x00110523
self_read: process: 5848E2.EXE, pid: 7064, offset: 0x0001a000, length: 0x00110523
二进制文件可能包含加密或压缩数据
section: name: .text, entropy: 6.97, characteristics: IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x00006000, virtual_size: 0x000051ec
section: name: .data, entropy: 6.82, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x0000d000, virtual_size: 0x0000d000
通过进程尝试长时间延迟分析任务
Process: explorer.exe tried to sleep 3000 seconds, actually delayed analysis time by 0 seconds
生成一个自己的复制文件
copy: C:\Windows\System32\911B41\5848E2.EXE
异常的二进制特征
anomaly: Timestamp on binary predates the release date of the OS version it requires by at least a year
anomaly: Found duplicated section names
文件已被至少十个VirusTotal上的反病毒引擎检测为病毒
Bkav: W32.FlyStudioTn.Heur
MicroWorld-eScan: Win32.Worm.Autorun.VE
CAT-QuickHeal: Backdoor.FlyAgent.F
McAfee: W32/Autorun.worm.bx
K7GW: Backdoor ( 04c544dc1 )
K7AntiVirus: Riskware ( 2c53ce810 )
F-Prot: <W32/Nuj.A.gen!Eldorado
Symantec: Packed.Generic.244
Norman: FlyAgent.CX
TotalDefense: Win32/Nuj.B!generic
TrendMicro-HouseCall: WORM_AUTORUN.SMW
Avast: Win32:EvilEPL [Cryp]
ClamAV: Worm.FlyStudio-22
Kaspersky: Trojan-Downloader.Win32.FlyStudio.il
BitDefender: Win32.Worm.Autorun.VE
Agnitum: Backdoor.FlyAgent!DKj8hwwixD4
SUPERAntiSpyware: Trojan.Agent/Gen-XPFraud
Ad-Aware: Win32.Worm.Autorun.VE
Sophos: Mal/EncPk-NB
F-Secure: Trojan-Dropper:W32/Peed.gen!A
DrWeb: Trojan.Siggen3.62001
VIPRE: Trojan.Win32.Autorun.dm (v)
AntiVir: TR/Dropper.Gen
TrendMicro: WORM_AUTORUN.SMW
McAfee-GW-Edition: W32/Autorun.worm.bx
Emsisoft: Win32.Worm.Autorun.VE (B)
Jiangmin: TrojanDownloader.FlyStudio.kb
Antiy-AVL: Trojan/Win32.FlyStudio
Kingsoft: Win32.Troj.EncodeFk.ak.(kcloud)
Microsoft: Backdoor:Win32/FlyAgent.F
AhnLab-V3: Win32/Flystudio.worm.Gen
GData: Win32.Worm.Autorun.VE
Commtouch: W32/Nuj.A.gen!Eldorado
Panda: Trj/Genetic.gen
ESET-NOD32: Win32/Packed.FlyStudio.O.Gen
Rising: PE:Trojan.Win32.Generic.12CD8397!315458455
Ikarus: Virus.Win32.Sality
Fortinet: W32/PckdFlyStudio.gen
AVG: Win32/Heur
运行截图
网络分析
静态分析
PE 信息
| 初始地址 | 0x00400000 |
|---|---|
| 入口地址 | 0x0040136a |
| 声明校验值 | 0x001346fe |
| 实际校验值 | 0x001346fe |
| 最低操作系统版本要求 | 4.0 |
| 编译时间 | 1972-12-25 13:33:23 |
| 载入哈希 | 9165ea3e914e03bda3346f13edbd6ccd |
| 图标 |  |
| 图标精确哈希值 | 3fac314695184b546842efbb6babc4d9 |
| 图标相似性哈希值 | 83be7baeee9d10e23086447dcea1db66 |
PE数据组成
| 名称 | 虚拟地址 | 虚拟大小 | 原始数据大小 | 特征 | 熵(Entropy) |
|---|---|---|---|---|---|
| .text | 0x00001000 | 0x000051ec | 0x00006000 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 6.97 |
| .rdata | 0x00007000 | 0x00000a4a | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 3.58 |
| .data | 0x00008000 | 0x00001f58 | 0x00002000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 4.64 |
| .data | 0x0000a000 | 0x0000d000 | 0x0000d000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 6.82 |
| .rsrc | 0x00017000 | 0x000024f0 | 0x00003000 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 3.62 |
覆盖
| 偏移量: | 0x0001a000 |
| 大小: | 0x00110523 |
资源
| 名称 | 偏移量 | 大小 | 语言 | 子语言 | 熵(Entropy) | 文件类型 |
|---|---|---|---|---|---|---|
| RT_ICON | 0x00018608 | 0x00000ea8 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.29 | data |
| RT_ICON | 0x00018608 | 0x00000ea8 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.29 | data |
| RT_ICON | 0x00018608 | 0x00000ea8 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.29 | data |
| RT_ICON | 0x00018608 | 0x00000ea8 | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 4.29 | data |
| RT_GROUP_ICON | 0x000194b0 | 0x0000003e | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | 2.74 | MS Windows icon resource - 4 icons, 16x16 |
导入
库 KERNEL32.dll:
• 0x407000 - GetProcAddress
• 0x407004 - LoadLibraryA
• 0x407008 - CloseHandle
• 0x40700c - WriteFile
• 0x407010 - CreateDirectoryA
• 0x407014 - GetTempPathA
• 0x407018 - ReadFile
• 0x40701c - SetFilePointer
• 0x407020 - CreateFileA
• 0x407024 - GetModuleFileNameA
• 0x407028 - GetStringTypeA
• 0x40702c - LCMapStringW
• 0x407030 - LCMapStringA
• 0x407034 - HeapAlloc
• 0x407038 - HeapFree
• 0x40703c - GetModuleHandleA
• 0x407040 - GetStartupInfoA
• 0x407044 - GetCommandLineA
• 0x407048 - GetVersion
• 0x40704c - ExitProcess
• 0x407050 - HeapDestroy
• 0x407054 - HeapCreate
• 0x407058 - VirtualFree
• 0x40705c - VirtualAlloc
• 0x407060 - HeapReAlloc
• 0x407064 - TerminateProcess
• 0x407068 - GetCurrentProcess
• 0x40706c - UnhandledExceptionFilter
• 0x407070 - FreeEnvironmentStringsA
• 0x407074 - FreeEnvironmentStringsW
• 0x407078 - WideCharToMultiByte
• 0x40707c - GetEnvironmentStrings
• 0x407080 - GetEnvironmentStringsW
• 0x407084 - SetHandleCount
• 0x407088 - GetStdHandle
• 0x40708c - GetFileType
• 0x407090 - RtlUnwind
• 0x407094 - GetCPInfo
• 0x407098 - GetACP
• 0x40709c - GetOEMCP
• 0x4070a0 - MultiByteToWideChar
• 0x4070a4 - GetStringTypeW
库 USER32.dll:
• 0x4070ac - MessageBoxA
• 0x4070b0 - wsprintfA
投放文件
eAPI.fne
| 文件名 | eAPI.fne |
|---|---|
| 相关文件 |
|
| 文件大小 | 339968 bytes |
| 文件类型 | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows |
| MD5 | 1127360c56d642fb68f745256486b3df |
| SHA1 | 5749caddcf9724c636f14fd0794e63827596d584 |
| SHA256 | c0e82e5656920b636b9a31f6ca0339f0f761fe6a81de31af2a6ffbd7c8ebd62d |
| SHA512 | df2f0dccb6fe9ce5b7caf4720e0ecb32751aa005782201b0b03cc438f0aaadc7b87369751f97013bf7ebe6270f4826afeb13452f8f51d880bb2a915d4bbf5716 |
| Ssdeep | 6144:BMjWXfuD3+Ct7ml+eM/SZMj9xYOlnBo+Wy3avFmsVj9:BMinCBBDaZ69Bz0vND |
| VirusTotal | 搜索相关分析 |
dp1.fne
| 文件名 | dp1.fne |
|---|---|
| 相关文件 |
|
| 文件大小 | 126976 bytes |
| 文件类型 | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows |
| MD5 | 61a15938ed30f4aa8ad36c8135da989f |
| SHA1 | d6b67e856309218a1411b34089999ec678826854 |
| SHA256 | 2b41dc58887e07c43be0a15e9e0f46d7c860f2e11156559038d9c92318224c20 |
| SHA512 | 6de61a5fb871988deef8698ffc9aa01a42e12b7cb37ad180112a19cd54990395f80b3d2c4d59ae4b72abb4d43c36d14491da1ee775f3805cc6583484bcb75422 |
| Ssdeep | 3072:oB5SvycAhCs4+YRNoJPpTVgINIsM51oXOm:obi5ANeRNoJRTVgINI3iOm |
| VirusTotal | 搜索相关分析 |
krnln.fnr
| 文件名 | krnln.fnr |
|---|---|
| 相关文件 |
|
| 文件大小 | 1101824 bytes |
| 文件类型 | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows |
| MD5 | 003a1a9fb9b4d448a0f99650b530c3e4 |
| SHA1 | aa511a314f8c1650801850723bd88f22d758a29b |
| SHA256 | b988ef547f838b9b7b8b4e4ff605329598f86e2999b3adaaee8e7f75b8da5dfd |
| SHA512 | 8eb128c8ed3780572f8fc24fbf01f9cae46367e4f69831e5cea7a86f77a6f27152f377b872c08e142035faf18f941b3db0d5c2d6476074943889125401e46c46 |
| Ssdeep | 24576:t/kdFuDVK2rAAaUHH6ACygojV/sfIK0m:t/uN2vaG6/ygoh |
| VirusTotal | 搜索相关分析 |
HtmlView.fne
| 文件名 | HtmlView.fne |
|---|---|
| 相关文件 |
|
| 文件大小 | 217088 bytes |
| 文件类型 | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows |
| MD5 | 1ea5ccdc2e2713772dbe59cbf66c3af7 |
| SHA1 | 4b6ccfd6d517507252d7c417ee06e1f0b135035d |
| SHA256 | 873d169ce1f6191035c33de2068f68ebd9a25c5e7a4dd5d4495ca89239cfa177 |
| SHA512 | e8a0055b9546ef5309d1b6c8ed48c2a5e7dee15b1243cc5e7580f117e10a7bb44a88e95c7410c13077c50c1726e71bb1abc44245e0f7685df491a1cd36e34b43 |
| Ssdeep | 3072:qveEGwDVIqJgDIVzdlyrIowuZku8BGfdP+jcmNrW65uxIoPNH3fnPK0rEa6Ni2:2eEGwD1gDOzSFZQkfdP7JXK0rEc2 |
| VirusTotal | 搜索相关分析 |
5848E2.EXE
| 文件名 | 5848E2.EXE |
|---|---|
| 相关文件 |
|
| 文件大小 | 1221923 bytes |
| 文件类型 | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | 366ff3830bf635594da70fefb13ddbb3 |
| SHA1 | 421ae492f1b76f03a608c860515d7c8f3a246781 |
| SHA256 | be84905f084711bdd9dfb9965bd1b47b382bcc427d3f092696796807b312cbd0 |
| SHA512 | 34d3be59ffefd4dba6a76dee21a363d1a24a9c40f3380aff2991733daf97d93dc1afae863ea6dac8b57525bc11c70ce62cbf7e209a34b20bec093c4d426fe4f5 |
| Ssdeep | 24576:CD+VzUu1KNWKIu1JfJZc9TNowNbpqhaKp0tUilYq2DLq:u+5Uu1WIwxVopqh10tx2Xq |
| VirusTotal | 搜索相关分析 |
internet.fne
| 文件名 | internet.fne |
|---|---|
| 相关文件 |
|
| 文件大小 | 184320 bytes |
| 文件类型 | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows |
| MD5 | eafbb920055c2490c24a5ed73ecd3508 |
| SHA1 | f2f4992275210c3947cab8893d4e10af2b0b8314 |
| SHA256 | 60ba233990c3e6340093a8c60b66554f88e2a24378a5403d2b83fce67e53abbe |
| SHA512 | 62017976d64d8704db6b74db2d35048d2490e902a60f154b245893d80f70446d192530afe0bbc77261db83db7bd77441a720074e045822e14c21321685690f5d |
| Ssdeep | 3072:Z0zFETNf56uLafW0bVTlCho2VWafegOlW7Ng/6ok8TsXHHEpFazSp:sFETZhLULVxC+afegOk7Ny2eFO |
| VirusTotal | 搜索相关分析 |
行为分析
互斥量(Mutexes)
无信息
执行的命令
- explorer C:\Users\test\AppData\Local\Temp\RECYCLER_
- C:\Windows\system32\911B41\5848E2.EXE
- explorer C:\Windows\SysWOW64\911B41\5848E2
创建的服务
无信息
启动的服务
无信息
进程
RECYCLER.exe_ PID: 2032, 上一级进程 PID: 300
explorer.exe PID: 2044, 上一级进程 PID: 2032
5848E2.EXE PID: 1560, 上一级进程 PID: 2032
explorer.exe PID: 2128, 上一级进程 PID: 1560
5848E2.EXE PID: 2204, 上一级进程 PID: 1560
explorer.exe PID: 2352, 上一级进程 PID: 2204
5848E2.EXE PID: 2460, 上一级进程 PID: 2204
explorer.exe PID: 2592, 上一级进程 PID: 2460
5848E2.EXE PID: 2684, 上一级进程 PID: 2460
explorer.exe PID: 2812, 上一级进程 PID: 2684
5848E2.EXE PID: 2936, 上一级进程 PID: 2684
explorer.exe PID: 2080, 上一级进程 PID: 2936
5848E2.EXE PID: 2160, 上一级进程 PID: 2936
explorer.exe PID: 2456, 上一级进程 PID: 2160
5848E2.EXE PID: 2732, 上一级进程 PID: 2160
explorer.exe PID: 2908, 上一级进程 PID: 2732
5848E2.EXE PID: 1156, 上一级进程 PID: 2732
explorer.exe PID: 2876, 上一级进程 PID: 1156
5848E2.EXE PID: 2548, 上一级进程 PID: 1156
explorer.exe PID: 2728, 上一级进程 PID: 2548
5848E2.EXE PID: 1868, 上一级进程 PID: 2548
explorer.exe PID: 3152, 上一级进程 PID: 1868
5848E2.EXE PID: 3228, 上一级进程 PID: 1868
explorer.exe PID: 3372, 上一级进程 PID: 3228
5848E2.EXE PID: 3448, 上一级进程 PID: 3228
explorer.exe PID: 3604, 上一级进程 PID: 3448
5848E2.EXE PID: 3676, 上一级进程 PID: 3448
explorer.exe PID: 3832, 上一级进程 PID: 3676
5848E2.EXE PID: 3904, 上一级进程 PID: 3676
explorer.exe PID: 4056, 上一级进程 PID: 3904
5848E2.EXE PID: 2060, 上一级进程 PID: 3904
explorer.exe PID: 1668, 上一级进程 PID: 2060
5848E2.EXE PID: 3512, 上一级进程 PID: 2060
explorer.exe PID: 3644, 上一级进程 PID: 3512
5848E2.EXE PID: 3852, 上一级进程 PID: 3512
explorer.exe PID: 3332, 上一级进程 PID: 3852
5848E2.EXE PID: 2848, 上一级进程 PID: 3852
explorer.exe PID: 3752, 上一级进程 PID: 2848
5848E2.EXE PID: 3680, 上一级进程 PID: 2848
explorer.exe PID: 2100, 上一级进程 PID: 3680
5848E2.EXE PID: 3768, 上一级进程 PID: 3680
explorer.exe PID: 3908, 上一级进程 PID: 3768
5848E2.EXE PID: 4088, 上一级进程 PID: 3768
explorer.exe PID: 4212, 上一级进程 PID: 4088
5848E2.EXE PID: 4292, 上一级进程 PID: 4088
explorer.exe PID: 4436, 上一级进程 PID: 4292
5848E2.EXE PID: 4508, 上一级进程 PID: 4292
explorer.exe PID: 4664, 上一级进程 PID: 4508
5848E2.EXE PID: 4736, 上一级进程 PID: 4508
explorer.exe PID: 4892, 上一级进程 PID: 4736
5848E2.EXE PID: 4964, 上一级进程 PID: 4736
explorer.exe PID: 4112, 上一级进程 PID: 4964
5848E2.EXE PID: 3328, 上一级进程 PID: 4964
explorer.exe PID: 4428, 上一级进程 PID: 3328
5848E2.EXE PID: 4492, 上一级进程 PID: 3328
explorer.exe PID: 4168, 上一级进程 PID: 4492
5848E2.EXE PID: 5052, 上一级进程 PID: 4492
explorer.exe PID: 3656, 上一级进程 PID: 5052
5848E2.EXE PID: 4556, 上一级进程 PID: 5052
explorer.exe PID: 3404, 上一级进程 PID: 4556
5848E2.EXE PID: 4008, 上一级进程 PID: 4556
explorer.exe PID: 4944, 上一级进程 PID: 4008
5848E2.EXE PID: 5100, 上一级进程 PID: 4008
explorer.exe PID: 4724, 上一级进程 PID: 5100
5848E2.EXE PID: 5180, 上一级进程 PID: 5100
explorer.exe PID: 5328, 上一级进程 PID: 5180
5848E2.EXE PID: 5404, 上一级进程 PID: 5180
explorer.exe PID: 5556, 上一级进程 PID: 5404
5848E2.EXE PID: 5632, 上一级进程 PID: 5404
explorer.exe PID: 5780, 上一级进程 PID: 5632
5848E2.EXE PID: 5852, 上一级进程 PID: 5632
explorer.exe PID: 6008, 上一级进程 PID: 5852
5848E2.EXE PID: 6080, 上一级进程 PID: 5852
explorer.exe PID: 5156, 上一级进程 PID: 6080
5848E2.EXE PID: 4912, 上一级进程 PID: 6080
explorer.exe PID: 4960, 上一级进程 PID: 4912
5848E2.EXE PID: 5804, 上一级进程 PID: 4912
explorer.exe PID: 6060, 上一级进程 PID: 5804
5848E2.EXE PID: 5540, 上一级进程 PID: 5804
explorer.exe PID: 4512, 上一级进程 PID: 5540
5848E2.EXE PID: 5620, 上一级进程 PID: 5540
explorer.exe PID: 5752, 上一级进程 PID: 5620
5848E2.EXE PID: 6084, 上一级进程 PID: 5620
explorer.exe PID: 3728, 上一级进程 PID: 6084
5848E2.EXE PID: 5552, 上一级进程 PID: 6084
explorer.exe PID: 6280, 上一级进程 PID: 5552
5848E2.EXE PID: 6380, 上一级进程 PID: 5552
explorer.exe PID: 6540, 上一级进程 PID: 6380
5848E2.EXE PID: 6620, 上一级进程 PID: 6380
explorer.exe PID: 6768, 上一级进程 PID: 6620
5848E2.EXE PID: 6848, 上一级进程 PID: 6620
explorer.exe PID: 6996, 上一级进程 PID: 6848
5848E2.EXE PID: 7076, 上一级进程 PID: 6848
explorer.exe PID: 6188, 上一级进程 PID: 7076
5848E2.EXE PID: 6436, 上一级进程 PID: 7076
explorer.exe PID: 6600, 上一级进程 PID: 6436
5848E2.EXE PID: 6804, 上一级进程 PID: 6436
explorer.exe PID: 6524, 上一级进程 PID: 6804
5848E2.EXE PID: 7064, 上一级进程 PID: 6804
explorer.exe PID: 6664, 上一级进程 PID: 7064
访问的文件
- C:\Users\test\AppData\Local\Temp\RECYCLER.exe_
- C:\Users\test\AppData\Local\Temp\E_N4
- C:\Users\test\AppData\Local\Temp\E_N4\krnln.fnr
- C:\Users\test\AppData\Local\Temp\E_N4\HtmlView.fne
- C:\Users\test\AppData\Local\Temp\E_N4\internet.fne
- C:\Users\test\AppData\Local\Temp\E_N4\eAPI.fne
- C:\Users\test\AppData\Local\Temp\E_N4\dp1.fne
- C:\Users\test\AppData\Local\Temp\WINMM.dll
- C:\Windows\System32\winmm.dll
- C:\Users\test\AppData\Local\Temp\RECYCLER.exe_.Local\
- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af
- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
- C:\Users\test\AppData\Local\Temp\WINSPOOL.DRV
- C:\Windows\System32\winspool.drv
- C:\Users\test\AppData\Local\Temp\OLEPRO32.DLL
- C:\Windows\System32\olepro32.dll
- C:\Windows\Globalization\Sorting\sortdefault.nls
- C:\Users\test\AppData\Local\Temp\E_N4\HtmlView.fnr
- C:\Users\test\AppData\Local\Temp\oledlg.dll
- C:\Windows\System32\oledlg.dll
- C:\Users\test\AppData\Local\Temp\E_N4\eAPI.fnr
- C:\Users\test\AppData\Local\Temp\iphlpapi.dll
- C:\Windows\System32\IPHLPAPI.DLL
- C:\Users\test\AppData\Local\Temp\WINNSI.DLL
- C:\Windows\System32\winnsi.dll
- C:\Users\test\AppData\Local\Temp\MPR.dll
- C:\Windows\System32\mpr.dll
- C:\Users\test\AppData\Local\Temp\VERSION.dll
- C:\Windows\System32\version.dll
- C:\
- C:\Users\test\AppData\Local\Temp\E_N4\dp1.fnr
- C:\Windows\System32\911B41\
- C:\Windows\System32\911B41\5848E2.EXE
- C:\Windows\SysWOW64\explorer.exe.123.Manifest
- \Device\KsecDD
- C:\Windows\SysWOW64\shell32.dll
- C:\Users
- \??\MountPointManager
- C:\Users\test\AppData\Local\Microsoft\Windows\Caches
- C:\Users\test\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
- C:\Users\test\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000036.db
- C:\Users\desktop.ini
- C:\Users\test
- C:\Users\test\AppData
- C:\Users\test\AppData\Local
- C:\Users\test\AppData\Local\Temp
- C:\Users\test\AppData\Local\Temp\RECYCLER_
- C:\Users\test\Documents
- C:\Windows\SysWOW64\911B41\5848E2.EXE
- C:\Windows\SysWOW64\911B41\WINMM.dll
- C:\Windows\SysWOW64\911B41\5848E2.EXE.Local\
- C:\Windows\SysWOW64\911B41\WINSPOOL.DRV
- C:\Windows\SysWOW64\911B41\OLEPRO32.DLL
- C:\Windows\SysWOW64\911B41
- C:\Windows\SysWOW64\911B41\oledlg.dll
- C:\Windows\SysWOW64\911B41\iphlpapi.dll
- C:\Windows\SysWOW64\911B41\WINNSI.DLL
- C:\Windows\SysWOW64\911B41\MPR.dll
- C:\Windows\SysWOW64\911B41\VERSION.dll
- C:\Windows
- C:\Windows\SysWOW64
- C:\Windows\SysWOW64\911B41\5848E2
读取的文件
- C:\Users\test\AppData\Local\Temp\RECYCLER.exe_
- C:\Users\test\AppData\Local\Temp\E_N4\krnln.fnr
- C:\Windows\System32\winmm.dll
- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
- C:\Windows\System32\winspool.drv
- C:\Windows\System32\olepro32.dll
- C:\Windows\Globalization\Sorting\sortdefault.nls
- C:\Users\test\AppData\Local\Temp\E_N4\HtmlView.fne
- C:\Windows\System32\oledlg.dll
- C:\Users\test\AppData\Local\Temp\E_N4\eAPI.fne
- C:\Windows\System32\IPHLPAPI.DLL
- C:\Windows\System32\winnsi.dll
- C:\Windows\System32\mpr.dll
- C:\Windows\System32\version.dll
- C:\Users\test\AppData\Local\Temp\E_N4\dp1.fne
- C:\Windows\SysWOW64\explorer.exe.123.Manifest
- \Device\KsecDD
- C:\Windows\SysWOW64\shell32.dll
- C:\
- C:\Users\test\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
- C:\Users\test\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000036.db
- C:\Users\desktop.ini
- C:\Users
- C:\Users\test
- C:\Users\test\AppData
- C:\Users\test\AppData\Local
- C:\Users\test\AppData\Local\Temp
- C:\Windows\SysWOW64\911B41\5848E2.EXE
- C:\Windows
- C:\Windows\SysWOW64
- C:\Windows\SysWOW64\911B41
修改的文件
- C:\Users\test\AppData\Local\Temp\E_N4\krnln.fnr
- C:\Users\test\AppData\Local\Temp\E_N4\HtmlView.fne
- C:\Users\test\AppData\Local\Temp\E_N4\internet.fne
- C:\Users\test\AppData\Local\Temp\E_N4\eAPI.fne
- C:\Users\test\AppData\Local\Temp\E_N4\dp1.fne
- C:\Windows\System32\911B41\5848E2.EXE
删除的文件
无信息
注册表键
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\UseFilter
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\krnln.fnr
- HKEY_CLASSES_ROOT\CLSID
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\HtmlView.fne
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\eAPI.fne
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\dp1.fne
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\Performance\Shell\ResponseMonitor
- HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ExplorerStartupTraceRecorded
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderTypes\{EF87B4CB-F2CE-4785-8658-4CA6C63E38C6}\TopViews\{00000000-0000-0000-0000-000000000000}
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\explorer.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
- HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\Attributes
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\CallForAttributes
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\RestrictedAttributes
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORDISPLAY
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideFolderVerbs
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\UseDropHandler
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORPARSING
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsParseDisplayName
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForOverlay
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\MapNetDriveVerbs
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForInfoTip
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideInWebView
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideOnDesktopPerUser
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsAliasedNotifications
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsUniversalDelegate
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\NoFileFolderJunction
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\PinToNameSpaceTree
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HasNavigationEnum
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a4-1bd9-11e5-9838-806e6f6e6963}\
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a4-1bd9-11e5-9838-806e6f6e6963}\Data
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a4-1bd9-11e5-9838-806e6f6e6963}\Generation
- HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions
- HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}\DriveMask
- HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a3-1bd9-11e5-9838-806e6f6e6963}\
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a3-1bd9-11e5-9838-806e6f6e6963}\Data
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a3-1bd9-11e5-9838-806e6f6e6963}\Generation
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\AccessProviders
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DontShowSuperHidden
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DontShowSuperHidden
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebView
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebView
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\SeparateProcess
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\SeparateProcess
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetCrawling
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetCrawling
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSimpleStartMenu
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSimpleStartMenu
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DontPrettyPath
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapNetDrvBtn
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\WebView
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Filter
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SeparateProcess
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\NoNetCrawling
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AutoCheckSelect
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\IconsOnly
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowTypeOverlay
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Shell\RegisteredApplications\UrlAssociations\Directory\OpenWithProgids
- HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\Directory
- HKEY_CLASSES_ROOT\Directory
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\CurVer
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\ShellEx\IconHandler
- HKEY_CLASSES_ROOT\Folder
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\IconHandler
- HKEY_CLASSES_ROOT\AllFilesystemObjects
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\ShellEx\IconHandler
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\DocObject
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\DocObject
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\DocObject
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\BrowseInPlace
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\BrowseInPlace
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\BrowseInPlace
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\Clsid
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\Clsid
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\Clsid
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\IsShortcut
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\IsShortcut
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\IsShortcut
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\AlwaysShowExt
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\NeverShowExt
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\NeverShowExt
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\NeverShowExt
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\Category
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\Name
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\ParentFolder
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\Description
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\RelativePath
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\ParsingName
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\InfoTip
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\LocalizedName
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\Icon
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\Security
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\StreamResource
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\StreamResourceType
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\LocalRedirectOnly
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\Roamable
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\PreCreate
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\Stream
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\PublishExpandedPath
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\Attributes
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\FolderTypeID
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\InitFolderHandler
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\PropertyBag
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\KnownFolders
- HKEY_CURRENT_USER
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Personal
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\KnownFolderSettings
- HKEY_CLASSES_ROOT\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder\Attributes
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder\CallForAttributes
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder\RestrictedAttributes
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder\WantsFORDISPLAY
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder\HideFolderVerbs
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder\UseDropHandler
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder\WantsFORPARSING
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder\WantsParseDisplayName
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder\QueryForOverlay
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder\MapNetDriveVerbs
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder\QueryForInfoTip
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder\HideInWebView
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder\HideOnDesktopPerUser
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder\WantsAliasedNotifications
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder\WantsUniversalDelegate
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder\NoFileFolderJunction
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder\PinToNameSpaceTree
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder\HasNavigationEnum
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{59031A47-3F72-44A7-89C5-5595FE6B30EE}
- HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\AddToFavoritesInitialSelection
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\AddToFeedsInitialSelection
读取的注册表键
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\UseFilter
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\krnln.fnr
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\HtmlView.fne
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\eAPI.fne
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\dp1.fne
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ExplorerStartupTraceRecorded
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\Attributes
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\CallForAttributes
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\RestrictedAttributes
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORDISPLAY
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideFolderVerbs
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\UseDropHandler
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORPARSING
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsParseDisplayName
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForOverlay
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\MapNetDriveVerbs
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForInfoTip
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideInWebView
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideOnDesktopPerUser
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsAliasedNotifications
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsUniversalDelegate
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\NoFileFolderJunction
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\PinToNameSpaceTree
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HasNavigationEnum
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a4-1bd9-11e5-9838-806e6f6e6963}\Data
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a4-1bd9-11e5-9838-806e6f6e6963}\Generation
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}\DriveMask
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a3-1bd9-11e5-9838-806e6f6e6963}\Data
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{372941a3-1bd9-11e5-9838-806e6f6e6963}\Generation
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DontShowSuperHidden
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DontShowSuperHidden
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebView
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebView
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\SeparateProcess
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\SeparateProcess
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetCrawling
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetCrawling
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSimpleStartMenu
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSimpleStartMenu
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DontPrettyPath
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapNetDrvBtn
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\WebView
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Filter
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SeparateProcess
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\NoNetCrawling
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AutoCheckSelect
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\IconsOnly
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowTypeOverlay
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\DocObject
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\DocObject
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\DocObject
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\BrowseInPlace
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\BrowseInPlace
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\BrowseInPlace
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\IsShortcut
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\IsShortcut
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\IsShortcut
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\AlwaysShowExt
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\NeverShowExt
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\NeverShowExt
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\NeverShowExt
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\Category
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\Name
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\ParentFolder
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\Description
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\RelativePath
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\ParsingName
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\InfoTip
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\LocalizedName
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\Icon
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\Security
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\StreamResource
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\StreamResourceType
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\LocalRedirectOnly
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\Roamable
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\PreCreate
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\Stream
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\PublishExpandedPath
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\Attributes
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\FolderTypeID
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{FDD39AD0-238F-46AF-ADB4-6C85480369C7}\InitFolderHandler
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Personal
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder\Attributes
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder\CallForAttributes
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder\RestrictedAttributes
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder\WantsFORDISPLAY
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder\HideFolderVerbs
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder\UseDropHandler
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder\WantsFORPARSING
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder\WantsParseDisplayName
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder\QueryForOverlay
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder\MapNetDriveVerbs
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder\QueryForInfoTip
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder\HideInWebView
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder\HideOnDesktopPerUser
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder\WantsAliasedNotifications
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder\WantsUniversalDelegate
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder\NoFileFolderJunction
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder\PinToNameSpaceTree
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder\HasNavigationEnum
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{59031A47-3F72-44A7-89C5-5595FE6B30EE}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
修改的注册表键
无信息
删除的注册表键
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\AddToFavoritesInitialSelection
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\AddToFeedsInitialSelection
API解析
- kernel32.dll.IsProcessorFeaturePresent
- krnln.fnr.GetNewSock
- cryptbase.dll.SystemFunction036
- kernel32.dll.SortGetHandle
- kernel32.dll.SortCloseHandle
- krnln.fnr.GetNewInf
- htmlview.fne.GetNewInf
- urlmon.dll.#414
- shell32.dll.SHGetSpecialFolderPathA
- eapi.fne.GetNewInf
- kernel32.dll.GetDiskFreeSpaceExA
- dp1.fne.GetNewInf
- oleaut32.dll.#500
- ole32.dll.CreateBindCtx
- ole32.dll.CoTaskMemAlloc
- ole32.dll.CoGetApartmentType
- ole32.dll.CoRegisterInitializeSpy
- ole32.dll.CoTaskMemFree
- comctl32.dll.#236
- oleaut32.dll.#6
- ole32.dll.CoGetMalloc
- comctl32.dll.#320
- ole32.dll.StringFromGUID2
- comctl32.dll.#324
- comctl32.dll.#323
- comctl32.dll.#328
- comctl32.dll.#334
- setupapi.dll.CM_Get_Device_Interface_List_Size_ExW
- advapi32.dll.RegEnumKeyW
- oleaut32.dll.#2
- setupapi.dll.CM_Get_Device_Interface_List_ExW
- ole32.dll.CoCreateInstance
- comctl32.dll.#332
- advapi32.dll.InitializeSecurityDescriptor
- advapi32.dll.SetEntriesInAclW
- comctl32.dll.#386
- ntmarta.dll.GetMartaExtensionInterface
- advapi32.dll.SetSecurityDescriptorDacl
- advapi32.dll.IsTextUnicode
- comctl32.dll.#338
- comctl32.dll.#339
- advapi32.dll.OpenThreadToken
- shell32.dll.#102
- ole32.dll.CoInitializeEx
- ole32.dll.CoUninitialize
- ole32.dll.CoRevokeInitializeSpy
- comctl32.dll.#388
- ole32.dll.NdrOleInitializeExtension
- ole32.dll.CoGetClassObject
- ole32.dll.CoGetMarshalSizeMax
- ole32.dll.CoMarshalInterface
- ole32.dll.CoUnmarshalInterface
- ole32.dll.StringFromIID
- ole32.dll.CoGetPSClsid
- ole32.dll.CoReleaseMarshalData
- ole32.dll.DcomChannelSetHResult
- ole32.dll.CoAllowSetForegroundWindow
- advapi32.dll.UnregisterTraceGuids
- cryptsp.dll.CryptReleaseContext
- comctl32.dll.#321
- wininet.dll.InternetSetOptionW